Categories

LKBEN11572: Howto find all defender settings in windows 10.

Symptom

You need to document your defender settings for your system.

Cause

Needed for documentation or checking the settings.

Solution

To find the preferences for Windows Defender, you can use the Get-MpPreference cmdlet. You can modify exclusion file name extensions, paths, or processes, and specify the default action for high, moderate, and low threat levels.

To document the settings, you open the powershell and type in the following command:

Get-MpPreference

This will show you all the settings on the screen. It will look like:

AllowNetworkProtectionOnWinServer             : False
AttackSurfaceReductionOnlyExclusions          :
AttackSurfaceReductionRules_Actions           :
AttackSurfaceReductionRules_Ids               :
CheckForSignaturesBeforeRunningScan           : False
CloudBlockLevel                               : 1
CloudExtendedTimeout                          : 1
ComputerID                                    : <your id>
ControlledFolderAccessAllowedApplications     :
ControlledFolderAccessProtectedFolders        :
DisableArchiveScanning                        : False
DisableAutoExclusions                         : False
DisableBehaviorMonitoring                     : False
DisableBlockAtFirstSeen                       : False
DisableCatchupFullScan                        : True
DisableCatchupQuickScan                       : True
DisableCpuThrottleOnIdleScans                 :
DisableDatagramProcessing                     : False
DisableEmailScanning                          : True
DisableIntrusionPreventionSystem              :
DisableIOAVProtection                         : False
DisablePrivacyMode                            : False
DisableRealtimeMonitoring                     : False
DisableRemovableDriveScanning                 : True
DisableRestorePoint                           : True
DisableScanningMappedNetworkDrivesForFullScan : True
DisableScanningNetworkFiles                   : False
DisableScriptScanning                         : False
EnableControlledFolderAccess                  : 0
EnableFileHashComputation                     : False
EnableLowCpuPriority                          : False
EnableNetworkProtection                       : 0
ExclusionExtension                            : {N/A: Must be admin to view exclusions}
ExclusionIpAddress                            : {N/A: Must be admin to view exclusions}
ExclusionPath                                 : {N/A: Must be admin to view exclusions}
ExclusionProcess                              : {N/A: Must be admin to view exclusions}
HighThreatDefaultAction                       : 0
LowThreatDefaultAction                        : 0
MAPSReporting                                 : 2
MeteredConnectionUpdates                      : False
ModerateThreatDefaultAction                   : 0
PUAProtection                                 : 1
QuarantinePurgeItemsAfterDelay                : 90
RandomizeScheduleTaskTimes                    : True
RealTimeScanDirection                         : 0
RemediationScheduleDay                        : 0
RemediationScheduleTime                       : 02:00:00
ReportingAdditionalActionTimeOut              : 10080
ReportingCriticalFailureTimeOut               : 10080
ReportingNonCriticalTimeOut                   : 1440
ScanAvgCPULoadFactor                          : 50
ScanOnlyIfIdleEnabled                         : True
ScanParameters                                : 1
ScanPurgeItemsAfterDelay                      : 15
ScanScheduleDay                               : 0
ScanScheduleQuickScanTime                     : 00:00:00
ScanScheduleTime                              : 02:00:00
SevereThreatDefaultAction                     : 0
SharedSignaturesPath                          :
SignatureAuGracePeriod                        : 0
SignatureBlobFileSharesSources                :
SignatureBlobUpdateInterval                   : 60
SignatureDefinitionUpdateFileSharesSources    :
SignatureDisableUpdateOnStartupWithoutEngine  : False
SignatureFallbackOrder                        : MicrosoftUpdateServer|MMPC
SignatureFirstAuGracePeriod                   : 120
SignatureScheduleDay                          : 8
SignatureScheduleTime                         : 01:45:00
SignatureUpdateCatchupInterval                : 1
SignatureUpdateInterval                       : 0
SubmitSamplesConsent                          : 1
ThreatIDDefaultAction_Actions                 :
ThreatIDDefaultAction_Ids                     :
UILockdown                                    : False
UnknownThreatDefaultAction                    : 0
PSComputerName                                :

For some parts of the information, you will need administrator rights.

If your administrator does allow to change the settings, you can use Set-MpPreference to change settings. This might be good when you notice the cpu is 100% in use by windows defender.

To prevent this, you might use:

Set-MpPreference -ScanAvgCPULoadFactor 20

and

Set-MpPreference -EnableLowCpuPriority 1

This will prevent the anti malware service from taking more than 20% of your CPU and it will use a lower priority.

 

Have fun.

Disclaimer:

The information provided in this document is intended for your information only. Lubby makes no claims to the validity of this information. Use of this information is at own risk!

About the Author

Author: Wim Peeters - Keskon GmbH & Co. KG

Wim Peeters is electronics engineer with an additional master in IT and over 30 years of experience, including time spent in support, development, consulting, training and database administration. Wim has worked with SQL Server since version 6.5. He has developed in C/C++, Java and C# on Windows and Linux. He writes knowledge base articles to solve IT problems and publishes them on the Lubby Knowledge Platform.

Latest update: 23.05.2022 | Comment: