
Prevent or allow users to locally modify Windows Defender AV policy settings

Iaan | Last Updated: 4/5/2017

Applies to:

  • Windows 10

Audience

  • Enterprise security administrators

Manageability available with

  • Group Policy

By default, Windows Defender AV settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.

For example, it may be necessary to allow certain user groups (such as security researchers and threat investigators) further control over individual settings on the endpoints they use.

Configure local overrides for Windows Defender AV settings

The default setting for these policies is Disabled.

If they are set to Enabled, users on endpoints can make changes to the associated setting with the Windows Defender Security Center app, local Group Policy settings, and PowerShell cmdlets (where appropriate).

The following table lists each of the override policy settings, along with the configuration topic that describes the associated feature or setting.

To configure these settings:

  1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.

  2. In the Group Policy Management Editor go to Computer configuration.

  3. Click Policies then Administrative templates.

  4. Expand the tree to Windows components > Windows Defender Antivirus and then the Location specified in the table below.

  5. Double-click the policy Setting as specified in the table below, and set the option to your desired configuration. Click OK, and repeat for any other settings.

  6. Deploy the Group Policy Object as usual.

Location | Setting | Configuration topic
MAPS | Configure local setting override for reporting to Microsoft MAPS | Enable cloud-delivered protection
Quarantine | Configure local setting override for the removal of items from Quarantine folder | Configure remediation for scans
Real-time protection | Configure local setting override for monitoring file and program activity on your computer | Enable and configure Windows Defender AV always-on protection and monitoring
Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | Enable and configure Windows Defender AV always-on protection and monitoring
Real-time protection | Configure local setting override for scanning all downloaded files and attachments | Enable and configure Windows Defender AV always-on protection and monitoring
Real-time protection | Configure local setting override for turn on behavior monitoring | Enable and configure Windows Defender AV always-on protection and monitoring
Real-time protection | Configure local setting override to turn on real-time protection | Enable and configure Windows Defender AV always-on protection and monitoring
Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | Configure remediation for scans
Scan | Configure local setting override for maximum percentage of CPU utilization | Configure and run scans
Scan | Configure local setting override for schedule scan day | Configure scheduled scans
Scan | Configure local setting override for scheduled quick scan time | Configure scheduled scans
Scan | Configure local setting override for scheduled scan time | Configure scheduled scans
Scan | Configure local setting override for the scan type to use for a scheduled scan | Configure scheduled scans

Configure how locally and globally defined threat remediation and exclusions lists are merged

You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to exclusion lists and specified remediation lists.

By default, lists that have been configured in local group policy and the Windows Defender Security Center app are merged with lists that are defined by the appropriate GPO that you have deployed on your network. Where there are conflicts, the globally defined list takes precedence.

You can disable this setting to ensure that only globally defined lists (such as those from any deployed GPOs) are used.

Use Group Policy to disable local list merging:

  1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.

  2. In the Group Policy Management Editor go to Computer configuration.

  3. Click Policies then Administrative templates.

  4. Expand the tree to Windows components > Windows Defender Antivirus.

  5. Double-click the Configure local administrator merge behavior for lists setting and set the option to Enabled. Click OK.
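After deploying either of the Group Policy procedures above (the local setting overrides and the list-merge policy), an administrator usually wants to verify on an endpoint which overrides actually landed and whether local list merging is still in effect. The following PowerShell audit script is an added example and is not part of the Microsoft page or of any Microsoft tool. It assumes, based on the Windows Defender ADMX template rather than on this page, that the deployed policies are written under HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender, that the override policies use registry value names beginning with "LocalSettingOverride", that the merge policy is the "DisableLocalAdminMerge" value, and that 1 means the policy is Enabled and 0 means Disabled. Get-MpPreference is the built-in Defender cmdlet; the function names are the example's own.

```powershell
# Added audit example (not from the Microsoft page): report which local setting
# override policies are Enabled on this endpoint and whether local list merging is
# disabled, then show the exclusion lists Defender is actually using after merging.
#
# Assumptions (from the Windows Defender ADMX template, not stated on the page):
#   - policy hive:  HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender (+ subkeys)
#   - override policies are values named LocalSettingOverride*  (1 = Enabled, 0 = Disabled)
#   - the merge policy is the value DisableLocalAdminMerge      (1 = merging disabled)
# Run from an elevated PowerShell prompt on a Windows 10 endpoint that has received the GPO.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-DefenderLocalOverrideState {
    # Walks the policy key and its subkeys (MAPS/Spynet, Real-Time Protection, Scan, ...)
    # and returns one object per LocalSettingOverride* value found.
    param([string]$Root = $policyRoot)

    if (-not (Test-Path $Root)) {
        Write-Warning "No Windows Defender policy key at $Root; no GPO-deployed settings are present."
        return
    }

    $keys = @(Get-Item $Root) + @(Get-ChildItem $Root -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            if ($name -like 'LocalSettingOverride*') {
                $value = $key.GetValue($name)
                [pscustomobject]@{
                    Location = $key.PSChildName
                    Setting  = $name
                    Value    = $value
                    State    = if ($value -eq 1) { 'Enabled (users may change locally)' } else { 'Disabled' }
                }
            }
        }
    }
}

function Get-DefenderListMergeState {
    # Reads the "Configure local administrator merge behavior for lists" policy value.
    param([string]$Root = $policyRoot)

    $merge = (Get-ItemProperty -Path $Root -Name 'DisableLocalAdminMerge' -ErrorAction SilentlyContinue).DisableLocalAdminMerge
    switch ($merge) {
        1       { 'Local list merging DISABLED: only GPO-defined exclusion and remediation lists apply.' }
        0       { 'Local list merging enabled (policy explicitly Disabled): local and GPO lists are merged.' }
        default { 'Merge policy not configured: local and GPO lists are merged (the default).' }
    }
}

# --- Report ---------------------------------------------------------------
$overrides = @(Get-DefenderLocalOverrideState)
if ($overrides.Count -eq 0) {
    'No local setting override policies are Enabled; GPO-deployed settings cannot be changed locally (the default).'
} else {
    $overrides | Sort-Object Location, Setting | Format-Table -AutoSize
}

Get-DefenderListMergeState

# Effective exclusion lists as Defender sees them once merging has been applied.
# Anything here that is not in your GPO-defined lists was added locally.
Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess | Format-List
```

The script only reads policy state; it changes nothing. Comparing the ExclusionPath, ExclusionExtension and ExclusionProcess output against the lists defined in the deployed GPO is the quickest way to confirm whether disabling local list merging had the intended effect on a given endpoint.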

© 2017 Microsoft