Configure remediation for Microsoft Defender Antivirus detections
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus
Platforms
- Windows
When Microsoft Defender Antivirus runs a scan, it attempts to remediate or remove threats that are detected. Remediation actions can include removing a file, sending it to quarantine, or allowing it to remain. This article includes information and links to resources about specifying what actions should be taken when threats are detected on devices. You can choose from several methods, such as:
- Microsoft Intune
- Microsoft Configuration Manager
- Group Policy
- PowerShell or Windows Management Instrumentation (WMI)
Important
Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
If you are certain Microsoft Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See Restore quarantined files in Microsoft Defender Antivirus. To avoid this problem in the future, you can exclude files from the scans. See Configure and validate exclusions for Microsoft Defender Antivirus scans.
Also see Configure remediation-required scheduled full Microsoft Defender Antivirus scans for more remediation-related settings.
Configure remediation options using Intune
As a global or security administrator, go to the Intune admin center and sign in.
Under Manage, choose Antivirus.
Either create a new policy, or edit an existing policy using the following settings:
- Platform: Windows 10, Windows 11, and Windows Server
- Profile: Microsoft Defender Antivirus
For configuration settings, expand Defender, scroll down to Allow On Access Protection. and set it to Allowed.
Under Allow On Access Protection, select a remediation action for each level:
- High severity threats
- Severe threats
- Moderate severity threats
- Low severity threats
Specify the device groups that should receive this policy (such as All Devices).
Review your settings, and then choose Save.
For more information about antivirus policies in Intune, see Antivirus policy for endpoint security in Intune.
Configure remediation options using Configuration Manager
If you're using Configuration Manager, see the following articles:
Configure remediation options using Group Policy
On your Group Policy management computer, open the Group Policy Management Console, and edit the Group Policy Object you want to configure.
In the Group Policy Management Editor, go to Computer configuration and then select Administrative templates.
Expand the tree to Windows components > Microsoft Defender Antivirus.
Using the following table, edit the policy as needed.
Setting Description Default setting (if not configured) Scan
Create a system restore point.A system restore point is created each day before cleaning or scanning is attempted. Disabled Scan
Turn on removal of items from scan history folder.Specify how many days items should be kept in the scan history. 30 days Root
Turn off routine remediation.Specify whether Microsoft Defender Antivirus automatically remediates threats, or whether to prompt the user. Disabled. Threats are remediated automatically. Quarantine
Configure removal of items from Quarantine folder.Specify how many days items should be kept in quarantine before being removed. 90 days Threats
Specify threat alert levels at which default action shouldn't be taken when detected.Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored). Not applicable Threats
Specify threats upon which default action shouldn't be taken when detected.Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored. Not applicable Select OK.
Configure remediation options using PowerShell or WMI
You can also use the Set-MpPreference PowerShell cmdlet or MSFT_MpPreference WMI class to configure these settings.
See also
- Microsoft Defender for Endpoint on Mac
- Microsoft Defender for Endpoint on Linux
- Configure Defender for Endpoint on Android features
- Configure Microsoft Defender for Endpoint on iOS features
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for