{"id":2661,"date":"2013-10-26T00:01:00","date_gmt":"2013-10-26T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2013\/10\/26\/weekend-scripter-use-powershell-to-configure-windows-defender-preferences\/"},"modified":"2013-10-26T00:01:00","modified_gmt":"2013-10-26T00:01:00","slug":"weekend-scripter-use-powershell-to-configure-windows-defender-preferences","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/weekend-scripter-use-powershell-to-configure-windows-defender-preferences\/","title":{"rendered":"Weekend Scripter: Use PowerShell to Configure Windows Defender Preferences"},"content":{"rendered":"<p><strong>Summary<\/strong>: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to configure Windows Defender preferences.<\/p>\n<p>Microsoft Scripting Guy, Ed Wilson, is here. Today is the day. It is time for <a href=\"http:\/\/powershellsaturday.com\/005\/\" target=\"_blank\">PowerShell Saturday #005 in Atlanta<\/a>. This fifth Windows PowerShell Saturday conference is a sell out like the four previous ones. It is really exciting to see IT pros give up a Saturday to learn about this exciting technology. In reality, they are not giving up much, because the sessions are exciting, useful, and practical. If you missed this one, don&rsquo;t despair, because <a href=\"http:\/\/powershellsaturday.com\/\" target=\"_blank\">Windows PowerShell Saturday #007 is going to be in Charlotte, North Carolina<\/a>, and the roster of speakers is stellar! If you did make it to Atlanta, make sure you thank Mark Schill for all the hard work he has put into making this event a reality. If not for him, there would be no Windows PowerShell Saturday event in Atlanta. It is so cool how the power of the community steps in and makes these things a reality. 
Of course, also come by and say hi to the Scripting Wife and me.<\/p>\n<p><strong>Note<\/strong> &nbsp;This is the fifth in a series of posts about the Windows Defender module in Windows&nbsp;8.1. For more information, please see:<\/p>\n<ul>\n<li><a href=\"http:\/\/blogs.technet.com\/b\/heyscriptingguy\/archive\/2013\/10\/22\/exploring-the-windows-defender-catalog.aspx\" target=\"_blank\">Exploring the Windows Defender Catalog<\/a>.<\/li>\n<li><a href=\"http:\/\/blogs.technet.com\/b\/heyscriptingguy\/archive\/2013\/10\/23\/use-powershell-to-explore-windows-defender-preferences.aspx\" target=\"_blank\">Use PowerShell to Explore Windows Defender Preferences<\/a><\/li>\n<li><a href=\"http:\/\/blogs.technet.com\/b\/heyscriptingguy\/archive\/2013\/10\/24\/use-powershell-to-update-windows-defender-signatures.aspx\" target=\"_blank\">Use PowerShell to Update Windows Defender Signatures<\/a><\/li>\n<li><a href=\"http:\/\/blogs.technet.com\/b\/heyscriptingguy\/archive\/2013\/10\/25\/use-powershell-to-see-what-windows-defender-detected.aspx\" target=\"_blank\">Use PowerShell to See What Windows Defender Detected<\/a><\/li>\n<\/ul>\n<p>The other day, I wrote a post about exploring Windows Defender preferences. For my network, the defaults are just fine. But what if I needed to make changes? How would I do that? The cool thing is that with the Windows Defender module in Windows&nbsp;8.1, I can use Windows PowerShell&nbsp;4.0 to make the changes. The Windows Defender module is a CIM wrapper for new WMI classes, and so they remote by using the WinRM protocol that CIM utilizes. For information about using CIM against remote computers, see these <a href=\"http:\/\/social.technet.microsoft.com\/Search\/en-US?query=CIM&amp;beta=0&amp;rn=Hey%2c+Scripting+Guy!+Blog&amp;rq=site:blogs.technet.com\/b\/heyscriptingguy\/&amp;ac=4\" target=\"_blank\">Hey, Scripting Guy! Blog posts<\/a>.<\/p>\n<p>Configuring Windows Defender with Windows PowerShell is easy. 
You use the <strong>Set-MpPreference<\/strong> function. Everything you need to do is exposed as a parameter. This is good news, and also a bit of bad news, because the syntax is really, really long. Here is the syntax of the <strong>Set-MpPreference<\/strong> function.<\/p>\n<p style=\"padding-left: 30px\">PS C:\\&gt; get-help Set-MpPreference | select -expand syntax<\/p>\n<p style=\"padding-left: 30px\">&nbsp;<\/p>\n<p style=\"padding-left: 30px\">Set-MpPreference [-AsJob] [-CheckForSignaturesBeforeRunningScan &lt;Boolean&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-CimSession &lt;CimSession[]&gt;] [-DisableArchiveScanning &lt;Boolean&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-DisableBehaviorMonitoring &lt;Boolean&gt;] [-DisableCatchupFullScan &lt;Boolean&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-DisableCatchupQuickScan &lt;Boolean&gt;] [-DisableEmailScanning &lt;Boolean&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-DisableIntrusionPreventionSystem &lt;Boolean&gt;] [-DisableIOAVProtection &lt;Boolean&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-DisablePrivacyMode &lt;Boolean&gt;] [-DisableRealtimeMonitoring &lt;Boolean&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-DisableRemovableDriveScanning &lt;Boolean&gt;] [-DisableRestorePoint &lt;Boolean&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-DisableScanningMappedNetworkDrivesForFullScan &lt;Boolean&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-DisableScanningNetworkFiles &lt;Boolean&gt;] [-DisableScriptScanning &lt;Boolean&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-ExclusionExtension &lt;String[]&gt;] [-ExclusionPath &lt;String[]&gt;] [-ExclusionProcess<\/p>\n<p style=\"padding-left: 30px\">&lt;String[]&gt;] [-Force] [-HighThreatDefaultAction &lt;ThreatAction&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-LowThreatDefaultAction &lt;ThreatAction&gt;] [-MAPSReporting &lt;MAPSReportingType&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-ModerateThreatDefaultAction &lt;ThreatAction&gt;] 
[-QuarantinePurgeItemsAfterDelay<\/p>\n<p style=\"padding-left: 30px\">&lt;UInt32&gt;] [-RandomizeScheduleTaskTimes &lt;Boolean&gt;] [-RealTimeScanDirection<\/p>\n<p style=\"padding-left: 30px\">&lt;ScanDirection&gt;] [-RemediationScheduleDay &lt;Day&gt;] [-RemediationScheduleTime<\/p>\n<p style=\"padding-left: 30px\">&lt;DateTime&gt;] [-ReportingAdditionalActionTimeOut &lt;UInt32&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-ReportingCriticalFailureTimeOut &lt;UInt32&gt;] [-ReportingNonCriticalTimeOut &lt;UInt32&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-ScanAvgCPULoadFactor &lt;Byte&gt;] [-ScanOnlyIfIdleEnabled &lt;Boolean&gt;] [-ScanParameters<\/p>\n<p style=\"padding-left: 30px\">&lt;ScanType&gt;] [-ScanPurgeItemsAfterDelay &lt;UInt32&gt;] [-ScanScheduleDay &lt;Day&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-ScanScheduleQuickScanTime &lt;DateTime&gt;] [-ScanScheduleTime &lt;DateTime&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-SevereThreatDefaultAction &lt;ThreatAction&gt;] [-SignatureAuGracePeriod &lt;UInt32&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-SignatureDefinitionUpdateFileSharesSources &lt;String&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-SignatureDisableUpdateOnStartupWithoutEngine &lt;Boolean&gt;] [-SignatureFallbackOrder<\/p>\n<p style=\"padding-left: 30px\">&lt;String&gt;] [-SignatureFirstAuGracePeriod &lt;UInt32&gt;] [-SignatureScheduleDay &lt;Day&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-SignatureScheduleTime &lt;DateTime&gt;] [-SignatureUpdateCatchupInterval &lt;UInt32&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-SignatureUpdateInterval &lt;UInt32&gt;] [-ThreatIDDefaultAction_Actions<\/p>\n<p style=\"padding-left: 30px\">&lt;ThreatAction[]&gt;] [-ThreatIDDefaultAction_Ids &lt;Int64[]&gt;] [-ThrottleLimit &lt;Int32&gt;]<\/p>\n<p style=\"padding-left: 30px\">[-UILockdown &lt;Boolean&gt;] [-UnknownThreatDefaultAction &lt;ThreatAction&gt;]<\/p>\n<p style=\"padding-left: 30px\">[&lt;CommonParameters&gt;]<\/p>\n<h2>Making a simple 
change<\/h2>\n<p>So I see something I would like to change. By default, Windows Defender in Windows&nbsp;8.1 does not check for a signature update prior to initiating a scan. I would like it to make sure that it has the latest signature before scanning. So how do I do that?<\/p>\n<p>First I check to see what the current value is. I use the <strong>Get-MpPreference<\/strong> function to do this. Here is the command I use:<\/p>\n<p style=\"padding-left: 30px\">PS C:\\&gt; (Get-MpPreference).CheckForSignaturesBeforeRunningScan<\/p>\n<p style=\"padding-left: 30px\">False<\/p>\n<p>Now, I use <strong>Set-MpPreference<\/strong> to set the value of the parameter to <strong>$true<\/strong> to cause it to check first. Unfortunately, an error occurs. Here is the command and the error message:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/5280.HSG-10-26-13-01.png\"><img decoding=\"async\" title=\"Image of error message\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/5280.HSG-10-26-13-01.png\" alt=\"Image of error message\" \/><\/a><\/p>\n<p>Oh, yeah. That makes sense. I need to have Admin rights to make a configuration change to Windows Defender. So I right-click the Windows PowerShell console icon, and select <strong>Run as administrator<\/strong> from the action menu. I say OK to the UAC prompt, and run the commands again. Here is the command I use to set the check before scan value:<\/p>\n<p style=\"padding-left: 30px\">Set-MpPreference -CheckForSignaturesBeforeRunningScan $true<\/p>\n<p>Now, I click the Up arrow and re-run the <strong>Get-MpPreference<\/strong> command. Everything is groovy. 
Here is the output from the commands:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/4428.HSG-10-26-13-02.png\"><img decoding=\"async\" title=\"Image of command output\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/4428.HSG-10-26-13-02.png\" alt=\"Image of command output\" \/><\/a><\/p>\n<p>Interestingly enough, this particular setting is not one that is available via the graphical user interface.<\/p>\n<p>Another setting that I want to change is the one to scan any attached removable drives when Windows Defender does a full scan. It is also one that could be changed via the graphical user interface. How do I make that change? Easy. I need to find the parameter and modify the value.<\/p>\n<p>So I use <strong>Get-MpPreference<\/strong> and look for something that makes sense.<\/p>\n<p>I found it! It is called <strong>DisableRemovableDriveScanning<\/strong>. Cool. Here is the screen output I used to find this property:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/6835.HSG-10-26-13-03.png\"><img decoding=\"async\" title=\"Image of command output\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/6835.HSG-10-26-13-03.png\" alt=\"Image of command output\" \/><\/a><\/p>\n<p>Now all I need to do is to use the <strong>Set-MpPreference<\/strong> function to modify the <strong>DisableRemovableDriveScanning<\/strong> parameter. Because of the way the function is designed, this is really easy. I press the <strong>Tab<\/strong> key to look through the parameters until I find it, and then I set it to <strong>$false<\/strong>. Here is the command:<\/p>\n<p style=\"padding-left: 30px\">Set-MpPreference -DisableRemovableDriveScanning $false<\/p>\n<p>I use the <strong>Get-MpPreference<\/strong> function to ensure the command worked. 
The following image illustrates the command and the output.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/4137.HSG-10-26-13-04.png\"><img decoding=\"async\" title=\"Image of command output\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/4137.HSG-10-26-13-04.png\" alt=\"Image of command output\" \/><\/a><\/p>\n<p>This time, I can use the Windows Defender GUI to check to ensure that my change actually worked. I type <em>Defender<\/em> on the Start page of my Windows&nbsp;8.1 device, and go to the <strong>Settings<\/strong> tab. Sure enough, it worked&mdash;as shown in the following image:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/6747.HSG-10-26-13-05.png\"><img decoding=\"async\" title=\"Image of menu\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/6747.HSG-10-26-13-05.png\" alt=\"Image of menu\" \/><\/a><\/p>\n<p>And that is all there is to using Windows PowerShell&nbsp;4.0 in Windows&nbsp;8.1 to make changes to Windows Defender. Remember, because these are CIM functions, I can do this to remote devices easily by creating a CIM session, and connecting there. Because these CIM functions wrap WMI classes that are not available on down-level systems, you need to upgrade your devices to Windows&nbsp;8.1 before you can use Windows PowerShell to remotely manage Windows Defender.<\/p>\n<p>Hope to see you in Atlanta today.<\/p>\n<p>I invite you to follow me on <a href=\"http:\/\/bit.ly\/scriptingguystwitter\" target=\"_blank\">Twitter<\/a> and <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\">Facebook<\/a>. If you have any questions, send email to me at <a href=\"mailto:scripter@microsoft.com\" target=\"_blank\">scripter@microsoft.com<\/a>, or post your questions on the <a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\">Official Scripting Guys Forum<\/a>. See you tomorrow. 
Until then, peace.<\/p>\n<p><strong>Ed Wilson, Microsoft Scripting Guy<\/strong>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to configure Windows Defender preferences. Microsoft Scripting Guy, Ed Wilson, is here. Today is the day. It is time for PowerShell Saturday #005 in Atlanta. This fifth Windows PowerShell Saturday conference is a sell out like the four previous ones. It is really exciting [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[459,462,3,63,61,461,45],"class_list":["post-2661","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-defender","tag-powershell-4-0","tag-scripting-guy","tag-security","tag-weekend-scripter","tag-windows-8-1","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to configure Windows Defender preferences. Microsoft Scripting Guy, Ed Wilson, is here. Today is the day. It is time for PowerShell Saturday #005 in Atlanta. This fifth Windows PowerShell Saturday conference is a sell out like the four previous ones. 
It is really exciting [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2661","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=2661"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2661\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=2661"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=2661"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=2661"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}