Evaluate Microsoft Defender Antivirus using Group Policy

Applies to:


  • Windows

In Windows 10 or newer and Windows Server 2016 or newer, you can use next-generation protection features offered by Microsoft Defender Antivirus (MDAV) and Microsoft Defender Exploit Guard (Microsoft Defender EG).

This article explains how to enable and test the key protection features in Microsoft Defender AV and Microsoft Defender EG and provides you with guidance and links to more information.

This article describes configuration options in Windows 10 or newer and Windows Server 2016 or newer.

Use Group Policy to enable the Microsoft Defender Antivirus features

This guide provides the Microsoft Defender Antivirus Group Policy that configures the features you should use to evaluate our protection.

  1. Grab the latest 'Windows Group Policy Administrative Templates.'

    For more information, see Create and manage Central Store - Windows Client.

    1. The Windows client templates also cover Windows Server.
    2. Even if you're running Windows 10 or Windows Server 2016, get the latest administrative templates for Windows 11 or newer.

  2. Create a 'Central Store' to host the latest .admx and .adml templates.

    For more information, see Create and manage Central Store - Windows Client.

    If joined to a domain:

    1. Create a new OU and block policy inheritance on it.
    2. Open Group Policy Management Console (GPMC.msc).
    3. Go to Group Policy Objects and create a new Group Policy.
    4. Right-click the new policy and select Edit.
    5. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus.

    If joined to a workgroup:

    1. Open Group Policy Editor MMC (GPEdit.msc).
    2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus.

MDAV and Potentially Unwanted Applications (PUA)


Description | Setting
--- | ---
Turn off Microsoft Defender Antivirus | Disabled
Configure detection for potentially unwanted applications | Enabled - Block

Real-time protection (always-on protection, real-time scanning)

\Real-time protection:

Description | Setting
--- | ---
Turn off real-time protection | Disabled
Configure monitoring for incoming and outgoing file and program activity | Enabled, bi-directional (full on-access)
Turn on Behavior Monitoring | Enabled
Monitor file and program activity on your computer | Enabled

Cloud protection features

Standard security intelligence updates can take hours to prepare and deliver; our cloud-delivered protection service can deliver this protection in seconds.

For more information, see Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection.


Description | Setting
--- | ---
Join Microsoft MAPS | Enabled, Advanced MAPS
Configure the 'Block at First Sight' feature | Enabled
Send file samples when further analysis is required | Enabled, Send all samples

Description | Setting
--- | ---
Select cloud protection level | Enabled, High blocking level
Configure extended cloud check | Enabled, 50

Description | Setting
--- | ---
Turn on Heuristics | Enabled
Turn on e-mail scanning | Enabled
Scan all downloaded files and attachments | Enabled
Turn on script scanning | Enabled
Scan archive files | Enabled
Scan packed executables | Enabled
Configure scanning of network files (Scan Network Files) | Enabled
Scan removable drives | Enabled
Turn on reparse point scanning | Enabled

Security Intelligence updates

Description | Setting
--- | ---
Specify the interval to check for security intelligence updates | Enabled, 4
Define the order of sources for downloading security intelligence updates | Enabled, with the order under 'Define the order of sources for downloading security intelligence updates' set to the value below

InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC

Note: InternalDefinitionUpdateServer is WSUS with Microsoft Defender Antivirus updates allowed; MicrosoftUpdateServer is Microsoft Update (formerly Windows Update); MMPC is https://www.microsoft.com/en-us/wdsi/definitions.

Disable local administrator AV settings

Disable local administrator AV settings such as exclusions, and enforce the policies from the Microsoft Defender for Endpoint Security Settings Management.


Description | Setting
--- | ---
Configure local administrator merge behavior for lists | Disabled
Control whether or not exclusions are visible to local admins | Enabled

Threat Severity Default Action


Description | Setting
--- | ---
Specify threat alert levels at which default action shouldn't be taken when detected | Enabled, with the alert levels and actions below

Alert level | Action
--- | ---
5 (Severe) | 2 (Quarantine)
4 (High) | 2 (Quarantine)
2 (Medium) | 2 (Quarantine)
1 (Low) | 2 (Quarantine)

Description | Setting
--- | ---
Configure removal of items from Quarantine folder | Enabled, 60

\Client Interface

Description | Setting
--- | ---
Enable headless UI mode | Disabled

Network Protection

\Microsoft Defender Exploit Guard\Network Protection:

Description | Setting
--- | ---
Prevent users and apps from accessing dangerous websites | Enabled, Block
This setting controls whether Network Protection can be configured into block or audit mode on Windows Server | Enabled

For now, to enable Network Protection on Windows Server, use PowerShell:

OS | PowerShell cmdlet
--- | ---
Windows Server 2012 R2 and later | set-MpPreference -AllowNetworkProtectionOnWinServer $true
Windows Server 2016 and Windows Server 2012 R2 unified MDE client | set-MpPreference -AllowNetworkProtectionOnWinServer $true; set-MpPreference -AllowNetworkProtectionDownLevel $true

Attack Surface Reduction Rules

  1. Navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction.

  2. Select Next.

Description | Setting
--- | ---
Block executable content from email client and webmail | 1 (Block)
Block Adobe Reader from creating child processes | 1 (Block)
Block execution of potentially obfuscated scripts | 1 (Block)
Block abuse of exploited vulnerable signed drivers | 1 (Block)
Block Win32 API calls from Office macros | 1 (Block)
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 1 (Block)
Block Office communication application from creating child processes | 1 (Block)
Block all Office applications from creating child processes | 1 (Block)
[PREVIEW] Block use of copied or impersonated system tools | 1 (Block)
Block JavaScript or VBScript from launching downloaded executable content | 1 (Block)
Block credential stealing from the Windows local security authority subsystem | 1 (Block)
Block Web shell creation for Servers | 1 (Block)
Block Office applications from creating executable content | 1 (Block)
Block untrusted and unsigned processes that run from USB | 1 (Block)
Block Office applications from injecting code into other processes | 1 (Block)
Block persistence through WMI event subscription | 1 (Block)
Use advanced protection against ransomware | 1 (Block)
Block process creations originating from PSExec and WMI commands | 1 (Block)
[PREVIEW] Block rebooting machine in Safe Mode | 1 (Block)

Note: For 'Block process creations originating from PSExec and WMI commands', if you have Configuration Manager (formerly SCCM) or other management tools that use WMI, you might need to set this rule to 2 ('audit') instead of 1 ('block').


Some rules might block behavior you find acceptable in your organization. In these cases, change the rule from 'Enabled' to 'Audit' to prevent unwanted blocks.

Controlled Folder Access

Navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction.

Description | Setting
--- | ---
Configure Controlled Folder Access | Enabled, Block

Assign the policies to the OU where the test machines are located.

Enable Tamper Protection

In the Microsoft XDR portal (security.microsoft.com), go to Settings > Endpoints > Advanced features > Tamper Protection > On.

For more information, see How do I configure or manage tamper protection?.
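As an added check (this script is not part of the original article or of the Defender product documentation), the following PowerShell reads the effective Defender state of a test machine with Get-MpPreference and Get-MpComputerStatus, compares it with the evaluation settings configured above, and lists the configured Attack Surface Reduction rules with their actions. It assumes the documented numeric encodings of those properties (for example MAPSReporting 2 = Advanced MAPS, SubmitSamplesConsent 3 = Send all samples, CloudBlockLevel 2 = High, and 1 = Enabled/Block for PUA, Network Protection and Controlled Folder Access) and that the machine has already received the policy; run it elevated after gpupdate /force.

```powershell
# Added example, not part of the original article: compare the effective
# Microsoft Defender Antivirus state of a test machine with the evaluation
# settings configured through Group Policy. Run elevated after 'gpupdate /force'.
# Expected values use the documented Get-MpPreference encodings (assumed here):
# MAPSReporting 2 = Advanced, SubmitSamplesConsent 3 = Send all samples,
# CloudBlockLevel 2 = High, PUAProtection / EnableNetworkProtection /
# EnableControlledFolderAccess 1 = Enabled (Block), RealTimeScanDirection 0 = both.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# One entry per policy row: the article's setting, the live value, the expected value.
$checks = @(
    @{ Name = 'Microsoft Defender Antivirus running'; Actual = $status.AMServiceEnabled;                  Expected = $true }
    @{ Name = 'PUA detection: Block';                  Actual = [int]$pref.PUAProtection;                  Expected = 1 }
    @{ Name = 'Real-time protection on';               Actual = $status.RealTimeProtectionEnabled;         Expected = $true }
    @{ Name = 'Monitoring bi-directional';             Actual = [int]$pref.RealTimeScanDirection;          Expected = 0 }
    @{ Name = 'Behavior monitoring on';                Actual = $status.BehaviorMonitorEnabled;            Expected = $true }
    @{ Name = 'Join MAPS: Advanced';                   Actual = [int]$pref.MAPSReporting;                  Expected = 2 }
    @{ Name = 'Block at First Sight on';               Actual = -not $pref.DisableBlockAtFirstSeen;        Expected = $true }
    @{ Name = 'Send all samples';                      Actual = [int]$pref.SubmitSamplesConsent;           Expected = 3 }
    @{ Name = 'Cloud protection level: High';          Actual = [int]$pref.CloudBlockLevel;                Expected = 2 }
    @{ Name = 'Extended cloud check: 50 s';            Actual = [int]$pref.CloudExtendedTimeout;           Expected = 50 }
    @{ Name = 'Scan downloads and attachments';        Actual = -not $pref.DisableIOAVProtection;          Expected = $true }
    @{ Name = 'Script scanning on';                    Actual = -not $pref.DisableScriptScanning;          Expected = $true }
    @{ Name = 'Archive scanning on';                   Actual = -not $pref.DisableArchiveScanning;         Expected = $true }
    @{ Name = 'Removable drive scanning on';           Actual = -not $pref.DisableRemovableDriveScanning;  Expected = $true }
    @{ Name = 'E-mail scanning on';                    Actual = -not $pref.DisableEmailScanning;           Expected = $true }
    @{ Name = 'Update check interval: 4 h';            Actual = [int]$pref.SignatureUpdateInterval;        Expected = 4 }
    @{ Name = 'Update source order';                   Actual = $pref.SignatureFallbackOrder;              Expected = 'InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC' }
    @{ Name = 'Local admin merge disabled';            Actual = $pref.DisableLocalAdminMerge;              Expected = $true }
    @{ Name = 'Quarantine purge: 60 days';             Actual = [int]$pref.QuarantinePurgeItemsAfterDelay; Expected = 60 }
    @{ Name = 'Network Protection: Block';             Actual = [int]$pref.EnableNetworkProtection;        Expected = 1 }
    @{ Name = 'Controlled Folder Access: Block';       Actual = [int]$pref.EnableControlledFolderAccess;   Expected = 1 }
    @{ Name = 'Tamper protection on';                  Actual = $status.IsTamperProtected;                 Expected = $true }
)

# Build one row per check; a missing property reads as $null and so shows as MISMATCH.
$results = foreach ($c in $checks) {
    $ok = ($c.Expected -eq $c.Actual)
    [pscustomobject]@{
        Check    = $c.Name
        Expected = $c.Expected
        Actual   = $c.Actual
        Result   = $(if ($ok) { 'OK' } else { 'MISMATCH' })
    }
}
$results | Format-Table -AutoSize

# Attack Surface Reduction rules: print each configured rule ID with its action
# (0 = Off, 1 = Block, 2 = Audit, 6 = Warn). The article sets every rule to 1,
# with 2 reserved for the PSExec/WMI rule where WMI-based management needs it.
$actionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
if ($null -ne $pref.AttackSurfaceReductionRules_Ids) {
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        '{0}  {1} ({2})' -f $ids[$i], $code, $actionNames[$code]
    }
} else {
    'No Attack Surface Reduction rules are configured.'
}

if ($results.Result -contains 'MISMATCH') {
    Write-Warning 'One or more settings differ from the evaluation baseline; check for a conflicting policy or a local override.'
}
```

A MISMATCH row on a machine that has received the policy usually points at a conflicting policy or a locally applied preference, which is the situation the troubleshooting guidance later on this page addresses. Because Get-MpPreference reports the merged, effective configuration rather than the GPO contents, it is the right place to confirm what the engine is actually enforcing.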

Check the Cloud Protection network connectivity

It's important to check that the Cloud Protection network connectivity is working during your pen testing.

CMD (Run as admin)

cd "C:\Program Files\Windows Defender"
MpCmdRun.exe -ValidateMapsConnection

For more information, see Use the cmdline tool to validate cloud-delivered protection.

Check the Platform Update version

The latest 'Platform Update' version Production channel (GA) is available here:

Microsoft Update Catalog

To check which 'Platform Update' version is installed, use the following PowerShell command (Run as admin):

get-mpComputerStatus | ft AMProductVersion

Check the Security Intelligence Update version

The latest 'Security Intelligence Update' version is available here:

Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware - Microsoft Security Intelligence

To check which 'Security Intelligence Update' version is installed, use the following PowerShell command (Run as admin):

get-mpComputerStatus | ft AntivirusSignatureVersion

Check the Engine Update version

The latest scan 'engine update' version is available here:

Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware - Microsoft Security Intelligence

To check which 'Engine Update' version is installed, use the following PowerShell command (Run as admin):

get-mpComputerStatus | ft AMEngineVersion

If you're finding that your settings aren't taking effect, you might have a conflict. To resolve conflicts, see Troubleshoot Microsoft Defender Antivirus settings.

False negative (FN) submissions

If you have any questions about a detection that Microsoft Defender AV makes, or you discover a missed detection, you can submit a file to us.

If you have Microsoft XDR, Microsoft Defender for Endpoint P2/P1, or Microsoft Defender for Business, see Submit files in Microsoft Defender for Endpoint.

If you have Microsoft Defender Antivirus only, see: https://www.microsoft.com/security/portal/mmpc/help/submission-help.aspx

Microsoft Defender AV indicates a detection through standard Windows notifications. You can also review detections in the Microsoft Defender AV app.

The Windows event log also records detection and engine events. See the Microsoft Defender Antivirus events article for a list of event IDs and their corresponding actions.
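As an added example (not from the original article or the Defender events article it links), this PowerShell script pulls recent detection, Attack Surface Reduction, Controlled Folder Access, Network Protection and configuration-change events from the Microsoft-Windows-Windows Defender/Operational log and summarizes them, which is a quick way to confirm that a test actually produced the block or audit event you expected. It assumes the documented Defender operational event IDs listed in the script and that those events expose named data fields such as 'Threat Name', 'Path', 'Process Name' and 'ID' in their XML; any field a given event lacks simply shows as empty.

```powershell
# Added example, not part of the original article: summarize recent Microsoft
# Defender Antivirus detection and Exploit Guard events on a test machine.
# Run elevated. Event IDs below are the documented Defender operational-log IDs
# (assumed here); data field names are read from each event's own XML.

param([int]$Hours = 24)

$logName = 'Microsoft-Windows-Windows Defender/Operational'

# Event IDs of interest, grouped by what the evaluation exercises.
$eventIds = @{
    1116 = 'Malware detected'
    1117 = 'Action taken on malware'
    1121 = 'ASR rule blocked'
    1122 = 'ASR rule audited'
    1123 = 'Controlled Folder Access blocked'
    1124 = 'Controlled Folder Access audited'
    1125 = 'Network Protection audited'
    1126 = 'Network Protection blocked'
    5007 = 'Configuration changed'
}

$filter = @{
    LogName   = $logName
    Id        = @($eventIds.Keys)
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent reports an error when nothing matches; treat that as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

function ConvertTo-DataHash {
    # Pull the named <Data> elements out of an event's XML so the output does
    # not depend on the wording of the localized, human-readable message.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = [ordered]@{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $h[$d.Name] = $d.'#text' }
    }
    return $h
}

# Field names below ('Threat Name', 'Path', 'Process Name', 'ID') are the
# assumed Defender event data names; a field absent from an event stays empty.
$rows = foreach ($e in $events) {
    $data = ConvertTo-DataHash -Event $e
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Category = $eventIds[$e.Id]
        Threat   = $data['Threat Name']
        Path     = $data['Path']
        Process  = $data['Process Name']
        RuleId   = $data['ID']
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# A per-category count makes it obvious whether the expected block (or audit)
# event fired, and whether a 5007 configuration change coincided with a test.
$rows | Group-Object Category | Select-Object Name, Count | Format-Table -AutoSize
```

Run it as a script file with an optional -Hours argument to widen the window. Event 5007 is worth watching during an evaluation: a configuration change you did not make usually means another policy or management tool is overriding the Group Policy settings.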

If your settings aren't applied properly, find out if there are conflicting policies that are enabled in your environment. For more information, see Troubleshoot Microsoft Defender Antivirus settings.

If you need to open a Microsoft support case: Contact Microsoft Defender for Endpoint support.