TBD

Example

Do not run the example code below just to see what happens. Many methods seriously affect your system. Always make sure you understand what the method and the code actually do.

# define the arguments you want to submit to the method
# remove values that you do not want to submit
# make sure you replace values with meaningful content before running the code
# see section "Parameters" below for a description of each argument.
$arguments = @{
    AttackSurfaceReductionOnlyExclusions = 'someText'  # replace 'someText' with meaningful text
    AttackSurfaceReductionRules_Actions = [Byte[]](12345)  # replace 12345 with a meaningful value
    AttackSurfaceReductionRules_Ids = 'someText'  # replace 'someText' with meaningful text
    CheckForSignaturesBeforeRunningScan = [Boolean](12345)  # replace 12345 with a meaningful value
    CloudBlockLevel = [Byte](12345)  # replace 12345 with a meaningful value
    CloudExtendedTimeout = [UInt32](12345)  # replace 12345 with a meaningful value
    ControlledFolderAccessAllowedApplications = 'someText'  # replace 'someText' with meaningful text
    ControlledFolderAccessProtectedFolders = 'someText'  # replace 'someText' with meaningful text
    DisableArchiveScanning = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableAutoExclusions = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableBehaviorMonitoring = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableBlockAtFirstSeen = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableCatchupFullScan = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableCatchupQuickScan = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableEmailScanning = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableIntrusionPreventionSystem = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableIOAVProtection = [Boolean](12345)  # replace 12345 with a meaningful value
    DisablePrivacyMode = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableRealtimeMonitoring = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableRemovableDriveScanning = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableRestorePoint = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableScanningMappedNetworkDrivesForFullScan = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableScanningNetworkFiles = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableScriptScanning = [Boolean](12345)  # replace 12345 with a meaningful value
    EnableControlledFolderAccess = [Byte](12345)  # replace 12345 with a meaningful value
    EnableFileHashComputation = [Boolean](12345)  # replace 12345 with a meaningful value
    EnableLowCpuPriority = [Boolean](12345)  # replace 12345 with a meaningful value
    EnableNetworkProtection = [Byte](12345)  # replace 12345 with a meaningful value
    ExclusionExtension = 'someText'  # replace 'someText' with meaningful text
    ExclusionPath   = 'someText'  # replace 'someText' with meaningful text
    ExclusionProcess = 'someText'  # replace 'someText' with meaningful text
    Force           = [Boolean](12345)  # replace 12345 with a meaningful value
    HighThreatDefaultAction = [Byte](12345)  # replace 12345 with a meaningful value
    LowThreatDefaultAction = [Byte](12345)  # replace 12345 with a meaningful value
    MAPSReporting   = [Byte](12345)  # replace 12345 with a meaningful value
    ModerateThreatDefaultAction = [Byte](12345)  # replace 12345 with a meaningful value
    PUAProtection   = [Byte](12345)  # replace 12345 with a meaningful value
    QuarantinePurgeItemsAfterDelay = [UInt32](12345)  # replace 12345 with a meaningful value
    RandomizeScheduleTaskTimes = [Boolean](12345)  # replace 12345 with a meaningful value
    RealTimeScanDirection = [Byte](12345)  # replace 12345 with a meaningful value
    RemediationScheduleDay = [Byte](12345)  # replace 12345 with a meaningful value
    RemediationScheduleTime = [DateTime](12345)  # replace 12345 with a meaningful value
    ReportingAdditionalActionTimeOut = [UInt32](12345)  # replace 12345 with a meaningful value
    ReportingCriticalFailureTimeOut = [UInt32](12345)  # replace 12345 with a meaningful value
    ReportingNonCriticalTimeOut = [UInt32](12345)  # replace 12345 with a meaningful value
    ScanAvgCPULoadFactor = [Byte](12345)  # replace 12345 with a meaningful value
    ScanOnlyIfIdleEnabled = [Boolean](12345)  # replace 12345 with a meaningful value
    ScanParameters  = [Byte](12345)  # replace 12345 with a meaningful value
    ScanPurgeItemsAfterDelay = [UInt32](12345)  # replace 12345 with a meaningful value
    ScanScheduleDay = [Byte](12345)  # replace 12345 with a meaningful value
    ScanScheduleQuickScanTime = [DateTime](12345)  # replace 12345 with a meaningful value
    ScanScheduleTime = [DateTime](12345)  # replace 12345 with a meaningful value
    SevereThreatDefaultAction = [Byte](12345)  # replace 12345 with a meaningful value
    SharedSignaturesPath = 'someText'  # replace 'someText' with meaningful text
    SignatureAuGracePeriod = [UInt32](12345)  # replace 12345 with a meaningful value
    SignatureDefinitionUpdateFileSharesSources = 'someText'  # replace 'someText' with meaningful text
    SignatureDisableUpdateOnStartupWithoutEngine = [Boolean](12345)  # replace 12345 with a meaningful value
    SignatureFallbackOrder = 'someText'  # replace 'someText' with meaningful text
    SignatureFirstAuGracePeriod = [UInt32](12345)  # replace 12345 with a meaningful value
    SignatureScheduleDay = [Byte](12345)  # replace 12345 with a meaningful value
    SignatureScheduleTime = [DateTime](12345)  # replace 12345 with a meaningful value
    SignatureUpdateCatchupInterval = [UInt32](12345)  # replace 12345 with a meaningful value
    SignatureUpdateInterval = [UInt32](12345)  # replace 12345 with a meaningful value
    SubmitSamplesConsent = [Byte](12345)  # replace 12345 with a meaningful value
    ThreatIDDefaultAction_Actions = [Byte[]](12345)  # replace 12345 with a meaningful value
    ThreatIDDefaultAction_Ids = [Int64[]](12345)  # replace 12345 with a meaningful value
    UILockdown      = [Boolean](12345)  # replace 12345 with a meaningful value
    UnknownThreatDefaultAction = [Byte](12345)  # replace 12345 with a meaningful value
}


Invoke-CimMethod -ClassName MSFT_MpPreference -Namespace Root/Microsoft/Windows/Defender -MethodName Set -Arguments $arguments

To run this method on one or more remote systems, use New-CimSession:

$ComputerName = 'server12','server14'  # adjust to your server names
$Credential   = Get-Credential         # submit a user account with proper permissions

# define the arguments you want to submit to the method
# remove values that you do not want to submit
# make sure you replace values with meaningful content before running the code
# see section "Parameters" below for a description of each argument.
$arguments = @{
    AttackSurfaceReductionOnlyExclusions = 'someText'  # replace 'someText' with meaningful text
    AttackSurfaceReductionRules_Actions = [Byte[]](12345)  # replace 12345 with a meaningful value
    AttackSurfaceReductionRules_Ids = 'someText'  # replace 'someText' with meaningful text
    CheckForSignaturesBeforeRunningScan = [Boolean](12345)  # replace 12345 with a meaningful value
    CloudBlockLevel = [Byte](12345)  # replace 12345 with a meaningful value
    CloudExtendedTimeout = [UInt32](12345)  # replace 12345 with a meaningful value
    ControlledFolderAccessAllowedApplications = 'someText'  # replace 'someText' with meaningful text
    ControlledFolderAccessProtectedFolders = 'someText'  # replace 'someText' with meaningful text
    DisableArchiveScanning = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableAutoExclusions = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableBehaviorMonitoring = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableBlockAtFirstSeen = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableCatchupFullScan = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableCatchupQuickScan = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableEmailScanning = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableIntrusionPreventionSystem = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableIOAVProtection = [Boolean](12345)  # replace 12345 with a meaningful value
    DisablePrivacyMode = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableRealtimeMonitoring = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableRemovableDriveScanning = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableRestorePoint = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableScanningMappedNetworkDrivesForFullScan = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableScanningNetworkFiles = [Boolean](12345)  # replace 12345 with a meaningful value
    DisableScriptScanning = [Boolean](12345)  # replace 12345 with a meaningful value
    EnableControlledFolderAccess = [Byte](12345)  # replace 12345 with a meaningful value
    EnableFileHashComputation = [Boolean](12345)  # replace 12345 with a meaningful value
    EnableLowCpuPriority = [Boolean](12345)  # replace 12345 with a meaningful value
    EnableNetworkProtection = [Byte](12345)  # replace 12345 with a meaningful value
    ExclusionExtension = 'someText'  # replace 'someText' with meaningful text
    ExclusionPath   = 'someText'  # replace 'someText' with meaningful text
    ExclusionProcess = 'someText'  # replace 'someText' with meaningful text
    Force           = [Boolean](12345)  # replace 12345 with a meaningful value
    HighThreatDefaultAction = [Byte](12345)  # replace 12345 with a meaningful value
    LowThreatDefaultAction = [Byte](12345)  # replace 12345 with a meaningful value
    MAPSReporting   = [Byte](12345)  # replace 12345 with a meaningful value
    ModerateThreatDefaultAction = [Byte](12345)  # replace 12345 with a meaningful value
    PUAProtection   = [Byte](12345)  # replace 12345 with a meaningful value
    QuarantinePurgeItemsAfterDelay = [UInt32](12345)  # replace 12345 with a meaningful value
    RandomizeScheduleTaskTimes = [Boolean](12345)  # replace 12345 with a meaningful value
    RealTimeScanDirection = [Byte](12345)  # replace 12345 with a meaningful value
    RemediationScheduleDay = [Byte](12345)  # replace 12345 with a meaningful value
    RemediationScheduleTime = [DateTime](12345)  # replace 12345 with a meaningful value
    ReportingAdditionalActionTimeOut = [UInt32](12345)  # replace 12345 with a meaningful value
    ReportingCriticalFailureTimeOut = [UInt32](12345)  # replace 12345 with a meaningful value
    ReportingNonCriticalTimeOut = [UInt32](12345)  # replace 12345 with a meaningful value
    ScanAvgCPULoadFactor = [Byte](12345)  # replace 12345 with a meaningful value
    ScanOnlyIfIdleEnabled = [Boolean](12345)  # replace 12345 with a meaningful value
    ScanParameters  = [Byte](12345)  # replace 12345 with a meaningful value
    ScanPurgeItemsAfterDelay = [UInt32](12345)  # replace 12345 with a meaningful value
    ScanScheduleDay = [Byte](12345)  # replace 12345 with a meaningful value
    ScanScheduleQuickScanTime = [DateTime](12345)  # replace 12345 with a meaningful value
    ScanScheduleTime = [DateTime](12345)  # replace 12345 with a meaningful value
    SevereThreatDefaultAction = [Byte](12345)  # replace 12345 with a meaningful value
    SharedSignaturesPath = 'someText'  # replace 'someText' with meaningful text
    SignatureAuGracePeriod = [UInt32](12345)  # replace 12345 with a meaningful value
    SignatureDefinitionUpdateFileSharesSources = 'someText'  # replace 'someText' with meaningful text
    SignatureDisableUpdateOnStartupWithoutEngine = [Boolean](12345)  # replace 12345 with a meaningful value
    SignatureFallbackOrder = 'someText'  # replace 'someText' with meaningful text
    SignatureFirstAuGracePeriod = [UInt32](12345)  # replace 12345 with a meaningful value
    SignatureScheduleDay = [Byte](12345)  # replace 12345 with a meaningful value
    SignatureScheduleTime = [DateTime](12345)  # replace 12345 with a meaningful value
    SignatureUpdateCatchupInterval = [UInt32](12345)  # replace 12345 with a meaningful value
    SignatureUpdateInterval = [UInt32](12345)  # replace 12345 with a meaningful value
    SubmitSamplesConsent = [Byte](12345)  # replace 12345 with a meaningful value
    ThreatIDDefaultAction_Actions = [Byte[]](12345)  # replace 12345 with a meaningful value
    ThreatIDDefaultAction_Ids = [Int64[]](12345)  # replace 12345 with a meaningful value
    UILockdown      = [Boolean](12345)  # replace 12345 with a meaningful value
    UnknownThreatDefaultAction = [Byte](12345)  # replace 12345 with a meaningful value
}


$session = New-CimSession -ComputerName $ComputerName -Credential $Credential

Invoke-CimMethod -ClassName MSFT_MpPreference -Namespace Root/Microsoft/Windows/Defender -MethodName Set -Arguments $arguments -CimSession $session

Remove-CimSession -CimSession $session

Learn more about Invoke-CimMethod and invoking WMI methods.

Syntax

uint32 Set(
  [in] string   ExclusionPath[],
  [in] string   ExclusionExtension[],
  [in] string   ExclusionProcess[],
  [in] uint32   QuarantinePurgeItemsAfterDelay,
  [in] uint8    RealTimeScanDirection,
  [in] uint8    RemediationScheduleDay,
  [in] DateTime RemediationScheduleTime,
  [in] uint32   ReportingAdditionalActionTimeOut,
  [in] uint32   ReportingCriticalFailureTimeOut,
  [in] uint32   ReportingNonCriticalTimeOut,
  [in] uint8    ScanAvgCPULoadFactor,
  [in] boolean  CheckForSignaturesBeforeRunningScan,
  [in] uint32   ScanPurgeItemsAfterDelay,
  [in] boolean  ScanOnlyIfIdleEnabled,
  [in] uint8    ScanParameters,
  [in] uint8    ScanScheduleDay,
  [in] DateTime ScanScheduleQuickScanTime,
  [in] DateTime ScanScheduleTime,
  [in] uint32   SignatureFirstAuGracePeriod,
  [in] uint32   SignatureAuGracePeriod,
  [in] string   SignatureDefinitionUpdateFileSharesSources,
  [in] boolean  SignatureDisableUpdateOnStartupWithoutEngine,
  [in] string   SignatureFallbackOrder,
  [in] uint8    SignatureScheduleDay,
  [in] DateTime SignatureScheduleTime,
  [in] uint32   SignatureUpdateCatchupInterval,
  [in] uint32   SignatureUpdateInterval,
  [in] uint8    MAPSReporting,
       boolean  DisablePrivacyMode,
  [in] boolean  RandomizeScheduleTaskTimes,
  [in] boolean  DisableBehaviorMonitoring,
  [in] boolean  DisableIntrusionPreventionSystem,
  [in] boolean  DisableIOAVProtection,
  [in] boolean  DisableRealtimeMonitoring,
  [in] boolean  DisableScriptScanning,
  [in] boolean  DisableArchiveScanning,
  [in] boolean  DisableCatchupFullScan,
  [in] boolean  DisableCatchupQuickScan,
  [in] boolean  DisableEmailScanning,
  [in] boolean  DisableRemovableDriveScanning,
  [in] boolean  DisableRestorePoint,
  [in] boolean  DisableScanningMappedNetworkDrivesForFullScan,
  [in] boolean  DisableScanningNetworkFiles,
  [in] boolean  UILockdown,
  [in] sint64   ThreatIDDefaultAction_Ids[],
  [in] uint8    ThreatIDDefaultAction_Actions[],
  [in] uint8    UnknownThreatDefaultAction,
  [in] uint8    LowThreatDefaultAction,
  [in] uint8    ModerateThreatDefaultAction,
  [in] uint8    HighThreatDefaultAction,
  [in] uint8    SevereThreatDefaultAction,
  [in] boolean  Force
);

Parameters

Name Type Description
AttackSurfaceReductionOnlyExclusions String  
AttackSurfaceReductionRules_Actions UInt8[]  
AttackSurfaceReductionRules_Ids String  
CheckForSignaturesBeforeRunningScan Boolean  
CloudBlockLevel UInt8  
CloudExtendedTimeout UInt32  
ControlledFolderAccessAllowedApplications String  
ControlledFolderAccessProtectedFolders String  
DisableArchiveScanning Boolean  
DisableAutoExclusions Boolean  
DisableBehaviorMonitoring Boolean  
DisableBlockAtFirstSeen Boolean  
DisableCatchupFullScan Boolean  
DisableCatchupQuickScan Boolean  
DisableEmailScanning Boolean  
DisableIntrusionPreventionSystem Boolean  
DisableIOAVProtection Boolean  
DisablePrivacyMode Boolean  
DisableRealtimeMonitoring Boolean  
DisableRemovableDriveScanning Boolean  
DisableRestorePoint Boolean  
DisableScanningMappedNetworkDrivesForFullScan Boolean  
DisableScanningNetworkFiles Boolean  
DisableScriptScanning Boolean  
EnableControlledFolderAccess UInt8  
EnableFileHashComputation Boolean  
EnableLowCpuPriority Boolean  
EnableNetworkProtection UInt8  
ExclusionExtension String  
ExclusionPath String  
ExclusionProcess String  
Force Boolean  
HighThreatDefaultAction UInt8  
LowThreatDefaultAction UInt8  
MAPSReporting UInt8  
ModerateThreatDefaultAction UInt8  
PUAProtection UInt8  
QuarantinePurgeItemsAfterDelay UInt32  
RandomizeScheduleTaskTimes Boolean  
RealTimeScanDirection UInt8  
RemediationScheduleDay UInt8  
RemediationScheduleTime DateTime  
ReportingAdditionalActionTimeOut UInt32  
ReportingCriticalFailureTimeOut UInt32  
ReportingNonCriticalTimeOut UInt32  
ScanAvgCPULoadFactor UInt8  
ScanOnlyIfIdleEnabled Boolean  
ScanParameters UInt8  
ScanPurgeItemsAfterDelay UInt32  
ScanScheduleDay UInt8  
ScanScheduleQuickScanTime DateTime  
ScanScheduleTime DateTime  
SevereThreatDefaultAction UInt8  
SharedSignaturesPath String  
SignatureAuGracePeriod UInt32  
SignatureDefinitionUpdateFileSharesSources String  
SignatureDisableUpdateOnStartupWithoutEngine Boolean  
SignatureFallbackOrder String  
SignatureFirstAuGracePeriod UInt32  
SignatureScheduleDay UInt8  
SignatureScheduleTime DateTime  
SignatureUpdateCatchupInterval UInt32  
SignatureUpdateInterval UInt32  
SubmitSamplesConsent UInt8  
ThreatIDDefaultAction_Actions UInt8[]  
ThreatIDDefaultAction_Ids SInt64[]  
UILockdown Boolean  
UnknownThreatDefaultAction UInt8  

Return Value

Returns a value of type UInt32. Typically, a value of 0 indicates success.
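
The following is an added example, not code from the original page: it submits only the arguments that differ from the current preferences, checks the UInt32 return value, and re-reads the instance to confirm the change took effect. The function name Set-MpPreferenceVerified and the sample values are assumptions; it targets the local machine and needs an elevated session to apply changes.

```powershell
# Added example: the function name and the sample values are hypothetical.
function Set-MpPreferenceVerified {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [hashtable] $Desired)

    $cim = @{
        ClassName = 'MSFT_MpPreference'
        Namespace = 'Root/Microsoft/Windows/Defender'
    }

    # Snapshot the current preferences for review and rollback.
    $before = Get-CimInstance @cim

    # Submit only arguments whose current value differs from the desired one.
    # Method-only arguments such as Force have no matching property and are passed through.
    $delta = @{}
    foreach ($name in $Desired.Keys) {
        $prop = $before.PSObject.Properties[$name]
        $same = $prop -and ((@($prop.Value) -join '|') -eq (@($Desired[$name]) -join '|'))
        if (-not $same) { $delta[$name] = $Desired[$name] }
    }
    if ($delta.Count -eq 0) { return }

    if ($PSCmdlet.ShouldProcess(($delta.Keys -join ', '), 'MSFT_MpPreference.Set')) {
        $result = Invoke-CimMethod @cim -MethodName Set -Arguments $delta
        if ($result.ReturnValue -ne 0) {
            throw "Set failed with return value $($result.ReturnValue)"
        }
    }

    # Re-read and report before/after for every submitted setting.
    $after = Get-CimInstance @cim
    foreach ($name in $delta.Keys) {
        [pscustomobject]@{
            Setting = $name
            Before  = $before.$name
            After   = $after.$name
            Applied = (@($after.$name) -join '|') -eq (@($delta[$name]) -join '|')
        }
    }
}

# Sample values (constructed): keep real-time and script scanning on, block PUA.
$desired = @{
    DisableRealtimeMonitoring = $false
    DisableScriptScanning     = $false
    PUAProtection             = [Byte]1     # 1 = enabled
}
Set-MpPreferenceVerified -Desired $desired -WhatIf   # drop -WhatIf to apply
```

If Applied is False although the return value was 0, the setting is being overridden elsewhere, for example by Group Policy.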

Requirements

To use MSFT_MpPreference, the following requirements apply:

PowerShell

Get-CimInstance was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.

If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.

Operating System

MSFT_MpPreference was introduced on clients with Windows 8.1 [desktop apps only] and on servers with Windows Server 2012 R2 [desktop apps only].

Namespace

MSFT_MpPreference lives in the Namespace Root/Microsoft/Windows/Defender. This is not the default namespace. Use parameter -Namespace root/microsoft/windows/defender with all CIM cmdlets.

Implementation

MSFT_MpPreference is implemented in ProtectionManagement.dll and defined in ProtectionManagement.mof. Both files are located in the folder C:\Windows\system32\wbem:

explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\ProtectionManagement.mof