TBD
Example
Do not run the example code below just to see what happens. Many methods seriously affect your system. Always make sure you actually understand what the method and the code do.
```powershell
# define the arguments you want to submit to the method
# remove values that you do not want to submit
# make sure you replace values with meaningful content before running the code
# see section "Parameters" below for a description of each argument.
$arguments = @{
    AttackSurfaceReductionOnlyExclusions      = 'someText'      # replace 'someText' with meaningful text
    AttackSurfaceReductionRules_Actions       = [Byte[]](1)     # replace 1 with meaningful values (0..255); CIM UInt8 maps to [Byte] in PowerShell
    AttackSurfaceReductionRules_Ids           = 'someText'      # replace 'someText' with meaningful text
    ControlledFolderAccessAllowedApplications = 'someText'      # replace 'someText' with meaningful text
    ControlledFolderAccessProtectedFolders    = 'someText'      # replace 'someText' with meaningful text
    ExclusionExtension                        = 'someText'      # replace 'someText' with meaningful text
    ExclusionPath                             = 'someText'      # replace 'someText' with meaningful text
    ExclusionProcess                          = 'someText'      # replace 'someText' with meaningful text
    Force                                     = $true           # $true suppresses the confirmation prompt; use $false to keep it
    HighThreatDefaultAction                   = $true           # replace with $true or $false
    LowThreatDefaultAction                    = $true           # replace with $true or $false
    ModerateThreatDefaultAction               = $true           # replace with $true or $false
    SevereThreatDefaultAction                 = $true           # replace with $true or $false
    SharedSignaturesPath                      = 'someText'      # replace 'someText' with meaningful text
    ThreatIDDefaultAction_Ids                 = [Int64[]](12345) # replace 12345 with meaningful values; CIM SInt64 maps to [Int64] in PowerShell
    UnknownThreatDefaultAction                = $true           # replace with $true or $false
}
Invoke-CimMethod -ClassName MSFT_MpPreference -Namespace Root/Microsoft/Windows/Defender -MethodName Remove -Arguments $arguments
```
To run this method on one or more remote systems, use New-CimSession:
```powershell
$ComputerName = 'server12','server14' # adjust to your server names
$Credential = Get-Credential          # submit a user account with proper permissions
# define the arguments you want to submit to the method
# remove values that you do not want to submit
# make sure you replace values with meaningful content before running the code
# see section "Parameters" below for a description of each argument.
$arguments = @{
    AttackSurfaceReductionOnlyExclusions      = 'someText'      # replace 'someText' with meaningful text
    AttackSurfaceReductionRules_Actions       = [Byte[]](1)     # replace 1 with meaningful values (0..255); CIM UInt8 maps to [Byte] in PowerShell
    AttackSurfaceReductionRules_Ids           = 'someText'      # replace 'someText' with meaningful text
    ControlledFolderAccessAllowedApplications = 'someText'      # replace 'someText' with meaningful text
    ControlledFolderAccessProtectedFolders    = 'someText'      # replace 'someText' with meaningful text
    ExclusionExtension                        = 'someText'      # replace 'someText' with meaningful text
    ExclusionPath                             = 'someText'      # replace 'someText' with meaningful text
    ExclusionProcess                          = 'someText'      # replace 'someText' with meaningful text
    Force                                     = $true           # $true suppresses the confirmation prompt; use $false to keep it
    HighThreatDefaultAction                   = $true           # replace with $true or $false
    LowThreatDefaultAction                    = $true           # replace with $true or $false
    ModerateThreatDefaultAction               = $true           # replace with $true or $false
    SevereThreatDefaultAction                 = $true           # replace with $true or $false
    SharedSignaturesPath                      = 'someText'      # replace 'someText' with meaningful text
    ThreatIDDefaultAction_Ids                 = [Int64[]](12345) # replace 12345 with meaningful values; CIM SInt64 maps to [Int64] in PowerShell
    UnknownThreatDefaultAction                = $true           # replace with $true or $false
}
$session = New-CimSession -ComputerName $ComputerName -Credential $Credential
Invoke-CimMethod -ClassName MSFT_MpPreference -Namespace Root/Microsoft/Windows/Defender -MethodName Remove -Arguments $arguments -CimSession $session
Remove-CimSession -CimSession $session
```
Learn more about Invoke-CimMethod and invoking WMI methods.
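The template above submits every argument at once. In practice you remove one setting at a time and verify the result, because a stale exclusion is exactly the kind of setting that weakens Defender silently. The following added example (written for this page, not code from the original page or from Microsoft) removes a single path exclusion and confirms it is gone by re-reading the MSFT_MpPreference instance. The path `C:\Temp\ExampleExclusion` is a constructed placeholder; it assumes an elevated session on a system where Defender is active.

```powershell
# Added example, not part of the original page: remove one path exclusion
# from Microsoft Defender and verify the change through the same CIM class.
# Requires an elevated PowerShell session with Defender running.

$Namespace    = 'root/Microsoft/Windows/Defender'
$PathToRemove = 'C:\Temp\ExampleExclusion'   # constructed placeholder; replace with the real exclusion

# Read the current preference instance so the change can be compared before and after.
$before = Get-CimInstance -Namespace $Namespace -ClassName MSFT_MpPreference
Write-Host "Exclusion paths before: $($before.ExclusionPath -join ', ')"

if ($before.ExclusionPath -notcontains $PathToRemove) {
    Write-Warning "'$PathToRemove' is not currently an exclusion; nothing to remove."
    return
}

# Submit only the argument that is needed. The method declares ExclusionPath as an
# array (see the Syntax section), so cast explicitly even for a single value.
$arguments = @{
    ExclusionPath = [string[]]$PathToRemove
    Force         = $true      # skip the interactive confirmation prompt
}

$result = Invoke-CimMethod -Namespace $Namespace -ClassName MSFT_MpPreference `
    -MethodName Remove -Arguments $arguments

# The method returns a UInt32; 0 indicates success (see "Return Value").
if ($result.ReturnValue -ne 0) {
    throw "Remove failed with return value $($result.ReturnValue)"
}

# Re-read the instance: a successful return value alone does not prove the
# setting changed if policy or tamper protection re-applies it.
$after = Get-CimInstance -Namespace $Namespace -ClassName MSFT_MpPreference
if ($after.ExclusionPath -contains $PathToRemove) {
    throw "Exclusion still present after Remove; check whether policy or tamper protection enforces it."
}
Write-Host "Exclusion paths after: $($after.ExclusionPath -join ', ')"
```

Reading the instance back after the call is the useful part: the return value tells you the provider accepted the request, while the second Get-CimInstance tells you the configuration actually changed.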
Syntax
```
uint32 Remove(
    [in] string  ExclusionPath[],
    [in] string  ExclusionExtension[],
    [in] string  ExclusionProcess[],
    [in] sint64  ThreatIDDefaultAction_Ids[],
    [in] boolean UnknownThreatDefaultAction,
    [in] boolean LowThreatDefaultAction,
    [in] boolean ModerateThreatDefaultAction,
    [in] boolean HighThreatDefaultAction,
    [in] boolean SevereThreatDefaultAction,
    [in] boolean Force
);
```
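The Syntax listing above and the Parameters table below do not name the same set of arguments, and the parameters a given Defender build exposes come from the class metadata registered on that machine. The following added example (written for this page, not code from the original page or from Microsoft) reads the Remove method declaration from the live class with Get-CimClass and lists each parameter with its CIM type and direction, so you can check what the system in front of you actually accepts before building the argument hashtable.

```powershell
# Added example, not part of the original page: enumerate the parameters that
# the Remove method of MSFT_MpPreference exposes on this system. The result
# comes from the class metadata that ProtectionManagement.mof registers.

$class  = Get-CimClass -Namespace 'root/Microsoft/Windows/Defender' -ClassName MSFT_MpPreference
$method = $class.CimClassMethods['Remove']

if (-not $method) {
    throw 'Remove method not found on MSFT_MpPreference in this namespace'
}

"Return type: $($method.ReturnType)"

$method.Parameters |
    Select-Object Name, CimType,
        @{ Name = 'Direction'; Expression = {
            # The 'in' / 'out' qualifiers mark a parameter as input or output.
            ($_.Qualifiers | Where-Object Name -In 'in', 'out' | ForEach-Object Name) -join '/'
        } } |
    Format-Table -AutoSize
```

Array parameters show up with an array CimType (for example StringArray), which is why the argument hashtable should pass `[string[]]` or `[Int64[]]` values rather than scalars for those entries.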
Parameters
Name | Type | Description |
---|---|---|
AttackSurfaceReductionOnlyExclusions | String | Specify the exclusions for Attack Surface Reduction rules. |
AttackSurfaceReductionRules_Actions | UInt8[] | Default actions for Attack Surface Reduction (ASR) rules. The actions need to be in the same order as their respective rule Ids specified in the AttackSurfaceReductionRules_Ids property. |
AttackSurfaceReductionRules_Ids | String | Specify Attack Surface Reduction (ASR) rule Ids. The rule Ids need to be in the same order as their respective actions specified in the AttackSurfaceReductionRules_Actions property. |
ControlledFolderAccessAllowedApplications | String | Add allowed applications to the Controlled folder access feature. |
ControlledFolderAccessProtectedFolders | String | Add protected folders to the Controlled folder access feature. |
ExclusionExtension | String | Allows an administrator to explicitly disable a scan from checking any of the extensions listed. |
ExclusionPath | String | Allows an administrator to explicitly disable a scan from checking any of the paths listed. |
ExclusionProcess | String | Allows an administrator to explicitly disable a scan from checking any of the processes listed. |
Force | Boolean | A user confirmation is sought by default by this cmdlet. If -Force is specified, the default confirmation is not sought from the user. |
HighThreatDefaultAction | Boolean | Default action for high severity threats. |
LowThreatDefaultAction | Boolean | Default action for low severity threats. |
ModerateThreatDefaultAction | Boolean | Default action for moderate severity threats. |
SevereThreatDefaultAction | Boolean | Default action for severe threats. |
SharedSignaturesPath | String | Defines a file share for security intelligence in virtual environments. |
ThreatIDDefaultAction_Ids | SInt64[] | The Ids of threats upon which the default action should not be taken when detected. The actions in ThreatIDDefaultAction_Actions need to be specified in the same order as the Ids in ThreatIDDefaultAction_Ids. |
UnknownThreatDefaultAction | Boolean | Default action for unknown threats. |
Return Value
Returns a value of type UInt32. Typically, a value of 0 indicates success.
Requirements
To use MSFT_MpPreference, the following requirements apply:
PowerShell
Get-CimInstance was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.
If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.
Operating System
MSFT_MpPreference was introduced on clients with Windows 8.1 [desktop apps only] and on servers with Windows Server 2012 R2 [desktop apps only].
Namespace
MSFT_MpPreference lives in the namespace Root/Microsoft/Windows/Defender. This is not the default namespace. Use the parameter -Namespace root/microsoft/windows/defender with all CIM cmdlets.
Implementation
MSFT_MpPreference is implemented in ProtectionManagement.dll and defined in ProtectionManagement.mof. Both files are located in the folder C:\Windows\system32\wbem:

```powershell
explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\ProtectionManagement.mof
```