diff --git a/docset/winserver2022-ps/defender/Set-MpPreference.md b/docset/winserver2022-ps/defender/Set-MpPreference.md
index bd248dce4e..9dae961c56 100644
--- a/docset/winserver2022-ps/defender/Set-MpPreference.md
+++ b/docset/winserver2022-ps/defender/Set-MpPreference.md
@@ -11,8 +11,13 @@ title: Set-MpPreference
# Set-MpPreference
## SYNOPSIS
+
Configures preferences for Windows Defender scans and updates.
+> [!NOTE]
+> You need to run this cmdlet in an elevated PowerShell window (a PowerShell window you opened by
+selecting **Run as administrator**).
+
## SYNTAX
```powershell
@@ -31,12 +36,12 @@ Set-MpPreference
[-CloudExtendedTimeout <UInt32>]
[-ControlledFolderAccessAllowedApplications <String[]>]
[-ControlledFolderAccessProtectedFolders <String[]>]
- [-DefinitionUpdatesChannel <UpdatesChannelType>]
+ [-DefinitionUpdatesChannel <DefinitionUpdatesChannelType>]
[-DisableArchiveScanning <Boolean>]
[-DisableAutoExclusions <Boolean>]
[-DisableBehaviorMonitoring <Boolean>]
[-DisableBlockAtFirstSeen <Boolean>]
- [-DisableCacheMaintenance <UInt32>]
+ [-DisableCacheMaintenance <Boolean>]
[-DisableCatchupFullScan <Boolean>]
[-DisableCatchupQuickScan <Boolean>]
[-DisableCpuThrottleOnIdleScans <Boolean>]
@@ -47,8 +52,8 @@ Set-MpPreference
[-DisableFtpParsing <Boolean>]
[-DisableGradualRelease <Boolean>]
[-DisableHttpParsing <Boolean>]
- [-DisableIOAVProtection <Boolean>]
[-DisableInboundConnectionFiltering <Boolean>]
+ [-DisableIOAVProtection <Boolean>]
[-DisableNetworkProtectionPerfTelemetry <Boolean>]
[-DisablePrivacyMode <Boolean>]
[-DisableRdpParsing <Boolean>]
@@ -62,30 +67,33 @@ Set-MpPreference
[-DisableSshParsing <Boolean>]
[-DisableTlsParsing <Boolean>]
[-EnableControlledFolderAccess <ControlledFolderAccessType>]
+ [-EnableConvertWarnToBlock <Boolean>]
[-EnableDnsSinkhole <Boolean>]
[-EnableFileHashComputation <Boolean>]
[-EnableFullScanOnBatteryPower <Boolean>]
[-EnableLowCpuPriority <Boolean>]
[-EnableNetworkProtection <ASRRuleActionType>]
+ [-EnableUdpReceiveOffload <Boolean>]
+ [-EnableUdpSegmentationOffload <Boolean>]
[-EngineUpdatesChannel <UpdatesChannelType>]
[-ExclusionExtension <String[]>]
[-ExclusionIpAddress <String[]>]
[-ExclusionPath <String[]>]
[-ExclusionProcess <String[]>]
- [-ForceUseProxyOnly <Boolean>]
[-Force]
+ [-ForceUseProxyOnly <Boolean>]
[-HighThreatDefaultAction <ThreatAction>]
- [-IntelTDTEnabled <UInt32>]
+ [-IntelTDTEnabled <Boolean>]
[-LowThreatDefaultAction <ThreatAction>]
[-MAPSReporting <MAPSReportingType>]
[-MeteredConnectionUpdates <Boolean>]
[-ModerateThreatDefaultAction <ThreatAction>]
[-OobeEnableRtpAndSigUpdate <Boolean>]
- [-PUAProtection <PUAProtectionType>]
[-PlatformUpdatesChannel <UpdatesChannelType>]
[-ProxyBypass <String[]>]
[-ProxyPacUrl <String>]
[-ProxyServer <String>]
+ [-PUAProtection <PUAProtectionType>]
[-QuarantinePurgeItemsAfterDelay <UInt32>]
[-RandomizeScheduleTaskTimes <Boolean>]
[-RealTimeScanDirection <ScanDirection>]
@@ -101,7 +109,7 @@ Set-MpPreference
[-ScanScheduleDay <Day>]
[-ScanScheduleOffset <UInt32>]
[-ScanScheduleQuickScanTime <DateTime>]
- [-ScanScheduleTime <HH:MM:SS>]
+ [-ScanScheduleTime <DateTime>]
[-SchedulerRandomizationTime <UInt32>]
[-ServiceHealthReportInterval <UInt32>]
[-SevereThreatDefaultAction <ThreatAction>]
@@ -117,10 +125,10 @@ Set-MpPreference
[-SignatureScheduleTime <DateTime>]
[-SignatureUpdateCatchupInterval <UInt32>]
[-SignatureUpdateInterval <UInt32>]
- [-SignaturesUpdatesChannel <UpdatesChannelType>]
[-SubmitSamplesConsent <SubmitSamplesConsentType>]
[-ThreatIDDefaultAction_Actions <ThreatAction[]>]
[-ThreatIDDefaultAction_Ids <Int64[]>]
+ [-ThrottleForScheduledScanOnly <Boolean>]
[-ThrottleLimit <Int32>]
[-UILockdown <Boolean>]
[-UnknownThreatDefaultAction <ThreatAction>]
@@ -128,23 +136,26 @@ Set-MpPreference
```
## DESCRIPTION
+
The **Set-MpPreference** cmdlet configures preferences for Windows Defender scans and updates.
-You can modify exclusion file name extensions, paths, or processes, and specify the default action for high, moderate, and low threat levels.
+You can modify exclusion file name extensions, paths, or processes, and specify the default action
+for high, moderate, and low threat levels.
-**REMEDIATION VALUES**
+**REMEDIATION VALUES**:
-The following table provides remediation action values for detected threats at low, medium, high, and severe alert levels.
+The following table provides remediation action values for detected threats at low, medium, high,
+and severe alert levels.
-|Value |Action |
-|------|-------------------------------------------------------------------------|
-|1 |Clean the detected threat. |
-|2 |Quarantine the detected threat. |
-|3 |Remove the detected threat. |
-|6 |Allow the detected threat. |
-|8 |Allow the user to determine the action to take with the detected threat. |
-|9 |Don't take any action. |
-|10 |Block the detected threat. |
-|0 | (NULL)|Apply action based on the Security Intelligence Update (SIU). This is the default value. |
+|Value|Action|
+|---|---|
+|0 (NULL)|Apply action based on the Security Intelligence Update (SIU). This is the default value.|
+|1|Clean the detected threat.|
+|2|Quarantine the detected threat.|
+|3|Remove the detected threat.|
+|6|Allow the detected threat.|
+|8|Allow the user to determine the action to take with the detected threat.|
+|9|Don't take any action.|
+|10|Block the detected threat.|
## EXAMPLES
@@ -162,12 +173,17 @@ This command configures preferences to check for definition updates every day.
PS C:\> Set-MpPreference -SignatureScheduleTime 02:00:00
```
-This command configures preferences to check for definition updates 120 minutes after midnight on days when it's scheduled to check.
+This command configures preferences to check for definition updates 120 minutes after midnight on
+days when it's scheduled to check.
## PARAMETERS
### -AllowDatagramProcessingOnWinServer
-Specifies whether to disable inspection of UDP connections on Windows Server.
+
+Specifies whether to disable the inspection of UDP connections on Windows Server. Valid values are:
+
+- $true: The inspection of UDP connections is enabled.
+- $false: The inspection of UDP connections is disabled.
```yaml
Type: Boolean
@@ -182,7 +198,20 @@ Accept wildcard characters: False
```
### -AllowNetworkProtectionDownLevel
-Specifies whether to allow network protection to be set to Enabled or Audit Mode on Windows versions before 1709.
+
+Specifies whether network protection on Windows Server 2016 or Windows Server 2012 R2 is controlled
+by the **EnableNetworkProtection** parameter. Valid values are:
+
+- $true: Network protection is controlled by the **EnableNetworkProtection**
+parameter (Enabled, Disabled, or AuditMode).
+
+ **Tip**: For Windows Server 2016 or Windows Server 2012 R2, you also need to set the
+**AllowNetworkProtectionOnWinServer** parameter to the value $true.
+
+- $false: Network protection isn't controlled by the **EnableNetworkProtection**
+parameter.
+
+For more information about network protection, see [Protect your network](/defender-endpoint/network-protection).
```yaml
Type: Boolean
@@ -197,7 +226,20 @@ Accept wildcard characters: False
```
### -AllowNetworkProtectionOnWinServer
-Specifies whether to allow network protection to be set to Enabled or Audit Mode for Windows Server.
+
+Specifies whether network protection on Windows Server is controlled by the
+**EnableNetworkProtection** parameter. Valid values are:
+
+- $true: Network protection is controlled by the **EnableNetworkProtection**
+parameter (Enabled, Disabled, or AuditMode).
+
+ **Tip**: For Windows Server 2016 or Windows Server 2012 R2, you also need to set the
+**AllowNetworkProtectionDownLevel** parameter to the value $true.
+
+- $false: Network protection isn't controlled by the **EnableNetworkProtection**
+parameter.
+
+For more information about network protection, see [Protect your network](/defender-endpoint/network-protection).
```yaml
Type: Boolean
@@ -213,7 +255,13 @@ Accept wildcard characters: False
### -AllowSwitchToAsyncInspection
-Specifies whether to enable a performance optimization that allows synchronously inspected network flows to switch to async inspection once they have been checked and validated.
+Specifies whether to enable a performance optimization that allows synchronously inspected network
+flows to switch to async inspection once they have been checked and validated. Valid values are:
+
+- $true: Allow synchronously inspected network flows to switch to async inspection once they have
+been checked and validated.
+- $false: Don't allow synchronously inspected network flows to switch to async inspection once they
+have been checked and validated.
```yaml
Type: Boolean
@@ -228,14 +276,19 @@ Accept wildcard characters: False
```
### -AsJob
-Runs the cmdlet as a background job. Use this parameter to run commands that take a long time to complete.
-The cmdlet immediately returns an object that represents the job and then displays the command prompt.
+Runs the cmdlet as a background job. Use this parameter to run commands that take a long time to
+complete.
+
+The cmdlet immediately returns an object that represents the job and then displays the command
+prompt.
You can continue to work in the session while the job completes.
To manage the job, use the `*-Job` cmdlets.
-To get the job results, use the [Receive-Job](https://go.microsoft.com/fwlink/?LinkID=113372) cmdlet.
+To get the job results, use the [Receive-Job](https://go.microsoft.com/fwlink/?LinkID=113372)
+cmdlet.
-For more information about Windows PowerShell background jobs, see [about_Jobs](https://go.microsoft.com/fwlink/?LinkID=113251).
+For more information about Windows PowerShell background jobs, see
+[about_Jobs](https://go.microsoft.com/fwlink/?LinkID=113251).
```yaml
Type: SwitchParameter
@@ -250,9 +303,24 @@ Accept wildcard characters: False
```
### -AttackSurfaceReductionOnlyExclusions
-Specifies the files and paths to exclude from Attack Surface Reduction (ASR) rules. Specify the folders or files and resources that should be excluded from ASR rules. Enter a folder path or a fully qualified resource name. For example, ""C:\Windows"" will exclude all files in that directory. ""C:\Windows\App.exe"" will exclude only that specific file in that specific folder.
-For more information about excluding files and folders from [ASR rules](/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules).
+Specifies the folders or files to exclude from Attack Surface Reduction (ASR) rules. Enter a folder
+path or a fully qualified resource name. For example:
+
+- `"C:\Windows"` excludes all files in that folder.
+- `"C:\Windows\App.exe"` excludes only that specific file in that specific folder.
+
+To replace all existing values with the values you specify, use the following syntax: `"Value1","Value2",..."ValueN"`.
+
+To add values without affecting existing values, use the **Add-MPPreference** cmdlet:
+
+`Add-MpPreference -AttackSurfaceReductionOnlyExclusions "Value1","Value2",..."ValueN"`
+
+To remove values without affecting other existing values, use the **Remove-MPPreference** cmdlet:
+
+`Remove-MpPreference -AttackSurfaceReductionOnlyExclusions "Value1","Value2",..."ValueN"`
+
+For more information, see [Exclude files and folders from attack surface reduction rules](/defender-endpoint/enable-attack-surface-reduction#exclude-files-and-folders-from-attack-surface-reduction-rules).
```yaml
Type: String[]
@@ -267,8 +335,36 @@ Accept wildcard characters: False
```
### -AttackSurfaceReductionRules_Actions
-Specifies the states of attack surface reduction rules specified by using the **AttackSurfaceReductionRules_Ids** parameter.
-If you add multiple rules as a comma-separated list, specify their states separately as a comma-separated list.
+
+Use the **AttackSurfaceReductionRules_Ids** and **AttackSurfaceReductionRules_Actions** parameters
+together in the same command to specify the states of attack surface reduction (ASR) rules.
+
+- The **AttackSurfaceReductionRules_Ids** parameter identifies the ASR rule by GUID value. For
+example, the GUID value of the "Block Office communication application from creating child
+processes" ASR rule is `26190899-1602-49e8-8b27-eb1d0a1ce869`. For more information, see
+[ASR rule to GUID matrix](/defender-endpoint/attack-surface-reduction-rules-reference#asr-rule-to-guid-matrix).
+- The **AttackSurfaceReductionRules_Actions** parameter identifies ASR rule action. Valid values
+are:
+
+ • 0 or Deactivated
+
+ • 1 or Activated
+
+ • 2 or Audit mode
+
+ • 6 or Warning
+
+To replace all existing values with the values you specify, use the following syntax:
+
+`Set-MpPreference -AttackSurfaceReductionRules_Ids Rule1,Rule2,...RuleN -AttackSurfaceReductionRules_Actions Action1,Action2,...ActionN`
+
+To add values without affecting existing values, use the **Add-MPPreference** cmdlet:
+
+`Add-MpPreference -AttackSurfaceReductionRules_Ids Rule1,Rule2,...RuleN -AttackSurfaceReductionRules_Actions Action1,Action2,...ActionN`
+
+To remove values without affecting other existing values, use the **Remove-MPPreference** cmdlet:
+
+`Remove-MpPreference -AttackSurfaceReductionRules_Ids Rule1,Rule2,...RuleN -AttackSurfaceReductionRules_Actions Action1,Action2,...ActionN`
```yaml
Type: ASRRuleActionType[]
@@ -283,8 +379,38 @@ Accept wildcard characters: False
```
### -AttackSurfaceReductionRules_Ids
-Specifies the states of attack surface reduction rules specified by using the **AttackSurfaceReductionRules_Ids** parameter.
-If you add multiple rules as a comma-separated list, specify their states separately as a comma-separated list.
+
+Use the **AttackSurfaceReductionRules_Ids** and **AttackSurfaceReductionRules_Actions** parameters
+together in the same command to specify the states of attack surface reduction (ASR) rules.
+
+- The **AttackSurfaceReductionRules_Ids** parameter identifies the ASR rule by GUID value. For
+example, the GUID value of the "Block Office communication application from creating child
+processes" ASR rule is `26190899-1602-49e8-8b27-eb1d0a1ce869`. For more information, see
+[ASR rule to GUID matrix](/defender-endpoint/attack-surface-reduction-rules-reference#asr-rule-to-guid-matrix).
+- The **AttackSurfaceReductionRules_Actions** parameter identifies ASR rule action for the
+- corresponding ASR rule. Valid values are:
+
+ • 0 or Disabled
+
+ • 1 or Enabled
+
+ • 2 or AuditMode
+
+ • 5 or NotConfigured
+
+ • 6 or Warn
+
+To replace all existing values with the values you specify, use the following syntax:
+
+`Set-MpPreference -AttackSurfaceReductionRules_Ids Rule1,Rule2,...RuleN -AttackSurfaceReductionRules_Actions Action1,Action2,...ActionN`
+
+To add values without affecting existing values, use the **Add-MPPreference** cmdlet:
+
+`Add-MpPreference -AttackSurfaceReductionRules_Ids Rule1,Rule2,...RuleN -AttackSurfaceReductionRules_Actions Action1,Action2,...ActionN`
+
+To remove values without affecting other existing values, use the **Remove-MPPreference** cmdlet:
+
+`Remove-MpPreference -AttackSurfaceReductionRules_Ids Rule1,Rule2,...RuleN -AttackSurfaceReductionRules_Actions Action1,Action2,...ActionN`
```yaml
Type: String[]
@@ -299,10 +425,15 @@ Accept wildcard characters: False
```
### -CheckForSignaturesBeforeRunningScan
-Indicates whether to check for new virus and spyware definitions before Windows Defender runs a scan.
-If you specify a value of $True, Windows Defender checks for new definitions.
-If you specify $False or don't specify a value, the scan begins with existing definitions.
-This setting applies to scheduled scans, but it has no effect on scans initiated manually from the user interface or on scans started from the command line using "mpcmdrun -Scan".
+
+Specifies whether to check for new virus and spyware definitions before Windows Defender runs a
+scan. Valid values are:
+
+- $true: Windows Defender checks for new definitions before running a scan.
+- $false: The scan begins with the existing definitions. This is the default value.
+
+This parameter applies to scheduled scans, but it has no effect on scans initiated manually from the
+user interface from the command line using `mpcmdrun -Scan`.
```yaml
Type: Boolean
@@ -317,9 +448,16 @@ Accept wildcard characters: False
```
### -CimSession
-Runs the cmdlet in a remote session or on a remote computer.
-Enter a computer name or a session object, such as the output of a [New-CimSession](https://go.microsoft.com/fwlink/p/?LinkId=227967) or [Get-CimSession](https://go.microsoft.com/fwlink/p/?LinkId=227966) cmdlet.
-The default is the current session on the local computer.
+
+Runs the cmdlet in a remote session or on a remote computer that were created by the
+[New-CimSession](https://go.microsoft.com/fwlink/p/?LinkId=227967) cmdlet and specified by the
+[Get-CimSession](https://go.microsoft.com/fwlink/p/?LinkId=227966) cmdlet. For example:
+
+`Set-MpPreference -CimSession (Get-CimSession -ID 1),(Get-CimSession -ID 2),...(Get-CimSession -ID N)`
+
+or
+
+`Set-MpPreference -CimSession (Get-CimSession -ID Server1),(Get-CimSession -ID Server2),...(Get-CimSession -ID ServerN)`
```yaml
Type: CimSession[]
@@ -334,8 +472,15 @@ Accept wildcard characters: False
```
### -CloudBlockLevel
-Specifies a cloud block level.
-This value determines how aggressive Microsoft Defender Antivirus is in blocking and scanning suspicious files.
+
+Specifies the cloud block level that determines how aggressively Microsoft Defender Antivirus scans
+and blocks suspicious files. Valid values are:
+
+- 0 or Default
+- 1 or Moderate
+- 2 or High
+- 4 or HighPlus
+- 6 or ZeroTolerance
```yaml
Type: CloudBlockLevelType
@@ -350,7 +495,11 @@ Accept wildcard characters: False
```
### -CloudExtendedTimeout
-Specifies the amount of extended time to block a suspicious file and scan it in the cloud. Standard time is 10 seconds. Extend by up to 50 seconds.
+
+<!---The default value on 2 Win 11 PCs is 0; Max value claimed to be 50 --->
+
+Specifies the amount of extended time in seconds to block a suspicious file and scan it in the
+cloud. A valid value is an integer from 0 to 4294967295. The default value is 10 seconds.
```yaml
Type: UInt32
@@ -365,7 +514,30 @@ Accept wildcard characters: False
```
### -ControlledFolderAccessAllowedApplications
-Specifies applications that can make changes in controlled folders.
+
+Specifies the path and filename of applications that are allowed to make changes in controlled
+folders. You can use absolute folder paths (for example `C;\Windows\...` or environment variables
+(for example, `%appdata%...`) for path names.
+
+To replace all existing values with the values you specify, use the following syntax:
+`"PathAndFileName1","PathAndFileName2",..."PathAndFileNameN"`.
+
+To add values without affecting existing values, use the **Add-MPPreference** cmdlet:
+
+`Add-MpPreference -ControlledFolderAccessAllowedApplications "PathAndFileName1","PathAndFileName2",..."PathAndFileNameN"`
+
+To remove values without affecting other existing values, use the **Remove-MPPreference** cmdlet:
+
+`Remove-MpPreference -ControlledFolderAccessAllowedApplications "PathAndFileName1","PathAndFileName2",..."PathAndFileNameN"`
+
+The value parameter is meaningful only if the value of the **EnableControlledFolderAccess**
+parameter isn't `Disabled`.
+
+To specify additional folders that are protected by controlled folder access, use the
+**ControlledFolderAccessProtectedFolders** parameter.
+
+For more information about controlled folder access, see [Protect important folders with controlled
+folder access](/defender-endpoint/controlled-folders).
```yaml
Type: String[]
@@ -380,7 +552,30 @@ Accept wildcard characters: False
```
### -ControlledFolderAccessProtectedFolders
-Specifies more folders to protect.
+
+Specifies additional folders to protect as controlled access folders. You can use absolute folder
+paths (for example `C;\Windows\...` or environment variables (for example, `%appdata%...`) for path
+names.
+
+To replace all existing values with the values you specify, use the following syntax:
+`"Path1","Path2"..."PathN"`.
+
+To add values without affecting existing values, use the **Add-MPPreference** cmdlet:
+
+`Add-MpPreference -ControlledFolderAccessAllowedApplications "Path1","Path2",..."PathN"`
+
+To remove values without affecting other existing values, use the **Remove-MPPreference** cmdlet:
+
+`Remove-MpPreference -ControlledFolderAccessAllowedApplications "Path1","Path2",..."PathN"`
+
+The value parameter is meaningful only if the value of the **EnableControlledFolderAccess**
+parameter isn't `Disabled`.
+
+To specify applications that are allowed to access controlled folders, use the
+**ControlledFolderAccessAllowedApplications** parameter.
+
+For more information about controlled folder access, see [Protect important folders with controlled
+folder access](/defender-endpoint/controlled-folders).
```yaml
Type: String[]
@@ -394,9 +589,40 @@ Accept pipeline input: False
Accept wildcard characters: False
```
+### -DefinitionUpdatesChannel
+
+Specifies when devices receive daily Microsoft Defender definition updates during the monthly gradual
+rollout. Valid values are:
+
+- NotConfigured: Devices stay up to date automatically during the gradual release cycle. This value
+is suitable for most devices.
+- Staged: Devices are offered updates after the monthly gradual release cycle. This value is
+suggested for a small, representative part of your production population, around 10 percent.
+- Broad: Devices are offered updates only after the gradual release cycle completes. This value is
+suggested for a broad set of devices in your production population, from 10 to 100 percent.
+
+This parameter replaces the **SignaturesUpdatesChannel** parameter.
+
+```yaml
+Type: DefinitionUpdatesChannelType
+Parameter Sets: (All)
+Aliases: duc
+Accepted values: NotConfigured, Staged, Broad
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
### -DisableArchiveScanning
-Indicates whether to scan archive files, such as .zip and .cab files, for malicious and unwanted software.
-If you specify a value of $False or do not specify a value, Windows Defender scans archive files.
+
+Specifies whether to scan archive files (for example, .zip and .cab files) for malicious and
+unwanted software. Valid values are:
+
+- $true: Windows Defender doesn't scan archive file.
+- $false: Windows Defender scans archive files. This is the default value.
```yaml
Type: Boolean
@@ -411,8 +637,11 @@ Accept wildcard characters: False
```
### -DisableAutoExclusions
-Indicates whether to disable the Automatic Exclusions feature for the server.
-If you specify a value of $False or do not specify a value, Windows Defender enables the Automatic Exclusions feature for the server.
+
+Specifies whether to disable the Automatic Exclusions feature for the server. Valid values are:
+
+- $true: Windows Defender disables the Automatic Exclusions feature for the server.
+- $false: Windows Defender enables the Automatic Exclusions feature for the server. This is the default value.
```yaml
Type: Boolean
@@ -427,8 +656,11 @@ Accept wildcard characters: False
```
### -DisableBehaviorMonitoring
-Indicates whether to enable behavior monitoring.
-If you specify a value of $False or do not specify a value, Windows Defender enables behavior monitoring.
+
+Specifies whether to enable behavior monitoring. Valid values are:
+
+- $true: Windows Defender disables behavior monitoring.
+- $false: Windows Defender enables behavior monitoring. This is the default value.
```yaml
Type: Boolean
@@ -443,8 +675,11 @@ Accept wildcard characters: False
```
### -DisableBlockAtFirstSeen
-Indicates whether to enable block at first seen.
-If you specify a value of $False or do not specify a value, Windows Defender enables block at first seen.
+
+Specifies whether to enable block at first seen. Valid values are:
+
+- $true: Windows Defender disables block at first seen.
+- $false: Windows Defender enables block at first seen. This is the default value.
```yaml
Type: Boolean
@@ -459,7 +694,11 @@ Accept wildcard characters: False
```
### -DisableCacheMaintenance
-Defines whether the cache maintenance idle task will perform the cache maintenance or not. Allowed values are 1 - cache maintenance is disabled, and 0 - cache maintenance is enabled (default).
+
+Defines whether the cache maintenance idle task performs cache maintenance. Valid values are:
+
+- $true: Cache maintenance is disabled.
+- $false: Cache maintenance is enabled. This is the default value.
```yaml
Type: Boolean
@@ -474,9 +713,13 @@ Accept wildcard characters: False
```
### -DisableCatchupFullScan
-Indicates whether Windows Defender runs catch-up scans for scheduled full scans.
-A computer can miss a scheduled scan, usually because the computer is turned off at the scheduled time.
-If you specify a value of $False, after the computer misses two scheduled full scans, Windows Defender runs a catch-up scan the next time someone logs on to the computer. If you specify a value of $True, the computer does not run catch-up scans for scheduled full scans.
+
+Specifies whether Windows Defender runs catch-up scans for missed scheduled full scans. Valid values
+are:
+
+- $true: Windows Defender doesn't run catch-up scans for missed scheduled full scans.
+- $false: After two missed scheduled full scans, Windows Defender runs a catch-up scan.
+the next time someone signs in to the computer.
```yaml
Type: Boolean
@@ -491,9 +734,13 @@ Accept wildcard characters: False
```
### -DisableCatchupQuickScan
-Indicates whether Windows Defender runs catch-up scans for scheduled quick scans.
-A computer can miss a scheduled scan, usually because the computer is off at the scheduled time.
-If you specify a value of $False, after the computer misses two scheduled quick scans, Windows Defender runs a catch-up scan the next time someone logs onto the computer. If you specify a value of $True, the computer does not run catch-up scans for scheduled quick scans.
+
+Specifies whether Windows Defender runs catch-up scans for missed scheduled quick scans. Valid values
+are:
+
+$true: Windows Defender doesn't run catch-up scans for missed scheduled quick scans.
+$false: After two missed scheduled quick scans, Windows Defender runs a catch-up scan
+the next time someone signs in to the computer.
```yaml
Type: Boolean
@@ -508,7 +755,15 @@ Accept wildcard characters: False
```
### -DisableCpuThrottleOnIdleScans
-Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This parameter is enabled by default, thus ensuring that the CPU won't be throttled for scheduled scans performed when the device is idle, regardless of what **ScanAvgCPULoadFactor** is set to. For all other scheduled scans, this flag does not have any impact and normal throttling will occur.
+
+Specifies whether the CPU is throttled for scheduled scans while the device is idle. Valid
+values are:
+
+- $true: The CPU is throttled for scheduled scans.
+- $false: The CPU isn't throttled for scheduled scans, regardless of the value of the
+**ScanAvgCPULoadFactor** parameter.
+
+This parameter doesn't affect other types scheduled scans. Normal CPU throttling occurs on other types of scheduled scans.
```yaml
Type: Boolean
@@ -522,7 +777,11 @@ Accept wildcard characters: False
```
### -DisableDatagramProcessing
-Specifies whether to disable inspection of UDP connections.
+
+Specifies whether to disable inspection of UDP connections. Valid values are:
+
+- $true: Inspection of UDP connections is disabled.
+- $false: Inspection of UDP connections is enabled.
```yaml
Type: Boolean
@@ -537,7 +796,19 @@ Accept wildcard characters: False
```
### -DisableDnsOverTcpParsing
-Specifies whether to disable inspection of DNS traffic that occurs over a TCP channel.
+
+Specifies whether to disable inspection of DNS traffic that occurs over a TCP. Valid values
+are:
+
+- $true: Inspection of DNS traffic over TCP is disabled.
+- $false: Inspection of DNS traffic over TCP is enabled.
+
+Network protection needs to inspect DNS traffic over TCP in the following scenarios:
+
+- To provide metadata for anti-malware behavior monitoring.
+- To allow for a DNS sinkhole if the **EnableDnsSinkhole** parameter is set to the value $true.
+
+For more information about network protection, see [Protect your network](/defender-endpoint/network-protection).
```yaml
Type: Boolean
@@ -552,8 +823,12 @@ Accept wildcard characters: False
```
### -DisableDnsParsing
-Specifies whether to disable inspection of DNS traffic that occurs over a UDP channel.
-Network protection inspects DNS traffic that occurs over a TCP channel to provide metadata for anti-malware behavior monitoring or to allow for DNS sink holing if the "-EnableDnsSinkhole" configuration is set. This can be disabled by setting this value to "$true".
+
+Specifies whether to disable inspection of DNS traffic that occurs over a UDP. Valid values
+are:
+
+- $true: Inspection of DNS traffic over UDP is disabled.
+- $false: Inspection of DNS traffic over UDP channels is enabled.
```yaml
Type: Boolean
@@ -567,48 +842,68 @@ Accept pipeline input: False
Accept wildcard characters: False
```
-### -DisableFtpParsing
-Specifies whether to disable FTP parsing for network protection.
+### -DisableEmailScanning
+
+Specifies whether Windows Defender parses mailbox and email message files to analyze message bodies
+and email attachments. Valid values are:
+
+- $true: Windows Defender doesn't scan mailbox and email message files.
+- $false: Windows Defender scans mailbox and email message files. This is the default value.
+
+ Windows Defender supports several mailbox and email message file formats. For example:
+
+- .binhex
+- .dbx
+- .mbx
+- .mime
+- .pst
```yaml
Type: Boolean
Parameter Sets: (All)
-Aliases: dfp
+Aliases: demsc
Required: False
Position: Named
-Default value: 0
+Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
-### -DisableEmailScanning
-Indicates whether Windows Defender parses the mailbox and mail files, according to their specific format, in order to analyze mail bodies and attachments.
-Windows Defender supports several formats, including .pst, .dbx, .mbx, .mime, and .binhex.
-If you specify a value of $False or do not specify a value, Windows Defender performs email scanning. If you specify a value of $True, Windows Defender does not perform email scanning.
+### -DisableFtpParsing
+
+Specifies whether to disable FTP parsing for network protection. Valid values are:
+
+- $true: FTP parsing for network protection is disabled.
+- $false: FTP parsing for network protection is enabled.
+
+For more information about network protection, see [Protect your network](/defender-endpoint/network-protection).
```yaml
Type: Boolean
Parameter Sets: (All)
-Aliases: demsc
+Aliases: dfp
Required: False
Position: Named
-Default value: None
+Default value: 0
Accept pipeline input: False
Accept wildcard characters: False
```
### -DisableGradualRelease
-Specifies whether to disable gradual rollout of monthly and daily Windows Defender updates.
-If you enable this option, devices are offered all updates after the gradual release cycle finishes.
-Consider this option for datacenter computers that only receive limited updates.
-This setting applies to both monthly and daily updates.
-It overrides configured channel selections for platform and engine updates.
+Specifies whether to disable gradual rollout of monthly and daily Windows Defender updates. Valid
+values are:
-If you disable or do not configure this policy, the device remains in Current Channel (Default) unless specified otherwise in specific channels.
-The device stays up to date automatically during the gradual release cycle, which is suitable for most devices.
+- $true: Devices are offered all updates after the gradual release cycle finishes. Consider this
+option for datacenter computers that receive only limited updates.
+- $false: This is the default value. Devices remain in the Current Channel unless otherwise
+specified in specific channels. The device stays up to date automatically during the gradual release
+cycle, which is suitable for most devices.
+
+This setting applies to both monthly and daily updates. This setting overrides configured channel
+selections for platform and engine updates.
This policy is available starting with platform version 4.18.2106.5 and later.
@@ -625,8 +920,14 @@ Accept wildcard characters: False
```
### -DisableHttpParsing
-Specifies whether disable inspection of HTTP traffic.
-If **EnableNetworkProtection** has the value `Enabled`, HTTP connections to malicious websites can be blocked.
+
+Specifies whether to disable inspection of HTTP traffic. Valid values are:
+
+- $true: Inspection of HTTP traffic is disabled.
+- $false: Inspection of HTTP traffic is enabled.
+
+If the value of the **EnableNetworkProtection** parameter is `Enabled`, HTTP connections to
+malicious websites can be blocked.
```yaml
Type: Boolean
@@ -641,8 +942,13 @@ Accept wildcard characters: False
```
### -DisableInboundConnectionFiltering
-Specifies whether to inspect only outbound connections.
-By default, Network Protection inspects both inbound and outbound connections.
+
+Specifies whether Network Protection inspects only outbound connections. Valid values are:
+
+- $true: Network Protection inspects only outbound connections.
+- $false: Network Protection inspects inbound and outbound connections. This is the default value.
+
+For more information about network protection, see [Protect your network](/defender-endpoint/network-protection).
```yaml
Type: Boolean
@@ -657,8 +963,11 @@ Accept wildcard characters: False
```
### -DisableIOAVProtection
-Indicates whether Windows Defender scans all downloaded files and attachments.
-If you specify a value of $False or do not specify a value, scanning downloaded files and attachments is enabled.
+
+Specifies whether Windows Defender scans all downloaded files and attachments. Valid values are:
+
+- $true: Windows Defender doesn't scan all downloaded files and attachments.
+- $false: Windows Defender scans all downloaded files and attachments. This is the default value.
```yaml
Type: Boolean
@@ -673,11 +982,14 @@ Accept wildcard characters: False
```
### -DisableNetworkProtectionPerfTelemetry
+
This setting disables the gathering and sending of performance telemetry from network protection.
-The accepted values are 0 and 1.
+Valid values are:
-- 1- Network protection telemetry is disabled.
-- 0 (Default) - Network protection telemetry is enabled.
+- $true: Network protection telemetry is disabled.
+- $false: Network protection telemetry is enabled. This is the default value.
+
+For more information about network protection, see [Protect your network](/defender-endpoint/network-protection).
```yaml
Type: Boolean
@@ -692,7 +1004,11 @@ Accept wildcard characters: False
```
### -DisablePrivacyMode
-**This is a legacy setting that does not have any affect on current platforms**. The intent of this parameter was to disable privacy mode, which prevented users, other than administrators, from displaying threat history. When this parameter was in use, if you specified a value of $False or did not specify a value, privacy mode was enabled.
+
+**Note**: This parameter is a legacy setting that doesn't affect current platforms.
+
+The intent of this parameter was to disable privacy mode, which prevented users (not admins) from
+displaying the threat history.
```yaml
Type: Boolean
@@ -707,7 +1023,12 @@ Accept wildcard characters: False
```
### -DisableRdpParsing
-This setting controls whether to parse RDP traffic to look for malicious attacks using the RDP protocol.
+
+This setting controls whether to parse RDP traffic to look for malicious attacks using the RDP
+protocol. Valid values are:
+
+- $true: Windows Defender doesn't scan RDP traffic.
+- $false: Windows Defender scans RDP traffic.
```yaml
Type: Boolean
@@ -722,9 +1043,11 @@ Accept wildcard characters: False
```
### -DisableRealtimeMonitoring
-Indicates whether to use real-time protection.
-If you specify a value of $False or do not specify a value, Windows Defender uses real-time protection.
-We recommend that you enable Windows Defender to use real-time protection.
+
+Specifies whether to use real-time protection. Valid values are:
+
+- $true: Windows Defender doesn't use real-time protection.
+- $false: Windows Defender uses real-time protection. This is the default and recommended value.
```yaml
Type: Boolean
@@ -739,8 +1062,14 @@ Accept wildcard characters: False
```
### -DisableRemovableDriveScanning
-Indicates whether to scan for malicious and unwanted software in removable drives, such as flash drives, during a full scan.
-If you specify a value of $False or do not specify a value, Windows Defender scans removable drives during any type of scan. If you specify a value of $True, Windows Defender does not scan removable drives during a full scan. Windows Defender can still scan removable drives during quick scans or custom scans.
+
+Specifies whether to scan for malicious and unwanted software in removable drives, such as flash
+drives, during a full scan. Valid values are:
+
+- $true: Windows Defender doesn't scan removable drives during a full scan, but can still scan
+removable drives during quick scans or custom scans.
+- $false: Windows Defender scans removable drives during any type of scan. This is the default
+value.
```yaml
Type: Boolean
@@ -755,13 +1084,16 @@ Accept wildcard characters: False
```
### -DisableRestorePoint
-Indicates whether to disable scanning of restore points.
-If you specify a value of $False or do not specify a value, Windows Defender restore point is enabled.
+
+Specifies whether to disable scanning of restore points. Valid values are:
+
+- $true: Windows Defender restore point scanning is disabled.
+- $false: Windows Defender restore point scanning is enabled. This is the default value.
```yaml
Type: Boolean
Parameter Sets: (All)
-Aliases: drp, dsnf
+Aliases: drp
Required: False
Position: Named
@@ -771,7 +1103,11 @@ Accept wildcard characters: False
```
### -DisableScanningMappedNetworkDrivesForFullScan
-Indicates whether to scan mapped network drives. If you specify a value of $False or do not specify a value, Windows Defender scans mapped network drives. If you specify a value of $True, Windows Defender does not scan mapped network drives.
+
+Specifies whether to scan mapped network drives. Valid values are:
+
+- $true: Windows Defender doesn't scan mapped network drives.
+- $false: Windows Defender scans mapped network drives. This is the default value.
```yaml
Type: Boolean
@@ -786,7 +1122,11 @@ Accept wildcard characters: False
```
### -DisableScanningNetworkFiles
-Indicates whether to scan for network files. If you specify a value of $False or do not specify a value, Windows Defender scans network files. If you specify a value of $True, Windows Defender does not scan network files.
+
+Specifies whether to scan network files. Valid values are:
+
+- $true: Windows Defender doesn't scan network files.
+- $false: Windows Defender scans network files. This is the default value.
```yaml
Type: Boolean
@@ -801,8 +1141,11 @@ Accept wildcard characters: False
```
### -DisableScriptScanning
-Specifies whether to disable the scanning of scripts during malware scans.
-If you specify a value of $False or do not specify a value, Windows Defender does not scan scripts.
+
+Specifies whether to disable the scanning of scripts during malware scans. Valid values are:
+
+- $true: Windows Defender doesn't scan scripts.
+- $false: Windows Defender scans scripts. This is the default value.
```yaml
Type: Boolean
@@ -816,44 +1159,62 @@ Accept pipeline input: False
Accept wildcard characters: False
```
-### -DisableSshParsing
-Specifies whether to disable inspection of SSH traffic.
-By default, Network Protection inspects SSH traffic.
+### -DisableSmtpParsing
+
+This setting disables SMTP parsing by network protection. Valid values are:
+
+- $true: SMTP parsing is disabled.
+- $false: SMTP parsing is enabled. This is the default value
+
+For more information about network protection, see [Protect your network](/defender-endpoint/network-protection).
```yaml
Type: Boolean
Parameter Sets: (All)
-Aliases: dsshp
+Aliases: dsp
Required: False
Position: Named
-Default value: None
+Default value: 0
Accept pipeline input: False
Accept wildcard characters: False
```
-### -DisableSmtpParsing
-This setting disables SMTP parsing for network protection.
-The accepted values are 0 and 1.
+### -DisableSshParsing
+
+Specifies whether to disable the inspection of SSH traffic. Valid values are:
+
+- $true: Network protection doesn't inspect SSH traffic.
+- $false: Network protection inspects SSH traffic. This is the default value.
-- 1 - SMTP parsing is disabled.
-- 0 (Default) - SMTP parsing is enabled.
+For more information about network protection, see [Protect your network](/defender-endpoint/network-protection).
```yaml
Type: Boolean
Parameter Sets: (All)
-Aliases: dsp
+Aliases: dsshp
Required: False
Position: Named
-Default value: 0
+Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -DisableTlsParsing
-Specifies whether to disable inspection of TLS traffic.
-Network protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to behavior monitoring. TLS connections to malicious websites can also be blocked if "-EnableNetworkProtection" is set to enabled. HTTP inspection can be disabled by setting this value to "$true". By default, network protection inspects TLS traffic.
+
+Specifies whether to disable the inspection of TLS traffic. Valid values are:
+
+- $true: Network Protection doesn't inspect TLS traffic.
+- $false: Network Protection inspects TLS traffic. This is the default value.
+
+Network protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is
+being made to a malicious website, and to provide metadata to behavior monitoring.
+
+TLS connections to malicious websites can also be blocked if the value of the
+**EnableNetworkProtection** parameter is `Enabled`.
+
+For more information about network protection, see [Protect your network](/defender-endpoint/network-protection).
```yaml
Type: Boolean
@@ -868,7 +1229,25 @@ Accept wildcard characters: False
```
### -EnableControlledFolderAccess
-Specifies the state for the controlled folder access feature. Valid values are Disabled, Enabled, and Audit Mode.
+
+<!--- Regardless of the value I enter, the property value in Get-MpPreference is 3--->
+
+Specifies the state for the controlled folder access feature. Valid values are:
+
+- Disabled
+- Enabled
+- AuditMode
+- BlockDiskModificationOnly
+- AuditDiskModificationOnly
+
+To specify additional folders that are protected by controlled folder access, use the
+**ControlledFolderAccessProtectedFolders** parameter.
+
+To specify applications that are allowed to access controlled folders, use the
+**ControlledFolderAccessAllowedApplications** parameter.
+
+For more information about controlled folder access, see [Protect important folders with controlled
+folder access](/defender-endpoint/controlled-folders).
```yaml
Type: ControlledFolderAccessType
@@ -883,10 +1262,17 @@ Accept wildcard characters: False
```
### -EnableConvertWarnToBlock
-This setting controls whether network protection blocks network traffic instead of displaying a warning. This setting can be manually controlled by setting it to `1` to enable and `0` to disable.
+
+This setting controls whether network protection blocks network traffic instead of displaying a
+warning. Valid values are:
+
+- $true: Network Protection blocks network traffic instead of displaying a warning.
+- $false: Network Protection displaying a warning.
+
+For more information about network protection, see [Protect your network](/defender-endpoint/network-protection).
```yaml
-Type: ASRRuleActionType
+Type: Boolean
Parameter Sets: (All)
Aliases:
@@ -897,9 +1283,19 @@ Accept pipeline input: False
Accept wildcard characters: False
```
-### -EnableDnsSinkhole (Deprecated)
-Specifies whether to examine DNS traffic to detect and sinkhole DNS exfiltration attempts and other DNS based malicious attacks.
-Network protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sink hole DNS exfiltration attempts, and other DNS based malicious attacks. Set this configuration to "$true" to enable this feature.
+### -EnableDnsSinkhole
+
+**Note**: This parameter has been deprecated.
+
+Specifies whether to examine DNS traffic to detect and sinkhole DNS exfiltration attempts and other
+DNS based malicious attacks. Valid values are:
+
+- $true: DNS sinkhole is enabled. Network protection can inspect the DNS traffic of a machine and,
+in conjunction with behavior monitoring, detect and sinkhole DNS exfiltration attempts, and other
+DNS based malicious attacks.
+- $false: DNS sinkhole is disabled.
+
+For more information about network protection, see [Protect your network](/defender-endpoint/network-protection).
```yaml
Type: Boolean
@@ -914,8 +1310,11 @@ Accept wildcard characters: False
```
### -EnableFileHashComputation
-Specifies whether to enable file hash computation.
-When this feature is enabled, Windows Defender computes hashes for files it scans.
+
+Specifies whether to enable file hash computation. Valid values are:
+
+- $true: Windows Defender computes hashes for scanned files.
+- $false: Windows Defender doesn't compute hashes for scanned files.
```yaml
Type: Boolean
@@ -930,7 +1329,11 @@ Accept wildcard characters: False
```
### -EnableFullScanOnBatteryPower
-Specifies whether Windows Defender does a full scan while on battery power.
+
+Specifies whether Windows Defender does full scans while on battery power. Valid values are:
+
+- $true: Windows Defender does full scans while on battery power.
+- $false: Windows Defender doesn't do full scans while on battery power.
```yaml
Type: Boolean
@@ -945,7 +1348,11 @@ Accept wildcard characters: False
```
### -EnableLowCpuPriority
-Specifies whether Windows Defender uses low CPU priority for scheduled scans.
+
+Specifies whether Windows Defender uses low CPU priority for scheduled scans. Valid values are:
+
+- $true: Windows Defender uses low CPU priority for scheduled scans.
+- $false: Windows Defender doesn't use low CPU priority for scheduled scans.
```yaml
Type: Boolean
@@ -960,8 +1367,19 @@ Accept wildcard characters: False
```
### -EnableNetworkProtection
-Specifies how the network protection service handles web-based malicious threats, including phishing and malware.
-Possible values are Disabled, Enabled, and AuditMode.
+
+Specifies how the network protection service handles web-based malicious threats, including phishing
+and malware. Valid values are:
+
+- 0 or Disabled
+- 1 or Enabled
+- 2 or AuditMode
+
+**Tip**: Network protection on Windows Server also requires that the
+**AllowNetworkProtectionOnWinServer** and (for Windows Server 2016 or Windows Server 2012 R2)
+**AllowNetworkProtectionDownLevel** parameters are set to the value $true.
+
+For more information about network protection, see [Protect your network](/defender-endpoint/network-protection).
```yaml
Type: ASRRuleActionType
@@ -975,11 +1393,19 @@ Accept pipeline input: False
Accept wildcard characters: False
```
-### Enable UdpReceiveOffload:
-Specifies whether UDP receive offload support in Network Protection is enabled, resulting in potentially higher UDP bandwidth in the inbound direction. Starting with platform version `4.18.24030`, Microsoft will gradually move this support default from disabled to enabled. This setting can be manually controlled by setting it to `1` to enable and `0` to disable.
+### -EnableUdpReceiveOffload
+
+Specifies whether UDP receive offload support in Network Protection is enabled, resulting in
+potentially higher inbound UDP bandwidth. Valid values are:
+
+- $true: UDP receive offload support in Network Protection is enabled.
+- $false: UDP receive offload support in Network Protection is disabled.
+
+Starting with platform version `4.18.24030`, we're gradually moving the default value from
+$false (disabled) to $true (enabled).
```yaml
-Type: ASRRuleActionType
+Type: Boolean
Parameter Sets: (All)
Aliases:
@@ -990,11 +1416,19 @@ Accept pipeline input: False
Accept wildcard characters: False
```
-### Enable UdpSegmentationOffload:
-Specifies whether UDP segmentation offload support in Network Protection is enabled, resulting in potentially higher UDP bandwidth in the outbound direction. Starting with platform version `4.18.24030`, Microsoft will gradually move this support default from disabled to enabled. This setting can be manually controlled by setting it to `1` to enable and `0` to disable.
+### -EnableUdpSegmentationOffload
+
+Specifies whether UDP segmentation offload support in Network Protection is enabled, resulting in
+potentially higher outbound UDP bandwidth in the outbound direction. Valid values are:
+
+- $true: UDP segmentation offload support in Network Protection is enabled.
+- $false: UDP segmentation offload support in Network Protection is disabled.
+
+Starting with platform version `4.18.24030`, Microsoft will gradually move the default value from
+disabled to enabled.
```yaml
-Type: ASRRuleActionType
+Type: Boolean
Parameter Sets: (All)
Aliases:
@@ -1006,20 +1440,28 @@ Accept wildcard characters: False
```
### -EngineUpdatesChannel
-Specifies when devices receive Microsoft Defender engine updates during the monthly gradual rollout.
-Valid values are:
+Specifies when devices receive Microsoft Defender engine updates during the monthly gradual
+rollout. Valid values are:
-- NotConfigured. Devices stay up to date automatically during the gradual release cycle. This value is suitable for most devices.
-- Beta. Devices are the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. This value is for use in manual test environments only and a limited number of devices.
-- Broad. Devices are offered updates only after the gradual release cycle completes. This value is suggested for a broad set of devices in your production population, from 10 to 100 percent.
-- Preview. Devices are offered updates earliest during the monthly gradual release cycle. This value is suggested for pre-production or validation environments.
-- Staged. Devices are offered updates after the monthly gradual release cycle. This value is suggested for a small, representative part of your production population, around 10 percent.
+- 0 or NotConfigured: Devices stay up to date automatically during the gradual release cycle. This
+value is suitable for most devices.
+- 2 or Beta: Devices are the first to receive new updates. Select Beta Channel to participate in
+identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are
+subscribed to this channel by default. This value is for use in manual test environments only and a
+limited number of devices.
+- 3 or Preview: Devices are offered updates earliest during the monthly gradual release cycle. This
+value is suggested for pre-production or validation environments.
+- 4 or Staged: Devices are offered updates after the monthly gradual release cycle. This value is
+suggested for a small, representative part of your production population, around 10 percent.
+- 5 or Broad: Devices are offered updates only after the gradual release cycle completes. This
+value is suggested for a broad set of devices in your production population, from 10 to 100 percent.
+- 6 or Delayed
```yaml
Type: UpdatesChannelType
Parameter Sets: (All)
-Aliases: erelr
+Aliases: euc
Required: False
Position: Named
@@ -1029,7 +1471,19 @@ Accept wildcard characters: False
```
### -ExclusionExtension
-Specifies an array of file name extensions, such as obj or lib, to exclude from scheduled, custom, and real-time scanning.
+
+Specifies the file name extensions, such as `obj` and `lib`, to exclude from scheduled, custom,
+and real-time scanning.
+
+To replace all existing values with the values you specify, use the following syntax: `"Extension1","Extension2",..."ExtensionN"`.
+
+To add values without affecting existing values, use the **Add-MPPreference** cmdlet:
+
+`Add-MpPreference -ExclusionExtension "Extension1","Extension2"..."ExtensionN"`
+
+To remove values without affecting other existing values, use the **Remove-MPPreference** cmdlet:
+
+`Remove-MpPreference -ExclusionExtension "Extension1","Extension2"..."ExtensionN"`
```yaml
Type: String[]
@@ -1044,7 +1498,18 @@ Accept wildcard characters: False
```
### -ExclusionIpAddress
-Specifies an array of IP addresses to exclude from scheduled and real-time scanning.
+
+Specifies the IP addresses to exclude from scheduled and real-time scanning.
+
+To replace all existing values with the values you specify, use the following syntax: `"IPAddress1","IPAddress2",..."IPAddresseN"`.
+
+To add values without affecting existing values, use the **Add-MPPreference** cmdlet:
+
+`Add-MpPreference -ExclusionIpAddress "IPAddress1","IPAddress",..."IPAddressN"`
+
+To remove values without affecting other existing values, use the **Remove-MPPreference** cmdlet:
+
+`Remove-MpPreference -ExclusionIpAddress "IPAddress1","IPAddress2",..."IPAddressN"`
```yaml
Type: String[]
@@ -1059,8 +1524,20 @@ Accept wildcard characters: False
```
### -ExclusionPath
-Specifies an array of file paths to exclude from scheduled and real-time scanning.
-You can specify a folder to exclude all the files under the folder.
+
+Specifies the path and filename (for specific files) or path only (for all files in the folder) to
+exclude from scheduled and real-time scanning.
+
+To replace all existing values with the values you specify, use the following syntax:
+`"Value1","Value2"..."ValueN"`.
+
+To add values without affecting existing values, use the **Add-MPPreference** cmdlet:
+
+`Add-MpPreference -ExclusionPath "Value1","Value2",..."ValuehN"`
+
+To remove values without affecting other existing values, use the **Remove-MPPreference** cmdlet:
+
+`Remove-MpPreference -ExclusionPath "Value1","Value2",..."ValueN"`
```yaml
Type: String[]
@@ -1075,11 +1552,22 @@ Accept wildcard characters: False
```
### -ExclusionProcess
-Specifies an array of processes, as paths to process images.
-This cmdlet excludes any files opened by the processes that you specify from scheduled and real-time scanning.
-Specifying this parameter excludes files opened by executable programs only.
-The cmdlet does not exclude the processes themselves.
-To exclude a process, specify it by using the **ExclusionPath** parameter.
+
+Specifies the paths to process images to exclude from scheduled and real-time scanning.
+
+To replace all existing values with the values you specify, use the following syntax:
+`"Path1","Path2"..."PathN"`.
+
+To add values without affecting existing values, use the **Add-MPPreference** cmdlet:
+
+`Add-MpPreference -ExclusionProcess "Path1","Path2",..."PathhN"`
+
+To remove values without affecting other existing values, use the **Remove-MPPreference** cmdlet:
+
+`Remove-MpPreference -ExclusionProcess "Path1","Path2",..."PathN"`
+
+This parameter excludes files opened by executable programs only, not the processes themselves.
+To exclude processes, use the **ExclusionPath** parameter.
```yaml
Type: String[]
@@ -1094,7 +1582,9 @@ Accept wildcard characters: False
```
### -Force
-Forces the command to run without asking for user confirmation.
+
+Forces the command to run without asking for user confirmation. You don't need to specify a value
+with this switch.
```yaml
Type: SwitchParameter
@@ -1109,7 +1599,11 @@ Accept wildcard characters: False
```
### -ForceUseProxyOnly
-Specifies whether to force the device to use only the proxy.
+
+Specifies whether to force the device to use only the proxy. Valid values are:
+
+- $true: Use the proxy only.
+- $false: Don't force the device to use the proxy.
```yaml
Type: Boolean
@@ -1124,12 +1618,19 @@ Accept wildcard characters: False
```
### -HighThreatDefaultAction
-Specifies which automatic remediation action to take for a high level threat.
-The acceptable values for this parameter are:
+<!--- Regardless of the value I enter, the property value in Get-MpPreference is 0. If I could
+change it like UnknownThreatDefaultAction, I wouldn't be able to change it back.--->
+
+Specifies the automatic remediation action to take for high level threats. Valid values are:
+
+- Clean
- Quarantine
- Remove
-- Ignore
+- Allow
+- UserDefined
+- NoAction
+- Block
```yaml
Type: ThreatAction
@@ -1145,15 +1646,15 @@ Accept wildcard characters: False
```
### -IntelTDTEnabled
-This policy setting configures the Intel TDT integration level for Intel TDT-capable devices.
-The acceptable values for this parameter are:
-- 0 (Default) - If you don't configure this setting, the default value will be applied. The default value is controlled by Microsoft security intelligence updates. Microsoft will enable Intel TDT if there is a known threat.
-- 1 - If you configure this setting to enabled, Intel TDT integration will turn on.
-- 2 - If you configure this setting to disabled, Intel TDT integration will turn off.
+This policy setting configures the Intel TDT integration level for Intel TDT-capable devices. Valid
+values are:
+
+- $true: Intel TDT integration is turned on.
+- $false: Intel TDT integration is turned off.
```yaml
-Type: UInt32
+Type: Boolean
Parameter Sets: (All)
Aliases: itdte
Accepted values: 0,1 and 2
@@ -1166,12 +1667,19 @@ Accept wildcard characters: False
```
### -LowThreatDefaultAction
-Specifies which automatic remediation action to take for a low level threat.
-The acceptable values for this parameter are:
+<!--- Regardless of the value I enter, the property value in Get-MpPreference is 0. If I could
+change it like UnknownThreatDefaultAction, I wouldn't be able to change it back.--->
+
+Specifies the automatic remediation action to take for low level threats. Valid values are:
+
+- Clean
- Quarantine
- Remove
-- Ignore
+- Allow
+- UserDefined
+- NoAction
+- Block
```yaml
Type: ThreatAction
@@ -1187,23 +1695,22 @@ Accept wildcard characters: False
```
### -MAPSReporting
-Specifies the type of membership in Microsoft Active Protection Service.
-Microsoft Active Protection Service is an online community that helps you choose how to respond to potential threats.
-The community also helps prevent the spread of new malicious software.
-The acceptable values for this parameter are:
-- 0: Disabled.
-Send no information to Microsoft.
-This is the default value.
-- 1: Basic membership.
-Send basic information to Microsoft about detected software, including where the software came from, the actions that you apply or that apply automatically, and whether the actions succeeded.
-- 2: Advanced membership.
-In addition to basic information, send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it affects your computer.
+Specifies the type of membership in Microsoft Active Protection Service. This services is an online
+community that helps you choose how to respond to potential threats. The community also helps
+prevent the spread of new malicious software. Valid values are:
+
+- 0 or Disabled: Send no information to Microsoft. This is the default value.
+- 1 or Basic: Send basic information to Microsoft about detected software, including where the software
+came from, the actions you applied (manually or automatically), and whether the actions succeeded.
+- 2 or Advanced: In addition to basic information, send more information to Microsoft about malicious
+software, spyware, and potentially unwanted software, including the location of the software,
+filenames, how the software operates, and how it affects your computer.
-If you join this community, you can choose to automatically send basic or additional information about detected software.
-Additional information helps Microsoft create new definitions.
-In some instances, personal information might unintentionally be sent to Microsoft.
-However, Microsoft will not use this information to identify you or contact you.
+If you join this community, you can choose to automatically send basic or additional information
+about detected software. Additional information helps Microsoft create new definitions. In some
+instances, personal information might unintentionally be sent to Microsoft. However, Microsoft
+doesn't use this information to identify you or contact you.
```yaml
Type: MAPSReportingType
@@ -1219,8 +1726,11 @@ Accept wildcard characters: False
```
### -MeteredConnectionUpdates
-Specifies whether to update managed devices to update through metered connections.
-Data charges may apply.
+
+Specifies whether to update managed devices to update through metered connections. Valid values are:
+
+- $true: Updates are made over metered connections. Data charges may apply.
+- $false: Updates aren't made over metered connections.
```yaml
Type: Boolean
@@ -1235,12 +1745,19 @@ Accept wildcard characters: False
```
### -ModerateThreatDefaultAction
-Specifies which automatic remediation action to take for a moderate level threat.
-The acceptable values for this parameter are:
+<!--- Regardless of the value I enter, the property value in Get-MpPreference is 0. If I could
+change it like UnknownThreatDefaultAction, I wouldn't be able to change it back.--->
+
+Specifies the automatic remediation action to take for moderate level threats. Valid values are:
+
+- Clean
- Quarantine
- Remove
-- Ignore
+- Allow
+- UserDefined
+- NoAction
+- Block
```yaml
Type: ThreatAction
@@ -1257,12 +1774,12 @@ Accept wildcard characters: False
### -OobeEnableRtpAndSigUpdate
-This setting allows you to configure whether real-time protection and Security Intelligence Updates are enabled during Out of Box experience (OOBE).
+This setting allows you to configure whether real-time protection and Security Intelligence Updates
+are enabled during Out of Box experience (OOBE). Valid values are:
-Valid values are:
-
-- True - If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE.
-- False (Default) - If you either disable or don't configure this setting, real-time protection and Security Intelligence Updates during OOBE aren't enabled.
+- $true: Real-time protection and Security Intelligence Updates are enabled during OOBE.
+- $false: Real-time protection and Security Intelligence Updates during OOBE aren't enabled. This
+is the default value.
```yaml
Type: Boolean
@@ -1277,15 +1794,23 @@ Accept wildcard characters: False
```
### -PlatformUpdatesChannel
-Specifies when devices receive Microsoft Defender platform updates during the monthly gradual rollout.
-Valid values are:
+Specifies when devices receive Microsoft Defender platform updates during the monthly gradual
+rollout. Valid values are:
-- NotConfigured. Devices stay up to date automatically during the gradual release cycle. This value is suitable for most devices.
-- Beta. Devices are the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. This value is for use in manual test environments only and a limited number of devices.
-- Broad. Devices are offered updates only after the gradual release cycle completes. This value is suggested for a broad set of devices in your production population, from 10 to 100 percent.
-- Preview. Devices are offered updates earliest during the monthly gradual release cycle. This value is suggested for pre-production or validation environments.
-- Staged. Devices are offered updates after the monthly gradual release cycle. This value is suggested for a small, representative part of your production population, around 10 percent.
+- NotConfigured: Devices stay up to date automatically during the gradual release cycle. This value
+is suitable for most devices.
+- Beta: Devices are the first to receive new updates. Select Beta Channel to participate in
+identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are
+subscribed to this channel by default. This value is for use in manual test environments only and
+for a limited number of devices.
+- Preview: Devices are offered updates earliest during the monthly gradual release cycle. This value
+is suggested for pre-production or validation environments.
+- Staged: Devices are offered updates after the monthly gradual release cycle. This value is
+suggested for a small, representative part of your production population, around 10 percent.
+- Broad: Devices are offered updates only after the gradual release cycle completes. This value is
+suggested for a broad set of devices in your production population, from 10 to 100 percent.
+- Delayed
```yaml
Type: UpdatesChannelType
@@ -1300,8 +1825,38 @@ Accept wildcard characters: False
```
### -ProxyBypass
+
Specifies proxy bypasses.
+To replace all existing values with the values you specify, use the following syntax: `"Value1","Value2",..."ValueN"`.
+
+To add values without affecting existing values, use the following syntax:
+
+`$a = Get-MpPreference | Select-Object -Expand ProxyBypass`
+
+`$ += "Value1","Value2"..."ValueN"`
+
+`Set-MpPreference -ProxyBypass $a`
+
+To remove values without affecting existing values, do the following steps:
+
+- Run the following commands to see the existing list of values in order:
+
+ `$x = Get-MpPreference`
+
+ `$r = [System.Collections.ArrayList]($x.ProxyBypass)`
+
+ `$r`
+
+ The first value in the list has the index number 0, the second has the index number 1, and so on.
+
+- Use the index number to specify the value to remove. For example, to remove the seventh value in
+the list, run the following commands:
+
+ `$r.RemoveAt(6)`
+
+ `Set-MpPreference -ProxyBypass $r`
+
```yaml
Type: String[]
Parameter Sets: (All)
@@ -1315,6 +1870,7 @@ Accept wildcard characters: False
```
### -ProxyPacUrl
+
Specifies the Privilege Attribute Certificate (PAC) proxy.
```yaml
@@ -1330,6 +1886,7 @@ Accept wildcard characters: False
```
### -ProxyServer
+
Specifies the proxy server.
```yaml
@@ -1345,8 +1902,13 @@ Accept wildcard characters: False
```
### -PUAProtection
-Specifies the level of detection for potentially unwanted applications.
-When potentially unwanted software is downloaded or attempts to install itself on your computer, you are warned.
+
+Specifies the level of detection for potentially unwanted applications. Valid values are:
+
+- 0 or Disabled
+- 1 or Enabled: You're warned when potentially unwanted software is downloaded or attempts to install
+itself on your computer.
+- 2 or Audit
```yaml
Type: PUAProtectionType
@@ -1362,8 +1924,9 @@ Accept wildcard characters: False
```
### -QuarantinePurgeItemsAfterDelay
-Specifies the number of days to keep items in the Quarantine folder.
-If you specify a value of zero or do not specify a value for this parameter, items stay in the Quarantine folder indefinitely.
+
+Specifies the number of days to keep items in the Quarantine folder. A valid value is an integer
+from 0 to 4294967295. The value 0 means items stay in the Quarantine folder indefinitely.
```yaml
Type: UInt32
@@ -1378,10 +1941,17 @@ Accept wildcard characters: False
```
### -RandomizeScheduleTaskTimes
-Indicates whether to select a random time for the scheduled start and scheduled update for definitions.
-If you specify a value of $True or do not specify a value, scheduled tasks begin within 30 minutes, before or after, the scheduled time.
-If you randomize the start times, it can distribute the impact of scanning.
-For example, if several virtual machines share the same host, randomized start times prevents all the hosts from starting the scheduled tasks at the same time.
+
+Specifies whether to select a random time for the scheduled start and scheduled update for
+definitions. Valid values are:
+
+- $true: Scheduled tasks begin within 30 minutes before or after the scheduled time. This is the
+default value.
+- $false: Scheduled tasks begin on the scheduled time
+
+Randomized start times can distribute the impact of scanning. For example, if several virtual
+machines share the same host, randomized start times prevent all virtual machines from starting the
+scheduled tasks at the same time.
```yaml
Type: Boolean
@@ -1396,17 +1966,18 @@ Accept wildcard characters: False
```
### -RealTimeScanDirection
-Specifies scanning configuration for incoming and outgoing files on NTFS volumes.
-The acceptable values for this parameter are:
-- 0: Scan both incoming and outgoing files.
-This is the default.
-- 1: Scan incoming files only.
-- 2: Scan outgoing files only.
+Specifies scanning configuration for incoming and outgoing files on NTFS volumes. Valid values are:
+
+- 0 or Both: Scan incoming and outgoing files. This is the default value.
+- 1 or Incoming: Scan incoming files only.
+- 2 or Outcoming \[SP\]: Scan outgoing files only.
-Specify a value for this parameter to enhance performance on servers which have a large number of file transfers, but need scanning for either incoming or outgoing files.
-Evaluate this configuration based on the server role.
-For non-NTFS volumes, Windows Defender performs full monitoring of file and program activity.
+Use this parameter to restrict scanning to incoming or outgoing files on servers that have a large
+number of file transfers in only one direction.
+
+Evaluate this configuration based on the server role. For non-NTFS volumes, Windows Defender
+does full monitoring of file and program activity.
```yaml
Type: ScanDirection
@@ -1422,22 +1993,21 @@ Accept wildcard characters: False
```
### -RemediationScheduleDay
-Specifies the day of the week on which to perform a scheduled full scan in order to complete remediation.
-Alternatively, specify everyday for this full scan or never.
-The acceptable values for this parameter are:
-- 0: Everyday
-- 1: Sunday
-- 2: Monday
-- 3: Tuesday
-- 4: Wednesday
-- 5: Thursday
-- 6: Friday
-- 7: Saturday
-- 8: Never
+Specifies the day of the week to run scheduled full scans to complete remediation. Valid values are:
+
+- 0 or Everyday
+- 1 or Sunday
+- 2 or Monday
+- 3 or Tuesday
+- 4 or Wednesday
+- 5 or Thursday
+- 6 or Friday
+- 7 or Saturday
+- 8 or Never (default)
-The default value is 8, never.
-If you specify a value of 8 or do not specify a value, Windows Defender performs a scheduled full scan to complete remediation by using a default frequency.
+For the value 8 or Never, Windows Defender uses a default frequency to run scheduled full scans to
+complete remediation.
```yaml
Type: Day
@@ -1453,9 +2023,13 @@ Accept wildcard characters: False
```
### -RemediationScheduleTime
-Specifies the time of day, as the number of minutes after midnight, to perform a scheduled scan.
-The time refers to the local time on the computer.
-If you do not specify a value for this parameter, a scheduled scan runs at the default time of two hours after midnight.
+
+Specifies the time on the local computer to run scheduled scans for remediation.
+
+To specify a value, enter it as a time span: `hh:mm:ss` where `hh` = hours, `mm` = minutes and `ss`
+= seconds. For example, `13:30:00` indicates 1:30 PM.
+
+The default value is `02:00:00` (2:00 AM).
```yaml
Type: DateTime
@@ -1470,7 +2044,9 @@ Accept wildcard characters: False
```
### -ReportingAdditionalActionTimeOut
-Specifies the number of minutes before a detection in the additional action state changes to the cleared state.
+
+Specifies the number of minutes before a detection in the additional action state changes to the
+cleared state. A valid value is an integer from 0 to 4294967295.
```yaml
Type: UInt32
@@ -1485,7 +2061,9 @@ Accept wildcard characters: False
```
### -ReportingCriticalFailureTimeOut
-Specifies the number of minutes before a detection in the critically failed state changes to either the additional action state or the cleared state.
+
+Specifies the number of minutes before a detection in the critically failed state changes to
+the additional action state or the cleared state. A valid value is an integer from 0 to 4294967295.
```yaml
Type: UInt32
@@ -1500,7 +2078,9 @@ Accept wildcard characters: False
```
### -ReportingNonCriticalTimeOut
-Specifies the number of minutes before a detection in the non-critically failed state changes to the cleared state.
+
+Specifies the number of minutes before a detection in the non-critically failed state changes to
+the cleared state. A valid value is an integer from 0 to 4294967295.
```yaml
Type: UInt32
@@ -1515,12 +2095,21 @@ Accept wildcard characters: False
```
### -ScanAvgCPULoadFactor
+
Specifies the maximum percentage CPU usage for a scan.
-The acceptable values for this parameter are: integers from 5 through 100, and the value 0, which disables CPU throttling.
-Windows Defender does not exceed the percentage of CPU usage that you specify.
-The default value is 50.
-Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. If ScanOnlyIfIdleEnabled (instructing the product to scan only when the computer is not in use) and DisableCpuThrottleOnIdleScans (instructing the product to disable CPU throttling on idle scans) are both enabled, then the value of ScanAvgCPULoadFactor is ignored.
+A valid value is an integer from 5 to 100. The default value is 50. The value 0 disables CPU
+throttling.
+
+**Note**: This value isn't a hard limit, but rather guidance for the scanning engine to not exceed
+the specified value on average.
+
+The value of this parameter is ignored if both of the following conditions are true:
+
+- The value of the **ScanOnlyIfIdleEnabled** parameter is $true (scan only when the computer isn't
+in use).
+- The value of the **DisableCpuThrottleOnIdleScans** parameter is $false (disable CPU throttling on
+idle scans).
```yaml
Type: Byte
@@ -1535,8 +2124,12 @@ Accept wildcard characters: False
```
### -ScanOnlyIfIdleEnabled
-Indicates whether to start scheduled scans only when the computer is not in use.
-If you specify a value of $True or do not specify a value, Windows Defender runs schedules scans when the computer is on, but not in use.
+
+Specifies whether to start scheduled scans only when the computer is not in use. Valid values are:
+
+- $true: Windows Defender runs schedules scans when the computer is on, but not in use. This is the
+default value.
+- $false: Windows Defender runs schedules scans when the computer is in use.
```yaml
Type: Boolean
@@ -1551,13 +2144,11 @@ Accept wildcard characters: False
```
### -ScanParameters
-Specifies the scan type to use during a scheduled scan.
-The acceptable values for this parameter are:
-- 1: Quick scan
-- 2: Full scan
+Specifies the scan type to use during a scheduled scan. Valid values are:
-If you do not specify this parameter, Windows Defender uses the default value of quick scan.
+- 1 or QuickScan (default)
+- 2 or FullScan
```yaml
Type: ScanType
@@ -1573,10 +2164,12 @@ Accept wildcard characters: False
```
### -ScanPurgeItemsAfterDelay
-Specifies the number of days to keep items in the scan history folder.
-After this time, Windows Defender removes the items.
-If you specify a value of zero, Windows Defender does not remove items.
-If you do not specify a value, Windows Defender removes items from the scan history folder after the default length of time, which is 15 days.
+
+Specifies the number of days to keep items in the scan history folder. After this time, Windows
+Defender removes the items.
+
+A valid value is an integer from 0 to
+4294967295. The default value is 15 days. The value 0 means Windows Defender doesn't remove items from the scan history folder.
```yaml
Type: UInt32
@@ -1591,22 +2184,20 @@ Accept wildcard characters: False
```
### -ScanScheduleDay
-Specifies the day of the week on which to perform a scheduled scan.
-Alternatively, specify everyday for a scheduled scan or never.
-The acceptable values for this parameter are:
-- 0: Everyday
-- 1: Sunday
-- 2: Monday
-- 3: Tuesday
-- 4: Wednesday
-- 5: Thursday
-- 6: Friday
-- 7: Saturday
-- 8: Never
+Specifies the day of the week to run scheduled scans. Valid values are:
+
+- 0 or Everyday
+- 1 or Sunday
+- 2 or Monday
+- 3 or Tuesday
+- 4 or Wednesday
+- 5 or Thursday
+- 6 or Friday
+- 7 or Saturday
+- 8 or Never (default)
-The default value is 8, never.
-If you specify a value of 8 or do not specify a value, Windows Defender does not perform scheduled scans.
+For the value 8 or Never, Windows Defender doesn't do scheduled scans.
```yaml
Type: Day
@@ -1621,16 +2212,18 @@ Accept pipeline input: False
Accept wildcard characters: False
```
-### -ScanScheduleQuickScanTime
-Specifies the time of day, as the number of minutes after midnight, to perform a scheduled quick scan.
-The time refers to the local time on the computer.
-If you do not specify a value for this parameter, a scheduled quick scan runs at the time specified by the **ScanScheduleOffset** parameter.
-That parameter has a default time of two hours after midnight.
+### -ScanScheduleOffset
+
+Specifies the number of minutes after midnight on the local computer to run scheduled scans. The
+default value is 120, which means scheduled scans start on the local computer at 2:00 AM.
+
+If you don't specify a value for this parameter, scheduled scans start at the time specified by the
+**ScanScheduleTime** and **ScanScheduleQuickScanTime** parameters.
```yaml
-Type: DateTime
+Type: UInt32
Parameter Sets: (All)
-Aliases: scsqst
+Aliases: scso
Required: False
Position: Named
@@ -1639,12 +2232,24 @@ Accept pipeline input: False
Accept wildcard characters: False
```
-### -ScanScheduleOffset
-Configures the number of minutes after midnight to perform a scheduled scan. The time on the endpoint is used to determine the local time. If you enable this setting, a scheduled scan will run at the time specified. If you disable or don’t enable this setting, a scheduled scan runs at the default time of two hours (120 minutes) after midnight.
+### -ScanScheduleQuickScanTime
+
+Specifies the time on the local computer to run scheduled quick scans.
+
+To specify a value, enter it as a time span: `hh:mm:ss` where `hh` = hours, `mm` = minutes and `ss`
+= seconds. For example, `13:30:00` indicates 1:30 PM.
+
+The default value is `02:00:00` (2:00 AM).
+
+If you don't specify a value for this parameter, scheduled quick scans run at the time specified
+by the **ScanScheduleOffset** parameter.
```yaml
-Type: UInt32
-Aliases: scso
+Type: DateTime
+Parameter Sets: (All)
+Aliases: scsqst
+
+Required: False
Position: Named
Default value: None
Accept pipeline input: False
@@ -1652,11 +2257,20 @@ Accept wildcard characters: False
```
### -ScanScheduleTime
-Specifies the time of day to run a scheduled scan. The time refers to the local time on the computer. Specify the number of minutes after midnight (for example, enter 60 for 1 a.m.). This parameter has a default time of two hours after midnight (2 a.m.).
+
+Specifies the time on the local computer to run scheduled scans.
+
+To specify a value, enter it as a time span: `hh:mm:ss` where `hh` = hours, `mm` = minutes and `ss`
+= seconds. For example, `13:30:00` indicates 1:30 PM.
+
+The default value is `02:00:00` (2:00 AM).
+
+If you don't specify a value for this parameter, scheduled scans run at the time specified
+by the **ScanScheduleOffset** parameter.
```yaml
Type: DateTime
-Aliases: scsqst
+Aliases: scst
Position: Named
Default value: None
Accept pipeline input: False
@@ -1664,7 +2278,9 @@ Accept wildcard characters: False
```
### -SchedulerRandomizationTime
-Specifies the randomization time for the scheduler.
+
+Specifies the randomization time for the scheduler. A valid value is an integer from 0 to
+4294967295.
```yaml
Type: UInt32
@@ -1679,11 +2295,17 @@ Accept wildcard characters: False
```
### -ServiceHealthReportInterval
-This policy setting configures the time interval (in minutes) for the service health reports to be sent from endpoints. These are for Microsoft Defender Antivirus events 1150 and 1151. For more information, see [Microsoft Defender Antivirus event IDs](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus#microsoft-defender-antivirus-event-ids).
-If you do not configure this setting, the default value will be applied. The default value is set at 60 minutes (one hour).
-If you configure this setting to 0, no service health reports will be sent.
-The maximum value allowed to be set is 14400 minutes (ten days).
+<!-- Max value claimed to be 1440, but I could set 429496729 --->
+
+Specifies the time interval in minutes for the service health reports to be sent from endpoints.
+These reports are for Microsoft Defender Antivirus events 1150 and 1151.
+
+A valid value is an integer from 0 to 4294967295. The default value is 60 minutes. The value 0
+means no service health reports are sent.
+
+For more information, see
+[Microsoft Defender Antivirus event IDs](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus#microsoft-defender-antivirus-event-ids).
```yaml
Type: UInt32
@@ -1696,12 +2318,19 @@ Accept wildcard characters: False
```
### -SevereThreatDefaultAction
-Specifies which automatic remediation action to take for a severe level threat.
-The acceptable values for this parameter are:
+<!--- Regardless of the value I enter, the property value in Get-MpPreference is 0. If I could
+change it like UnknownThreatDefaultAction, I wouldn't be able to change it back.--->
+
+Specifies which automatic remediation action to take for severe level threats. Valid values are:
+
+- Clean
- Quarantine
- Remove
-- Ignore
+- Allow
+- UserDefined
+- NoAction
+- Block
```yaml
Type: ThreatAction
@@ -1717,7 +2346,11 @@ Accept wildcard characters: False
```
### -SharedSignaturesPath
-Specifies the shared signatures path.
+
+Specifies the shared signatures path. For example, `"P:\Signature Data"`. If the value contains
+spaces, enclose the value in quotation marks (").
+
+To empty this setting, use the value `" "`.
```yaml
Type: String
@@ -1732,8 +2365,17 @@ Accept wildcard characters: False
```
### -SignatureAuGracePeriod
-Specifies a grace period, in minutes, for the definition.
-If a definition successfully updates within this period, Windows Defender abandons any service initiated updates.
+
+Specified the grace period in minutes that's applied to all signature updates after the initial,
+first-time application.
+
+A valid value is an integer from 0 to 4294967295.
+
+If Windows Defender successfully updates within this period, any service initiated updates are
+abandoned.
+
+THe **SignatureFirstAuGracePeriod** parameter specifies the grace period when a new signature is
+first detected.
```yaml
Type: UInt32
@@ -1748,7 +2390,12 @@ Accept wildcard characters: False
```
### -SignatureBlobFileSharesSources
-Specifies the file shares sources for signatures.
+
+Specifies the file shares sources for signatures. For example,
+`"\\ServerName\\ShareName\Folder name\"`. If the value contains spaces, enclose the value in
+quotation marks (").
+
+To empty this setting, use the value `" "`.
```yaml
Type: String
@@ -1763,7 +2410,8 @@ Accept wildcard characters: False
```
### -SignatureBlobUpdateInterval
-Specifies the signature update interval.
+
+Specifies the signature update interval. A valid value is an integer from 0 to 4294967295.
```yaml
Type: UInt32
@@ -1778,11 +2426,17 @@ Accept wildcard characters: False
```
### -SignatureDefinitionUpdateFileSharesSources
+
Specifies file-share sources for definition updates.
-Specify sources as a bracketed sequence of Universal Naming Convention (UNC) locations, separated by the pipeline symbol; for example, { \\\\Server01\Share01 | \\\\Server02\Share02 | \\\\Server03\Share03}.
-If you specify a value for this parameter, Windows Defender attempts to connect to the shares in the order that you specify.
-After Windows Defender updates a definition, it stops attempting to connect to shares on the list.
-If you do not specify a value for this parameter, the list is empty.
+
+A valid value uses the following syntax:
+`{\\Server1\Share1 | \\Server2\Share2 | ... \\ServerN\ShareN}`.
+
+Windows Defender tries to connect to the shared folders in the specified order. After the update
+is successful, Windows Defender stops trying to connect to the remaining shared folders in the
+list.
+
+To empty this setting, use the value `" "`.
```yaml
Type: String
@@ -1797,9 +2451,12 @@ Accept wildcard characters: False
```
### -SignatureDisableUpdateOnStartupWithoutEngine
-Indicates whether to initiate definition updates even if no antimalware engine is present.
-If you specify a value of $True or do not specify a value, Windows Defender does not initiate definition updates on startup.
-If you specify a value of $False, and if no antimalware engine is present, Windows Defender initiates definition updates on startup.
+
+Specifies whether to initiate definition updates even if no antimalware engine is present. Valid values are:
+
+- $true: Windows Defender does not initiate definition updates on startup. This is the default value
+- $false: If no antimalware engine is present, Windows Defender initiates definition updates on
+startup.
```yaml
Type: Boolean
@@ -1814,20 +2471,20 @@ Accept wildcard characters: False
```
### -SignatureFallbackOrder
-Specifies the order in which to contact different definition update sources.
-Specify the types of update sources in the order in which you want Windows Defender to contact them, enclosed in braces and separated by the pipeline symbol; for example, { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }.
-The values that you can specify in the string are:
+
+Specifies the order in which to contact different definition update sources. The available sources
+are:
- InternalDefinitionUpdateServer
- MicrosoftUpdateServer
-- MMPC
-- FileShares
+- MMPC (Microsoft Malware Protection Center)
+- FileShares (specified by the **SignatureDefinitionUpdateFileSharesSources** parameter)
-MMPC refers to Microsoft Malware Protection Center.
+A valid value uses the following syntax: `{Source1 | Source2 | Source3 |Source4}`. The default
+value is `{MicrosoftUpdateServer | MMPC}`.
-If you specify a value for this parameter, Windows Defender contacts the definition update sources in the specified order.
-After Windows Defender downloads definition updates from a source, it stops attempting to connect to other sources.
-If you do not specify a value for this parameter, Windows Defender contacts sources in the default order of { MicrosoftUpdateServer | MMPC }.
+Windows Defender tries to connect to the sources in the specified order. After the update
+is successful, Windows Defender stops trying to connect to the remaining sources in the list.
```yaml
Type: String
@@ -1842,10 +2499,21 @@ Accept wildcard characters: False
```
### -SignatureFirstAuGracePeriod
-Specifies a grace period, in minutes, for the definition.
-If a definition successfully updates within this period, Windows Defender abandons any service initiated updates.
+
+Specifies the grace period in minutes that's given to a new signature when it's first applied. This
+grace period allows more time for compatibility checks with new detection logic. For example, to
+prevent false positives from triggering alerts.
+
+A valid value is an integer from 20 to 4320.
+
+If Windows Defender successfully updates within this period, any service initiated updates are
+abandoned.
+
This parameter overrides the value of the **CheckForSignaturesBeforeRunningScan** parameter.
+The **SignatureAuGracePeriod** parameter specifies the standard grace period for all subsequent
+signature updates.
+
```yaml
Type: UInt32
Parameter Sets: (All)
@@ -1859,22 +2527,20 @@ Accept wildcard characters: False
```
### -SignatureScheduleDay
-Specifies the day of the week on which to check for definition updates.
-Alternatively, specify everyday for a scheduled scan or never.
-The acceptable values for this parameter are:
-- 0: Everyday
-- 1: Sunday
-- 2: Monday
-- 3: Tuesday
-- 4: Wednesday
-- 5: Thursday
-- 6: Friday
-- 7: Saturday
-- 8: Never
+Specifies the day of the week on which to check for definition updates. Valid values are:
+
+- 0 or Everyday
+- 1 or Sunday
+- 2 or Monday
+- 3 or Tuesday
+- 4 or Wednesday
+- 5 or Thursday
+- 6 or Friday
+- 7 or Saturday
+- 8 or Never (default)
-The default value is 8, never.
-If you specify a value of 8 or do not specify a value, Windows Defender checks for definition updates by using a default frequency.
+For the value 8 or Never, Windows Defender uses a default frequency to check for definition updates.
```yaml
Type: Day
@@ -1890,37 +2556,19 @@ Accept wildcard characters: False
```
### -SignatureScheduleTime
-Specifies the time of day, as the number of minutes after midnight, to check for definition updates.
-The time refers to the local time on the computer.
-If you do not specify a value for this parameter, Windows Defender checks for definition updates at the default time of 15 minutes before the scheduled scan time.
-
-```yaml
-Type: DateTime
-Parameter Sets: (All)
-Aliases: sigst
-
-Required: False
-Position: Named
-Default value: None
-Accept pipeline input: False
-Accept wildcard characters: False
-```
-
-### -SignaturesUpdatesChannel
-Specifies when devices receive daily Microsoft Defender definition updates during the monthly gradual rollout.
-Valid values are:
+Specifies the time on the local computer to check for definition updates.
-- NotConfigured. Devices stay up to date automatically during the gradual release cycle. This value is suitable for most devices.
-- Broad. Devices are offered updates only after the gradual release cycle completes. This value is suggested for a broad set of devices in your production population, from 10 to 100 percent.
-- Staged. Devices are offered updates after the monthly gradual release cycle. This value is suggested for a small, representative part of your production population, around 10 percent.
+To specify a value, enter it as a time span: `hh:mm:ss` where `hh` = hours, `mm` = minutes and `ss`
+= seconds. For example, `13:30:00` indicates 1:30 PM.
-This parameter name will be updated to **DefinitionUpdatesChannel** in a future release.
+If you don't specify a value for this parameter, Windows Defender checks for definition updates 15
+minutes before the scheduled scan time by default.
```yaml
-Type: UpdatesChannelType
+Type: DateTime
Parameter Sets: (All)
-Aliases: srelr
+Aliases: sigst
Required: False
Position: Named
@@ -1930,8 +2578,10 @@ Accept wildcard characters: False
```
### -SignatureUpdateCatchupInterval
+
Specifies the number of days after which Windows Defender requires a catch-up definition update.
-If you do not specify a value for this parameter, Windows Defender requires a catch-up definition update after the default value of one day.
+
+A valid value is an integer from 0 to 4294967295. The default value is one day.
```yaml
Type: UInt32
@@ -1946,10 +2596,15 @@ Accept wildcard characters: False
```
### -SignatureUpdateInterval
-Specifies the interval, in hours, at which to check for definition updates.
-The acceptable values for this parameter are: integers from 1 through 24.
-If you do not specify a value for this parameter, Windows Defender checks at the default interval.
-You can use this parameter instead of the **SignatureScheduleDay** parameter and **SignatureScheduleTime** parameter.
+
+<!---Range is supposedly 1 to 24 --->
+
+Specifies the interval in hours to check for definition updates.
+
+A valid value is an integer from 0 to 4294967295.
+
+You can use this parameter instead of the **SignatureScheduleDay**and **SignatureScheduleTime**
+parameters.
```yaml
Type: UInt32
@@ -1964,15 +2619,16 @@ Accept wildcard characters: False
```
### -SubmitSamplesConsent
-Specifies how Windows Defender checks for user consent for certain samples.
-If consent has previously been granted, Windows Defender submits the samples.
-Otherwise, if the **MAPSReporting** parameter does not have a value of Disabled, Windows Defender prompts the user for consent.
-The acceptable values for this parameter are:
-- 0: Always prompt
-- 1: Send safe samples automatically
-- 2: Never send
-- 3: Send all samples automatically
+Specifies how Windows Defender checks for user consent for certain samples. Valid values are:
+
+- 0 or AlwaysPrompt
+- 1 or SendSafeSamples
+- 2 or NeverSend
+- 3 or SendAllSamples
+
+If consent was previously granted, Windows Defender submits the samples. Otherwise, Windows Defender
+prompts the user for consent if the value of the **MAPSReporting** parameter isn't Disabled.
```yaml
Type: SubmitSamplesConsentType
@@ -1988,19 +2644,46 @@ Accept wildcard characters: False
```
### -ThreatIDDefaultAction_Actions
-Specifies an array of the actions to take for the IDs specified by using the **ThreatIDDefaultAction_Ids** parameter.
-The acceptable values for this parameter are:
-- 1: Clean
-- 2: Quarantine
-- 3: Remove
-- 6: Allow
-- 8: UserDefined
-- 9: NoAction
-- 10: Block
+Use the **ThreatIDDefaultAction_Ids** and **ThreatIDDefaultAction_Actions** parameters
+together in the same command to specify the actions to take on the corresponding threats.
-> [!NOTE]
-> A value of 0 (NULL) applies an action based on the Security Intelligence Update (SIU). This is the default value.
+- The **ThreatIDDefaultAction_Ids** parameter identifies the threat from the output of the
+**Get-MpThreatCatalog** cmdlet. For example, the ThreatID value of the threat named
+**Trojan:Win32/BlueFire** is `3229`.
+- The **ThreatIDDefaultAction_Actions** parameter identifies the action to take on the corresponding
+threat ID. Valid values are:
+
+ • 1 or Clean
+
+ • 2 or Quarantine
+
+ • 3 or Remove
+
+ • 6 or Allow
+
+ • 8 or UserDefined
+
+ • 9 or NoAction
+
+ • 10 or Block
+
+To replace all existing values with the values you specify, use the following syntax:
+
+`Set-MpPreference -ThreatIDDefaultAction_Ids ThreatID1,ThreatID2,...ThreatIDN -ThreatIDDefaultAction_Actions Action1,Action2,...ActionN`
+
+To add values without affecting existing values, use the **Add-MPPreference** cmdlet:
+
+`Add-MpPreference -ThreatIDDefaultAction_Ids ThreatID1,ThreatID2,...ThreatIDN -ThreatIDDefaultAction_Actions Action1,Action2,...ActionN`
+
+To remove values without affecting other existing values, use the **Remove-MPPreference** cmdlet:
+
+`Remove-MpPreference -ThreatIDDefaultAction_Ids ThreatID1,ThreatID2,...ThreatIDN -ThreatIDDefaultAction_Actions Action1,Action2,...ActionN`
+
+**Note**: When a threat and corresponding action aren't specified in the
+**ThreatIDDefaultAction_Ids** and **ThreatIDDefaultAction_Actions** parameters, the action that's
+applied to the threat is based on the Security Intelligence Update (SIU). By default, no threats or
+corresponding actions are specified in the parameters.
```yaml
Type: ThreatAction[]
@@ -2016,8 +2699,46 @@ Accept wildcard characters: False
```
### -ThreatIDDefaultAction_Ids
-Specifies an array of threat IDs.
-This cmdlet modifies the default action for the threat IDs that you specify.
+
+Use the **ThreatIDDefaultAction_Ids** and **ThreatIDDefaultAction_Actions** parameters
+together in the same command to specify the actions to take on the corresponding threats.
+
+- The **ThreatIDDefaultAction_Ids** parameter identifies the threat from the output of the
+**Get-MpThreatCatalog** cmdlet. For example, the ThreatID value of the threat named
+**Trojan:Win32/BlueFire** is `3229`.
+- The **ThreatIDDefaultAction_Actions** parameter identifies the action to take on the corresponding
+threat ID. Valid values are:
+
+ • 1 or Clean
+
+ • 2 or Quarantine
+
+ • 3 or Remove
+
+ • 6 or Allow
+
+ • 8 or UserDefined
+
+ • 9 or NoAction
+
+ • 10 or Block
+
+To replace all existing values with the values you specify, use the following syntax:
+
+`Set-MpPreference -ThreatIDDefaultAction_Ids ThreatID1,ThreatID2,...ThreatIDN -ThreatIDDefaultAction_Actions Action1,Action2,...ActionN`
+
+To add values without affecting existing values, use the **Add-MPPreference** cmdlet:
+
+`Add-MpPreference -ThreatIDDefaultAction_Ids ThreatID1,ThreatID2,...ThreatIDN -ThreatIDDefaultAction_Actions Action1,Action2,...ActionN`
+
+To remove values without affecting other existing values, use the **Remove-MPPreference** cmdlet:
+
+`Remove-MpPreference -ThreatIDDefaultAction_Ids ThreatID1,ThreatID2,...ThreatIDN -ThreatIDDefaultAction_Actions Action1,Action2,...ActionN`
+
+**Note**: When a threat and corresponding action aren't specified in the
+**ThreatIDDefaultAction_Ids** and **ThreatIDDefaultAction_Actions** parameters, the action that's
+applied to the threat is based on the Security Intelligence Update (SIU). By default, no threats or
+corresponding actions are specified in the parameters.
```yaml
Type: Int64[]
@@ -2032,8 +2753,13 @@ Accept wildcard characters: False
```
### -ThrottleLimit
-Specifies the maximum number of concurrent operations that can be established to run the cmdlet.
-If this parameter is omitted or a value of `0` is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer.
+
+Specifies the maximum number of concurrent operations that can be established to run this cmdlet.
+
+A valid value is an integer from 0 to 2147483647. The default value is 0, which means PowerShell
+calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are
+running on the computer.
+
The throttle limit applies only to the current cmdlet, not to the session or to the computer.
```yaml
@@ -2049,11 +2775,11 @@ Accept wildcard characters: False
```
### -ThrottleForScheduledScanOnly
-A CPU usage limit can be applied to scheduled scans only, or to scheduled and custom scans. The default value applies a CPU usage limit to scheduled scans only.
-The acceptable values for this parameter are:
-- 1 (Default) - If you enable this setting, CPU throttling will apply only to scheduled scans.
-- 0 - If you disable this setting, CPU throttling will apply to scheduled and custom scans.
+Specifies whether a CPU usage limit applies scheduled scans only. Valid values are:
+
+- $true: CPU throttling applies only to scheduled scans. This is the default value.
+- $false: CPU throttling applies to scheduled and custom scans.
```yaml
Type: Boolean
@@ -2068,9 +2794,11 @@ Accept wildcard characters: False
```
### -UILockdown
-Indicates whether to disable UI lockdown mode.
-If you specify a value of $True, Windows Defender disables UI lockdown mode.
-If you specify $False or do not specify a value, UI lockdown mode is enabled.
+
+Specifies whether to disable UI lockdown mode. Valid values are:
+
+- $true: UI lockdown mode is disabled.
+- $false: UI lockdown mode is enabled
```yaml
Type: Boolean
@@ -2085,12 +2813,19 @@ Accept wildcard characters: False
```
### -UnknownThreatDefaultAction
-Specifies which automatic remediation action to take for an unknown level threat.
-The acceptable values for this parameter are:
-- Quarantine
-- Remove
-- Ignore
+<!---Default value is 0, which doesn't correspond to anything. If you change it, you can't change
+it back to zero. --->
+
+Specifies the automatic remediation action to take for unknown level threats. Valid values are:
+
+- 1 or Clean
+- 2 or Quarantine
+- 3 or Remove
+- 6 or Allow
+- 8 or UserDefined
+- 9 or NoAction
+- 10 or Block
```yaml
Type: ThreatAction
@@ -2121,4 +2856,3 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
[Get-MpPreference](./Get-MpPreference.md)
[Remove-MpPreference](./Remove-MpPreference.md)
-
diff --git a/docset/winserver2022-ps/smbshare/Get-SmbServerConfiguration.md b/docset/winserver2022-ps/smbshare/Get-SmbServerConfiguration.md
index b624d9e474..e114010dce 100644
--- a/docset/winserver2022-ps/smbshare/Get-SmbServerConfiguration.md
+++ b/docset/winserver2022-ps/smbshare/Get-SmbServerConfiguration.md
@@ -34,14 +34,16 @@ Get-SmbServerConfiguration
```
```output
-AnnounceComment :
+AnnounceComment :
AnnounceServer : False
AsynchronousCredits : 512
+AuditClientCertificateAccess : False
AuditSmb1Access : False
AutoDisconnectTimeout : 15
AutoShareServer : True
AutoShareWorkstation : True
CachedOpenLimit : 10
+DisableCompression : False
DisableSmbEncryptionOnSecureConnection : True
DurableHandleV2TimeoutInSeconds : 180
EnableAuthenticateUserSharing : False
@@ -53,8 +55,10 @@ EnableOplocks : True
EnableSecuritySignature : False
EnableSMB1Protocol : False
EnableSMB2Protocol : True
+EnableSMBQUIC : True
EnableStrictNameChecking : True
EncryptData : False
+EncryptionCiphers : AES_128_GCM, AES_128_CCM, AES_256_GCM, AES_256_CCM
IrpStackSize : 15
KeepAliveTime : 2
MaxChannelPerSession : 32
@@ -62,12 +66,14 @@ MaxMpxCount : 50
MaxSessionPerConnection : 16384
MaxThreadsPerQueue : 20
MaxWorkItems : 1
-NullSessionPipes :
-NullSessionShares :
+NullSessionPipes :
+NullSessionShares :
OplockBreakWait : 35
PendingClientTimeoutInSeconds : 120
RejectUnencryptedAccess : True
+RequestCompression : False
RequireSecuritySignature : False
+RestrictNamedpipeAccessViaQuic : True
ServerHidden : True
Smb2CreditsMax : 8192
Smb2CreditsMin : 512
@@ -77,9 +83,6 @@ ValidateAliasNotCircular : True
ValidateShareScope : True
ValidateShareScopeNotAliased : True
ValidateTargetName : True
-RestrictNamedpipeAccessViaQuic : True
-EnableSMBQUIC : True
-EncryptionCiphers : AES_128_GCM, AES_128_CCM, AES_256_GCM, AES_256_CCM
```
This command retrieves the SMB server configuration.
diff --git a/docset/winserver2022-ps/smbshare/Reset-SmbServerConfiguration.md b/docset/winserver2022-ps/smbshare/Reset-SmbServerConfiguration.md
index 9eda3676a4..27e3456890 100644
--- a/docset/winserver2022-ps/smbshare/Reset-SmbServerConfiguration.md
+++ b/docset/winserver2022-ps/smbshare/Reset-SmbServerConfiguration.md
@@ -17,15 +17,15 @@ Resets the Server Message Block (SMB) server configuration parameters to their d
```
Reset-SmbServerConfiguration [-All] [-AnnounceComment] [-AnnounceServer] [-AsynchronousCredits]
- [-AuditSmb1Access] [-AutoShareServer] [-AutoShareWorkstation] [-CachedOpenLimit]
- [-DisableCompression] [-DisableSmbEncryptionOnSecureConnection] [-DurableHandleV2TimeoutInSeconds]
- [-EnableDownlevelTimewarp] [-EnableLeasing] [-EnableMultiChannel] [-EnableOplocks]
- [-EnableSMB2Protocol] [-EnableSMBQUIC] [-EnableStrictNameChecking] [-EncryptData]
- [-EncryptionCiphers] [-IrpStackSize] [-KeepAliveTime] [-MaxChannelPerSession] [-MaxMpxCount]
- [-MaxSessionPerConnection] [-MaxThreadsPerQueue] [-MaxWorkItems] [-NullSessionShares]
- [-OplockBreakWait] [-PendingClientTimeoutInSeconds] [-RejectUnencryptedAccess]
- [-RequestCompression] [-RestrictNamedpipeAccessViaQuic] [-ServerHidden] [-Smb2CreditsMax]
- [-Smb2CreditsMin] [-SmbServerNameHardeningLevel] [-TreatHostAsStableStorage]
+ [-AuditClientCertificateAccess] [-AuditSmb1Access] [-AutoShareServer] [-AutoShareWorkstation]
+ [-CachedOpenLimit] [-DisableCompression] [-DisableSmbEncryptionOnSecureConnection]
+ [-DurableHandleV2TimeoutInSeconds] [-EnableDownlevelTimewarp] [-EnableLeasing]
+ [-EnableMultiChannel] [-EnableOplocks] [-EnableSMB2Protocol] [-EnableSMBQUIC]
+ [-EnableStrictNameChecking] [-EncryptData] [-EncryptionCiphers] [-IrpStackSize] [-KeepAliveTime]
+ [-MaxChannelPerSession] [-MaxMpxCount] [-MaxSessionPerConnection] [-MaxThreadsPerQueue]
+ [-MaxWorkItems] [-NullSessionShares] [-OplockBreakWait] [-PendingClientTimeoutInSeconds]
+ [-RejectUnencryptedAccess] [-RequestCompression] [-RestrictNamedpipeAccessViaQuic] [-ServerHidden]
+ [-Smb2CreditsMax] [-Smb2CreditsMin] [-SmbServerNameHardeningLevel] [-TreatHostAsStableStorage]
[-ValidateAliasNotCircular] [-ValidateShareScope] [-ValidateShareScopeNotAliased]
[-ValidateTargetName] [-Force] [-CimSession <CimSession[]>] [-ThrottleLimit <Int32>] [-AsJob]
[-WhatIf] [-Confirm] [<CommonParameters>]
@@ -144,6 +144,25 @@ Accept pipeline input: False
Accept wildcard characters: False
```
+### -AuditClientCertificateAccess
+
+Resets the SMB over QUIC client access control audit events to its default value.
+
+> [!NOTE]
+> Devices running Windows 11 version 22H2 and earlier may not have access to this parameter.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
### -AuditSmb1Access
Resets the auditing of SMB version 1 protocol behavior to its default value.
diff --git a/docset/winserver2022-ps/smbshare/Set-SmbServerConfiguration.md b/docset/winserver2022-ps/smbshare/Set-SmbServerConfiguration.md
index b97240eb0b..7806d604a7 100644
--- a/docset/winserver2022-ps/smbshare/Set-SmbServerConfiguration.md
+++ b/docset/winserver2022-ps/smbshare/Set-SmbServerConfiguration.md
@@ -2,7 +2,7 @@
description: Use this topic to help manage Windows and Windows Server technologies with Windows PowerShell.
external help file: SmbServerConfiguration.cdxml-help.xml
Module Name: SmbShare
-ms.date: 10/20/2022
+ms.date: 02/22/2024
online version: /powershell/module/smbshare/set-smbserverconfiguration?view=windowsserver2022-ps&wt.mc_id=ps-gethelp
schema: 2.0.0
title: Set-SmbServerConfiguration
@@ -17,26 +17,26 @@ Sets the Server Message Block (SMB) server configuration.
```
Set-SmbServerConfiguration [-AnnounceComment <String>] [-AnnounceServer <Boolean>]
- [-AsynchronousCredits <UInt32>] [-AuditSmb1Access <Boolean>] [-AutoDisconnectTimeout <UInt32>]
- [-AutoShareServer <Boolean>] [-AutoShareWorkstation <Boolean>] [-CachedOpenLimit <UInt32>]
- [-DisableCompression <Boolean>] [-DisableSmbEncryptionOnSecureConnection <Boolean>]
- [-DurableHandleV2TimeoutInSeconds <UInt32>] [-EnableAuthenticateUserSharing <Boolean>]
- [-EnableDownlevelTimewarp <Boolean>] [-EnableForcedLogoff <Boolean>] [-EnableLeasing <Boolean>]
- [-EnableMultiChannel <Boolean>] [-EnableOplocks <Boolean>] [-EnableSecuritySignature <Boolean>]
- [-EnableSMB1Protocol <Boolean>] [-EnableSMB2Protocol <Boolean>] [-EnableSMBQUIC <Boolean>]
- [-EnableStrictNameChecking <Boolean>] [-EncryptData <Boolean>] [-EncryptionCiphers <String>]
- [-IrpStackSize <UInt32>] [-KeepAliveTime <UInt32>] [-MaxChannelPerSession <UInt32>]
- [-MaxMpxCount <UInt32>] [-MaxSessionPerConnection <UInt32>] [-MaxThreadsPerQueue <UInt32>]
- [-MaxWorkItems <UInt32>] [-NullSessionPipes <String>] [-NullSessionShares <String>]
- [-OplockBreakWait <UInt32>] [-PendingClientTimeoutInSeconds <UInt32>]
- [-RejectUnencryptedAccess <Boolean>] [-RequestCompression <Boolean>]
- [-RequireSecuritySignature <Boolean>] [-RestrictNamedpipeAccessViaQuic <Boolean>]
- [-ServerHidden <Boolean>] [-Smb2CreditsMax <UInt32>] [-Smb2CreditsMin <UInt32>]
- [-SmbServerNameHardeningLevel <UInt32>] [-TreatHostAsStableStorage <Boolean>]
- [-ValidateAliasNotCircular <Boolean>] [-ValidateShareScope <Boolean>]
- [-ValidateShareScopeNotAliased <Boolean>] [-ValidateTargetName <Boolean>] [-Force]
- [-CimSession <CimSession[]>] [-ThrottleLimit <Int32>] [-AsJob] [-WhatIf] [-Confirm]
- [<CommonParameters>]
+ [-AsynchronousCredits <UInt32>] [-AuditClientCertificateAccess <Boolean>]
+ [-AuditSmb1Access <Boolean>] [-AutoDisconnectTimeout <UInt32>] [-AutoShareServer <Boolean>]
+ [-AutoShareWorkstation <Boolean>] [-CachedOpenLimit <UInt32>] [-DisableCompression <Boolean>]
+ [-DisableSmbEncryptionOnSecureConnection <Boolean>] [-DurableHandleV2TimeoutInSeconds <UInt32>]
+ [-EnableAuthenticateUserSharing <Boolean>] [-EnableDownlevelTimewarp <Boolean>]
+ [-EnableForcedLogoff <Boolean>] [-EnableLeasing <Boolean>] [-EnableMultiChannel <Boolean>]
+ [-EnableOplocks <Boolean>] [-EnableSecuritySignature <Boolean>] [-EnableSMB1Protocol <Boolean>]
+ [-EnableSMB2Protocol <Boolean>] [-EnableSMBQUIC <Boolean>] [-EnableStrictNameChecking <Boolean>]
+ [-EncryptData <Boolean>] [-EncryptionCiphers <String>] [-IrpStackSize <UInt32>]
+ [-KeepAliveTime <UInt32>] [-MaxChannelPerSession <UInt32>] [-MaxMpxCount <UInt32>]
+ [-MaxSessionPerConnection <UInt32>] [-MaxThreadsPerQueue <UInt32>] [-MaxWorkItems <UInt32>]
+ [-NullSessionPipes <String>] [-NullSessionShares <String>] [-OplockBreakWait <UInt32>]
+ [-PendingClientTimeoutInSeconds <UInt32>] [-RejectUnencryptedAccess <Boolean>]
+ [-RequestCompression <Boolean>] [-RequireSecuritySignature <Boolean>]
+ [-RestrictNamedpipeAccessViaQuic <Boolean>] [-ServerHidden <Boolean>] [-Smb2CreditsMax <UInt32>]
+ [-Smb2CreditsMin <UInt32>] [-SmbServerNameHardeningLevel <UInt32>]
+ [-TreatHostAsStableStorage <Boolean>] [-ValidateAliasNotCircular <Boolean>]
+ [-ValidateShareScope <Boolean>] [-ValidateShareScopeNotAliased <Boolean>]
+ [-ValidateTargetName <Boolean>] [-Force] [-CimSession <CimSession[]>] [-ThrottleLimit <Int32>]
+ [-AsJob] [-WhatIf] [-Confirm] [<CommonParameters>]
```
## DESCRIPTION
@@ -184,6 +184,25 @@ Accept pipeline input: False
Accept wildcard characters: False
```
+### -AuditClientCertificateAccess
+
+Enables SMB over QUIC client access control audit events. There are three possible events: access
+allowed, access denied, and error. The access allowed and access denied events list properties of
+the client certificate chain and any allow and deny access control entries that apply to the
+client certificates.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
### -AuditSmb1Access
Enables auditing of SMB version 1 protocol in Windows Event Log.