When Microsoft Defender Antivirus runs a scan, it attempts to remediate or remove threats that are detected. Remediation actions can include removing a file, sending it to quarantine, or allowing it to remain. This article includes information and links to resources about specifying what actions should be taken when threats are detected on devices. You can choose from several methods, such as:
Important
Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
If you are certain Microsoft Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See Restore quarantined files in Microsoft Defender Antivirus. To avoid this problem in the future, you can exclude files from the scans. See Configure and validate exclusions for Microsoft Defender Antivirus scans.
Also see Schedule regular quick and full scans with Microsoft Defender Antivirus for more remediation-related settings.
Prerequisites
Supported operating systems
- Windows
Configure remediation options using Intune
- As a global or security administrator, go to the Intune admin center and sign in. 
- Under Manage, choose Antivirus. 
- Either create a new policy, or edit an existing policy using the following settings:
  - Platform: Windows 10, Windows 11, and Windows Server
  - Profile: Microsoft Defender Antivirus
- For configuration settings, expand Defender, scroll down to Allow On Access Protection, and set it to Allowed.
- Under Allow On Access Protection, select a remediation action for each level:
  - High severity threats
  - Severe threats
  - Moderate severity threats
  - Low severity threats
- Specify the device groups that should receive this policy (such as All Devices). 
- Review your settings, and then choose Save. 
For more information about antivirus policies in Intune, see Antivirus policy for endpoint security in Intune.
Configure remediation options using Configuration Manager
If you're using Configuration Manager, see the following articles:
Configure remediation options using Group Policy
- On your Group Policy management computer, open the Group Policy Management Console, and edit the Group Policy Object you want to configure. 
- In the Group Policy Management Editor, go to Computer configuration and then select Administrative templates. 
- Expand the tree to Windows components > Microsoft Defender Antivirus. 
- Using the following table, edit the policy as needed.

| Setting | Description | Default setting (if not configured) |
|---|---|---|
| Scan > Create a system restore point | A system restore point is created each day before cleaning or scanning is attempted. | Disabled |
| Scan > Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history. | 30 days |
| Root > Turn off routine remediation | Specify whether Microsoft Defender Antivirus automatically remediates threats, or whether to prompt the user. | Disabled. Threats are remediated automatically. |
| Quarantine > Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed. | 90 days |
| Threats > Specify threat alert levels at which default action shouldn't be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored). | Not applicable |
| Threats > Specify threats upon which default action shouldn't be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored. | Not applicable |
- Select OK. 
Configure remediation options using PowerShell or WMI
You can also use the Set-MpPreference PowerShell cmdlet or MSFT_MpPreference WMI class to configure these settings.
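As an added example (not code from this article), the following script applies the per-severity actions and retention periods described above with Set-MpPreference, then reads them back through Get-MpPreference and the MSFT_MpPreference CIM class to confirm they took effect. The action choices are assumptions for the example, and the numeric action codes used for verification are taken from the MSFT_MpPreference documentation.

```powershell
# Added example, not code from the Microsoft Learn article. Run in an elevated
# PowerShell session on Windows with Microsoft Defender Antivirus active.
#Requires -RunAsAdministrator

# Get-MpPreference reports the *ThreatDefaultAction settings as numbers
# (ThreatAction enumeration of MSFT_MpPreference): Quarantine = 2, Remove = 3.
# Only the two values used below are mapped; see Get-Help Set-MpPreference for the rest.
$actionCode = @{ Quarantine = 2; Remove = 3 }

# Per-severity actions, mirroring the four Intune severity levels above.
# These particular choices are an assumption for this example, not a Microsoft recommendation.
$actions = @{
    SevereThreatDefaultAction   = 'Remove'
    HighThreatDefaultAction     = 'Quarantine'
    ModerateThreatDefaultAction = 'Quarantine'
    LowThreatDefaultAction      = 'Quarantine'
}

# Retention periods match the Group Policy defaults in the table above.
$retention = @{
    QuarantinePurgeItemsAfterDelay = 90      # days quarantined items are kept
    ScanPurgeItemsAfterDelay       = 30      # days scan history items are kept
    DisableRestorePoint            = $false  # keep the daily restore point before scans
}

Set-MpPreference @actions @retention

# Verify what the engine now reports against what was requested. A mismatch
# usually means Group Policy or Intune is enforcing a different value.
$current  = Get-MpPreference
$problems = @()
foreach ($name in $actions.Keys) {
    if ([int]$current.$name -ne $actionCode[$actions[$name]]) {
        $problems += "$name is $($current.$name), expected $($actions[$name])"
    }
}
foreach ($name in $retention.Keys) {
    if ($current.$name -ne $retention[$name]) {
        $problems += "$name is $($current.$name), expected $($retention[$name])"
    }
}

# The same settings as seen through WMI/CIM, which non-PowerShell tooling queries.
Get-CimInstance -Namespace 'root/Microsoft/Windows/Defender' -ClassName MSFT_MpPreference |
    Select-Object SevereThreatDefaultAction, HighThreatDefaultAction,
        ModerateThreatDefaultAction, LowThreatDefaultAction,
        QuarantinePurgeItemsAfterDelay, ScanPurgeItemsAfterDelay, DisableRestorePoint

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'Remediation preferences applied as requested.' }
```

Settings delivered by Group Policy or Intune take precedence over local Set-MpPreference changes, so treat a reported mismatch as a signal to check the management source rather than to retry the cmdlet.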
See also
- Microsoft Defender for Endpoint on Mac
- Microsoft Defender for Endpoint on Linux
- Configure Defender for Endpoint on Android features
- Configure Microsoft Defender for Endpoint on iOS features
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.