From fb897f333df8dade427c2ee7fe9a953204d588c7 Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Tue, 28 Apr 2026 18:52:09 -0700 Subject: [PATCH 1/2] Threat remediation action updates Per high viz request. --- .../Defender/Remove-MpPreference.md | 24 ++-- .../Defender/Set-MpPreference.md | 113 ++++++++++++------ 2 files changed, 87 insertions(+), 50 deletions(-) diff --git a/docset/winserver2025-ps/Defender/Remove-MpPreference.md b/docset/winserver2025-ps/Defender/Remove-MpPreference.md index 76a1e0dcb5..599f09b127 100644 --- a/docset/winserver2025-ps/Defender/Remove-MpPreference.md +++ b/docset/winserver2025-ps/Defender/Remove-MpPreference.md @@ -1530,19 +1530,17 @@ Accept wildcard characters: False ``` ### -ThreatIDDefaultAction_Actions -Specifies an array of the actions to take for the IDs specified by using the **ThreatIDDefaultAction_Ids** parameter. -The acceptable values for this parameter are: - -- 1: Clean -- 2: Quarantine -- 3: Remove -- 6: Allow -- 8: UserDefined -- 9: NoAction -- 10: Block - ->[!NOTE] ->A value of 0 (NULL) applies an action based on the Security Intelligence Update (SIU). This is the default value. +Specifies an array of the actions to remove for the IDs specified by using the **ThreatIDDefaultAction_Ids** parameter. +Valid values are: + +- Clean +- Quarantine +- Remove +- Allow +- UserDefined +- NoAction +- Block +- None ```yaml Type: ThreatAction[] diff --git a/docset/winserver2025-ps/Defender/Set-MpPreference.md b/docset/winserver2025-ps/Defender/Set-MpPreference.md index 108bb47954..2717cbdf50 100644 --- a/docset/winserver2025-ps/Defender/Set-MpPreference.md +++ b/docset/winserver2025-ps/Defender/Set-MpPreference.md 
@@ -72,20 +72,30 @@ Set-MpPreference [-ExclusionPath ] [-ExclusionExtension ] [- The **Set-MpPreference** cmdlet configures preferences for Windows Defender scans and updates. You can modify exclusion file name extensions, paths, or processes, and specify the default action for high, moderate, and low threat levels. -**REMEDIATION VALUES** +**REMEDIATION VALUES**: The following table provides remediation action values for detected threats at low, medium, high, and severe alert levels. -|Value |Action | -|------|-------------------------------------------------------------------------| -|1 |Clean the detected threat. | -|2 |Quarantine the detected threat. | -|3 |Remove the detected threat. | -|6 |Allow the detected threat. | -|8 |Allow the user to determine the action to take with the detected threat. | -|9 |Don't take any action. | -|10 |Block the detected threat. | -|0 | (NULL)|Apply action based on the Security Intelligence Update (SIU). This is the default value. | +|Value|Action| +|---|---| +|0 (NULL)|Apply action based on the Security Intelligence Update (SIU). This value is the default value.| +|1|Clean the detected threat.| +|2|Quarantine the detected threat.| +|3|Remove the detected threat.| +|6|Allow the detected threat.| +|8|Allow the user to determine the action to take with the detected threat.| +|9|Don't take any action.| +|10|Block the detected threat.| +|11|No remediation action is taken, but detection events and alerts continue to be generated.| + +> [!WARNING] +> **Non-remediating threat actions:** Actions **Allow (6)**, **NoAction (9)**, and **None (11)** don't remediate detected threats. **Allow (6)** suppresses ongoing detection events, while **None (11)** continues to generate alerts and Protection History entries. **Allow (6)** and **None (11)** can't be configured when [tamper protection](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) is enabled. 
Use these settings only in specialized environments (for example, industrial control systems or critical infrastructure) where: +> +> - Automatic remediation isn't practical for operations. +> - Other procedures exist to respond to detected threats. +> - Compensating security controls are deployed. +> +> Use standard remediation actions (Clean, Quarantine, or Remove) in all other environments. ## EXAMPLES @@ -1021,17 +1031,23 @@ Accept wildcard characters: False ### -HighThreatDefaultAction Specifies which automatic remediation action to take for a high level threat. -The acceptable values for this parameter are: +Valid values are: +- Clean - Quarantine - Remove -- Ignore +- Allow +- UserDefined +- NoAction +- Block +- None + +See the [Description](#description) section for important information about these values. ```yaml Type: ThreatAction Parameter Sets: (All) Aliases: htdefac -Accepted values: Clean, Quarantine, Remove, Allow, UserDefined, NoAction, Block Required: False Position: Named @@ -1062,17 +1078,23 @@ Accept wildcard characters: False ### -LowThreatDefaultAction Specifies which automatic remediation action to take for a low level threat. -The acceptable values for this parameter are: +Valid values are: +- Clean - Quarantine - Remove -- Ignore +- Allow +- UserDefined +- NoAction +- Block +- None + +See the [Description](#description) section for important information about these values. ```yaml Type: ThreatAction Parameter Sets: (All) Aliases: ltdefac -Accepted values: Clean, Quarantine, Remove, Allow, UserDefined, NoAction, Block Required: False Position: Named 
@@ -1131,17 +1153,23 @@ Accept wildcard characters: False ### -ModerateThreatDefaultAction Specifies which automatic remediation action to take for a moderate level threat. -The acceptable values for this parameter are: +Valid values are: +- Clean - Quarantine - Remove -- Ignore +- Allow +- UserDefined +- NoAction +- Block +- None + +See the [Description](#description) section for important information about these values. ```yaml Type: ThreatAction Parameter Sets: (All) Aliases: mtdefac -Accepted values: Clean, Quarantine, Remove, Allow, UserDefined, NoAction, Block Required: False Position: Named @@ -1602,17 +1630,23 @@ Accept wildcard characters: False ### -SevereThreatDefaultAction Specifies which automatic remediation action to take for a severe level threat. -The acceptable values for this parameter are: +Valid values are: +- Clean - Quarantine - Remove -- Ignore +- Allow +- UserDefined +- NoAction +- Block +- None + +See the [Description](#description) section for important information about these values. ```yaml Type: ThreatAction Parameter Sets: (All) Aliases: stdefac -Accepted values: Clean, Quarantine, Remove, Allow, UserDefined, NoAction, Block Required: False Position: Named 
@@ -1898,24 +1932,23 @@ Accept wildcard characters: False ### -ThreatIDDefaultAction_Actions Specifies an array of the actions to take for the IDs specified by using the **ThreatIDDefaultAction_Ids** parameter. -The acceptable values for this parameter are: +Valid values are: -- 1: Clean -- 2: Quarantine -- 3: Remove -- 6: Allow -- 8: UserDefined -- 9: NoAction -- 10: Block +- Clean +- Quarantine +- Remove +- Allow +- UserDefined +- NoAction +- Block +- None ->[!NOTE] ->A value of 0 (NULL) applies an action based on the Security Intelligence Update (SIU). This is the default value. +See the [Description](#description) section for important information about these values. ```yaml Type: ThreatAction[] Parameter Sets: (All) Aliases: tiddefaca -Accepted values: Clean, Quarantine, Remove, Allow, UserDefined, NoAction, Block Required: False Position: Named @@ -1995,17 +2028,23 @@ Accept wildcard characters: False ### -UnknownThreatDefaultAction Specifies which automatic remediation action to take for an unknown level threat. -The acceptable values for this parameter are: +Valid values are: +- Clean - Quarantine - Remove -- Ignore +- Allow +- UserDefined +- NoAction +- Block +- None + +See the [Description](#description) section for important information about these values. ```yaml Type: ThreatAction Parameter Sets: (All) Aliases: unktdefac -Accepted values: Clean, Quarantine, Remove, Allow, UserDefined, NoAction, Block Required: False Position: Named From af7032c58a15b071dfa545b7e94543a478268cb1 Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Tue, 28 Apr 2026 19:07:11 -0700 Subject: [PATCH 2/2] ThreatDefaultActions --- .../Defender/Remove-MpPreference.md | 2 +- .../Defender/Set-MpPreference.md | 20 +++++++++---------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/docset/winserver2025-ps/Defender/Remove-MpPreference.md b/docset/winserver2025-ps/Defender/Remove-MpPreference.md index 599f09b127..6f6c39caf0 100644 
--- a/docset/winserver2025-ps/Defender/Remove-MpPreference.md +++ b/docset/winserver2025-ps/Defender/Remove-MpPreference.md @@ -1530,7 +1530,7 @@ Accept wildcard characters: False ``` ### -ThreatIDDefaultAction_Actions -Specifies an array of the actions to remove for the IDs specified by using the **ThreatIDDefaultAction_Ids** parameter. +Specifies an array of actions to remove for the threat IDs specified by using the **ThreatIDDefaultAction_Ids** parameter. Valid values are: - Clean diff --git a/docset/winserver2025-ps/Defender/Set-MpPreference.md b/docset/winserver2025-ps/Defender/Set-MpPreference.md index 2717cbdf50..3082d74af4 100644 --- a/docset/winserver2025-ps/Defender/Set-MpPreference.md +++ b/docset/winserver2025-ps/Defender/Set-MpPreference.md 
@@ -78,18 +78,18 @@ The following table provides remediation action values for detected threats at l |Value|Action| |---|---| -|0 (NULL)|Apply action based on the Security Intelligence Update (SIU). This value is the default value.| -|1|Clean the detected threat.| -|2|Quarantine the detected threat.| -|3|Remove the detected threat.| -|6|Allow the detected threat.| -|8|Allow the user to determine the action to take with the detected threat.| -|9|Don't take any action.| -|10|Block the detected threat.| -|11|No remediation action is taken, but detection events and alerts continue to be generated.| +|0 (not configurable)|Apply action based on the Security Intelligence Update (SIU). This value is the default.| +|Clean (1)|Clean the detected threat.| +|Quarantine (2)|Quarantine the detected threat.| +|Remove (3)|Remove the detected threat.| +|Allow (6)|Allow the detected threat.| +|UserDefined (8)|Allow the user to determine the action to take with the detected threat.| +|NoAction (9)|Don't take any action.| +|Block (10)|Block the detected threat.| +|None (11)|No remediation action is taken, but detection events and alerts continue to be generated.| > [!WARNING] -> **Non-remediating threat actions:** Actions **Allow (6)**, **NoAction (9)**, and **None (11)** don't remediate detected threats. **Allow (6)** suppresses ongoing detection events, while **None (11)** continues to generate alerts and Protection History entries. **Allow (6)** and **None (11)** can't be configured when [tamper protection](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) is enabled. Use these settings only in specialized environments (for example, industrial control systems or critical infrastructure) where: +> **Non-remediating threat actions:** Actions **Allow (6)**, **NoAction (9)**, and **None (11)** don't remediate detected threats. **Allow (6)** suppresses ongoing detection events, while **None (11)** continues to generate alerts and Protection History entries. 
**Allow (6)** and **None (11)** can't be configured when [tamper protection](https://learn.microsoft.com/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) is enabled. Use these settings only in specialized environments (for example, industrial control systems or critical infrastructure) where: > > - Automatic remediation isn't practical for operations. > - Other procedures exist to respond to detected threats.
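Review bot: In the Remove-MpPreference `-ThreatIDDefaultAction_Actions` hunk of patch 1, dropping the `1: Clean` … `10: Block` codes and the `0 (NULL)` note removes the only place on that page that mapped the enum names to their numeric values and said what applies once an entry is cleared. Since the Set-MpPreference description gains a value table in the same patch, consider linking to it from here (or keeping a one-line note that a removed ID falls back to the SIU default, value 0) so the two pages don't drift apart.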
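Review bot: The remediation table added to the Set-MpPreference description in patch 1 doesn't let a reader tell NoAction (9) apart from None (11): row 9 says "Don't take any action" and row 11 says no remediation is taken but detection events and alerts continue, so it's unclear whether 9 also suppresses detection events the way the warning says Allow (6) does. Suggest stating in row 9 what happens to detection events and alerts. The warning below the table has the same gap: it names three non-remediating actions but the tamper-protection restriction covers only Allow (6) and None (11), so say explicitly whether NoAction (9) can be set while tamper protection is enabled.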
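Review bot: The `-Accepted values: Clean, Quarantine, Remove, Allow, UserDefined, NoAction, Block` line in the yaml block is deleted rather than updated in the `-HighThreatDefaultAction` hunk, and identically in the `-LowThreatDefaultAction`, `-ModerateThreatDefaultAction`, `-SevereThreatDefaultAction`, `-ThreatIDDefaultAction_Actions`, and `-UnknownThreatDefaultAction` hunks of patch 1. That line is the structured parameter metadata the page's yaml blocks carry for every parameter; since the new bullet list adds None, the smaller and more consistent change is `Accepted values: Clean, Quarantine, Remove, Allow, UserDefined, NoAction, Block, None`. Replacing the old `- Ignore` bullet, which never matched the yaml metadata, with the full enum list is the right fix.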
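Review bot: In the first row of the table revised in patch 2, `0 (not configurable)` sits in the Value column beside "This value is the default", which reads as a contradiction: the parameter sections list only Clean through None as valid values, so a reader can't tell how a configured action is returned to the SIU default. Suggest stating that 0 isn't accepted by Set-MpPreference and, if that's the intended path, that clearing the setting with Remove-MpPreference (edited in the same series) restores it. Separately, the tamper-protection link changes from the site-relative `/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection` form introduced in patch 1 to an absolute `https://learn.microsoft.com/...` URL; confirm that's intended rather than an accidental paste of the rendered address.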