windowsdefender

Table of Contents

1. Description
2. Requirements
3. Usage
4. Troubleshooting

Description

This is an auto-generated module, using the Puppet DSC Builder to vendor and expose the windowsdefender PowerShell module's DSC resources as Puppet resources. The functionality of this module comes entirely from the vendored PowerShell resources, which are pinned at v1.0.0.4. The PowerShell module describes itself like this:

Windows Defender module allows you to configure Windows Defender settings.

For information on troubleshooting to determine whether any encountered problems are with the Puppet wrapper or the DSC resource, see the troubleshooting section below.

Requirements

This module, like all auto-generated Puppetized DSC modules, relies on two important technologies in the Puppet stack: the Puppet Resource API and the puppetlabs/pwshlib Puppet module.

The Resource API provides a simplified option for writing types and providers and is responsible for how this module is structured. The Resource API ships inside of Puppet starting with version 6. While it is technically possible to add the Resource API functionality to Puppet 5.5.x, the DSC functionality has not been tested in this setup. For more information on the Resource API, review the documentation.

The module also depends on the pwshlib module. This Puppet module includes two important things: the ruby-pwsh library for running PowerShell code from ruby and the base provider for DSC resources, which this module leverages.

All of the actual work being done to call the DSC resources vendored with this module is in this file from the pwshlib module. This is important for troubleshooting and bug reporting, but doesn't impact your use of the module except that the end result will be that nothing works, as the dependency is not installed alongside this module!

Long File Path Support

Several PowerShell modules with DSC Resources end up with very long file paths once vendored, many of which exceed the 260 character limit for file paths. Luckily in Windows 10 (build 1607+), Windows Server 2016 (build 1607+), and Windows Server 2019 there is now an option for supporting long file paths transparently!

We strongly recommend enabling long file path support on any machines using this module to avoid path length issues.

You can set this value using the Puppet registry_value resource:

registry_value { 'HKLM\System\CurrentControlSet\Control\FileSystem\LongPathsEnabled':
  ensure   => 'present',
  data     => [1],
  provider => 'registry',
  type     => 'dword',
}

You can also set this value outside of Puppet by following the Microsoft documentation.

Usage

You can specify any of the DSC resources from this module like a normal Puppet resource in your manifests. The examples below use DSC resources from from the PowerShellGet repository, regardless of what module you're looking at here; the syntax, not the specifics, is what's important.

For reference documentation about the DSC resources exposed in this module, see the Reference Forge tab, or the REFERENCE.md file.

# Include a meaningful title for your resource declaration
dsc_psrepository { 'Add team module repo':
    dsc_name               => 'foo',
    dsc_ensure             => present,
    # This location is nonsense, can be any valid folder on your
    # machine or in a share, any location the SourceLocation param
    # for the DSC resource will accept.
    dsc_sourcelocation     => 'C:\Program Files',
    # You must always pass an enum fully lower-cased;
    # Puppet is case sensitive even when PowerShell isn't
    dsc_installationpolicy => untrusted,
}

dsc_psrepository { 'Trust public gallery':
    dsc_name               => 'PSGallery',
    dsc_ensure             => present,
    dsc_installationpolicy => trusted,
}

dsc_psmodule { 'Make Ruby manageable via uru':
  dsc_name   => 'RubyInstaller',
  dsc_ensure => present,
}

Credentials

Credentials are always specified as a hash of the username and password for the account. The password must use the Puppet Sensitive type; this ensures that logs and reports redact the password, displaying it instead as <Sensitive [value redacted]>.

dsc_psrepository { 'PowerShell Gallery':
  dsc_name                 => 'psgAllery',
  dsc_installationpolicy   => 'Trusted',
  dsc_psdscrunascredential => {
    user     => 'apple',
    password => Sensitive('foobar'),
  },
}

Class-Based Resources

Class-based DSC Resources can be used like any other DSC Resource in this module, with one important note: Due to a bug in calling class-based DSC Resources by path instead of module name, each call to Invoke-DscResource needs to temporarily munge the system-level environment variable for PSModulePath; the variable is reset prior to the end of each invocation.

CIM Instances

Because the CIM instances for DSC resources are fully mapped, the types actually explain fairly precisely what the shape of each CIM instance has to be - and, moreover, the type definition means that you get checking at catalog compile time. Puppet parses CIM instances are structured hashes (or arrays of structured hashes) that explicitly declare their keys and the valid types of values for each key.

So, for the dsc_accesscontrolentry property of the dsc_ntfsaccessentry type, which has a MOF type of NTFSAccessControlList[], Puppet defines the CIM instance as:

Array[Struct[{
  accesscontrolentry => Array[Struct[{
    accesscontroltype => Enum['Allow', 'Deny'],
    inheritance => Enum['This folder only', 'This folder subfolders and files', 'This folder and subfolders', 'This folder and files', 'Subfolders and files only', 'Subfolders only', 'Files only'],
    ensure => Enum['Present', 'Absent'],
    cim_instance_type => 'NTFSAccessControlEntry',
    filesystemrights => Array[Enum['AppendData', 'ChangePermissions', 'CreateDirectories', 'CreateFiles', 'Delete', 'DeleteSubdirectoriesAndFiles', 'ExecuteFile', 'FullControl', 'ListDirectory', 'Modify', 'Read', 'ReadAndExecute', 'ReadAttributes', 'ReadData', 'ReadExtendedAttributes', 'ReadPermissions', 'Synchronize', 'TakeOwnership', 'Traverse', 'Write', 'WriteAttributes', 'WriteData', 'WriteExtendedAttributes']]
  }]],
  forceprincipal => Optional[Boolean],
  principal => Optional[String],
}]]

A valid example of that in a puppet manifest looks like this:

dsc_accesscontrollist => [
  {
    accesscontrolentry => [
      {
        accesscontroltype => 'Allow',
        inheritance       => 'This folder only',
        ensure            => 'Present',
        filesystemrights  => 'ChangePermissions',
        cim_instance_type => 'NTFSAccessControlEntry',
      },
    ],
    principal          => 'veryRealUserName',
  },
]

For more information about using a built module, check out our narrative documentation.

Properties

Note that the only properties specified in a resource declaration which are passed to Invoke-Dsc are all prepended with dsc. If a property does _not start with dsc_ it is used to control how Puppet interacts with DSC/other Puppet resources - for example, specifying a unique name for the resource for Puppet to distinguish between declarations or Puppet metaparameters (notifies, before, etc).

Validation Mode

By default, these resources use the property validation mode, which checks whether or not the resource is in the desired state the same way most Puppet resources are validated; by comparing the properties returned from the system with those specified in the manifest. Sometimes, however, this is insufficient; many DSC Resources return data that does not compare properly to the desired state (some are missing properties, others are malformed, some simply cannot be strictly compared). In these cases, you can set the validation mode to resource, which falls back on calling Invoke-DscResource with the Test method and trusts that result.

When using the resource validation mode, the resource is tested once and will then treat all properties of that resource as in sync (if the result returned true) or not in sync. This loses the granularity of change reporting for the resource but prevents flapping and unexpected behavior.

# This will flap because the DSC resource never returns name in SecurityPolicyDsc v2.10.0.0
dsc_securityoption { 'Enforce Anonoymous SID Translation':
  dsc_name => 'Enforce Anonymous SID Translation',
  dsc_network_access_allow_anonymous_sid_name_translation => 'Disabled',
}

# This will idempotently apply
dsc_psrepository { 'PowerShell Gallery':
  validation_mode => 'resource',
  dsc_name        => 'Enforce Anonymous SID Translation',
  dsc_network_access_allow_anonymous_sid_name_translation => 'Disabled',
}

It is important to note that this feature is only supported with a version of puppetlabs-pwshlib equal to or higher than 0.9.0, in which the supporting code for the DSC Base Provider to implement custom insync was shipped.

Finally, while this module's metadata says that the supported Puppet versions are 6.0.0 and up, the implementation of the validation_mode parameter relies on the custom_insync feature of the Puppet Resource API. The custom_insync feature first shipped in the puppet-resource_api version 1.8.14, which itself is only included in Puppet versions equal to or newer than 6.23.0 and 7.8.0 for the 6x and 7x platforms respectively. Using this module against older Puppet versions will result in a warning (example below) and only use the default property-by-property change reporting, regardless of the setting of validation_mode.

Warning: Unknown feature detected: ["custom_insync"]

Troubleshooting

In general, there are three broad categories of problems:

1. Problems with the way the underlying DSC resource works.
2. Problems with the type definition, where you can't specify a valid set of properties for the DSC resource
3. Problems with calling the underlying DSC resource - the parameters aren't being passed correctly or the resource can't be found

Unfortunately, problems with the way the underlying DSC resource works are something we can't help directly with. You'll need to file an issue with the upstream maintainers for the PowerShell module.

Problems with the type definition are when a value that should be valid according to the DSC resource's documentation and code is not accepted by the Puppet wrapper. If and when you run across one of these, please file an issue with the Puppet DSC Builder; this is where the conversion happens and once we know of a problem we can fix it and regenerate the Puppet modules. To help us identify the issue, please specify the DSC module, version, resource, property and values that are giving you issues. Once a fix is available we will regenerate and release updated versions of this Puppet wrapper.

Problems with calling the underlying DSC resource become apparent by comparing <value passed in in puppet> with <value received by DSC>. In this case, please file an issue with the puppetlabs/pwshlib module, which is where the DSC base provider actually lives. We'll investigate and prioritize a fix and update the puppetlabs/pwshlib module. Updating to the pwshlib version with the fix will immediately take advantage of the improved functionality without waiting for this module to be reconverted and published.

For specific information on troubleshooting a generated module, check the troubleshooting guide for the puppet.dsc module.

Known Limitations

Currently, because of the way Puppet caches files on agents, use of the legacy puppetlabs-dsc module is not compatible with this or any auto-generated DSC module. Inclusion of both will lead to pluginsync conflicts.

Right now, if you have the same version of a PowerShell module with class-based DSC Resources in your PSModulePath as vendored in a Puppetized DSC Module, you cannot use those class-based DSC Resources from inside of Puppet due to a bug in DSC which prevents using a module by path reference instead of name. Instead, DSC will see that there are two DSC Resources for the same module and version and then error out.

Configuring the LCM

In order for a Puppetized DSC module to function, the DSC Local Configuration Manager (LCM) RefreshMode must be set to either Push or Disabled. The default value for RefreshMode in WMF 5.0 and WMF 5.1 is Push - so if it has not been set to anything else then there is no action needed on your part. However if the value of the LCM has been set to anything other than Push then the module will not function and so the value must either be changed back or disabled.

The Puppetized DSC modules use the Invoke-DscResource cmdlet to invoke DSC Resources of the target machine. If the RefreshMode is set to Pull, DSC Resources will only run from a DSC Pull Server - in this setting DSC does not allow any DSC Resources to be run interactively on the host.

Module Installation

If you're using this module with Puppet Enterprise and Code Manager, everything should "just work" - no errors or issues acquiring and deploying this or any Puppetized DSC module to nodes.

Unfortunately, due a bug in minitar which prevents it from unpacking archives with long file paths, both r10k and serverless Puppet (via puppet module install) methods of installing modules with long path names will fail. In short, minitar is unable to unpack modules that contain long file paths (though it can create them).

As a workaround, you can retrieve DSC modules from the forge via PowerShell and 7zip:

$ModuleAuthor = 'dsc'
$ModuleName = 'xremotedesktopsessionhost'
$ModuleVersion = '2.0.0-0-1'
$ArchiveFileName = "$ModuleAuthor-$ModuleName-$ModuleVersion.tar.gz"
$DownloadUri = "https://forge.puppet.com/v3/files/$ArchiveFileName"
# Download the module tar.gz to the current directory
Invoke-WebRequest -Uri $DownloadUri -OutFile ./$ArchiveFileName
# Use 7zip to extract the module to the current directory
& 7z x $ArchiveFileName -so | & 7z x -aoa -si -ttar

Reference

Table of Contents

Resource types

• dsc_windowsdefender: The DSC WindowsDefender resource type. Automatically generated from version 1.0.0.4

Resource types

dsc_windowsdefender

The DSC WindowsDefender resource type. Automatically generated from version 1.0.0.4

Properties

The following properties are available in the dsc_windowsdefender type.

dsc_attacksurfacereductiononlyexclusions

Data type: Optional[Array[String]]

Specifies an array of file/folder paths to exclude from Attack Surface Reduction Rules(ASR) feature.

dsc_attacksurfacereductionrules_actions

Data type: Optional[Array[Enum['Disabled', 'Enabled', 'AuditMode']]]

Configure Attack Surface Reduction Rule(ASR) actions. The actions need to be in the same order as their respective rule Ids specified in the AttackSurfaceReductionRules_Ids property.

dsc_attacksurfacereductionrules_ids

Data type: Optional[Array[String]]

Specifies an array of Attack Surface Reduction Rule(ASR) Ids. The rule Ids need to be in the same order as their respective actions specified in the AttackSurfaceReductionRules_Actions property.

dsc_checkforsignaturesbeforerunningscan

Data type: Optional[Boolean]

Indicates whether to check for new virus and spyware definitions before Windows Defender runs a scan. If you specify a value of $True, Windows Defender checks for new definitions. If you specify $False or do not specify a value, the scan begins with existing definitions. This value applies to scheduled scans and to scans that you start from the command line, but it does not affect scans that you start from the user interface.

dsc_cloudblocklevel

Data type: Optional[Enum['Default', 'High', 'HighPlus', 'ZeroTolerance']]

Select cloud protection level.

dsc_cloudextendedtimeout

Data type: Optional[Integer[0, 4294967295]]

Specifies time in seconds for extended cloud check feature.

dsc_controlledfolderaccessallowedapplications

Data type: Optional[Array[String]]

Specifies an array of application file paths to add to allowed list for guard my folders feature.

dsc_controlledfolderaccessprotectedfolders

Data type: Optional[Array[String]]

Specifies an array of folder paths to add to guarded list for guard my folders feature.

dsc_disablearchivescanning

Data type: Optional[Boolean]

Indicates whether to scan archive files, such as .zip and .cab files, for malicious and unwanted software. If you specify a value of $True or do not specify a value, Windows Defender scans archive files.

dsc_disableautoexclusions

Data type: Optional[Boolean]

Indicates whether to disable the Automatic Exclusions feature for the server.

dsc_disablebehaviormonitoring

Data type: Optional[Boolean]

Indicates whether to enable behavior monitoring. If you specify a value of $True or do not specify a value, Windows Defender enables behavior monitoring

dsc_disableblockatfirstseen

Data type: Optional[Boolean]

Indicates whether to disable 'Block at First Sight' feature.

dsc_disablecatchupfullscan

Data type: Optional[Boolean]

Indicates whether Windows Defender runs catch-up scans for scheduled full scans. A computer can miss a scheduled scan, usually because the computer is turned off at the scheduled time. If you specify a value of $True, after the computer misses two scheduled full scans, Windows Defender runs a catch-up scan the next time someone logs on to the computer. If you specify a value of $False or do not specify a value, the computer does not run catch-up scans for scheduled full scans.

dsc_disablecatchupquickscan

Data type: Optional[Boolean]

Indicates whether Windows Defender runs catch-up scans for scheduled quick scans. A computer can miss a scheduled scan, usually because the computer is off at the scheduled time. If you specify a value of $True, after the computer misses two scheduled quick scans, Windows Defender runs a catch-up scan the next time someone logs onto the computer. If you specify a value of $False or do not specify a value, the computer does not run catch-up scans for scheduled quick scans.

dsc_disableemailscanning

Data type: Optional[Boolean]

Indicates whether Windows Defender parses the mailbox and mail files, according to their specific format, in order to analyze mail bodies and attachments. Windows Defender supports several formats, including .pst, .dbx, .mbx, .mime, and .binhex. If you specify a value of $True, Windows Defender performs email scanning. If you specify a value of $False or do not specify a value, Windows Defender does not perform email scanning.

dsc_disableintrusionpreventionsystem

Data type: Optional[Boolean]

Indicates whether to configure network protection against exploitation of known vulnerabilities. If you specify a value of $True or do not specify a value, network protection is enabled

dsc_disableioavprotection

Data type: Optional[Boolean]

Indicates whether Windows Defender scans all downloaded files and attachments. If you specify a value of $True or do not specify a value, scanning downloaded files and attachments is enabled.

dsc_disableprivacymode

Data type: Optional[Boolean]

Indicates whether to disable privacy mode. Privacy mode prevents users, other than administrators, from displaying threat history.

dsc_disablerealtimemonitoring

Data type: Optional[Boolean]

Indicates whether to use real-time protection. If you specify a value of $True or do not specify a value, Windows Defender uses real-time protection. We recommend that you enable Windows Defender to use real-time protection.

dsc_disableremovabledrivescanning

Data type: Optional[Boolean]

Indicates whether to scan for malicious and unwanted software in removable drives, such as flash drives, during a full scan. If you specify a value of $True, Windows Defender scans removable drives during any type of scan. If you specify a value of $False or do not specify a value, Windows Defender does not scan removable drives during a full scan. Windows Defender can still scan removable drives during quick scans or custom scans.

dsc_disablerestorepoint

Data type: Optional[Boolean]

Indicates whether to disable scanning of restore points.

dsc_disablescanningmappednetworkdrivesforfullscan

Data type: Optional[Boolean]

Indicates whether to scan mapped network drives. If you specify a value of $True, Windows Defender scans mapped network drives. If you specify a value of $False or do not specify a value, Windows Defender does not scan mapped network drives.

dsc_disablescanningnetworkfiles

Data type: Optional[Boolean]

Indicates whether to scan for network files. If you specify a value of $True, Windows Defender scans network files. If you specify a value of $False or do not specify a value, Windows Defender does not scan network files. We do not recommend that you scan network files.

dsc_disablescriptscanning

Data type: Optional[Boolean]

Specifies whether to disable the scanning of scripts during malware scans.

dsc_enablecontrolledfolderaccess

Data type: Optional[Enum['Disabled', 'Enabled', 'AuditMode']]

Configure the Controlled folder access feature.

dsc_enablenetworkprotection

Data type: Optional[Enum['Disabled', 'Enabled', 'AuditMode']]

Specifies how Windows Defender prevent users and apps from accessing dangerous websites.

dsc_exclusionextension

Data type: Optional[Array[String]]

Specifies an array of file name extensions, such as obj or lib, to exclude from scheduled, custom, and real-time scanning.

dsc_exclusionpath

Data type: Optional[Array[String]]

Specifies an array of file paths to exclude from scheduled and real-time scanning. You can specify a folder to exclude all the files under the folder.

dsc_exclusionprocess

Data type: Optional[Array[String]]

Specifies an array of processes, as paths to process images. The cmdlet excludes any files opened by the processes that you specify from scheduled and real-time scanning. Specifying this parameter excludes files opened by executable programs only. The cmdlet does not exclude the processes themselves. To exclude a process, specify it by using the ExclusionPath parameter.

dsc_highthreatdefaultaction

Data type: Optional[Enum['Allow', 'Block', 'Clean', 'NoAction', 'Quarantine', 'Remove', 'UserDefined']]

Specifies which automatic remediation action to take for a high level threat.

dsc_lowthreatdefaultaction

Data type: Optional[Enum['Allow', 'Block', 'Clean', 'NoAction', 'Quarantine', 'Remove', 'UserDefined']]

Specifies which automatic remediation action to take for a low level threat.

dsc_mapsreporting

Data type: Optional[Enum['Advanced', 'Basic', 'Disabled']]

Specifies the type of membership in Microsoft Active Protection Service. Microsoft Active Protection Service is an online community that helps you choose how to respond to potential threats. The community also helps prevent the spread of new malicious software. If you join this community, you can choose to automatically send basic or additional information about detected software. Additional information helps Microsoft create new definitions. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you.

dsc_moderatethreatdefaultaction

Data type: Optional[Enum['Allow', 'Block', 'Clean', 'NoAction', 'Quarantine', 'Remove', 'UserDefined']]

Specifies which automatic remediation action to take for a moderate level threat.

dsc_quarantinepurgeitemsafterdelay

Data type: Optional[Integer[0, 4294967295]]

Specifies the number of days to keep items in the Quarantine folder. If you specify a value of zero or do not specify a value for this parameter, items stay in the Quarantine folder indefinitely.

dsc_randomizescheduletasktimes

Data type: Optional[Boolean]

Indicates whether to select a random time for the scheduled start and scheduled update for definitions. If you specify a value of $True or do not specify a value, scheduled tasks begin within 30 minutes, before or after, the scheduled time. If you randomize the start times, it can distribute the impact of scanning. For example, if several virtual machines share the same host, randomized start times prevents all the hosts from starting the scheduled tasks at the same time.

dsc_realtimescandirection

Data type: Optional[Enum['Both', 'Incoming', 'Outcoming']]

Specifies scanning configuration for incoming and outgoing files on NTFS volumes. Specify a value for this parameter to enhance performance on servers which have a large number of file transfers, but need scanning for either incoming or outgoing files. Evaluate this configuration based on the server role. For non-NTFS volumes, Windows Defender performs full monitoring of file and program activity.

dsc_remediationscheduleday

Data type: Optional[Enum['Everyday', 'Never', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday', 'Sunday']]

Specifies the day of the week on which to perform a scheduled full scan in order to complete remediation. Alternatively, specify everyday for this full scan or never. The default value is Never. If you specify a value of Never or do not specify a value, Windows Defender performs a scheduled full scan to complete remediation by using a default frequency.

dsc_remediationscheduletime

Data type: Optional[Timestamp]

Specifies the time of day, as the number of minutes after midnight, to perform a scheduled scan. The time refers to the local time on the computer. If you do not specify a value for this parameter, a scheduled scan runs at the default time of two hours after midnight.

dsc_reportingadditionalactiontimeout

Data type: Optional[Integer[0, 4294967295]]

Specifies the number of minutes before a detection in the additional action state changes to the cleared state.

dsc_reportingcriticalfailuretimeout

Data type: Optional[Integer[0, 4294967295]]

Specifies the number of minutes before a detection in the critically failed state changes to either the additional action state or the cleared state.

dsc_reportingnoncriticaltimeout

Data type: Optional[Integer[0, 4294967295]]

Specifies the number of minutes before a detection in the non-critically failed state changes to the cleared state.

dsc_scanavgcpuloadfactor

Data type: Optional[Integer[0, 4294967295]]

Specifies the maxium percentage CPU usage for a scan. The acceptable values for this parameter are: integers from 5 through 100, and the value 0, which disables CPU throttling. Windows Defender does not exceed the percentage of CPU usage that you specify. The default value is 50.

dsc_scanonlyifidleenabled

Data type: Optional[Boolean]

Indicates whether to start scheduled scans only when the computer is not in use. If you specify a value of $True or do not specify a value, Windows Defender runs schedules scans when the computer is on, but not in use.

dsc_scanparameters

Data type: Optional[Enum['FullSCan', 'QuickScan']]

Specifies the scan type to use during a scheduled scan. If you do not specify this parameter, Windows Defender uses the default value of quick scan.

dsc_scanpurgeitemsafterdelay

Data type: Optional[Integer[0, 4294967295]]

Specifies the number of days to keep items in the scan history folder. After this time, Windows Defender removes the items. If you specify a value of zero, Windows Defender does not remove items. If you do not specify a value, Windows Defender removes items from the scan history folder after the default length of time, which is 30 days.

dsc_scanscheduleday

Data type: Optional[Enum['Everyday', 'Never', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday', 'Sunday']]

Specifies the day of the week on which to perform a scheduled scan. Alternatively, specify everyday for a scheduled scan or never. If you specify a value of Never or do not specify a value, Windows Defender performs a scheduled scan by using a default frequency.

dsc_scanschedulequickscantime

Data type: Optional[Timestamp]

Specifies the time of day, as the number of minutes after midnight, to perform a scheduled quick scan. The time refers to the local time on the computer. If you do not specify a value for this parameter, a scheduled quick scan runs at the time specified by the ScanScheduleTime parameter. That parameter has a default time of two hours after midnight.

dsc_scanscheduletime

Data type: Optional[Timestamp]

Specifies the time of day, as the number of minutes after midnight, to perform a scheduled scan. The time refers to the local time on the computer. If you do not specify a value for this parameter, a scheduled scan runs at a default time of two hours after midnight.

dsc_severethreatdefaultaction

Data type: Optional[Enum['Allow', 'Block', 'Clean', 'NoAction', 'Quarantine', 'Remove', 'UserDefined']]

Specifies which automatic remediation action to take for a severe level threat.

dsc_signatureaugraceperiod

Data type: Optional[Integer[0, 4294967295]]

Specifies a grace period, in minutes, for the definition. If a definition successfully updates within this period, Windows Defender abandons any service initiated updates.

dsc_signaturedefinitionupdatefilesharessources

Data type: Optional[String]

Specifies file-share sources for definition updates. Specify sources as a bracketed sequence of Universal Naming Convention (UNC) locations, separated by the pipeline symbol. If you specify a value for this parameter, Windows Defender attempts to connect to the shares in the order that you specify. After Windows Defender updates a definition, it stops attempting to connect to shares on the list. If you do not specify a value for this parameter, the list is empty.

dsc_signaturedisableupdateonstartupwithoutengine

Data type: Optional[Boolean]

Indicates whether to initiate definition updates even if no antimalware engine is present. If you specify a value of $True or do not specify a value, Windows Defender initiates definition updates on startup. If you specify a value of $False, and if no antimalware engine is present, Windows Defender does not initiate definition updates on startup.

dsc_signaturefallbackorder

Data type: Optional[String]

Specifies the order in which to contact different definition update sources. Specify the types of update sources in the order in which you want Windows Defender to contact them, enclosed in braces and separated by the pipeline symbol.

dsc_signaturefirstaugraceperiod

Data type: Optional[Integer[0, 4294967295]]

Specifies a grace period, in minutes, for the definition. If a definition successfully updates within this period, Windows Defender abandons any service initiated updates. This parameter overrides the value of the CheckForSignaturesBeforeRunningScan parameter.

dsc_signaturescheduleday

Data type: Optional[Enum['Everyday', 'Never', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday', 'Sunday']]

Specifies the day of the week on which to check for definition updates. Alternatively, specify everyday for a scheduled scan or never. If you specify a value of Never or do not specify a value, Windows Defender checks for definition updates by using a default frequency.

dsc_signaturescheduletime

Data type: Optional[Timestamp]

Specifies the time of day, as the number of minutes after midnight, to check for definition updates. The time refers to the local time on the computer. If you do not specify a value for this parameter, Windows Defender checks for definition updates at the default time of 15 minutes before the scheduled scan time.

dsc_signatureupdatecatchupinterval

Data type: Optional[Integer[0, 4294967295]]

Specifies the number of days after which Windows Defender requires a catch-up definition update. If you do not specify a value for this parameter, Windows Defender requires a catch-up definition update after the default value of one day.

dsc_signatureupdateinterval

Data type: Optional[Integer[0, 4294967295]]

Specifies the interval, in hours, at which to check for definition updates. The acceptable values for this parameter are: integers from 1 through 24. If you do not specify a value for this parameter, Windows Defender checks at the default interval. You can use this parameter instead of the SignatureScheduleDay parameter and SignatureScheduleTime parameter.

dsc_submitsamplesconsent

Data type: Optional[Enum['None', 'Always', 'Never']]

Specifies how Windows Defender checks for user consent for certain samples. If consent has previously been granted, Windows Defender submits the samples. Otherwise, if the MAPSReporting parameter does not have a value of Disabled, Windows Defender prompts the user for consent.

dsc_threatiddefaultaction_actions

Data type: Optional[Array[Enum['Allow', 'Block', 'Clean', 'NoAction', 'Quarantine', 'Remove', 'UserDefined']]]

Specifies which automatic remediation action to take for an unknonwn level threat.

dsc_threatiddefaultaction_ids

Data type: Optional[Array[Integer[-9223372036854775808, 9223372036854775807]]]

Specifies an array of the actions to take for the IDs specified by using the ThreatIDDefaultAction_Ids parameter.

dsc_uilockdown

Data type: Optional[Boolean]

Indicates whether to disable UI lockdown mode. If you specify a value of $True, Windows Defender disables UI lockdown mode. If you specify $False or do not specify a value, UI lockdown mode is enabled.

dsc_unknownthreatdefaultaction

Data type: Optional[Enum['Allow', 'Block', 'Clean', 'NoAction', 'Quarantine', 'Remove', 'UserDefined']]

Specifies which automatic remediation action to take for a low level threat.

Parameters

The following parameters are available in the dsc_windowsdefender type.

• dsc_issingleinstance
• dsc_psdscrunascredential
• name
• validation_mode

dsc_issingleinstance

namevar

Data type: Enum['Yes']

Specifies the resource is a single instance, the value must be 'Yes'

dsc_psdscrunascredential

Data type: Optional[Struct[{ user => String[1], password => Sensitive[String[1]] }]]

name

namevar

Data type: String

Description of the purpose for this resource declaration.

validation_mode

Data type: Enum[property, resource]

Whether to check if the resource is in the desired state by property (default) or using Invoke-DscResource in Test mode (resource).

Default value: property

Changelog

All notable changes to this project will be documented in this file.

Release 0.1.0

Features

Bugfixes

Known Issues