Details

This policy setting allows you to configure whether Windows Defender automatically takes action on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action user-defined action and the signature-defined action. If you enable this policy setting Windows Defender does not automatically take action on the detected threats but prompts users to choose from the actions available for each threat. If you disable or do not configure this policy setting Windows Defender automatically takes action on all detected threats after a nonconfigurable delay of approximately five seconds.

Solution

Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> ‘Turn off routine remediation’ to ‘Disabled’ or ‘Not Configured’.

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Defender_Antivirus_V2R3_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Windows.

References

• 800-53|SI-3c.2.
• CAT|II
• CCI|CCI-001243
• Rule-ID|SV-213427r569189_rule
• STIG-ID|WNDF-AV-000003
• STIG-Legacy|SV-89831
• STIG-Legacy|V-75151
• Vuln-ID|V-213427

Source

• Tenable.com/audits