Configure a Trusted Image Identifier for Microsoft Defender

Make your devices work faster right out of the box by adding a trusted image identifier to Microsoft Defender.

You can speed up the initial performance of your PCs and devices for the end user by adding a trusted image identifier to Microsoft Defender. Microsoft Defender can help to prevent, remove, and quarantine malware and spyware.

By default, Microsoft Defender performs a scan of each file on the device when the device accesses the file for the first time. This is known as an on-access scan. Optimization mechanisms, such as caching, help reduce unnecessary scans of files that have already been scanned. When Microsoft Defender performs a quick scan or a full scan (also known as on-demand scans), the rest of the files on the system will be marked as safe.

Note

If you have already deployed a series of devices, and then later determine that there is a potential problem with the security of the image, contact your Depth Project Manager (PM) within the Windows Ecosystem Engagement team, and provide the unique identifier of the image. Microsoft will add this unique identifier into Windows Update. After a device with that unique identifier receives updates from Windows Update, Microsoft Defender performs scans on all of the files on that device.

Add a Trusted Image Identifier

For optimal performance, add this setting when you prepare the device for final deployment, after you perform a full scan of the final image:

  1. Create a Windows Setup answer file (unattend.xml), and add the Security-Malware-Windows-Defender\TrustedImageIdentifier setting. To learn more, see the OEM deployment lab: Customize Windows with an answer file.

  2. For the TrustedImageIdentifier setting, specify a unique identifier for the image, such as a GUID or other unique value (example: "Contoso Laptop Model 1 2021-07-31").

  3. Apply the image to a new device, boot it into audit mode, and scan the image by using Microsoft Defender or another scanning tool. This can help make sure that the image is safe.

  4. Reseal the image, adding the answer file with the TrustedImageIdentifier setting.

    C:\Windows\System32\Sysprep\sysprep /oobe /generalize /unattend:c:\recovery\oem\Unattend.xml /shutdown
    
  5. Apply the image to new devices, and deliver them to customers.

    The next time that the device starts, Windows identifies all of the files currently on the system, and skips these files during subsequent scans.
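    The following answer file is an added example for the steps above; it is not from the original page or from Microsoft. It assumes that the Security-Malware-Windows-Defender component is applied in the specialize pass on an amd64 image, that the file is saved as c:\recovery\oem\Unattend.xml (the path used in the sysprep command in step 4), and it reuses the identifier value the page gives as an example. Assign a new identifier whenever the image contents change, because files present at the first boot after sysprep are skipped in later scans.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Example unattend.xml (added here; not from the original page).
     Assumptions: TrustedImageIdentifier is set in the specialize pass
     on an amd64 image; the identifier value is the page's own example. -->
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Security-Malware-Windows-Defender"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral"
               versionScope="nonSxS">
      <!-- Unique identifier for this exact, fully scanned image.
           Change the value whenever the image is rebuilt, so that files
           from a new build are not treated as already scanned. -->
      <TrustedImageIdentifier>Contoso Laptop Model 1 2021-07-31</TrustedImageIdentifier>
    </component>
  </settings>
</unattend>
```

    Only the component shown is required for this setting; other components your deployment already uses in the specialize pass can sit alongside it in the same settings block.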

Use Answer Files with Sysprep