Site icon Winhelponline

Accidentally Allowed a Threat in Windows Defender. What to do now?

When Microsoft Defender Antivirus finds a virus, it asks you what action to take on the threat. The options are “Remove”, “Quarantine”, and “Allow on device”.

You may wonder the following:

  1. What happens if you’ve accidentally clicked “Allow” instead of “Remove”?
  2. What happens to the “allowed” threat? Will Microsoft Defender Antivirus redetect the item during the next scan?

If you accidentally allow a threat, Microsoft Defender stores the setting (Threat ID) in the registry. The file won’t be flagged when you run it in the future or during a system scan. This poses a big security risk.

You may also see the note “This threat or app has been allowed and will not be remediated in the future” in the Windows Security user interface.


To resolve the issue, please undo your choice by opening Windows Security → Virus and Threat protection → “Allowed Threats.”

In the “Allowed threats” page, click the “Don’t allow” button for the program(s) you accidentally allowed to run.

Do this for each threat for which you inadvertently the “Allow” button.

And then remediate the threat by clicking “Remove” or “Quarantine” and click “Start actions”.

Using PowerShell to reset the Allowed threat listing

To bulk delete the allowed threats listing, use PowerShell (admin).

In PowerShell admin, run the following commands:

$ThreatIds = (Get-MpPreference).ThreatIDDefaultAction_Ids

Foreach ($ThreatId in $ThreatIds) { Remove-MpPreference -ThreatIDDefaultAction_Ids $ThreatId -Verbose }

That’s it. It clears the “Allowed threats” listing automatically.

Exit mobile version