This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Applies to:
Platforms
Microsoft Defender Antivirus is installed as a core part of Windows 10 and 11, and is included in Windows Server 2016 and later (Windows Server 2012 requires Microsoft Defender for Endpoint). You can manage and report on Microsoft Defender Antivirus using one of several tools, such as:
This article describes these options for deployment, management, and reporting.
With Intune, you can manage device security through policies, such as a policy to configure Microsoft Defender Antivirus and other security capabilities in Defender for Endpoint. To learn more, see Use policies to manage device security.
For reporting, you can choose from several options:
Use the Microsoft Defender portal, which includes a device inventory list. To access the device inventory, in the Microsoft Defender portal (https://security.microsoft.com/), go to Assets > Devices. The device inventory list displays onboarded devices along with their health state and risk level.
Manage devices with Intune, which includes the ability to view detailed information about devices and take action. Available actions include starting an antivirus scan, restarting a device, locating a device, wiping a device, and more.
With Configuration Manager, you can manage security and malware on Configuration Manager client computers. Use the Endpoint Protection point site system role and enable Endpoint Protection with custom client settings. You can use default and customized antimalware policies.
For reporting, you can choose from several options:
Use the Microsoft Defender portal, which includes a device inventory list. To access the device inventory, in the Microsoft Defender portal (https://security.microsoft.com/), go to Assets > Devices. The device inventory list displays onboarded devices along with their health state and risk level.
Use the default Configuration Manager Monitoring workspace.
If your organization has Defender for Endpoint, you can also use the Microsoft Defender portal, which includes a device inventory list. To access the device inventory, in the Microsoft Defender portal (https://security.microsoft.com/), go to Assets > Devices. The device inventory list displays onboarded devices along with their health state and risk level.
You can use PowerShell with Group Policy or Configuration Manager to manage Microsoft Defender Antivirus on client devices. You can also use PowerShell to manage Microsoft Defender Antivirus manually on individual devices that are not managed by a security team.
Use the appropriate Get- cmdlets available in the Defender module.
Use the Set-MpPreference and Update-MpSignature cmdlets that are available in the Defender module.
For reporting, you can choose from the following options:
Use the Microsoft Defender portal, which includes a device inventory list. To access the device inventory, in the Microsoft Defender portal (https://security.microsoft.com/), go to Assets > Devices. The device inventory list displays onboarded devices along with their health state and risk level.
Use the default Configuration Manager Monitoring workspace.
You can use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled. Use Group Policy Objects (GPOs) to configure update options for Microsoft Defender Antivirus and configure Windows Defender features.
For reporting, keep in mind that device reporting isn't available with Group Policy.
You can generate a list of Group Policies to determine if any settings or policies aren't applied.
If your organization has Defender for Endpoint, you can also use the Microsoft Defender portal, which includes a device inventory list. To access the device inventory, in the Microsoft Defender portal (https://security.microsoft.com/), go to Assets > Devices. The device inventory list displays onboarded devices along with their health state and risk level.
With Windows Management Instrumentation (WMI), you can manage Microsoft Defender Antivirus with Group Policy or Configuration Manager. You can also use WMI to manage Microsoft Defender Antivirus manually on individual devices that aren't managed by a security team.
Use the Set method of the MSFT_MpPreference class and the Update method of the MSFT_MpSignature class.
Use the MSFT_MpComputerStatus class and the get method of associated classes in the Windows Defender WMIv2 Provider.
For reporting, Windows events comprise several security event sources, including Security Account Manager (SAM) events (enhanced for Windows 10. Also see Security auditing and Windows Defender events.
Tip
Performance tip Due to a variety of factors, Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's Performance analyzer is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues. You can use the information gathered using Performance analyzer to better assess performance issues and apply remediation actions. See Performance analyzer for Microsoft Defender Antivirus.
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Training
Module
MD-102 3-Manage Microsoft Defender in Windows client - Training
This module explains the built-in security features of Windows clients and how to implement them using policies.
Certification
Microsoft 365 Certified: Endpoint Administrator Associate - Certifications
Plan and execute an endpoint deployment strategy, using essential elements of modern management, co-management approaches, and Microsoft Intune integration.