Deploy, manage, and report on Microsoft Defender Antivirus
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus
Platforms
- Windows
Microsoft Defender Antivirus is installed as a core part of Windows 10 and 11, and is included in Windows Server 2016 and later (Windows Server 2012 requires Microsoft Defender for Endpoint). You can manage and report on Microsoft Defender Antivirus using one of several tools, such as:
- Microsoft Intune
- Configuration Manager
- PowerShell
- Group Policy and Microsoft Entra ID
- Windows Management Instrumentation
This article describes these options for deployment, management, and reporting.
Microsoft Intune
With Intune, you can manage device security through policies, such as a policy to configure Microsoft Defender Antivirus and other security capabilities in Defender for Endpoint. To learn more, see Use policies to manage device security.
For reporting, you can choose from several options:
- Use the Microsoft Defender portal, which includes a device inventory list. To access the device inventory, in the Microsoft Defender portal (https://security.microsoft.com/), go to Assets > Devices. The device inventory list displays onboarded devices along with their health state and risk level.
- Manage devices with Intune, which includes the ability to view detailed information about devices and take action. Available actions include starting an antivirus scan, restarting a device, locating a device, wiping a device, and more.
Configuration Manager
With Configuration Manager, you can manage security and malware on Configuration Manager client computers. Use the Endpoint Protection point site system role and enable Endpoint Protection with custom client settings. You can use default and customized antimalware policies.
For reporting, you can choose from several options:
- Use the Microsoft Defender portal, which includes a device inventory list. To access the device inventory, in the Microsoft Defender portal (https://security.microsoft.com/), go to Assets > Devices. The device inventory list displays onboarded devices along with their health state and risk level.
- Use the default Configuration Manager Monitoring workspace.
- If your organization has Defender for Endpoint, you can also use the Microsoft Defender portal, which includes a device inventory list. To access the device inventory, in the Microsoft Defender portal (https://security.microsoft.com/), go to Assets > Devices. The device inventory list displays onboarded devices along with their health state and risk level.
PowerShell
You can use PowerShell with Group Policy or Configuration Manager to manage Microsoft Defender Antivirus on client devices. You can also use PowerShell to manage Microsoft Defender Antivirus manually on individual devices that are not managed by a security team.
Use the appropriate Get- cmdlets available in the Defender module.
Use the Set-MpPreference and Update-MpSignature cmdlets that are available in the Defender module.
For reporting, you can choose from the following options:
- Use the Microsoft Defender portal, which includes a device inventory list. To access the device inventory, in the Microsoft Defender portal (https://security.microsoft.com/), go to Assets > Devices. The device inventory list displays onboarded devices along with their health state and risk level.
- Use the default Configuration Manager Monitoring workspace.
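The Get-, Set-MpPreference, and Update-MpSignature cmdlets described in this section can be combined into a local health check. The following is an added example, not code from this article; the function name, the thresholds, and the -Remediate switch are assumptions.

```powershell
#Requires -Modules Defender
# Added example. Function name and thresholds are assumptions, not Microsoft guidance.
# Run elevated so the exclusion lists in Get-MpPreference are readable.
function Get-DefenderHealthFinding {
    [CmdletBinding()]
    param(
        [int]$MaxSignatureAgeDays = 3,   # assumed threshold
        [int]$MaxQuickScanAgeDays = 7,   # assumed threshold
        [switch]$Remediate               # also apply the Set-/Update- cmdlets
    )
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $status.AntivirusEnabled)  { $findings.Add('Antivirus engine is not enabled') }
    if (-not $status.IsTamperProtected) { $findings.Add('Tamper protection is off') }
    if ($status.QuickScanAge -gt $MaxQuickScanAgeDays) {
        $findings.Add("Last quick scan is $($status.QuickScanAge) days old")
    }
    if (-not $status.RealTimeProtectionEnabled -or $pref.DisableRealtimeMonitoring) {
        $findings.Add('Real-time protection is off')
        if ($Remediate) { Set-MpPreference -DisableRealtimeMonitoring $false }
    }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old")
        if ($Remediate) { Update-MpSignature }
    }
    # Every exclusion is a scanning blind spot, so list each one for review.
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($item in @($pref.$kind)) {
            if ($item) { $findings.Add("$kind entry: $item") }
        }
    }
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RunningMode      = $status.AMRunningMode
        SignatureVersion = $status.AntivirusSignatureVersion
        Findings         = $findings
    }
}

Get-DefenderHealthFinding | Format-List
```

When tamper protection is on, a local Set-MpPreference change to real-time protection can be ignored, so rerun the check after remediation to confirm the state.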
Group Policy and Microsoft Entra ID
You can use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled. Use Group Policy Objects (GPOs) to configure update options for Microsoft Defender Antivirus and configure Windows Defender features.
For reporting, keep in mind that device reporting isn't available with Group Policy.
You can generate a list of Group Policies to determine if any settings or policies aren't applied.
If your organization has Defender for Endpoint, you can also use the Microsoft Defender portal, which includes a device inventory list. To access the device inventory, in the Microsoft Defender portal (https://security.microsoft.com/), go to Assets > Devices. The device inventory list displays onboarded devices along with their health state and risk level.
Windows Management Instrumentation
With Windows Management Instrumentation (WMI), you can manage Microsoft Defender Antivirus with Group Policy or Configuration Manager. You can also use WMI to manage Microsoft Defender Antivirus manually on individual devices that aren't managed by a security team.
Use the Set method of the MSFT_MpPreference class and the Update method of the MSFT_MpSignature class.
Use the MSFT_MpComputerStatus class and the get method of associated classes in the Windows Defender WMIv2 Provider.
For reporting, Windows events comprise several security event sources, including Security Account Manager (SAM) events (enhanced for Windows 10). Also see Security auditing and Windows Defender events.
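The WMI classes named in this section can be reached from PowerShell through the CIM cmdlets, which also work against remote devices. The following is an added example, not code from this article; the computer names are placeholders, the three-day signature threshold is an assumption, and remote CIM sessions assume WinRM is enabled on the targets.

```powershell
# Added example. Computer names are placeholders; the threshold is an assumption.
$ns        = 'root/Microsoft/Windows/Defender'   # Windows Defender WMIv2 provider
$computers = 'WS-EXAMPLE-01', 'WS-EXAMPLE-02'    # placeholder device names

$results = foreach ($c in $computers) {
    $session = $null
    try {
        $session = New-CimSession -ComputerName $c -ErrorAction Stop
        $s = Get-CimInstance -CimSession $session -Namespace $ns `
                 -ClassName MSFT_MpComputerStatus -ErrorAction Stop

        # Update method of MSFT_MpSignature: refresh stale security intelligence.
        if ($s.AntivirusSignatureAge -gt 3) {
            Invoke-CimMethod -CimSession $session -Namespace $ns `
                -ClassName MSFT_MpSignature -MethodName Update | Out-Null
        }
        # Set method of MSFT_MpPreference: turn real-time protection back on.
        if (-not $s.RealTimeProtectionEnabled) {
            Invoke-CimMethod -CimSession $session -Namespace $ns `
                -ClassName MSFT_MpPreference -MethodName Set `
                -Arguments @{ DisableRealtimeMonitoring = $false } | Out-Null
        }
        [pscustomobject]@{
            ComputerName     = $c
            RealTimeEnabled  = $s.RealTimeProtectionEnabled
            SignatureAgeDays = $s.AntivirusSignatureAge
            SignatureVersion = $s.AntivirusSignatureVersion
            Error            = $null
        }
    } catch {
        # An unreachable device is a finding too; keep it in the report.
        [pscustomobject]@{
            ComputerName = $c; RealTimeEnabled = $null; SignatureAgeDays = $null
            SignatureVersion = $null; Error = $_.Exception.Message
        }
    } finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}
$results | Format-Table -AutoSize
```

The values in each row are read before any remediation runs, so query again to confirm the resulting state.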
See also
- Microsoft Defender Antivirus compatibility with other security products
- Deploy and enable Microsoft Defender Antivirus protection
- Manage Microsoft Defender Antivirus updates and apply baselines
- Monitor and report on Microsoft Defender Antivirus protection
- Microsoft Defender for Endpoint on Mac
- Microsoft Defender for Endpoint on Linux
- Configure Defender for Endpoint on Android features
- Configure Microsoft Defender for Endpoint on iOS features
Tip
Performance tip: Due to a variety of factors, Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's Performance analyzer is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues. You can use the information gathered using Performance analyzer to better assess performance issues and apply remediation actions. See Performance analyzer for Microsoft Defender Antivirus.