Manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

We recommend using Microsoft Intune or Microsoft Endpoint Configuration Manager to manage Defender for Endpoint settings. However, you can use other tools to manage some settings, such as Microsoft Defender Antivirus, exploit protection, and customized attack surface reduction rules with:

Important

Threat protection features that you configure by using PowerShell, WMI, or MCPmdRun.exe can be overwritten by configuration settings that are deployed with Intune or Configuration Manager.

Configure Microsoft Defender for Endpoint with PowerShell

You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules.

Task Resources to learn more
Manage Microsoft Defender Antivirus

View status of antimalware protection, configure preferences for antivirus scans & updates, and make other changes to your antivirus protection.*
Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus

Use PowerShell cmdlets to enable cloud-delivered protection
Configure exploit protection to mitigate threats on your organization's devices

We recommend using exploit protection in audit mode at first. That way, you can see how exploit protection affects apps your organization is using.
Customize exploit protection

PowerShell cmdlets for exploit protection
Configure attack surface reduction rules with PowerShell

You can use PowerShell to exclude files and folders from attack surface reduction rules.
Customize attack surface reduction rules: Use PowerShell to exclude files & folders

Also, see António Vasconcelo's graphical user interface tool for setting attack surface reduction rules with PowerShell.
Enable Network Protection with PowerShell

You can use PowerShell to enable Network Protection.
Turn on Network Protection with PowerShell
Configure controlled folder access to protect against ransomware

Controlled folder access is also referred to as antiransomware protection.
Enable controlled folder access with PowerShell
Configure Microsoft Defender Firewall to block unauthorized network traffic flowing into or out of your organization's devices Microsoft Defender Firewall with Advanced Security Administration using Windows PowerShell
Configure encryption and BitLocker to protect information on your organization's devices running Windows BitLocker PowerShell reference guide

Configure Microsoft Defender for Endpoint with Windows Management Instrumentation (WMI)

WMI is a scripting interface that allows you to retrieve, modify, and update settings. To learn more, see Using WMI.

Task Resources to learn more
Enable cloud-delivered protection on a device Use Windows Management Instruction (WMI) to enable cloud-delivered protection
Retrieve, modify, and update settings for Microsoft Defender Antivirus [Use WMI to configure and manage Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus

Review the list of available WMI classes and example scripts

Also see the archived Windows Defender WMIv2 Provider reference information

Configure Microsoft Defender for Endpoint with Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe)

On an individual device, you can run a scan, start diagnostic tracing, check for security intelligence updates, and more using the mpcmdrun.exe command-line tool. You can find the utility in %ProgramFiles%\Windows Defender\MpCmdRun.exe. Run it from a command prompt.

To learn more, see Configure and manage Microsoft Defender Antivirus with mpcmdrun.exe.

Configure your Microsoft 365 Defender portal

If you haven't already done so, configure your Microsoft 365 Defender portal to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture.

You can also configure whether and what features end users can see.

Next steps

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.