Manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft 365 Defender
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
We recommend using Microsoft Intune or Microsoft Endpoint Configuration Manager to manage Defender for Endpoint settings. However, you can use other tools to manage some settings, such as Microsoft Defender Antivirus, exploit protection, and customized attack surface reduction rules with:
- PowerShell;
- Windows Management Instrumentation (WMI); and
- The Microsoft Malware Protection Command Line Utility (MPCmdRun.exe).
Important
Threat protection features that you configure by using PowerShell, WMI, or MCPmdRun.exe can be overwritten by configuration settings that are deployed with Intune or Configuration Manager.
Configure Microsoft Defender for Endpoint with PowerShell
You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules.
| Task | Resources to learn more |
|---|---|
| Manage Microsoft Defender Antivirus View status of antimalware protection, configure preferences for antivirus scans & updates, and make other changes to your antivirus protection.* |
Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus Use PowerShell cmdlets to enable cloud-delivered protection |
| Configure exploit protection to mitigate threats on your organization's devices We recommend using exploit protection in audit mode at first. That way, you can see how exploit protection affects apps your organization is using. |
Customize exploit protection PowerShell cmdlets for exploit protection |
| Configure attack surface reduction rules with PowerShell You can use PowerShell to exclude files and folders from attack surface reduction rules. |
Customize attack surface reduction rules: Use PowerShell to exclude files & folders Also, see António Vasconcelo's graphical user interface tool for setting attack surface reduction rules with PowerShell. |
| Enable Network Protection with PowerShell You can use PowerShell to enable Network Protection. |
Turn on Network Protection with PowerShell |
| Configure controlled folder access to protect against ransomware Controlled folder access is also referred to as antiransomware protection. |
Enable controlled folder access with PowerShell |
| Configure Microsoft Defender Firewall to block unauthorized network traffic flowing into or out of your organization's devices | Microsoft Defender Firewall with Advanced Security Administration using Windows PowerShell |
| Configure encryption and BitLocker to protect information on your organization's devices running Windows | BitLocker PowerShell reference guide |
Configure Microsoft Defender for Endpoint with Windows Management Instrumentation (WMI)
WMI is a scripting interface that allows you to retrieve, modify, and update settings. To learn more, see Using WMI.
| Task | Resources to learn more |
|---|---|
| Enable cloud-delivered protection on a device | Use Windows Management Instruction (WMI) to enable cloud-delivered protection |
| Retrieve, modify, and update settings for Microsoft Defender Antivirus | [Use WMI to configure and manage Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus Review the list of available WMI classes and example scripts Also see the archived Windows Defender WMIv2 Provider reference information |
Configure Microsoft Defender for Endpoint with Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe)
On an individual device, you can run a scan, start diagnostic tracing, check for security intelligence updates, and more using the mpcmdrun.exe command-line tool. You can find the utility in %ProgramFiles%\Windows Defender\MpCmdRun.exe. Run it from a command prompt.
To learn more, see Configure and manage Microsoft Defender Antivirus with mpcmdrun.exe.
Configure your Microsoft 365 Defender portal
If you haven't already done so, configure your Microsoft 365 Defender portal to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture.
You can also configure whether and what features end users can see in the Microsoft Defender Security Center.
- Overview of the Microsoft Defender Security Center
- Endpoint protection: Microsoft Defender Security Center
Next steps
Feedback
Submit and view feedback for