
Managing Windows Defender Using PowerShell


Windows Defender first appeared as an anti-virus utility for Windows XP. Since Windows Vista it has been built into every Microsoft OS as protection against malicious software. In Windows 8 it was merged with another antivirus product, Microsoft Security Essentials, and it is now a full-featured antivirus.

Windows Defender performs well enough and has low system requirements. It can be updated from the Microsoft website or from an internal WSUS server, which makes it usable not only on home computers but also in SMB corporate networks.

But the main advantage of Defender is that it is easy to use: it is already pre-installed in Windows, enabled by default and practically needs no manual configuration.


Tip. At the moment, Windows Defender is part of the client OS only and is not available in the current versions of Windows Server. However, in recent preview versions of Windows Server 2016, Windows Defender can be installed as a server feature (Install-WindowsFeature -Name Windows-Server-Antimalware).

In most cases Windows Defender works well with the default settings, but sometimes you need to change its behavior. A large number of settings are available from the PowerShell console through a special module, Defender. It first appeared in PowerShell 4.0 and is designed specifically for Windows Defender management. This module contains 11 cmdlets, which we review today.


To display the list of cmdlets contained in the module, run the following command:

Get-Command -Module Defender


  • Add-MpPreference
  • Get-MpComputerStatus
  • Get-MpPreference
  • Get-MpThreat
  • Get-MpThreatCatalog
  • Get-MpThreatDetection
  • Remove-MpPreference
  • Remove-MpThreat
  • Set-MpPreference
  • Start-MpScan
  • Update-MpSignature

Get-MpComputerStatus displays the current status of Windows Defender: enabled options, virus definition date and version, last scan time and more.


To display the current Windows Defender settings, use the Get-MpPreference cmdlet; to change settings, use Set-MpPreference.

For example, suppose we need to enable scanning of removable drives. Let's get the current settings with the command:

Get-MpPreference | fl disable*

As you can see, removable drive scanning is disabled (DisableRemovableDriveScanning = True). Turn it on using the following command:

Set-MpPreference -DisableRemovableDriveScanning $false


You can also use the Add-MpPreference and Remove-MpPreference cmdlets to add or remove antivirus settings. For example, let's add some folders to the antivirus exclusion paths:

Add-MpPreference -ExclusionPath C:\Video, C:\install

Display the list of path exclusions for Windows Defender:

Get-MpPreference | fl excl*

To remove the exclusion for a particular directory:

Remove-MpPreference -ExclusionPath C:\install


To start an antivirus signature update, use the Update-MpSignature cmdlet. By default, Windows Defender updates using the computer's standard update settings, but the UpdateSource parameter lets you specify exactly where the updates should be taken from.

The following sources are available:

  • MicrosoftUpdateServer
  • MMPC (Microsoft Malware Protection Center)
  • FileShares
  • InternalDefinitionUpdateServer (internal WSUS server)

To update the antivirus from a file share, first download the necessary definition update files from https://www.microsoft.com/security/portal/definitions/adl.aspx and place them in a network folder. Then specify that Windows Defender should be updated from that network directory (UNC path):

Set-MpPreference -SignatureDefinitionUpdateFileSharesSources \\DESKTOP-V20E3PO\Updates

To run the virus and malware definition update manually:

Update-MpSignature -UpdateSource FileShares
Update-MpSignature
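The file-share update described above, as an added example that is not part of the original article: it points Defender at a definition share, updates from it, falls back to Microsoft Update if the share is unreachable, and then checks the resulting definition age with Get-MpComputerStatus. The UNC path is a placeholder.

```powershell
# Added example: definition update from a file share with a fallback.
# The share path is a placeholder; replace it with your own.
$share = '\\FILESERVER01\DefenderUpdates'

# Tell Defender where the FileShares source lives
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $share

$before = (Get-MpComputerStatus).AntivirusSignatureVersion

try {
    # Try the internal share first; -ErrorAction Stop makes a failure catchable
    Update-MpSignature -UpdateSource FileShares -ErrorAction Stop
    Write-Output "Updated from file share $share"
}
catch {
    # Share unreachable or stale: fall back to Microsoft Update
    Write-Warning "File share update failed: $($_.Exception.Message)"
    Update-MpSignature -UpdateSource MicrosoftUpdateServer
}

$status = Get-MpComputerStatus
if ($status.AntivirusSignatureVersion -eq $before) {
    Write-Output "Signatures unchanged (already current): $before"
} else {
    Write-Output "Signatures $before -> $($status.AntivirusSignatureVersion)"
}

# Definitions older than a few days are worth an operator's attention
if ($status.AntivirusSignatureAge -gt 3) {
    Write-Warning "Definitions are $($status.AntivirusSignatureAge) days old"
}
```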


To perform an antivirus scan of the system, use the Start-MpScan cmdlet. With the ScanType parameter you can choose one of three scan modes:

  • FullScan: all files on the computer are scanned, as well as the system registry and currently running apps
  • QuickScan: only the areas most likely to be infected by malware are analyzed
  • CustomScan: the user selects the folders and drives to be scanned.

For example, run a custom scan to check the system folder "C:\Program Files":

Start-MpScan -ScanType CustomScan -ScanPath "C:\Program Files"


All Defender module cmdlets can be run against both local and remote computers. To connect to a remote computer, use the CimSession parameter. For example, to get the date of the last scan from the remote computer with hostname lnd_wks21, run the following commands (WinRM must be enabled on it):

$session = New-CimSession -ComputerName lnd_wks21
Get-MpComputerStatus -CimSession $session | fl fullscan*
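Putting the remote CimSession, Get-MpComputerStatus and Get-MpPreference cmdlets together, here is an added example (not from the original article) that audits several computers over WinRM and flags the settings reviewed earlier on this page: real-time protection, removable drive scanning, definition age, scan age and overly broad exclusion paths. The hostnames are placeholders.

```powershell
# Added example: Defender baseline audit across several hosts via CimSession.
# Hostnames are placeholders; WinRM must be enabled on every target.
$computers = 'lnd_wks21', 'lnd_wks22'

$report = foreach ($name in $computers) {
    try {
        $cim    = New-CimSession -ComputerName $name -ErrorAction Stop
        $status = Get-MpComputerStatus -CimSession $cim
        $pref   = Get-MpPreference     -CimSession $cim
        Remove-CimSession -CimSession $cim

        # Findings a defender would want to see first
        $issues = @()
        if (-not $status.RealTimeProtectionEnabled) { $issues += 'Real-time protection off' }
        if ($pref.DisableRemovableDriveScanning)    { $issues += 'Removable drives not scanned' }
        if ($status.AntivirusSignatureAge -gt 3)    { $issues += "Signatures $($status.AntivirusSignatureAge) days old" }
        if ($status.QuickScanAge -gt 7)             { $issues += "No quick scan for $($status.QuickScanAge) days" }

        # A whole drive or the user profile tree excluded from scanning is a weak spot
        foreach ($path in $pref.ExclusionPath) {
            if ($path -match '^[A-Za-z]:\\?$' -or $path -like 'C:\Users*') {
                $issues += "Broad exclusion: $path"
            }
        }

        [pscustomobject]@{
            Computer      = $name
            Signatures    = $status.AntivirusSignatureVersion
            LastFullScan  = $status.FullScanEndTime
            LastQuickScan = $status.QuickScanEndTime
            Exclusions    = ($pref.ExclusionPath -join '; ')
            Issues        = if ($issues) { $issues -join '; ' } else { 'OK' }
        }
    }
    catch {
        # Keep the same columns so the table stays readable when a host is down
        [pscustomobject]@{
            Computer = $name; Signatures = $null; LastFullScan = $null
            LastQuickScan = $null; Exclusions = $null
            Issues = "Unreachable: $($_.Exception.Message)"
        }
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path .\DefenderAudit.csv -NoTypeInformation
```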

If you want to disable Defender real-time protection:

Set-MpPreference -DisableRealtimeMonitoring $true

To completely disable Windows Defender on a PC, use the command:

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force


