Deploy, manage, and report on Microsoft Defender Antivirus

Applies to:

Platforms

  • Windows

Microsoft Defender Antivirus is installed as a core part of Windows 10 and 11, and is included in Windows Server 2016 and later (Windows Server 2012 requires Microsoft Defender for Endpoint). You can manage and report on Microsoft Defender Antivirus using one of several tools, such as Microsoft Intune, Configuration Manager, PowerShell, Group Policy and Microsoft Entra ID, and Windows Management Instrumentation (WMI).

This article describes these options for deployment, management, and reporting.

Microsoft Intune

With Intune, you can manage device security through policies, such as a policy to configure Microsoft Defender Antivirus and other security capabilities in Defender for Endpoint. To learn more, see Use policies to manage device security.

For reporting, you can choose from several options:

Configuration Manager

With Configuration Manager, you can manage security and malware on Configuration Manager client computers. Use the Endpoint Protection point site system role and enable Endpoint Protection with custom client settings. You can use default and customized antimalware policies.

For reporting, you can choose from several options:

PowerShell

You can use PowerShell with Group Policy or Configuration Manager to manage Microsoft Defender Antivirus on client devices. You can also use PowerShell to manage Microsoft Defender Antivirus manually on individual devices that are not managed by a security team.
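
For a device managed by hand, the built-in Defender PowerShell module can double as a local health check. The script below is an added example, not part of the original article; the function name `Get-DefenderHealthReport` and the age thresholds are assumptions chosen for illustration, and it should be run from an elevated session so that configured exclusions are visible.

```powershell
# Added example: local Microsoft Defender Antivirus health report for one device.
# The thresholds are illustrative assumptions, not Microsoft guidance.
function Get-DefenderHealthReport {
    [CmdletBinding()]
    param(
        [int]$SignatureAgeLimit = 3,   # days; assumed threshold
        [int]$QuickScanAgeLimit = 7    # days; assumed threshold
    )

    # Both cmdlets ship in the Defender module that is built into Windows.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $prefs  = Get-MpPreference -ErrorAction Stop

    $findings = [System.Collections.Generic.List[string]]::new()
    if (-not $status.AMServiceEnabled)          { $findings.Add('Antimalware service is not enabled') }
    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus is not enabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper protection is off') }
    if ($status.AntivirusSignatureAge -gt $SignatureAgeLimit) {
        $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old")
    }
    # A device that has never been scanned reports a very large age and is flagged too.
    if ($status.QuickScanAge -gt $QuickScanAgeLimit) {
        $findings.Add("Last quick scan was $($status.QuickScanAge) days ago")
    }

    # Exclusions are a common blind spot; collect them so a reviewer can follow up.
    # Where-Object drops the $null entries returned when a list is empty.
    $exclusions = @($prefs.ExclusionPath) + @($prefs.ExclusionProcess) + @($prefs.ExclusionExtension) |
        Where-Object { $_ }
    if (@($exclusions).Count -gt 0) {
        $findings.Add("$(@($exclusions).Count) exclusion(s) configured; review them")
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RunningMode      = $status.AMRunningMode
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureUpdated = $status.AntivirusSignatureLastUpdated
        ExclusionCount   = @($exclusions).Count
        Healthy          = ($findings.Count -eq 0)
        Findings         = $findings -join '; '
    }
}

Get-DefenderHealthReport | Format-List
```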

For reporting, you can choose from the following options:

Group Policy and Microsoft Entra ID

You can use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled. Use Group Policy Objects (GPOs) to configure update options for Microsoft Defender Antivirus and configure Windows Defender features.

For reporting, keep in mind that device reporting isn't available with Group Policy.

  • You can generate a list of Group Policies to determine if any settings or policies aren't applied.

  • If your organization has Defender for Endpoint, you can also use the Microsoft Defender portal, which includes a device inventory list. To access the device inventory, in the Microsoft Defender portal (https://security.microsoft.com/), go to Assets > Devices. The device inventory list displays onboarded devices along with their health state and risk level.

Windows Management Instrumentation

With Windows Management Instrumentation (WMI), you can manage Microsoft Defender Antivirus with Group Policy or Configuration Manager. You can also use WMI to manage Microsoft Defender Antivirus manually on individual devices that aren't managed by a security team.

For reporting, Windows events comprise several security event sources, including Security Account Manager (SAM) events (enhanced for Windows 10). Also see Security auditing and Windows Defender events.

Tip

Performance tip: Due to a variety of factors, Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's Performance analyzer is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues. You can use the information gathered using Performance analyzer to better assess performance issues and apply remediation actions. See Performance analyzer for Microsoft Defender Antivirus.