Use Windows Management Instrumentation (WMI) to configure and manage Microsoft Defender Antivirus

Applies to:

Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings.

Read more about WMI at the Microsoft Developer Network System Administration library.

Microsoft Defender Antivirus has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to Defender for Cloud PowerShell cmdlets.

The MSDN Windows Defender WMIv2 Provider reference library lists the available WMI classes for Microsoft Defender Antivirus, and includes example scripts.

Changes made with WMI affect local settings on the endpoint where the changes are deployed or made. This means that policy deployed with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with WMI.

You can configure which settings can be overridden locally with local policy overrides.
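
The following added example (not taken from the Microsoft reference library) reads Defender status through the WMI provider, changes one local preference, and re-reads it to see whether the local change is the effective value. It assumes an elevated PowerShell session; the choice of ScanAvgCPULoadFactor and the value 40 are constructed for illustration.

```powershell
# Added example: query and set Microsoft Defender Antivirus settings over WMI (CIM).
# Run from an elevated PowerShell session on the endpoint being managed.
$ns = 'root/Microsoft/Windows/Defender'   # namespace of the Defender WMIv2 provider

# 1. Read protection status from the MSFT_MpComputerStatus class.
$status = Get-CimInstance -Namespace $ns -ClassName MSFT_MpComputerStatus -ErrorAction Stop
$status | Select-Object AntivirusEnabled, RealTimeProtectionEnabled,
    AntivirusSignatureAge, AntivirusSignatureLastUpdated | Format-List

# 2. Read the current effective value of one preference from MSFT_MpPreference.
$before = (Get-CimInstance -Namespace $ns -ClassName MSFT_MpPreference).ScanAvgCPULoadFactor
Write-Output "ScanAvgCPULoadFactor before change: $before"

# 3. Change the local setting through the class's static Set method.
$desired = [byte]40   # constructed sample value; the property is an 8-bit integer
try {
    $result = Invoke-CimMethod -Namespace $ns -ClassName MSFT_MpPreference `
        -MethodName Set -Arguments @{ ScanAvgCPULoadFactor = $desired } -ErrorAction Stop
    if ($result.ReturnValue -ne 0) {
        throw "Set returned $($result.ReturnValue)"
    }
}
catch {
    Write-Error "Could not change the setting over WMI: $_"
    return
}

# 4. Re-read the effective value. If it differs from what was just written,
#    a centrally deployed policy is most likely taking precedence over the
#    local WMI change (assumption: no other tool changed it in between).
$after = (Get-CimInstance -Namespace $ns -ClassName MSFT_MpPreference).ScanAvgCPULoadFactor
if ($after -ne $desired) {
    Write-Warning "Effective value is $after, not $desired; the local change did not take effect."
}
else {
    Write-Output "Local change applied: ScanAvgCPULoadFactor is now $after."
}

# 5. Restore the value that was in place before the check.
Invoke-CimMethod -Namespace $ns -ClassName MSFT_MpPreference `
    -MethodName Set -Arguments @{ ScanAvgCPULoadFactor = [byte]$before } | Out-Null
```

Repeating step 4 after the next policy refresh shows whether a later deployment has replaced the local value.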