Run a detection test on a newly onboarded Microsoft Defender for Endpoint device


Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Applies to:

  • Supported Windows 10 versions
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server, version 1803
  • Windows Server, 2019
  • Microsoft Defender for Endpoint

Run the following PowerShell script on a newly onboarded device to verify that it is properly reporting to the Defender for Endpoint service.

  1. Create a folder: 'C:\test-MDATP-test'.

  2. Open an elevated command-line prompt on the device and run the script:

    1. Go to Start and type cmd.

    2. Right-click Command Prompt and select Run as administrator.

      Window Start menu pointing to Run as administrator

  3. At the prompt, copy and run the following command:

    powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'

The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded device in approximately 10 minutes.