Review Windows Defender Antivirus scan results

Applies to:

After an Windows Defender Antivirus scan completes, whether it is an on-demand or scheduled scan, the results are recorded and you can view the results.

Use Microsoft Intune to review scan results:

  1. In Intune, go to Devices > All Devices and select the device you want to scan.

  2. Click the scan results in Device actions status.

Use Configuration Manager to review scan results:

See How to monitor Endpoint Protection status.

Use the Windows Security app to review scan results:

  1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for Defender.

  2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Scan history label.

    • Click See full history for any of the sections to see previous detections and the action taken. You can also clear the list.
    • Information about the last scan is displayed at the bottom of the page.

Use PowerShell cmdlets to review scan results:

The following cmdlet will return each detection on the endpoint. If there are multiple detections of the same threat, each detection will be listed separately, based on the time of each detection:



You can specify -ThreatID to limit the output to only show the detections for a specific threat.

If you want to list threat detections, but combine detections of the same threat into a single item, you can use the following cmdlet:



See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to use PowerShell with Windows Defender Antivirus.

Use Windows Management Instruction (WMI) to review scan results:

Use the Get method of the MSFT_MpThreat and MSFT_MpThreatDetection classes.