Configure Windows Defender scans using Windows PowerShell

We can configure Windows Defender scans using Windows PowerShell as an alternative to configuring them through the graphical user interface. This allows us to integrate Windows Defender features into PowerShell scripts, and configure settings that are not available through the graphical user interface.


This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.


Configure Windows Defender scans using Windows PowerShell

Let’s take a look at the various PowerShell cmdlets for Windows Defender that are available to us in Windows Server 2016. We can view all cmdlets provided as part of the Defender module as shown below.

Windows Defender PowerShell cmdlets

Next let’s find out what each of these actually do.

  • Add-MpPreference: This cmdlet is used to modify settings for Windows Defender.
  • Get-MpComputerStatus: This cmdlet can be run to retrieve the status of Windows Defender.

    Windows Defender PowerShell Get-MpComputerStatus

  • Get-MpPreference: This cmdlet gets the preferences for Windows Defender scans and updates. Running it will output a list of detailed settings, most of which can only be modified through PowerShell or via group policy.

    Windows Defender PowerShell Get-MpPreference

  • Get-MpThreat: This cmdlet will display the history of detected threats from previous scans.
  • Get-MpThreatCatalog: This cmdlet displays known threats from the definitions catalog which contains information about all known threats that Windows Defender can detect – This cmdlet displays a lot of information.
  • Get-MpThreatDetection: This cmdlet will display current and prior threats that have been detected by Windows Defender.
  • Remove-MpPreference: This cmdlet is used for removing custom items that have been added, such as exclusions or default actions.
  • Remove-MpThreat: This cmdlet will remove all threats that have been detected from Windows Defender.
  • Set-MpPreference This cmdlet is used for configuring specific settings that were displayed from the Get-MpPreference cmdlet.
  • Start-MpScan This cmdlet starts a typical Windows Defender scan of the system.
  • Start-MpWDOScan: This cmdlet starts a Windows Defender offline scan. An offline scan will reboot the system into a trusted environment and perform a scan without booting into your normal operating system.
  • Update-MpSignature: This cmdlet will update the antimalware definitions.

We can view the built in documentation for any of these cmdlets in PowerShell itself with ‘Get-Help’, as shown here. We first run ‘Update-Help’ to ensure that our help files are fully up to date, if we don’t run these we may be asked when running ‘Get-Help’ anyway.

PS C:\Users\Administrator> Update-Help
PS C:\Users\Administrator> Get-Help -Name Update-MpSignature

We can also use -Examples, -Detailed or -Full with Get-Help to view even more information if needed.

PowerShell Get-Help Example

We can see that this has given us an explanation with regards to what the specified cmdlet does, syntax information for using it, and even a reference to the command online with further information.

Summary

We’ve now shown you how to configure Windows Defender scans using Windows PowerShell. We can perform updates, initiate scans, view history, and customize specific settings that are not available through the graphical user interface thanks to PowerShell.


This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>