Get all your news in one place.
100’s of premium titles.
One app.
Start reading
Windows Central
Windows Central
Technology
Mauro Huculak

How to manage Microsoft Defender Antivirus with PowerShell on Windows 10

Get-Mpcomputerstatus command.

On Windows 10, Microsoft Defender Antivirus is part of the Windows Security app, providing real-time protection against unwanted viruses, ransomware, spyware, rootkits, and many other malware and hackers. It even happens to be one of our best antivirus software picks.

Although you can easily control everyday security tasks through the Windows Security app, you can also manage the anti-malware solution using PowerShell commands, which can come in handy in many scenarios. For example, when you're trying to customize an option that is unavailable through the graphical interface, such as scheduling a quick or full scan or signature update. You need to create scripts to automate some Microsoft Defender tasks. Also, using commands instead of a graphical interface can speed up the configuration process, especially when you need to apply the same settings on multiple computers.

In this how-to guide, I will explain how to start managing Microsoft Defender Antivirus with PowerShell commands.

How to check status of Microsoft Defender

To check the current status of Microsoft Defender using PowerShell, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to see the Microsoft Defender Antivirus status and press Enter: Get-MpComputerStatus
  4. Confirm the AntivirusEnabled setting reads True to know if the security solution is running.
(Image credit: Mauro Huculak)

In addition to checking whether the antivirus is running, the command output also displays other important information, such as the version of the engine and product version, real-time protection status, last time updated, and more.

How to check for updates on Microsoft Defender

To use PowerShell to update Microsoft Defender Antivirus with the latest definition, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to check to update Microsoft Defender Antivirus and press Enter: Update-MpSignature
(Image credit: Mauro Huculak)

Once you complete the steps, if new updates are available, they will download and install on your device.

How to perform quick virus scan with Microsoft Defender

To complete a quick scan using PowerShell, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to start a quick virus scan and press Enter: Start-MpScan -ScanType QuickScan
(Image credit: Mauro Huculak)

After you complete the steps, Microsoft Defender Antivirus will perform a quick virus scan on your device.

How to perform full virus scan with Microsoft Defender

To complete a full scan using commands on Windows 10, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to start a full virus scan and press Enter: Start-MpScan -ScanType FullScan
(Image credit: Mauro Huculak)

Once you complete the steps, the Windows 10 antivirus will scan the entire system for malware and malicious code.

How to perform custom virus scan with Microsoft Defender

To set up a custom scan using PowerShell, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to perform a custom Microsoft Defender Antivirus scan and press Enter: Start-MpScan -ScanType CustomScan -ScanPath PATH\TO\FOLDER-FILES

In the command, make sure to update the path to match the folder location you want to scan. For example, this command scans the "Downloads" folder: Start-MpScan -ScanType CustomScan -ScanPath "C:\Users\user\Downloads"

(Image credit: Mauro Huculak)

After you complete the steps, Microsoft Defender will only scan for viruses in the location you specified.

How to perform offline virus scan with Microsoft Defender

Microsoft Defender Antivirus also provides an offline scan option, which will come in handy when unwanted malware infects the device, and the antivirus cannot remove it while Windows 10 is fully loaded.

Quick note: Before proceeding, save any work you may have open, as the command will immediately restart the device to perform an offline scan.

To start an offline scan, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to start an offline virus scan and press Enter: Start-MpWDOScan

Once you complete the steps, the device will restart automatically. It will boot into the recovery environment and perform a full scan to remove viruses that wouldn't be possible to detect during normal Windows 10 operation. After the scan, the device will restart automatically, and then you can view the scan report on Windows Security > Virus & Thread Protection > Protection history.

Check out my comprehensive guide to learn about offline scanning with Microsoft Defender Antivirus.

How to delete active threat on Microsoft Defender

To remove all active threats from your computer, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to eliminate active threats using Microsoft Defender and press Enter: Remove-MpThreat
(Image credit: Mauro Huculak)

After you complete the steps, the anti-malware feature will eliminate any active threats on the computer. Although this is an interesting command, it'll only work for threats that the antivirus hasn't already mitigated.

How to change preferences on Microsoft Defender

Various features of Microsoft Defender Antivirus can also be configured using PowerShell commands. For example, you can exclude locations and files, specify a quarantine retention period, run different scans, schedule virus scans, change scan preferences, and much more.

List preferences

To list all the available preferences for Microsoft Defender with PowerShell, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to get a full list of the current configurations for the Microsoft Defender Antivirus and press Enter: Get-MpPreference
(Image credit: Mauro Huculak)

Once you complete the steps, you'll understand all the settings that you can configure with the built-in antivirus.

The following commands are examples of the preferences you can customize using PowerShell.

Exclude locations

Microsoft Defender Antivirus includes an option to exclude folder locations from real-time and scheduled scanning.

To exclude a folder path with PowerShell, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to exclude a folder and press Enter: Set-MpPreference -ExclusionPath PATH\TO\FOLDER

In the command, make sure to replace "PATH\TO\FOLDER" with the path you want to exclude. For example, this command excludes the Users folder from being scanned: Set-MpPreference -ExclusionPath C:\Users

(Image credit: Mauro Huculak)

After you complete the steps, Microsoft Defender will ignore the folders you specified during real-time and scheduled scanning.

If you want to remove a folder from the exclusion list, you can use this command:  Remove-MpPreference -ExclusionPath "PATH\TO\FOLDER-FILES" , and don't forget to update the command with the path you wish to remove.

Exclude file type

Also, to exclude locations, you can prevent certain file types from being scan with Microsoft Defender.

To exclude a file type with PowerShell, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to exclude a file type and press Enter: Set-MpPreference -ExclusionExtension EXTENSION

In the command, make sure to replace "EXTENSION" with the extension you want to exclude. For example, this command excludes the Microsoft Word files from being scanned: Set-MpPreference -ExclusionExtension docx

(Image credit: Mauro Huculak)

Once you complete the steps, the file extension will be added to the database of formats that need to be ignored during malware real-time, custom, or scheduled scanning. If you need to remove an extension from the exclusion list, you can use the Remove-MpPreference -ExclusionExtension EXTENSION command and don't forget to update the command with the extension you wish to remove.

Quarantine time before deletion

You can also specify the number of days to keep threats in quarantine with these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to specify the days to keep items in quarantine and press Enter: Set-MpPreference -QuarantinePurgeItemsAfterDelay DAYS

In the command, replace "DAYS" with the number of days you want to keep items. For example, the Set-MpPreference -QuarantinePurgeItemsAfterDelay 30 command keeps items for 30 days before being deleted.

  • Quick tip: You can use the value of "0" (zero) or no value to set keep items indefinitely.
(Image credit: Mauro Huculak)

After you complete the steps, items in the Quarantine folder will be deleted automatically after the specified period.

Schedule quick scan

To schedule a daily quick malware scan with a PowerShell command, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to schedule a daily quick scan and press Enter: Set-MpPreference -ScanScheduleQuickScanTime SCAN-TIME

In the command, replace "SCAN-TIME" with the 24-hour time you want to run the scan. For example, the Set-MpPreference -ScanScheduleQuickScanTime 06:00:00 command schedules a quick daily scan at 6:00 a.m. local time.

Quick tip: You can specify no time value or set the time to two hours after midnight to reset the settings to their defaults.

(Image credit: Mauro Huculak)

Once you complete the steps, Microsoft Defender will perform a quick scan during the time you specified.

Schedule full scan

You can also specify the day and time to perform a full malware scan using PowerShell commands.

To schedule a full malware scan on Windows 10, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to schedule a full scan and press Enter: Set-MpPreference -ScanParameters 2
  • Quick note: The number "2" in the parameter is what specifies Microsoft Defender a full scan.
  1. Type the following command to set a scan day and press Enter: Set-MpPreference -RemediationScheduleDay SCAN-DAY

In the command, change the "SCAN-DAY" for the day (number) you want to run the scan. Here are the available options: For example, the Set-MpPreference -RemediationScheduleDay 1 command schedule the full scan for Sundays.

  • 0 – Everyday
  • 1 – Sunday
  • 2 – Monday
  • 3 – Tuesday
  • 4 – Wednesday
  • 5 – Thursday
  • 6 – Friday
  • 7 – Saturday
  • 8 – Never
  • Quick tip: You can revert to the default scanning schedule using option number "8."
(Image credit: Mauro Huculak)
  1. Type the following command to specify a time for the scan and press Enter: Set-MpPreference -RemediationScheduleTime SCAN-TIME

In the command, change "SCAN-TIME" with the time in 24-hour format you want to run the scan. For example, the Set-MpPreference -RemediationScheduleTime 06:00:00 command schedules a full scan at 6:00 am, local time.

After you complete the steps, Microsoft Defender Antivirus will run a full scan on the day and time you specified in the preferences.

Disable antivirus

Although Microsoft Defender offers a command to disable the antivirus, it's guarded by the "Tamper Protection" feature, which you can only disable through the "Virus & threat protection settings" available in the Windows Security app.

To disable the antivirus, turn off "Tamper Protection" from the Windows Security app, and then use these steps on PowerShell:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to temporarily disable Microsoft Defender Antivirus and press Enter: Set-MpPreference -DisableRealtimeMonitoring $true
(Image credit: Mauro Huculak)

Once you complete the steps, the real-time antivirus protection will be disabled until the next reboot. Or you can run the Set-MpPreference -DisableRealtimeMonitoring $false command to turn on real-time immediately through PowerShell.

Enable external drive scanning

By default, the antivirus built-in to Windows 10 doesn't scan for malicious and unwanted programs inside removable storage, but you can change this behavior with these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to allow scanning for removable drives during a quick or full scan and press Enter: Set-MpPreference -DisableRemovableDriveScanning $false
(Image credit: Mauro Huculak)

After you complete the steps, the anti-malware feature will scan external storage devices during a full scan.

If you want to revert the changes, use the same instructions, but in step 3, use the  Set-MpPreference -DisableRemovableDriveScanning $true command.

Disable archive scanning

By default, the antivirus scans .zip, .cab, and other archive files, but if you have a reason not to scan archives, you can disable the option with these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to allow scanning for archives files during a quick or full scan and press Enter: Set-MpPreference -DisableArchiveScanning $true
(Image credit: Mauro Huculak)

Once you complete the steps, Microsoft Defender won't scan archive files.

If you want to undo the settings, you can use the same instructions, but on step No. 3, use the Set-MpPreference -DisableArchiveScanning $false command.

Enable network drive scanning

To allow Microsoft Defender Antivirus to scan network drives, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to enable network drive scan during a quick or full scan and press Enter: Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $false
(Image credit: Mauro Huculak)

After you complete the steps, network drives will be scanned for malicious and unwanted programs during a full scan.

If you want to roll back the original settings, you can use the same instructions, but on step 3, use the Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $true command.

You can always check this Microsoft support page to learn about the settings you can configure for the antivirus.

More resources

For more helpful articles, coverage, and answers to common questions about Windows 10 and Windows 11, visit the following resources: 

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.