On Windows 10, Microsoft Defender Antivirus is part of the Windows Security app, providing real-time protection against unwanted viruses, ransomware, spyware, rootkits, and many other malware and hackers. It even happens to be one of our best antivirus software picks.
Although you can easily control everyday security tasks through the Windows Security app, you can also manage the anti-malware solution using PowerShell commands, which can come in handy in many scenarios. For example, when you're trying to customize an option that is unavailable through the graphical interface, such as scheduling a quick or full scan or signature update. You need to create scripts to automate some Microsoft Defender tasks. Also, using commands instead of a graphical interface can speed up the configuration process, especially when you need to apply the same settings on multiple computers.
In this how-to guide, I will explain how to start managing Microsoft Defender Antivirus with PowerShell commands.
How to check status of Microsoft Defender
To check the current status of Microsoft Defender using PowerShell, use these steps:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to see the Microsoft Defender Antivirus status and press Enter: Get-MpComputerStatus
- Confirm the AntivirusEnabled setting reads True to know if the security solution is running.
In addition to checking whether the antivirus is running, the command output also displays other important information, such as the version of the engine and product version, real-time protection status, last time updated, and more.
How to check for updates on Microsoft Defender
To use PowerShell to update Microsoft Defender Antivirus with the latest definition, use these steps:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to check to update Microsoft Defender Antivirus and press Enter: Update-MpSignature
Once you complete the steps, if new updates are available, they will download and install on your device.
How to perform quick virus scan with Microsoft Defender
To complete a quick scan using PowerShell, use these steps:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to start a quick virus scan and press Enter: Start-MpScan -ScanType QuickScan
After you complete the steps, Microsoft Defender Antivirus will perform a quick virus scan on your device.
How to perform full virus scan with Microsoft Defender
To complete a full scan using commands on Windows 10, use these steps:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to start a full virus scan and press Enter: Start-MpScan -ScanType FullScan
Once you complete the steps, the Windows 10 antivirus will scan the entire system for malware and malicious code.
How to perform custom virus scan with Microsoft Defender
To set up a custom scan using PowerShell, use these steps:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to perform a custom Microsoft Defender Antivirus scan and press Enter: Start-MpScan -ScanType CustomScan -ScanPath PATH\TO\FOLDER-FILES
In the command, make sure to update the path to match the folder location you want to scan. For example, this command scans the "Downloads" folder: Start-MpScan -ScanType CustomScan -ScanPath "C:\Users\user\Downloads"
After you complete the steps, Microsoft Defender will only scan for viruses in the location you specified.
How to perform offline virus scan with Microsoft Defender
Microsoft Defender Antivirus also provides an offline scan option, which will come in handy when unwanted malware infects the device, and the antivirus cannot remove it while Windows 10 is fully loaded.
Quick note: Before proceeding, save any work you may have open, as the command will immediately restart the device to perform an offline scan.
To start an offline scan, use these steps:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to start an offline virus scan and press Enter: Start-MpWDOScan
Once you complete the steps, the device will restart automatically. It will boot into the recovery environment and perform a full scan to remove viruses that wouldn't be possible to detect during normal Windows 10 operation. After the scan, the device will restart automatically, and then you can view the scan report on Windows Security > Virus & Thread Protection > Protection history.
Check out my comprehensive guide to learn about offline scanning with Microsoft Defender Antivirus.
How to delete active threat on Microsoft Defender
To remove all active threats from your computer, use these steps:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to eliminate active threats using Microsoft Defender and press Enter: Remove-MpThreat
After you complete the steps, the anti-malware feature will eliminate any active threats on the computer. Although this is an interesting command, it'll only work for threats that the antivirus hasn't already mitigated.
How to change preferences on Microsoft Defender
Various features of Microsoft Defender Antivirus can also be configured using PowerShell commands. For example, you can exclude locations and files, specify a quarantine retention period, run different scans, schedule virus scans, change scan preferences, and much more.
List preferences
To list all the available preferences for Microsoft Defender with PowerShell, use these steps:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to get a full list of the current configurations for the Microsoft Defender Antivirus and press Enter: Get-MpPreference
Once you complete the steps, you'll understand all the settings that you can configure with the built-in antivirus.
The following commands are examples of the preferences you can customize using PowerShell.
Exclude locations
Microsoft Defender Antivirus includes an option to exclude folder locations from real-time and scheduled scanning.
To exclude a folder path with PowerShell, use these steps:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to exclude a folder and press Enter: Set-MpPreference -ExclusionPath PATH\TO\FOLDER
In the command, make sure to replace "PATH\TO\FOLDER" with the path you want to exclude. For example, this command excludes the Users folder from being scanned: Set-MpPreference -ExclusionPath C:\Users
After you complete the steps, Microsoft Defender will ignore the folders you specified during real-time and scheduled scanning.
If you want to remove a folder from the exclusion list, you can use this command: Remove-MpPreference -ExclusionPath "PATH\TO\FOLDER-FILES" , and don't forget to update the command with the path you wish to remove.
Exclude file type
Also, to exclude locations, you can prevent certain file types from being scan with Microsoft Defender.
To exclude a file type with PowerShell, use these steps:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to exclude a file type and press Enter: Set-MpPreference -ExclusionExtension EXTENSION
In the command, make sure to replace "EXTENSION" with the extension you want to exclude. For example, this command excludes the Microsoft Word files from being scanned: Set-MpPreference -ExclusionExtension docx
Once you complete the steps, the file extension will be added to the database of formats that need to be ignored during malware real-time, custom, or scheduled scanning. If you need to remove an extension from the exclusion list, you can use the Remove-MpPreference -ExclusionExtension EXTENSION command and don't forget to update the command with the extension you wish to remove.
Quarantine time before deletion
You can also specify the number of days to keep threats in quarantine with these steps:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to specify the days to keep items in quarantine and press Enter: Set-MpPreference -QuarantinePurgeItemsAfterDelay DAYS
In the command, replace "DAYS" with the number of days you want to keep items. For example, the Set-MpPreference -QuarantinePurgeItemsAfterDelay 30 command keeps items for 30 days before being deleted.
- Quick tip: You can use the value of "0" (zero) or no value to set keep items indefinitely.
After you complete the steps, items in the Quarantine folder will be deleted automatically after the specified period.
Schedule quick scan
To schedule a daily quick malware scan with a PowerShell command, use these steps:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to schedule a daily quick scan and press Enter: Set-MpPreference -ScanScheduleQuickScanTime SCAN-TIME
In the command, replace "SCAN-TIME" with the 24-hour time you want to run the scan. For example, the Set-MpPreference -ScanScheduleQuickScanTime 06:00:00 command schedules a quick daily scan at 6:00 a.m. local time.
Quick tip: You can specify no time value or set the time to two hours after midnight to reset the settings to their defaults.
Once you complete the steps, Microsoft Defender will perform a quick scan during the time you specified.
Schedule full scan
You can also specify the day and time to perform a full malware scan using PowerShell commands.
To schedule a full malware scan on Windows 10, use these steps:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to schedule a full scan and press Enter: Set-MpPreference -ScanParameters 2
- Quick note: The number "2" in the parameter is what specifies Microsoft Defender a full scan.
- Type the following command to set a scan day and press Enter: Set-MpPreference -RemediationScheduleDay SCAN-DAY
In the command, change the "SCAN-DAY" for the day (number) you want to run the scan. Here are the available options: For example, the Set-MpPreference -RemediationScheduleDay 1 command schedule the full scan for Sundays.
- 0 – Everyday
- 1 – Sunday
- 2 – Monday
- 3 – Tuesday
- 4 – Wednesday
- 5 – Thursday
- 6 – Friday
- 7 – Saturday
- 8 – Never
- Quick tip: You can revert to the default scanning schedule using option number "8."
- Type the following command to specify a time for the scan and press Enter: Set-MpPreference -RemediationScheduleTime SCAN-TIME
In the command, change "SCAN-TIME" with the time in 24-hour format you want to run the scan. For example, the Set-MpPreference -RemediationScheduleTime 06:00:00 command schedules a full scan at 6:00 am, local time.
After you complete the steps, Microsoft Defender Antivirus will run a full scan on the day and time you specified in the preferences.
Disable antivirus
Although Microsoft Defender offers a command to disable the antivirus, it's guarded by the "Tamper Protection" feature, which you can only disable through the "Virus & threat protection settings" available in the Windows Security app.
To disable the antivirus, turn off "Tamper Protection" from the Windows Security app, and then use these steps on PowerShell:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to temporarily disable Microsoft Defender Antivirus and press Enter: Set-MpPreference -DisableRealtimeMonitoring $true
Once you complete the steps, the real-time antivirus protection will be disabled until the next reboot. Or you can run the Set-MpPreference -DisableRealtimeMonitoring $false command to turn on real-time immediately through PowerShell.
Enable external drive scanning
By default, the antivirus built-in to Windows 10 doesn't scan for malicious and unwanted programs inside removable storage, but you can change this behavior with these steps:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to allow scanning for removable drives during a quick or full scan and press Enter: Set-MpPreference -DisableRemovableDriveScanning $false
After you complete the steps, the anti-malware feature will scan external storage devices during a full scan.
If you want to revert the changes, use the same instructions, but in step 3, use the Set-MpPreference -DisableRemovableDriveScanning $true command.
Disable archive scanning
By default, the antivirus scans .zip, .cab, and other archive files, but if you have a reason not to scan archives, you can disable the option with these steps:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to allow scanning for archives files during a quick or full scan and press Enter: Set-MpPreference -DisableArchiveScanning $true
Once you complete the steps, Microsoft Defender won't scan archive files.
If you want to undo the settings, you can use the same instructions, but on step No. 3, use the Set-MpPreference -DisableArchiveScanning $false command.
Enable network drive scanning
To allow Microsoft Defender Antivirus to scan network drives, use these steps:
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator option.
- Type the following command to enable network drive scan during a quick or full scan and press Enter: Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $false
After you complete the steps, network drives will be scanned for malicious and unwanted programs during a full scan.
If you want to roll back the original settings, you can use the same instructions, but on step 3, use the Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $true command.
You can always check this Microsoft support page to learn about the settings you can configure for the antivirus.
More resources
For more helpful articles, coverage, and answers to common questions about Windows 10 and Windows 11, visit the following resources: