Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus

Applies to: Microsoft Defender for Endpoint Plan 1, Microsoft Defender for Endpoint Plan 2, Microsoft Defender Antivirus

You can use PowerShell to perform various functions in Microsoft Defender Antivirus. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it in the PowerShell documentation.

For a list of the cmdlets and their functions and available parameters, see the Microsoft Defender Antivirus cmdlets topic.

PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.

Note

PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as Microsoft Configuration Manager, Group Policy Management Console, or Microsoft Defender Antivirus Group Policy ADMX templates.

Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Microsoft Defender for Endpoint security settings management, Microsoft Intune, Microsoft Configuration Manager Tenant Attach, or Group Policy can overwrite changes made with PowerShell.

You can configure which settings can be overridden locally with local policy overrides.

PowerShell is typically installed under the folder %SystemRoot%\system32\WindowsPowerShell.

Prerequisites

Supported operating systems

Windows

Use Microsoft Defender Antivirus PowerShell cmdlets

In the Windows search bar, type powershell.
Select Windows PowerShell from the results to open the interface.
Enter the PowerShell command and any parameters.

Note

You may need to open PowerShell in administrator mode. Right-click the item in the Start menu, click Run as administrator and click Yes at the permissions prompt.

To open online help for any of the cmdlets type the following:

Get-Help <cmdlet> -Online

Omit the -online parameter to get locally cached help.

Common Microsoft Defender Antivirus PowerShell cmdlets

Microsoft Defender Antivirus can be configured using PowerShell cmdlets. These are task-based commands for configuration and management. Common cmdlets include:

Get-MpComputerStatus: Check Microsoft Defender Antivirus status and protection settings.
Set-MpPreference: Configure preferences, such as exclusions, scan schedules, and cloud-delivered protection.
Update-MpSignature: Update security intelligence.
Start-MpScan: Trigger quick, full, or custom scans.
Get-MpThreat or Get-MpThreatDetection: Review detected and remediated threats.

For full syntax and parameter options, see Microsoft Defender Antivirus cmdlets.

Tip

If you're looking for Antivirus related information for other platforms, see:
Performance tip: Due to a variety of factors, anti-virus software (including Microsoft Defender Antivirus) can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's Performance analyzer is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues. For example:
- Top paths that impact scan time.
- Top files that impact scan time.
- Top processes that impact scan time.
- Top file extensions that impact scan time.
- Combinations. For example:
  - Top files per extension.
  - Top paths per extension.
  - Top processes per path.
  - Top scans per file.
  - Top scans per file per process.
You can use this information to better assess performance issues and apply remediation actions. For more information, see Performance analyzer for Microsoft Defender Antivirus.

Feedback

Was this page helpful?

Last updated on 2026-01-27