Windows Defender Commands
This is a reference for some useful Windows Defender options and commands I have used in the past. By no means is this a comprehensive list; the Microsoft Learn pages can be found at the bottom of this page in the references. If you have to use Windows Defender as your primary antivirus then I highly recommend you check those pages out. The commands I will list out were inspired by the Huntress implementation guides, which can also be found in the references.
Note that Windows Defender must be running and enabled before attempting these commands, and it may be advisable to run sfc /scannow in an administrative command prompt to ensure that Windows Defender and other system files that it may rely on have not been corrupted.
PowerShell
There are 12 cmdlets for Windows Defender. I have found Set-MpPreference and Get-MpPreference the most useful for monitoring and resetting settings. There are also Start-MpScan, Start-MpWDOScan, and Get-MpThreat, which can be used to run scans online and offline and then actually report what was found. There are also capabilities for adding and removing exclusions, which can be super useful in an active defense scenario where you need to monitor for changes in exclusion sets.
Always be sure to use Import-Module Defender at the beginning of your scripts. This will import the Windows Defender PowerShell module which, if missing, will cause most if not all of the following commands to fail. The commands below will also enable the Windows Defender feature on a server if it is missing.
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender -PackageName Microsoft.Windows.Defender
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-Gui
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-Features
Running Manual Scans
There are two methods for running scans: through the binary file and through PowerShell. It may be advantageous to perform them both in different ways at different times to ensure that the system is being scanned.
First the cmd way.
Note that the binary MpCmdRun.exe is located in "C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>\MpCmdRun.exe". It is up to you to figure out how to make that path available if it is not in the system path.
Full scan
MpCmdRun.exe -Scan -ScanType 2
Quick Scan
MpCmdRun.exe -Scan -ScanType 1
Custom Scan for an attached storage device or drive Z:
MpCmdRun.exe -Scan -ScanType 3 -File Z:\
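One way to make that path available without editing PATH, as an added example (not code from the original page or from the Huntress guides). The function name Get-MpCmdRunPath is hypothetical, and the version-shaped folder names under Platform are an assumption the code tolerates if wrong:

```powershell
# Added example: locate the newest MpCmdRun.exe instead of relying on PATH.
function Get-MpCmdRunPath {
    $platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
    $candidates = @()
    if (Test-Path $platformRoot) {
        # Folder names are assumed to look like a version with an optional "-n" suffix.
        # Names that do not parse sort last instead of breaking the lookup.
        $candidates = @(Get-ChildItem -Path $platformRoot -Directory |
            Where-Object { Test-Path (Join-Path $_.FullName 'MpCmdRun.exe') } |
            Sort-Object -Descending -Property {
                $v = $null
                if ([version]::TryParse(($_.Name -replace '-.*$', ''), [ref]$v)) { $v }
                else { [version]'0.0' }
            })
    }
    if ($candidates.Count -gt 0) {
        return Join-Path $candidates[0].FullName 'MpCmdRun.exe'
    }
    # Fall back to the copy under Program Files used later on this page
    $fallback = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    if (Test-Path $fallback) { return $fallback }
    throw 'MpCmdRun.exe not found; is the Windows Defender feature installed?'
}

$mpCmdRun = Get-MpCmdRunPath
& $mpCmdRun -Scan -ScanType 1
if ($LASTEXITCODE -ne 0) { Write-Warning "MpCmdRun returned exit code $LASTEXITCODE" }
```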
Next the PowerShell way.
Full scan
Start-MpScan -scantype FullScan -AsJob
Quick Scan
Start-MpScan -scantype QuickScan -AsJob
Custom scan for an attached storage device. We have to make sure that removable drive scanning and network file scanning are enabled, in case the Z: drive is on the network or is a removable drive.
Set-MpPreference -DisableRemovableDriveScanning $false
Set-MpPreference -DisableScanningNetworkFiles $false
$Path="Z:\"
Start-MpScan -scantype CustomScan -AsJob -ScanPath $Path
Updating Things
To set policies for when and how Windows Defender will receive updates, use the following commands. The default fallback order is the Microsoft Update Server then the Microsoft Malware Protection Center. The signature update interval below is set to every hour, and the catchup interval is defined to perform a catchup update if the device misses updates after a single day.
Set-MpPreference -SignatureFallbackOrder "MMPC|MicrosoftUpdateServer"
Set-MpPreference -SignatureUpdateInterval 1
Set-MpPreference -SignatureUpdateCatchupInterval 1
The following commands will end up forcing a Windows security update which is different than a full Windows update.
$Source="MMPC"
Update-MpSignature -UpdateSource $Source
$Source="MicrosoftUpdateServer"
Update-MpSignature -UpdateSource $Source
# Make sure things are updating on startup even without the MpPreference Engine
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $false
Scheduling Scans
The following is used to schedule a quick scan using the defender scheduler at 2am every day. The RandomizeScheduleTaskTimes will randomize the actual start time to be within 30 minutes after or before the scheduled time.
Set-MpPreference -ScanParameters 1
Set-MpPreference -ScanScheduleDay 0
Set-MpPreference -ScanScheduleTime 02:00
Set-MpPreference -RandomizeScheduleTaskTimes $true
If you are not satisfied with relying on the built-in Windows Defender scheduler because of reasonable paranoia, the following can be used to create and register a scheduled task. This one I had to rip from ChatGPT and adjust accordingly. You can use the TAG parameter to define an easily identifiable name if you need to rip it out later.
$Command="C:\Program Files\Windows Defender\MpCmdRun.exe"
# $Args is a PowerShell automatic variable, so the scan arguments get their own name
$ScanArgs="-Scan -ScanType 1"
$Description = "TAG WinDefend Scan"
$Time = "2:00"
$Name = "TAG WinDefend Scan"
$FullCommand = New-ScheduledTaskAction -Execute $Command -Argument $ScanArgs
# The daily trigger fires at the $Time defined above
$Trigger = New-ScheduledTaskTrigger -Daily -At $Time
Register-ScheduledTask -TaskName $Name -Action $FullCommand -Trigger $Trigger -Description $Description
Restarting Services
The following will attempt to restart the underlying services that run Windows Defender. The last command will throw an error but sometimes it wakes defender up.
Start-Service windefend
sleep 2
Start-Service wdnissvc
sleep 2
restart-service Sense
Checking on Things
The following commands will display the status of Windows Defender as well as threat detections.
get-MpComputerStatus
get-MpThreat
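The two status commands above can be turned into a pass/fail check. This is an added example, not code from the original page; the function name Test-DefenderHealth is hypothetical and the thresholds are assumptions based on this page's daily catch-up and daily quick scan settings:

```powershell
# Added example: reduce Get-MpComputerStatus / Get-MpThreat output to a list of findings.
Import-Module Defender

function Test-DefenderHealth {
    param(
        [int]$MaxSignatureAgeDays = 1,   # assumed threshold
        [int]$MaxQuickScanAgeDays = 1    # assumed threshold
    )
    $s = Get-MpComputerStatus
    $findings = @()

    # Protection components that should all report $true
    $flags = 'AMServiceEnabled', 'AntivirusEnabled', 'RealTimeProtectionEnabled',
             'BehaviorMonitorEnabled', 'OnAccessProtectionEnabled', 'IoavProtectionEnabled'
    foreach ($flag in $flags) {
        if (-not $s.$flag) { $findings += "$flag is off" }
    }

    if ($s.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Signatures are $($s.AntivirusSignatureAge) days old " +
                     "(last update $($s.AntivirusSignatureLastUpdated))"
    }

    # A host that has never completed a quick scan reports a very large age,
    # so the same comparison catches that case too.
    if ($s.QuickScanAge -gt $MaxQuickScanAgeDays) {
        $findings += "No quick scan completed in the last $MaxQuickScanAgeDays day(s)"
    }

    foreach ($t in @(Get-MpThreat | Where-Object { $_.IsActive })) {
        $findings += "Active threat: $($t.ThreatName) (severity $($t.SeverityID))"
    }
    return $findings
}

$problems = Test-DefenderHealth
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'Defender status OK' }
```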
Exclusions, Exclusions, Exclusions
Here is a simple way to remove all exclusions on a system if you don't need any. I have included the verbose option because I like explicit output when testing and where possible. If you wanted to, you could set up some logging to show when an item was added to the exclusion path.
$ExcludedPaths=(Get-MpPreference).ExclusionPath
foreach ($Path in $ExcludedPaths) {
    Remove-MpPreference -ExclusionPath $Path -Verbose
}
$ExcludedExtensions=(Get-MpPreference).ExclusionExtension
foreach ($Extension in $ExcludedExtensions) {
    Remove-MpPreference -ExclusionExtension $Extension -Verbose
}
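If you need to add an exclusion to reduce the risk that personally identifiable information gets accidentally uploaded, Set-MpPreference can be used in place of Remove-MpPreference. Note that Set-MpPreference replaces the existing exclusion list with the values you pass, while Add-MpPreference appends to it.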
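The exclusion logging suggested above, and the exclusion-set monitoring mentioned in the PowerShell section, could look like the following. This is an added example, not code from the original page; the C:\ProgramData\DefenderAudit directory and its file names are assumed locations:

```powershell
# Added example: snapshot Defender exclusions and log drift since the previous run.
# Run elevated so Get-MpPreference returns the actual exclusion lists.
# $AuditDir is an assumed location; restrict write access to administrators.
Import-Module Defender
$AuditDir     = 'C:\ProgramData\DefenderAudit'
$BaselinePath = Join-Path $AuditDir 'exclusions-baseline.json'
$LogPath      = Join-Path $AuditDir 'exclusions-changes.log'
New-Item -ItemType Directory -Path $AuditDir -Force | Out-Null

$pref = Get-MpPreference
$current = [ordered]@{}
foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
    # Normalise to a sorted array so an empty set is stored as []
    $current[$kind] = @($pref.$kind | Where-Object { $_ } | Sort-Object)
}

if (Test-Path $BaselinePath) {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $stamp = Get-Date -Format 's'
    foreach ($kind in $current.Keys) {
        $old     = @($baseline.$kind | Where-Object { $_ })
        $new     = $current[$kind]
        $added   = @($new | Where-Object { $old -notcontains $_ })
        $removed = @($old | Where-Object { $new -notcontains $_ })
        foreach ($item in $added) {
            # A new exclusion is the case worth alerting on
            $line = "$stamp ADDED $kind $item"
            Add-Content -Path $LogPath -Value $line
            Write-Warning $line
        }
        foreach ($item in $removed) {
            Add-Content -Path $LogPath -Value "$stamp REMOVED $kind $item"
        }
    }
}

# Store the current state so each change is reported once
$current | ConvertTo-Json | Set-Content -Path $BaselinePath
```

Run it on a schedule with Register-ScheduledTask as shown earlier on this page. Defender also records configuration changes itself as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is a useful cross-check.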
Settings Commands
Archive scanning can take up a lot of time if archives are commonly used. I have run into issues with this when scanning a directory with ISO files: it ends up making the scan hang forever and can actually degrade performance of Windows Defender. The last two settings are for removable and network file storage scanning. Depending on how things are set up, disabling or enabling these features can prevent Windows Defender DoS attacks.
# $true turns that scan type off, $false turns it on; choose one value per setting
Set-MpPreference -DisableArchiveScanning $true            # or $false
Set-MpPreference -DisableRemovableDriveScanning $false    # or $true
Set-MpPreference -DisableScanningNetworkFiles $false      # or $true
In the event that a scan is missed these settings will make sure that catchup scans will occur.
Set-MpPreference -DisableCatchupFullScan $false
Set-MpPreference -DisableCatchupQuickScan $false
Registry Keys
The following are PowerShell commands to change registry keys that can be set if the cmdlets or Windows binaries are misbehaving.
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "Real-Time Protection" -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableBehaviorMonitoring" -Value 0 -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableOnAccessProtection" -Value 0 -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScanOnRealtimeEnable" -Value 0 -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 0 -PropertyType DWORD -Force
References
Huntress Reset Defender Guide: https://support.huntress.io/hc/en-us/articles/4402989131283-Enable-Microsoft-Defender-via-PowerShell
Huntress Enable Defender Guide: https://support.huntress.io/hc/en-us/articles/4402989131283-Enable-Microsoft-Defender-via-PowerShell
PowerShell Cmd-lets: https://learn.Microsoft.com/en-us/PowerShell/module/defender/?view=Windowsserver2025-ps
Cmd options: https://learn.Microsoft.com/en-us/defender-endpoint/command-line-arguments-Microsoft-defender-antivirus