Note
We recommend using Microsoft Endpoint Manager to manage your organization’s threat protection features for devices (also referred to as endpoints). Endpoint Manager includes Microsoft Intune and Microsoft Endpoint Configuration Manager.
You can manage some Microsoft Defender Antivirus settings on devices with PowerShell, Windows Management Instrumentation (WMI), and the Microsoft Malware Protection Command Line Utility (MpCmdRun.exe). In some cases, you can also customize your attack surface reduction rules and exploit protection settings.
Important
Threat protection features that you configure by using PowerShell, WMI, or MpCmdRun.exe can be overwritten by configuration settings that are deployed with Intune or Configuration Manager.
Configure Microsoft Defender for Endpoint with PowerShell
You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules.
Task | Resources to learn more |
---|---|
Manage Microsoft Defender Antivirus. View status of antimalware protection, configure preferences for antivirus scans & updates, and make other changes to your antivirus protection. | Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus |
Configure exploit protection to mitigate threats on your organization’s devices. We recommend using exploit protection in audit mode at first. That way, you can see how exploit protection affects apps your organization is using. | Customize exploit protection |
Configure attack surface reduction rules with PowerShell. You can use PowerShell to exclude files and folders from attack surface reduction rules. | Customize attack surface reduction rules: Use PowerShell to exclude files & folders |
Enable Network Protection with PowerShell. You can use PowerShell to enable Network Protection. | Turn on Network Protection with PowerShell |
Configure controlled folder access to protect against ransomware. Controlled folder access is also referred to as antiransomware protection. | Enable controlled folder access with PowerShell |
Configure Microsoft Defender Firewall to block unauthorized network traffic flowing into or out of your organization’s devices | Microsoft Defender Firewall with Advanced Security Administration using Windows PowerShell |
Configure encryption and BitLocker to protect information on your organization’s devices running Windows | BitLocker PowerShell reference guide |
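The following script is an added example, not part of the original article or Microsoft's own code. It combines several of the tasks above on a single device: it reads the antivirus status, moves Network Protection and controlled folder access into audit mode if they are off, adds one attack surface reduction exclusion, and reads the settings back to spot values held by central management. The exclusion path is hypothetical, and using audit mode for these two features is this example's choice, mirroring the recommendation given above for exploit protection.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): local Defender baseline check.
$AsrExclusion = 'C:\ExampleApp\bin'   # hypothetical path (assumption); set to '' to skip

# Get-MpPreference reports these two features as numbers.
# Only 0-2 are mapped here; any other value shows as empty in the snapshot.
$ModeName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

function Get-DefenderSnapshot {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        AntivirusEnabled       = $status.AntivirusEnabled
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        SignatureLastUpdated   = $status.AntivirusSignatureLastUpdated
        NetworkProtection      = $ModeName[[int]$pref.EnableNetworkProtection]
        ControlledFolderAccess = $ModeName[[int]$pref.EnableControlledFolderAccess]
        AsrExclusions          = @($pref.AttackSurfaceReductionOnlyExclusions | Where-Object { $_ })
    }
}

$features = 'NetworkProtection', 'ControlledFolderAccess'
$before   = Get-DefenderSnapshot

# Move a feature to audit mode only if it is off; never downgrade one that is enforcing.
foreach ($feature in $features) {
    if ($before.$feature -eq 'Disabled') {
        $setting = @{ "Enable$feature" = 'AuditMode' }
        Set-MpPreference @setting
    }
}

# Exclude the folder from attack surface reduction rules, once.
if ($AsrExclusion -and $before.AsrExclusions -notcontains $AsrExclusion) {
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $AsrExclusion
}

# Read the settings back: a local change that did not stick points to central management.
$after = Get-DefenderSnapshot
foreach ($feature in $features) {
    if ($after.$feature -eq 'Disabled') {
        Write-Warning "$feature is still Disabled; it may be set by Intune or Configuration Manager."
    }
}
$after | Format-List
```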
Configure Microsoft Defender for Endpoint with Windows Management Instrumentation (WMI)
WMI is a scripting interface that allows you to retrieve, modify, and update settings. To learn more, see Using WMI.
Task | Resources to learn more |
---|---|
Enable cloud-delivered protection on a device | Use Windows Management Instrumentation (WMI) to enable cloud-delivered protection |
Retrieve, modify, and update settings for Microsoft Defender Antivirus | [Use WMI to configure and manage Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus). Review the list of available WMI classes and example scripts. Also see the archived Windows Defender WMIv2 Provider reference information. |
Configure Microsoft Defender for Endpoint with Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe)
On an individual device, you can run a scan, start diagnostic tracing, check for security intelligence updates, and more using the MpCmdRun.exe command-line tool. You can find the utility in %ProgramFiles%\Windows Defender\MpCmdRun.exe. Run it from a command prompt.
To learn more, see Configure and manage Microsoft Defender Antivirus with mpcmdrun.exe.
Configure your Microsoft 365 Defender portal
If you haven’t already done so, configure your Microsoft 365 Defender portal to view alerts, configure threat protection features, and view detailed information about your organization’s overall security posture.
You can also configure whether and what features end users can see in the Microsoft Defender Security Center.
- Overview of the Microsoft Defender Security Center
- Endpoint protection: Microsoft Defender Security Center