Microsoft included Defender Antivirus by default in Windows 10/11 and Windows Server. This security component can be managed by Group Policies, PowerShell, or the Settings app. Defender for Endpoint, which requires a monthly subscription, is the only option for reporting and monitoring functions. As an alternative, you can accomplish this using Intune. Although Microsoft Defender Antivirus may be used independently and is preloaded on most recent versions of Windows, it is more effective when used in conjunction with Microsoft Defender for Endpoint (MDfE), Microsoft’s whole cloud-based security platform for safeguarding your endpoints. Microsoft Defender Antivirus serves as the enterprise endpoint security component of this umbrella solution. You can manage the antivirus engine included with Windows in Intune to get many of MDfE’s capabilities, at least in terms of central administration. This is especially true for remotely monitoring and activating Defender functions. To learn more about Microsoft Defender Antivirus, please review the following related guides: How to manage Microsoft Defender Antivirus with Group Policy and Microsoft Malware Protection from the Command Line, How to restore quarantined files in Microsoft Defender Antivirus, How to update Microsoft Defender Antivirus into the install image of Windows (install.wim) and Install.wim: How to view Microsoft Defender Antivirus update details on Windows 10 image
Tracking and reporting for Microsoft Defender Antivirus using PowerShell
In order to secure their endpoints, organizations utilizing Microsoft Defender Antivirus in Windows across the board require a reliable method of monitoring and reporting. The
Get-MpComputerStatus cmdlet in PowerShell can be used to run simple status checks. You can use the cmdlet to get information on the engine and product versions, the service and antispyware status, the full scan age, and the state of the behavior monitor, among other things.
In spite of the fact that PowerShell may be used to check the status of Microsoft Defender Antivirus, it can be difficult to utilize across a whole enterprise and does not scale when you have endpoints outside of the corporate network.
Utilizing Microsoft Endpoint Manager for Monitoring
You receive thorough monitoring and reporting for Microsoft Defender Antivirus for endpoints that are onboarded into Microsoft Endpoint Manager with Intune. The endpoint security dashboard gives you an overview of the condition of Microsoft Defender Antivirus on all of your devices, including those that still need updates, complete scans, restarts, manual actions, or offline scans. You are also alerted about critical failures, inactive agents, and status unknowns.
To access the Endpoint Manager, visit the Admin center and login with your details. While in the Admin center, locate and click on Endpoint Security and then click on Antivirus to track the reporting dashboard.
You receive dashboards showing shabby endpoints and Active malware in addition to the overall status dashboard, enabling IT administrators to swiftly identify devices with serious security flaws. The ability to customize and create settings to cover the overall setup of Defender Antivirus, exclusions, etc., is also provided by the ability to develop robust Antivirus policies.
To create a policy, simply click on
"Create Profile". Select Windows 10, Windows 11 and Windows Server in the platform and Microsoft Defender Antivirus in the Profile column, and click on Create as shown in the screenshot below.
When the next page displays, type the profile name, description (optional) and click next
Go ahead and configure all the tabs to suite your needs including the assignment options which gives the opportunity to include or exclude users, groups or devices.
Additionally, Intune offers reporting tools that make it easier to create and deliver reports for compliance, SecOps, and other needs. You may find the Summary tab presenting data similar to that of the Endpoint Security -> Antivirus dashboard above by going to Microsoft Endpoint Manager admin center -> Reports->Microsoft Defender Antivirus.
The Antivirus agent status report and the Detected Malware report are both accessible by clicking the Reports tab. The status of your devices including which ones offer real- time or network protection, is displayed in the antivirus agent status while the detected malware displays the state of devices, identifies any that have malware, and also provides additional information about it.
If you click on the Antivirus Agent Status, you will see the status as similar to the screenshot below:
You can also access the Detected malware report, which lists any malware found as well as specifics about the harmful program.
Both reports give IT administrators insight into the health of endpoint security as well as any malware that has been found in the environment, allowing the security team to monitor and manage Microsoft Defender within the company.
In conclusion, modern versions of Windows come with a Microsoft Defender Antivirus as a built-in security solution. It is a different product than Microsoft Defender for Endpoint, as this cloud-based solution includes Defender Antivirus as the endpoint security component. Microsoft Defender Antivirus is more powerful when used in conjunction with Endpoint Manager’s monitoring, reporting, and configuration tools even though it may run in a standalone setup.