Managing Windows Defender / System Center Endpoint Security with PowerShell

I just read a blog post from Ed Wilson (Scripting Guy) about Use PowerShell to Configure Windows Defender Preferences and wondered if there’s more here. And yes there is. If you have a default insallation of Windows 8 and have defender enabled or work in an enterprise environment and use Configuration Manager with the  System Center Endpoint Security agent deployed on your clients then you the below listed cmdlets available.

Windows Defender

To get a list of all available Defender cmdlets just run the following command within a powershell console

Get-command -Module defender

System Center Endpoint Protection

For a list of all available SCEP cmdlets, run the following command within a powershell console.

Get-command -Module MpProvider

If no cmdlets are returned try first loading the module using the following command
Import-Module “$env:ProgramFiles\Microsoft Security Client\MpProvider”

You will notice that the cmdlet names are quite similar, the only difference is that the cmdlets for SCEP have “Prot” within the name.

Windows Defender System Center Endpoint Protection
Cmdlet ModuleName Cmdlet ModuleName
Add-MpPreference Defender Add-MProtPreference MpProvider
Get-MpComputerStatus Defender Get-MProtComputerStatus MpProvider
Get-MpPreference Defender Get-MProtPreference MpProvider
Get-MpThreat Defender Get-MProtThreat MpProvider
Get-MpThreatCatalog Defender Get-MProtThreatCatalog MpProvider
Get-MpThreatDetection Defender Get-MProtThreatDetection MpProvider
Remove-MpPreference Defender Remove-MProtPreference MpProvider
Remove-MpThreat Defender Remove-MProtThreat MpProvider
Set-MpPreference Defender Set-MProtPreference MpProvider
Start-MpScan Defender Start-MProtScan MpProvider
Update-MpSignature Defender Update-MProtSignature MpProvider

So what can we do here?

Update definitions

Antivirus and Spyware definitions can be updates as following:

Update-MProtSignature -UpdateSource MicrosoftUpdateServer

Starting a Scan

To start a scan use the following command. Available Scantypes are QuickScan, FullScan and CustomScan)

Start-MProtScan -ScanType QuickScan

When using the CustomScan option an the path must be provied using the -Scanpath parameter

Computer Protection Status

Computer protection status information is retrieved with the following command


Defender / SCEP Settings

Configuration settings can be gathered using


Find information about actual threat

To find out information about an actual threat on a client, run



Removing Threats

Although there is a Remove-MProtThreat cmdlet, it doesn’t seem to recognize the active threat, as i received the following message when executing it.


Configuration Changes

For configuratin settings, please refer to Ed Wilson’s blog post Use PowerShell to Configure Windows Defender Preferences

That’s it for today, now it has stopped raining and the sun starts to shine, so let’s get out of here Smile

2 Replies to “Managing Windows Defender / System Center Endpoint Security with PowerShell”

  1. Nice post – not many people talking about this. I have an issue perhaps you’ve run into – on “some” Windows 2008 R2 (happens on Standard and Enterprise) when I run any of the defender cmdlets I get an “invalid class” message. On “some” (again, Windows 2008 R2, Standard or Enterprise) it works. I have tried loading the modules explicitly and that seems to have no impact – modules load and I can list the cmdlets, I just can’t run them. I have found nothing online about this (some stuff about WMI and Invalid Class) and I would hate to open a Microsoft call if you’ve already seen the issue…
    Thanks again for an informative post.

Leave a Reply