What is Windows Defender?

Windows Defender, officially known as Microsoft Defender Antivirus, is the built-in security solution that comes pre-installed with Windows 10 and Windows 11. It provides real-time protection against viruses, malware, spyware, and other threats without requiring any additional software or subscriptions.

Unlike third-party antivirus programs, Defender is deeply integrated into the operating system. It receives updates through Windows Update, runs with minimal performance impact, and is maintained by Microsoft's dedicated security research team. For most users, it provides all the protection needed when properly configured.

Defender vs. third-party antivirus

Independent testing labs like AV-TEST and AV-Comparatives consistently rate Windows Defender alongside premium paid solutions. Unless you have specific enterprise requirements, Defender is a strong choice for personal and small office use.

Verifying Defender is Active

Before configuring anything, you should confirm that Windows Defender is actually running on your system. Third-party antivirus software can disable Defender automatically during installation, so it is important to verify.

Method 1: Windows Security App

1. Open Windows Security. Click the Start menu and type Windows Security, then click the app from the search results. Alternatively, click the shield icon in the system tray (bottom-right corner of the taskbar).
2. Check the home screen. The Windows Security dashboard shows the status of all protection areas. Look for Virus & threat protection — it should display a green checkmark with "No action needed."
3. Click "Virus & threat protection." On this page, you should see "Microsoft Defender Antivirus is on" under the Current threats section. If it says another antivirus is active, Defender is running in passive mode.

Method 2: PowerShell Verification

For a quick command-line check, open PowerShell as Administrator and run:

Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AMServiceEnabled

All three values should return True. If AntivirusEnabled shows False, another antivirus product has taken over and Defender is in passive mode.

Do not run two active antivirus programs.

Running multiple real-time antivirus engines simultaneously causes performance degradation, false positives, and can actually reduce your security. If you install a third-party antivirus, let it disable Defender automatically. If you want to switch back to Defender, uninstall the third-party product first.

Running Scans

Windows Defender offers several scan types, each suited to different situations. Understanding when to use each type helps you maintain thorough protection without wasting time on unnecessary full system scans.

Quick Scan

A Quick Scan checks the areas where malware is most commonly found: running processes, the Windows registry, common startup folders, and the system directories. It typically completes in 5 to 15 minutes and is sufficient for routine daily checks.

1. Open Windows Security and navigate to Virus & threat protection.
2. Click Quick scan. The scan begins immediately and you can continue using your computer while it runs.

From PowerShell (as Administrator):

Start-MpScan -ScanType QuickScan

Full Scan

A Full Scan examines every file on every drive connected to your computer. This includes external USB drives and mapped network shares. It can take anywhere from one to several hours depending on the amount of data on your system.

Use a Full Scan when:

  • You suspect your computer is infected despite a clean Quick Scan result
  • You have just removed malware and want to verify the system is clean
  • You have not run a full scan in over a month
  • You have connected an external drive from an untrusted source

To start a Full Scan, go to Virus & threat protection, click Scan options, select Full scan, and click Scan now.

Start-MpScan -ScanType FullScan

Custom Scan

A Custom Scan lets you target specific files or folders. This is useful when you want to scan a downloaded file, a USB drive, or a particular directory without scanning the entire system.

To run a Custom Scan from PowerShell on a specific path:

Start-MpScan -ScanType CustomScan -ScanPath "D:\Downloads"

Microsoft Defender Offline Scan

The Offline Scan restarts your computer into a minimal recovery environment and scans before Windows fully loads. This is effective against rootkits and other threats that can hide from scans while the operating system is running.

Save your work before running an Offline Scan.

Your computer will restart immediately. The scan takes approximately 15 minutes, and the computer will restart again when finished. Make sure all unsaved work is saved and all important applications are closed.

Start-MpWDOScan

Updating Virus Definitions

Virus definitions (also called security intelligence) are the database that Defender uses to identify known threats. Microsoft releases definition updates multiple times per day. Keeping definitions current is one of the most important things you can do for your security.

Automatic Updates

By default, Windows Defender downloads definition updates automatically through Windows Update. As long as your computer is connected to the internet and Windows Update is not paused, definitions should stay current without any action on your part.

Manual Update

If you want to force an immediate update (for example, before running a scan), you can trigger it manually:

1. Open Windows Security and go to Virus & threat protection.
2. Scroll down to Virus & threat protection updates and click Protection updates.
3. Click Check for updates. Windows will download and install the latest definitions.

From PowerShell:

Update-MpSignature

To check when definitions were last updated:

Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated, AntivirusSignatureVersion

Definitions age matters.

If your definitions are more than two days old, your protection is significantly reduced. New malware variants are discovered constantly, and old definitions cannot detect them. If automatic updates are not working, investigate your Windows Update settings immediately.
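The PowerShell status check and the definition-age rule above combined into one health report, as an added example that is not part of this tutorial. It reads only properties that Get-MpComputerStatus exposes; the two-day limit is the tutorial's own threshold, and the 30-day full-scan limit is an assumption chosen for this example.

```powershell
# Added example: one-shot Defender health check (elevated PowerShell, Windows 10/11).
$status = Get-MpComputerStatus
$maxSignatureAgeDays = 2     # threshold from the "Definitions age matters" note
$maxFullScanAgeDays  = 30    # assumption for this example, not a Microsoft value
$problems = @()

# Engine, real-time protection and tamper protection must all be on.
# AntivirusEnabled = False means another product took over (passive mode).
if (-not $status.AMServiceEnabled)          { $problems += "Antimalware service is not running" }
if (-not $status.AntivirusEnabled)          { $problems += "Defender antivirus is disabled (passive mode?)" }
if (-not $status.RealTimeProtectionEnabled) { $problems += "Real-time protection is off" }
if (-not $status.IsTamperProtected)         { $problems += "Tamper Protection is off" }

# Definition age: compare against the threshold instead of eyeballing the timestamp.
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt $maxSignatureAgeDays) {
    $problems += ("Definitions are {0:N1} days old (version {1})" -f `
                  $sigAge.TotalDays, $status.AntivirusSignatureVersion)
}

# FullScanEndTime is empty if a full scan has never completed; only check it when set.
if ($status.FullScanEndTime -and
    ((Get-Date) - $status.FullScanEndTime).TotalDays -gt $maxFullScanAgeDays) {
    $problems += "No full scan completed in the last $maxFullScanAgeDays days"
}

if ($problems.Count -eq 0) {
    Write-Host ("Defender OK: definitions {0} updated {1}" -f `
                $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated) -ForegroundColor Green
} else {
    Write-Host "Defender needs attention:" -ForegroundColor Yellow
    $problems | ForEach-Object { Write-Host " - $_" }
}
```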

Configuring Real-Time Protection

Real-time protection is the core feature of Windows Defender. It monitors file system activity, network connections, and process behavior continuously, intercepting threats as they appear rather than waiting for a scheduled scan to find them.

Verifying Real-Time Protection

1. Open Windows Security and go to Virus & threat protection.
2. Click Manage settings under Virus & threat protection settings.
3. Confirm that Real-time protection is toggled On. This page also shows Cloud-delivered protection, Automatic sample submission, and Tamper Protection.

Recommended Settings

  • Real-time protection: On — Monitors files as they are opened, downloaded, or executed.
  • Cloud-delivered protection: On — Sends suspicious file metadata to Microsoft for rapid analysis against a cloud database of known threats.
  • Automatic sample submission: On — Automatically sends suspicious files to Microsoft for analysis. Disable if you handle sensitive or confidential files and do not want them uploaded.
  • Tamper Protection: On — Prevents malware from disabling Defender through registry edits or command-line manipulation. Always keep this enabled.

Never disable real-time protection permanently.

If you temporarily disable it (for example, to install software that triggers a false positive), Windows will automatically re-enable it after a short period. If real-time protection stays off, your computer is exposed to every threat it encounters.

Managing Exclusions

Exclusions tell Defender to skip certain files, folders, file types, or processes during scans and real-time monitoring. This is useful for development environments, virtual machines, or applications that Defender incorrectly flags as threats.

Adding an Exclusion

1. Open Windows Security > Virus & threat protection > Manage settings.
2. Scroll down to Exclusions and click Add or remove exclusions.
3. Click Add an exclusion and choose the type: File, Folder, File type, or Process.

Common exclusion scenarios:

  • Development folders: Exclude project build directories (e.g., node_modules, target, .cargo) to improve build performance.
  • Virtual machines: Exclude VM disk files (.vhd, .vhdx, .vmdk) to avoid scan overhead.
  • Trusted applications: Exclude processes for software you trust that triggers false positives.

To add an exclusion via PowerShell:

# Exclude a folder
Add-MpPreference -ExclusionPath "C:\Projects\my-app"

# Exclude a file type
Add-MpPreference -ExclusionExtension ".vmdk"

# Exclude a process
Add-MpPreference -ExclusionProcess "myapp.exe"

# View current exclusions
Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess

Exclusions create blind spots.

Every exclusion is a location or process that Defender will never inspect. Malware authors know this and may target common exclusion paths. Only exclude what is strictly necessary, and review your exclusions periodically to remove entries you no longer need.
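A periodic exclusion review, as an added example that is not part of this tutorial: it lists every current exclusion and marks entries that are broad (a whole drive or user profile) or cover executable content, so they can be reconsidered. The "REVIEW" heuristics are this example's own choices, not a Microsoft list.

```powershell
# Added example: audit Defender exclusions and flag ones worth a second look.
$pref = Get-MpPreference

# Path exclusions that cover a whole drive, the Windows tree, temp or download
# folders, or an entire user profile remove coverage where untrusted files land.
$riskyPathPatterns = @(
    '^[A-Za-z]:\\?$',          # entire drive root, e.g. C:\
    '\\Windows(\\|$)',         # Windows system tree
    '\\Temp(\\|$)',            # temp folders
    '\\Downloads(\\|$)',       # download folders
    '\\Users\\[^\\]+\\?$'      # whole user profile
)
# Extension exclusions for executable or script content disable scanning of
# exactly the file types that carry payloads.
$riskyExtensions = @('exe','dll','ps1','bat','cmd','vbs','js','scr','msi','com')

foreach ($p in @($pref.ExclusionPath)) {
    if (-not $p) { continue }
    $hit = $riskyPathPatterns | Where-Object { $p -match $_ } | Select-Object -First 1
    $tag = if ($hit) { 'REVIEW' } else { 'ok' }
    Write-Host ("[{0,-6}] path      {1}" -f $tag, $p)
}
foreach ($e in @($pref.ExclusionExtension)) {
    if (-not $e) { continue }
    $tag = if ($riskyExtensions -contains $e.TrimStart('.').ToLower()) { 'REVIEW' } else { 'ok' }
    Write-Host ("[{0,-6}] extension {1}" -f $tag, $e)
}
foreach ($x in @($pref.ExclusionProcess)) {
    if (-not $x) { continue }
    # A process exclusion skips every file that process opens, so excluding a
    # generic host such as a shell or script interpreter is a wide blind spot.
    $tag = if ($x -match '(?i)(powershell|cmd|wscript|cscript)\.exe$') { 'REVIEW' } else { 'ok' }
    Write-Host ("[{0,-6}] process   {1}" -f $tag, $x)
}
```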

Scheduling Scans

While real-time protection catches threats as they appear, periodic scheduled scans provide an additional layer of assurance by checking files that may have been missed or that existed before a definition update was applied.

Using Task Scheduler

Windows Defender uses Task Scheduler for its scan schedules. You can customize when and how scans run:

1. Open Task Scheduler by pressing Win + R, typing taskschd.msc, and pressing Enter.
2. Navigate to Task Scheduler Library > Microsoft > Windows > Windows Defender.
3. Double-click Windows Defender Scheduled Scan. Go to the Triggers tab to set the schedule (daily, weekly, or at specific times). The Conditions tab lets you configure whether the scan runs on battery power or only when idle.

PowerShell Scan Scheduling

You can configure the scheduled scan type and day using PowerShell:

# Set the scheduled scan to run at 2:00 AM
# (ScanScheduleTime is the scheduled scan; ScanScheduleQuickScanTime only sets the time of the daily quick scan)
Set-MpPreference -ScanScheduleTime 02:00:00

# Set the scheduled scan day (0=Everyday, 1=Sunday, 2=Monday, ..., 7=Saturday, 8=Never)
Set-MpPreference -ScanScheduleDay 1

# Set scan type (1=Quick, 2=Full)
Set-MpPreference -ScanParameters 2

# Check current schedule
Get-MpPreference | Select-Object ScanScheduleDay, ScanScheduleTime, ScanScheduleQuickScanTime, ScanParameters

Recommended schedule.

A weekly Quick Scan is sufficient for most users with real-time protection enabled. Schedule a Full Scan monthly. Set scans to run during off-hours (e.g., 2:00 AM or during lunch) to minimize performance impact during work.
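The recommended schedule put into practice, as an added example that is not part of this tutorial: Defender's built-in schedule (Set-MpPreference) holds a single scan, so the weekly Quick Scan uses it and the monthly Full Scan is a separate scheduled task that calls Start-MpScan. The task name, task folder and the 4-week interval (the closest the task cmdlets get to "monthly") are this example's choices.

```powershell
# Added example: weekly quick scan via Defender's schedule plus a separate full-scan task.
# Run in an elevated PowerShell.

# 1. Weekly Quick Scan, Sunday at 02:00, using Defender's own scheduled scan.
Set-MpPreference -ScanParameters 1            # 1 = Quick, 2 = Full
Set-MpPreference -ScanScheduleDay 1           # 1 = Sunday
Set-MpPreference -ScanScheduleTime 02:00:00

# 2. Full Scan every 4 weeks, Saturday at 02:00, run as SYSTEM so it does not
#    depend on a user being logged on. Task name and folder are assumptions.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument '-NoProfile -Command "Start-MpScan -ScanType FullScan"'
$trigger   = New-ScheduledTaskTrigger -Weekly -WeeksInterval 4 -DaysOfWeek Saturday -At 2am
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
# Start late if the machine was off at 02:00; do not abort if it goes on battery.
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName 'Defender Full Scan (4-weekly)' -TaskPath '\Custom\' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force

# 3. Verify both schedules.
Get-MpPreference | Select-Object ScanParameters, ScanScheduleDay, ScanScheduleTime
Get-ScheduledTask -TaskName 'Defender Full Scan (4-weekly)' | Select-Object TaskName, State
```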

Summary

In this tutorial, you learned how to:

  • Verify that Windows Defender is active and running properly
  • Run different scan types (Quick, Full, Custom, and Offline) for different situations
  • Update virus definitions manually and verify they are current
  • Configure real-time protection settings for optimal security
  • Set up exclusions for development tools and virtual machines
  • Schedule automatic scans using Task Scheduler and PowerShell

Well done!

Your Windows Defender is now properly configured. In the next tutorial, you will learn about advanced Defender features including Controlled Folder Access, Exploit Protection, and Attack Surface Reduction rules that provide additional layers of defense.