Microsoft Defender for Endpoint (MDE), Common Actions

Summary

The purpose of this article is to give quick access to instructions for typical administrative activities related to antivirus software.

Required Microsoft Defender for Cloud Plan 1 or Plan 2 Deployment to the appropriate Virtual Machine subscription.

System details: Windows, Linux, and Azure Virtual Machines. Not AKS Clusters, not virtual machine scale sets.

Windows

• Get protection status: Get-MpComputerStatus
• Get history of incidents: Get-MpThreat
• Run full scan: start-mpscan -ScanType FullScan
• Get history of protection: Get-MpThreatDetection
  Note. The difference between the above two commands is, while Get-MpThreat pulls up the threat history, the Get-MpThreatDetection command pulls up the protection history.
• Get scan configuration details: Get-MpPreference
• Disable realtime protection: Set-MpPreference -DisableRealtimeMonitoring $true
• Enable realtime protection: Set-MpPreference -DisableRealtimeMonitoring $false
• Force update definitions: Update-MpSignature
• Performance troubleshooting: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus?view=o365-worldwide

Linux

• Get protection status: mdatp health
• Get the history of incidents: mdatp threat list
• Run full scan: mdatp scan full
• Advanced topics and performance diag: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/comprehensive-guidance-on-linux-deployment?view=o365-worldwide
• Force update definitions: mdatp definitions update
• Create false positive incident: wget "https://secure.eicar.org/eicar.com.txt"

View security alerts

1. Log into the Azure Portal.
2. In the top search box, type defender for the cloud.
3. Select Defender for Cloud
   
4. On the left, select Security Alerts.