Introduction to Windows Defender Antivirus on Windows Server 2022

Windows Defender Antivirus is built into Windows Server 2022 and provides real-time protection against malware, ransomware, spyware, and other threats without requiring a third-party antivirus solution. On Windows Server 2022, Defender AV behaves differently depending on whether the server has a Desktop Experience or is running as Server Core. Understanding how to configure, update, and manage Defender AV through both graphical tools and PowerShell is essential for any Windows Server administrator.

When the Desktop Experience is installed, Windows Defender Antivirus integrates with the Windows Security application and the Windows Defender Security Center. On Server Core deployments, all management must be done through PowerShell cmdlets or via Group Policy managed remotely. This article covers both scenarios in depth.

Checking Defender AV Status with Get-MpComputerStatus

Before configuring anything, verify that Windows Defender Antivirus is active and review its current state. The Get-MpComputerStatus PowerShell cmdlet provides a comprehensive snapshot of the antivirus engine status, signature versions, and protection features.

Open an elevated PowerShell session and run the following command to view the full status report:

Get-MpComputerStatus

Key fields to check in the output include:

  • AntivirusEnabled — should be True for active protection
  • RealTimeProtectionEnabled — confirms real-time scanning is active
  • AntispywareEnabled — spyware protection status
  • AntivirusSignatureVersion — the current signature definition version
  • AntivirusSignatureLastUpdated — timestamp of the last definition update
  • FullScanEndTime — when the last full scan completed

To filter only specific properties for a quick health check:

Get-MpComputerStatus | Select-Object -Property AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureVersion, AntivirusSignatureLastUpdated
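The fields listed above can be turned into an automated health check. This is an added example, not part of the original article; the signature-age and full-scan-age thresholds are assumptions to adjust for your environment.

```powershell
# Added example: evaluate Get-MpComputerStatus against thresholds and return findings.
function Test-DefenderHealth {
    param(
        [int]$MaxSignatureAgeDays = 3,   # assumed acceptable signature age
        [int]$MaxFullScanAgeDays  = 30   # assumed acceptable time since the last full scan
    )
    $status   = Get-MpComputerStatus
    $now      = Get-Date
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine is disabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
    if (-not $status.AntispywareEnabled)        { $findings.Add('Antispyware protection is disabled') }

    $sigAge = ($now - $status.AntivirusSignatureLastUpdated).TotalDays
    if ($sigAge -gt $MaxSignatureAgeDays) {
        $findings.Add(('Signatures are {0:N1} days old (version {1})' -f $sigAge, $status.AntivirusSignatureVersion))
    }

    # FullScanEndTime is $null on a server that has never completed a full scan
    if (-not $status.FullScanEndTime) {
        $findings.Add('No full scan has ever completed')
    } elseif (($now - $status.FullScanEndTime).TotalDays -gt $MaxFullScanAgeDays) {
        $findings.Add("Last full scan completed $($status.FullScanEndTime)")
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Healthy      = ($findings.Count -eq 0)
        Findings     = $findings
        Checked      = $now
    }
}

$result = Test-DefenderHealth
$result | Format-List
# Non-zero exit code so a scheduled task or monitoring agent can pick up the failure
if (-not $result.Healthy) { exit 1 }
```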

Configuring Windows Defender Antivirus with Set-MpPreference

The Set-MpPreference cmdlet is used to configure Windows Defender Antivirus behavior. It allows you to control real-time protection settings, scan schedules, remediation actions, cloud-delivered protection, and much more — all from PowerShell.

To enable cloud-delivered protection and automatic sample submission:

Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples

To configure when scheduled scans run, set the day, the time, and the scan type. The following schedules a daily quick scan at 3:00 AM:

Set-MpPreference -ScanScheduleDay Everyday
Set-MpPreference -ScanScheduleTime 03:00:00
Set-MpPreference -ScanParameters QuickScan

To schedule a full scan on Sundays at 2:00 AM instead:

Set-MpPreference -ScanScheduleDay Sunday
Set-MpPreference -ScanScheduleTime 02:00:00
Set-MpPreference -ScanParameters FullScan

To control the remediation action taken when a threat is detected, set a default action for each severity level. The following removes severe and high threats and quarantines moderate and low ones:

Set-MpPreference -SevereThreatDefaultAction Remove
Set-MpPreference -HighThreatDefaultAction Remove
Set-MpPreference -ModerateThreatDefaultAction Quarantine
Set-MpPreference -LowThreatDefaultAction Quarantine

To toggle real-time protection off temporarily (not recommended in production, but sometimes required for troubleshooting or software installation):

Set-MpPreference -DisableRealtimeMonitoring $true

Re-enable it immediately afterward:

Set-MpPreference -DisableRealtimeMonitoring $false
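The individual Set-MpPreference calls above can be applied as one baseline and, at the same time, produce a record of exactly which preferences changed. This is an added example, not part of the original article; the baseline values are the ones used in this section and are an assumption for your own standard.

```powershell
# Added example: apply a Defender AV baseline in one call and record what changed.
$baseline = @{
    MAPSReporting               = 'Advanced'
    SubmitSamplesConsent        = 'SendAllSamples'
    ScanScheduleDay             = 'Everyday'
    ScanScheduleTime            = '03:00:00'
    ScanParameters              = 'QuickScan'
    SevereThreatDefaultAction   = 'Remove'
    HighThreatDefaultAction     = 'Remove'
    ModerateThreatDefaultAction = 'Quarantine'
    LowThreatDefaultAction      = 'Quarantine'
}

function Get-PreferenceSnapshot {
    # Flatten Get-MpPreference into name/value pairs for the settings we manage
    param([string[]]$Names)
    $pref = Get-MpPreference
    foreach ($n in $Names) {
        [pscustomobject]@{ Name = $n; Value = "$($pref.$n)" }
    }
}

$before = Get-PreferenceSnapshot -Names $baseline.Keys
Set-MpPreference @baseline           # every key is a Set-MpPreference parameter, so splat it
$after  = Get-PreferenceSnapshot -Names $baseline.Keys

# Compare-Object on Name and Value yields only the pairs that differ between snapshots
$changes = Compare-Object $before $after -Property Name, Value |
    Where-Object SideIndicator -eq '=>' |
    ForEach-Object {
        $name = $_.Name
        [pscustomobject]@{
            Setting  = $name
            OldValue = ($before | Where-Object Name -eq $name).Value
            NewValue = $_.Value
            Changed  = Get-Date
        }
    }

if ($changes) {
    $changes | Format-Table -AutoSize
} else {
    # A setting that did not change was either already compliant or is locked by Group Policy
    # (policy-managed values live under HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender)
    'No preference changed.'
}
```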

Updating Virus Definitions with Update-MpSignature

Keeping Windows Defender Antivirus signatures up to date is critical for protection against the latest threats. Windows Update typically handles this automatically, but in isolated environments, enterprise WSUS environments, or when you need an immediate update, you can trigger a manual update using Update-MpSignature.

To update signatures from the default source (Windows Update or WSUS as configured):

Update-MpSignature

To update from a specific source (here, Microsoft Update directly rather than a configured WSUS server):

Update-MpSignature -UpdateSource MicrosoftUpdateServer

Available update sources include: MicrosoftUpdateServer, MMPC, InternalDefinitionUpdateServer, FileShares. In an air-gapped environment where servers cannot reach Windows Update, you can download the definition update package manually from the Microsoft Security Intelligence website and deploy it as a file-share update source.

To verify the signature was updated after running the command:

Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated
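For the air-gapped case described above, the file-share source has to be registered before Update-MpSignature can use it, and the result should be verified rather than assumed. This is an added example, not part of the original article; the UNC path is a placeholder for a share that holds the downloaded definition package.

```powershell
# Added example: update definitions from an internal file share and confirm the version moved.
$share = '\\FILESERVER01\DefenderDefs'   # placeholder: share containing the definition package

function Update-DefenderFromShare {
    param([Parameter(Mandatory)][string]$SharePath)

    if (-not (Test-Path -LiteralPath $SharePath)) {
        throw "Definition share '$SharePath' is not reachable from this server"
    }

    $before = (Get-MpComputerStatus).AntivirusSignatureVersion

    # Register the share as the FileShares source, then update from that source only
    Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $SharePath
    Update-MpSignature -UpdateSource FileShares -ErrorAction Stop

    $status = Get-MpComputerStatus
    [pscustomobject]@{
        Source        = $SharePath
        BeforeVersion = $before
        AfterVersion  = $status.AntivirusSignatureVersion
        Updated       = ($status.AntivirusSignatureVersion -ne $before)
        LastUpdated   = $status.AntivirusSignatureLastUpdated
    }
}

$r = Update-DefenderFromShare -SharePath $share
$r | Format-List
# An unchanged version usually means the package on the share is not newer than what is installed
if (-not $r.Updated) { Write-Warning 'Signature version unchanged; check the package on the share.' }
```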

Running On-Demand Scans with Invoke-MpScan

Windows Defender allows you to run on-demand scans at any time using the Invoke-MpScan cmdlet. This is particularly useful after deploying new software, restoring backups, or responding to a potential incident.

To run a quick scan (scans common malware locations and running processes):

Invoke-MpScan -ScanType QuickScan

To run a full scan (scans the entire file system — can take hours on large volumes):

Invoke-MpScan -ScanType FullScan

To scan a specific path or directory:

Invoke-MpScan -ScanType CustomScan -ScanPath "C:\Users\Administrator\Downloads"

Scans run asynchronously by default. You can monitor active threats after the scan using:

Get-MpThreatDetection

To see all threats currently in the quarantine store:

Get-MpThreat

Configuring Exclusions with Add-MpPreference

In server environments, Windows Defender Antivirus often needs exclusions configured to prevent false positives and performance degradation. Common scenarios requiring exclusions include database data files (SQL Server .mdf/.ldf), Hyper-V virtual machine files, Exchange Server working directories, and application log directories with high write activity.

To add a path exclusion so that an entire directory is not scanned:

Add-MpPreference -ExclusionPath "C:\SQLData"
Add-MpPreference -ExclusionPath "C:\Program Files\Microsoft SQL Server"

To exclude files by extension (for example, database files):

Add-MpPreference -ExclusionExtension ".mdf"
Add-MpPreference -ExclusionExtension ".ldf"
Add-MpPreference -ExclusionExtension ".ndf"

To exclude a specific process from being scanned when it accesses files:

Add-MpPreference -ExclusionProcess "sqlservr.exe"
Add-MpPreference -ExclusionProcess "w3wp.exe"

To view currently configured exclusions:

Get-MpPreference | Select-Object -Property ExclusionPath, ExclusionExtension, ExclusionProcess

To remove an exclusion that is no longer needed:

Remove-MpPreference -ExclusionPath "C:\OldData"

Be cautious with exclusions. Each exclusion is a potential blind spot. Only exclude paths and processes that are well understood and have a documented business justification. Avoid blanket exclusions like entire drive letters or the Windows directory.
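The blind-spot warning above can be enforced with a periodic audit of the configured exclusions. This is an added example, not part of the original article; the list of directories treated as too broad, and the file types and processes treated as risky, are assumptions to tune for your servers.

```powershell
# Added example: flag blanket or risky Defender exclusions for review.
function Test-DefenderExclusions {
    $pref  = Get-MpPreference
    # Drop $null entries so an empty exclusion list counts as zero
    $paths = @($pref.ExclusionPath      | Where-Object { $_ })
    $exts  = @($pref.ExclusionExtension | Where-Object { $_ })
    $procs = @($pref.ExclusionProcess   | Where-Object { $_ })
    $risky = New-Object System.Collections.Generic.List[object]

    # Assumed list of directories that are too broad to exclude as a whole
    $broadRoots = @('\Windows', '\Windows\System32', '\Users', '\ProgramData', '\Temp')

    foreach ($p in $paths) {
        $reason = $null
        if ($p -match '^[A-Za-z]:\\?$') {
            $reason = 'Excludes an entire drive'
        } elseif ($broadRoots | Where-Object { $p -match ('^[A-Za-z]:' + [regex]::Escape($_) + '\\?$') }) {
            $reason = 'Excludes a broad system or user directory'
        } elseif ($p -match '\*') {
            $reason = 'Wildcard exclusion'
        }
        if ($reason) { $risky.Add([pscustomobject]@{ Type = 'Path'; Value = $p; Reason = $reason }) }
    }

    foreach ($e in $exts) {
        if ($e -match '^\.?(exe|dll|ps1|bat|cmd|vbs|js|msi)$') {
            $risky.Add([pscustomobject]@{ Type = 'Extension'; Value = $e; Reason = 'Excludes an executable or script type' })
        }
    }

    foreach ($proc in $procs) {
        if ($proc -match '(^|\\)(powershell|pwsh|cmd|wscript|cscript|explorer)\.exe$') {
            $risky.Add([pscustomobject]@{ Type = 'Process'; Value = $proc; Reason = 'Excludes a general-purpose shell or interpreter' })
        }
    }

    [pscustomobject]@{
        TotalExclusions = $paths.Count + $exts.Count + $procs.Count
        Risky           = $risky
    }
}

$audit = Test-DefenderExclusions
"$($audit.TotalExclusions) exclusions configured, $($audit.Risky.Count) flagged for review"
$audit.Risky | Format-Table -AutoSize
```

Each flagged entry should be traceable to the documented business justification mentioned above; anything without one is a candidate for Remove-MpPreference.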

Managing Windows Defender AV via Group Policy

For enterprise environments with multiple servers, Group Policy is the preferred way to manage Windows Defender Antivirus settings centrally. The relevant GPO settings are located under:

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus

Key policy nodes and settings include:

  • Turn off Microsoft Defender Antivirus — Enable only if a third-party AV is present; otherwise this disables all protection
  • Real-time Protection > Turn off real-time protection — Policy to control real-time monitoring
  • Scan > Specify the scan type to use for a scheduled scan — Set to QuickScan or FullScan
  • Scan > Specify the day of the week to run a scheduled scan — 0=Every Day, 1=Sunday, 2=Monday, etc.
  • Scan > Specify the time of day to run a scheduled scan — Time in minutes after midnight (e.g., 120 = 2:00 AM)
  • Exclusions > Path Exclusions — Value name is the path, value data is 0
  • Exclusions > Extension Exclusions — Value name is the extension without the dot
  • MAPS > Join Microsoft MAPS — Configure cloud participation level

After configuring a GPO, apply it to the target OU containing your servers and force a policy refresh:

gpupdate /force

Verify the applied policies with:

gpresult /H C:\GPReport.html /F

Using MpCmdRun.exe for Command-Line Management

MpCmdRun.exe is the command-line interface for Windows Defender Antivirus. It is located at C:\Program Files\Windows Defender\MpCmdRun.exe and is useful in scripts, scheduled tasks, and recovery scenarios where PowerShell may not be available.

To run a quick scan from the command line:

"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1

To run a full scan:

"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2

To scan a custom path:

"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Uploads"

To update signature definitions:

"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate

To roll back the installed security intelligence to the default set that shipped with the platform (note that this does not touch quarantine, and the server runs on stale definitions until the next signature update, so reserve it for backing out a bad definition update; quarantined items are listed with -Restore -ListAll):

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

To collect diagnostic information for support cases:

"C:\Program Files\Windows Defender\MpCmdRun.exe" -GetFiles

This collects logs into a cabinet file at C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab.

Windows Defender Firewall Integration

Windows Defender Antivirus works alongside Windows Defender Firewall as part of the broader Windows Defender security stack. While Defender AV handles file-system and process-level threats, the Firewall controls network traffic. Together they provide layered protection.

On Windows Server 2022, the firewall can be managed from the same Windows Security interface on Desktop Experience builds. For PowerShell management, the NetSecurity module provides the necessary cmdlets.

To check the firewall profile state:

Get-NetFirewallProfile | Select-Object Name, Enabled

To enable all firewall profiles:

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

Defender AV can block network-based malware through network protection (part of Microsoft Defender for Endpoint), which blocks connections to malicious IPs and URLs at the network layer. This feature can be enabled via:

Set-MpPreference -EnableNetworkProtection Enabled

The combination of real-time antivirus scanning, network protection, and Defender Firewall forms a strong baseline security posture for Windows Server 2022. Review the Defender operational log regularly in Event Viewer under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational to monitor detection and remediation events.
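The operational log named above can be queried from PowerShell rather than browsed in Event Viewer. This is an added example, not part of the original article; the event IDs are the documented Microsoft-Windows-Windows Defender/Operational IDs, and the 24-hour lookback window is an assumption.

```powershell
# Added example: pull the Defender operational events that matter for monitoring and summarise them.
function Get-DefenderSecurityEvents {
    param([int]$Hours = 24)   # lookback window (assumption)

    # Event IDs that warrant attention, with the reason each one matters
    $watch = @{
        1116 = 'Malware detected'
        1117 = 'Remediation action taken'
        1118 = 'Remediation action failed'
        2001 = 'Signature update failed'
        5001 = 'Real-time protection disabled'
        5007 = 'Configuration changed (e.g. an exclusion was added)'
        5010 = 'Malware scanning disabled'
        5012 = 'Virus scanning disabled'
    }

    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = [int[]]$watch.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    foreach ($e in $events) {
        $lines = $e.Message -split "`r?`n"
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Why     = $watch[$e.Id]
            Summary = $lines[0]   # the first line names the threat or the changed component
            # For 5007 the message carries the old and new values of the changed setting
            Detail  = $(if ($e.Id -eq 5007) { ($lines | Where-Object { $_ -match 'value:' }) -join ' ' })
        }
    }
}

$recent = Get-DefenderSecurityEvents -Hours 24
$recent | Sort-Object Time -Descending | Format-Table Time, Id, Why, Summary -AutoSize
# Counts per event ID give a quick picture of what happened in the window
$recent | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
# A 5001 or 5007 event that does not match an approved change deserves investigation
$recent | Where-Object { $_.Id -in 5001, 5007 } | Format-List Time, Why, Detail
```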