How Do I Know if Microsoft Defender Is Installed, Running, or Working?
Learn how to tell whether Microsoft Defender is installed, running, turned on, and actively protecting Windows endpoints.
A question for lean teams validating endpoint protection coverage
Most searches about Defender being installed, running, turned on, active, or working are really asking whether the endpoint is protected right now. This guide separates those states so you can verify presence, operating mode, and active protection without guessing.
What You'll Get
- Separate installed, running, and actively protecting states
- Compare dashboard posture data with endpoint validation commands
- Triage true protection gaps before they turn into broader risk
Short Answer
To know whether Microsoft Defender is really available, answer three separate questions: is it installed, is it running, and is it actively protecting the device? For lean teams, the fastest path is to confirm Antivirus and Real-time Protection status in DefenderReporter, then validate suspicious endpoints with Get-MpComputerStatus. For the fleet-level view behind this check, start with the endpoint posture monitoring guide.
Installed vs Running vs Working
Installed means Microsoft Defender Antivirus components exist on the Windows device.
Running means the Defender service is active and not pushed out of the protection path by another antivirus product or policy mode.
Working means active protection controls such as Antivirus and Real-time Protection are enabled and current enough to reduce risk.
Those are related checks, but they are not the same thing. A device can have Defender installed without being the active antivirus engine.
How to Check in Defender Reporter
Open the Devices page and review the columns for Antispyware, Antivirus, Real-time Protection, NIS, and IOAV. A Yes value means that control was enabled on the last reported check-in. A No value means it is disabled and needs follow-up. If the device reports those fields recently, that is usually the fastest answer to whether Defender is running and working on that endpoint. If you need to review many devices at once, continue with the multi-computer status guide.
How to Tell if Microsoft Defender Is Installed
Start by confirming Windows Security shows Microsoft Defender Antivirus rather than only a third-party antivirus provider.
On managed endpoints, the more reliable operational signal is that Defender-specific posture fields are reporting back through DefenderReporter or Get-MpComputerStatus.
If another antivirus product is installed, Defender may still be present on disk but no longer be the active protection engine.
How to Tell if Microsoft Defender Is Running or Turned On
On Windows endpoints, Defender can be active, passive, or effectively out of the protection path depending on policy and whether another antivirus product is installed. If you need a local endpoint check, review Get-MpComputerStatus values like AntivirusEnabled, RealTimeProtectionEnabled, and AMRunningMode instead of relying only on the tray icon.
How to Tell if Microsoft Defender Is Working
Defender is working when it is not only present, but actively protecting the endpoint with enabled Antivirus, Real-time Protection, and current signatures. If protection is enabled but signatures are stale, continue with the update-status guide before assuming coverage is healthy. If Defender is present but clearly not active, switch to the passive mode guide.
How to Interpret Yes, No, and Unknown
Yes means Defender reported that control as enabled at last check-in. No means the control is disabled. A dash or missing value (Unknown) usually means the endpoint has not reported that field yet, which often happens on newly onboarded or recently offline devices.
What Small Teams Should Do Next
Start with devices showing No for Real-time Protection or Antivirus and assign an owner for same-day remediation. Then verify the endpoint checked in recently and confirm policy enforcement so the setting does not drift again.
Fast Validation Commands on a Single Endpoint
When a device looks unprotected in the dashboard, validate it locally and compare the result with the latest check-in.
PS> Get-MpComputerStatus | Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled, IoavProtectionEnabled, NISEnabled
If you also need to confirm which Defender product version is installed (AMProductVersion), expand the check slightly:
PS> Get-MpComputerStatus | Select-Object AMProductVersion, AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled, IoavProtectionEnabled, NISEnabled
If the command output and dashboard view disagree, check telemetry freshness before assuming a real protection mismatch.
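The following script ties the two commands above back to the installed, running and working states defined earlier in this guide. It is an added example written for this page, not part of DefenderReporter or of the Defender cmdlets themselves. It assumes the standard Microsoft Defender Antivirus service name WinDefend and the Get-MpComputerStatus properties already named on this page plus AMServiceEnabled, AntivirusSignatureAge and IsTamperProtected; the 7-day signature-age threshold is an assumed value, not a product default.

```powershell
# Added example, not part of the DefenderReporter documentation or product.
# Classifies the local endpoint into the three states this page separates
# (installed, running, working) from Get-MpComputerStatus and the WinDefend
# service. Run in an elevated PowerShell session on the endpoint being checked.
# The 7-day signature-age threshold is an assumed value; set it to your policy.

function Get-DefenderProtectionState {
    param([int]$MaxSignatureAgeDays = 7)

    # Installed: the Defender AV service is registered and the status cmdlet
    # returns a product version. Either one missing means the components are absent.
    $service = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $status  = $null
    try { $status = Get-MpComputerStatus -ErrorAction Stop } catch { $status = $null }

    $installed = ($null -ne $service) -and ($null -ne $status) -and
                 -not [string]::IsNullOrEmpty($status.AMProductVersion)

    # Running: the service is started and Defender is the active engine.
    # Any other AMRunningMode value (for example 'Passive Mode') means another
    # product or a policy has taken it out of the primary protection path.
    $running = $installed -and
               ($service.Status -eq 'Running') -and
               $status.AMServiceEnabled -and
               ($status.AMRunningMode -eq 'Normal')

    # Working: the active controls are on and signatures are fresh enough to trust.
    $working = $running -and
               $status.AntivirusEnabled -and
               $status.RealTimeProtectionEnabled -and
               ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays)

    # Findings explain every False above so the owner knows what to remediate.
    $findings = @()
    if ($installed) {
        if ($status.AMRunningMode -ne 'Normal')     { $findings += "AMRunningMode is '$($status.AMRunningMode)'" }
        if (-not $status.AntivirusEnabled)          { $findings += 'AntivirusEnabled is False' }
        if (-not $status.RealTimeProtectionEnabled) { $findings += 'RealTimeProtectionEnabled is False' }
        if (-not $status.IoavProtectionEnabled)     { $findings += 'IoavProtectionEnabled is False' }
        if (-not $status.NISEnabled)                { $findings += 'NISEnabled is False' }
        if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $findings += "Signatures are $($status.AntivirusSignatureAge) days old"
        }
    } else {
        $findings += 'Defender AV components not found (WinDefend service or Get-MpComputerStatus unavailable)'
    }

    $mode    = if ($status) { $status.AMRunningMode } else { $null }
    $version = if ($status) { $status.AMProductVersion } else { $null }
    $sigAge  = if ($status) { $status.AntivirusSignatureAge } else { $null }
    $tamper  = if ($status) { $status.IsTamperProtected } else { $null }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Installed        = [bool]$installed
        Running          = [bool]$running
        Working          = [bool]$working
        AMRunningMode    = $mode
        ProductVersion   = $version
        SignatureAgeDays = $sigAge
        TamperProtected  = $tamper
        Findings         = $findings
    }
}

# Usage: one object per endpoint, ready to compare against the dashboard row.
Get-DefenderProtectionState -MaxSignatureAgeDays 7 | Format-List
```

Compare the Installed, Running and Working values with the device's last reported dashboard row; when they disagree, the Findings list tells you whether the gap is a real control change or stale telemetry that the next check-in will clear.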
Common Reasons Defender Appears Off
The most common causes are local tamper changes, competing AV products, stale endpoint telemetry, and policy drift. Document which class each exception belongs to so your team can separate one-off host issues from broad policy failures.
Recommended Remediation SLA
Treat Antivirus or Real-time Protection disabled states as same-day remediation items for business-critical endpoints and next-business-day for lower-risk systems. Explicit response windows improve consistency when small teams are juggling multiple priorities.
How to Report Status to Stakeholders
Report total endpoints, protected endpoints, and unprotected endpoints with owner and ETA for each exception. This keeps leadership updates factual and focused on closure progress, not just raw alert volume.
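This script rolls dashboard-style rows up into the total, protected and unprotected counts described above, applying the Yes, No and Unknown interpretation from earlier in this guide so that unreported or stale rows are counted separately rather than as protected. It is an added example for this page, not DefenderReporter output or an export format the product defines: the five device rows are constructed sample data, the column names mirror the dashboard columns named on this page, and the 7-day staleness window, Tier and Owner fields are assumptions.

```powershell
# Added example, not part of the DefenderReporter documentation or product.
# Rolls constructed device rows up into the stakeholder counts this page asks
# for, treating "-" (not yet reported) and stale check-ins as Unknown rather
# than as No, so unverified coverage is never reported as protected.
# Column names follow the dashboard columns named on this page; the rows, the
# 7-day staleness window and the Tier/Owner fields are assumptions.

$StaleAfterDays = 7
$Now = Get-Date

# Constructed sample export; a real run would read the Devices page export instead.
$devices = @(
    [pscustomobject]@{ Device = 'WS-001'; Antivirus = 'Yes'; RealTimeProtection = 'Yes'; LastCheckIn = $Now.AddHours(-2); Tier = 'Critical'; Owner = 'it-ops' }
    [pscustomobject]@{ Device = 'WS-002'; Antivirus = 'No';  RealTimeProtection = 'Yes'; LastCheckIn = $Now.AddHours(-5); Tier = 'Critical'; Owner = 'it-ops' }
    [pscustomobject]@{ Device = 'WS-003'; Antivirus = '-';   RealTimeProtection = '-';   LastCheckIn = $null;             Tier = 'Standard'; Owner = '' }
    [pscustomobject]@{ Device = 'WS-004'; Antivirus = 'Yes'; RealTimeProtection = 'Yes'; LastCheckIn = $Now.AddDays(-12); Tier = 'Standard'; Owner = 'helpdesk' }
    [pscustomobject]@{ Device = 'WS-005'; Antivirus = 'Yes'; RealTimeProtection = 'No';  LastCheckIn = $Now.AddHours(-1); Tier = 'Standard'; Owner = 'helpdesk' }
)

function Get-CoverageState {
    param($Row, [datetime]$AsOf, [int]$StaleAfterDays)
    $reported = @('Yes', 'No')
    # Not reported yet: the dashboard shows a dash or an empty cell.
    if ($Row.Antivirus -notin $reported -or $Row.RealTimeProtection -notin $reported) { return 'Unknown' }
    # Reported, but the check-in is too old to trust as current posture.
    if (-not $Row.LastCheckIn -or ($AsOf - $Row.LastCheckIn).TotalDays -gt $StaleAfterDays) { return 'Unknown' }
    if ($Row.Antivirus -eq 'Yes' -and $Row.RealTimeProtection -eq 'Yes') { return 'Protected' }
    return 'Unprotected'
}

function Get-RemediationEta {
    param($Row, [datetime]$AsOf)
    # Mirrors the SLA on this page: same day for business-critical endpoints,
    # next day otherwise (business-day calendars are omitted here).
    if ($Row.Tier -eq 'Critical') { $AsOf.Date } else { $AsOf.Date.AddDays(1) }
}

$classified = foreach ($d in $devices) {
    $state = Get-CoverageState -Row $d -AsOf $Now -StaleAfterDays $StaleAfterDays
    [pscustomobject]@{
        Device = $d.Device
        State  = $state
        Owner  = if ($d.Owner) { $d.Owner } else { 'UNASSIGNED' }
        ETA    = if ($state -eq 'Protected') { $null } else { (Get-RemediationEta -Row $d -AsOf $Now).ToString('yyyy-MM-dd') }
    }
}

# Headline numbers for the leadership update.
$summary = [pscustomobject]@{
    Total       = @($classified).Count
    Protected   = @($classified | Where-Object State -eq 'Protected').Count
    Unprotected = @($classified | Where-Object State -eq 'Unprotected').Count
    Unknown     = @($classified | Where-Object State -eq 'Unknown').Count
}
$summary | Format-List

# Exception list: every device that is not confirmed protected, with owner and ETA.
$classified | Where-Object State -ne 'Protected' | Format-Table Device, State, Owner, ETA -AutoSize
```

With the constructed rows the roll-up reports five devices, one protected, two unprotected and two unknown (one never reported, one with a 12-day-old check-in), and the exception table lists the four non-protected devices with an owner and ETA each. Keeping Unknown as its own bucket is what lets the update stay factual: an unreported device is a telemetry task, not yet a confirmed protection gap.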