The WMI namespace root/microsoft/windows/defender contains classes to manage the built-in Defender Anti-Virus and Threat-detection engine.
root/microsoft/windows/defender contains the following 10 classes:
The namespace root/microsoft/windows/defender contains many more classes that may serve internal purposes (link classes to define relationships, abstract classes that serve as a template for inherited classes, etc.). If you feel our documentation is missing an important class, please take the time and leave a comment at the bottom of this page.
BaseStatus
This is an abstract class that shows the base status.
MSFT_MpComputerStatus
Represents the Defender base status. Module Defender ships with Get-MpComputerStatus that essentially delivers the same information.
MSFT_MpEvent
This class is used for event queries and returned when threat events fire. There are no instances of this class that can be queried by Get-CimInstance.
MSFT_MpPreference
Represents Defender preferences. Module Defender ships with Get-MpPreference, Add-MpPreference, Set-MpPreference and Remove-MpPreference which essentially manage the same information.
MSFT_MpScan
Starts a Defender threat scan. Module Defender ships with Start-MpScan which essentially calls the method in this class.
MSFT_MpSignature
Updates the Defender threat signatures. Module Defender ships with Update-MpSignature which essentially calls the method of this class.
MSFT_MpThreat
Represents the Microsoft Antimalware service infection status. Module Defender ships with Get-MpThreat and Remove-MpThreat which essentially manage the same information.
MSFT_MpThreatCatalog
Represents the catalog of recognized threats. Module Defender ships with Get-MpThreatCatalog that essentially delivers the same information.
MSFT_MpThreatDetection
This is a class that represents the current detailed state of a threat. For a detailed list of error codes, see Get-MpThreatDetection.
MSFT_MpWDOScan
Windows Defender Offline Scan Class