Windows Defender is the default real-time (always on) protection program in Windows 8, 8.1 and 10. Unlike the one in Windows XP, Vista and 7, the Windows 8/8.1/10 version does protect from viruses and other types of malware, not only spyware. It is similar to the free Microsoft Security Essentials for Windows Vista and 7, but it lacks a few features, such as the ability to select a time or limit CPU resources used for scheduled scanning in GUI (Graphical User Interface) and right-click menus in Windows (File) Explorer.
Windows Defender uses Windows Update to download and install new virus and spyware definitions once a day. If updates fail constantly, follow instructions in this Reinstall Windows Update article.
Please note that you cannot install Microsoft Security Essentials in Windows 8, 8.1 or 10. If you choose to install any other real-time anti-virus program (such as Avast Free Antivirus), Windows Defender will be automatically turned off – there is no point in hogging system resources by running multiple virus protection software.
Configuring Windows Defender in Windows 8, 8.1 and 10
In Windows 8 and 8.1, open Apps search using keyboard shortcut WINDOWS KEY+Q, type “defender” into Search box and click the result. Touch screen users should reveal Charms bar by swiping in from the right edge of screen and then tap/touch Search.
In Windows 10, open Start menu or Cortana keyboard search (WINDOWS KEY+S), type “defender” and click or tap Windows Defender settings. Because all Defender settings are now in the Modern UI Settings app, there is no point in opening the Windows Defender desktop program in Windows 10 just yet.
If you’ve previously uninstalled a third-party antivirus product (Avast, AVG, Norton/Symantec, McAfee or some other product), you might see a dialog that states that Windows Defender is turned off. In such case, either click Action Center icon in Taskbar Notification Area (aka System Tray) and click Turn on virus protection (Important) or Turn on spyware protection (Important), or open Control Panel (WINDOWS KEY+X has a nice shortcut), type action into Search field, click Action Center and then click one of the Turn on now buttons in Security section.
Please note that in Windows 8 and 8.1, Action Center might have no red warning icon for several days after you’ve removed a third-party virus protection tool.
Windows Defender settings in Windows 8 and 8.1
Open Settings tab and click Real-time protection on the left. Make sure there is a check mark in the Turn on real-time protection (recommended) check box. That’s how you activate or enable Windows Defender in Windows 8 and 8.1 after uninstalling some competing free or paid anti-virus product.
If something seems to be blocking the activation, run RKill to terminate malware processes and services that might interfere enabling Windows Defender. Then retry the process, without rebooting your PC.
Next three tabs deal with exclusions: you can prevent Windows Defender from scanning certain files and locations (folders), file types or processes. These are to be used by IT pros only who understand the possible consequences.
Click Advanced in the left part of the window. Enable Scan archive files and Scan removable drives options. The first one will scan compressed folders (.zip files) for malicious software. The latter one enables scanning connected USB drives during a full scan. This is very important, as malicious software can spread via such media.
Then check the Create a system restore point box. This will create a System Restore point each time before a detected malware or virus is removed or quarantined. In case something goes wrong, you can use System Restore to recover your computer to a working state.
If you want all users (including those who are not administrators) to be able to see detected items on History tab, tick the Allow all users to view the full History results check box.
Set Remove quarantined files after to 3 months. This helps to free some space on your computer’s hard drive.
In Windows 8.1, there is an additional option – Send samples automatically when further analysis is required. Enabling it prevents the somewhat annoying sample submission dialog from appearing. I recommend leaving this one ticked unless you must follow extremely strict privacy rules.
Those very concerned about their privacy can open the MAPS tab and select the I don’t want to join MAPS option. This will disable sending basic information about detected items to Microsoft.
Others can safely choose Basic membership here.
Finally, open the Administrator tab and make sure the Turn on Windows Defender (in Windows 8) or Turn on this app(Windows 8.1) check box is ticked.
Click Save changes.
You can now safely close Windows Defender. Did you know that keyboard shortcut for closing most desktop programs and Modern UI/Windows Store/Metro apps is ALT+F4?
Windows 10 simplifies Windows Defender settings even more, and uses Modern UI (aka Metro) Settings app for configuration.
First, enable the Real-time protection switch to turn on Windows Defender. If this switch is off, other settings are unavailable (grayed out).
The Cloud-based protection switch is safe for most of us. Only those who require extreme privacy can disable this option.
Sample submission is similar to the previous settings, so leave this one on.
Again, please leave all exclusion options alone unless you are an IT professional and you really know possible consequences of what you are doing.
You can close the Settings app now.
In Windows 8 and 8.1, Windows Defender has no icon in Taskbar Notification Area (aka System Tray), so it is best to check Action Center icon (the white flag) once in a while. If it has a red circle with white X mark, something is wrong. Click the icon to see the list of detected problems – these might or might not be related to Windows Defender.
Windows 10 version of Windows Defender brings back the System Tray icon. If it has no overlay icons, everything is working fine. You can click or right-click the icon to open the desktop program.
If the icon has a red circle with white cross, something is wrong – for example, a malware detection ocurred and cleanup requires your attention.
In case the icon has a green spinning circle, a scheduled or manual scan is in progress – you do not need to take any action.
In case of “Windows Defender needs to scan your computer” message in Action Center, click or tap it to run a quick scan. The program runs a malware scan during every scheduled maintenance plan (3:00 AM daily by default), and you see the warning below if Windows Defender misses several scans in a row.
If Action Center displays Update virus protection (Important) and Update spyware protection (Important)messages, click either one to open Windows Defender and download the latest signatures using the Update tab.
In case updates fail all the time, follow instructions in the Reinstall Windows Update tutorial.
If you see the Turn on virus protection (Important) and Turn on spyware protection (Important) messages or toasts, click either one and wait until Windows Defender launches. PC status on top of Windows Defender window should soon turn green. After it does, you can safely close the window. Such messages appear if Windows Defender’s real-time scanning has been turned off.
If you see the “Couldn’t start the Windows Defender service” error message, the service has probably been disabled. Click Close.
In Windows 8 and 8.1, open Settings Search (WINDOWS KEY+W), type “services” and click View local services. In Windows 10, open Start menu or Cortana keyboard search (WINDOWS KEY+S) instead.
Scroll down to the Windows Defender Service and verify its Startup Type setting.
In Windows 8 only: if the service has been disabled, right-click the service and select Properties. In Windows 8.1 and 10, you cannot change Windows Defender service settings while Windows is running in normal mode.
Again, in Windows 8 only: in the Windows Defender Service Properties window, set Startup type to Automatic and click Apply. Then click Start in the Service status section and finish by clicking OK.
In Windows 8.1 and 10, you need to boot into Safe Mode first. After signing in, open Start screen or Start menu, type regedit, right-click the result and choose Run as administrator.
Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services and click or tap on WinDefend. Locate Start in the right pane – if its data is set to 0x00000004 (4), the service has been disabled. Double-click the Start entry.
Type 2 (verify that Base is set to Hexadecimal on the right) and click OK. This sets Windows Defender Service to start automatically.
Next, repeat the same action with Start value for WdNisSvc service (Windows Defender Network Inspection Service). Please do not mess with any other values – Registry Editor is a very powerful tool and you might make Windows unbootable.
Close Registry Editor and restart Windows normally to check if Windows Defender starts properly now.
If Windows Defender is unable to start no matter what, run RKill first and then perform a full anti-malware scan with Malwarebytes Anti-Malware without rebooting your computer.
In case malware is detected, a message (aka Toast notification) appears on top right of screen in Windows 8 and 8.1. In Windows 10, the notification pops up right above Taskbar Notification area. You do not need to do anything, because Windows Defender automatically removes or quarantines the threat.
The Toast notification disappears automatically. If no other messages pop up, your computer has been cleaned successfully.
If cleaning needs restarting your device, the following notification appears. Click it to launch Windows Defender, or reboot your PC or tablet.
Click the large Restart now button in Windows Defender window.
Just like with Microsoft Security Essentials, the duplicate message appears. Click Yes to restart your computer.
Your computer will then reboot and Windows Defender will delete the remains of the malware.
In case you see repeating messages about malware detection and/or removal, run RKill to end malicious processes and then launch a full scan with Malwarebytes Anti-Malware.
By default, most infected items are moved to quarantine – a secured folder where these malicious files can not harm your computer. Windows Defender completely deletes the items after three months.
To check or manage quarantined items, open Apps Search in Windows 8 and 8.1 using keyboard shortcut WINDOWS KEY+Q, type “defender” into Search box and click the result. Touch screen users should reveal Charms bar by swiping in from the right edge of screen and then tap/touch Search.
In Windows 10, open Start menu, type “defender” and click or tap the topmost result Windows Defender (Desktop app).
Click History tab and make sure Quarantined items is selected. If you did not enable the Allow all users to view the full History results option (available in Windows 8 and 8.1 only) in Windows Defender settings, you need to click the View details button first (even if you are logged in as an administrator).
If you are just curious and want to know what files got quarantined for what reason, you can click an item in the list and read its description and previous location from the field on the very bottom.
You can select any detected item by ticking its check box on the left and then delete these items by clicking Remove. Or you can use the Remove all button if your device desperately needs more free disk space.
The Restore button is for pros only. Be very-very careful with that – false detection are really rare! Never restore items with Alert level“Severe”, “High” or “Medium”!
Unlike Microsoft Security Essentials, Windows Defender has no configuration options for scheduled scanning in its GUI (Graphical User Interface), but you still might want to automatically run a full monthly scan.
In Windows 8.1 and 10, a quick scan is performed during the daily scheduled maintenance (3:00 AM by default) along with Windows Update and other tasks. If the schedule is missed or cancelled by a restart/shutdown, the scan runs shortly after starting or restarting your device the next time.
Action Center’s white flag in Windows 8 and 8.1 has a black clock overlay during the automatic maintenance.
In case no scanning has been performed for a prolonged time, Action Center will notify about this, stating “Windows Defender needs to scan your computer”.
To schedule Windows Defender scanning in Windows 8 and 8.1, open Settings Search using keyboard shortcut WINDOWS KEY+W, type “schedule” into Search box and click Schedule tasks. Touch screen owners should first swipe in from the right edge of screen – this opens Charms bar where you can click the Search icon.
In Windows 10, open Start menu, type “schedule” and click Task Scheduler.
Right-click Task Scheduler (Local) on the left side and select Create Basic Task.
Create Basic Task Wizard opens. Type a descriptive name for the scanning task and click Next.
If you want to run quick weekly scans in Windows 8, set the frequency to Weekly (Windows 8.1 and 10 already have a quick scan scheduled by default).
For full scans, choose Monthly instead – these scans might take hours to complete.
Set a weekday and time for quick scans; or select all months and a specific day and time for full scans.
Because you cannot limit CPU usage, choose a time when your device is most probably running, but not in very active use – during scanning, your computer slows down.
In action selection, the default Start a program is fine.
Navigate to C:\Program Files\Windows Defender folder and double-click MpCmdRun.exe. This is the executable file that allows performing common tasks in Windows Defender.
Depending on folder options, you might not see the “.exe” and “.dll” extensions.
For a weekly quick scan, type “-Scan -ScanType 1” into Add arguments (optional) field. To perform a full scan, type “-Scan -ScanType 2” instead.
We’re almost finished here. Enable the Open the Properties dialog for this task when I click Finish option before clicking or tapping the Finish button.
Task Properties window opens in General tab. Click Change User or Group button in Security options section.
In the Enter the object name to select field, type system and click Check Names. The name should then turn into capital letters and become underlined. Click OK.
This chooses a built-in account with highest level of user rights for the Windows Defender scan. SYSTEM account is also always logged on.
Back in the General tab of the Task, tick the Run with highest privileges check box. This allows Windows Defender to run with elevated rights and ensures all malware really is removed.
Open Settings tab and turn on the Run task as soon as possible after a scheduled start is missed option. If your computer is turned off or you are not signed in at scheduled time, the scanning will start after you log in to Windows the next time.
Click OK to close the Task Properties window.
At scheduled times, a black Command Prompt window appears. It will close automatically after the scanning is complete.
If you are not satisfied that Windows Defender signature databases are updated only when Windows Update checks for patches (once a day), you can follow almost the same steps above.
Create a new Basic Task, but set its frequency to Daily and set start time to 12:00 AM (or 00:00 in 24-hour format).
In the Action, Start a Program dialog, browse to the same MpCmdRun.exe file, but set its argument to “-SignatureUpdate”.
After you’ve created the task and opened its properties, click Triggers tab, click the existing schedule and click Edit.
Enable the Repeat task every option and set the frequency to 4 hours. The item is not in the list, but you can select 1 hour and replace “1” with “4”.
Then click OK and close Task Properties.
Now Windows Defender updates its signatures every 4 hours. Every time, a black Command Prompt window opens and closes automatically.
Please note that this does not mean that Windows Update runs every 4 hours – you’ve only scheduled Windows Defender update