
Windows - Security - Windows Defender Scan Scheduler

Configures scheduled Microsoft Defender antivirus scans and validates real-time protection is enabled

Worklet Details

What the Defender scan scheduler does

This Automox Worklet™ manages Microsoft Defender scheduled scan settings on Windows endpoints. The Worklet validates and configures the scan schedule, scan type (quick or full), and real-time protection status to match your defined security policy.

The Worklet uses the Set-MpPreference cmdlet to configure Defender settings programmatically. You can customize scan timing using 24-hour format, select specific days of the week or daily scanning, and choose between quick scans and full system scans.

Before applying changes, the Worklet checks whether Microsoft Defender is the active antivirus product. If a third-party security solution has disabled Defender, the Worklet exits gracefully without generating errors. This prevents false failures in mixed antivirus environments.

Why schedule Defender scans through Automox

Consistent antivirus scanning represents a fundamental security control required by frameworks like Cyber Essentials, CIS Benchmarks, and PCI-DSS. Organizations need verification that endpoints maintain active protection and regular scanning schedules.

Managing Defender settings through Group Policy requires Active Directory infrastructure and reliable domain connectivity. Remote and hybrid workers may miss policy updates or have settings drift over time. This Worklet applies settings directly regardless of domain membership or network location.

The Worklet also validates real-time protection status. Users or applications sometimes disable Defender components. Running this Worklet on a schedule detects and corrects these changes automatically, maintaining your security baseline.

How Defender scan scheduling works

  1. Evaluation phase: The Worklet retrieves current Defender preferences using Get-MpPreference and compares them against the configured values for scan-only-if-idle, real-time protection, scan type (1=quick, 2=full), scan time, and scan day. Any mismatch triggers remediation.

  2. Remediation phase: The Worklet first confirms Defender is active by querying the SecurityCenter2 WMI namespace for registered antivirus products. For each setting that deviates from policy, it applies the correct value using Set-MpPreference. Settings include ScanOnlyIfIdleEnabled, DisableRealtimeMonitoring, ScanParameters, ScanScheduleTime, and ScanScheduleDay.

Defender scan configuration requirements

  • Windows 10 or Windows 11 workstations, Windows Server 2016 or later

  • Microsoft Defender as the active antivirus product (not disabled by third-party AV)

  • Administrative privileges to modify Defender preferences

  • Configurable parameters: scanOnlyIfIdleEnabled, enableRealtimeProtection, scanType, scanTime, scanDay

  • Scan time uses the local endpoint timezone (24-hour format)

Expected Defender scan configuration state

After successful remediation, Microsoft Defender performs scheduled scans according to your configured parameters. The default configuration runs quick scans daily at 11 PM local time. Real-time protection remains enabled with antimalware, antispyware, and antivirus engines active. You can verify this change through the Automox Activity Log or by checking the endpoint configuration directly.

Verify the configuration by running Get-MpPreference in PowerShell on any endpoint. The ScanScheduleDay, ScanScheduleTime, and ScanParameters values reflect your policy settings. Subsequent Worklet executions confirm compliance or remediate any drift.
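The comparison that the evaluation phase describes can be reproduced by hand as a read-only drift check. The script below is an added example, not the Worklet's own code. The policy values mirror the default described on this page (quick scan, daily, 11 PM); the idle-only value and the exit codes (0 for compliant, 1 for drift) are assumptions.

```powershell
# Added example: read-only drift check against an assumed policy.
# It changes nothing on the endpoint.
$policy = [ordered]@{
    ScanOnlyIfIdleEnabled     = $true                 # assumed; the page does not state a default
    DisableRealtimeMonitoring = $false                # $false means real-time protection is on
    ScanParameters            = 1                     # 1 = quick, 2 = full
    ScanScheduleDay           = 0                     # 0 = every day, 1 = Sunday ... 7 = Saturday
    ScanScheduleTime          = [timespan]'23:00:00'  # 11 PM, endpoint local time
}

try {
    $current = Get-MpPreference -ErrorAction Stop
} catch {
    # Defender preferences cannot be read (for example, Defender is not the
    # active antivirus). Report it and stop without flagging drift (assumption).
    Write-Output "Defender preferences unavailable: $($_.Exception.Message)"
    exit 0
}

# Normalize the schedule time: accept either a TimeSpan or a DateTime value.
$time = $current.ScanScheduleTime
if ($time -is [datetime]) { $time = $time.TimeOfDay }

# Collect every setting whose current value differs from policy.
$drift = foreach ($name in $policy.Keys) {
    $actual = if ($name -eq 'ScanScheduleTime') { $time } else { $current.$name }
    if ($actual -ne $policy[$name]) {
        [pscustomobject]@{
            Setting  = $name
            Expected = $policy[$name]
            Actual   = $actual
        }
    }
}

if ($drift) {
    $drift | Format-Table -AutoSize | Out-String | Write-Output
    exit 1   # assumed convention: non-zero signals that remediation is needed
}

Write-Output 'Defender scan schedule matches policy.'
exit 0
```

Note that DisableRealtimeMonitoring is the inverse of the Worklet's enableRealtimeProtection parameter, so a value of $true here means protection is off.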

How to validate Microsoft Defender scan scheduler changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output for the Microsoft Defender scan scheduler.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state with checks aligned to the evaluation script logic, such as Get-MpPreference, Write-Output, and Select-Object.

  4. Validate the effects of remediation script operations such as Get-CimInstance, Where-Object, and Write-Output, then rerun the evaluation to confirm compliance.


Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
