Configures scheduled Microsoft Defender antivirus scans and validates real-time protection is enabled
This Automox Worklet™ manages Microsoft Defender scheduled scan settings on Windows endpoints. The Worklet validates and configures the scan schedule, scan type (quick or full), and real-time protection status to match your defined security policy.
The Worklet uses the Set-MpPreference cmdlet to configure Defender settings programmatically. You can customize scan timing using 24-hour format, select specific days of the week or daily scanning, and choose between quick scans and full system scans.
Before applying changes, the Worklet checks whether Microsoft Defender is the active antivirus product. If a third-party security solution has disabled Defender, the Worklet exits gracefully without generating errors. This prevents false failures in mixed antivirus environments.
Consistent antivirus scanning represents a fundamental security control required by frameworks like Cyber Essentials, CIS Benchmarks, and PCI-DSS. Organizations need verification that endpoints maintain active protection and regular scanning schedules.
Managing Defender settings through Group Policy requires Active Directory infrastructure and reliable domain connectivity. Remote and hybrid workers may miss policy updates or have settings drift over time. This Worklet applies settings directly regardless of domain membership or network location.
The Worklet also validates real-time protection status. Users or applications sometimes disable Defender components. Running this Worklet on a schedule detects and corrects these changes automatically, maintaining your security baseline.
Evaluation phase: The Worklet retrieves current Defender preferences using Get-MpPreference and compares them against the configured values for scan-only-if-idle, real-time protection, scan type (1=quick, 2=full), scan time, and scan day. Any mismatch triggers remediation.
Remediation phase: The Worklet first confirms Defender is active by querying the SecurityCenter2 WMI namespace for registered antivirus products. For each setting that deviates from policy, it applies the correct value using Set-MpPreference. Settings include ScanOnlyIfIdleEnabled, DisableRealtimeMonitoring, ScanParameters, ScanScheduleTime, and ScanScheduleDay.
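The evaluation and remediation phases described above can be sketched as a single drift check. This is an added example, not the Worklet's own source: the `Get-DefenderDrift` helper, the `-Remediate` switch, the exit-code convention, and the extra `Get-MpComputerStatus` check are assumptions made for illustration.

```powershell
# Added example, not the Worklet's source. Desired values follow the page's default
# (quick scan, daily, 11 PM local); ScanOnlyIfIdleEnabled = $true is an assumed policy.
param([switch]$Remediate)

$desired = [ordered]@{
    ScanOnlyIfIdleEnabled     = $true
    DisableRealtimeMonitoring = $false                 # real-time protection on
    ScanParameters            = 1                      # 1 = quick, 2 = full
    ScanScheduleTime          = [timespan]'23:00:00'   # local time, 24-hour
    ScanScheduleDay           = 0                      # 0 = every day, 1-7 = Sunday-Saturday
}

function Get-DefenderDrift {   # hypothetical helper: one object per deviating setting
    param($Current, $Desired)
    foreach ($name in $Desired.Keys) {
        $actual = $Current.$name
        if ($actual -is [datetime]) { $actual = $actual.TimeOfDay }   # normalise time of day
        if ($actual -ne $Desired[$name]) {
            [pscustomobject]@{ Setting = $name; Actual = $actual; Expected = $Desired[$name] }
        }
    }
}

# Gate: leave endpoints alone when Defender is not the active antivirus.
# SecurityCenter2 lists registered products; AntivirusEnabled (an added check,
# not described on the page) tells whether Defender's engine is actually on.
$products = (Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
                -ErrorAction SilentlyContinue).displayName
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $status.AntivirusEnabled) {
    Write-Output "Defender not active (registered AV: $($products -join ', ')). Skipping."
    exit 0
}

$drift = @(Get-DefenderDrift -Current (Get-MpPreference) -Desired $desired)
if ($drift.Count -eq 0) { Write-Output 'Compliant: no drift.'; exit 0 }
$drift | ForEach-Object { Write-Output "Drift: $($_.Setting) is '$($_.Actual)', expected '$($_.Expected)'" }
if (-not $Remediate) { exit 1 }   # evaluation only: non-zero means remediation needed

foreach ($d in $drift) {
    $value = $d.Expected
    if ($value -is [timespan]) { $value = [datetime]::Today + $value }   # parameter is DateTime
    $change = @{}; $change[$d.Setting] = $value
    Set-MpPreference @change
}
# Re-evaluate so a setting that did not apply is reported, not assumed fixed.
$left = @(Get-DefenderDrift -Current (Get-MpPreference) -Desired $desired)
exit $left.Count
```

Run it without `-Remediate` from an elevated PowerShell session to list drift only; the final re-evaluation makes a setting that was not applied show up as a non-zero exit code instead of a silent pass.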
Windows 10 or Windows 11 workstations, Windows Server 2016 or later
Microsoft Defender as the active antivirus product (not disabled by third-party AV)
Administrative privileges to modify Defender preferences
Configurable parameters: scanOnlyIfIdleEnabled, enableRealtimeProtection, scanType, scanTime, scanDay
Scan time uses the local endpoint timezone (24-hour format)
After successful remediation, Microsoft Defender performs scheduled scans according to your configured parameters. The default configuration runs quick scans daily at 11 PM local time. Real-time protection remains enabled with antimalware, antispyware, and antivirus engines active. You can verify this change through the Automox Activity Log or by checking the endpoint configuration directly.
Verify the configuration by running Get-MpPreference in PowerShell on any endpoint. The ScanScheduleDay, ScanScheduleTime, and ScanParameters values reflect your policy settings. Subsequent Worklet executions confirm compliance or remediate any drift.
Run this Worklet on a pilot Windows endpoint and review the evaluation output for the Microsoft Defender scan scheduler.
Confirm Automox activity logs show successful completion and exit code 0.
Verify endpoint state using checks aligned with the evaluation script's logic, such as Get-MpPreference, Write-Output, and Select-Object.
Validate remediation effects from script operations such as Get-CimInstance, Where-Object, and Write-Output, then rerun the evaluation to confirm compliance.


A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.