
Detections: Microsoft Defender Monitoring

K12Panel can watch Microsoft Defender on your managed Windows devices and surface threat detections to you in near real time — so your team learns about malware and other threats from one place, instead of logging into a separate console or finding out after the fact. This article explains what the feature does, how to turn it on, where to see results, and how to get notified.

What it does

When Defender monitoring is enabled for a device, the K12Panel agent reports Microsoft Defender threat detections (the same events Defender records on the machine) up to K12Panel as they happen. You get:

  • A fleet-wide Detections view — every threat across your managed Windows devices in one list.
  • Per-device Defender details — what was found on a specific machine, plus that device's antivirus status.
  • Antivirus awareness — K12Panel shows which antivirus is actually active on each device, so you can tell whether Defender is really protecting it.
  • Email alerts — get notified by email when a serious threat is detected.

Because schools run a mix of antivirus products, the feature is opt-in and can be turned on or off per organization and per device.

Good to know: This feature is for Microsoft Defender on Windows devices. Threats from third-party antivirus products are not covered.


Turning monitoring on or off

There are two levels of control. A per-device setting always wins over the organization default.

Organization default

Sets the starting behavior for every Windows device in your organization.

  1. Go to Settings (the gear in the left menu).
  2. Find Defender Monitoring (default) and switch it ON or OFF.

When you change this, every device that hasn't been individually overridden updates automatically — connected devices within moments, others the next time they check in.

Per-device override

Sometimes one machine should differ from the org default (for example, a device that runs a third-party antivirus instead of Defender).

  1. Open the device from Assets.
  2. Click the Defender tab.
  3. Under Defender Monitoring, choose one of:
    • Inherit org default — follow the organization-wide setting.
    • Force ON — always monitor this device.
    • Force OFF — never monitor this device.

The tab shows the device's current effective state (Enabled or Disabled) so you always know what's actually in force.

A note on history: When you first enable monitoring on a device, K12Panel starts watching from that moment forward — it does not pull in older, past detections. If you turn monitoring off, any detections already captured are still delivered.


Where to find detections

The Detections view (whole fleet)

Open Detections from the left menu to see threats across all your managed devices. At the top you'll find quick counts:

  • Total detections
  • Severe — the most serious threats
  • Gap markers — see "Understanding the list" below
  • Devices with a monitoring/passive mismatch — devices where monitoring is on but Defender isn't the active antivirus (so it won't actually catch anything)

Below the counts is the list of detections, newest first. Each row links to the device it came from.

The Defender tab (one device)

On any device, the Defender tab shows:

  • Monitoring status — whether monitoring is on for this device, and the controls to change it.
  • Antivirus status — whether Defender is present and active, its running mode, real-time protection state, and signature/engine versions. If other antivirus products are registered on the machine, they're listed too.
  • Detections — every threat recorded on this specific device.

Understanding what you see

A detection

Each detection includes the essentials at a glance:

  • Detected — when Defender found it
  • Threat — the threat name (e.g., a virus or trojan name)
  • Severity — how serious it is (Severe, High, Moderate, Low)
  • Category — the type of threat (virus, trojan, etc.)
  • Action — what Defender did about it (e.g., Quarantine, Remove, Allow)
  • Path — the file or location involved

If Defender finds a threat and then takes action on it, K12Panel keeps everything on a single row and updates it to show the latest outcome — so you see one clear entry per threat, not a stream of partial updates.

Active threats vs. handled detections

Not every detection still needs your attention. What matters is whether Defender contained the threat:

  • Contained — Defender quarantined, removed, cleaned, or blocked it. Handled; nothing to do.
  • Active (uncontained) — detected but not neutralized: Defender allowed it, or its cleanup failed. These are the ones that need a human.

K12Panel highlights the active ones for you:

  • A red counter appears next to Detections in the left menu showing how many active threats exist across your fleet (similar to the On-ramp counter).
  • The same count appears as a badge on each device's Defender tab, with a banner listing the active threats at the top.
  • In the Detections view, use the Active / Contained / Acknowledged / All filter to focus. Active rows are highlighted in red.

EICAR test detections auto-quarantine, so they show as Contained — they confirm the feature works but won't appear as active threats.

Acknowledging an active threat

Sometimes an active threat is expected or already handled outside K12Panel — a known/allowed tool, a false positive, or a machine you've already reimaged. Rather than leaving the counter red forever, an administrator can Acknowledge it:

  • On the device's Defender tab, click Acknowledge on an active detection, pick a reason (false positive, allowed tool, remediated out-of-band, accepted risk, or other), and add an optional note.
  • Acknowledging removes it from the active count but is honest about reality — it does not pretend the threat was cleaned. The detection stays visible (under the Acknowledged filter) with who acknowledged it and why, and the action is recorded in the activity log.
  • It's reversible — Un-acknowledge brings it back to active.
  • Acknowledging is sticky: if the same threat recurs it stays acknowledged, but a genuinely new threat (a new detection) shows up normally, so you're never blinded to something new.

Only administrators can acknowledge.
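The single-row-per-threat, contained-versus-active, sticky-acknowledge and once-per-threat-alert rules described above, modelled in Python as an added example; this is not K12Panel's code, and the action labels, event field names and sample values are assumptions.

```python
from dataclasses import dataclass

# Actions the article counts as "contained": quarantined, removed, cleaned or
# blocked. These labels are assumed; live Defender action names may differ.
CONTAINED_ACTIONS = {"Quarantine", "Remove", "Clean", "Block"}

@dataclass
class Detection:
    threat: str
    path: str
    detected: str            # first detection time (constructed ISO string)
    action: str              # latest action Defender reported on this threat
    action_success: bool     # a failed cleanup leaves the threat uncontained
    acknowledged: bool = False
    ack_reason: str = ""
    notified: bool = False   # alert e-mail goes out at most once per threat

    @property
    def contained(self) -> bool:
        return self.action in CONTAINED_ACTIONS and self.action_success

    @property
    def active(self) -> bool:
        return not self.contained and not self.acknowledged

class DetectionTracker:
    # One row per (threat, path); later events update that row in place.
    def __init__(self) -> None:
        self.rows: dict[tuple[str, str], Detection] = {}

    def ingest(self, ev: dict) -> tuple[Detection, bool]:
        # Returns the merged row and whether an alert e-mail is due for it.
        key = (ev["threat"], ev["path"])
        row = self.rows.get(key)
        if row is None:
            row = Detection(ev["threat"], ev["path"], ev["detected"],
                            ev["action"], ev["action_success"])
            self.rows[key] = row
        else:  # recurrence: update the outcome, keep any acknowledgement
            row.action, row.action_success = ev["action"], ev["action_success"]
        notify = row.active and not row.notified
        row.notified = row.notified or notify
        return row, notify

    def acknowledge(self, threat: str, path: str, reason: str) -> None:
        row = self.rows[(threat, path)]
        row.acknowledged, row.ack_reason = True, reason

    def active_count(self) -> int:
        return sum(1 for r in self.rows.values() if r.active)
```

Un-acknowledge is the reverse: reset the row's acknowledged flag to False and it counts as active again if it is still uncontained.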

Antivirus status and the "passive" warning

K12Panel reports which antivirus is active on each device, independent of the toggle. This matters because of a common trap: if a third-party antivirus is installed, Microsoft Defender often steps back into a "passive" mode and stops raising detections. If monitoring is on but Defender is passive, you'd get a false sense of security — monitoring is "on," but Defender is silent.

When that happens, K12Panel flags a monitoring/passive mismatch — both on the device's Defender tab and in the count at the top of the Detections view — so you can decide whether to rely on Defender or turn monitoring off for that device.
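The precedence rule from "Turning monitoring on or off" and the passive-mode check above, as an added Python example that is not K12Panel's code. It assumes the device's running mode is the AMRunningMode string that Get-MpComputerStatus reports on Windows; the fleet is constructed.

```python
from typing import Optional

# Running-mode string as reported by Get-MpComputerStatus (AMRunningMode).
# Assumption: only "Normal" means Defender is the active antivirus; values such
# as "Passive Mode" mean a third-party product has taken over and Defender
# will not raise detections.
ACTIVE_MODES = {"Normal"}

def effective_monitoring(org_default: bool, override: Optional[str]) -> bool:
    """Per-device override ("on"/"off") always wins; None inherits the org default."""
    if override == "on":
        return True
    if override == "off":
        return False
    return org_default

def passive_mismatch(monitoring: bool, am_running_mode: str) -> bool:
    """True when monitoring is on but Defender is not the active engine."""
    return monitoring and am_running_mode not in ACTIVE_MODES

# Constructed fleet, one device per situation the article describes.
FLEET = [
    {"name": "lab-01", "override": None,  "mode": "Normal"},
    {"name": "lab-02", "override": None,  "mode": "Passive Mode"},  # third-party AV, still monitored
    {"name": "lib-03", "override": "off", "mode": "Passive Mode"},  # correctly forced off
    {"name": "adm-04", "override": "on",  "mode": "Normal"},
]

def fleet_summary(org_default: bool, fleet=FLEET) -> dict:
    """Counts like the ones at the top of the Detections view."""
    monitored = [d for d in fleet if effective_monitoring(org_default, d["override"])]
    mismatch = [d["name"] for d in monitored if passive_mismatch(True, d["mode"])]
    return {"monitored": len(monitored), "mismatch": mismatch}
```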

Gap markers

If a device is offline or disconnected for a long stretch, there can be more missed history than K12Panel will backfill. In that case it records a gap marker — a flagged entry that means "some detections during this period may not have been captured." It's a transparency signal, not a threat itself.


Email notifications

K12Panel emails you when an active (uncontained) threat appears — the ones that actually need attention. Auto-contained detections (quarantined/removed) don't email; they just appear in the Detections list and history.

  • Manage this on your Profile → Notifications page, where "Defender threat detected" appears alongside the other alert types you can subscribe to.
  • Administrators are subscribed automatically so active threats aren't missed. You can opt out anytime by unchecking it on that page — your choice is remembered.
  • You're notified once per threat; follow-up updates to the same threat won't spam you with repeats. An active threat also raises a dashboard alert linking to the device, which clears automatically once the threat is contained or acknowledged.

Who can do what

Access follows your role in the organization:

Action                                                     Who can do it
See a device's Defender tab (status + detections)          Managers and above
Change the monitoring toggle (org default or per-device)   Administrators only
See the fleet-wide Detections view                         Administrators
Subscribe to email alerts                                  Administrators (subscribed by default; can opt out)

How it works (the short version)

  • The K12Panel agent already running on your Windows devices watches Defender's own threat log and reports detections to K12Panel in near real time.
  • Detections are delivered reliably: if a device briefly loses its connection, captured threats are held and delivered once it's back — nothing is silently dropped.
  • K12Panel is always the source of truth for the on/off setting; each device keeps itself in sync with whatever you've chosen.
  • Detections are retained for 180 days, then automatically aged out.

Frequently asked questions

I turned monitoring on but see no detections. Is something wrong? Usually not. No detections simply means Defender hasn't found anything — which is the goal. But check the device's Defender tab: if it shows a passive running mode or a monitoring/passive mismatch warning, Defender isn't the active antivirus on that machine and won't raise detections until it is.

Does this slow down or change protection on the device? No. K12Panel only reads and reports what Defender already detects. It does not change how Defender protects the machine, and it doesn't take remediation actions itself — Defender handles the response (quarantine, removal, etc.).

Does enabling it pull in past detections? No. Monitoring starts from the moment you enable it on a device and goes forward.

A device runs a different antivirus. What should I do? Set that device's Defender tab override to Force OFF, or leave the org default off for organizations that don't standardize on Defender.

Why did I get a "gap marker"? The device was offline long enough that some detection history couldn't be recovered. It's an honesty flag that there may be a blind spot for that period — not a threat.

Will every admin get flooded with emails? You're emailed only for active (uncontained) threats, once per threat — auto-quarantined detections don't email at all. If it's still too much, opt out under Profile → Notifications.

What's the difference between "Acknowledged" and Defender remediating it? Acknowledging is your decision to stop tracking a threat as active (it's expected, a false positive, or you handled it on the device yourself). It never changes what Defender actually did — the record stays truthful and auditable. Remediation (quarantine/remove) is Defender's own action on the endpoint.