Detections: Microsoft Defender Monitoring
Watch Microsoft Defender across your managed Windows devices and surface threat detections in near real time, from one place.
K12Panel can watch Microsoft Defender on your managed Windows devices and surface threat detections in near real time — so your team learns about malware from one place instead of a separate console or after the fact. This article covers what it does, how to turn it on, where to see results, and how to get notified.
What It Does
When Defender monitoring is enabled for a device, the K12Panel agent reports Microsoft Defender threat detections (the same events Defender records) up to K12Panel as they happen. You get:
- A fleet-wide Detections view — every threat across your managed Windows devices in one list.
- Per-device Defender details — what was found on a machine, plus its antivirus status.
- Antivirus awareness — which antivirus is actually active on each device, so you can tell whether Defender is really protecting it.
- Email alerts when a serious threat is detected.
Because schools run a mix of antivirus products, the feature is opt-in and can be turned on or off per organization and per device. It covers Microsoft Defender on Windows only — third-party antivirus threats are not included.
Turning Monitoring On or Off
There are two levels of control, and a per-device setting always wins over the org default.
Organization default
- Go to Settings and set Defender Monitoring (default) ON or OFF.
- Every device that hasn’t been individually overridden updates automatically — connected devices within moments, others at their next check-in.
Per-device override
- Open the device from Assets and click the Defender tab.
- Under Defender Monitoring, choose Inherit org default, Force ON, or Force OFF.
The tab shows the device’s current effective state (Enabled or Disabled). When you first enable monitoring on a device, K12Panel starts watching from that moment forward — it does not pull in past detections. If you later turn monitoring off, detections already captured are still delivered.
Where to Find Detections
The Detections view (whole fleet)
Open Detections from the left menu. At the top is a fleet coverage summary of your Windows devices:
- Protected — monitored, with Defender active.
- Monitored but passive — monitoring is on but Defender is running passively (a blind spot).
- Not monitored — monitoring is off for the device.
- Awaiting inventory — monitored, but the device hasn’t reported antivirus status yet.
Below are quick counts (Active/uncontained, Contained, Acknowledged, Gap) and filter tabs. You can filter by date range and Export CSV (the export includes the full set for the selected filter and dates). Each row links to its device and shows when that device was last seen.
The Defender tab (one device)
On any device, the Defender tab shows monitoring status and controls, antivirus status (whether Defender is present and active, its running mode, real-time protection state, signature/engine versions, and any other registered AV products), and every detection recorded on that device.
Understanding What You See
A detection
Each detection shows when it was detected, the threat name, severity (Severe, High, Moderate, Low), category, the action Defender took (Quarantine, Remove, Allow), and the file path involved. If Defender finds a threat and then acts on it, K12Panel keeps everything on a single row and updates it to the latest outcome — one clear entry per threat.
Active threats vs. handled detections
- Contained — Defender quarantined, removed, cleaned, or blocked it. Nothing to do.
- Active (uncontained) — detected but not neutralized (Defender allowed it, or cleanup failed). These need a human.
K12Panel highlights active threats: a red counter appears next to Detections in the left menu, a badge appears on each device’s Defender tab, and active rows are highlighted in the Detections view. EICAR test detections auto-quarantine, so they show as Contained.
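The Contained-versus-Active split above can be reproduced locally from Defender's own detection history. The script below is an added example, not K12Panel agent code: it reads detections with the Defender PowerShell module, collapses repeated status changes for the same threat into one row with the latest outcome, and labels each row Contained or Active using the same rule the article describes. The numeric status and severity codes are the ones documented for the MSFT_MpThreatDetection and MSFT_MpThreat classes as assumed here; verify them against your Defender build. The 30-day window is an arbitrary default.

```powershell
# Added example (not K12Panel's own agent code). Requires the Defender PowerShell
# module that ships with Windows 10/11 and Windows Server.

# ThreatStatusID codes as documented for MSFT_MpThreatDetection (assumption: verify on your build).
$StatusNames = @{
    0 = 'Unknown'; 1 = 'Detected'; 2 = 'Cleaned'; 3 = 'Quarantined'; 4 = 'Removed'
    5 = 'Allowed'; 6 = 'Blocked'; 102 = 'QuarantineFailed'; 103 = 'RemoveFailed'
    104 = 'CleanFailed'; 105 = 'AllowFailed'; 106 = 'Abandoned'; 107 = 'BlockFailed'
}
# SeverityID codes as documented for MSFT_MpThreat (assumption: verify on your build).
$SeverityNames = @{ 0 = 'Unknown'; 1 = 'Low'; 2 = 'Moderate'; 4 = 'High'; 5 = 'Severe' }
# Outcomes that mean Defender neutralized the threat: the article's "Contained".
# Everything else (Detected, Allowed, any *Failed, Abandoned) stays Active.
$ContainedStatuses = @(2, 3, 4, 6)

function Get-ThreatRows {
    param([datetime]$Since = (Get-Date).AddDays(-30))

    # Threat catalogue (name, severity) keyed by ThreatID, joined to each detection record.
    $threats = @{}
    Get-MpThreat -ErrorAction SilentlyContinue | ForEach-Object { $threats[$_.ThreatID] = $_ }

    Get-MpThreatDetection -ErrorAction Stop |
        Where-Object { $_.InitialDetectionTime -ge $Since } |
        Group-Object ThreatID |
        ForEach-Object {
            # Latest status change wins, so "Detected" followed by "Quarantined" is one row.
            $latest = $_.Group | Sort-Object LastThreatStatusChangeTime -Descending | Select-Object -First 1
            $first  = $_.Group | Sort-Object InitialDetectionTime | Select-Object -First 1
            $t      = $threats[$latest.ThreatID]
            $code   = [int]$latest.ThreatStatusID

            $name     = if ($t) { $t.ThreatName } else { "ThreatID $($latest.ThreatID)" }
            $severity = if ($t -and $SeverityNames.ContainsKey([int]$t.SeverityID)) { $SeverityNames[[int]$t.SeverityID] } else { 'Unknown' }
            $status   = if ($StatusNames.ContainsKey($code)) { $StatusNames[$code] } else { "Code $code" }
            $state    = if ($ContainedStatuses -contains $code) { 'Contained' } else { 'Active' }

            [pscustomobject]@{
                Detected = $first.InitialDetectionTime
                Updated  = $latest.LastThreatStatusChangeTime
                Threat   = $name
                Severity = $severity
                Status   = $status
                State    = $state
                Path     = ($latest.Resources -join '; ')
                User     = $latest.DomainUser
            }
        }
}

$rows = @(Get-ThreatRows)
$rows | Sort-Object Detected -Descending |
    Format-Table Detected, Threat, Severity, Status, State, Path -AutoSize

$active = @($rows | Where-Object State -eq 'Active')
if ($active.Count -gt 0) {
    Write-Warning "$($active.Count) active (uncontained) threat(s) on this device need a human."
} else {
    Write-Output "No active threats: every detection in the window is contained."
}
```

Run it in an elevated PowerShell session on a managed device. An EICAR test file produces a row whose status moves from Detected to Quarantined and therefore ends up Contained, which matches what the Detections view shows. The same history is also written to the Microsoft-Windows-Windows Defender/Operational event log (event 1116 for a detection, 1117 for the action taken, 1118 and 1119 when the action failed), which is the kind of source an agent subscribes to for near real-time reporting.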
Acknowledging an Active Threat
Sometimes an active threat is expected or already handled out of band — a known tool, a false positive, or a machine you’ve already reimaged. A manager or above can Acknowledge it: on the device’s Defender tab, click Acknowledge, pick a reason (false positive, allowed tool, remediated out-of-band, accepted risk, or other), and add an optional note.
- Acknowledging removes it from the active count but stays honest — it doesn’t pretend the threat was cleaned. The detection remains visible under the Acknowledged filter, with who acknowledged it and why, and the action is logged.
- It’s reversible — Un-acknowledge brings it back to active.
- It’s sticky: if the same threat recurs it stays acknowledged, but a genuinely new detection shows up normally.
Antivirus Status and the “Passive” Warning
K12Panel reports which antivirus is active on each device, independent of the monitoring toggle. This matters because if a third-party antivirus is installed, Defender often steps back into a passive mode and stops raising detections. If monitoring is on but Defender is passive, you’d get a false sense of security. When that happens, K12Panel flags a monitoring/passive mismatch — on the device’s Defender tab and in the Detections view summary — so you can decide whether to rely on Defender or turn monitoring off for that device.
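The fields behind the Defender tab's antivirus status, and the monitoring/passive mismatch rule, can be checked on one device with the added example below. It is not K12Panel code: it queries Defender's computer status and the Windows Security Center registration of antivirus products, then applies the article's coverage categories. The `$MonitoringState` parameter stands in for the device's effective K12Panel monitoring state and is an assumption supplied by hand. Decoding `productState` as a bit field is a widely used convention rather than a documented API, so it is marked as an assumption in the code.

```powershell
# Added example (not K12Panel's own agent code). Requires the Defender PowerShell
# module; run elevated so the SecurityCenter2 namespace is readable.
param(
    # Hypothetical stand-in for the device's effective K12Panel monitoring state.
    [ValidateSet('Enabled', 'Disabled')]
    [string]$MonitoringState = 'Enabled'
)

function Get-DefenderAvStatus {
    # Defender's own view of itself; fails on systems where Defender is absent.
    try { $mp = Get-MpComputerStatus -ErrorAction Stop } catch { $mp = $null }

    # Every AV product registered with Windows Security Center (Defender and third parties).
    # Assumption: productState bit 0x10 of the middle byte = enabled, bit 0x10 of the low byte
    # = definitions out of date. This is a common convention, not a documented contract.
    $products = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hex = '{0:X6}' -f [int]$_.productState
            [pscustomobject]@{
                Name      = $_.displayName
                Enabled   = (([int]("0x" + $hex.Substring(2, 2))) -band 0x10) -ne 0
                UpToDate  = (([int]("0x" + $hex.Substring(4, 2))) -band 0x10) -eq 0
            }
        })

    [pscustomobject]@{
        DefenderPresent         = [bool]$mp
        RunningMode             = if ($mp) { $mp.AMRunningMode } else { 'N/A' }   # e.g. 'Normal', 'Passive Mode'
        RealTimeProtection      = if ($mp) { $mp.RealTimeProtectionEnabled } else { $false }
        AntivirusEnabled        = if ($mp) { $mp.AntivirusEnabled } else { $false }
        SignatureVersion        = if ($mp) { $mp.AntivirusSignatureVersion } else { $null }
        EngineVersion           = if ($mp) { $mp.AMEngineVersion } else { $null }
        SignatureAgeDays        = if ($mp) { $mp.AntivirusSignatureAge } else { $null }
        RegisteredProducts      = $products
        OtherRegisteredProducts = @($products | Where-Object { $_.Name -notlike '*Defender*' })
    }
}

function Get-CoverageCategory {
    param([string]$MonitoringState, $Status)
    # Mirrors the Detections view summary: monitoring on + Defender not actively
    # protecting = "Monitored but passive", the blind spot the article warns about.
    if ($MonitoringState -eq 'Disabled') { return 'Not monitored' }
    $defenderActive = $Status.DefenderPresent -and $Status.RealTimeProtection -and ($Status.RunningMode -eq 'Normal')
    if ($defenderActive) { return 'Protected' }
    return 'Monitored but passive'
}

$status = Get-DefenderAvStatus
$status | Select-Object DefenderPresent, RunningMode, RealTimeProtection, SignatureVersion, EngineVersion, SignatureAgeDays | Format-List
$status.RegisteredProducts | Format-Table Name, Enabled, UpToDate -AutoSize

$category = Get-CoverageCategory -MonitoringState $MonitoringState -Status $status
Write-Output "Coverage: $category"
if ($category -eq 'Monitored but passive') {
    $others = ($status.OtherRegisteredProducts | ForEach-Object Name) -join ', '
    Write-Warning "Mismatch: monitoring is on but Defender mode is '$($status.RunningMode)'. Other registered AV: $others"
}
if ($status.SignatureAgeDays -gt 7) {
    Write-Warning "Defender definitions are $($status.SignatureAgeDays) days old."
}
```

A device with a third-party product installed typically reports `RunningMode` as `Passive Mode` with real-time protection off, which the script classifies as Monitored but passive; that is the case where the article suggests either relying on the other product or setting the device to Force OFF. A blank `SignatureVersion` here corresponds to the "no data reported yet" state in the Assets columns, not to an unprotected device.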
Finding Devices by Antivirus (Assets columns + search)
Two optional Assets columns extend this across the fleet: Real-time AV (the product actively protecting the device) and AV Definitions (whether those definitions are up to date). Both are hidden by default; enable them from the Columns dropdown. Natural-language search reaches even more, for example: “show assets running Defender as real-time,” “devices with out-of-date AV definitions,” “machines where Defender is passive,” “assets with no real-time antivirus,” or “Windows devices where Defender monitoring is disabled.” A blank value means “no data reported yet,” not “unprotected.”
Gap Markers
If a device is offline for a long stretch, more history may be missed than K12Panel can backfill. It then records a gap marker — a flagged entry meaning “some detections during this period may not have been captured.” It’s a transparency signal, not a threat.
Email Notifications
K12Panel emails you when an active (uncontained) threat appears — the ones that actually need attention. Auto-contained detections don’t email.
- Manage this on your Profile → Notifications page, where “Defender threat detected” appears alongside other alert types.
- Administrators are subscribed automatically so active threats aren’t missed; you can opt out anytime.
- You’re notified once per threat — follow-up updates don’t repeat. An active threat also raises a dashboard alert that clears automatically once the threat is contained or acknowledged.
Who Can Do What
How It Works (the short version)
- The agent already running on your Windows devices watches Defender’s own threat log and reports detections in near real time.
- Delivery is reliable: if a device briefly loses connection, captured threats are held and delivered once it’s back.
- K12Panel is always the source of truth for the on/off setting; each device keeps itself in sync.
- Detections are retained for 180 days, then automatically aged out.
- Monitoring requires agent version 0.5.0 or higher; older agents don’t relay the telemetry (agents update automatically).
Common Questions
I turned monitoring on but see no detections — is something wrong?
Usually not; it means Defender hasn’t found anything. But check the Defender tab: a passive running mode or mismatch warning means Defender isn’t the active AV. Also confirm the agent is version 0.5.0 or higher.
Does this slow down or change protection?
No. K12Panel only reads and reports what Defender already detects; it doesn’t change protection or take remediation actions itself.
Does enabling it pull in past detections?
No. Monitoring starts from the moment you enable it and goes forward.
A device runs a different antivirus — what should I do?
Set that device’s Defender tab to Force OFF, or leave the org default off if you don’t standardize on Defender.
What’s the difference between Acknowledged and Defender remediating it?
Acknowledging is your decision to stop tracking a threat as active; it never changes what Defender actually did. Remediation (quarantine/remove) is Defender’s own action.
How long are detections kept?
180 days, then they age out automatically.