Every Windows machine in your fleet already runs Microsoft Defender. The problem has never been detection - it's visibility. Defender's findings live on each machine, scattered across hundreds of devices, with no single place to see what's active right now.
Today that changes. K12 Panel now monitors Microsoft Defender across your entire Windows fleet and brings every threat into one place, in near real time. This is one of the biggest additions to Panel this year.
The agent you're already running watches Defender's own threat log and reports detections up to K12 Panel as they happen. Here's what that gets you.
Open Detections from the left menu to see threats across every managed Windows device in one list — no more logging into machines one at a time. At the top, a fleet coverage summary tells you how protected you actually are: how many devices are Protected (monitored, Defender active), Monitored but passive (a blind spot — more on that below), Not monitored, or Awaiting inventory.
Below that: quick counts for Active (uncontained), Contained, and Acknowledged threats, filter tabs to focus, date-range filtering, and Export CSV for audits. Every row links back to the device it came from and shows when that device was last seen.
Not every detection needs you. What matters is whether Defender actually contained the threat:
K12 Panel surfaces the active ones everywhere you're already looking:
Open any Windows asset and you'll find a Defender tab showing that machine's monitoring status, its full antivirus status, and every threat recorded on it — name, severity, category, the action Defender took, and the file path. When Defender finds a threat and then acts on it, Panel keeps everything on one row and updates it to the latest outcome, so you see one clear entry per threat instead of a stream of partial events.
Here's the trap this feature was built to catch: when a third-party antivirus is installed, Microsoft Defender often drops into a "passive" mode and stops raising detections. Monitoring looks "on," but Defender is silent — a false sense of security.
K12 Panel reads which antivirus is actually active on each device and flags a monitoring/passive mismatch when monitoring is on but Defender has stepped back. Two optional Assets columns — Real-time AV and AV Definitions — let you see and sort this across the whole fleet, so you can spot machines with no real-time protection or out-of-date signatures at a glance.
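To confirm a flagged mismatch directly on one machine, the same three signals (Defender's running mode, real-time protection, and signature age) can be read with Defender's own `Get-MpComputerStatus` cmdlet. This is an added example, not K12 Panel's agent code; the function name, the state labels and the three-day staleness threshold are assumptions made for illustration.

```powershell
# Added example, not K12 Panel code. Run locally on the Windows device in question.
$MaxSignatureAgeDays = 3   # assumption: staleness threshold chosen for this example

function Get-DefenderCoverage {
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        # Defender cmdlets or service unavailable (removed, disabled, or broken install)
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            State    = 'DefenderUnavailable'
            Detail   = $_.Exception.Message
        }
    }

    # Security Center lists registered AV products on client editions of Windows;
    # the namespace does not exist on Windows Server, hence SilentlyContinue.
    $registered = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty displayName)

    # AMRunningMode is a string such as 'Normal' or 'Passive Mode'
    if ($status.AMRunningMode -like '*Passive*') {
        $state = 'Passive'
    } elseif (-not $status.RealTimeProtectionEnabled) {
        $state = 'NoRealTimeProtection'
    } elseif ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $state = 'StaleSignatures'
    } else {
        $state = 'Active'
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        State            = $state
        RunningMode      = $status.AMRunningMode
        RealTimeEnabled  = $status.RealTimeProtectionEnabled
        SignatureAgeDays = $status.AntivirusSignatureAge
        SignatureUpdated = $status.AntivirusSignatureLastUpdated
        RegisteredAV     = $registered -join ', '
    }
}

Get-DefenderCoverage | Format-List
```

A `Passive` result alongside a third-party product in `RegisteredAV` is the situation described above: Defender is installed and reporting status, but another product is the one doing real-time scanning.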
The new fields work in AI Search out of the box, on the Assets screen and in Cross Org Search. Try:
If you manage multiple organizations, Cross Org Search now understands all of these too — "devices with active threats except at Sunnydale" checks every org you administer in a single query.
You get an email the moment an active (uncontained) threat appears — auto-contained detections don't email, so you're not buried in noise. Each active threat also raises a dashboard alert linking straight to the device, which clears automatically once the threat is contained. Administrators are subscribed by default; tune it any time under Profile → Notifications.
And when an active threat is expected — a known tool, a false positive, or a machine you've already reimaged — a manager can Acknowledge it with a reason and note. That clears it from the active counter without pretending it was cleaned: the record stays visible and auditable, and it's reversible. Honest by design.
Because schools run a mix of antivirus products, Defender monitoring is off until you enable it. Flipping it on takes about ten seconds:
That sets the default for every Windows device in your organization. Connected devices pick it up within moments; the rest update the next time they check in. Need an exception — say, a machine that runs a third-party AV? Open that device's Defender tab and set its override to Force OFF. Per-device always wins over the org default.
Until you turn this on in Settings, the Detections view, the Threats column, and the alerts above will stay empty. This is the one step that unlocks everything in this post.
For the full walkthrough — coverage states, gap markers, the acknowledge workflow, and who-can-do-what by role — see Knowledge Base → Microsoft Defender Monitoring.
Questions or feedback? Reply to this post or open a support case from any page in K12 Panel.