How to check if Microsoft Defender for Endpoint is running

To check if Microsoft Defender for Endpoint is running on a Windows machine, follow these steps:

1. Check Security Center

• Open the Windows Security Center by going to Settings > Update & Security > Windows Security.
• Select Virus & Threat Protection. This screen will show if Microsoft Defender Antivirus is actively protecting the system.
• Look for Microsoft Defender for Endpoint settings, which indicate whether the Endpoint protection module is active.

2. Using PowerShell

• Open PowerShell as an Administrator.
• Run the following command to check the status:
  Get-MpComputerStatus | Select-Object AMRunningMode

• The output will show if Microsoft Defender Antivirus is active and whether it is in passive or active mode.

3. Event Viewer

• Open Event Viewer (type eventvwr.msc in the Run dialog).
• Go to Applications and Services Logs > Microsoft > Windows > SENSE (if SENSE is available, it typically indicates that Defender for Endpoint is running).
• Look for events related to Microsoft Defender for Endpoint or SENSE to confirm it’s actively monitoring the system.

4. Microsoft Defender for Endpoint Portal

• If you have admin access to the Microsoft Defender for Endpoint portal, go to security.microsoft.com.
• Under Devices, you can check the endpoint status for each device managed under your organization’s license.

5. Task Manager

• Open Task Manager (Ctrl + Shift + Esc).
• Go to the Details tab and look for the MsSense.exe process, which is associated with Defender for Endpoint

6. Command prompt

• Simply run sc query sense in command the prompt.  If service is running, the endpoint is running.

More on Microsoft Defender for Endpoint:

Introduction to Microsoft Defender for Endpoint