Knowing how to check results in Microsoft Defender helps you confirm whether a device is protected, a threat was blocked, or an incident still needs attention.
This guide shows where to find scan outcomes, detection details, and security reports without guessing.
Where Microsoft Defender shows results
Microsoft Defender presents results in several places depending on the product you use.
On Windows, you may review antivirus scan history and protection history.
In Microsoft 365 Defender, you may see alerts, incidents, and investigation timelines.
In Microsoft Defender for Endpoint, results often appear in device pages, action center records, and advanced hunting data.
- Windows Security for local antivirus and scan outcomes
- Microsoft 365 Defender portal for alerts, incidents, and recommendations
- Microsoft Defender for Endpoint for device-level detections and response actions
- Security logs and reports for centralized review and auditing
How to check results in Microsoft Defender on Windows?
If you want to see the outcome of a scan on a Windows PC, start with the Windows Security app.
This is the easiest place to verify whether Microsoft Defender Antivirus found anything and what action it took.
Check Protection history
Open Windows Security, then go to Virus & threat protection and select Protection history.
Here you can review detected threats, blocked items, quarantine actions, and remediation status.
Each entry usually shows the threat name, date, severity, and the action taken.
Common result states include:
- No current threats when the system appears clean
- Threat quarantined when Defender isolated a suspicious file
- Threat removed when the file was deleted or cleaned
- Allowed threat when a user or admin restored access
Review scan details
Under Virus & threat protection, look at the most recent scan information.
Microsoft Defender typically displays the scan type, date and time, and whether threats were discovered.
A quick scan checks common locations, while a full scan inspects more of the system and may take longer.
Use Event Viewer for deeper detail
For advanced troubleshooting, open Event Viewer and review Microsoft Defender logs under Applications and Services Logs.
This is useful if you need timestamps, detection events, or technical records that are not visible in the Windows Security interface.
How to check results in Microsoft 365 Defender?
Microsoft 365 Defender gives security teams a broader view across email, identity, endpoints, and cloud apps.
If you manage a tenant, this portal is where you can confirm alert results and incident status.
Review incidents
Sign in to the Microsoft 365 Defender portal and open Incidents & alerts.
Incidents group related alerts into a single investigation.
You can see whether the incident is active, resolved, or under review, along with the affected assets and timelines.
Look for these details in each incident:
- Severity such as low, medium, high, or informational
- Status such as new, in progress, or resolved
- Affected users and devices
- Evidence and alert count
- Recommended actions from Microsoft Defender
Open alert details
Each alert contains evidence, affected entities, and response history.
This helps you understand whether Defender isolated a device, blocked a payload, detected suspicious behavior, or flagged a phishing attempt.
Alert timelines are especially helpful when you need to verify the order of events.
Check action center results
The Action center shows remediation actions that Microsoft Defender has taken or is waiting to complete.
These actions may include file quarantine, device isolation, URL blocking, or automated investigation results.
Reviewing the action center is important when you need to confirm whether a response succeeded.
How to check Microsoft Defender for Endpoint results?
Microsoft Defender for Endpoint is built for enterprise monitoring.
It shows device-level results that can help you confirm whether detections were contained and whether remediation finished correctly.
Open the device page
From the Defender portal, go to Assets or Devices and open a specific endpoint.
The device page often displays risk level, active alerts, logged-on users, antivirus status, and evidence of recent security actions.
Check machine timeline
The machine timeline is one of the most useful result views in Microsoft Defender for Endpoint.
It lists events such as file creation, process execution, network connections, and alert triggers.
Use it to trace what happened before and after a detection.
Verify remediation status
After Microsoft Defender detects a threat, the platform may take automatic action.
You can confirm whether the response finished by checking the status of the alert, incident, and related action items.
Typical statuses include successful, pending, failed, or partially completed.
How do you tell if Microsoft Defender blocked a threat?
Microsoft Defender usually leaves clear evidence when it blocks or contains something suspicious.
The exact wording depends on the product and platform, but the signs are similar.
- Protection history shows a quarantined or removed item
- The portal generates an alert tied to a malicious file, process, or URL
- An incident is created with one or more correlated alerts
- The action center records isolation, cleanup, or blocking activity
If you are checking whether a file was actually stopped, confirm both the detection and the remediation action.
A detection without a completed remediation may still require follow-up.
How to check scan and security report results?
Microsoft Defender also provides reporting views that are useful for administrators who need trends instead of single-event details.
Reports can help you identify repeated detections, coverage gaps, and devices that need attention.
Security reports in Microsoft 365 Defender
Depending on your license and configuration, you may have access to reports that summarize threat activity, endpoint exposure, phishing attempts, and attack surface trends.
These reports can show whether security posture is improving over time.
Microsoft Defender for Endpoint advanced hunting
Advanced hunting is a query-based feature that lets you investigate detections using Kusto Query Language, or KQL.
It is valuable when you need to check results across multiple devices, users, or time periods.
Queries can reveal alert frequency, remediation outcomes, and related process activity.
Microsoft Defender Antivirus logs
On individual Windows machines, antivirus logs and event records can supplement the built-in interface.
This is helpful when you need to document scan results for troubleshooting or compliance.
What should you do after reviewing the results?
Once you know how to check results in Microsoft Defender, the next step is deciding whether action is still needed.
If Defender removed the threat and the device is clean, you may only need to monitor for repeat detections.
If the threat remains active or the alert is unresolved, investigate immediately.
- Confirm the device is up to date with security intelligence updates
- Review affected accounts and endpoints for signs of lateral movement
- Check whether quarantine or remediation completed successfully
- Use isolation or manual cleanup when automatic actions fail
- Document the incident for future reference or compliance needs
Common reasons results may be unclear
Sometimes Microsoft Defender results are harder to interpret than expected.
This usually happens when the scan type, management layer, or licensing level changes what is visible in the interface.
- No alert appears because the activity was blocked before detection
- Protection history is empty because filtering or retention settings hide older entries
- Incident status is unresolved because investigation is still running
- Device data is missing because onboarding or telemetry is incomplete
If the results do not match what you expect, check the correct portal, verify the device is onboarded, and confirm the user has the right permissions to view security data.
Best places to confirm Microsoft Defender status quickly
For a fast check, use the view that matches your task.
Windows users should start with Protection history, while administrators should review the incident and alert pages in Microsoft 365 Defender.
Endpoint teams can use the device page and machine timeline for deeper analysis.
Matching the result view to the question saves time and reduces confusion.