Privacy and Security View Windows Security Protection History in Windows 11

  • Staff

This tutorial will show you how to view the protection history of Microsoft Defender Antivirus in Windows Security in Windows 11.

The Protection History page in the Windows Security app is where you can go to view recommendations and actions that Microsoft Defender Antivirus has taken on your behalf, Potentially Unwanted Apps that have been removed, or key services (ex: SmartScreen) that are turned off.

Protection History only retains events for 15 days by default, after which they will automatically be cleared from history.


Here's How:

1 Open Windows Security.

2 Click/tap on Protection history. (see screenshot below)


3 If wanted, you can click/tap on the Filters button to select an option to filter your protection history by. (see screenshot below)


4 Events are shown as a series of cards in the protection history. If a card needs your attention you will see one of two colored badges on the card's icon. (see screenshots below step 5)
  • Red - This is a serious item that requires immediate attention.
  • Yellow - This item is not urgent, but should be checked when you can.
Here are a few of the most common entries you may see:

 Malware alerts
If Microsoft Defender Antivirus detects a piece of malware it will be recorded in Protection History.​

Threat found - action needed
This indicates that Microsoft Defender Antivirus has detected a possible threat and needs you to make a decision on how to handle it. Selecting the Actions dropdown at the bottom right corner will let you Quarantine the threat, rendering it harmless, or if you're confident that this item has been falsely identified as a threat you can choose to Allow on device.​

Caution: If you're not sure if the item is safe or not it's best to choose Quarantine. Choosing Allow on device will let the file proceed and if it was in fact a threat, your data. personal information, or device may now be at risk.​

If you choose Allow and later want to undo that action go to the Allowed threats page and you can remove it from the allowed list.​

Threat quarantined
This indicates that the threat has been blocked and quarantined. It has not yet been removed, but should not pose a risk to your data or device at present. There are two actions you can take:​
  • Remove - This removes the threat from your device.
  • Restore - This puts the file back on your device where Defender will once again detect it as a threat and create a new Threat found - action needed item in Protection History. You'll need to go into there and select Allow on device if you're confident this idem is safe.
Threat blocked
This indicates that Defender has blocked and removed a threat on your device. There's no action necessary on your part, though you might want to consider how the threat reached your machine so you can reduce the risk of that occurring again. Common ways a threat might arrive include as an unsafe attachment in email, downloaded from an unsafe web site, or via an infected USB storage device.​

If you believe this to be a "false positive" and that the file is safe you can select Actions and then choose Allow. This threat has already been removed, so Allow only applies to the next time we see this file. You'll need to redownload the file if you want to use it.​

Remediation incomplete
This indicates that Microsoft Defender Antivirus took steps to fix a threat but was unable to successfully finish that cleaning. Select the card to expand it and see what additional steps you need to take.​

 Potentially unwanted apps (PUA)
Potentially unwanted applications are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which may be more harmful or annoying. It doesn't sink to the level of malware but it still does things that you'd probably prefer it not do.​

This app has been blocked
Microsoft Defender SmartScreen has the ability to block potentially unwanted apps before they're installed and if that happens you'll see a blocked event in the Protection History.​

If you believe the block was a mistake and you want to allow the file to run you can select Actions, then Allow. At that point you'll need to redownload the file in order to use it.​

If you choose Allow and later want to undo that action go to the Allowed threats page and you can remove it from the allowed list.​

 An important service is off
Protection history can also notify you if an important service, such as SmartScreen for Microsoft Edge, is turned off. Select the card for that alert, and under Actions you can turn that feature on.​

5 You can click/tap on a listed event to see more details on it. (see screenshots below)

You will be prompted by UAC for administrator approval before allowed to see more details on an event.


That's it,
Shawn Brink

Last edited:

Latest Support Threads

Top Bottom