Protection History in the Windows Security App
Applies To
Windows 11 Windows 10One of the Windows Security app features is protection history, which provides a comprehensive list of actions that Microsoft Defender Antivirus has taken on your behalf, potentially unwanted apps that have been removed, and key services that are turned off.
Note: protection history only retains events for two weeks, after which they'll disappear from the list.
To access this page, open Windows Security and select Protection history, or use the following link:
Protection history
Events are shown as a series of cards in the protection history. Events that need attention are color-coded:
-
Red indicates a serious item that requires immediate attention
-
Yellow indicates an item that is not urgent but that should be checked when you can
By selecting a card, you can expand it and get more details.
Important: You must have admin privileges on this device to review the details of threats in protection history.
The following sections describe the most common events in protection history. Expand each section to learn more:
If Microsoft Defender Antivirus detects malware, it will be recorded under protection history.
|
Alert type |
Description |
|---|---|
|
Threat found - action needed |
Microsoft Defender Antivirus detected a possible threat and needs you to make a decision on how to handle it. Selecting the Actions dropdown lets you Quarantine the threat, rendering it harmless, or if you're confident that this item has been falsely identified as a threat you can choose to Allow on device. Caution: If you're not sure if the item is safe or not it's best to choose Quarantine. Choosing Allow on device will let the file proceed and if it was in fact a threat, your data. personal information, or device may now be at risk. If you choose Allow and later want to undo that action go to the Allowed threats page and you can remove it from the allowed list. |
|
Threat quarantined |
This indicates that the threat has been blocked and quarantined. It has not yet been removed, but should not pose a risk to your data or device at present. There are two actions you can take:
|
|
Threat blocked |
This indicates that Defender has blocked and removed a threat on your device. There's no action necessary on your part, though you might want to consider how the threat reached your machine so you can reduce the risk of that occurring again. Common ways a threat might arrive include as an unsafe attachment in email, downloaded from an unsafe web site, or via an infected USB storage device. If you believe this to be a "false positive" and that the file is safe you can select Actions and then choose Allow. This threat has already been removed, so Allow only applies to the next time we see this file. You'll need to redownload the file if you want to use it. |
|
Remediation incomplete |
This indicates that Microsoft Defender Antivirus took steps to fix a threat but was unable to successfully finish that cleaning. Select the card to expand it and see what additional steps you need to take. |
Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which may be more harmful or annoying. It doesn't sink to the level of malware but it still does things that you'd probably prefer it not do.
If you want to confirm that PUA blocking is turned on for your device see Protect your PC from potentially unwanted applications.
Microsoft Defender SmartScreen has the ability to block potentially unwanted apps before they're installed and if that happens you'll see a blocked event in the Protection History.
If you believe the block was a mistake and you want to allow the file to run you can select Actions, then Allow. At that point you'll need to redownload the file in order to use it.
If you choose Allow and later want to undo that action go to the Allowed threats page and you can remove it from the allowed list.
Protection history can also notify you if an important service, such as SmartScreen for Microsoft Edge, is turned off. Select the card for that alert, and under Actions you can turn that feature on.
Need more help?
Want more options?
Explore subscription benefits, browse training courses, learn how to secure your device, and more.
Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.
