The Management Pack for Windows Defender enables you to monitor the health of your devices running Windows Defender. The management pack uses public Windows Defender PowerShell cmdlets to gather information about various Windows Defender events. These events range from malware detections, to the health state of Windows Defender on the devices. These events can be set-up as alerts, so the admin can take action once they recieve alerts from their end-user devices. There are three different monitoring groups that Windows Defender places devices under based on the state of Windows Defender on them. Protected Endpoints - Inventory will show up under this group if the endpoint has Windows Defender up and running and protected Unprotected Endpoints - Inventory will show up under this group if the endpoint does not have Windows Defender up and running Protected Candidate - Inventory will show up under this group if the endpoint has Windows Defender up and running