AMRunningMode - Active or Passive
As per Microsoft documentation, Get-MpComputerStatus provides the active or passive status of MDE, i.e. via AMRunningMode.
When MDE is active, AMRunningMode shows as Normal.
When MDE is passive, AMRunningMode shows as Passive Mode.
In our environment, EDR Block Mode is on; because of this, for passive status we are seeing the output in PowerShell as EDR Block Mode. We also noticed that when the MDE GUI status output is showing as unsupported or not updated, the PowerShell output is also showing as EDR Block Mode.
As we are planning to automate the check of MDE readiness, how can we ensure that only the endpoints whose MDE status is updated in the GUI are showing as passive, and exclude any unsupported/not updated devices from the automation? Any thoughts on this are much appreciated.
3 Replies
Sunny2024 Hi, using additional properties from Get-MpComputerStatus and checking the status of services, signature updates and security settings, you can effectively distinguish between devices that are properly in Passive Mode with EDR Block Mode enabled and those that are not supported or not updated.
You can use this:
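# Read the Defender status once and pull out the signature fields used below
$mpStatus = Get-MpComputerStatus
$avSigVersion = $mpStatus.AntivirusSignatureVersion
$avSigLastUpdated = $mpStatus.AntivirusSignatureLastUpdated
if ($mpStatus.AMRunningMode -eq 'EDR Block Mode' -and $avSigVersion -and ((Get-Date) - $avSigLastUpdated).Days -lt 7 -and $mpStatus.RealTimeProtectionEnabled -and $mpStatus.AntivirusEnabled) {
    # Device is in Passive Mode and healthy
} else {
    # Device is unsupported, not updated, or unhealthy
}

Sunny2024 (Copper Contributor)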
micheleariis >> Thanks for taking the time to read the request and provide a response with the required script. Much appreciated.
Sunny2024 I hope it can help you 😊
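
For the automation described in this thread, a readiness check is easier to report on when it returns the mode together with the reason a device was excluded. The following is an added example, not code from any of the posts above: the function name Get-MdeReadiness and the sample objects are constructed for illustration, the 7-day threshold is the one used in the reply, and signature age is used here only as a local stand-in for the "not updated" state shown in the GUI.

```powershell
# Added example; Get-MdeReadiness is a hypothetical helper name.
function Get-MdeReadiness {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Status,
        [int] $MaxSignatureAgeDays = 7,   # threshold used in the reply above
        [datetime] $Now = (Get-Date)
    )
    process {
        $reasons = [System.Collections.Generic.List[string]]::new()

        # Only the AMRunningMode values named in this thread are mapped.
        $mode = switch ($Status.AMRunningMode) {
            'Normal'         { 'Active' }
            'Passive Mode'   { 'Passive' }
            'EDR Block Mode' { 'Passive (EDR Block Mode)' }
            default {
                $reasons.Add("Unmapped AMRunningMode '$($Status.AMRunningMode)'")
                'Unknown'
            }
        }

        if (-not $Status.AntivirusEnabled)          { $reasons.Add('AntivirusEnabled is false') }
        if (-not $Status.AntivirusSignatureVersion) { $reasons.Add('No signature version reported') }

        # A missing timestamp is treated as a failure, not as "fresh".
        $updated = $Status.AntivirusSignatureLastUpdated
        if (-not $updated) {
            $reasons.Add('No signature update time reported')
        } elseif (($Now - $updated).TotalDays -ge $MaxSignatureAgeDays) {
            $reasons.Add(('Signatures are {0:N0} days old' -f ($Now - $updated).TotalDays))
        }

        [pscustomobject]@{
            Mode    = $mode
            Ready   = ($reasons.Count -eq 0)
            Reasons = $reasons -join '; '
        }
    }
}

# Constructed sample objects standing in for Get-MpComputerStatus output.
# On an endpoint the call would be: Get-MpComputerStatus | Get-MdeReadiness
$now = Get-Date
@(
    [pscustomobject]@{ AMRunningMode = 'EDR Block Mode'; AntivirusEnabled = $true;  AntivirusSignatureVersion = '1.0.0.0'; AntivirusSignatureLastUpdated = $now.AddDays(-1) }
    [pscustomobject]@{ AMRunningMode = 'EDR Block Mode'; AntivirusEnabled = $true;  AntivirusSignatureVersion = '1.0.0.0'; AntivirusSignatureLastUpdated = $now.AddDays(-30) }
    [pscustomobject]@{ AMRunningMode = '';               AntivirusEnabled = $false; AntivirusSignatureVersion = $null;     AntivirusSignatureLastUpdated = $null }
) | Get-MdeReadiness -Now $now | Format-Table -AutoSize
```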