AMRunningmode -Active or Passive

As Per Microsoft documentation, Get-mpcomputerstatus provide the output of Active or passive status of MDE i.e. via AMRunning Mode When MDE is active, AMRunning Mode shows as Normal When MDE...

micheleariis

MCT

Oct 24, 2024

Sunny2024 Hi, using additional properties from Get-MpComputerStatus and checking the status of services, signature updates and security settings, you can effectively distinguish between devices that are properly in Passive Mode with EDR Block Mode enabled and those that are not supported or not updated.

You can use this:

if ($mpStatus.AMRunningMode -eq 'EDR Block Mode' -and $avSigVersion -and ((Get-Date) - $avSigLastUpdated).Days -lt 7 -and $mpStatus.RealTimeProtectionEnabled -and $mpStatus.AntivirusEnabled) {
# Device is in Passive Mode and healthy
} else {
# Device is unsupported, not updated, or unhealthy
}

Sunny2024
Copper Contributor
Oct 24, 2024
micheleariis >> Thanks for taking time to read the requests and provide a response with the required script. Much appreciated
- micheleariis
  MCT
  Oct 24, 2024
  Sunny2024 I hope it can help you 😊

Forum Discussion

AMRunningmode -Active or Passive

Resources