Forum Discussion

unslog
Copper Contributor
Dec 28, 2024

Get-MpComputerStatus output is blank


Hello,


We recently transitioned from ESET AV to a solution that uses the Microsoft Defender engine. However, we're encountering an issue where domain-joined VMs running Windows Server 2022 return no output when executing the following command:


Get-MpComputerStatus | Select AntivirusEnabled


The antivirus application (Heimdal Next-Gen Antivirus) relies on this output to verify that real-time scanning is enabled.


We have tried several troubleshooting steps, including rebooting the machines, running the command Dism /Online /Enable-Feature /FeatureName:Windows-Defender, and checking the registry to ensure that Defender is not in passive mode. However, the issue persists.

Has anyone encountered a similar issue, or can anyone suggest additional steps to resolve this?

Any help would be greatly appreciated!


9 Replies

  • SnowDev
    Copper Contributor

    Try reregistering Defender's ProtectionManagement CIM Provider.

    Don't know why this randomly occurs, but classes such as MSFT_MpComputerStatus (Get-MpComputerStatus) or MSFT_MpPreference (Set-MpPreference) randomly stop reporting / being accessible, even though properties are defined and Defender appears otherwise functional.

    I've found this to work on several recent devices ...

    Register-CimProvider -ProviderName ProtectionManagement -Namespace root\Microsoft\Windows\Defender -Path <path of ProtectionManagement.dll> -Impersonation True -HostingModel LocalServiceHost -SupportWQL -ForceUpdate


    A more complete version, based on the RealTimeProtectionEnabled state being found missing, with the DLL path declaration included...

    # Run from an elevated PowerShell: Register-CimProvider writes to the WMI repository.
    $DefenderNamespace = "root\Microsoft\Windows\Defender"
    $DefenderClass = "MSFT_MpComputerStatus"
    
    function Get-LatestProtectionManagementDllPath {
        # Each installed platform version has its own folder under
        # %ProgramData%\Microsoft\Windows Defender\Platform; the provider DLL lives in it.
        # The most recently written folder is taken as the active platform.
        $defenderPlatformPath = Join-Path -Path $env:ProgramData -ChildPath "Microsoft\Windows Defender\Platform"
        $latestVersionDir = Get-ChildItem -Path $defenderPlatformPath -Directory | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    
        if (-not $latestVersionDir) {
            Write-Error "No version directories found under: $defenderPlatformPath"
            return $null
        }
    
        $dllPath = Join-Path -Path $latestVersionDir.FullName -ChildPath "ProtectionManagement.dll"
        if (-not (Test-Path $dllPath)) {
            Write-Error "ProtectionManagement.dll not found in: $($latestVersionDir.FullName)"
            return $null
        }
    
        return $dllPath
    }
    
    function Reregister-ProtectionManagementDLL {
        $dllPath = Get-LatestProtectionManagementDllPath
        if (-not $dllPath) {
            return $false
        }
    
        try {
            # -ForceUpdate overwrites the existing (broken) registration; -SupportWQL restores
            # query support so Get-CimInstance/Get-MpComputerStatus can enumerate instances again.
            Register-CimProvider -ProviderName ProtectionManagement `
                                 -Namespace $DefenderNamespace `
                                 -Path $dllPath `
                                 -Impersonation True `
                                 -HostingModel LocalServiceHost `
                                 -SupportWQL `
                                 -ForceUpdate
    
            Write-Host "Successfully re-registered ProtectionManagement provider."
            return $true
        } catch {
            Write-Error "Error during provider re-registration: $_"
            return $false
        }
    }
    
    function Check-RealtimeProtectionStatus {
        try {
            $status = Get-CimInstance -Namespace $DefenderNamespace -ClassName $DefenderClass -ErrorAction Stop
            # No instance returned => $status is $null, the property is $null and we fall to 'default' (NotFound).
            switch ($status.RealTimeProtectionEnabled) {
                $true  { return "Running" }
                $false { return "NotRunning" }
                default { return "NotFound" }
            }
        } catch {
            Write-Warning "Unable to retrieve RealTimeProtectionEnabled instance from $DefenderClass in $DefenderNamespace. Exception: $_"
            return "Exception"
        }
    }
    
    # --- MAIN  ---
    
    $status = Check-RealtimeProtectionStatus
    Write-Host "Current RealTimeProtectionEnabled Status: $status"
    
    if ($status -eq "NotFound" -or $status -eq "Exception")  {
        Write-Host "Attempting to re-register Windows Defender's ProtectionManagement provider..."
        if (-not (Reregister-ProtectionManagementDLL)) {
            Write-Error "Failed to re-register the provider. Exiting."
            #exit 1
        }
    
        # Give WMI a moment to load the provider before querying again.
        Start-Sleep -Seconds 5
        $status = Check-RealtimeProtectionStatus
        Write-Host "Post-registration RealTimeProtectionEnabled Status: $status"
    
        if ($status -eq "NotFound" -or $status -eq "Exception")  {
            Write-Error "ERROR: RealTimeProtectionEnabled instance still missing after re-registration."
            #exit 1
        }
    }
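
A read-only diagnostic that separates the cases this thread mixes together: Defender genuinely off, the Defender CIM namespace missing (platform install problem), or the namespace and class present but the ProtectionManagement provider returning nothing (the case SnowDev's re-registration fixes). It is an added example, not code from the thread or from Microsoft; the namespace, class and provider names are the real ones quoted above, while the field names and the diagnosis strings are this script's own. It deliberately never calls Get-MpComputerStatus, so it still reports something when that cmdlet is blank.

```powershell
# Added example (not from the thread). Read-only: nothing is registered or changed.
$DefenderNamespace = 'root\Microsoft\Windows\Defender'

function Get-DefenderProviderHealth {
    $result = [ordered]@{
        ServiceState       = $null   # WinDefend state, taken from Win32_Service (does not touch the Defender provider)
        ServiceBinary      = $null   # path of the running MsMpEng.exe => which Platform folder is actually in use
        NamespaceExists    = $false  # root\Microsoft\Windows\Defender present at all?
        ClassVisible       = $false  # MSFT_MpComputerStatus class definition present?
        ProviderRegistered = $false  # __Win32Provider record for 'ProtectionManagement' present?
        InstanceReturned   = $false  # does the class actually yield an instance?
        RealTimeProtection = $null
        Diagnosis          = $null
    }

    # 1. Service view, independent of the Defender CIM provider.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinDefend'" -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServiceState  = $svc.State
        $result.ServiceBinary = $svc.PathName
    }

    # 2. Namespace present? Child namespaces are listed as __NAMESPACE instances of the parent.
    $child = Get-CimInstance -Namespace 'root\Microsoft\Windows' -ClassName __NAMESPACE -ErrorAction SilentlyContinue |
             Where-Object Name -eq 'Defender'
    $result.NamespaceExists = [bool]$child

    if ($result.NamespaceExists) {
        # 3. Class definition visible? (SnowDev's symptom: properties defined, but no instances.)
        $cls = Get-CimClass -Namespace $DefenderNamespace -ClassName MSFT_MpComputerStatus -ErrorAction SilentlyContinue
        $result.ClassVisible = [bool]$cls

        # 4. Provider registration record present?
        $prov = Get-CimInstance -Namespace $DefenderNamespace `
                    -Query "SELECT * FROM __Win32Provider WHERE Name='ProtectionManagement'" -ErrorAction SilentlyContinue
        $result.ProviderRegistered = [bool]$prov

        # 5. Does the class actually produce an instance?
        try {
            $inst = Get-CimInstance -Namespace $DefenderNamespace -ClassName MSFT_MpComputerStatus -ErrorAction Stop
            if ($inst) {
                $result.InstanceReturned   = $true
                $result.RealTimeProtection = $inst.RealTimeProtectionEnabled
            }
        } catch {
            # Keep the provider's own error text; it usually names the failing component.
            $result.Diagnosis = "Query failed: $($_.Exception.Message)"
        }
    }

    if (-not $result.Diagnosis) {
        # First matching condition wins; 'break' leaves the switch.
        $result.Diagnosis = switch ($true) {
            { -not $result.NamespaceExists }                                  { 'Defender CIM namespace missing: platform install is broken (reinstall or revert the platform)'; break }
            { -not $result.ProviderRegistered -or -not $result.ClassVisible } { 'Class or provider registration missing: re-register ProtectionManagement'; break }
            { -not $result.InstanceReturned }                                 { 'Provider registered but returns no instance: re-register ProtectionManagement, then reboot'; break }
            { $result.ServiceState -ne 'Running' }                            { 'CIM is fine but WinDefend is not running: check DisableAntiVirus / DisableAntiSpyware and Group Policy'; break }
            default                                                           { 'Healthy: Get-MpComputerStatus should return data' }
        }
    }

    [pscustomobject]$result
}

Get-DefenderProviderHealth | Format-List
```

Run it before and after the re-registration script: a device that goes from `InstanceReturned = False` to `True` with `ServiceState = Running` throughout confirms the problem was the WMI provider and not the antivirus itself. `ServiceBinary` is also the quickest way to see which platform version is really loaded when deciding whether a platform reinstall or rollback is the right next step.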




  • mew-tuesday
    Copper Contributor

    Also experiencing this exact issue; somehow, randomly and out of nowhere, three devices have started not responding to this command.


    Anyone know a fix?

    • yidong223
      Copper Contributor

      Same here; only one of the devices in our entire org started experiencing this issue last week.

  • mp_marius
    Copper Contributor

    Hi unslog,

    I'm not sure if this applies to the issue you're facing, but we also observed in some cases that Get-MpComputerStatus did not return any information. Defender Antivirus was running properly, as we confirmed by checking the Defender operational logs in Event Viewer and running EICAR tests.

    In some cases we fixed the issue by reinstalling the antivirus platform or by reverting to a previous platform.

    Download platform from Microsoft update catalog: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4052623

    Platform revert: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-updates#how-to-roll-back-an-update


  • TSaL
    Copper Contributor

    Does the command Get-MpComputerStatus work?

    • unslog
      Copper Contributor

      Hi,

      No, Get-MpComputerStatus doesn't work.

  • Tim Beer
    Copper Contributor

    The most common thing I have seen while migrating from another AV is this key:

    HKLM:\Software\Microsoft\Windows Defender

    with DisableAntiVirus having been set to 1 by the 3rd-party product.


    Also, it's worth checking Local Group Policy; I've seen this a lot of times too:

    gpedit.msc

    Computer Configuration > Windows Components > Microsoft Defender Antivirus

    Ensure "Turn Off Defender" is not Enabled.

    Finally, also check that Domain Group Policy is not turning it off.
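
The checks in this reply, plus the passive-mode check from the original post, as one script. This is an added example, not code from the thread: the first registry path and the DisableAntiVirus value are the ones named above; the other value names (DisableAntiSpyware, DisableRealtimeMonitoring under the policy hive, ForceDefenderPassiveMode) are the documented registry backings of the "Turn off Microsoft Defender Antivirus" and real-time protection policies and of Defender for Endpoint's forced passive mode, added here because a migration commonly leaves one of them behind. The Source/Blocking labels are this script's own.

```powershell
# Added example (not from the thread). Read-only audit of the settings that turn Defender off
# or force it passive. Policy-hive values come from Group Policy (local or domain) and take
# precedence over the plain HKLM\SOFTWARE\Microsoft key, which is what 3rd-party AV installers write.
function Get-DefenderDisableState {
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                               Name = 'DisableAntiVirus';          Source = 'Local key (3rd-party AV / installer)' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                               Name = 'DisableAntiSpyware';        Source = 'Local key (3rd-party AV / installer)' }
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware';        Source = 'Group Policy: Turn off Microsoft Defender Antivirus' }
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring'; Source = 'Group Policy: Turn off real-time protection' }
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection';    Name = 'ForceDefenderPassiveMode';  Source = 'MDE policy: force passive mode' }
    )

    foreach ($c in $checks) {
        $value = $null
        if (Test-Path -Path $c.Path) {
            # Absent value => $null (Get-ItemProperty would otherwise raise a non-terminating error).
            $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        [pscustomobject]@{
            Source   = $c.Source
            Path     = $c.Path
            Name     = $c.Name
            Value    = $value
            Blocking = ($value -eq 1)   # 1 = this setting turns Defender off / forces passive mode
        }
    }
}

$state = Get-DefenderDisableState
$state | Format-Table Source, Name, Value, Blocking -AutoSize

if ($state.Blocking -contains $true) {
    Write-Warning 'At least one setting disables Defender. Clear a local value with Remove-ItemProperty (elevated); fix a policy value in gpedit.msc or the domain GPO, then run gpupdate /force.'
} else {
    Write-Host 'No disable/passive-mode value found; if Get-MpComputerStatus is still blank, suspect the WMI provider rather than policy.'
}
```

Remediation needs an elevated shell, and if Tamper Protection is on it will refuse direct edits to the local Windows Defender key, which is the expected behaviour: change the setting through policy or the management tool instead of the registry. Note that a policy-hive value reappearing after `gpupdate` means a domain GPO is still setting it, which is the last point in the reply above.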
