Forum Discussion
AmjadGov
Nov 25, 2021 | Copper Contributor
Help with machine is using out of date antimalware client version in the organization script
This is the script provided by Microsoft to know which machine is using out of date antimalware client version in the organization: //check the antimalware client version DeviceFileEvents |wher...
AnuragSrivastava
Nov 26, 2021 | Iron Contributor
AmjadGov
Please see if the below query works:
DeviceProcessEvents
|where FileName == "MsMpEng.exe"
|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"
|where AccountDomain contains "contoso"
|extend PlatformVersion=tostring(split(FolderPath, "\\", 5))
|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
| where AccountDomain contains "bp") on PlatformVersion
|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
|order by PlatformVersion desc
- AmjadGov
Nov 26, 2021 | Copper Contributor
Hi AnuragSrivastava,
Thanks for this. I noticed the extra line further down, "| where AccountDomain contains "bp") on PlatformVersion". Was that a typo?
I removed it and tried, but no luck. By the way, the reason I had used 'InitiatingProcessAccountDomain' is because that field in a previous script displayed the domain that I was looking for.
Many Thanks
- AnuragSrivastava
Nov 29, 2021 | Iron Contributor
AmjadGov
That was just a dummy keyword for domain name. Presently I could also see "nt authority" in the domain name field and not the actual domain name.
- AmjadGov
Nov 29, 2021 | Copper Contributor
That didn't work, but thanks for trying. I managed to find another way to fix the issue. As the device name also contains the UPN, I used the following example to get it to work:
|where FileName == "MsMpEng.exe" and DeviceName contains "contoso"
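Added example (not part of the thread and not Microsoft's script): the DeviceName filter from the last reply combined with the platform-version extraction from the earlier query, reduced to the latest version seen per device and sorted numerically. The SampleEvents rows, device names and version strings are constructed; the arg_max and parse_version steps are additions made here.

```kql
// Constructed sample rows standing in for DeviceProcessEvents.
// Replace SampleEvents with DeviceProcessEvents to run against real telemetry.
let SampleEvents = datatable(Timestamp:datetime, DeviceName:string, FileName:string, FolderPath:string)
[
    datetime(2021-11-20), "pc01.contoso.com", "MsMpEng.exe", @"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2109.6-0\MsMpEng.exe",
    datetime(2021-11-28), "pc01.contoso.com", "MsMpEng.exe", @"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2110.6-0\MsMpEng.exe",
    datetime(2021-11-27), "pc02.contoso.com", "MsMpEng.exe", @"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2110.6-0\MsMpEng.exe",
    datetime(2021-11-27), "pc03.contoso.com", "MsMpEng.exe", @"C:\ProgramData\Microsoft\Windows Defender\Platform\4.9.100.1-0\MsMpEng.exe",
    datetime(2021-11-27), "lab01.fabrikam.com", "MsMpEng.exe", @"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2110.6-0\MsMpEng.exe",
    datetime(2021-11-27), "pc02.contoso.com", "notepad.exe", @"C:\Windows\System32\notepad.exe"
];
SampleEvents
| where FileName == "MsMpEng.exe"
| where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"
// Filter on the device name, as in the last reply, instead of an account domain.
| where DeviceName contains "contoso"
// Element 5 of the split path is the version folder under ...\Platform\.
// Indexing with [5] yields the bare string rather than a one-element array.
| extend PlatformVersion = tostring(split(FolderPath, "\\")[5])
// Keep only the most recent observation per device, so a device that has
// already upgraded is not also counted under its old version.
| summarize arg_max(Timestamp, PlatformVersion) by DeviceName
// Drop the "-0" suffix and convert to a comparable number, so that
// 4.18.x sorts above 4.9.x (a plain string sort puts 4.9 first).
| extend SortKey = parse_version(extract(@"^(\d+(?:\.\d+){0,3})", 1, PlatformVersion))
| summarize Devices = dcount(DeviceName), DeviceList = make_set(DeviceName) by PlatformVersion, SortKey
| order by SortKey desc
| project PlatformVersion, Devices, DeviceList
```

Devices listed in the rows below the top version are the ones running an older platform build.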