Forum Discussion
Defender AV - Active/Passive Mode - Advanced Hunting
While researching how to verify if Defender AV is in active or passive mode I found an Advanced Hunting query that searches "DeviceTvmSecureConfigurationAssessment" and then filters "ConfigurationId...
Judging by the new screenshots, I agree that it looks like the unknown status means that AV is completely disabled (service not running or is not installed).
AVmode will also show Unknown if SCEP is installed, like I have on a few VERY old machines.