Forum Discussion
AnuragSrivastava
Feb 08, 2021 Iron Contributor
Windows Defender Antivirus (Active or Passive)
Hi, I need to get a report of machines with status of Windows Defender Antivirus (Active or Passive). As per the document - https://docs.microsoft.com/en-us/windows/security/threat-protection/m...
Wintermute110
Aug 25, 2021 Copper Contributor
AnuragSrivastava Currently having the same issue. Cannot find anything else in the documentation to suggest any other methods to determine MDE's status.
Why it isn't showing as Passive when a 3rd party AV solution is present (as per MS documentation) is beyond me.
AnuragSrivastava
Aug 26, 2021 Iron Contributor
Wintermute110
Use TVM data in Advanced Hunting to get that info. Windows 10 and Windows Server 2019 supported.
Example:
let avmodetable = DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010" and isnotnull(Context)
| extend avdata=parsejson(Context)
| extend AVMode = iif(tostring(avdata[0][0]) == '0', 'Active' , iif(tostring(avdata[0][0]) == '1', 'Passive' ,iif(tostring(avdata[0][0]) == '4', 'EDR Blocked' ,'Unknown')))
| project DeviceId, AVMode;
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2011" and isnotnull(Context)
| extend avdata=parsejson(Context)
| extend AVSigVersion = tostring(avdata[0][0])
| extend AVEngineVersion = tostring(avdata[0][1])
| extend AVSigLastUpdateTime = tostring(avdata[0][2])
| project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable
| join avmodetable on DeviceId
| project-away DeviceId1
Wintermute110
Aug 26, 2021 Copper Contributor
Thanks, that has worked.
Really should be available in the GUI though!
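As an added example (not code from the thread or from Microsoft), the following Advanced Hunting query builds on AnuragSrivastava's approach to turn the per-device mode data into the summary report asked for in the original question. It assumes the same table (DeviceTvmSecureConfigurationAssessment), the same configuration ID (scid-2010) and the same Context layout (avdata[0][0] holding the running-mode code, with 0, 1 and 4 meaning Active, Passive and EDR Blocked as stated above); any other code lands in the Unknown bucket rather than being guessed at.

```kql
// Added example: per-mode device counts for a Defender AV mode report.
// Builds on the thread's query; the mode codes 0/1/4 are the ones given above,
// anything else is reported as Unknown so it can be reviewed rather than hidden.
let avmodetable = DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010" and isnotnull(Context)
| extend avdata = parse_json(Context)
| extend AVModeCode = tostring(avdata[0][0])
| extend AVMode = case(AVModeCode == '0', 'Active',
                       AVModeCode == '1', 'Passive',
                       AVModeCode == '4', 'EDR Blocked',
                       'Unknown')
| project DeviceId, DeviceName, OSPlatform, AVMode, AVModeCode;
// Summary view: how many devices are in each mode, broken down by OS,
// with up to 50 device names per row so Passive/Unknown machines are easy to spot.
avmodetable
| summarize DeviceCount = count(), Devices = make_set(DeviceName, 50) by AVMode, OSPlatform
| order by AVMode asc, DeviceCount desc
```

Running this in the Advanced Hunting portal gives one row per mode and OS platform; drop the summarize line to fall back to the per-device listing, and filter on `AVMode != 'Active'` when you only want the machines that need a closer look (for example, a device reporting Passive because a third-party AV product is installed, as discussed above).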