Jul 26 2021 12:06 AM
@peter_george Certainly. I found the script at https://www.reddit.com/r/DefenderATP/comments/lfd5zy/comment/gmynulv/?utm_source=share&utm_medium=we.... Here it is:
// Per-device Defender AV running mode, taken from assessment scid-2010.
let avmodetable = DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010" and isnotnull(Context)
| extend avdata=parsejson(Context)
// Context is a JSON array of arrays; the first value is the mode code.
| extend AVMode = iif(tostring(avdata[0][0]) == '0', 'Active' , iif(tostring(avdata[0][0]) == '1', 'Passive' ,iif(tostring(avdata[0][0]) == '4', 'EDR Blocked' ,'Unknown')))
| project DeviceId, AVMode;
// Signature, engine and last-update details come from assessment scid-2011.
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2011" and isnotnull(Context)
| extend avdata=parsejson(Context)
| extend AVSigVersion = tostring(avdata[0][0])
| extend AVEngineVersion = tostring(avdata[0][1])
| extend AVSigLastUpdateTime = tostring(avdata[0][2])
| project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable
// Default join kind is innerunique, so devices with no scid-2010 row are dropped from the result.
| join avmodetable on DeviceId
| project-away DeviceId1
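As an added example (not code from the Reddit or Tech Community posts), the following Python re-implements the query's decoding of the Context arrays over constructed sample rows, and goes one step further than the query by keeping devices that have signature data but no scid-2010 row at all, which the query's default inner join silently drops. The row layout, device names, ids and version strings are assumptions made for the sample.

```python
import json

def row(dev, name, os_, cid, ctx):
    """Build one row shaped like DeviceTvmSecureConfigurationAssessment (only the columns used)."""
    return {"DeviceId": dev, "DeviceName": name, "OSPlatform": os_, "ConfigurationId": cid, "Context": ctx}

# Constructed sample data (assumption: scid-2010 Context is '[[<mode code>]]' and scid-2011
# Context is '[[<sig version>, <engine version>, <last update>]]', as the query reads them).
SAMPLE_ROWS = [
    row("d1", "ws-01", "Windows10", "scid-2010", '[["0"]]'),
    row("d1", "ws-01", "Windows10", "scid-2011", '[["1.351.1.0", "1.1.18600.4", "2021-10-26T00:00:00Z"]]'),
    row("d2", "ws-02", "Windows10", "scid-2010", '[["1"]]'),
    row("d2", "ws-02", "Windows10", "scid-2011", '[["1.351.1.0", "1.1.18600.4", "2021-10-25T00:00:00Z"]]'),
    row("d3", "ws-03", "Windows10", "scid-2010", '[[null]]'),          # AV not reporting a mode
    row("d3", "ws-03", "Windows10", "scid-2011", '[["", "", ""]]'),
    # Server 2012 R2 with the legacy agent: no scid-2010 row exists at all.
    row("d4", "srv-2012", "WindowsServer2012R2", "scid-2011", '[["1.351.1.0", "1.1.18600.4", "2021-10-20T00:00:00Z"]]'),
]

AV_MODE_BY_CODE = {"0": "Active", "1": "Passive", "4": "EDR Blocked"}

def av_mode(context):
    """Decode scid-2010 Context like the query's nested iif: anything other than
    0/1/4 (including a null or malformed Context) is 'Unknown'."""
    try:
        code = json.loads(context)[0][0]
    except (TypeError, ValueError, IndexError):
        return "Unknown"
    return AV_MODE_BY_CODE.get(str(code), "Unknown")

def av_report(rows):
    """Per-device AV status. Unlike the query's default innerunique join, devices with
    signature data but no scid-2010 row are kept and flagged as 'No mode data'."""
    modes = {r["DeviceId"]: av_mode(r["Context"])
             for r in rows if r["ConfigurationId"] == "scid-2010" and r["Context"] is not None}
    report = []
    for r in rows:
        if r["ConfigurationId"] != "scid-2011" or r["Context"] is None:
            continue
        sig, engine, updated = (str(v) for v in json.loads(r["Context"])[0])
        report.append({"DeviceName": r["DeviceName"], "OSPlatform": r["OSPlatform"],
                       "AVSigVersion": sig, "AVEngineVersion": engine, "AVSigLastUpdateTime": updated,
                       "AVMode": modes.get(r["DeviceId"], "No mode data")})
    return report

def devices_needing_review(rows):
    """Names of devices whose AV mode is Unknown or absent: the ones the thread
    concludes have Defender AV disabled, not installed, or not reporting."""
    return sorted(e["DeviceName"] for e in av_report(rows) if e["AVMode"] in ("Unknown", "No mode data"))
```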
Oct 26 2021 08:46 AM - edited Oct 26 2021 08:48 AM
I noticed the server that shows Unknown is running Windows Server 2012 R2.
The query looks for Microsoft Defender AV data, which is not integrated in 2012 R2, so I am going to assume this query is not able to get the info in question on Windows 2012 R2 machines since Defender does not exist.
(The link on reddit also does not mention any other platform than Windows 10 and Server 2019)
Oct 27 2021 01:27 AM - edited Oct 27 2021 01:29 AM
I just ran this script in a production environment and there are around 500 Windows 10 devices with AVMode "Unknown" which I assume means that Defender AV is completely disabled.
And this is a screenshot of when I run the script in my demo environment (with the "new" MDE agent installed on it ... https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-windows-server-2012.... Defender AV AVMode shows up as "Active" on Windows Server 2012 R2.
Oct 28 2021 07:48 PM - edited Oct 28 2021 07:49 PM
Judging by the new screenshots, I agree that it looks like the unknown status means that AV is completely disabled (service not running or is not installed).