Defender AV - Active/Passive Mode - Advanced Hunting

While researching how to verify if Defender AV is in active or passive mode I found an Advanced Hunting query that searches "DeviceTvmSecureConfigurationAssessment" and then filters "ConfigurationId" by "scid-2010" as the "Context" column contains the status of Defender AV.
 
So far, I discovered that:
  • "0" = Defender AV is active,
  • "1" = Defender AV is passive,
  • "4" = Defender AV is in "EDR Block Mode"
I am not sure what "Unknown" in the "Context" column means though. Does it mean that Defender AV is not installed, or that it was manually disabled (via registry keys, GPO, ...), or that it is running but not reporting?
0 Replies
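For reference, the query described in the post, as an added example rather than the poster's own: it reads the scid-2010 assessment rows, maps the context value to the modes listed above, and counts devices per mode. It assumes that Context is a dynamic array whose first nested element holds the mode value (so it reads Context[0][0]); that indexing is an assumption and may need adjusting to your tenant's schema.

```kql
// Added example, not from the original post.
// Assumption: for scid-2010 the Context column is a dynamic array and the
// mode value sits at Context[0][0]. Adjust the index if your data differs.
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010"
| extend AvModeRaw = tostring(Context[0][0])
| extend AvMode = case(
    AvModeRaw == "0", "Active",
    AvModeRaw == "1", "Passive",
    AvModeRaw == "4", "EDR Block Mode",
    // Empty or literal "Unknown" context: the table gives no mode; the
    // device still needs a follow-up check (installed? disabled? not reporting?)
    isempty(AvModeRaw) or AvModeRaw == "Unknown", "Unknown",
    strcat("Unexpected value: ", AvModeRaw))
// Keep only the most recent assessment per device
| summarize arg_max(Timestamp, AvMode, IsCompliant, OSPlatform) by DeviceId, DeviceName
// Count devices per mode and list up to 50 device names for each
| summarize DeviceCount = count(), Devices = make_set(DeviceName, 50) by AvMode
| order by DeviceCount desc
```

Devices that fall into "Unknown" or "Unexpected value" are the ones worth verifying directly on the host, since the assessment alone does not distinguish between the possibilities raised in the post.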