cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Help with machine is using out of date antimalware client version in the organization script

AmjadGov
Copper Contributor

‎Nov 25 2021 03:36 AM

‎Nov 25 2021 03:36 AM

Help with machine is using out of date antimalware client version in the organization script

This is the script provided by Microsoft to know which machine is using out of date antimalware client version in the organization:

 

//check the antimalware client version
DeviceFileEvents
|where FileName == "MsMpEng.exe"
|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"
|extend PlatformVersion=tostring(split(FolderPath, "\\", 5))
//|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
|order by PlatformVersion desc

 

*********************************

I need to fine tune it to users at domain level, ie we have users in DfE from several domains, and I want to filter reporting back on just the one domain, so in the example in BOLD below, I wanted all users for 'contoso' domain, but results are ZERO, any ideas pls as to what I am doing wrong?

 

//check the antimalware client version
DeviceFileEvents
|where FileName == "MsMpEng.exe"
|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"

| where InitiatingProcessAccountDomain == "contoso"

|extend PlatformVersion=tostring(split(FolderPath, "\\", 5))
//|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
|order by PlatformVersion desc

504 Views
0 Likes
4 Replies
Reply
4 Replies
AnuragSrivastava

‎Nov 26 2021 03:10 AM

‎Nov 26 2021 03:10 AM

Re: Help with machine is using out of date antimalware client version in the organization script

@AmjadGov

Please see if the below query works:

DeviceProcessEvents
|where FileName == "MsMpEng.exe"
|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"
|where AccountDomain contains "contoso"
|extend PlatformVersion=tostring(split(FolderPath, "\\", 5))
|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
| where AccountDomain contains "bp") on PlatformVersion
|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
|order by PlatformVersion desc
0 Likes
Reply
AmjadGov

‎Nov 26 2021 07:13 AM

‎Nov 26 2021 07:13 AM

Re: Help with machine is using out of date antimalware client version in the organization script

Hi @AnuragSrivastava,
Thanks for this, I noticed the extra line further down "| where AccountDomain contains "bp") on PlatformVersion" was that a typo?
I removed and tried, but no luck, btw the reason I had used 'InitiatingProcessAccountDomain' is because that field in a previous script displayed the domain that I was looking for.
Many Thanks
0 Likes
Reply
AnuragSrivastava

‎Nov 29 2021 12:28 AM

‎Nov 29 2021 12:28 AM

Re: Help with machine is using out of date antimalware client version in the organization script

@AmjadGov
That was just a dummy keyword for domain name. Presently I could also "nt authority" in the domain name field and not the actual domain name.
0 Likes
Reply
best response confirmed by AmjadGov (Copper Contributor)
AmjadGov

‎Nov 29 2021 09:19 AM

‎Nov 29 2021 09:19 AM

Solution

Re: Help with machine is using out of date antimalware client version in the organization script

That didn't work, but thanks for trying. I managed to find another way to fix the issue. As the device name also contains the UPN, I used the follow example to get it to work:
|where FileName == "MsMpEng.exe" and DeviceName contains "contoso"
1 Like
Reply