SOLVED

Help with machine is using out of date antimalware client version in the organization script


This is the script provided by Microsoft to find out which machines are using an out-of-date antimalware client version in the organization:


//check the antimalware client version
DeviceFileEvents
|where FileName == "MsMpEng.exe"
|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"
|extend PlatformVersion=tostring(split(FolderPath, "\\", 5))
//|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
|order by PlatformVersion desc


*********************************

I need to fine-tune it to users at domain level, i.e. we have users in DfE from several domains, and I want to filter reporting back on just the one domain. So in the example in BOLD below, I wanted all users for the 'contoso' domain, but the results are ZERO. Any ideas please as to what I am doing wrong?


//check the antimalware client version
DeviceFileEvents
|where FileName == "MsMpEng.exe"
|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"

| where InitiatingProcessAccountDomain == "contoso"

|extend PlatformVersion=tostring(split(FolderPath, "\\", 5))
//|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
|order by PlatformVersion desc

@AmjadGov

Please see if the below query works:

DeviceProcessEvents
|where FileName == "MsMpEng.exe"
|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"
|where AccountDomain contains "contoso"
|extend PlatformVersion=tostring(split(FolderPath, "\\", 5))
|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
| where AccountDomain contains "bp") on PlatformVersion
|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
|order by PlatformVersion desc
Hi @AnuragSrivastava,
Thanks for this. I noticed the extra line further down, "| where AccountDomain contains "bp") on PlatformVersion" - was that a typo?
I removed it and tried, but no luck. By the way, the reason I had used 'InitiatingProcessAccountDomain' is because that field in a previous script displayed the domain that I was looking for.
Many thanks
@AmjadGov
That was just a dummy keyword for the domain name. Presently I could also see "nt authority" in the domain name field and not the actual domain name.
best response confirmed by AmjadGov (Occasional Contributor)
Solution
That didn't work, but thanks for trying. I managed to find another way to fix the issue. As the device name also contains the UPN, I used the following example to get it to work:
|where FileName == "MsMpEng.exe" and DeviceName contains "contoso"
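The query logic discussed in this thread, modelled offline as an added example (this is not code from Microsoft or from any of the posters). It uses constructed DeviceFileEvents-shaped rows with made-up device names, versions and paths, and reproduces the three points the thread turns on: the sixth backslash-separated segment of FolderPath is the platform version, the account-domain columns for MsMpEng.exe carry the service account ("nt authority") rather than the user's domain, so filtering them by "contoso" returns nothing, while filtering on DeviceName does work. It also goes one step beyond the KQL: versions are ordered numerically instead of as strings, so "x.12" ranks above "x.5", and a helper lists the devices that are below a chosen current version, which is what the commented-out project line was for.

```python
"""Offline model of the advanced-hunting query in this thread.

Constructed sample rows stand in for DeviceFileEvents. The column names
match the advanced-hunting schema; every value is made up for the example.
"""
from collections import defaultdict

# A raw string cannot end in a backslash, so the root is written escaped.
PLATFORM_ROOT = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\"

# Constructed sample events. MsMpEng.exe is started by the Defender service,
# so InitiatingProcessAccountDomain is "nt authority" on every row; that is
# the observation in the thread and the reason the domain filter found nothing.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01.contoso.com", "FileName": "MsMpEng.exe",
     "FolderPath": PLATFORM_ROOT + "4.18.2111.5-0\\MsMpEng.exe",
     "InitiatingProcessAccountDomain": "nt authority"},
    {"DeviceName": "ws02.contoso.com", "FileName": "MsMpEng.exe",
     "FolderPath": PLATFORM_ROOT + "4.18.23090.2008-0\\MsMpEng.exe",
     "InitiatingProcessAccountDomain": "nt authority"},
    {"DeviceName": "ws02.contoso.com", "FileName": "MsMpEng.exe",   # second event, same device
     "FolderPath": PLATFORM_ROOT + "4.18.23090.2008-0\\MsMpEng.exe",
     "InitiatingProcessAccountDomain": "nt authority"},
    {"DeviceName": "ws03.contoso.com", "FileName": "MsMpEng.exe",
     "FolderPath": PLATFORM_ROOT + "4.18.2111.12-0\\MsMpEng.exe",
     "InitiatingProcessAccountDomain": "nt authority"},
    {"DeviceName": "srv01.fabrikam.local", "FileName": "MsMpEng.exe",
     "FolderPath": PLATFORM_ROOT + "4.18.2111.5-0\\MsMpEng.exe",
     "InitiatingProcessAccountDomain": "nt authority"},
]


def platform_version(folder_path):
    """Mirror of split(FolderPath, "\\", 5): segment 5 is the platform version folder."""
    parts = folder_path.split("\\")
    return parts[5] if len(parts) > 5 else None


def version_key(version):
    """Numeric sort key. Plain string order puts "4.18.2111.5" above "4.18.2111.12"."""
    core = version.split("-")[0]          # drop the "-0" build suffix
    return tuple(int(p) for p in core.split("."))


def matching_events(events, domain, field):
    """The FileName / FolderPath / domain filters; 'contains' is case-insensitive like KQL."""
    return [e for e in events
            if e["FileName"] == "MsMpEng.exe"
            and e["FolderPath"].startswith(PLATFORM_ROOT)
            and domain.lower() in e[field].lower()]


def devices_per_version(events, domain, field="DeviceName"):
    """summarize dcount(DeviceName) by PlatformVersion, newest version first."""
    seen = defaultdict(set)
    for e in matching_events(events, domain, field):
        seen[platform_version(e["FolderPath"])].add(e["DeviceName"])
    return sorted(((v, len(devs)) for v, devs in seen.items()),
                  key=lambda vd: version_key(vd[0]), reverse=True)


def legacy_devices(events, domain, current, field="DeviceName"):
    """Devices running a platform older than `current`: the per-device view
    behind the commented-out 'project DeviceName, PlatformVersion' line."""
    out = {}
    for e in matching_events(events, domain, field):
        v = platform_version(e["FolderPath"])
        if version_key(v) < version_key(current):
            out[e["DeviceName"]] = v
    return out


if __name__ == "__main__":
    # Filtering on the initiating account domain: zero rows, as in the thread.
    print(devices_per_version(SAMPLE_EVENTS, "contoso", "InitiatingProcessAccountDomain"))
    # Filtering on DeviceName, the fix the original poster settled on.
    print(devices_per_version(SAMPLE_EVENTS, "contoso"))
    print(legacy_devices(SAMPLE_EVENTS, "contoso", "4.18.23090.2008-0"))
```

The numeric ordering is the part worth carrying back into the real query: `order by PlatformVersion desc` on a string column sorts lexicographically, so when reading the KQL output, check the top row really is the newest platform before treating everything below it as legacy.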