Windows Defender Antivirus (Active or Passive)


Hi,

I need to get a report of machines with the status of Windows Defender Antivirus (Active or Passive).

As per the document - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/symantec-... it says to run the Get-MpComputerStatus cmdlet in PowerShell and check the value of AMRunningMode.

When I ran this on a machine where a 3rd-party AV was installed with Windows Defender AV running in passive mode, I got the value Normal under AMRunningMode instead of Passive.

Is there any other way we can get the status of Windows Defender AV from MDATP Security Center or Intune?
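The Get-MpComputerStatus / AMRunningMode method referred to above, turned into a per-machine report, as an added example that is not part of the original thread. It assumes PowerShell remoting (WinRM) is enabled on the targets and that the caller is a local administrator there; the host names in $targets are constructed placeholders, not real machines. Two caveats the script handles: older Defender platform builds do not expose the AMRunningMode property at all, and on Windows Server Defender AV only enters passive mode when the ForceDefenderPassiveMode policy value is set to 1, so the report reads that value alongside the mode.

```powershell
# Added example, not from the thread: report Defender AV running mode across a set of machines
# using the Get-MpComputerStatus / AMRunningMode method referred to in the post.
# Assumptions: PowerShell remoting (WinRM) is enabled on the targets and the caller is a local
# admin there. The $targets list is constructed sample data, not real hosts.
$targets = @('WKS-001', 'WKS-002', 'SRV-FILE01')

# Runs on each target. Always returns exactly one row, so the caller keeps a row per host.
$collect = {
    $row = [ordered]@{
        Computer                  = $env:COMPUTERNAME
        AMRunningMode             = $null
        AVState                   = 'Unknown'
        AMServiceEnabled          = $null
        AntivirusEnabled          = $null
        RealTimeProtectionEnabled = $null
        AMProductVersion          = $null
        ForceDefenderPassiveMode  = $null
        Error                     = $null
    }
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
        $row.AMServiceEnabled          = $s.AMServiceEnabled
        $row.AntivirusEnabled          = $s.AntivirusEnabled
        $row.RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        $row.AMProductVersion          = $s.AMProductVersion

        # AMRunningMode only exists on newer Defender platform builds; do not assume it is there.
        if ($s.PSObject.Properties['AMRunningMode']) {
            $row.AMRunningMode = $s.AMRunningMode
            $row.AVState = switch -Wildcard ([string]$s.AMRunningMode) {
                'Normal'      { 'Active' }
                '*Passive*'   { 'Passive' }       # covers "Passive Mode" and "SxS Passive Mode"
                'EDR Block*'  { 'EDR Blocked' }
                'Not running' { 'Not running' }
                default       { "Unknown ($_)" }
            }
        } else {
            $row.AVState = 'Unknown (AMRunningMode not exposed by this platform version)'
        }
    } catch {
        # e.g. Defender feature not installed on a server, or the cmdlet is unavailable
        $row.Error = $_.Exception.Message
    }

    # On Windows Server, Defender AV only goes passive when this policy value is 1.
    $regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $row.ForceDefenderPassiveMode = (Get-ItemProperty -Path $regPath -Name ForceDefenderPassiveMode -ErrorAction SilentlyContinue).ForceDefenderPassiveMode

    [pscustomobject]$row
}

function Get-DefenderAvModeReport {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            Invoke-Command -ComputerName $c -ScriptBlock $collect -ErrorAction Stop |
                Select-Object * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName
        } catch {
            # Host unreachable or remoting denied: still emit a row so the report is complete.
            [pscustomobject]@{
                Computer = $c; AMRunningMode = $null; AVState = 'Unreachable'
                AMServiceEnabled = $null; AntivirusEnabled = $null; RealTimeProtectionEnabled = $null
                AMProductVersion = $null; ForceDefenderPassiveMode = $null
                Error = $_.Exception.Message
            }
        }
    }
}

$report = Get-DefenderAvModeReport -ComputerName $targets
$report | Format-Table Computer, AVState, AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled, ForceDefenderPassiveMode, Error -AutoSize
$report | Export-Csv -Path .\DefenderAvMode.csv -NoTypeInformation
```

A server that reports AMRunningMode as Normal while a third-party AV is installed and ForceDefenderPassiveMode is empty or 0 is the case to look at first: without that policy value Defender AV on Windows Server does not switch to passive on its own.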

3 Replies

@AnuragSrivastava Currently having the same issue. Cannot find anything else in the documentation to suggest any other methods to determine MDE's status.

Why it isn't showing as Passive when a 3rd party AV solution is present (as per MS documentation) is beyond me.

@Wintermute110

Use TVM data in Advanced Hunting to get that info. Windows 10 and Windows Server 2019 supported.

Example:

// AV running mode from scid-2010: Context is a JSON array whose element [0][0] is the mode code
let avmodetable = DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010" and isnotnull(Context)
| extend avdata = parse_json(Context)
| extend AVMode = case(tostring(avdata[0][0]) == '0', 'Active',
                       tostring(avdata[0][0]) == '1', 'Passive',
                       tostring(avdata[0][0]) == '4', 'EDR Blocked',
                       'Unknown')
| project DeviceId, AVMode;
// Signature and engine versions from scid-2011, joined to the mode table per device
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2011" and isnotnull(Context)
| extend avdata = parse_json(Context)
| extend AVSigVersion = tostring(avdata[0][0])
| extend AVEngineVersion = tostring(avdata[0][1])
| extend AVSigLastUpdateTime = tostring(avdata[0][2])
| project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable
| join avmodetable on DeviceId
| project-away DeviceId1
Thanks, that has worked.

Really should be available in the GUI though!