Windows Defender Antivirus (Active or Passive)

Frequent Contributor

Hi,

I need to get a report of machines with status of Windows Defender Antivirus (Active or Passive).

 

As per the document -https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/symantec-... it says to run Get-MpComputerStatus cmdlet in Powershell and check the value for AMRunningMode.

 

When I ran this on a machine where a 3rd party AV was installed with Windows Defender AV running in passive mode, I got the value Normal under AMRunningMode instead of Passive.

 

Is there any other way we can get the status of Windows Defender AV from MDATP Security Center or Intune.

5 Replies

@AnuragSrivastavaCurrently having the same issue. Cannot find anything else in the documentation to suggest any other methods to determine MDE's status.

Why it isn't showing as Passive when a 3rd party AV solution is present (as per MS documentation) is beyond me.

@Wintermute110

Use TVM data in Advanced Hunting to get that info. Windows 10 and Windows Server 2019 supported.

Example:

let avmodetable = DeviceTvmSecureConfigurationAssessment

| where ConfigurationId == "scid-2010" and isnotnull(Context)

| extend avdata=parsejson(Context)

| extend AVMode = iif(tostring(avdata[0][0]) == '0', 'Active' , iif(tostring(avdata[0][0]) == '1', 'Passive' ,iif(tostring(avdata[0][0]) == '4', 'EDR Blocked' ,'Unknown')))

| project DeviceId, AVMode;

DeviceTvmSecureConfigurationAssessment

| where ConfigurationId == "scid-2011" and isnotnull(Context)

| extend avdata=parsejson(Context)

| extend AVSigVersion = tostring(avdata[0][0])

| extend AVEngineVersion = tostring(avdata[0][1])

| extend AVSigLastUpdateTime = tostring(avdata[0][2])

| project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable

| join avmodetable on DeviceId

| project-away DeviceId1
Thanks, that has worked.

Really should be available in the GUI though!
There are 2 other states that need including:
3 = SxS Passive (side-by-side mode with limited periodic scanning)
2 = Other ?
I'd like to know what 2 means - in our shop we have quite a few devices reporting this value.
@GeoffYoung - could be the devices where Defender is disabled or uninstalled.