Product still listed as enabled in Antivirusproduct class even though uninstalled 5 days ago
I uninstalled F-Secure 5 days ago and have restarted/powered down this device several times since. It seems that either the data returned by this query is outdated (and a refresh/reload may solve the issue, if at all possible) or that Windows truly believes the F-Secure product is still installed and enabled. Function ConvertTo-NPHex { Param([int]$Number)"0x{0:x}" -f $Number } $Products = @(); Get-CimInstance -Namespace root/SecurityCenter2 -ClassName Antivirusproduct -ErrorAction Stop | ForEach-Object{ $hex = ConvertTo-NPHex $_.ProductState; $mid = $hex.Substring(3,2); $end = $hex.Substring(5); $Products += [ordered]@{ DisplayName = $_.DisplayName; Enabled = $( If( $mid -match "00|01" ){ $False }Else{ $True } ); UpToDate = $( If($end -eq "00"){ $True }Else{ $False } ); Updated = $( (Get-Date -Date $_.Timestamp).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ") ) } }; Return $Products | ConvertTo-Json; Output from snippet above: [ { "DisplayName": "F-Secure SAFE", "ProductState": 270336, "Enabled": true, "UpToDate": true, "Updated": "2020-06-17T08:09:16Z" }, { "DisplayName": "Windows Defender", "ProductState": 393472, "Enabled": false, "UpToDate": true, "Updated": "2020-06-17T07:59:53Z" }, { "DisplayName": "ESET Security", "ProductState": 266240, "Enabled": true, "UpToDate": true, "Updated": "2020-06-22T12:28:56Z" } ] I am absolutely certain that F-Secure is not installed. Not only did I remove it manually, but it's also not visible in the Security Center UI, not under installed programs and not detected by a PowerShell script that looks through the registry for installed programs. This device is also not listed in my F-Secure web administration console, so I know it's uninstalled. Expected situation: F-Secure isn't listed at all (it's not installed) Windows Defender is listed and not enabled ESET is listed and enabled Questions: Is it possible to 'force' a refresh of this class? Is it known when this class is 'organically' updated? Any tacit knowledge as to why the product is still in the response?