PowerShell: Getting Windows Defender Status from all Domain Joined Computers (Get-AntiMalwareStatus)

By Patrick Gruenauer on 27. August 2018 • ( 13 Comments )

You are using Windows 10 and Windows Server 2016 or higher? Want to check the status of Windows Defender Anti-Malware from all computers? Then you’ve come to the right place. I’ll give you a tool to do just that.

The Goal

Without much talk, here’s what’s possible with an advanced PowerShell function called Get-AntiMalwareStatus.


Get-AntiMalwareStatus -Scope AllServer | Format-Table -AutoSize

Cool, ha?

Without Format-Table, the output is displayed in list format. Here’s an example of getting the malware status from all domain joined computers.

Possible values for the scope parameter are:

AllServer = All domain joined Windows Server
AllComputer = All domain joined Windows operating system computer

If no scope parameter is given, the function shows the Defender status of the local computer.

All you need is an Active Directory domain and if you want to retrieve Windows Defender information from client computers, you have to enable WinRm on all client operating systems as described here: Group Policies: Enabling WinRM for Windows Client Operating Systems (Windows 10, Windows 8, Windows 7).

The function Get-AntiMalwareStatus

For using this function in your PowerShell session move on to the next point.


function Get-AntiMalwareStatus {

# .SYNOPSIS
# Get-AnitMalewareStatus is an advanced Powershell function.
# It gets the Windows Defender Status of the local computer and remote computer.

# .DESCRIPTION
# Uses Invoke-Command and Get-MpComputerStatus.

# .PARAMETER
# Scope
# Define a scope. Possible values:
# AllServer, AllComputer
# Default: localhost

# .EXAMPLE
# Get-AntiMalwareStatus -Scope AllComputer

# .NOTES
# Author: Patrick Gruenauer
# Web: https://sid-500.com 

[CmdletBinding()]

param

(

[Parameter(Position=0,Helpmessage = 'Possible Values: AllServer, AllComputer')]
[ValidateSet('AllServer','AllComputer')]
$Scope

)

$result=@()
$ErrorActionPreference="SilentlyContinue"
switch ($Scope) {

$null {

Get-MpComputerStatus | Select-Object -Property Antivirusenabled,AMServiceEnabled,AntispywareEnabled,BehaviorMonitorEnabled,IoavProtectionEnabled,`
NISEnabled,OnAccessProtectionEnabled,RealTimeProtectionEnabled,AntivirusSignatureLastUpdated

}

AllServer {

$server=Get-ADComputer -Filter 'operatingsystem -like "*server*" -and enabled -eq "true"' | Select-Object -ExpandProperty Name

foreach ($s in $server) {

$rs=Invoke-Command -ComputerName $s {Get-MpComputerStatus | Select-Object -Property Antivirusenabled,AMServiceEnabled,AntispywareEnabled,` BehaviorMonitorEnabled,IoavProtectionEnabled,NISEnabled,OnAccessProtectionEnabled,RealTimeProtectionEnabled,AntivirusSignatureLastUpdated}

If ($rs) {

$result+=New-Object -TypeName PSObject -Property ([ordered]@{

'Server'=$rs.PSComputername
'Anti-Virus'=$rs.AntivirusEnabled
'AV Update'=$rs.AntivirusSignatureLastUpdated
'Anti-Malware'=$rs.AMServiceEnabled
'Anti-Spyware'=$rs.AntispywareEnabled
'Behavior Monitor'=$rs.BehaviorMonitorEnabled
'Office-Anti-Virus'=$rs.IoavProtectionEnabled
'NIS'=$rs.NISEnabled
'Access Prot'=$rs.OnAccessProtectionEnabled
'R-T Prot'=$rs.RealTimeProtectionEnabled

})

}

}
}

AllComputer {

$comp=Get-ADComputer -Filter 'enabled -eq "true"' | Select-Object -ExpandProperty Name

foreach ($c in $comp) {

$rs=Invoke-Command -ComputerName $c {Get-MpComputerStatus | Select-Object -Property Antivirusenabled,AMServiceEnabled,AntispywareEnabled,` BehaviorMonitorEnabled,IoavProtectionEnabled,NISEnabled,OnAccessProtectionEnabled,RealTimeProtectionEnabled,AntivirusSignatureLastUpdated}

If ($rs) {

$result+=New-Object -TypeName PSObject -Property ([ordered]@{

'Computer'=$rs.PSComputername
'Anti-Virus'=$rs.AntivirusEnabled
'AV Update'=$rs.AntivirusSignatureLastUpdated
'Anti-Malware'=$rs.AMServiceEnabled
'Anti-Spyware'=$rs.AntispywareEnabled
'Behavior Monitor'=$rs.BehaviorMonitorEnabled
'Office-Anti-Virus'=$rs.IoavProtectionEnabled
'NIS'=$rs.NISEnabled
'Access Prot'=$rs.OnAccessProtectionEnabled
'R-T Prot'=$rs.RealTimeProtectionEnabled

})

}
}
}

}
Write-Output $result
}

How to use it

Copy the code above into PowerShell ISE (ise.exe) and run the code. Then type the command and have fun with it.

If you want to make the function permanently available, so that the function is available every time you start PowerShell, you have to create a folder in C:\Program Files\WindowsPowerShell\Modules. Name the folder Get-AntiMalwareStatus. Then save the code as .psm1 file in that folder. The screenshot below will help you.

See you next time, again with PowerShell!

Categories: Cyber Security, PowerShell, Windows Server

Tagged as: Active Directory, Cyber Security, English, PowerShell, Windows 10, Windows Server, Windows Server 2016

Published by Patrick Gruenauer

Microsoft MVP on PowerShell [2018-2021], IT-Trainer, IT-Consultant, MCSE: Cloud Platform and Infrastructure, Cisco Certified Academy Instructor. View all posts by Patrick Gruenauer

13 replies »

Mark Dalton says:

17. August 2021 at 17:19

Is there a way to get this command to write to a file?

LikeLike

Reply
Lars says:

10. August 2021 at 10:24

Hi Patrick,
I have saved the script as described above in a .psm1 file in the directory “C:\Program Files\WindowsPowerShell\Modules”. So far everything is also ok. If I run the script with the parameters -Scope and Format-Table -AutoSize nothing happens. No error message or similar. I have run the script with the parameter -Scope All Computer for 2 hours without any result. What am I doing wrong?

LikeLike

Reply
- Patrick Gruenauer says:
  
  10. August 2021 at 10:32
  
  Check if WinRM is enabled on client computers. Best, P
  
  LikeLike
  
  Reply
  - Lars says:
    
    10. August 2021 at 10:44
    
    I have checked the WinRM service, it is running.
    
    LikeLike
Karthi says:

27. May 2021 at 7:39

Thank you. It worked very well. Saved me lot of time.

LikeLike

Reply
- Patrick Gruenauer says:
  
  27. May 2021 at 7:40
  
  Thank you!
  
  LikeLike
  
  Reply
Vee says:

12. May 2021 at 10:14

PS C:\windows\system32> Get-AntiMalwareStatus -Scope Allcomputer | Format-Table -AutoSize

Get-AntiMalwareStatus : The term ‘Get-AntiMalwareStatus’ is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
and try again.
At line:1 char:1
+ Get-AntiMalwareStatus -Scope Allcomputer | Format-Table -AutoSize
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AntiMalwareStatus:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

LikeLike

Reply
- Patrick Gruenauer says:
  
  12. May 2021 at 11:30
  
  I recommend reviewing your work. The function seems not implemented correctly. You will find help in the last part of the blog post.
  
  LikeLike
  
  Reply
Vee says:

12. May 2021 at 10:11

didn’t work for me

LikeLike

Reply
Mike says:

4. May 2021 at 16:19

Is there a way to limit the scope to a certain within AD? Domain/OU

LikeLike

Reply
- Patrick Gruenauer says:
  
  4. May 2021 at 17:34
  
  Unfortunately not in this example
  
  LikeLike
  
  Reply
Jakob says:

2. April 2019 at 13:00

Works very well. Thanks for the manual.

LikeLiked by 1 person

Reply
Pingback: PowerShell: Getting Windows Defender Status from all Domain Joined Computers (Get-AntiMalwareStatus) | | PowerShell Usergroup Austria