Cyber Security

PowerShell: Getting Windows Defender Status from all Domain Joined Computers (Get-AntiMalwareStatus)

By on ( 2 Comments )

You are using Windows 10 and Windows Server 2016 or higher? Want to check the status of Windows Defender Anti-Malware from all computers? Then you’ve come to the right place. I’ll give you a tool to do just that.

The Goal

Without much talk, here’s what’s possible with an advanced PowerShell function called Get-AntiMalwareStatus.


Get-AntiMalwareStatus -Scope AllServer | Format-Table -AutoSize

Unbenannt.PNG

Cool, ha?

Without Format-Table, the output is displayed in list format. Here’s an example of getting the malware status from all domain joined computers.

Unbenannt.PNG

Possible values for the scope parameter are:

  • AllServer = All domain joined Windows Server
  • AllComputer = All domain joined Windows operating system computer

If no scope parameter is given, the function shows the Defender status of the local computer.

Unbenannt.PNG

All you need is an Active Directory domain and if you want to retrieve Windows Defender information from client computers, you have to enable WinRm on all client operating systems as described here: Group Policies: Enabling WinRM for Windows Client Operating Systems (Windows 10, Windows 8, Windows 7).

The function Get-AntiMalwareStatus

For using this function in your PowerShell session move on to the next point.


function Get-AntiMalwareStatus {

# .SYNOPSIS
# Get-AnitMalewareStatus is an advanced Powershell function.
# It gets the Windows Defender Status of the local computer and remote computer.

# .DESCRIPTION
# Uses Invoke-Command and Get-MpComputerStatus.

# .PARAMETER
# Scope
# Define a scope. Possible values:
# AllServer, AllComputer
# Default: localhost

# .EXAMPLE
# Get-AntiMalwareStatus -Scope AllComputer

# .NOTES
# Author: Patrick Gruenauer
# Web: https://sid-500.com 

[CmdletBinding()]

param

(

[Parameter(Position=0,Helpmessage = 'Possible Values: AllServer, AllComputer')]
[ValidateSet('AllServer','AllComputer')]
$Scope

)

$result=@()
$ErrorActionPreference="SilentlyContinue"
switch ($Scope) {

$null {

Get-MpComputerStatus | Select-Object -Property Antivirusenabled,AMServiceEnabled,AntispywareEnabled,BehaviorMonitorEnabled,IoavProtectionEnabled,`
NISEnabled,OnAccessProtectionEnabled,RealTimeProtectionEnabled,AntivirusSignatureLastUpdated

}

AllServer {

$server=Get-ADComputer -Filter 'operatingsystem -like "*server*" -and enabled -eq "true"' | Select-Object -ExpandProperty Name

foreach ($s in $server) {

$rs=Invoke-Command -ComputerName $s {Get-MpComputerStatus | Select-Object -Property Antivirusenabled,AMServiceEnabled,AntispywareEnabled,` BehaviorMonitorEnabled,IoavProtectionEnabled,NISEnabled,OnAccessProtectionEnabled,RealTimeProtectionEnabled,AntivirusSignatureLastUpdated}

If ($rs) {

$result+=New-Object -TypeName PSObject -Property ([ordered]@{

'Server'=$rs.PSComputername
'Anti-Virus'=$rs.AntivirusEnabled
'AV Update'=$rs.AntivirusSignatureLastUpdated
'Anti-Malware'=$rs.AMServiceEnabled
'Anti-Spyware'=$rs.AntispywareEnabled
'Behavior Monitor'=$rs.BehaviorMonitorEnabled
'Office-Anti-Virus'=$rs.IoavProtectionEnabled
'NIS'=$rs.NISEnabled
'Access Prot'=$rs.OnAccessProtectionEnabled
'R-T Prot'=$rs.RealTimeProtectionEnabled

})

}

}
}

AllComputer {

$comp=Get-ADComputer -Filter 'enabled -eq "true"' | Select-Object -ExpandProperty Name

foreach ($c in $comp) {

$rs=Invoke-Command -ComputerName $c {Get-MpComputerStatus | Select-Object -Property Antivirusenabled,AMServiceEnabled,AntispywareEnabled,` BehaviorMonitorEnabled,IoavProtectionEnabled,NISEnabled,OnAccessProtectionEnabled,RealTimeProtectionEnabled,AntivirusSignatureLastUpdated}

If ($rs) {

$result+=New-Object -TypeName PSObject -Property ([ordered]@{

'Computer'=$rs.PSComputername
'Anti-Virus'=$rs.AntivirusEnabled
'AV Update'=$rs.AntivirusSignatureLastUpdated
'Anti-Malware'=$rs.AMServiceEnabled
'Anti-Spyware'=$rs.AntispywareEnabled
'Behavior Monitor'=$rs.BehaviorMonitorEnabled
'Office-Anti-Virus'=$rs.IoavProtectionEnabled
'NIS'=$rs.NISEnabled
'Access Prot'=$rs.OnAccessProtectionEnabled
'R-T Prot'=$rs.RealTimeProtectionEnabled

})

}
}
}

}
Write-Output $result
}

How to use it

Copy the code above into PowerShell ISE (ise.exe) and run the code. Then type the command and have fun with it.

If you want to make the function permanently available, so that the function is available every time you start PowerShell, you have to create a folder in C:\Program Files\WindowsPowerShell\Modules. Name the folder Get-AntiMalwareStatus. Then save the code as .psm1 file in that folder. The screenshot below will help you.

Unbenannt.PNG

See you next time, again with PowerShell!

Categories: Cyber Security, PowerShell, Windows Server

Tagged as: , , , , , ,

Published by Patrick Gruenauer

Microsoft MVP on PowerShell [2018-2020], IT-Trainer, IT-Consultant, MCSE: Cloud Platform and Infrastructure, Cisco Certified Academy Instructor, CCNA Routing und Switching, CCNA Security

2 replies »

  2. Pingback: PowerShell: Getting Windows Defender Status from all Domain Joined Computers (Get-AntiMalwareStatus) | | PowerShell Usergroup Austria

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.