Ad Hoc PowerShelling – Getting data from Windows Defender

Most management solutions (SCCM/ConfigMgr, Intune, or just scheduled PowerShell tasks 🙂 ) use an agent-type method for control, to make sure the computer can do the work when it's capable of doing so (for example when it is on the network and powered on). However, sometimes you have to get some ad hoc work done quickly, on as many machines as possible at that moment, and for that PowerShell and CIM sessions can be very useful.

Here is a quick example of how to run an ad hoc query against all online machines in an OU for their Windows Defender status.


Requirements

This example assumes that the clients are either Windows 8.x or Windows 10, and that PowerShell remoting is enabled on each of the clients (Enable-PSRemoting). It also requires that you have installed the Remote Server Administration Tools (RSAT) on the client you run the script on.

Sample Code

This PowerShell snippet gathers detailed Defender data from each of the clients, stores it in a file per computer, and also generates a summary report with the Windows Defender versions and definitions from all the clients.

# Get Windows Defender Status

$i = 0
$DefenderStatusSummary = @()

foreach ($COMPUTER in $(Get-ADComputer -Filter * -SearchBase 'OU=Workstations,OU=ViaMonstra,DC=corp,DC=viamonstra,DC=com')){

    $ComputerName = $($COMPUTER.Name)

    try {
        # Offline or unreachable machines fail here and are skipped
        $Session = New-CimSession -ComputerName $ComputerName -ErrorAction Stop
    }
    catch {
        Write-Warning "Skipping ${ComputerName}: $($_.Exception.Message)"
        continue
    }

    try {
        # Get Windows Defender status
        $DefenderStatus = Get-MpComputerStatus -CimSession $Session -ErrorAction Stop

        # Detailed output to file for each computer (HH = 24-hour clock)
        $DateAndTime = Get-Date -Format "MM-dd-yyyy_HH-mm-ss"
        $WindowsDefenderStatusReport = 'C:\Setup\WindowsDefenderStatus_'+"$ComputerName"+"_"+$DateAndTime+".txt"
        $DefenderStatus | Out-File $WindowsDefenderStatusReport

        # Combine for summary report
        $DefenderStatusSummary = $DefenderStatusSummary + ($DefenderStatus | Select-Object PSComputerName, *updated,*version)

        # Count only the computers that actually answered
        $i = $i + 1
    }
    catch {
        Write-Warning "Query failed on ${ComputerName}: $($_.Exception.Message)"
    }
    finally {
        # Close the CIM Session
        Remove-CimSession -CimSession $Session
    }
}

Write-Output "Number of computers queried: $i"

# Create Summary Report
$DefenderStatusSummary | ConvertTo-Html | Out-File 'C:\Setup\WindowsDefenderStatusSummary.html'
Write-Output "C:\Setup\WindowsDefenderStatusSummary.html summary report created, detailed reports for each PC in C:\Setup"
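
The following is an added example, not part of the original post: a filter that turns the collected Get-MpComputerStatus objects into a short list of clients needing attention (protection switched off or stale definitions). The function name Get-DefenderFinding, the 3-day threshold, and the sample records are assumptions made for illustration.

```powershell
# Added example: triage Defender status records. Function name and threshold are hypothetical.
function Get-DefenderFinding {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-MpComputerStatus output
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Status,
        # Assumed threshold: signatures older than this many days are reported
        [int]$MaxSignatureAgeDays = 3,
        # Reference time, injectable so results are reproducible
        [datetime]$Now = (Get-Date)
    )
    process {
        $reasons = @()
        if (-not $Status.AntivirusEnabled)          { $reasons += 'Antivirus disabled' }
        if (-not $Status.RealTimeProtectionEnabled) { $reasons += 'Real-time protection disabled' }

        $updated = $Status.AntivirusSignatureLastUpdated
        if ($null -eq $updated) {
            $reasons += 'No signature update recorded'
        }
        elseif (($Now - $updated).TotalDays -gt $MaxSignatureAgeDays) {
            $reasons += ('Signatures {0:N0} days old' -f ($Now - $updated).TotalDays)
        }

        # Emit a record only for machines with at least one finding
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ComputerName     = $Status.PSComputerName
                SignatureVersion = $Status.AntivirusSignatureVersion
                Reasons          = $reasons -join '; '
            }
        }
    }
}

# Constructed sample records (made-up names and versions) so the example runs offline
$now = [datetime]'2024-05-10T09:00:00'
$sample = @(
    [pscustomobject]@{ PSComputerName='PC0001'; AntivirusEnabled=$true;  RealTimeProtectionEnabled=$true;  AntivirusSignatureLastUpdated=[datetime]'2024-05-09T22:15:00'; AntivirusSignatureVersion='1.0.0.3' }
    [pscustomobject]@{ PSComputerName='PC0002'; AntivirusEnabled=$true;  RealTimeProtectionEnabled=$false; AntivirusSignatureLastUpdated=[datetime]'2024-05-09T21:40:00'; AntivirusSignatureVersion='1.0.0.3' }
    [pscustomobject]@{ PSComputerName='PC0003'; AntivirusEnabled=$true;  RealTimeProtectionEnabled=$true;  AntivirusSignatureLastUpdated=[datetime]'2024-04-01T08:00:00'; AntivirusSignatureVersion='1.0.0.1' }
    [pscustomobject]@{ PSComputerName='PC0004'; AntivirusEnabled=$false; RealTimeProtectionEnabled=$false; AntivirusSignatureLastUpdated=$null;                            AntivirusSignatureVersion='0.0.0.0' }
)

# PC0001 is healthy and produces no output; the other three are reported
$sample | Get-DefenderFinding -Now $now | Format-Table -AutoSize
```

To use it with the script above, pipe the full $DefenderStatus objects into the function rather than $DefenderStatusSummary, because the summary keeps only the *updated and *version properties and drops the *Enabled flags the checks rely on.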

Happy Deployment, Johan

About the author

Johan Arwidmark
