Check Antivirus status Windows Defender or 3rd Party via ConfigMgr SCCM

Target: Get the status of Antivirus Windows Defender or any other 3rd party Antivirus software via “Run a Script” from ConfigMgr into a Log-File.

In the WMI namespace “root\SecurityCenter2” you find the list of installed Antivirus products and their status. I created two scripts to detect the status of Windows Defender and one for Sophos Antivirus. The scripts will show clients where either Windows Defender or Sophos Antivirus is in no clean status or not up to date.

The Scripts converts the product state to an hex-value and outputs the clients with an non-compliant Antivirus into an log file which can be opened with cmtrace.exe or MS Excel.

Windows Defender needs an Hex-Code of 061100 if it’s enabled and up to date.
The following hex-states can occur for Windows Defender:

Windows Defender

060100= disabled and up2date

061110 = enabled and outdated

061100 = enabled and up2date

Sophos Antivirus needs a an Hex-Code of 051000 if it’s enabled and up to date.

Prerequisites: Create a UNC-share and provide everyone full-access in additional modify the NTFS-Permission to provide “Domain Computers” at least write permission on the folder.

Here you can find the script for Windows Defender copy the script and follow the steps below:

The script for Sophos Antivirus is at the end of that blog post.

#currentdate

$CuDate = Get-Date

$CuDate.ToUniversalTime()

#generate random sleep time between 1-10 milliseconds

$rdom= Get-Random -Maximum 10

#logdestination

$destination = "\\servername\sharename$\AvInfo_Defender_SCCM.log"

#get Antivirus

$avWMIres = get-wmiobject -namespace root\SecurityCenter2 -computername localhost -Query "Select * from AntiVirusProduct" | where {$_.Displayname -eq "Windows Defender"}

if ($avWMIres -eq $null)

{

#create the Log and save

Start-Sleep -Milliseconds $rdom

$Log = $env:COMPUTERNAME + "; " + "no Windows Defender found" + "; " + "0" + "; " + $CuDate

$Log | Out-File -FilePath $aFilePath -append -Force

}

else

{

foreach ($av in $avWMIres)

{

#Defender enabled and up to date has a hex state of 061100

#Windows Defender

#(060100) = disabled and u2d

#(061110) = enabled and not u2d

#(061100) = enabled and u2d

$tohex = [Convert]::ToString($av.productState, 16)

#add zero for hex

$tohex = "0" + $tohex

$successavstate = "061100"

#if not good AV is installed -> add to LOG

If ($tohex -ne $successavstate)

{

#create the Log and save

Start-Sleep -Milliseconds $rdom

$Log = $env:COMPUTERNAME + "; " + $av.displayName + "; " + $tohex + "; " + $CuDate

$Log | Out-File -FilePath $destination -append -Force

}

}

}

Open the ConfigMgr console and navigate to \Software Library\Overview\Scripts

Select Create Script:1_av
Paste the script with your modified UNC-Share Path:

2_av

Save the Script:
3_av

Approve the Script:
4_av
5_av
6_Av

Run the Script against the required device collection:
7_av

Check the result in the log / in my case all clients have a disabled Microsoft Defender and they are up to date. As we are using Sophos Antivirus the result is as expected:
8_av

You can modify the script to check also the state of your 3rd party Antivirus Software. Here you can find the script for Sophos:

#currentdate

$CuDate = Get-Date

$CuDate.ToUniversalTime()

#generate random sleep time between 1-10 milliseconds

$rdom = Get-Random -Maximum 10

#logdestination

$destination = "\\servername\sharename$\AvInfo_Sophos_SCCM.log"

#get Antivirus

$avWMIres = get-wmiobject -namespace root\SecurityCenter2 -computername localhost -Query "Select * from AntiVirusProduct" | where { $_.displayName -eq "Sophos Anti-Virus" }

if ($avWMIres -eq $null)

{

#create the Log and save

Start-Sleep -Milliseconds $rdom

$Log = $env:COMPUTERNAME + "; " + "no Sophos found" + "; " + "0" + "; " + $CuDate

$Log | Out-File -FilePath $aFilePath -append -Force

}

else

{

foreach ($av in $avWMIres)

{

#Sophos enabled and up to date has a hex state of 051000

#Windows Defender

#05 = AV installed

#10 = Active

#00 = u2d

$tohex = [Convert]::ToString($av.productState, 16)

#add zero for hex

$tohex = "0" + $tohex

$successavstate = "051000"

#if not good AV is installed -> add to LOG

If ($tohex -ne $successavstate)

{

#create the Log and save

Start-Sleep -Milliseconds $rdom

$Log = $env:COMPUTERNAME + "; " + $av.displayName + "; " + $tohex + "; " + $CuDate

$Log | Out-File -FilePath $destination -append -Force

}

}

}

The result in the Logs looks like the following. In my case I have a few Clients where Sophos is not up to date and the Antivirus-Team needs to check the clients:
9_av.png

OSD progress hidden behind a “Just a moment” screen Windows 10 1709 -> Fix

OSD progress hidden behind a “Just a moment” screen Windows 10 1709 -> Fix

I noticed an issue when deploying Windows 10 1709 via Task-Sequence-> after the first reboot during the step “Setup Windows and Configuration Manager” the machine came back with “Just a moment” and the progress bar was hidden. My task-sequence had no unattend file applied during the capture. I found the solution by creating an unattend file that hide’s Wifi Setup and disabled user and computer OOBE. The step was added during the step “Apply Operating System”:

The XML-File includes the following:

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="‪http://schemas.microsoft.com/WMIConfig/2002/State‬" xmlns:xsi="‪http://www.w3.org/2001/XMLSchema-instance‬">
<OOBE>
<HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
<NetworkLocation>Work</NetworkLocation>
<SkipMachineOOBE>true</SkipMachineOOBE>
<SkipUserOOBE>true</SkipUserOOBE>
</OOBE>
</component>
</settings>
<cpi:offlineImage cpi:source="wim:c:/mount/install.wim#Windows 10 Enterprise" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>