Check Antivirus status Windows Defender or 3rd Party via ConfigMgr SCCM

Target: Get the status of Antivirus Windows Defender or any other 3rd party Antivirus software via “Run a Script” from ConfigMgr into a Log-File.

In the WMI namespace “root\SecurityCenter2” you find the list of installed Antivirus products and their status. I created two scripts to detect the status of Windows Defender and one for Sophos Antivirus. The scripts will show clients where either Windows Defender or Sophos Antivirus is in no clean status or not up to date.

The Scripts converts the product state to an hex-value and outputs the clients with an non-compliant Antivirus into an log file which can be opened with cmtrace.exe or MS Excel.

Windows Defender needs an Hex-Code of 061100 if it’s enabled and up to date.
The following hex-states can occur for Windows Defender:

Windows Defender

060100= disabled and up2date

061110 = enabled and outdated

061100 = enabled and up2date

Sophos Antivirus needs a an Hex-Code of 051000 if it’s enabled and up to date.

Prerequisites: Create a UNC-share and provide everyone full-access in additional modify the NTFS-Permission to provide “Domain Computers” at least write permission on the folder.

Here you can find the script for Windows Defender copy the script and follow the steps below:

The script for Sophos Antivirus is at the end of that blog post.

#currentdate

$CuDate = Get-Date

$CuDate.ToUniversalTime()

#generate random sleep time between 1-10 milliseconds

$rdom= Get-Random -Maximum 10

#logdestination

$destination = "\\servername\sharename$\AvInfo_Defender_SCCM.log"

#get Antivirus

$avWMIres = get-wmiobject -namespace root\SecurityCenter2 -computername localhost -Query "Select * from AntiVirusProduct" | where {$_.Displayname -eq "Windows Defender"}

if ($avWMIres -eq $null)

{

#create the Log and save

Start-Sleep -Milliseconds $rdom

$Log = $env:COMPUTERNAME + "; " + "no Windows Defender found" + "; " + "0" + "; " + $CuDate

$Log | Out-File -FilePath $aFilePath -append -Force

}

else

{

foreach ($av in $avWMIres)

{

#Defender enabled and up to date has a hex state of 061100

#Windows Defender

#(060100) = disabled and u2d

#(061110) = enabled and not u2d

#(061100) = enabled and u2d

$tohex = [Convert]::ToString($av.productState, 16)

#add zero for hex

$tohex = "0" + $tohex

$successavstate = "061100"

#if not good AV is installed -> add to LOG

If ($tohex -ne $successavstate)

{

#create the Log and save

Start-Sleep -Milliseconds $rdom

$Log = $env:COMPUTERNAME + "; " + $av.displayName + "; " + $tohex + "; " + $CuDate

$Log | Out-File -FilePath $destination -append -Force

}

}

}

Open the ConfigMgr console and navigate to \Software Library\Overview\Scripts

Select Create Script:
Paste the script with your modified UNC-Share Path:

Save the Script:

Approve the Script:

Run the Script against the required device collection:

Check the result in the log / in my case all clients have a disabled Microsoft Defender and they are up to date. As we are using Sophos Antivirus the result is as expected:

You can modify the script to check also the state of your 3rd party Antivirus Software. Here you can find the script for Sophos:

#currentdate

$CuDate = Get-Date

$CuDate.ToUniversalTime()

#generate random sleep time between 1-10 milliseconds

$rdom = Get-Random -Maximum 10

#logdestination

$destination = "\\servername\sharename$\AvInfo_Sophos_SCCM.log"

#get Antivirus

$avWMIres = get-wmiobject -namespace root\SecurityCenter2 -computername localhost -Query "Select * from AntiVirusProduct" | where { $_.displayName -eq "Sophos Anti-Virus" }

if ($avWMIres -eq $null)

{

#create the Log and save

Start-Sleep -Milliseconds $rdom

$Log = $env:COMPUTERNAME + "; " + "no Sophos found" + "; " + "0" + "; " + $CuDate

$Log | Out-File -FilePath $aFilePath -append -Force

}

else

{

foreach ($av in $avWMIres)

{

#Sophos enabled and up to date has a hex state of 051000

#Windows Defender

#05 = AV installed

#10 = Active

#00 = u2d

$tohex = [Convert]::ToString($av.productState, 16)

#add zero for hex

$tohex = "0" + $tohex

$successavstate = "051000"

#if not good AV is installed -> add to LOG

If ($tohex -ne $successavstate)

{

#create the Log and save

Start-Sleep -Milliseconds $rdom

$Log = $env:COMPUTERNAME + "; " + $av.displayName + "; " + $tohex + "; " + $CuDate

$Log | Out-File -FilePath $destination -append -Force

}

}

}

The result in the Logs looks like the following. In my case I have a few Clients where Sophos is not up to date and the Antivirus-Team needs to check the clients: