Defender PowerShell Module

As an IT professional it's almost a given that you provide free support to your immediate family, perhaps your not-so-immediate family, occasionally your good friends and sometimes your neighbour's dog!

The other day I was helping the father-in-law remove a third party anti-virus product to reactivate Windows Defender on his laptop. 

I thought it would be a good opportunity to introduce him to some PowerShell!

Here's what we looked at...


Defender Status

This cmdlet gives you a view of how Defender is doing:



This command shows when your signature file was last updated. It also shows how many days ago the last full scan was performed:

Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated,FullScanAge


This one shows whether the Defender subcomponents are enabled:

Get-MpComputerStatus |
Select-Object -Property AMServiceEnabled, `
    AntispywareEnabled, `
    AntivirusEnabled, `
    BehaviorMonitorEnabled, `
    IoavProtectionEnabled, `
    NISEnabled, `
    OnAccessProtectionEnabled




What about exclusions?

Get-MPPreference | Select Exclusion*



Has anything been detected?



If anything comes back, pay particular attention to the IsActive and DidThreatExecute properties.

Want to know what threats Defender checks for? This makes for very interesting reading:

(Get-MpThreatCatalog).ThreatName | Sort-Object | Out-File .\threat_names.txt
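Pulling the status, exclusion and detection checks above into one pass, as an added example that is not part of the original post. The function name Test-DefenderHealth, the two age thresholds and the sample objects are assumptions made for illustration.

```powershell
# Added example, not code from the original post. Threshold values are assumptions.
function Test-DefenderHealth {
    param(
        [Parameter(Mandatory)] $Status,       # object from Get-MpComputerStatus
        [Parameter(Mandatory)] $Preference,   # object from Get-MpPreference
        $Threats,                             # objects from Get-MpThreat (may be empty)
        [int] $MaxSignatureAgeDays = 3,       # assumed threshold
        [int] $MaxFullScanAgeDays = 30        # assumed threshold
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    # The sub-component flags listed in the post should all be $true.
    $flags = 'AMServiceEnabled', 'AntispywareEnabled', 'AntivirusEnabled', 'BehaviorMonitorEnabled',
             'IoavProtectionEnabled', 'NISEnabled', 'OnAccessProtectionEnabled'
    foreach ($flag in $flags) {
        if (-not $Status.$flag) { $findings.Add("Component disabled: $flag") }
    }
    $sigAge = ((Get-Date) - $Status.AntivirusSignatureLastUpdated).Days
    if ($sigAge -gt $MaxSignatureAgeDays) { $findings.Add("Signatures last updated $sigAge days ago") }
    # A machine that has never completed a full scan reports a very large FullScanAge.
    if ($Status.FullScanAge -gt $MaxFullScanAgeDays) { $findings.Add("Full scan age: $($Status.FullScanAge) days") }
    # Every exclusion is a place Defender will not look, so list each one for review.
    foreach ($prop in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
        foreach ($value in $Preference.$prop) { $findings.Add("${prop}: $value") }
    }
    foreach ($threat in $Threats) {
        if ($threat.IsActive -or $threat.DidThreatExecute) {
            $findings.Add("Threat '$($threat.ThreatName)': IsActive=$($threat.IsActive), DidThreatExecute=$($threat.DidThreatExecute)")
        }
    }
    [pscustomobject]@{ Healthy = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

# Constructed sample objects (not real output) so the logic can be exercised on any machine.
$sampleStatus = [pscustomobject]@{
    AMServiceEnabled = $true; AntispywareEnabled = $true; AntivirusEnabled = $true; BehaviorMonitorEnabled = $false
    IoavProtectionEnabled = $true; NISEnabled = $true; OnAccessProtectionEnabled = $true
    AntivirusSignatureLastUpdated = (Get-Date).AddDays(-10); FullScanAge = 45
}
$samplePref   = [pscustomobject]@{ ExclusionPath = @('C:\Temp'); ExclusionExtension = $null; ExclusionProcess = $null }
$sampleThreat = [pscustomobject]@{ ThreatName = 'Constructed.Sample'; IsActive = $true; DidThreatExecute = $false }
(Test-DefenderHealth -Status $sampleStatus -Preference $samplePref -Threats $sampleThreat).Findings

# Live run. The cmdlets can fail outright (see the errors in the comments), so stop on error and report it.
try {
    $s = Get-MpComputerStatus -ErrorAction Stop; $p = Get-MpPreference -ErrorAction Stop
    (Test-DefenderHealth -Status $s -Preference $p -Threats (Get-MpThreat -ErrorAction Stop)).Findings
} catch { Write-Warning "Defender cmdlets unavailable: $($_.Exception.Message)" }
```

The constructed sample yields five findings: one disabled component, stale signatures, an overdue full scan, one exclusion and one active threat.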


Defender Module

Run this:

Get-Command -Module defender


Notice the Start-MPScan cmdlet. Have a play; go on now; don't be shy!


Well, I'm sad to say that the father-in-law struggled to see the awesomeness of PowerShell, but this was a good start - one battle a war does not make!


Comments (5)

  1. JC says:

    Was the intent here that such a detailed response to his query would discourage him from asking again? 😉

  2. Cybil Shepherd says:

    Get-MpComputerStatus : The extrinsic Method could not be executed

    1. Matt Tatum says:

      Cybil – I ran into this same issue, turns out that this only works on Windows 10 or higher. If you’re on Windows 7 then you have to query the event logs for this info.

      For example:

      (Get-EventLog -LogName System | Where {$_.Message -like '*scan has finished*'} | Sort TimeWritten -Descending)[0].TimeWritten

      Should give you the last time a scan was finished

  3. JC: of course!
    Cybil: what OS? running as admin?

  4. hscowan says:

    Hi, I’m wondering what needs to be turned on or off for Defender commands to work.
    – Using Windows 10 Pro / 64 bit / Powershell ISE in Admin mode.
    – (Comodo AV installed)

    The only Defender command that seems to work is: Get-Command -Module defender
    CommandType     Name                     Version    Source
    -----------     ----                     -------    ------
    Function        Add-MpPreference         1.0        defender
    Function        Get-MpComputerStatus     1.0        defender
    Function        Get-MpPreference         1.0        defender
    Function        Get-MpThreat             1.0        defender
    Function        Get-MpThreatCatalog      1.0        defender
    Function        Get-MpThreatDetection    1.0        defender
    Function        Remove-MpPreference      1.0        defender
    Function        Remove-MpThreat          1.0        defender
    Function        Set-MpPreference         1.0        defender
    Function        Start-MpScan             1.0        defender
    Function        Start-MpWDOScan          1.0        defender
    Function        Update-MpSignature       1.0        defender

    i.e. these don’t execute:

    PS C:\WINDOWS\system32> Get-MpComputerStatus
    Get-MpComputerStatus : The extrinsic Method could not be executed.
    At line:1 char:5
    + Get-MpComputerStatus
    + ~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : MetadataError: (MSFT_MpComputerStatus:ROOT\Microsoft\…pComputerStatus) [Get-MpComputerStatus], CimException
        + FullyQualifiedErrorId : MI RESULT 16,Get-MpComputerStatus

    PS C:\WINDOWS\system32> Start-MpScan -ScanType QuickScan
    Start-MpScan : Errors were encountered when attempted to scan your device.
    At line:1 char:7
    + Start-MpScan -ScanType QuickScan
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (MSFT_MpScan:ROOT\Microsoft\…der\MSFT_MpScan) [Start-MpScan], CimException
        + FullyQualifiedErrorId : HRESULT 0x800106ba,Start-MpScan

    I tried many others but to no avail.
    Any enlightenment would be most appreciated.

    Thanks, Scott
