Defender PowerShell Module

As an IT professional it's almost a given that you provide free support to your immediate family, perhaps your not-so-immediate family, occasionally your good friends and sometimes your neighbour's dog!

The other day I was helping the father-in-law remove a third-party anti-virus product to reactivate Windows Defender on his laptop.

I thought it would be a good opportunity to introduce him to some PowerShell!

Here's what we looked at...


Defender Status

This cmdlet gives you a view of how Defender is doing:



This command shows when your signature file was last updated. It also shows how many days ago the last full scan was performed:

Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated,FullScanAge


This one shows whether the Defender subcomponents are enabled:

Get-MpComputerStatus |
    Select-Object -Property AMServiceEnabled,
        AntispywareEnabled,
        AntivirusEnabled,
        BehaviorMonitorEnabled,
        IoavProtectionEnabled,
        NISEnabled,
        OnAccessProtectionEnabled




What about exclusions?

Get-MPPreference | Select Exclusion*
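
The status and exclusion checks above can be rolled into one report of things worth a second look. This is an added example, not code from the original post or from the Defender module. The function name Test-DefenderHealth, the two age thresholds and the sample objects are assumptions made for illustration.

```powershell
# Added example: Test-DefenderHealth and its thresholds are hypothetical, not part of the Defender module.
function Test-DefenderHealth {
    param(
        # Defaults query the live machine; pass objects explicitly to test offline.
        $Status     = (Get-MpComputerStatus),
        $Preference = (Get-MpPreference),
        [int]$MaxSignatureAgeDays = 3,    # assumed threshold
        [int]$MaxFullScanAgeDays  = 30    # assumed threshold
    )

    $findings = @()

    # Same subcomponent flags selected in the post; any that is not $true is reported.
    $flags = 'AMServiceEnabled','AntispywareEnabled','AntivirusEnabled',
             'BehaviorMonitorEnabled','IoavProtectionEnabled','NISEnabled',
             'OnAccessProtectionEnabled'
    foreach ($flag in $flags) {
        if ($Status.$flag -ne $true) { $findings += "$flag is not enabled" }
    }

    # Signature freshness and days since the last full scan.
    $sigAge = ((Get-Date) - $Status.AntivirusSignatureLastUpdated).Days
    if ($sigAge -gt $MaxSignatureAgeDays) { $findings += "Signatures are $sigAge days old" }
    if ($Status.FullScanAge -gt $MaxFullScanAgeDays) {
        $findings += "Last full scan was $($Status.FullScanAge) days ago"
    }

    # Every exclusion is a place Defender does not look, so list each one for review.
    foreach ($prop in $Preference.PSObject.Properties | Where-Object Name -like 'Exclusion*') {
        foreach ($value in @($prop.Value)) {
            if ($value) { $findings += "$($prop.Name): $value" }
        }
    }
    $findings
}

# Constructed sample objects so the checks can be tried without a live Defender install.
$sampleStatus = [pscustomobject]@{
    AMServiceEnabled = $true; AntispywareEnabled = $true; AntivirusEnabled = $true
    BehaviorMonitorEnabled = $false; IoavProtectionEnabled = $true; NISEnabled = $true
    OnAccessProtectionEnabled = $true
    AntivirusSignatureLastUpdated = (Get-Date).AddDays(-10); FullScanAge = 45
}
$samplePreference = [pscustomobject]@{
    ExclusionPath = @('C:\Temp'); ExclusionExtension = $null; ExclusionProcess = $null
}
Test-DefenderHealth -Status $sampleStatus -Preference $samplePreference
```

Calling Test-DefenderHealth with no arguments runs the same checks against the local machine.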



Has anything been detected?



If anything comes back, pay particular attention to the IsActive and DidThreatExecute properties.

Want to know what threats Defender checks for? This makes for very interesting reading:

(Get-MpThreatCatalog).ThreatName | Sort-Object | Out-File .\threat_names.txt


Defender Module

Run this:

Get-Command -Module defender


Notice the Start-MPScan cmdlet. Have a play; go on now; don't be shy!


Well, I'm sad to say that the father-in-law struggled to see the awesomeness of PowerShell, but this was a good start - one battle a war does not make!


Comments (4)

  1. JC says:

    Was the intent here that such a detailed response to his query would discourage him from asking again? 😉

  2. Cybil Shepherd says:

    Get-MpComputerStatus : The extrinsic Method could not be executed

    1. Matt Tatum says:

      Cybil – I ran into this same issue, turns out that this only works on Windows 10 or higher. If you’re on Windows 7 then you have to query the event logs for this info.

      For example:

      (get-eventlog -LogName system | Where {$_.Message -like '*scan has finished*'} | Sort TimeWritten -descending)[0].timewritten

      Should give you the last time a scan was finished

  3. JC: of course!
    Cybil: what OS? running as admin?
