MSFT_MpPreference

Represents Defender preferences. Module Defender ships with Get-MpPreference, Add-MpPreference, Set-MpPreference and Remove-MpPreference which essentially manage the same information.

Represents Defender preferences. Module Defender ships with Get-MpPreference, Add-MpPreference, Set-MpPreference and Remove-MpPreference which essentially manage the same information.

Methods

MSFT_MpPreference has 3 methods:
Method Description
Add TBD
Remove TBD
Set TBD

Learn more about Invoke-CimMethod and how to invoke commands. Click any of the methods listed above to learn more about their purpose, parameters, and return value.

Properties

MSFT_MpPreference returns 54 properties:

'CheckForSignaturesBeforeRunningScan','ComputerID','DisableArchiveScanning',
'DisableAutoExclusions','DisableBehaviorMonitoring','DisableCatchupFullScan','DisableCatchupQuickScan',
'DisableEmailScanning','DisableIntrusionPreventionSystem','DisableIOAVProtection','DisablePrivacyMode',
'DisableRealtimeMonitoring','DisableRemovableDriveScanning','DisableRestorePoint',
'DisableScanningMappedNetworkDrivesForFullScan','DisableScanningNetworkFiles','DisableScriptScanning','ExclusionExtension',
'ExclusionPath','ExclusionProcess','HighThreatDefaultAction','LowThreatDefaultAction',
'MAPSReporting','ModerateThreatDefaultAction','QuarantinePurgeItemsAfterDelay',
'RandomizeScheduleTaskTimes','RealTimeScanDirection','RemediationScheduleDay','RemediationScheduleTime',
'ReportingAdditionalActionTimeOut','ReportingCriticalFailureTimeOut','ReportingNonCriticalTimeOut',
'ScanAvgCPULoadFactor','ScanOnlyIfIdleEnabled','ScanParameters','ScanPurgeItemsAfterDelay',
'ScanScheduleDay','ScanScheduleQuickScanTime','ScanScheduleTime','SevereThreatDefaultAction',
'SignatureAuGracePeriod','SignatureDefinitionUpdateFileSharesSources',
'SignatureDisableUpdateOnStartupWithoutEngine','SignatureFallbackOrder','SignatureFirstAuGracePeriod','SignatureScheduleDay',
'SignatureScheduleTime','SignatureUpdateCatchupInterval','SignatureUpdateInterval','SubmitSamplesConsent',
'ThreatIDDefaultAction_Actions','ThreatIDDefaultAction_Ids','UILockdown','UnknownThreatDefaultAction'

Unless explicitly marked as writeable, all properties are read-only. Read all properties for all instances:

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender -Property *

Most WMI classes return one or more instances.

When Get-CimInstance returns no result, then apparently no instances of class MSFT_MpPreference exist. This is normal behavior.

Either the class is not implemented on your system (may be deprecated or due to missing drivers, i.e. CIM_VideoControllerResolution), or there are simply no physical representations of this class currently available (i.e. Win32_TapeDrive).

CheckForSignaturesBeforeRunningScan

BOOLEAN

When set, Windows Defender will check for new signatures before running a scan. If new signatures are found they will be downloaded and installed before the scan begins. If no new signatures are found, the scan will start based on the existing signatures.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, CheckForSignaturesBeforeRunningScan

ComputerID

KEY PROPERTY STRING

Computer ID created by MAPS

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID

DisableArchiveScanning

BOOLEAN

Disable archive scanning.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, DisableArchiveScanning

DisableAutoExclusions

BOOLEAN

Beginning in Windows 10: Allows an administrator to specify if the Automatic Exclusions feature for Server SKUs should be turned off.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, DisableAutoExclusions

DisableBehaviorMonitoring

BOOLEAN

Disable behavior monitoring.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, DisableBehaviorMonitoring

DisableCatchupFullScan

BOOLEAN

Disable catch-up full scan. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, DisableCatchupFullScan

DisableCatchupQuickScan

BOOLEAN

Disable catch-up quick scan. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, DisableCatchupQuickScan

DisableEmailScanning

BOOLEAN

Disable email scanning.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, DisableEmailScanning

DisableIntrusionPreventionSystem

BOOLEAN

Disable intrusion prevention system.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, DisableIntrusionPreventionSystem

DisableIOAVProtection

BOOLEAN

Disable IOAV protection.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, DisableIOAVProtection

DisablePrivacyMode

BOOLEAN

Disable the privacy mode.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, DisablePrivacyMode

DisableRealtimeMonitoring

BOOLEAN

Disable real-time monitoring.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, DisableRealtimeMonitoring

DisableRemovableDriveScanning

BOOLEAN

Disable removable drive scanning.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, DisableRemovableDriveScanning

DisableRestorePoint

BOOLEAN

Disables restore point.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, DisableRestorePoint

DisableScanningMappedNetworkDrivesForFullScan

BOOLEAN

Disable running full scan on mapped network drives.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, DisableScanningMappedNetworkDrivesForFullScan

DisableScanningNetworkFiles

BOOLEAN

Disables scanning network files.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, DisableScanningNetworkFiles

DisableScriptScanning

BOOLEAN

Disable script scanning.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, DisableScriptScanning

ExclusionExtension

STRING ARRAY

Allows an administrator to explicitly disable a scan from checking any of the extensions listed.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, ExclusionExtension

ExclusionPath

STRING ARRAY

Allows an administrator to explicitly disable a scan from checking any of the paths listed.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, ExclusionPath

ExclusionProcess

STRING ARRAY

Allows an administrator to explicitly disable a scan from checking any of the processes listed.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, ExclusionProcess

HighThreatDefaultAction

UINT8

Default action for high severity threats.

HighThreatDefaultAction returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$HighThreatDefaultAction_map = @{
      1 = 'Clean'
      2 = 'Quarantine'
      3 = 'Remove'
      6 = 'Allow'
      8 = 'UserDefined'
      9 = 'NoAction'
     10 = 'Block'
}
Use a switch statement
switch([int]$value)
{
  1          {'Clean'}
  2          {'Quarantine'}
  3          {'Remove'}
  6          {'Allow'}
  8          {'UserDefined'}
  9          {'NoAction'}
  10         {'Block'}
  default    {"$value"}
}
Use Enum structure
Enum EnumHighThreatDefaultAction
{
  Clean         = 1
  Quarantine    = 2
  Remove        = 3
  Allow         = 6
  UserDefined   = 8
  NoAction      = 9
  Block         = 10
}

Examples

Use $HighThreatDefaultAction_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "HighThreatDefaultAction" to friendly text

  Note: to use other properties than "HighThreatDefaultAction", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "HighThreatDefaultAction" 
# to translate other properties, use their translation table instead
$HighThreatDefaultAction_map = @{
      1 = 'Clean'
      2 = 'Quarantine'
      3 = 'Remove'
      6 = 'Allow'
      8 = 'UserDefined'
      9 = 'NoAction'
     10 = 'Block'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "HighThreatDefaultAction", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$HighThreatDefaultAction = @{
  Name = 'HighThreatDefaultAction'
  Expression = {
    # property is an array, so process all values
    $value = $_.HighThreatDefaultAction
    $HighThreatDefaultAction_map[[int]$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "Caption" and "HighThreatDefaultAction". The latter
# is defined by the hashtable in $HighThreatDefaultAction: 
Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $HighThreatDefaultAction

# ...or dump content of property HighThreatDefaultAction:
$friendlyValues = Get-CimInstance -Class MSFT_MpPreference | 
    Select-Object -Property $HighThreatDefaultAction |
    Select-Object -ExpandProperty HighThreatDefaultAction

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $HighThreatDefaultAction_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "MSFT_MpPreference" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "MSFT_MpPreference" 
# to translate other properties, use their translation table instead
$HighThreatDefaultAction_map = @{
      1 = 'Clean'
      2 = 'Quarantine'
      3 = 'Remove'
      6 = 'Allow'
      8 = 'UserDefined'
      9 = 'NoAction'
     10 = 'Block'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property
$rawValue = $instance.HighThreatDefaultAction  

# translate raw value to friendly text:
$friendlyName = $HighThreatDefaultAction_map[[int]$rawValue]

# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "HighThreatDefaultAction" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "HighThreatDefaultAction", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "HighThreatDefaultAction", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$HighThreatDefaultAction = @{
  Name = 'HighThreatDefaultAction'
  Expression = {
    # property is an array, so process all values
    $value = $_.HighThreatDefaultAction
    
    switch([int]$value)
      {
        1          {'Clean'}
        2          {'Quarantine'}
        3          {'Remove'}
        6          {'Allow'}
        8          {'UserDefined'}
        9          {'NoAction'}
        10         {'Block'}
        default    {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | 
  # ...and output properties "Caption" and "HighThreatDefaultAction". The latter is defined
  # by the hashtable in $HighThreatDefaultAction:
  Select-Object -Property Caption, $HighThreatDefaultAction
Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumHighThreatDefaultAction
{
  Clean         = 1
  Quarantine    = 2
  Remove        = 3
  Allow         = 6
  UserDefined   = 8
  NoAction      = 9
  Block         = 10
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.HighThreatDefaultAction

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **HighThreatDefaultAction** 
[EnumHighThreatDefaultAction]$rawValue 

# get a comma-separated string:
[EnumHighThreatDefaultAction]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumHighThreatDefaultAction]
#endregion

Enums must cover all possible values. If HighThreatDefaultAction returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

LowThreatDefaultAction

UINT8

Default action for low severity threats.

LowThreatDefaultAction returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$LowThreatDefaultAction_map = @{
      1 = 'Clean'
      2 = 'Quarantine'
      3 = 'Remove'
      6 = 'Allow'
      8 = 'UserDefined'
      9 = 'NoAction'
     10 = 'Block'
}
Use a switch statement
switch([int]$value)
{
  1          {'Clean'}
  2          {'Quarantine'}
  3          {'Remove'}
  6          {'Allow'}
  8          {'UserDefined'}
  9          {'NoAction'}
  10         {'Block'}
  default    {"$value"}
}
Use Enum structure
Enum EnumLowThreatDefaultAction
{
  Clean         = 1
  Quarantine    = 2
  Remove        = 3
  Allow         = 6
  UserDefined   = 8
  NoAction      = 9
  Block         = 10
}

Examples

Use $LowThreatDefaultAction_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "LowThreatDefaultAction" to friendly text

  Note: to use other properties than "LowThreatDefaultAction", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "LowThreatDefaultAction" 
# to translate other properties, use their translation table instead
$LowThreatDefaultAction_map = @{
      1 = 'Clean'
      2 = 'Quarantine'
      3 = 'Remove'
      6 = 'Allow'
      8 = 'UserDefined'
      9 = 'NoAction'
     10 = 'Block'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "LowThreatDefaultAction", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$LowThreatDefaultAction = @{
  Name = 'LowThreatDefaultAction'
  Expression = {
    # property is an array, so process all values
    $value = $_.LowThreatDefaultAction
    $LowThreatDefaultAction_map[[int]$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "Caption" and "LowThreatDefaultAction". The latter
# is defined by the hashtable in $LowThreatDefaultAction: 
Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $LowThreatDefaultAction

# ...or dump content of property LowThreatDefaultAction:
$friendlyValues = Get-CimInstance -Class MSFT_MpPreference | 
    Select-Object -Property $LowThreatDefaultAction |
    Select-Object -ExpandProperty LowThreatDefaultAction

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $LowThreatDefaultAction_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "MSFT_MpPreference" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "MSFT_MpPreference" 
# to translate other properties, use their translation table instead
$LowThreatDefaultAction_map = @{
      1 = 'Clean'
      2 = 'Quarantine'
      3 = 'Remove'
      6 = 'Allow'
      8 = 'UserDefined'
      9 = 'NoAction'
     10 = 'Block'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property
$rawValue = $instance.LowThreatDefaultAction  

# translate raw value to friendly text:
$friendlyName = $LowThreatDefaultAction_map[[int]$rawValue]

# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "LowThreatDefaultAction" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "LowThreatDefaultAction", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "LowThreatDefaultAction", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$LowThreatDefaultAction = @{
  Name = 'LowThreatDefaultAction'
  Expression = {
    # property is an array, so process all values
    $value = $_.LowThreatDefaultAction
    
    switch([int]$value)
      {
        1          {'Clean'}
        2          {'Quarantine'}
        3          {'Remove'}
        6          {'Allow'}
        8          {'UserDefined'}
        9          {'NoAction'}
        10         {'Block'}
        default    {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | 
  # ...and output properties "Caption" and "LowThreatDefaultAction". The latter is defined
  # by the hashtable in $LowThreatDefaultAction:
  Select-Object -Property Caption, $LowThreatDefaultAction
Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumLowThreatDefaultAction
{
  Clean         = 1
  Quarantine    = 2
  Remove        = 3
  Allow         = 6
  UserDefined   = 8
  NoAction      = 9
  Block         = 10
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.LowThreatDefaultAction

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **LowThreatDefaultAction** 
[EnumLowThreatDefaultAction]$rawValue 

# get a comma-separated string:
[EnumLowThreatDefaultAction]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumLowThreatDefaultAction]
#endregion

Enums must cover all possible values. If LowThreatDefaultAction returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

MAPSReporting

UINT8

Join Microsoft MAPS.

MAPSReporting returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$MAPSReporting_map = @{
      0 = 'Disabled'
      1 = 'Basic'
      2 = 'Advanced'
}
Use a switch statement
switch([int]$value)
{
  0          {'Disabled'}
  1          {'Basic'}
  2          {'Advanced'}
  default    {"$value"}
}
Use Enum structure
Enum EnumMAPSReporting
{
  Disabled   = 0
  Basic      = 1
  Advanced   = 2
}

Examples

Use $MAPSReporting_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "MAPSReporting" to friendly text

  Note: to use other properties than "MAPSReporting", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "MAPSReporting" 
# to translate other properties, use their translation table instead
$MAPSReporting_map = @{
      0 = 'Disabled'
      1 = 'Basic'
      2 = 'Advanced'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "MAPSReporting", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$MAPSReporting = @{
  Name = 'MAPSReporting'
  Expression = {
    # property is an array, so process all values
    $value = $_.MAPSReporting
    $MAPSReporting_map[[int]$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "Caption" and "MAPSReporting". The latter
# is defined by the hashtable in $MAPSReporting: 
Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $MAPSReporting

# ...or dump content of property MAPSReporting:
$friendlyValues = Get-CimInstance -Class MSFT_MpPreference | 
    Select-Object -Property $MAPSReporting |
    Select-Object -ExpandProperty MAPSReporting

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $MAPSReporting_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "MSFT_MpPreference" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "MSFT_MpPreference" 
# to translate other properties, use their translation table instead
$MAPSReporting_map = @{
      0 = 'Disabled'
      1 = 'Basic'
      2 = 'Advanced'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property
$rawValue = $instance.MAPSReporting  

# translate raw value to friendly text:
$friendlyName = $MAPSReporting_map[[int]$rawValue]

# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "MAPSReporting" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "MAPSReporting", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "MAPSReporting", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$MAPSReporting = @{
  Name = 'MAPSReporting'
  Expression = {
    # property is an array, so process all values
    $value = $_.MAPSReporting
    
    switch([int]$value)
      {
        0          {'Disabled'}
        1          {'Basic'}
        2          {'Advanced'}
        default    {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | 
  # ...and output properties "Caption" and "MAPSReporting". The latter is defined
  # by the hashtable in $MAPSReporting:
  Select-Object -Property Caption, $MAPSReporting
Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumMAPSReporting
{
  Disabled   = 0
  Basic      = 1
  Advanced   = 2
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.MAPSReporting

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **MAPSReporting** 
[EnumMAPSReporting]$rawValue 

# get a comma-separated string:
[EnumMAPSReporting]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumMAPSReporting]
#endregion

Enums must cover all possible values. If MAPSReporting returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

ModerateThreatDefaultAction

UINT8

Default action for moderate severity threats.

ModerateThreatDefaultAction returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$ModerateThreatDefaultAction_map = @{
      1 = 'Clean'
      2 = 'Quarantine'
      3 = 'Remove'
      6 = 'Allow'
      8 = 'UserDefined'
      9 = 'NoAction'
     10 = 'Block'
}
Use a switch statement
switch([int]$value)
{
  1          {'Clean'}
  2          {'Quarantine'}
  3          {'Remove'}
  6          {'Allow'}
  8          {'UserDefined'}
  9          {'NoAction'}
  10         {'Block'}
  default    {"$value"}
}
Use Enum structure
Enum EnumModerateThreatDefaultAction
{
  Clean         = 1
  Quarantine    = 2
  Remove        = 3
  Allow         = 6
  UserDefined   = 8
  NoAction      = 9
  Block         = 10
}

Examples

Use $ModerateThreatDefaultAction_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "ModerateThreatDefaultAction" to friendly text

  Note: to use other properties than "ModerateThreatDefaultAction", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "ModerateThreatDefaultAction" 
# to translate other properties, use their translation table instead
$ModerateThreatDefaultAction_map = @{
      1 = 'Clean'
      2 = 'Quarantine'
      3 = 'Remove'
      6 = 'Allow'
      8 = 'UserDefined'
      9 = 'NoAction'
     10 = 'Block'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "ModerateThreatDefaultAction", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$ModerateThreatDefaultAction = @{
  Name = 'ModerateThreatDefaultAction'
  Expression = {
    # property is an array, so process all values
    $value = $_.ModerateThreatDefaultAction
    $ModerateThreatDefaultAction_map[[int]$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "Caption" and "ModerateThreatDefaultAction". The latter
# is defined by the hashtable in $ModerateThreatDefaultAction: 
Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $ModerateThreatDefaultAction

# ...or dump content of property ModerateThreatDefaultAction:
$friendlyValues = Get-CimInstance -Class MSFT_MpPreference | 
    Select-Object -Property $ModerateThreatDefaultAction |
    Select-Object -ExpandProperty ModerateThreatDefaultAction

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $ModerateThreatDefaultAction_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "MSFT_MpPreference" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "MSFT_MpPreference" 
# to translate other properties, use their translation table instead
$ModerateThreatDefaultAction_map = @{
      1 = 'Clean'
      2 = 'Quarantine'
      3 = 'Remove'
      6 = 'Allow'
      8 = 'UserDefined'
      9 = 'NoAction'
     10 = 'Block'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property
$rawValue = $instance.ModerateThreatDefaultAction  

# translate raw value to friendly text:
$friendlyName = $ModerateThreatDefaultAction_map[[int]$rawValue]

# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "ModerateThreatDefaultAction" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "ModerateThreatDefaultAction", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "ModerateThreatDefaultAction", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$ModerateThreatDefaultAction = @{
  Name = 'ModerateThreatDefaultAction'
  Expression = {
    # property is an array, so process all values
    $value = $_.ModerateThreatDefaultAction
    
    switch([int]$value)
      {
        1          {'Clean'}
        2          {'Quarantine'}
        3          {'Remove'}
        6          {'Allow'}
        8          {'UserDefined'}
        9          {'NoAction'}
        10         {'Block'}
        default    {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | 
  # ...and output properties "Caption" and "ModerateThreatDefaultAction". The latter is defined
  # by the hashtable in $ModerateThreatDefaultAction:
  Select-Object -Property Caption, $ModerateThreatDefaultAction
Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumModerateThreatDefaultAction
{
  Clean         = 1
  Quarantine    = 2
  Remove        = 3
  Allow         = 6
  UserDefined   = 8
  NoAction      = 9
  Block         = 10
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.ModerateThreatDefaultAction

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **ModerateThreatDefaultAction** 
[EnumModerateThreatDefaultAction]$rawValue 

# get a comma-separated string:
[EnumModerateThreatDefaultAction]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumModerateThreatDefaultAction]
#endregion

Enums must cover all possible values. If ModerateThreatDefaultAction returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

QuarantinePurgeItemsAfterDelay

UINT32

Indicates how many days items should kept in Quarantine folder before being removed.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, QuarantinePurgeItemsAfterDelay

RandomizeScheduleTaskTimes

BOOLEAN

This setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled definition update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, RandomizeScheduleTaskTimes

RealTimeScanDirection

UINT8

Real-time scan direction - Enumeration

RealTimeScanDirection returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$RealTimeScanDirection_map = @{
      0 = 'Both'
      1 = 'Incoming'
      2 = 'Outcoming'
}
Use a switch statement
switch([int]$value)
{
  0          {'Both'}
  1          {'Incoming'}
  2          {'Outcoming'}
  default    {"$value"}
}
Use Enum structure
Enum EnumRealTimeScanDirection
{
  Both        = 0
  Incoming    = 1
  Outcoming   = 2
}

Examples

Use $RealTimeScanDirection_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "RealTimeScanDirection" to friendly text

  Note: to use other properties than "RealTimeScanDirection", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "RealTimeScanDirection" 
# to translate other properties, use their translation table instead
$RealTimeScanDirection_map = @{
      0 = 'Both'
      1 = 'Incoming'
      2 = 'Outcoming'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "RealTimeScanDirection", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$RealTimeScanDirection = @{
  Name = 'RealTimeScanDirection'
  Expression = {
    # property is an array, so process all values
    $value = $_.RealTimeScanDirection
    $RealTimeScanDirection_map[[int]$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "Caption" and "RealTimeScanDirection". The latter
# is defined by the hashtable in $RealTimeScanDirection: 
Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $RealTimeScanDirection

# ...or dump content of property RealTimeScanDirection:
$friendlyValues = Get-CimInstance -Class MSFT_MpPreference | 
    Select-Object -Property $RealTimeScanDirection |
    Select-Object -ExpandProperty RealTimeScanDirection

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $RealTimeScanDirection_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "MSFT_MpPreference" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "MSFT_MpPreference" 
# to translate other properties, use their translation table instead
$RealTimeScanDirection_map = @{
      0 = 'Both'
      1 = 'Incoming'
      2 = 'Outcoming'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property
$rawValue = $instance.RealTimeScanDirection  

# translate raw value to friendly text:
$friendlyName = $RealTimeScanDirection_map[[int]$rawValue]

# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "RealTimeScanDirection" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "RealTimeScanDirection", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "RealTimeScanDirection", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$RealTimeScanDirection = @{
  Name = 'RealTimeScanDirection'
  Expression = {
    # property is an array, so process all values
    $value = $_.RealTimeScanDirection
    
    switch([int]$value)
      {
        0          {'Both'}
        1          {'Incoming'}
        2          {'Outcoming'}
        default    {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | 
  # ...and output properties "Caption" and "RealTimeScanDirection". The latter is defined
  # by the hashtable in $RealTimeScanDirection:
  Select-Object -Property Caption, $RealTimeScanDirection
Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumRealTimeScanDirection
{
  Both        = 0
  Incoming    = 1
  Outcoming   = 2
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.RealTimeScanDirection

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **RealTimeScanDirection** 
[EnumRealTimeScanDirection]$rawValue 

# get a comma-separated string:
[EnumRealTimeScanDirection]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumRealTimeScanDirection]
#endregion

Enums must cover all possible values. If RealTimeScanDirection returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

RemediationScheduleDay

UINT8

Indicates what day of the week to perform the scheduled full scan to complete remediation.

RemediationScheduleDay returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$RemediationScheduleDay_map = @{
      0 = 'Every Day'
      1 = 'Sunday'
      2 = 'Monday'
      3 = 'Tuesday'
      4 = 'Wednesday'
      5 = 'Thursday'
      6 = 'Friday'
      7 = 'Saturday'
      8 = 'Never'
}
Use a switch statement
switch([int]$value)
{
  0          {'Every Day'}
  1          {'Sunday'}
  2          {'Monday'}
  3          {'Tuesday'}
  4          {'Wednesday'}
  5          {'Thursday'}
  6          {'Friday'}
  7          {'Saturday'}
  8          {'Never'}
  default    {"$value"}
}
Use Enum structure
Enum EnumRemediationScheduleDay
{
  Every_Day   = 0
  Sunday      = 1
  Monday      = 2
  Tuesday     = 3
  Wednesday   = 4
  Thursday    = 5
  Friday      = 6
  Saturday    = 7
  Never       = 8
}

Examples

Use $RemediationScheduleDay_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "RemediationScheduleDay" to friendly text

  Note: to use other properties than "RemediationScheduleDay", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "RemediationScheduleDay" 
# to translate other properties, use their translation table instead
$RemediationScheduleDay_map = @{
      0 = 'Every Day'
      1 = 'Sunday'
      2 = 'Monday'
      3 = 'Tuesday'
      4 = 'Wednesday'
      5 = 'Thursday'
      6 = 'Friday'
      7 = 'Saturday'
      8 = 'Never'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "RemediationScheduleDay", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$RemediationScheduleDay = @{
  Name = 'RemediationScheduleDay'
  Expression = {
    # property is an array, so process all values
    $value = $_.RemediationScheduleDay
    $RemediationScheduleDay_map[[int]$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "Caption" and "RemediationScheduleDay". The latter
# is defined by the hashtable in $RemediationScheduleDay: 
Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $RemediationScheduleDay

# ...or dump content of property RemediationScheduleDay:
$friendlyValues = Get-CimInstance -Class MSFT_MpPreference | 
    Select-Object -Property $RemediationScheduleDay |
    Select-Object -ExpandProperty RemediationScheduleDay

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $RemediationScheduleDay_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "MSFT_MpPreference" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "MSFT_MpPreference" 
# to translate other properties, use their translation table instead
$RemediationScheduleDay_map = @{
      0 = 'Every Day'
      1 = 'Sunday'
      2 = 'Monday'
      3 = 'Tuesday'
      4 = 'Wednesday'
      5 = 'Thursday'
      6 = 'Friday'
      7 = 'Saturday'
      8 = 'Never'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property
$rawValue = $instance.RemediationScheduleDay  

# translate raw value to friendly text:
$friendlyName = $RemediationScheduleDay_map[[int]$rawValue]

# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "RemediationScheduleDay" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "RemediationScheduleDay", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "RemediationScheduleDay", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$RemediationScheduleDay = @{
  Name = 'RemediationScheduleDay'
  Expression = {
    # property is an array, so process all values
    $value = $_.RemediationScheduleDay
    
    switch([int]$value)
      {
        0          {'Every Day'}
        1          {'Sunday'}
        2          {'Monday'}
        3          {'Tuesday'}
        4          {'Wednesday'}
        5          {'Thursday'}
        6          {'Friday'}
        7          {'Saturday'}
        8          {'Never'}
        default    {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | 
  # ...and output properties "Caption" and "RemediationScheduleDay". The latter is defined
  # by the hashtable in $RemediationScheduleDay:
  Select-Object -Property Caption, $RemediationScheduleDay
Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumRemediationScheduleDay
{
  Every_Day   = 0
  Sunday      = 1
  Monday      = 2
  Tuesday     = 3
  Wednesday   = 4
  Thursday    = 5
  Friday      = 6
  Saturday    = 7
  Never       = 8
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.RemediationScheduleDay

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **RemediationScheduleDay** 
[EnumRemediationScheduleDay]$rawValue 

# get a comma-separated string:
[EnumRemediationScheduleDay]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumRemediationScheduleDay]
#endregion

Enums must cover all possible values. If RemediationScheduleDay returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

RemediationScheduleTime

DATETIME

Indicates what time to perform the scheduled full scan to complete remediation.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, RemediationScheduleTime

ReportingAdditionalActionTimeOut

UINT32

Configure timeout for detections requiring additional action.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, ReportingAdditionalActionTimeOut

ReportingCriticalFailureTimeOut

UINT32

Time in minutes for a detection in the ‘critically failed’ state to move to either ‘additional action’ or ‘cleared’ state.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, ReportingCriticalFailureTimeOut

ReportingNonCriticalTimeOut

UINT32

Time in minutes for a detection in the ‘failed’ state to move to the ‘cleared’ state.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, ReportingNonCriticalTimeOut

ScanAvgCPULoadFactor

UINT8

Specify the maximum percentage of CPU utilization during a scan. This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, ScanAvgCPULoadFactor

ScanOnlyIfIdleEnabled

BOOLEAN

Run scheduled scans only if system is idle.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, ScanOnlyIfIdleEnabled

ScanParameters

UINT8

Specify the scan type to use for a scheduled scan.

ScanParameters returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$ScanParameters_map = @{
      1 = 'Quick Scan'
      2 = 'Full Scan'
}
Use a switch statement
switch([int]$value)
{
  1          {'Quick Scan'}
  2          {'Full Scan'}
  default    {"$value"}
}
Use Enum structure
Enum EnumScanParameters
{
  Quick_Scan   = 1
  Full_Scan    = 2
}

Examples

Use $ScanParameters_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "ScanParameters" to friendly text

  Note: to use other properties than "ScanParameters", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "ScanParameters" 
# to translate other properties, use their translation table instead
$ScanParameters_map = @{
      1 = 'Quick Scan'
      2 = 'Full Scan'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "ScanParameters", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$ScanParameters = @{
  Name = 'ScanParameters'
  Expression = {
    # property is an array, so process all values
    $value = $_.ScanParameters
    $ScanParameters_map[[int]$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "Caption" and "ScanParameters". The latter
# is defined by the hashtable in $ScanParameters: 
Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $ScanParameters

# ...or dump content of property ScanParameters:
$friendlyValues = Get-CimInstance -Class MSFT_MpPreference | 
    Select-Object -Property $ScanParameters |
    Select-Object -ExpandProperty ScanParameters

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $ScanParameters_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "MSFT_MpPreference" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "MSFT_MpPreference" 
# to translate other properties, use their translation table instead
$ScanParameters_map = @{
      1 = 'Quick Scan'
      2 = 'Full Scan'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property
$rawValue = $instance.ScanParameters  

# translate raw value to friendly text:
$friendlyName = $ScanParameters_map[[int]$rawValue]

# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "ScanParameters" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "ScanParameters", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "ScanParameters", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$ScanParameters = @{
  Name = 'ScanParameters'
  Expression = {
    # property is an array, so process all values
    $value = $_.ScanParameters
    
    switch([int]$value)
      {
        1          {'Quick Scan'}
        2          {'Full Scan'}
        default    {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | 
  # ...and output properties "Caption" and "ScanParameters". The latter is defined
  # by the hashtable in $ScanParameters:
  Select-Object -Property Caption, $ScanParameters
Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumScanParameters
{
  Quick_Scan   = 1
  Full_Scan    = 2
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.ScanParameters

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **ScanParameters** 
[EnumScanParameters]$rawValue 

# get a comma-separated string:
[EnumScanParameters]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumScanParameters]
#endregion

Enums must cover all possible values. If ScanParameters returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

ScanPurgeItemsAfterDelay

UINT32

Turn on removal of items from scan history folder. This setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, ScanPurgeItemsAfterDelay

ScanScheduleDay

UINT8

Specify the day of the week to run a scheduled scan.

ScanScheduleDay returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$ScanScheduleDay_map = @{
      0 = 'Every Day'
      1 = 'Sunday'
      2 = 'Monday'
      3 = 'Tuesday'
      4 = 'Wednesday'
      5 = 'Thursday'
      6 = 'Friday'
      7 = 'Saturday'
      8 = 'Never'
}
Use a switch statement
switch([int]$value)
{
  0          {'Every Day'}
  1          {'Sunday'}
  2          {'Monday'}
  3          {'Tuesday'}
  4          {'Wednesday'}
  5          {'Thursday'}
  6          {'Friday'}
  7          {'Saturday'}
  8          {'Never'}
  default    {"$value"}
}
Use Enum structure
Enum EnumScanScheduleDay
{
  Every_Day   = 0
  Sunday      = 1
  Monday      = 2
  Tuesday     = 3
  Wednesday   = 4
  Thursday    = 5
  Friday      = 6
  Saturday    = 7
  Never       = 8
}

Examples

Use $ScanScheduleDay_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "ScanScheduleDay" to friendly text

  Note: to use other properties than "ScanScheduleDay", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "ScanScheduleDay" 
# to translate other properties, use their translation table instead
$ScanScheduleDay_map = @{
      0 = 'Every Day'
      1 = 'Sunday'
      2 = 'Monday'
      3 = 'Tuesday'
      4 = 'Wednesday'
      5 = 'Thursday'
      6 = 'Friday'
      7 = 'Saturday'
      8 = 'Never'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "ScanScheduleDay", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$ScanScheduleDay = @{
  Name = 'ScanScheduleDay'
  Expression = {
    # property is an array, so process all values
    $value = $_.ScanScheduleDay
    $ScanScheduleDay_map[[int]$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "Caption" and "ScanScheduleDay". The latter
# is defined by the hashtable in $ScanScheduleDay: 
Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $ScanScheduleDay

# ...or dump content of property ScanScheduleDay:
$friendlyValues = Get-CimInstance -Class MSFT_MpPreference | 
    Select-Object -Property $ScanScheduleDay |
    Select-Object -ExpandProperty ScanScheduleDay

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $ScanScheduleDay_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "MSFT_MpPreference" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "MSFT_MpPreference" 
# to translate other properties, use their translation table instead
$ScanScheduleDay_map = @{
      0 = 'Every Day'
      1 = 'Sunday'
      2 = 'Monday'
      3 = 'Tuesday'
      4 = 'Wednesday'
      5 = 'Thursday'
      6 = 'Friday'
      7 = 'Saturday'
      8 = 'Never'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property
$rawValue = $instance.ScanScheduleDay  

# translate raw value to friendly text:
$friendlyName = $ScanScheduleDay_map[[int]$rawValue]

# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "ScanScheduleDay" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "ScanScheduleDay", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "ScanScheduleDay", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$ScanScheduleDay = @{
  Name = 'ScanScheduleDay'
  Expression = {
    # property is an array, so process all values
    $value = $_.ScanScheduleDay
    
    switch([int]$value)
      {
        0          {'Every Day'}
        1          {'Sunday'}
        2          {'Monday'}
        3          {'Tuesday'}
        4          {'Wednesday'}
        5          {'Thursday'}
        6          {'Friday'}
        7          {'Saturday'}
        8          {'Never'}
        default    {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | 
  # ...and output properties "Caption" and "ScanScheduleDay". The latter is defined
  # by the hashtable in $ScanScheduleDay:
  Select-Object -Property Caption, $ScanScheduleDay
Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumScanScheduleDay
{
  Every_Day   = 0
  Sunday      = 1
  Monday      = 2
  Tuesday     = 3
  Wednesday   = 4
  Thursday    = 5
  Friday      = 6
  Saturday    = 7
  Never       = 8
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.ScanScheduleDay

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **ScanScheduleDay** 
[EnumScanScheduleDay]$rawValue 

# get a comma-separated string:
[EnumScanScheduleDay]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumScanScheduleDay]
#endregion

Enums must cover all possible values. If ScanScheduleDay returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

ScanScheduleQuickScanTime

DATETIME

Specify the time of day to run a scheduled quick scan.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, ScanScheduleQuickScanTime

ScanScheduleTime

DATETIME

Specify the time of day to run a scheduled scan.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, ScanScheduleTime

SevereThreatDefaultAction

UINT8

Default action for severe severity threats.

SevereThreatDefaultAction returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$SevereThreatDefaultAction_map = @{
      1 = 'Clean'
      2 = 'Quarantine'
      3 = 'Remove'
      6 = 'Allow'
      8 = 'UserDefined'
      9 = 'NoAction'
     10 = 'Block'
}
Use a switch statement
switch([int]$value)
{
  1          {'Clean'}
  2          {'Quarantine'}
  3          {'Remove'}
  6          {'Allow'}
  8          {'UserDefined'}
  9          {'NoAction'}
  10         {'Block'}
  default    {"$value"}
}
Use Enum structure
Enum EnumSevereThreatDefaultAction
{
  Clean         = 1
  Quarantine    = 2
  Remove        = 3
  Allow         = 6
  UserDefined   = 8
  NoAction      = 9
  Block         = 10
}

Examples

Use $SevereThreatDefaultAction_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "SevereThreatDefaultAction" to friendly text

  Note: to use other properties than "SevereThreatDefaultAction", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "SevereThreatDefaultAction" 
# to translate other properties, use their translation table instead
$SevereThreatDefaultAction_map = @{
      1 = 'Clean'
      2 = 'Quarantine'
      3 = 'Remove'
      6 = 'Allow'
      8 = 'UserDefined'
      9 = 'NoAction'
     10 = 'Block'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "SevereThreatDefaultAction", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$SevereThreatDefaultAction = @{
  Name = 'SevereThreatDefaultAction'
  Expression = {
    # property is an array, so process all values
    $value = $_.SevereThreatDefaultAction
    $SevereThreatDefaultAction_map[[int]$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "Caption" and "SevereThreatDefaultAction". The latter
# is defined by the hashtable in $SevereThreatDefaultAction: 
Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $SevereThreatDefaultAction

# ...or dump content of property SevereThreatDefaultAction:
$friendlyValues = Get-CimInstance -Class MSFT_MpPreference | 
    Select-Object -Property $SevereThreatDefaultAction |
    Select-Object -ExpandProperty SevereThreatDefaultAction

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $SevereThreatDefaultAction_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "MSFT_MpPreference" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "MSFT_MpPreference" 
# to translate other properties, use their translation table instead
$SevereThreatDefaultAction_map = @{
      1 = 'Clean'
      2 = 'Quarantine'
      3 = 'Remove'
      6 = 'Allow'
      8 = 'UserDefined'
      9 = 'NoAction'
     10 = 'Block'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property
$rawValue = $instance.SevereThreatDefaultAction  

# translate raw value to friendly text:
$friendlyName = $SevereThreatDefaultAction_map[[int]$rawValue]

# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "SevereThreatDefaultAction" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "SevereThreatDefaultAction", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "SevereThreatDefaultAction", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$SevereThreatDefaultAction = @{
  Name = 'SevereThreatDefaultAction'
  Expression = {
    # property is an array, so process all values
    $value = $_.SevereThreatDefaultAction
    
    switch([int]$value)
      {
        1          {'Clean'}
        2          {'Quarantine'}
        3          {'Remove'}
        6          {'Allow'}
        8          {'UserDefined'}
        9          {'NoAction'}
        10         {'Block'}
        default    {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | 
  # ...and output properties "Caption" and "SevereThreatDefaultAction". The latter is defined
  # by the hashtable in $SevereThreatDefaultAction:
  Select-Object -Property Caption, $SevereThreatDefaultAction
Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumSevereThreatDefaultAction
{
  Clean         = 1
  Quarantine    = 2
  Remove        = 3
  Allow         = 6
  UserDefined   = 8
  NoAction      = 9
  Block         = 10
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.SevereThreatDefaultAction

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **SevereThreatDefaultAction** 
[EnumSevereThreatDefaultAction]$rawValue 

# get a comma-separated string:
[EnumSevereThreatDefaultAction]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumSevereThreatDefaultAction]
#endregion

Enums must cover all possible values. If SevereThreatDefaultAction returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

SignatureAuGracePeriod

UINT32

Overrides CheckForSignatureBeforeRunningScan. Aborts any service-initiated update if signature was updated successfully within this amount of time. Time in minutes.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, SignatureAuGracePeriod

SignatureDefinitionUpdateFileSharesSources

STRING

Defines the file shares for downloading definition updates. setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources. For example: {\unc1 \unc2 }. The list is empty by default.
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, SignatureDefinitionUpdateFileSharesSources

SignatureDisableUpdateOnStartupWithoutEngine

BOOLEAN

When set to true, AM Service will not initiate definition update on start-up, regardless of whether an Engine is present or not.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, SignatureDisableUpdateOnStartupWithoutEngine

SignatureFallbackOrder

STRING

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, SignatureFallbackOrder

SignatureFirstAuGracePeriod

UINT32

Aborts any service-initiated update immediately after first install by the configured amount of time.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, SignatureFirstAuGracePeriod

SignatureScheduleDay

UINT8

Indicates the day of the week in which signature updates occur. If set to zero (0x0) then signature update occurs daily.

SignatureScheduleDay returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$SignatureScheduleDay_map = @{
      0 = 'Every Day'
      1 = 'Sunday'
      2 = 'Monday'
      3 = 'Tuesday'
      4 = 'Wednesday'
      5 = 'Thursday'
      6 = 'Friday'
      7 = 'Saturday'
      8 = 'Never'
}
Use a switch statement
switch([int]$value)
{
  0          {'Every Day'}
  1          {'Sunday'}
  2          {'Monday'}
  3          {'Tuesday'}
  4          {'Wednesday'}
  5          {'Thursday'}
  6          {'Friday'}
  7          {'Saturday'}
  8          {'Never'}
  default    {"$value"}
}
Use Enum structure
Enum EnumSignatureScheduleDay
{
  Every_Day   = 0
  Sunday      = 1
  Monday      = 2
  Tuesday     = 3
  Wednesday   = 4
  Thursday    = 5
  Friday      = 6
  Saturday    = 7
  Never       = 8
}

Examples

Use $SignatureScheduleDay_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "SignatureScheduleDay" to friendly text

  Note: to use other properties than "SignatureScheduleDay", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "SignatureScheduleDay" 
# to translate other properties, use their translation table instead
$SignatureScheduleDay_map = @{
      0 = 'Every Day'
      1 = 'Sunday'
      2 = 'Monday'
      3 = 'Tuesday'
      4 = 'Wednesday'
      5 = 'Thursday'
      6 = 'Friday'
      7 = 'Saturday'
      8 = 'Never'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "SignatureScheduleDay", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$SignatureScheduleDay = @{
  Name = 'SignatureScheduleDay'
  Expression = {
    # property is an array, so process all values
    $value = $_.SignatureScheduleDay
    $SignatureScheduleDay_map[[int]$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "Caption" and "SignatureScheduleDay". The latter
# is defined by the hashtable in $SignatureScheduleDay: 
Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $SignatureScheduleDay

# ...or dump content of property SignatureScheduleDay:
$friendlyValues = Get-CimInstance -Class MSFT_MpPreference | 
    Select-Object -Property $SignatureScheduleDay |
    Select-Object -ExpandProperty SignatureScheduleDay

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $SignatureScheduleDay_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "MSFT_MpPreference" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "MSFT_MpPreference" 
# to translate other properties, use their translation table instead
$SignatureScheduleDay_map = @{
      0 = 'Every Day'
      1 = 'Sunday'
      2 = 'Monday'
      3 = 'Tuesday'
      4 = 'Wednesday'
      5 = 'Thursday'
      6 = 'Friday'
      7 = 'Saturday'
      8 = 'Never'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property
$rawValue = $instance.SignatureScheduleDay  

# translate raw value to friendly text:
$friendlyName = $SignatureScheduleDay_map[[int]$rawValue]

# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "SignatureScheduleDay" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "SignatureScheduleDay", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "SignatureScheduleDay", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$SignatureScheduleDay = @{
  Name = 'SignatureScheduleDay'
  Expression = {
    # property is an array, so process all values
    $value = $_.SignatureScheduleDay
    
    switch([int]$value)
      {
        0          {'Every Day'}
        1          {'Sunday'}
        2          {'Monday'}
        3          {'Tuesday'}
        4          {'Wednesday'}
        5          {'Thursday'}
        6          {'Friday'}
        7          {'Saturday'}
        8          {'Never'}
        default    {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | 
  # ...and output properties "Caption" and "SignatureScheduleDay". The latter is defined
  # by the hashtable in $SignatureScheduleDay:
  Select-Object -Property Caption, $SignatureScheduleDay
Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumSignatureScheduleDay
{
  Every_Day   = 0
  Sunday      = 1
  Monday      = 2
  Tuesday     = 3
  Wednesday   = 4
  Thursday    = 5
  Friday      = 6
  Saturday    = 7
  Never       = 8
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.SignatureScheduleDay

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **SignatureScheduleDay** 
[EnumSignatureScheduleDay]$rawValue 

# get a comma-separated string:
[EnumSignatureScheduleDay]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumSignatureScheduleDay]
#endregion

Enums must cover all possible values. If SignatureScheduleDay returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

SignatureScheduleTime

DATETIME

Specifies the time at which signature update check happens. By default the signatures are checked before the scheduled scan.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, SignatureScheduleTime

SignatureUpdateCatchupInterval

UINT32

Defines the number of days after which a catch-up signature is warranted. Works with SignatureUpdateLastChecked. 0 = no catch-up; 1 = 1 day; 2 = 2 days, etc.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, SignatureUpdateCatchupInterval

SignatureUpdateInterval

UINT32

The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day).

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, SignatureUpdateInterval

SubmitSamplesConsent

UINT8

Beginning in Windows 10: For certain samples the service checks for user consent. If the required consent has already been granted, the service submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent when opt-in for MAPS telemetry is set (MAPSReporting != 0).

SubmitSamplesConsent returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$SubmitSamplesConsent_map = @{
      0 = 'Always Prompt'
      1 = 'Send safe samples automatically'
      2 = 'Never send'
      3 = 'Send all samples automatically'
}
Use a switch statement
switch([int]$value)
{
  0          {'Always Prompt'}
  1          {'Send safe samples automatically'}
  2          {'Never send'}
  3          {'Send all samples automatically'}
  default    {"$value"}
}
Use Enum structure
Enum EnumSubmitSamplesConsent
{
  Always_Prompt                     = 0
  Send_safe_samples_automatically   = 1
  Never_send                        = 2
  Send_all_samples_automatically    = 3
}

Examples

Use $SubmitSamplesConsent_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "SubmitSamplesConsent" to friendly text

  Note: to use other properties than "SubmitSamplesConsent", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "SubmitSamplesConsent" 
# to translate other properties, use their translation table instead
$SubmitSamplesConsent_map = @{
      0 = 'Always Prompt'
      1 = 'Send safe samples automatically'
      2 = 'Never send'
      3 = 'Send all samples automatically'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "SubmitSamplesConsent", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$SubmitSamplesConsent = @{
  Name = 'SubmitSamplesConsent'
  Expression = {
    # property is an array, so process all values
    $value = $_.SubmitSamplesConsent
    $SubmitSamplesConsent_map[[int]$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "Caption" and "SubmitSamplesConsent". The latter
# is defined by the hashtable in $SubmitSamplesConsent: 
Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $SubmitSamplesConsent

# ...or dump content of property SubmitSamplesConsent:
$friendlyValues = Get-CimInstance -Class MSFT_MpPreference | 
    Select-Object -Property $SubmitSamplesConsent |
    Select-Object -ExpandProperty SubmitSamplesConsent

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $SubmitSamplesConsent_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "MSFT_MpPreference" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "MSFT_MpPreference" 
# to translate other properties, use their translation table instead
$SubmitSamplesConsent_map = @{
      0 = 'Always Prompt'
      1 = 'Send safe samples automatically'
      2 = 'Never send'
      3 = 'Send all samples automatically'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property
$rawValue = $instance.SubmitSamplesConsent  

# translate raw value to friendly text:
$friendlyName = $SubmitSamplesConsent_map[[int]$rawValue]

# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "SubmitSamplesConsent" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "SubmitSamplesConsent", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "SubmitSamplesConsent", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$SubmitSamplesConsent = @{
  Name = 'SubmitSamplesConsent'
  Expression = {
    # property is an array, so process all values
    $value = $_.SubmitSamplesConsent
    
    switch([int]$value)
      {
        0          {'Always Prompt'}
        1          {'Send safe samples automatically'}
        2          {'Never send'}
        3          {'Send all samples automatically'}
        default    {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | 
  # ...and output properties "Caption" and "SubmitSamplesConsent". The latter is defined
  # by the hashtable in $SubmitSamplesConsent:
  Select-Object -Property Caption, $SubmitSamplesConsent
Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumSubmitSamplesConsent
{
  Always_Prompt                     = 0
  Send_safe_samples_automatically   = 1
  Never_send                        = 2
  Send_all_samples_automatically    = 3
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.SubmitSamplesConsent

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **SubmitSamplesConsent** 
[EnumSubmitSamplesConsent]$rawValue 

# get a comma-separated string:
[EnumSubmitSamplesConsent]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumSubmitSamplesConsent]
#endregion

Enums must cover all possible values. If SubmitSamplesConsent returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

ThreatIDDefaultAction_Actions

UINT8 ARRAY

Default actions for threats upon which default action should not be taken when detected. The actions need to be in the same order as their respective Ids specified in the ThreatIDDefaultAction_Ids property.

ThreatIDDefaultAction_Actions returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$ThreatIDDefaultAction_Actions_map = @{
      1 = 'Clean'
      2 = 'Quarantine'
      3 = 'Remove'
      6 = 'Allow'
      8 = 'UserDefined'
      9 = 'NoAction'
     10 = 'Block'
}
Use a switch statement
switch([int]$value)
{
  1          {'Clean'}
  2          {'Quarantine'}
  3          {'Remove'}
  6          {'Allow'}
  8          {'UserDefined'}
  9          {'NoAction'}
  10         {'Block'}
  default    {"$value"}
}
Use Enum structure
Enum EnumThreatIDDefaultAction_Actions
{
  Clean         = 1
  Quarantine    = 2
  Remove        = 3
  Allow         = 6
  UserDefined   = 8
  NoAction      = 9
  Block         = 10
}

Examples

Use $ThreatIDDefaultAction_Actions_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "ThreatIDDefaultAction_Actions" to friendly text

  Note: to use other properties than "ThreatIDDefaultAction_Actions", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "ThreatIDDefaultAction_Actions" 
# to translate other properties, use their translation table instead
$ThreatIDDefaultAction_Actions_map = @{
      1 = 'Clean'
      2 = 'Quarantine'
      3 = 'Remove'
      6 = 'Allow'
      8 = 'UserDefined'
      9 = 'NoAction'
     10 = 'Block'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "ThreatIDDefaultAction_Actions", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$ThreatIDDefaultAction_Actions = @{
  Name = 'ThreatIDDefaultAction_Actions'
  Expression = {
    # property is an array, so process all values
    $result = foreach($value in $_.ThreatIDDefaultAction_Actions)
    {
        # important: convert original value to [int] because
        # hashtable keys are type-aware:
        $ThreatIDDefaultAction_Actions_map[[int]$value]
    }
    # uncomment to get a comma-separated string instead
    # of a string array:
    $result <#-join ', '#>
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "Caption" and "ThreatIDDefaultAction_Actions". The latter
# is defined by the hashtable in $ThreatIDDefaultAction_Actions: 
Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $ThreatIDDefaultAction_Actions

# ...or dump content of property ThreatIDDefaultAction_Actions:
$friendlyValues = Get-CimInstance -Class MSFT_MpPreference | 
    Select-Object -Property $ThreatIDDefaultAction_Actions |
    Select-Object -ExpandProperty ThreatIDDefaultAction_Actions

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $ThreatIDDefaultAction_Actions_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "MSFT_MpPreference" to friendly text. This approach is ideal when there
  is just one instance to work with.

  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "MSFT_MpPreference" 
# to translate other properties, use their translation table instead
$ThreatIDDefaultAction_Actions_map = @{
      1 = 'Clean'
      2 = 'Quarantine'
      3 = 'Remove'
      6 = 'Allow'
      8 = 'UserDefined'
      9 = 'NoAction'
     10 = 'Block'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property (hint: the property is an array!)
$rawValues = $instance.ThreatIDDefaultAction_Actions  

# translate all raw values into friendly names:
$friendlyNames = foreach($rawValue in $rawValues)
{ $ThreatIDDefaultAction_Actions_map[[int]$rawValue] }

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "ThreatIDDefaultAction_Actions" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "ThreatIDDefaultAction_Actions", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "ThreatIDDefaultAction_Actions", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$ThreatIDDefaultAction_Actions = @{
  Name = 'ThreatIDDefaultAction_Actions'
  Expression = {
    # property is an array, so process all values
    $result = foreach($value in $_.ThreatIDDefaultAction_Actions)
    {
        switch([int]$value)
      {
        1          {'Clean'}
        2          {'Quarantine'}
        3          {'Remove'}
        6          {'Allow'}
        8          {'UserDefined'}
        9          {'NoAction'}
        10         {'Block'}
        default    {"$value"}
      }
      
    }
    $result
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | 
  # ...and output properties "Caption" and "ThreatIDDefaultAction_Actions". The latter is defined
  # by the hashtable in $ThreatIDDefaultAction_Actions:
  Select-Object -Property Caption, $ThreatIDDefaultAction_Actions
Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumThreatIDDefaultAction_Actions
{
  Clean         = 1
  Quarantine    = 2
  Remove        = 3
  Allow         = 6
  UserDefined   = 8
  NoAction      = 9
  Block         = 10
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.ThreatIDDefaultAction_Actions

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **ThreatIDDefaultAction_Actions** 
[EnumThreatIDDefaultAction_Actions[]]$rawValue 

# get a comma-separated string:
[EnumThreatIDDefaultAction_Actions[]]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumThreatIDDefaultAction_Actions[]]
#endregion

Enums must cover all possible values. If ThreatIDDefaultAction_Actions returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

ThreatIDDefaultAction_Ids

SINT64 ARRAY

The Ids of threats upon which default action should not be taken when detected. The actions in ThreatIDDefaultAction_Actions need to be specified in the same order as the Ids in ThreatIDDefaultAction_Ids

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, ThreatIDDefaultAction_Ids

UILockdown

BOOLEAN

Enable UI Lockdown mode.

Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, UILockdown

UnknownThreatDefaultAction

UINT8

Default action for unknown threats.

UnknownThreatDefaultAction returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$UnknownThreatDefaultAction_map = @{
      1 = 'Clean'
      2 = 'Quarantine'
      3 = 'Remove'
      6 = 'Allow'
      8 = 'UserDefined'
      9 = 'NoAction'
     10 = 'Block'
}
Use a switch statement
switch([int]$value)
{
  1          {'Clean'}
  2          {'Quarantine'}
  3          {'Remove'}
  6          {'Allow'}
  8          {'UserDefined'}
  9          {'NoAction'}
  10         {'Block'}
  default    {"$value"}
}
Use Enum structure
Enum EnumUnknownThreatDefaultAction
{
  Clean         = 1
  Quarantine    = 2
  Remove        = 3
  Allow         = 6
  UserDefined   = 8
  NoAction      = 9
  Block         = 10
}

Examples

Use $UnknownThreatDefaultAction_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "UnknownThreatDefaultAction" to friendly text

  Note: to use other properties than "UnknownThreatDefaultAction", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "UnknownThreatDefaultAction" 
# to translate other properties, use their translation table instead
$UnknownThreatDefaultAction_map = @{
      1 = 'Clean'
      2 = 'Quarantine'
      3 = 'Remove'
      6 = 'Allow'
      8 = 'UserDefined'
      9 = 'NoAction'
     10 = 'Block'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "UnknownThreatDefaultAction", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$UnknownThreatDefaultAction = @{
  Name = 'UnknownThreatDefaultAction'
  Expression = {
    # property is an array, so process all values
    $value = $_.UnknownThreatDefaultAction
    $UnknownThreatDefaultAction_map[[int]$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "Caption" and "UnknownThreatDefaultAction". The latter
# is defined by the hashtable in $UnknownThreatDefaultAction: 
Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $UnknownThreatDefaultAction

# ...or dump content of property UnknownThreatDefaultAction:
$friendlyValues = Get-CimInstance -Class MSFT_MpPreference | 
    Select-Object -Property $UnknownThreatDefaultAction |
    Select-Object -ExpandProperty UnknownThreatDefaultAction

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $UnknownThreatDefaultAction_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "MSFT_MpPreference" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "MSFT_MpPreference" 
# to translate other properties, use their translation table instead
$UnknownThreatDefaultAction_map = @{
      1 = 'Clean'
      2 = 'Quarantine'
      3 = 'Remove'
      6 = 'Allow'
      8 = 'UserDefined'
      9 = 'NoAction'
     10 = 'Block'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property
$rawValue = $instance.UnknownThreatDefaultAction  

# translate raw value to friendly text:
$friendlyName = $UnknownThreatDefaultAction_map[[int]$rawValue]

# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "UnknownThreatDefaultAction" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "UnknownThreatDefaultAction", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "UnknownThreatDefaultAction", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$UnknownThreatDefaultAction = @{
  Name = 'UnknownThreatDefaultAction'
  Expression = {
    # property is an array, so process all values
    $value = $_.UnknownThreatDefaultAction
    
    switch([int]$value)
      {
        1          {'Clean'}
        2          {'Quarantine'}
        3          {'Remove'}
        6          {'Allow'}
        8          {'UserDefined'}
        9          {'NoAction'}
        10         {'Block'}
        default    {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | 
  # ...and output properties "Caption" and "UnknownThreatDefaultAction". The latter is defined
  # by the hashtable in $UnknownThreatDefaultAction:
  Select-Object -Property Caption, $UnknownThreatDefaultAction
Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "MSFT_MpPreference", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumUnknownThreatDefaultAction
{
  Clean         = 1
  Quarantine    = 2
  Remove        = 3
  Allow         = 6
  UserDefined   = 8
  NoAction      = 9
  Block         = 10
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.UnknownThreatDefaultAction

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **UnknownThreatDefaultAction** 
[EnumUnknownThreatDefaultAction]$rawValue 

# get a comma-separated string:
[EnumUnknownThreatDefaultAction]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumUnknownThreatDefaultAction]
#endregion

Enums must cover all possible values. If UnknownThreatDefaultAction returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

Examples

List all instances of MSFT_MpPreference
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender

Learn more about Get-CimInstance and the deprecated Get-WmiObject.

View all properties
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender -Property *
View key properties only
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender -KeyOnly

Selecting Properties

To select only some properties, pipe the results to Select-Object -Property a,b,c with a comma-separated list of the properties you require. Wildcards are permitted.

Get-CimInstance always returns all properties but only retrieves the ones that you specify. All other properties are empty but still present. That’s why you need to pipe the results into Select-Object if you want to limit the visible properties, i.e. for reporting.

Selecting Properties

The code below lists all available properties. Remove the ones you do not need:

$properties = 'CheckForSignaturesBeforeRunningScan',
              'ComputerID',
              'DisableArchiveScanning',
              'DisableAutoExclusions',
              'DisableBehaviorMonitoring',
              'DisableCatchupFullScan',
              'DisableCatchupQuickScan',
              'DisableEmailScanning',
              'DisableIntrusionPreventionSystem',
              'DisableIOAVProtection',
              'DisablePrivacyMode',
              'DisableRealtimeMonitoring',
              'DisableRemovableDriveScanning',
              'DisableRestorePoint',
              'DisableScanningMappedNetworkDrivesForFullScan',
              'DisableScanningNetworkFiles',
              'DisableScriptScanning',
              'ExclusionExtension',
              'ExclusionPath',
              'ExclusionProcess',
              'HighThreatDefaultAction',
              'LowThreatDefaultAction',
              'MAPSReporting',
              'ModerateThreatDefaultAction',
              'QuarantinePurgeItemsAfterDelay',
              'RandomizeScheduleTaskTimes',
              'RealTimeScanDirection',
              'RemediationScheduleDay',
              'RemediationScheduleTime',
              'ReportingAdditionalActionTimeOut',
              'ReportingCriticalFailureTimeOut',
              'ReportingNonCriticalTimeOut',
              'ScanAvgCPULoadFactor',
              'ScanOnlyIfIdleEnabled',
              'ScanParameters',
              'ScanPurgeItemsAfterDelay',
              'ScanScheduleDay',
              'ScanScheduleQuickScanTime',
              'ScanScheduleTime',
              'SevereThreatDefaultAction',
              'SignatureAuGracePeriod',
              'SignatureDefinitionUpdateFileSharesSources',
              'SignatureDisableUpdateOnStartupWithoutEngine',
              'SignatureFallbackOrder',
              'SignatureFirstAuGracePeriod',
              'SignatureScheduleDay',
              'SignatureScheduleTime',
              'SignatureUpdateCatchupInterval',
              'SignatureUpdateInterval',
              'SubmitSamplesConsent',
              'ThreatIDDefaultAction_Actions',
              'ThreatIDDefaultAction_Ids',
              'UILockdown',
              'UnknownThreatDefaultAction'
Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender | Select-Object -Property $properties
Limiting Network Bandwidth

If you work remotely, it makes sense to limit network bandwidth by filtering the properties on the server side, too:

Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender -Property $property | 
Select-Object -Property $property

Selecting Instances

To select some instances, use Get-CimInstance and a WMI Query. The wildcard character in WMI Queries is % (and not “*”).

The parameter -Filter runs a simple query.

Listing all instances where the property Caption starts with “A”
Get-CimInstance -Class MSFT_MpPreference -Namespace root/microsoft/windows/defender -Filter 'Caption LIKE "a%"' 
Using a WQL Query

The parameter -Query uses a query similar to SQL and combines the parameters -Filter and -Property. This returns all instances where the property Caption starts with “A”, and returns the properties specified:

Get-CimInstance -Query "SELECT ExclusionExtension, RemediationScheduleDay, DisableRealtimeMonitoring, SignatureUpdateInterval FROM MSFT_MpPreference WHERE Caption LIKE 'a%'" -Namespace root/microsoft/windows/defender

Any property you did not specify is still present but empty. You might need to use Select-Object to remove all unwanted properties:

Get-CimInstance -Query "SELECT ExclusionExtension, RemediationScheduleDay, DisableRealtimeMonitoring, SignatureUpdateInterval FROM MSFT_MpPreference WHERE Caption LIKE 'a%'" -Namespace root/microsoft/windows/defender | Select-Object -Property ExclusionExtension, RemediationScheduleDay, DisableRealtimeMonitoring, SignatureUpdateInterval

Accessing Remote Computers

To access remote systems, you need to have proper permissions. User the parameter -ComputerName to access one or more remote systems.

Authenticating as Current User
# one or more computer names or IP addresses:
$list = 'server1', 'server2'

# authenticate with your current identity:
$result = Get-CimInstance -ClassName MSFT_MpPreference -Namespace root/microsoft/windows/defender -ComputerName $list 
$result
Authenticating as Different User

Use a CIMSession object to authenticate with a new identity:

# one or more computer names or IP addresses:
$list = 'server1', 'server2'

# authenticate with a different identity:
$cred = Get-Credential -Message 'Authenticate to retrieve WMI information:'
$session = New-CimSession -ComputerName $list -Credential $cred

$result = Get-CimInstance MSFT_MpPreference -Namespace root/microsoft/windows/defender -CimSession $session

# remove the session after use (if you do not plan to re-use it later)
Remove-CimSession -CimSession $session

$result

Learn more about accessing remote computers.

Requirements

To use MSFT_MpPreference, the following requirements apply:

PowerShell

Get-CimInstance was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.

If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.

Operating System

MSFT_MpPreference was introduced on clients with Windows 8.1 [desktop apps only] and on servers with Windows Server 2012 R2 [desktop apps only].

Namespace

MSFT_MpPreference lives in the Namespace Root/Microsoft/Windows/Defender. This is not the default namespace. Use parameter -Namespace root/microsoft/windows/defender with all CIM cmdlets..

Implementation

MSFT_MpPreference is implemented in ProtectionManagement.dll and defined in ProtectionManagement.mof. Both files are located in the folder C:\Windows\system32\wbem:

explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\ProtectionManagement.mof