MSFT_MpComputerStatus

Represents the Defender base status. Module Defender ships with Get-MpComputerStatus that essentially delivers the same information.

Methods

MSFT_MpComputerStatus has no methods.

Properties

MSFT_MpComputerStatus returns 32 properties:

'AMEngineVersion','AMProductVersion','AMServiceEnabled','AMServiceVersion',
'AntispywareEnabled','AntispywareSignatureAge','AntispywareSignatureLastUpdated',
'AntispywareSignatureVersion','AntivirusEnabled','AntivirusSignatureAge','AntivirusSignatureLastUpdated',
'AntivirusSignatureVersion','BehaviorMonitorEnabled','ComputerID','ComputerState','FullScanAge',
'FullScanEndTime','FullScanStartTime','IoavProtectionEnabled','LastFullScanSource',
'LastQuickScanSource','NISEnabled','NISEngineVersion','NISSignatureAge','NISSignatureLastUpdated',
'NISSignatureVersion','OnAccessProtectionEnabled','QuickScanAge','QuickScanEndTime','QuickScanStartTime',
'RealTimeProtectionEnabled','RealTimeScanDirection'

Unless explicitly marked as writeable, all properties are read-only. Read all properties for all instances:

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender -Property *

Most WMI classes return one or more instances.

When Get-CimInstance returns no result, no instances of class MSFT_MpComputerStatus exist. This is normal behavior.

Either the class is not implemented on your system (it may be deprecated, or drivers may be missing, e.g. CIM_VideoControllerResolution), or there are simply no physical representations of this class currently available (e.g. Win32_TapeDrive).

AMEngineVersion

STRING

The AM Engine version (major, minor, build, revision)

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AMEngineVersion

AMProductVersion

STRING

Product version (major, minor, build, revision)

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AMProductVersion

AMServiceEnabled

BOOLEAN

If the AM Engine is enabled

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AMServiceEnabled

AMServiceVersion

STRING

Service version (major, minor, build, revision)

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AMServiceVersion

AntispywareEnabled

BOOLEAN

Specifies whether Antispyware protection is enabled

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AntispywareEnabled

AntispywareSignatureAge

UINT32

Antispyware Signature age in days - if signatures have never been updated you will see an age of 65535 days

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AntispywareSignatureAge

AntispywareSignatureLastUpdated

DATETIME

Antispyware Last updated local time. If this has never updated you will see a null value in this property

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AntispywareSignatureLastUpdated

AntispywareSignatureVersion

STRING

The Antispyware Signature version (major, minor, build, revision)

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AntispywareSignatureVersion

AntivirusEnabled

BOOLEAN

Specifies whether Antivirus protection is enabled

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AntivirusEnabled

AntivirusSignatureAge

UINT32

Antivirus Signature age in days - if signatures have never been updated you will see an age of 65535 days

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AntivirusSignatureAge

AntivirusSignatureLastUpdated

DATETIME

Antivirus Last updated local time - If this has never updated you will see a null value in this property

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AntivirusSignatureLastUpdated

AntivirusSignatureVersion

STRING

The Antivirus Signature version (major, minor, build, revision)

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AntivirusSignatureVersion

BehaviorMonitorEnabled

BOOLEAN

Specifies whether behavior monitoring is enabled

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, BehaviorMonitorEnabled

ComputerID

KEY PROPERTY STRING

Computer ID created by MAPS

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID

ComputerState

UINT32

The current computer state

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, ComputerState

FullScanAge

UINT32

Last full scan age in days - if signatures have never been updated you will see an age of 65535 days

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, FullScanAge

FullScanEndTime

DATETIME

Time of last Full Scan end - If this has never updated you will see a null value in this property

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, FullScanEndTime

FullScanStartTime

DATETIME

Time of last Full Scan start - If this has never updated you will see a null value in this property

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, FullScanStartTime

IoavProtectionEnabled

BOOLEAN

Scan all downloaded files and attachments

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, IoavProtectionEnabled

LastFullScanSource

UINT8

Last scan source

LastFullScanSource returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$LastFullScanSource_map = @{
      0 = 'Unknown'
      1 = 'User'
      2 = 'System'
      3 = 'Real-time'
      4 = 'IOAV'
}

Use a switch statement
switch([int]$value)
{
  0          {'Unknown'}
  1          {'User'}
  2          {'System'}
  3          {'Real-time'}
  4          {'IOAV'}
  default    {"$value"}
}

Use Enum structure
Enum EnumLastFullScanSource
{
  Unknown     = 0
  User        = 1
  System      = 2
  Real_time   = 3
  IOAV        = 4
}

Examples

Use $LastFullScanSource_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "LastFullScanSource" to friendly text

  Note: to use other properties than "LastFullScanSource", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "LastFullScanSource" 
# to translate other properties, use their translation table instead
$LastFullScanSource_map = @{
      0 = 'Unknown'
      1 = 'User'
      2 = 'System'
      3 = 'Real-time'
      4 = 'IOAV'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "LastFullScanSource", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$LastFullScanSource = @{
  Name = 'LastFullScanSource'
  Expression = {
    # read the raw numeric value (a single UINT8, not an array)
    $value = $_.LastFullScanSource
    $LastFullScanSource_map[[int]$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "ComputerID" and "LastFullScanSource". The latter
# is defined by the hashtable in $LastFullScanSource: 
Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, $LastFullScanSource

# ...or dump content of property LastFullScanSource:
$friendlyValues = Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | 
    Select-Object -Property $LastFullScanSource |
    Select-Object -ExpandProperty LastFullScanSource

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }

Use $LastFullScanSource_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "LastFullScanSource" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "LastFullScanSource", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "LastFullScanSource" 
# to translate other properties, use their translation table instead
$LastFullScanSource_map = @{
      0 = 'Unknown'
      1 = 'User'
      2 = 'System'
      3 = 'Real-time'
      4 = 'IOAV'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property
$rawValue = $instance.LastFullScanSource  

# translate raw value to friendly text:
$friendlyName = $LastFullScanSource_map[[int]$rawValue]

# output value
$friendlyName

Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "LastFullScanSource" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "LastFullScanSource", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "LastFullScanSource", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses a switch statement to translate each numeric
  value to its friendly text counterpart:
#>
 
$LastFullScanSource = @{
  Name = 'LastFullScanSource'
  Expression = {
    # read the raw numeric value (a single UINT8, not an array)
    $value = $_.LastFullScanSource
    
    switch([int]$value)
      {
        0          {'Unknown'}
        1          {'User'}
        2          {'System'}
        3          {'Real-time'}
        4          {'IOAV'}
        default    {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | 
  # ...and output properties "ComputerID" and "LastFullScanSource". The latter is defined
  # by the hashtable in $LastFullScanSource:
  Select-Object -Property ComputerID, $LastFullScanSource

Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "LastFullScanSource", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumLastFullScanSource
{
  Unknown     = 0
  User        = 1
  System      = 2
  Real_time   = 3
  IOAV        = 4
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.LastFullScanSource

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **LastFullScanSource** 
[EnumLastFullScanSource]$rawValue 

# get a comma-separated string:
[EnumLastFullScanSource]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumLastFullScanSource]
#endregion

Enums must cover all possible values. If LastFullScanSource returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

LastQuickScanSource

UINT8

Last scan source

LastQuickScanSource returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$LastQuickScanSource_map = @{
      0 = 'Unknown'
      1 = 'User'
      2 = 'System'
      3 = 'Real-time'
      4 = 'IOAV'
}

Use a switch statement
switch([int]$value)
{
  0          {'Unknown'}
  1          {'User'}
  2          {'System'}
  3          {'Real-time'}
  4          {'IOAV'}
  default    {"$value"}
}

Use Enum structure
Enum EnumLastQuickScanSource
{
  Unknown     = 0
  User        = 1
  System      = 2
  Real_time   = 3
  IOAV        = 4
}

Examples

Use $LastQuickScanSource_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "LastQuickScanSource" to friendly text

  Note: to use other properties than "LastQuickScanSource", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "LastQuickScanSource" 
# to translate other properties, use their translation table instead
$LastQuickScanSource_map = @{
      0 = 'Unknown'
      1 = 'User'
      2 = 'System'
      3 = 'Real-time'
      4 = 'IOAV'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "LastQuickScanSource", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$LastQuickScanSource = @{
  Name = 'LastQuickScanSource'
  Expression = {
    # read the raw numeric value (a single UINT8, not an array)
    $value = $_.LastQuickScanSource
    $LastQuickScanSource_map[[int]$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "ComputerID" and "LastQuickScanSource". The latter
# is defined by the hashtable in $LastQuickScanSource: 
Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, $LastQuickScanSource

# ...or dump content of property LastQuickScanSource:
$friendlyValues = Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | 
    Select-Object -Property $LastQuickScanSource |
    Select-Object -ExpandProperty LastQuickScanSource

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }

Use $LastQuickScanSource_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "LastQuickScanSource" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "LastQuickScanSource", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "LastQuickScanSource" 
# to translate other properties, use their translation table instead
$LastQuickScanSource_map = @{
      0 = 'Unknown'
      1 = 'User'
      2 = 'System'
      3 = 'Real-time'
      4 = 'IOAV'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property
$rawValue = $instance.LastQuickScanSource  

# translate raw value to friendly text:
$friendlyName = $LastQuickScanSource_map[[int]$rawValue]

# output value
$friendlyName

Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "LastQuickScanSource" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "LastQuickScanSource", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "LastQuickScanSource", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses a switch statement to translate each numeric
  value to its friendly text counterpart:
#>
 
$LastQuickScanSource = @{
  Name = 'LastQuickScanSource'
  Expression = {
    # read the raw numeric value (a single UINT8, not an array)
    $value = $_.LastQuickScanSource
    
    switch([int]$value)
      {
        0          {'Unknown'}
        1          {'User'}
        2          {'System'}
        3          {'Real-time'}
        4          {'IOAV'}
        default    {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | 
  # ...and output properties "ComputerID" and "LastQuickScanSource". The latter is defined
  # by the hashtable in $LastQuickScanSource:
  Select-Object -Property ComputerID, $LastQuickScanSource

Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "LastQuickScanSource", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumLastQuickScanSource
{
  Unknown     = 0
  User        = 1
  System      = 2
  Real_time   = 3
  IOAV        = 4
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.LastQuickScanSource

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **LastQuickScanSource** 
[EnumLastQuickScanSource]$rawValue 

# get a comma-separated string:
[EnumLastQuickScanSource]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumLastQuickScanSource]
#endregion

Enums must cover all possible values. If LastQuickScanSource returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

NISEnabled

BOOLEAN

If the NRI Engine is enabled

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, NISEnabled

NISEngineVersion

STRING

NRI Engine version (major, minor, build, revision)

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, NISEngineVersion

NISSignatureAge

UINT32

NRI Signature age in days - if signatures have never been updated you will see an age of 65535 days

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, NISSignatureAge

NISSignatureLastUpdated

DATETIME

NRI Last updated local time - If this has never updated you will see a null value in this property

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, NISSignatureLastUpdated

NISSignatureVersion

STRING

The NRI Signature version (major, minor, build, revision)

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, NISSignatureVersion

OnAccessProtectionEnabled

BOOLEAN

Specifies whether the computer is monitoring file and program activity on your computer

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, OnAccessProtectionEnabled

QuickScanAge

UINT32

Last quick scan age in days - if signatures have never been updated you will see an age of 65535 days.

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, QuickScanAge

QuickScanEndTime

DATETIME

Time of last Quick Scan end - If this has never updated you will see a null value in this property

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, QuickScanEndTime

QuickScanStartTime

DATETIME

Time of last Quick Scan start - If this has never updated you will see a null value in this property

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, QuickScanStartTime

RealTimeProtectionEnabled

BOOLEAN

Specifies whether real-time protection is enabled

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, RealTimeProtectionEnabled

RealTimeScanDirection

UINT8

Real-time scan direction enumeration

RealTimeScanDirection returns a numeric value. To translate it into a meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$RealTimeScanDirection_map = @{
      0 = 'Both'
      1 = 'Incoming'
      2 = 'Outcoming'
}

Use a switch statement
switch([int]$value)
{
  0          {'Both'}
  1          {'Incoming'}
  2          {'Outcoming'}
  default    {"$value"}
}

Use Enum structure
Enum EnumRealTimeScanDirection
{
  Both        = 0
  Incoming    = 1
  Outcoming   = 2
}

Examples

Use $RealTimeScanDirection_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "RealTimeScanDirection" to friendly text

  Note: to use other properties than "RealTimeScanDirection", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "RealTimeScanDirection" 
# to translate other properties, use their translation table instead
$RealTimeScanDirection_map = @{
      0 = 'Both'
      1 = 'Incoming'
      2 = 'Outcoming'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "RealTimeScanDirection", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$RealTimeScanDirection = @{
  Name = 'RealTimeScanDirection'
  Expression = {
    # read the raw numeric value (a single UINT8, not an array)
    $value = $_.RealTimeScanDirection
    $RealTimeScanDirection_map[[int]$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "ComputerID" and "RealTimeScanDirection". The latter
# is defined by the hashtable in $RealTimeScanDirection: 
Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, $RealTimeScanDirection

# ...or dump content of property RealTimeScanDirection:
$friendlyValues = Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | 
    Select-Object -Property $RealTimeScanDirection |
    Select-Object -ExpandProperty RealTimeScanDirection

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }

Use $RealTimeScanDirection_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "RealTimeScanDirection" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "RealTimeScanDirection", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "RealTimeScanDirection" 
# to translate other properties, use their translation table instead
$RealTimeScanDirection_map = @{
      0 = 'Both'
      1 = 'Incoming'
      2 = 'Outcoming'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property
$rawValue = $instance.RealTimeScanDirection  

# translate raw value to friendly text:
$friendlyName = $RealTimeScanDirection_map[[int]$rawValue]

# output value
$friendlyName

Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "RealTimeScanDirection" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "RealTimeScanDirection", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "RealTimeScanDirection", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses a switch statement to translate each numeric
  value to its friendly text counterpart:
#>
 
$RealTimeScanDirection = @{
  Name = 'RealTimeScanDirection'
  Expression = {
    # read the raw numeric value (a single UINT8, not an array)
    $value = $_.RealTimeScanDirection
    
    switch([int]$value)
      {
        0          {'Both'}
        1          {'Incoming'}
        2          {'Outcoming'}
        default    {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | 
  # ...and output properties "ComputerID" and "RealTimeScanDirection". The latter is defined
  # by the hashtable in $RealTimeScanDirection:
  Select-Object -Property ComputerID, $RealTimeScanDirection

Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "RealTimeScanDirection", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumRealTimeScanDirection
{
  Both        = 0
  Incoming    = 1
  Outcoming   = 2
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.RealTimeScanDirection

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the raw value to the enum EnumRealTimeScanDirection
[EnumRealTimeScanDirection]$rawValue 

# get a comma-separated string:
[EnumRealTimeScanDirection]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumRealTimeScanDirection]
#endregion

Enums must cover all possible values. If RealTimeScanDirection returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

Examples

List all instances of MSFT_MpComputerStatus

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender

Learn more about Get-CimInstance and the deprecated Get-WmiObject.

View all properties

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender -Property *

View key properties only

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender -KeyOnly

Selecting Properties

To select only some properties, pipe the results to Select-Object -Property a,b,c with a comma-separated list of the properties you require. Wildcards are permitted.

Get-CimInstance always returns all properties but only retrieves the ones that you specify. All other properties are empty but still present. That’s why you need to pipe the results into Select-Object if you want to limit the visible properties, e.g. for reporting.

The code below lists all available properties. Remove the ones you do not need:

$properties = 'AMEngineVersion',
              'AMProductVersion',
              'AMServiceEnabled',
              'AMServiceVersion',
              'AntispywareEnabled',
              'AntispywareSignatureAge',
              'AntispywareSignatureLastUpdated',
              'AntispywareSignatureVersion',
              'AntivirusEnabled',
              'AntivirusSignatureAge',
              'AntivirusSignatureLastUpdated',
              'AntivirusSignatureVersion',
              'BehaviorMonitorEnabled',
              'ComputerID',
              'ComputerState',
              'FullScanAge',
              'FullScanEndTime',
              'FullScanStartTime',
              'IoavProtectionEnabled',
              'LastFullScanSource',
              'LastQuickScanSource',
              'NISEnabled',
              'NISEngineVersion',
              'NISSignatureAge',
              'NISSignatureLastUpdated',
              'NISSignatureVersion',
              'OnAccessProtectionEnabled',
              'QuickScanAge',
              'QuickScanEndTime',
              'QuickScanStartTime',
              'RealTimeProtectionEnabled',
              'RealTimeScanDirection'

Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property $properties

Limiting Network Bandwidth

If you work remotely, it makes sense to limit network bandwidth by filtering the properties on the server side, too:

Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender -Property $properties | 
Select-Object -Property $properties

Selecting Instances

To select some instances, use Get-CimInstance and a WMI Query. The wildcard character in WMI Queries is % (and not “*”).

The parameter -Filter runs a simple query.

Listing all instances where the property ComputerID starts with “A”

Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender -Filter 'ComputerID LIKE "a%"' 

Using a WQL Query

The parameter -Query uses a query similar to SQL and combines the parameters -Filter and -Property. This returns all instances where the property ComputerID starts with “A”, and returns the properties specified:

Get-CimInstance -Query "SELECT ComputerID, NISSignatureAge, QuickScanAge, NISEngineVersion FROM MSFT_MpComputerStatus WHERE ComputerID LIKE 'a%'" -Namespace root/microsoft/windows/defender

Any property you did not specify is still present but empty. You might need to use Select-Object to remove all unwanted properties:

Get-CimInstance -Query "SELECT ComputerID, NISSignatureAge, QuickScanAge, NISEngineVersion FROM MSFT_MpComputerStatus WHERE ComputerID LIKE 'a%'" -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, NISSignatureAge, QuickScanAge, NISEngineVersion

Accessing Remote Computers

To access remote systems, you need to have proper permissions. Use the parameter -ComputerName to access one or more remote systems.

Authenticating as Current User

# one or more computer names or IP addresses:
$list = 'server1', 'server2'

# authenticate with your current identity:
$result = Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender -ComputerName $list 
$result

Authenticating as Different User

Use a CIMSession object to authenticate with a new identity:

# one or more computer names or IP addresses:
$list = 'server1', 'server2'

# authenticate with a different identity:
$cred = Get-Credential -Message 'Authenticate to retrieve WMI information:'
$session = New-CimSession -ComputerName $list -Credential $cred

$result = Get-CimInstance MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender -CimSession $session

# remove the session after use (if you do not plan to re-use it later)
Remove-CimSession -CimSession $session

$result

Learn more about accessing remote computers.
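
A health check built on the remote queries above, as an added example that is not part of the original page: it evaluates MSFT_MpComputerStatus objects against a baseline and translates RealTimeScanDirection without failing on unknown codes. The function name Test-DefenderStatus, the thresholds, the rule that any direction other than "Both" is a finding, and the sample objects are assumptions made for illustration.

```powershell
# Added example: function name, thresholds, host names and sample values are assumptions.
function Test-DefenderStatus {
  [CmdletBinding()]
  param(
    [Parameter(Mandatory, ValueFromPipeline)] [object]$Status,
    [int]$MaxSignatureAgeDays = 3,   # assumed policy limit (days)
    [int]$MaxQuickScanAgeDays = 7    # assumed policy limit (days)
  )
  begin {
    # value-to-text mapping the page uses for RealTimeScanDirection
    $direction = @{ 0 = 'Both'; 1 = 'Incoming'; 2 = 'Outcoming' }
    $switches  = 'AMServiceEnabled', 'AntivirusEnabled', 'RealTimeProtectionEnabled',
                 'BehaviorMonitorEnabled', 'IoavProtectionEnabled', 'OnAccessProtectionEnabled'
  }
  process {
    $findings = [System.Collections.Generic.List[string]]::new()
    foreach ($name in $switches) {
      if (-not $Status.$name) { $findings.Add("$name is off") }
    }
    if ($Status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
      $findings.Add("signatures are $($Status.AntivirusSignatureAge) days old")
    }
    if ($Status.QuickScanAge -gt $MaxQuickScanAgeDays) {
      $findings.Add("last quick scan was $($Status.QuickScanAge) days ago")
    }
    # cast to [int] so the lookup matches the hashtable keys; an unknown code
    # is reported as text instead of throwing like a strict enum cast would
    $code = [int]$Status.RealTimeScanDirection
    $text = if ($direction.ContainsKey($code)) { $direction[$code] } else { "Unknown ($code)" }
    if ($code -ne 0) { $findings.Add("RealTimeScanDirection is '$text', not 'Both'") }

    [pscustomobject]@{
      ComputerName  = $Status.PSComputerName
      Healthy       = $findings.Count -eq 0
      ScanDirection = $text
      Findings      = $findings -join '; '
    }
  }
}

# constructed sample objects standing in for Get-CimInstance results
$base = @{ AMServiceEnabled = $true; AntivirusEnabled = $true; RealTimeProtectionEnabled = $true;
           BehaviorMonitorEnabled = $true; IoavProtectionEnabled = $true; OnAccessProtectionEnabled = $true }
$ok  = [pscustomobject]($base + @{ PSComputerName = 'server1'; AntivirusSignatureAge = 0;  QuickScanAge = 2; RealTimeScanDirection = 0 })
$bad = [pscustomobject]($base + @{ PSComputerName = 'server2'; AntivirusSignatureAge = 12; QuickScanAge = 2; RealTimeScanDirection = 5 })
$bad.RealTimeProtectionEnabled = $false
$ok, $bad | Test-DefenderStatus | Format-List

# live data, re-using a CIM session as in the example above:
# Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender -CimSession $session | Test-DefenderStatus
```

When feeding live data, request at least the properties the function reads: a property excluded by -Property arrives empty and would be reported as switched off.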

Requirements

To use MSFT_MpComputerStatus, the following requirements apply:

PowerShell

Get-CimInstance was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.

If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.

Operating System

MSFT_MpComputerStatus was introduced on clients with Windows 8.1 [desktop apps only] and on servers with Windows Server 2012 R2 [desktop apps only].

Namespace

MSFT_MpComputerStatus lives in the Namespace Root/Microsoft/Windows/Defender. This is not the default namespace. Use the parameter -Namespace root/microsoft/windows/defender with all CIM cmdlets.

Implementation

MSFT_MpComputerStatus is implemented in ProtectionManagement.dll and defined in ProtectionManagement.mof. Both files are located in the folder C:\Windows\system32\wbem:

explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\ProtectionManagement.mof