Represents the Defender base status. Module Defender ships with Get-MpComputerStatus
that essentially delivers the same information.
Methods
MSFT_MpComputerStatus has no methods.
Properties
MSFT_MpComputerStatus returns 32 properties:
'AMEngineVersion','AMProductVersion','AMServiceEnabled','AMServiceVersion',
'AntispywareEnabled','AntispywareSignatureAge','AntispywareSignatureLastUpdated',
'AntispywareSignatureVersion','AntivirusEnabled','AntivirusSignatureAge','AntivirusSignatureLastUpdated',
'AntivirusSignatureVersion','BehaviorMonitorEnabled','ComputerID','ComputerState','FullScanAge',
'FullScanEndTime','FullScanStartTime','IoavProtectionEnabled','LastFullScanSource',
'LastQuickScanSource','NISEnabled','NISEngineVersion','NISSignatureAge','NISSignatureLastUpdated',
'NISSignatureVersion','OnAccessProtectionEnabled','QuickScanAge','QuickScanEndTime','QuickScanStartTime',
'RealTimeProtectionEnabled','RealTimeScanDirection'
Unless explicitly marked as writeable, all properties are read-only. Read all properties for all instances:
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender -Property *
Most WMI classes return one or more instances.
When
Get-CimInstance
returns no result, then apparently no instances of class MSFT_MpComputerStatus exist. This is normal behavior.Either the class is not implemented on your system (may be deprecated or due to missing drivers, i.e. CIM_VideoControllerResolution), or there are simply no physical representations of this class currently available (i.e. Win32_TapeDrive).
AMEngineVersion
The AM Engine version (major, minor, build, revision)
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AMEngineVersion
AMProductVersion
Product version (major, minor, build, revision)
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AMProductVersion
AMServiceEnabled
If the AM Engine is enabled
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AMServiceEnabled
AMServiceVersion
Service version (major, minor, build, revision)
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AMServiceVersion
AntispywareEnabled
Specifies whether Antispyware protection is enabled
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AntispywareEnabled
AntispywareSignatureAge
Antispyware Signature age in days - if signatures have never been updated you will see an age of 65535 days
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AntispywareSignatureAge
AntispywareSignatureLastUpdated
Antispyware Last updated local time. If this has never updated you will see a null value in this property
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AntispywareSignatureLastUpdated
AntispywareSignatureVersion
The Antispyware Signature version (major, minor, build, revision)
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AntispywareSignatureVersion
AntivirusEnabled
Specifies whether Antivirus protection is enabled
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AntivirusEnabled
AntivirusSignatureAge
Antivirus Signature age in days- if signatures have never been updated you will see an age of 65535 days
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AntivirusSignatureAge
AntivirusSignatureLastUpdated
Antivirus Last updated local time - If this has never updated you will see a null value in this property
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AntivirusSignatureLastUpdated
AntivirusSignatureVersion
The Antivirus Signature version (major, minor, build, revision)
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, AntivirusSignatureVersion
BehaviorMonitorEnabled
Specifies whether behavior monitoring is enabled
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, BehaviorMonitorEnabled
ComputerID
Computer ID created by MAPS
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID
ComputerState
The current computer state
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, ComputerState
FullScanAge
Last full scan age in days- if signatures have never been updated you will see an age of 65535 days
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, FullScanAge
FullScanEndTime
Time of last Full Scan end - If this has never updated you will see a null value in this property
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, FullScanEndTime
FullScanStartTime
Time of last Full Scan start - If this has never updated you will see a null value in this property
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, FullScanStartTime
IoavProtectionEnabled
Scan all downloaded files and attachments
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, IoavProtectionEnabled
LastFullScanSource
Last scan source
LastFullScanSource returns a numeric value. To translate it into a meaningful text, use any of the following approaches:
Use a PowerShell Hashtable
$LastFullScanSource_map = @{
0 = 'Unknown'
1 = 'User'
2 = 'System'
3 = 'Real-time'
4 = 'IOAV'
}
Use a switch statement
switch([int]$value)
{
0 {'Unknown'}
1 {'User'}
2 {'System'}
3 {'Real-time'}
4 {'IOAV'}
default {"$value"}
}
Use Enum structure
Enum EnumLastFullScanSource
{
Unknown = 0
User = 1
System = 2
Real_time = 3
IOAV = 4
}
Examples
Use $LastFullScanSource_map in a calculated property for Select-Object
<#
this example uses a hashtable to translate raw numeric values for
property "LastFullScanSource" to friendly text
Note: to use other properties than "LastFullScanSource", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "LastFullScanSource"
# to translate other properties, use their translation table instead
$LastFullScanSource_map = @{
0 = 'Unknown'
1 = 'User'
2 = 'System'
3 = 'Real-time'
4 = 'IOAV'
}
#endregion define hashtable
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "LastFullScanSource", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
value to its friendly text counterpart:
#>
$LastFullScanSource = @{
Name = 'LastFullScanSource'
Expression = {
# property is an array, so process all values
$value = $_.LastFullScanSource
$LastFullScanSource_map[[int]$value]
}
}
#endregion define calculated property
# retrieve the instances, and output the properties "Caption" and "LastFullScanSource". The latter
# is defined by the hashtable in $LastFullScanSource:
Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $LastFullScanSource
# ...or dump content of property LastFullScanSource:
$friendlyValues = Get-CimInstance -Class MSFT_MpComputerStatus |
Select-Object -Property $LastFullScanSource |
Select-Object -ExpandProperty LastFullScanSource
# output values
$friendlyValues
# output values as comma separated list
$friendlyValues -join ', '
# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $LastFullScanSource_map to directly translate raw values from an instance
<#
this example uses a hashtable to manually translate raw numeric values
for property "MSFT_MpComputerStatus" to friendly text. This approach is ideal when
there is just one instance to work with.
Note: to use other properties than "MSFT_MpComputerStatus", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "MSFT_MpComputerStatus"
# to translate other properties, use their translation table instead
$LastFullScanSource_map = @{
0 = 'Unknown'
1 = 'User'
2 = 'System'
3 = 'Real-time'
4 = 'IOAV'
}
#endregion define hashtable
# get one instance:
$instance = Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to illustrate
the number-to-text translation. To process all instances, replace
"Select-Object -First 1" with a "Foreach-Object" loop, and use
the iterator variable $_ instead of $instance
#>
# query the property
$rawValue = $instance.LastFullScanSource
# translate raw value to friendly text:
$friendlyName = $LastFullScanSource_map[[int]$rawValue]
# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<#
this example uses a switch clause to translate raw numeric
values for property "LastFullScanSource" to friendly text. The switch
clause is embedded into a calculated property so there is
no need to refer to external variables for translation.
Note: to use other properties than "LastFullScanSource", look up the appropriate
translation switch clause for the property you would like to use instead.
#>
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "LastFullScanSource", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
value to its friendly text counterpart:
#>
$LastFullScanSource = @{
Name = 'LastFullScanSource'
Expression = {
# property is an array, so process all values
$value = $_.LastFullScanSource
switch([int]$value)
{
0 {'Unknown'}
1 {'User'}
2 {'System'}
3 {'Real-time'}
4 {'IOAV'}
default {"$value"}
}
}
}
#endregion define calculated property
# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender |
# ...and output properties "Caption" and "LastFullScanSource". The latter is defined
# by the hashtable in $LastFullScanSource:
Select-Object -Property Caption, $LastFullScanSource
Use the Enum from above to auto-translate the code values
<#
this example translates raw values by means of type conversion
the friendly names are defined as enumeration using the
keyword "enum" (PowerShell 5 or better)
The raw value(s) are translated to friendly text by
simply converting them into the enum type.
Note: to use other properties than "MSFT_MpComputerStatus", look up the appropriate
enum definition for the property you would like to use instead.
#>
#region define enum with value-to-text translation:
Enum EnumLastFullScanSource
{
Unknown = 0
User = 1
System = 2
Real_time = 3
IOAV = 4
}
#endregion define enum
# get one instance:
$instance = Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to focus on
the number-to-text type conversion.
To process all instances, replace "Select-Object -First 1"
with a "Foreach-Object" loop, and use the iterator variable
$_ instead of $instance
#>
# query the property:
$rawValue = $instance.LastFullScanSource
#region using strict type conversion
<#
Note: strict type conversion fails if the raw value is
not defined by the enum. So if the list of allowable values
was extended and the enum does not match the value,
an exception is thrown
#>
# convert the property to the enum **LastFullScanSource**
[EnumLastFullScanSource]$rawValue
# get a comma-separated string:
[EnumLastFullScanSource]$rawValue -join ','
#endregion
#region using operator "-as"
<#
Note: the operator "-as" accepts values not defined
by the enum and returns $null instead of throwing
an exception
#>
$rawValue -as [EnumLastFullScanSource]
#endregion
Enums must cover all possible values. If LastFullScanSource returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.
LastQuickScanSource
Last scan source
LastQuickScanSource returns a numeric value. To translate it into a meaningful text, use any of the following approaches:
Use a PowerShell Hashtable
$LastQuickScanSource_map = @{
0 = 'Unknown'
1 = 'User'
2 = 'System'
3 = 'Real-time'
4 = 'IOAV'
}
Use a switch statement
switch([int]$value)
{
0 {'Unknown'}
1 {'User'}
2 {'System'}
3 {'Real-time'}
4 {'IOAV'}
default {"$value"}
}
Use Enum structure
Enum EnumLastQuickScanSource
{
Unknown = 0
User = 1
System = 2
Real_time = 3
IOAV = 4
}
Examples
Use $LastQuickScanSource_map in a calculated property for Select-Object
<#
this example uses a hashtable to translate raw numeric values for
property "LastQuickScanSource" to friendly text
Note: to use other properties than "LastQuickScanSource", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "LastQuickScanSource"
# to translate other properties, use their translation table instead
$LastQuickScanSource_map = @{
0 = 'Unknown'
1 = 'User'
2 = 'System'
3 = 'Real-time'
4 = 'IOAV'
}
#endregion define hashtable
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "LastQuickScanSource", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
value to its friendly text counterpart:
#>
$LastQuickScanSource = @{
Name = 'LastQuickScanSource'
Expression = {
# property is an array, so process all values
$value = $_.LastQuickScanSource
$LastQuickScanSource_map[[int]$value]
}
}
#endregion define calculated property
# retrieve the instances, and output the properties "Caption" and "LastQuickScanSource". The latter
# is defined by the hashtable in $LastQuickScanSource:
Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $LastQuickScanSource
# ...or dump content of property LastQuickScanSource:
$friendlyValues = Get-CimInstance -Class MSFT_MpComputerStatus |
Select-Object -Property $LastQuickScanSource |
Select-Object -ExpandProperty LastQuickScanSource
# output values
$friendlyValues
# output values as comma separated list
$friendlyValues -join ', '
# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $LastQuickScanSource_map to directly translate raw values from an instance
<#
this example uses a hashtable to manually translate raw numeric values
for property "MSFT_MpComputerStatus" to friendly text. This approach is ideal when
there is just one instance to work with.
Note: to use other properties than "MSFT_MpComputerStatus", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "MSFT_MpComputerStatus"
# to translate other properties, use their translation table instead
$LastQuickScanSource_map = @{
0 = 'Unknown'
1 = 'User'
2 = 'System'
3 = 'Real-time'
4 = 'IOAV'
}
#endregion define hashtable
# get one instance:
$instance = Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to illustrate
the number-to-text translation. To process all instances, replace
"Select-Object -First 1" with a "Foreach-Object" loop, and use
the iterator variable $_ instead of $instance
#>
# query the property
$rawValue = $instance.LastQuickScanSource
# translate raw value to friendly text:
$friendlyName = $LastQuickScanSource_map[[int]$rawValue]
# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<#
this example uses a switch clause to translate raw numeric
values for property "LastQuickScanSource" to friendly text. The switch
clause is embedded into a calculated property so there is
no need to refer to external variables for translation.
Note: to use other properties than "LastQuickScanSource", look up the appropriate
translation switch clause for the property you would like to use instead.
#>
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "LastQuickScanSource", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
value to its friendly text counterpart:
#>
$LastQuickScanSource = @{
Name = 'LastQuickScanSource'
Expression = {
# property is an array, so process all values
$value = $_.LastQuickScanSource
switch([int]$value)
{
0 {'Unknown'}
1 {'User'}
2 {'System'}
3 {'Real-time'}
4 {'IOAV'}
default {"$value"}
}
}
}
#endregion define calculated property
# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender |
# ...and output properties "Caption" and "LastQuickScanSource". The latter is defined
# by the hashtable in $LastQuickScanSource:
Select-Object -Property Caption, $LastQuickScanSource
Use the Enum from above to auto-translate the code values
<#
this example translates raw values by means of type conversion
the friendly names are defined as enumeration using the
keyword "enum" (PowerShell 5 or better)
The raw value(s) are translated to friendly text by
simply converting them into the enum type.
Note: to use other properties than "MSFT_MpComputerStatus", look up the appropriate
enum definition for the property you would like to use instead.
#>
#region define enum with value-to-text translation:
Enum EnumLastQuickScanSource
{
Unknown = 0
User = 1
System = 2
Real_time = 3
IOAV = 4
}
#endregion define enum
# get one instance:
$instance = Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to focus on
the number-to-text type conversion.
To process all instances, replace "Select-Object -First 1"
with a "Foreach-Object" loop, and use the iterator variable
$_ instead of $instance
#>
# query the property:
$rawValue = $instance.LastQuickScanSource
#region using strict type conversion
<#
Note: strict type conversion fails if the raw value is
not defined by the enum. So if the list of allowable values
was extended and the enum does not match the value,
an exception is thrown
#>
# convert the property to the enum **LastQuickScanSource**
[EnumLastQuickScanSource]$rawValue
# get a comma-separated string:
[EnumLastQuickScanSource]$rawValue -join ','
#endregion
#region using operator "-as"
<#
Note: the operator "-as" accepts values not defined
by the enum and returns $null instead of throwing
an exception
#>
$rawValue -as [EnumLastQuickScanSource]
#endregion
Enums must cover all possible values. If LastQuickScanSource returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.
NISEnabled
If the NRI Engine is enabled
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, NISEnabled
NISEngineVersion
NRI Engine version (major, minor, build, revision)
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, NISEngineVersion
NISSignatureAge
NRI Signature age in days- if signatures have never been updated you will see an age of 65535 days
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, NISSignatureAge
NISSignatureLastUpdated
NRI Last updated local time - If this has never updated you will see a null value in this property
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, NISSignatureLastUpdated
NISSignatureVersion
The NRI Signature version (major, minor, build, revision)
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, NISSignatureVersion
OnAccessProtectionEnabled
Specifies whether the computer is monitoring file and program activity on your computer
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, OnAccessProtectionEnabled
QuickScanAge
Last quick scan age in days- if signatures have never been updated you will see an age of 65535 days.
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, QuickScanAge
QuickScanEndTime
Time of last Quick Scan end - If this has never updated you will see a null value in this property
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, QuickScanEndTime
QuickScanStartTime
Time of last Quick Scan start - If this has never updated you will see a null value in this property
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, QuickScanStartTime
RealTimeProtectionEnabled
Specifies whether real-time protection is enabled
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, RealTimeProtectionEnabled
RealTimeScanDirection
Real-time scan direction enumeration
RealTimeScanDirection returns a numeric value. To translate it into a meaningful text, use any of the following approaches:
Use a PowerShell Hashtable
$RealTimeScanDirection_map = @{
0 = 'Both'
1 = 'Incoming'
2 = 'Outcoming'
}
Use a switch statement
switch([int]$value)
{
0 {'Both'}
1 {'Incoming'}
2 {'Outcoming'}
default {"$value"}
}
Use Enum structure
Enum EnumRealTimeScanDirection
{
Both = 0
Incoming = 1
Outcoming = 2
}
Examples
Use $RealTimeScanDirection_map in a calculated property for Select-Object
<#
this example uses a hashtable to translate raw numeric values for
property "RealTimeScanDirection" to friendly text
Note: to use other properties than "RealTimeScanDirection", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "RealTimeScanDirection"
# to translate other properties, use their translation table instead
$RealTimeScanDirection_map = @{
0 = 'Both'
1 = 'Incoming'
2 = 'Outcoming'
}
#endregion define hashtable
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "RealTimeScanDirection", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
value to its friendly text counterpart:
#>
$RealTimeScanDirection = @{
Name = 'RealTimeScanDirection'
Expression = {
# property is an array, so process all values
$value = $_.RealTimeScanDirection
$RealTimeScanDirection_map[[int]$value]
}
}
#endregion define calculated property
# retrieve the instances, and output the properties "Caption" and "RealTimeScanDirection". The latter
# is defined by the hashtable in $RealTimeScanDirection:
Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property Caption, $RealTimeScanDirection
# ...or dump content of property RealTimeScanDirection:
$friendlyValues = Get-CimInstance -Class MSFT_MpComputerStatus |
Select-Object -Property $RealTimeScanDirection |
Select-Object -ExpandProperty RealTimeScanDirection
# output values
$friendlyValues
# output values as comma separated list
$friendlyValues -join ', '
# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $RealTimeScanDirection_map to directly translate raw values from an instance
<#
this example uses a hashtable to manually translate raw numeric values
for property "MSFT_MpComputerStatus" to friendly text. This approach is ideal when
there is just one instance to work with.
Note: to use other properties than "MSFT_MpComputerStatus", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "MSFT_MpComputerStatus"
# to translate other properties, use their translation table instead
$RealTimeScanDirection_map = @{
0 = 'Both'
1 = 'Incoming'
2 = 'Outcoming'
}
#endregion define hashtable
# get one instance:
$instance = Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to illustrate
the number-to-text translation. To process all instances, replace
"Select-Object -First 1" with a "Foreach-Object" loop, and use
the iterator variable $_ instead of $instance
#>
# query the property
$rawValue = $instance.RealTimeScanDirection
# translate raw value to friendly text:
$friendlyName = $RealTimeScanDirection_map[[int]$rawValue]
# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<#
this example uses a switch clause to translate raw numeric
values for property "RealTimeScanDirection" to friendly text. The switch
clause is embedded into a calculated property so there is
no need to refer to external variables for translation.
Note: to use other properties than "RealTimeScanDirection", look up the appropriate
translation switch clause for the property you would like to use instead.
#>
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "RealTimeScanDirection", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
value to its friendly text counterpart:
#>
$RealTimeScanDirection = @{
Name = 'RealTimeScanDirection'
Expression = {
# property is an array, so process all values
$value = $_.RealTimeScanDirection
switch([int]$value)
{
0 {'Both'}
1 {'Incoming'}
2 {'Outcoming'}
default {"$value"}
}
}
}
#endregion define calculated property
# retrieve all instances...
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender |
# ...and output properties "Caption" and "RealTimeScanDirection". The latter is defined
# by the hashtable in $RealTimeScanDirection:
Select-Object -Property Caption, $RealTimeScanDirection
Use the Enum from above to auto-translate the code values
<#
this example translates raw values by means of type conversion
the friendly names are defined as enumeration using the
keyword "enum" (PowerShell 5 or better)
The raw value(s) are translated to friendly text by
simply converting them into the enum type.
Note: to use other properties than "MSFT_MpComputerStatus", look up the appropriate
enum definition for the property you would like to use instead.
#>
#region define enum with value-to-text translation:
Enum EnumRealTimeScanDirection
{
Both = 0
Incoming = 1
Outcoming = 2
}
#endregion define enum
# get one instance:
$instance = Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to focus on
the number-to-text type conversion.
To process all instances, replace "Select-Object -First 1"
with a "Foreach-Object" loop, and use the iterator variable
$_ instead of $instance
#>
# query the property:
$rawValue = $instance.RealTimeScanDirection
#region using strict type conversion
<#
Note: strict type conversion fails if the raw value is
not defined by the enum. So if the list of allowable values
was extended and the enum does not match the value,
an exception is thrown
#>
# convert the property to the enum **RealTimeScanDirection**
[EnumRealTimeScanDirection]$rawValue
# get a comma-separated string:
[EnumRealTimeScanDirection]$rawValue -join ','
#endregion
#region using operator "-as"
<#
Note: the operator "-as" accepts values not defined
by the enum and returns $null instead of throwing
an exception
#>
$rawValue -as [EnumRealTimeScanDirection]
#endregion
Enums must cover all possible values. If RealTimeScanDirection returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.
Examples
List all instances of MSFT_MpComputerStatus
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender
Learn more about Get-CimInstance
and the deprecated Get-WmiObject
.
View all properties
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender -Property *
View key properties only
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender -KeyOnly
Selecting Properties
To select only some properties, pipe the results to Select-Object -Property a,b,c
with a comma-separated list of the properties you require. Wildcards are permitted.
Get-CimInstance
always returns all properties but only retrieves the ones that you specify. All other properties are empty but still present. That’s why you need to pipe the results into Select-Object
if you want to limit the visible properties, i.e. for reporting.
Selecting Properties
The code below lists all available properties. Remove the ones you do not need:
$properties = 'AMEngineVersion',
'AMProductVersion',
'AMServiceEnabled',
'AMServiceVersion',
'AntispywareEnabled',
'AntispywareSignatureAge',
'AntispywareSignatureLastUpdated',
'AntispywareSignatureVersion',
'AntivirusEnabled',
'AntivirusSignatureAge',
'AntivirusSignatureLastUpdated',
'AntivirusSignatureVersion',
'BehaviorMonitorEnabled',
'ComputerID',
'ComputerState',
'FullScanAge',
'FullScanEndTime',
'FullScanStartTime',
'IoavProtectionEnabled',
'LastFullScanSource',
'LastQuickScanSource',
'NISEnabled',
'NISEngineVersion',
'NISSignatureAge',
'NISSignatureLastUpdated',
'NISSignatureVersion',
'OnAccessProtectionEnabled',
'QuickScanAge',
'QuickScanEndTime',
'QuickScanStartTime',
'RealTimeProtectionEnabled',
'RealTimeScanDirection'
Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender | Select-Object -Property $properties
Limiting Network Bandwidth
If you work remotely, it makes sense to limit network bandwidth by filtering the properties on the server side, too:
Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender -Property $property |
Select-Object -Property $property
Selecting Instances
To select some instances, use Get-CimInstance and a WMI Query. The wildcard character in WMI Queries is % (and not “*”).
The parameter -Filter runs a simple query.
Listing all instances where the property Caption starts with “A”
Get-CimInstance -Class MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender -Filter 'Caption LIKE "a%"'
Using a WQL Query
The parameter -Query uses a query similar to SQL and combines the parameters -Filter and -Property. This returns all instances where the property Caption starts with “A”, and returns the properties specified:
Get-CimInstance -Query "SELECT ComputerID, NISSignatureAge, QuickScanAge, NISEngineVersion FROM MSFT_MpComputerStatus WHERE Caption LIKE 'a%'" -Namespace root/microsoft/windows/defender
Any property you did not specify is still present but empty. You might need to use
Select-Object
to remove all unwanted properties:Get-CimInstance -Query "SELECT ComputerID, NISSignatureAge, QuickScanAge, NISEngineVersion FROM MSFT_MpComputerStatus WHERE Caption LIKE 'a%'" -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerID, NISSignatureAge, QuickScanAge, NISEngineVersion
Accessing Remote Computers
To access remote systems, you need to have proper permissions. User the parameter -ComputerName to access one or more remote systems.
Authenticating as Current User
# one or more computer names or IP addresses:
$list = 'server1', 'server2'
# authenticate with your current identity:
$result = Get-CimInstance -ClassName MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender -ComputerName $list
$result
Authenticating as Different User
Use a CIMSession object to authenticate with a new identity:
# one or more computer names or IP addresses:
$list = 'server1', 'server2'
# authenticate with a different identity:
$cred = Get-Credential -Message 'Authenticate to retrieve WMI information:'
$session = New-CimSession -ComputerName $list -Credential $cred
$result = Get-CimInstance MSFT_MpComputerStatus -Namespace root/microsoft/windows/defender -CimSession $session
# remove the session after use (if you do not plan to re-use it later)
Remove-CimSession -CimSession $session
$result
Learn more about accessing remote computers.
Requirements
To use MSFT_MpComputerStatus, the following requirements apply:
PowerShell
Get-CimInstance
was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.
If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.
Operating System
MSFT_MpComputerStatus was introduced on clients with Windows 8.1 [desktop apps only] and on servers with Windows Server 2012 R2 [desktop apps only].
Namespace
MSFT_MpComputerStatus lives in the Namespace Root/Microsoft/Windows/Defender. This is not the default namespace. Use parameter -Namespace root/microsoft/windows/defender with all CIM cmdlets..
Implementation
MSFT_MpComputerStatus is implemented in ProtectionManagement.dll and defined in ProtectionManagement.mof. Both files are located in the folder C:\Windows\system32\wbem
:
explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\ProtectionManagement.mof