How to Check if Windows Defender is Running in Passive Mode using PowerShell


Introduction

Windows Defender, now known as Microsoft Defender Antivirus, is a built-in security solution for Windows operating systems. It provides real-time protection against malware, viruses, and other threats. By default, Windows Defender operates in active mode, actively scanning files and monitoring system activity. However, there are scenarios where you might want to check if Windows Defender is running in passive mode. For example, if you’re using another antivirus solution alongside Windows Defender, you may need to ensure that Windows Defender is not conflicting with the other software.

In this article, we’ll cover how to determine if Windows Defender is in passive mode using PowerShell.

Checking Windows Defender Status

  • Open PowerShell as Administrator: To run the necessary commands, open PowerShell with administrative privileges. You can do this by searching for “PowerShell” in the Start menu, right-clicking on “Windows PowerShell,” and selecting “Run as administrator.”
  • Use the Get-MpComputerStatus Cmdlet: The Get-MpComputerStatus cmdlet provides information about the status of Windows Defender services, signature versions, last updates, and more. To check if Windows Defender is running in passive mode, execute the following command:
				
    Get-MpComputerStatus | Select-Object AntivirusEnabled, AMRunningMode

If the value of AntivirusEnabled is True and AMRunningMode is Passive, Windows Defender is in passive mode. If AMRunningMode is Normal, Windows Defender is in active mode.

  • Registry Key for Passive Mode: You can set Windows Defender to passive mode using a registry key. This is useful when you want to prevent conflicts with other antivirus products. Create the following registry entry:
				
    Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
    Name: ForceDefenderPassiveMode
    Type: REG_DWORD
    Value: 1

This registry key forces Windows Defender into passive mode.

Example PowerShell Script

Here’s an example PowerShell script that prompts the user for a hostname, establishes a CIM session, and checks if Windows Defender is running in passive mode on the specified computer:

				
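    # Prompt for the target computer and open a CIM session to it
    $hostname = Read-Host "Enter Hostname"
    $session = New-CimSession -ComputerName $hostname -ErrorAction Stop
    try {
        # Query the Defender status on the remote computer
        $defenderStatus = Get-MpComputerStatus -CimSession $session
        # -like also matches the "Passive Mode" and "SxS Passive Mode" forms of the value
        if ($defenderStatus.AMRunningMode -like "*Passive*" -and $defenderStatus.AntivirusEnabled) {
            Write-Host -ForegroundColor Green "Defender on $hostname is in Passive Mode"
        } else {
            Write-Host -ForegroundColor Red "Defender on $hostname is not in Passive mode"
        }
    } finally {
        # Always close the CIM session, even if the status query fails
        Remove-CimSession -CimSession $session
    }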
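The single-host check above can be extended into a small audit that also reports whether the ForceDefenderPassiveMode policy value is set, which tells you if passive mode was forced by policy. This is an added example, not part of the original article; the function name Get-DefenderModeReport and the host names are hypothetical, and it assumes the targets accept CIM (WinRM) connections.

```powershell
function Get-DefenderModeReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    # Policy key and value name from the registry section of this article
    $hklm    = [uint32]2147483650   # HKEY_LOCAL_MACHINE (0x80000002)
    $subKey  = 'SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $valName = 'ForceDefenderPassiveMode'

    foreach ($name in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $name -ErrorAction Stop
            $status  = Get-MpComputerStatus -CimSession $session -ErrorAction Stop

            # Read the policy value remotely through the StdRegProv WMI class
            $reg = Invoke-CimMethod -CimSession $session -Namespace 'root/cimv2' `
                -ClassName 'StdRegProv' -MethodName 'GetDWORDValue' `
                -Arguments @{ hDefKey = $hklm; sSubKeyName = $subKey; sValueName = $valName } `
                -ErrorAction Stop
            # ReturnValue 0 means the value exists; anything else means it is not set
            $forced = ($reg.ReturnValue -eq 0 -and $reg.uValue -eq 1)

            [pscustomobject]@{
                ComputerName     = $name
                AntivirusEnabled = $status.AntivirusEnabled
                AMRunningMode    = $status.AMRunningMode
                ForcedPassive    = $forced
                Error            = $null
            }
        }
        catch {
            # Unreachable host or failed query: record the error and keep going
            [pscustomobject]@{
                ComputerName = $name; AntivirusEnabled = $null
                AMRunningMode = $null; ForcedPassive = $null
                Error = $_.Exception.Message
            }
        }
        finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

# Constructed host names; replace with your own
Get-DefenderModeReport -ComputerName 'SRV01', 'SRV02' | Format-Table -AutoSize
```

A host that reports a passive running mode with ForcedPassive set to False was not placed in passive mode by this registry value, so the cause lies elsewhere.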
				
			

Conclusion

In this article, we’ve explored how to check if Windows Defender is running in passive mode using PowerShell. Whether you’re troubleshooting conflicts with other antivirus software or simply verifying the status, these steps will help you determine whether Windows Defender is actively protecting your system or operating in passive mode.
Feel free to leave any comments or questions below!

I hope you find this article helpful! If you have any further questions or need additional assistance, feel free to ask.
