Created
February 22, 2019 20:24
-
-
Save alexverboon/057951af0c4978f5bd82f7e5b6292965 to your computer and use it in GitHub Desktop.
Get-DefenderATPStatus
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-DefenderATPStatus | |
| { | |
| <# | |
| .SYNOPSIS | |
| Get-DefenderATPStatus | |
| .DESCRIPTION | |
| Get-DefenderATPStatus retrieves the status of Windows Defender ATP | |
| .PARAMETER Computername | |
| Specifies the computers on which the command runs. The default is the local computer. | |
| When you use the ComputerName parameter, Windows PowerShell creates a temporary connection that is used only to run the specified command and is then closed. If you need a persistent connection, use the Session parameter. | |
| Type the NETBIOS name, IP address, or fully qualified domain name of one or more computers in a comma-separated list. To specify the local computer, type the computer name, localhost, or a dot (.). | |
| To use an IP address in the value of ComputerName , the command must include the Credential parameter. Also, the computer must be configured for HTTPS transport or the IP address of the remote computer must be included in the WinRM TrustedHosts list on the local computer. For instructions for adding a computer name to the TrustedHosts list, see "How to Add a Computer to the Trusted Host List" in about_Remote_Troubleshooting. | |
| On Windows Vista and later versions of the Windows operating system, to include the local computer in the value of ComputerName , you must open Windows PowerShell by using the Run as administrator option. | |
| .PARAMETER Credential | |
| Specifies a user account that has permission to perform this action. The default is the current user. | |
| Type a user name, such as User01 or Domain01\User01. Or, enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, this cmdlet prompts you for a password. | |
| .PARAMETER UseSSL | |
| Indicates that this cmdlet uses the Secure Sockets Layer (SSL) protocol to establish a connection to the remote computer. By default, SSL is not used. | |
| WS-Management encrypts all Windows PowerShell content transmitted over the network. The UseSSL parameter is an additional protection that sends the data across an HTTPS, instead of HTTP. | |
| If you use this parameter, but SSL is not available on the port that is used for the command, the command fails. | |
| .PARAMETER ThrottleLimit | |
| Specifies the maximum number of concurrent connections that can be established to run this command. If you omit this parameter or enter a value of 0, the default value, 32, is used. | |
| The throttle limit applies only to the current command, not to the session or to the computer. | |
| .PARAMETER Authentication | |
| Specifies the mechanism that is used to authenticate the user's credentials. The acceptable values for this | |
| parameter are: | |
| - Default | |
| - Basic | |
| - Credssp | |
| - Digest | |
| - Kerberos | |
| - Negotiate | |
| - NegotiateWithImplicitCredential | |
| The default value is Default. | |
| CredSSP authentication is available only in Windows Vista, Windows Server 2008, and later versions of the Windows operating system. | |
| For information about the values of this parameter, see the description of the AuthenticationMechanismEnumeration (http://go.microsoft.com/fwlink/?LinkID=144382) in theMicrosoft Developer Network (MSDN) library. | |
| CAUTION: Credential Security Support Provider (CredSSP) authentication, in which the user's credentials are passed to a remote computer to be authenticated, is designed for commands that require authentication on more than one resource, such as accessing a remote network share. This mechanism increases the security risk of the remote operation. If the remote computer is compromised, the credentials that are passed to it can be used to control the | |
| network session. | |
| .EXAMPLE | |
| Get-DefenderATPStatus | |
| ComputerName : Computer1 | |
| OnboardingState : True | |
| OSBuild : 17763 | |
| OSEditionID : Enterprise | |
| OSProductName : Windows 10 Enterprise | |
| Machinebuildnumber : Microsoft Windows NT 10.0.17763.0 | |
| SenseID : 1973feeca6e13f533d09359f2c4e50bcc8041086 | |
| MMAAgentService : not required | |
| SenseConfigVersion : 5999.2835479 | |
| MachineIDCalculated : Windows Defender Advanced Threat Protection machine ID calculated: 1973feeca6e13f533d09359f2c4e50bcc8041086 | |
| SenseGUID : 000000-f79c-478d-1234-a3a9fdc43952 | |
| SenseOrdID : 35010645-0000-1111-1234-e8d5fc19fdfc | |
| SenseServiceState : Running | |
| DiagTrackServiceState : Running | |
| DefenderServiceState : Running | |
| MSASignInServiceStartup : Manual | |
| DefenderPassiveMode : False | |
| DefenderAVSignatureVersion : 1.285.617.0 Engine Version is: 1.1.15600.4 | |
| LastSenseTimeStamp : 2/1/2019 2:32:44 PM | |
| DiagTrackLastNormalUploadTime : False | |
| DiagTrackLastRealtimeUploadTime : False | |
| DiagTrackLastHeartBeatTime : 0 | |
| DiagTrackLastInvalidHttpCode : 0 | |
| .EXAMPLE | |
| $cred = Get-Credential | |
| Get-DefenderATPStatus -Computer W10Client1 -Credential $cred | |
| This example retrieves the LAPS CSE Debug Status from aremote computer using a credential | |
| .NOTES | |
| Version: 1.0 | |
| Author: Alex Verboon | |
| Creation Date: 22.02.2019 | |
| Purpose/Change: Initial script development | |
| #> | |
| [CmdletBinding()] | |
| [Alias()] | |
| #[OutputType([String])] | |
| Param | |
| ( | |
| # Param1 help description | |
| [Parameter(ValueFromPipeline, ValueFromPipelineByPropertyName,Position = 0)] | |
| [string[]]$Computername = $env:COMPUTERNAME, | |
| [PSCredential]$Credential, | |
| [switch]$UseSSL, | |
| [Int32]$ThrottleLimit, | |
| [ValidateSet('Default', 'Basic', 'Credssp', 'Digest', 'Kerberos', 'Negotiate', 'NegotiateWithImplicitCredential')] | |
| [ValidateNotNullorEmpty()] | |
| [string]$Authentication = "default" | |
| ) | |
| Begin | |
| { | |
| # function to read reg stuff | |
| $sb = { | |
| [int]$OSBuild = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty CurrentBuild | |
| [string]$OSEditionID = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty EditionID | |
| [string]$OSProductName = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty ProductName | |
| $MachineBuildNumber = [System.Environment]::OSVersion.VersionString | |
| if ((($OSBuild -ge 7601 -and $OSBuild -le 14393) -and ($OSProductName -notmatch 'Windows 10')) -and (($OSEditionID -match 'Enterprise') -or ($OSEditionID -match 'Pro') -or ($OSEditionID -match 'Ultimate') -or ($OSEditionID -match 'Server'))) | |
| # begin Windows 10 downlevel clients or Servers with MMA Agent | |
| { | |
| if ((Get-ItemProperty -Path "HKLM:\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty "senseId")) | |
| { | |
| $SenseID = (Get-ItemProperty -Path "HKLM:\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\" | Select-Object -ExpandProperty "senseId" ) | |
| $MMAService = (Get-Service -Name HealthService -ErrorAction SilentlyContinue).Status | |
| $SenseConfigVersion = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty "ConfigurationVersion") | |
| } | |
| else | |
| { | |
| $OnboardingState = $false | |
| } | |
| # end region Win10 downlevel/serverOS | |
| } | |
| else | |
| { | |
| # begin Windows native Windows 10 ATP | |
| if ((Get-ItemProperty -Path "HKLM:\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\Status" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty OnboardingState ) -eq $True) | |
| { | |
| $OnboardingState = $True | |
| $MMAService = "not required" | |
| $SenseID = (Get-ItemProperty -Path "HKLM:\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty "senseId" ) | |
| $SenseConfigVersion = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty "ConfigurationVersion" ) | |
| $MachineIDCalculated = (Get-WinEvent -ProviderName Microsoft-Windows-SENSE | Where-Object -Property Message -Like "*ID calculated*" | Select-Object -L 1).Message | |
| $SenseGUID = (Get-ItemProperty -Path "HKLM:\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty "senseGuid" ) | |
| $SenseOrdID = (Get-ItemProperty -Path "HKLM:\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\Status" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty "OrgID" ) | |
| $SenseServiceState = (Get-Service -Name Sense).Status | |
| $DiagTrackServiceState = (Get-Service -Name DiagTrack).Status | |
| $DefenderServiceState = (Get-Service -Name WinDefend).Status | |
| $MSAccountSignInAgentServiceStartType = (Get-Service -Name wlidsvc).StartType | |
| if (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" | Select-Object -ExpandProperty "PassiveMode" -ErrorAction SilentlyContinue) | |
| { | |
| $DefenderPassiveMode = $True | |
| } | |
| else | |
| { | |
| $DefenderPassiveMode = $false | |
| } | |
| $DefenderAVSignatureVersion = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty "AVSignatureVersion" ) | |
| $DefenderEngineVersion = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty "EngineVersion" ) | |
| $LastConnectedraw = (Get-ItemProperty -Path "HKLM:\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\Status" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty LastConnected ) | |
| $LastSenseTimeStamp = [DateTime]::FromFiletime([Int64]::Parse($LastConnectedraw)) | |
| if ((Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty ReleaseId) -eq 1607 ) | |
| { | |
| $DiagTrackLastNormalUploadTimeraw = (Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleSettings -ErrorAction SilentlyContinue | Select-Object -ExpandProperty LastNormalUploadTime) | |
| $DiagTrackLastNormalUploadTime = if (-not ($DiagTrackLastNormalUploadTimeraw -eq $null)) { [DateTime]::FromFiletime([Int64]::Parse($DiagTrackLastNormalUploadTimeraw)) } else {"$null"} | |
| $DiagTrackLastRealtimeUploadTimeraw = (Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SevilleSettings -ErrorAction SilentlyContinue | Select-Object -ExpandProperty LastRealtimeUploadTime) | |
| $DiagTrackLastRealtimeUploadTime = if (-not ($DiagTrackLastRealtimeUploadTimeraw -eq $null)) { [DateTime]::FromFiletime([Int64]::Parse($DiagTrackLastRealtimeUploadTimeraw)) } else {"$null"} | |
| $DiagTrackLastHeartBeatTimeraw = (Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\HeartBeats\Seville\ -ErrorAction SilentlyContinue | Select-Object -ExpandProperty LastHeartBeatTime) | |
| $DiagTrackLastHeartBeatTime = if (-not ($DiagTrackLastHeartBeatTimeraw -eq $null -or $DiagTrackLastHeartBeatTimeraw -eq 0 )) { [DateTime]::FromFiletime([Int64]::Parse($DiagTrackLastHeartBeatTimeraw)) } else {"$null"} | |
| $DiagTrackLastInvalidHttpCode = (Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\HeartBeats\Seville\ -ErrorAction SilentlyContinue | Select-Object -ExpandProperty LastInvalidHttpCode) | |
| } | |
| else | |
| { | |
| $DiagTrackLastNormalUploadTimeraw = (Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\Tenants\P-WDATP -ErrorAction SilentlyContinue | Select-Object -ExpandProperty LastNormalUploadTime ) | |
| $DiagTrackLastNormalUploadTime = if (-not ($DiagTrackLastNormalUploadTimeraw -eq $null)) { [DateTime]::FromFiletime([Int64]::Parse($DiagTrackLastNormalUploadTimeraw)) } else {"$null"} | |
| $DiagTrackLastRealtimeUploadTimeraw = (Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\Tenants\P-WDATP -ErrorAction SilentlyContinue | Select-Object -ExpandProperty LastRealtimeUploadTime) | |
| $DiagTrackLastRealtimeUploadTime = if (-not ($DiagTrackLastRealtimeUploadTimeraw -eq $null)) { [DateTime]::FromFiletime([Int64]::Parse($DiagTrackLastRealtimeUploadTimeraw)) } else {"$null"} | |
| $DiagTrackLastHeartBeatTimeraw = (Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\HeartBeats\Seville -ErrorAction SilentlyContinue | Select-Object -ExpandProperty LastHeartBeatTime) | |
| $DiagTrackLastHeartBeatTime = if (-not ($DiagTrackLastHeartBeatTimeraw -eq $null -or $DiagTrackLastHeartBeatTimeraw -eq 0 )) { [DateTime]::FromFiletime([Int64]::Parse($DiagTrackLastHeartBeatTimeraw)) } else {"$null"} | |
| $DiagTrackLastInvalidHttpCode = (Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\HeartBeats\Seville -ErrorAction SilentlyContinue | Select-Object -ExpandProperty LastInvalidHttpCode) | |
| } | |
| } | |
| else { | |
| $OnboardingState = $false | |
| } | |
| } | |
| # prepare the output | |
| $object = [ordered]@{ | |
| "ComputerName" = $env:COMPUTERNAME | |
| "OnboardingState" = $OnboardingState | |
| "OSBuild" = $OSBuild | |
| "OSEditionID" = $OSEditionID | |
| "OSProductName" = $OSProductName | |
| "Machinebuildnumber" = $MachineBuildNumber | |
| "SenseID" = $SenseID | |
| "MMAAgentService" = $MMAService | |
| "SenseConfigVersion" = $SenseConfigVersion | |
| "MachineIDCalculated" = $MachineIDCalculated | |
| "SenseGUID" = $SenseGUID | |
| "SenseOrdID" = $SenseOrdID | |
| "SenseServiceState" = $SenseServiceState | |
| "DiagTrackServiceState" = $DiagTrackServiceState | |
| "DefenderServiceState" = $DefenderServiceState | |
| "MSASignInServiceStartup" = $MSAccountSignInAgentServiceStartType | |
| "DefenderPassiveMode" = $DefenderPassiveMode | |
| "DefenderAVSignatureVersion" = $DefenderAVSignatureVersion | |
| "DefenderEngineVersion" = $DefenderEngineVersion | |
| "LastSenseTimeStamp" = $LastSenseTimeStamp | |
| "DiagTrackLastNormalUploadTime" = $DiagTrackLastNormalUploadTime | |
| "DiagTrackLastRealtimeUploadTime" = $DiagTrackLastRealtimeUploadTime | |
| "DiagTrackLastHeartBeatTime" = $DiagTrackLastHeartBeatTime | |
| "DiagTrackLastInvalidHttpCode" = $DiagTrackLastInvalidHttpCode | |
| } | |
| $DefenderATPResult = (New-Object -TypeName PSObject -Property $object) | |
| $DefenderATPResult | |
| } #end scriptblock | |
| if ($PSBoundParameters.ContainsKey("Computername")) { | |
| $sbRemote = { | |
| # Get Remote Verbose Preference | |
| $VerbosePreference = $using:VerbosePreference | |
| } | |
| $newScriptBlock = [ScriptBlock]::Create($sbRemote.ToString() + $sb.ToString()) | |
| $sb = $newScriptBlock | |
| } | |
| #update PSBoundParameters so it can be splatted to Invoke-Command | |
| $PSBoundParameters.Add("ScriptBlock", $sb) | Out-Null | |
| $PSBoundParameters.Add("HideComputername", $True) | Out-Null | |
| } | |
| Process | |
| { | |
| if (-Not $PSBoundParameters.ContainsKey("Computername")) { | |
| # There is no computername provided so we run things locally. | |
| & $sb | |
| } | |
| else { | |
| #$PSBoundParameters | Out-String | Write-Verbose | |
| Invoke-Command @PSBoundParameters -ArgumentList $VerbosePreference | Select-Object -Property * -ExcludeProperty RunspaceID, PS* | |
| } | |
| } | |
| End | |
| { | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment