Use PowerShell to Explore Windows Defender Preferences

Doctor Scripto

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell 4.0 in Windows 8.1 to explore Windows Defender preferences.

Microsoft Scripting Guy, Ed Wilson, is here. Well things are certainly shaping up to be exciting. Last weekend, I upgraded my Surface Pro to Windows 8.1 via the store. It took about 30 minutes, and it was absolutely painless. The long part was downloading the 3 GB file. Then it started the installation, and I had to agree with the license statement. Finally, it wanted to know how to personalize the device. Besides that, it was gravy.

The Scripting Wife and I are getting ready to go to Atlanta this weekend for the PowerShell Saturday 005 event. I am making two presentations, and there are several other awesome speakers who will be there. There are still some tickets available for this event, so it is not too late to sign up. I know there are some people who are driving to the event from as far away as Texas, so it will be a great time to see some of your favorite Windows PowerShell people. Check it out, you will be glad you did.

Because Windows 8.1 is now in general availability, I thought I would take some time to write about one of the cool new modules. I am running Windows PowerShell 4.0 on Windows 8.1.

Note  This is the second post in a three-part series about the Windows Defender module in Windows 8.1. For basic information about the Windows Defender module, please see Exploring the Windows Defender Catalog.

One of the cool things about Windows PowerShell is that it always (at least nearly always) works the same. This means that I can use the Get-Help cmdlet to find out how to use a cmdlet or CIM function. I can use the Help function, to see Help information one page at a time. It does not matter what the module, or what the cmdlet.

But with most of the Get* type of cmdlets and functions, I do not even need to use Help. I can simply type the cmdlet (or function) name, and voila, it spews forth data—at least that is the way that well designed cmdlets generally behave. I should not have to look at Help to find out how to get information.

Note  The Windows Defender commands are technically functions. They are CIM wrapped, based on a new WMI namespace that is added to Windows 8.1. I will refer to them as functions, or occasionally as a command. But I will not call them cmdlets (unless I slip up and make a mistake) because they are not technically cmdlets. Using Get-Member or Get-Command easily reveals this information.

I can use the Get-MpPreference cmdlet to obtain information about my Windows Defender preference settings. The command and the output associated with the command are shown here.

Image of command output

The bad thing is that some of the output does not make sense. For example, the value of the ScanScheduleDay is 0. What does that mean? Is it Sunday, or Monday, or whatever? I know that “computer numbers” often begin with 0 instead of 1, so I guess that maybe it means scan on the first day of the week. So I use the Get-Culture cmdlet and I look at the DateTimeFormat property to see what the first day of the week is. The command and output are shown here.

Image of command output

I can see that the value of the FirstDayOfWeek property from the DateTimeFormat object is Sunday. So, I guess that my ScanScheduleDay value of 0 is Sunday. But that is just a guess. I would like to make sure. So I check the value of Get-Help to see if there is any Help here.

I use the command Get-Help Get-MpPreference –full, and I obtain the following output:

Image of command output

I can tell you that in this case, the Help is no help. Then it dawns on me. Wait! In reality, this is WMI. Hey, it is a CIM function, which means that under the covers, there is bound to be a WMI class. Groovy. On MSDN, most WMI classes are well documented.

However, searching for “Windows PowerShell Help” in this case does not help. This is because, as I found, all it does is document the way Windows PowerShell works—and well, duh, I know HOW Windows PowerShell works. I need to know what the output means.

So I need to look up WMI. I type a Bing query for “PowerShell Defender ScanScheduleDay” and I get back nothing worthwhile. I do the same search on MSDN. Again, I get no hits. Hmmm…time to go “old school” on this issue.

So I pipe the results from the Get-MpPreference function to Get-Member, and I look at the object that returns. Ahhhhh…now I can see some sense. The command and output are shown in the image that follows.

Image of command output

So I now search for “MSFT_MpPreference” directly on MSDN, and I discover that Windows Defender WMIv2 APIs is documented. The page on MSDN lists all of the WMI classes. Sweet!

As it turns out, it was a good thing I looked up the answer because 0 is not Sunday. Sunday, as it turns out, is 1. The MSDN portion is shown here.

Image of webpage

So, that is it. I am able to discover the information I need to bring clarity the output.

That is all there is to using the Windows Defender module. Join me tomorrow when I will talk about using the Windows Defender functions to initiate scans and to update the files.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

1 comment

Discussion is closed. Login to edit/delete existing comments.

  • Lee Seeman 0

    Thank you for the article. Is there a way to get Defender properties on remote computers using powershell. This is to streamline validating new systems are configured properly.

Feedback usabilla icon