AMRunningMode - Active or Passive
As per Microsoft documentation, Get-MpComputerStatus provides the output of the Active or Passive status of MDE, i.e. via AMRunningMode.
When MDE is active, AMRunningMode shows as Normal.
When MDE is passive, AMRunningMode shows as Passive Mode.
In our environment, EDR Block Mode is on; because of this, for passive status we are seeing the output in PowerShell as EDR Block Mode. We also noticed that when the MDE GUI status output is showing as unsupported or not updated, the PowerShell output is also showing as EDR Mode Mode.
As we are planning to automate the check of MDE readiness, how can we ensure that only the endpoints whose MDE status is updated in the GUI are showing as passive, and exclude any unsupported/not updated devices from the automation? Any thoughts on this are much appreciated.
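One way to structure the readiness check asked about above, as an added example that is not part of the original post and not Microsoft's code: it groups `EDR Block Mode` with the passive states and separates out endpoints with stale signatures before reporting a mode. The function name `Get-MdeReadiness`, the 7-day threshold, the use of `AntivirusSignatureAge` as a stand-in for "not updated", and the sample objects are assumptions.

```powershell
# Added example: classify Defender Antivirus state from Get-MpComputerStatus fields.
# Assumption: "not updated" is approximated by local signature age; the 7-day
# default is a constructed threshold, not a Microsoft-defined limit.
function Get-MdeReadiness {
    param(
        [Parameter(Mandatory)] $Status,      # object exposing Get-MpComputerStatus properties
        [int] $MaxSignatureAgeDays = 7
    )

    # AMRunningMode values in which Defender Antivirus is not the primary AV.
    $passiveModes = 'Passive Mode', 'EDR Block Mode', 'SxS Passive Mode'
    $mode = [string]$Status.AMRunningMode

    # Order matters: rule out stopped or stale endpoints before trusting the mode.
    $readiness = if ((-not $Status.AMServiceEnabled) -or (-not $mode) -or ($mode -eq 'Not running')) {
        'NotRunning'
    }
    elseif ($Status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        'NotUpdated'
    }
    elseif ($mode -eq 'Normal')      { 'Active' }
    elseif ($mode -in $passiveModes) { 'Passive' }
    else                             { 'Unknown' }

    [pscustomobject]@{
        AMRunningMode = $mode
        SignatureAge  = $Status.AntivirusSignatureAge
        Readiness     = $readiness
    }
}

# Constructed sample inputs standing in for output collected from four endpoints.
$samples = @(
    [pscustomobject]@{ AMServiceEnabled = $true;  AMRunningMode = 'Normal';         AntivirusSignatureAge = 0  }
    [pscustomobject]@{ AMServiceEnabled = $true;  AMRunningMode = 'EDR Block Mode'; AntivirusSignatureAge = 1  }
    [pscustomobject]@{ AMServiceEnabled = $true;  AMRunningMode = 'EDR Block Mode'; AntivirusSignatureAge = 45 }
    [pscustomobject]@{ AMServiceEnabled = $false; AMRunningMode = 'Not running';    AntivirusSignatureAge = 0  }
)
$samples | ForEach-Object { Get-MdeReadiness -Status $_ } | Format-Table -AutoSize

# On a live endpoint: Get-MdeReadiness -Status (Get-MpComputerStatus)
```

With the constructed samples, the two endpoints reporting `EDR Block Mode` are split into `Passive` and `NotUpdated` by signature age, which is the distinction `AMRunningMode` alone does not give.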