A user created a PowerShell script to check if a machine is running MS Defender Endpoint in EDR Block Mode and asked about setting up a trigger for alerts. Another user suggested using event log entries to trigger actions, citing a thread discussing it on the ControlUp Community Slack. The original script is provided in the discussion for reference and the user updates it to address false positive reports. The final version of the script is tested and confirmed to work.
Read the entire ‘How to Create Triggers for MS Defender Endpoint Scripts in ControlUp’ thread below:
Hello – I created a PowerShell script to check if a machine is running MS Defender Endpoint in EDR Block Mode.
My question is, how can I set up a trigger where we can be alerted if the monitored machines are NOT running in EDR Block Mode (running in active, passive, etc.)?
Does the script return data?
Also is this for physical or virtual machines?
Yes – this would be for virtual machines.
Here is the script:
```powershell
# Function to check if Defender is running in EDR Block Mode
function Confirm-DefenderEDRBlockMode {
    try {
        # Get the Defender configuration
        $DefenderConfig = Get-MpComputerStatus
        # Check if Defender is running and in EDR Block Mode
        if ($DefenderConfig.AMRunningMode -eq "EDR Block Mode") {
            Write-Host "Defender is running in EDR Block Mode." -ForegroundColor Green
            return $true
        } else {
            Write-Host "Defender is NOT running in EDR Block Mode. Current AMRunningMode: $($DefenderConfig.AMRunningMode)" -ForegroundColor Red
            return $false
        }
    }
    catch {
        Write-Host "Error checking Defender status: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

# Call the function and store the result
$IsEDRBlockMode = Confirm-DefenderEDRBlockMode
```
Gotcha. So the virtual product doesn’t have an easy way to directly trigger on script output. But you can write an event log entry and then trigger on the event log entry.
Do you have a way to run the original script or do you want ControlUp to run the initial script as well?
As of now we do not – basically we want the script running on all machines every 5 minutes and then alerting us if MDE falls out of EDR Block Mode
Alright. So my suggestion would be
Trigger 1 – scheduled trigger
This trigger will run your EDR check
Add this to your script (modify where needed/desired)
```powershell
$eventLogName = "EDR status"
$eventID = 123
$exists = [System.Diagnostics.EventLog]::SourceExists($eventLogName);
if(-not $exists)
{
    New-EventLog -LogName "Application" -Source $eventLogName -erroraction stop
}
Write-EventLog -LogName Application -Source $eventLogName -EntryType Warning -Message "Defender is NOT running in EDR Block Mode. Current AMRunningMode: $($DefenderConfig.AMRunningMode)" -EventId $eventID
```
Trigger 2 – event log trigger
Create a trigger for the event listed above. This will send you an email or perform any other follow up action
Awesome, thank you!!
And now I see this thread…LOL
https://controlupcommunity.slack.com/archives/C0473N33S00/p1745511086150859
So when I run the new script I am getting false positive reports that EDR Block is NOT running despite that it is, review below:
```powershell
# Requires the Defender module to be installed (usually pre-installed on Windows Server)
# Function to check if Defender is running in EDR Block Mode
function Confirm-DefenderEDRBlockMode {
    try {
        # Get the Defender configuration
        $DefenderConfig = Get-MpComputerStatus
        # Check if Defender is running and in EDR Block Mode
        if ($DefenderConfig.AMRunningMode -eq "EDR Block Mode") {
            Write-Host "Defender is running in EDR Block Mode." -ForegroundColor Green
            return $true
        } else {
            Write-Host "Defender is NOT running in EDR Block Mode. Current AMRunningMode: $($DefenderConfig.AMRunningMode)" -ForegroundColor Red
            return $false
        }
    }
    catch {
        Write-Host "Error checking Defender status: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

$eventLogName = "EDR status"
$eventID = 123
$exists = [System.Diagnostics.EventLog]::SourceExists($eventLogName);
if(-not $exists)
{
    New-EventLog -LogName "Application" -Source $eventLogName -erroraction stop
}
Write-EventLog -LogName Application -Source $eventLogName -EntryType Warning -Message "Defender is NOT running in EDR Block Mode. Current AMRunningMode: $($DefenderConfig.AMRunningMode)" -EventId $eventID

# Call the function and store the result
$IsEDRBlockMode = Confirm-DefenderEDRBlockMode

# Optional: Output the raw Defender configuration for debugging
Get-MpComputerStatus | Format-List *
```
```powershell
# Requires the Defender module to be installed (usually pre-installed on Windows Server)
# Function to check if Defender is running in EDR Block Mode
$eventLogName = "EDR status"
$eventID = 123
$exists = [System.Diagnostics.EventLog]::SourceExists($eventLogName);
if(-not $exists)
{
    New-EventLog -LogName "Application" -Source $eventLogName -erroraction stop
}

function Confirm-DefenderEDRBlockMode {
    try {
        # Get the Defender configuration
        $DefenderConfig = Get-MpComputerStatus
        # Check if Defender is running and in EDR Block Mode
        if ($DefenderConfig.AMRunningMode -eq "EDR Block Mode") {
            Write-Host "Defender is running in EDR Block Mode." -ForegroundColor Green
            return $true
        } else {
            Write-Host "Defender is NOT running in EDR Block Mode. Current AMRunningMode: $($DefenderConfig.AMRunningMode)" -ForegroundColor Red
            Write-EventLog -LogName Application -Source $eventLogName -EntryType Warning -Message "Defender is NOT running in EDR Block Mode. Current AMRunningMode: $($DefenderConfig.AMRunningMode)" -EventId $eventID
            return $false
        }
    }
    catch {
        Write-Host "Error checking Defender status: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

# Call the function and store the result
$IsEDRBlockMode = Confirm-DefenderEDRBlockMode

# Optional: Output the raw Defender configuration for debugging
Get-MpComputerStatus | Format-List *
```
try that version
Looks like that one worked, thank you very much!
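As an added example that is not part of the thread, the following variant of the final script closes one gap a defender would want covered: the final version only writes an event when Defender reports a mode other than EDR Block Mode, so a machine where `Get-MpComputerStatus` itself fails (module missing, service down) never produces an event and therefore never fires the event-log trigger. This version writes a distinct Error event on that path and an Information event on the healthy path; the helper function name and event IDs 124 and 125 are assumptions.

```powershell
# Added example, not from the thread: EDR Block Mode check that raises an event on
# every outcome, so the ControlUp event-log trigger can distinguish "not in block
# mode" from "check could not run". Event IDs 124/125 are assumed values.
$eventSource  = "EDR status"      # same source name as the thread's script
$eventLogName = "Application"
$idNotBlock   = 123               # Warning: Defender up, but not in EDR Block Mode
$idCheckError = 124               # Error: could not query Defender at all
$idHealthy    = 125               # Information: healthy heartbeat (optional)

# Register the event source once; this needs local admin rights.
if (-not [System.Diagnostics.EventLog]::SourceExists($eventSource)) {
    New-EventLog -LogName $eventLogName -Source $eventSource -ErrorAction Stop
}

function Write-EdrStatusEvent {
    param(
        [Parameter(Mandatory)][ValidateSet('Information','Warning','Error')][string]$EntryType,
        [Parameter(Mandatory)][int]$EventId,
        [Parameter(Mandatory)][string]$Message
    )
    Write-EventLog -LogName $eventLogName -Source $eventSource -EntryType $EntryType `
                   -EventId $EventId -Message $Message
}

function Confirm-DefenderEDRBlockMode {
    try {
        # -ErrorAction Stop turns a failed query into a terminating error for catch
        $status = Get-MpComputerStatus -ErrorAction Stop
        $mode   = $status.AMRunningMode
        if ($mode -eq "EDR Block Mode") {
            Write-EdrStatusEvent -EntryType Information -EventId $idHealthy `
                -Message "Defender is running in EDR Block Mode."
            return $true
        }
        # Any other mode (Normal, Passive Mode, ...) is what Trigger 2 should alert on
        Write-EdrStatusEvent -EntryType Warning -EventId $idNotBlock `
            -Message "Defender is NOT running in EDR Block Mode. Current AMRunningMode: $mode"
        return $false
    }
    catch {
        # A machine where the check cannot run must not look healthy by omission
        Write-EdrStatusEvent -EntryType Error -EventId $idCheckError `
            -Message "Could not query Defender status: $($_.Exception.Message)"
        return $false
    }
}

$IsEDRBlockMode = Confirm-DefenderEDRBlockMode
```

With three distinct IDs, the event-log trigger can be scoped to 123 and 124 only, while 125 gives a way to confirm the scheduled trigger is actually running on every machine.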