Introduction
Migrating from one endpoint protection solution to another can be a daunting task. It requires careful planning, execution, and testing to ensure a seamless transition without impacting business operations. However, with the Defender for Endpoint Migration Toolkit, the process can be simplified and streamlined.
We have compiled several PowerShell examples for migrating from third-party antivirus solutions to Defender for Endpoint.
Leveraging PowerShell for Migration
PowerShell can create the Configuration Manager queries and device collections that drive a migration to Defender for Endpoint. These collections and queries show which endpoints already run each agent and which still need attention, so you can target deployments and monitor progress until every device is protected and functioning as expected.
Creating Collections and Queries
Creating the collections and queries starts with importing the Configuration Manager PowerShell module and switching to the site drive. You can then create queries for the programs involved in the migration, such as the Azure Connected Machine Agent, Microsoft Defender for Endpoint, Microsoft Monitoring Agent, and System Center Endpoint Protection; each query matches the product's entry in the 64-bit Add/Remove Programs inventory (SMS_G_System_ADD_REMOVE_PROGRAMS_64).
After creating the queries, you create a device collection for each program, limited to All Systems, with a query membership rule that uses the same WQL. These collections let you manage and monitor the devices running each program and give you insight into their operation and security status during the migration.
<#
=================================================================================
DISCLAIMER:
This script is provided "as-is" with no warranties. Usage of this script is at
your own risk. The author is not liable for any damages or losses arising from
using this script. Please review the full legal disclaimer at:
https://kaidojarvemets.com/legal-disclaimer/
=================================================================================
#>
#You need to import the Configuration Manager PowerShell module and switch to the site drive before you can create the Queries and Collections
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode = "XXX"   #Placeholder: replace with your own site code
Set-Location -Path "$($SiteCode):"
#Queries
$AzureConnectedMachineAgent = 'select SMS_R_System.Name, SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName, SMS_G_System_ADD_REMOVE_PROGRAMS_64.Version from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceId = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "Azure Connected Machine Agent"'
$MicrosoftDefenderforEndpoint = 'select SMS_R_System.Name, SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName, SMS_G_System_ADD_REMOVE_PROGRAMS_64.Version from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "Microsoft Defender for Endpoint"'
$MicrosoftMonitoringAgent = 'select SMS_R_System.Name, SMS_G_System_ADD_REMOVE_PROGRAMS_64.Version, SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "Microsoft Monitoring Agent"'
$SystemCenterEndpointProtection = 'select SMS_R_System.Name, SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName, SMS_G_System_ADD_REMOVE_PROGRAMS_64.Version from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceId = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "System Center Endpoint Protection"'
New-CMQuery -Name "Azure Connected Machine Agent" -Expression $AzureConnectedMachineAgent -TargetClassName "SMS_R_System"
New-CMQuery -Name "Microsoft Defender for Endpoint" -Expression $MicrosoftDefenderforEndpoint -TargetClassName "SMS_R_System"
New-CMQuery -Name "Microsoft Monitoring Agent" -Expression $MicrosoftMonitoringAgent -TargetClassName "SMS_R_System"
New-CMQuery -Name "System Center Endpoint Protection" -Expression $SystemCenterEndpointProtection -TargetClassName "SMS_R_System"
#Device Collections
$LimitingCollectionName = "All Systems"
New-CMCollection -Name "Azure Connected Machine Agent" -LimitingCollectionName $LimitingCollectionName -CollectionType Device
Add-CMDeviceCollectionQueryMembershipRule -CollectionName "Azure Connected Machine Agent" -QueryExpression $AzureConnectedMachineAgent -RuleName "AzureConnectedMachineAgent"
New-CMCollection -Name "Microsoft Defender for Endpoint" -LimitingCollectionName $LimitingCollectionName -CollectionType Device
Add-CMDeviceCollectionQueryMembershipRule -CollectionName "Microsoft Defender for Endpoint" -QueryExpression $MicrosoftDefenderforEndpoint -RuleName "MicrosoftDefenderforEndpoint"
New-CMCollection -Name "Microsoft Monitoring Agent" -LimitingCollectionName $LimitingCollectionName -CollectionType Device
Add-CMDeviceCollectionQueryMembershipRule -CollectionName "Microsoft Monitoring Agent" -QueryExpression $MicrosoftMonitoringAgent -RuleName "MicrosoftMonitoringAgent"
New-CMCollection -Name "System Center Endpoint Protection" -LimitingCollectionName $LimitingCollectionName -CollectionType Device
Add-CMDeviceCollectionQueryMembershipRule -CollectionName "System Center Endpoint Protection" -QueryExpression $SystemCenterEndpointProtection -RuleName "SystemCenterEndpointProtection"
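The per-product blocks above can be folded into one idempotent function (added example, not part of the original toolkit) that builds the ARP-based query and collection for any product and does not fail when re-run against existing objects. It assumes the ConfigurationManager module is imported and the current location is the site drive; the -ExcludeDefenderForEndpoint option, the "- no MDE" naming and the product name 'Contoso Antivirus' are this example's own.

```powershell
# Added example (not part of the original toolkit). Assumes ConfigurationManager module is
# imported and the current location is the site drive; -ExcludeDefenderForEndpoint is our own option.
function New-ArpProductCollection {
    param(
        [Parameter(Mandatory)][string]$DisplayName,   # exact Add/Remove Programs DisplayName
        [string]$LimitingCollectionName = 'All Systems',
        [switch]$ExcludeDefenderForEndpoint            # only devices that do NOT yet have MDE installed
    )
    $safeName = $DisplayName -replace "'", "''"        # escape single quotes for the WQL literal
    $wql = @"
select SMS_R_System.Name, SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName,
       SMS_G_System_ADD_REMOVE_PROGRAMS_64.Version
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64
    on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = '$safeName'
"@
    if ($ExcludeDefenderForEndpoint) {
        # WQL subquery: drop every ResourceId that already reports the MDE package
        $wql += @"

and SMS_R_System.ResourceId not in (
    select SMS_R_System.ResourceId from SMS_R_System
    inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64
        on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceId = SMS_R_System.ResourceId
    where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = 'Microsoft Defender for Endpoint')
"@
    }
    $name = if ($ExcludeDefenderForEndpoint) { "$DisplayName - no MDE" } else { $DisplayName }
    $ruleName = $name -replace '[^A-Za-z0-9]', ''
    if (-not (Get-CMQuery -Name $name)) {
        New-CMQuery -Name $name -Expression $wql -TargetClassName 'SMS_R_System' | Out-Null
    }
    $collection = Get-CMCollection -Name $name -CollectionType Device
    if (-not $collection) {
        $collection = New-CMCollection -Name $name -LimitingCollectionName $LimitingCollectionName -CollectionType Device
    }
    if (-not (Get-CMDeviceCollectionQueryMembershipRule -CollectionName $name -RuleName $ruleName)) {
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $name -QueryExpression $wql -RuleName $ruleName
    }
    $collection
}
# The four products from the toolkit, plus a migration target collection: devices that still
# carry a third-party AV ('Contoso Antivirus' is a constructed name) and have no MDE yet.
'Azure Connected Machine Agent', 'Microsoft Defender for Endpoint',
'Microsoft Monitoring Agent', 'System Center Endpoint Protection' |
    ForEach-Object { New-ArpProductCollection -DisplayName $_ }
New-ArpProductCollection -DisplayName 'Contoso Antivirus' -ExcludeDefenderForEndpoint
```

The last collection is the one a migration actually targets: machines whose third-party AV entry is still present and that do not yet report the Defender for Endpoint package.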
#Check if the Defender AV is in Passive, Not Running or EDR Block Mode.
Get-MpComputerStatus | Select-Object -ExpandProperty AMRunningMode
#Get the Windows Defender AV service path
Get-CimInstance -ClassName Win32_Service -Filter "Name='WinDefend'" | Select-Object -Property PathName
#Get Windows Defender information directly from WMI
Get-CimInstance -Namespace "ROOT/Microsoft/Windows/Defender" -ClassName MSFT_MpComputerStatus
#Check whether a third-party AV is still installed. The ROOT\SecurityCenter2 namespace exists only on client operating systems, not on Windows Server.
Get-CimInstance -Namespace "ROOT\SecurityCenter2" -ClassName AntiVirusProduct
#The Windows Defender platform is installed under the C:\ProgramData folder, one subfolder per version. If this folder is empty or missing, something is wrong.
$MDEVersions = Get-ChildItem -Directory -Path "C:\ProgramData\Microsoft\Windows Defender\Platform" -ErrorAction SilentlyContinue
$MDECount = $MDEVersions | Measure-Object
If($MDECount.Count -eq 0){
    Write-Output -InputObject "BROKEN"
}
Else{
    Write-Output -InputObject "NOTBROKEN"
}
#Check the Windows Defender feature on Windows Server 2019 and 2022
$DefenderAVRole = Get-WindowsFeature -Name "Windows-Defender"
If($DefenderAVRole.InstallState -eq "Installed"){
    Write-Host -Object "OK"
}
Else{
    Write-Host -Object "NOTOK"
}
#Check the Windows Defender feature on Windows Server 2016 (different feature name)
$DefenderAVRole = Get-WindowsFeature -Name "Windows-Defender-Features"
If($DefenderAVRole.InstallState -eq "Installed"){
    Write-Host -Object "OK"
}
Else{
    Write-Host -Object "NOTOK"
}
#On some servers the enhanced Defender AV package does not install, and you need to make sure the DisableAntiSpyware value is removed before the installation.
#Affected servers are mostly 2012 R2 servers.
$RegKey = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -ErrorAction SilentlyContinue
If($RegKey -and $RegKey.DisableAntiSpyware -eq 1){
    Write-Host "BROKEN"
}
Else{
    Write-Host "NOTBROKEN"
}
#On some servers the enhanced Defender AV package does not install, and you need to make sure the WinDefend service key is removed before the installation.
#Affected servers are mostly 2012 R2 servers. $true means the key is still present.
Test-Path -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"
#Check the Defender for Endpoint onboarding state through the registry (1 = onboarded)
$RegKey = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" -Name OnboardingState -ErrorAction SilentlyContinue
If($RegKey -and $RegKey.OnboardingState -eq 1){
    Write-Host "OK"
}
Else{
    Write-Host "BROKEN"
}
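One way to run these checks across many servers at once (added example, not part of the original toolkit): a function that returns a structured object instead of OK/BROKEN strings, so it can be fanned out with Invoke-Command and the results filtered or exported. Property names, the Ready rule and the server names 'SRV01'/'SRV02' are this example's own, and the check of the Sense service (the Defender for Endpoint sensor service) goes beyond the checks on the page.

```powershell
# Added example (not part of the original toolkit). Property names, the Ready rule and the
# server names 'SRV01'/'SRV02' are constructed; the Sense service check is added beyond the page.
function Get-MdeMigrationState {
    $status   = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $onboard  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -Name OnboardingState -ErrorAction SilentlyContinue
    $disable  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender' -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    $sense    = Get-Service -Name Sense -ErrorAction SilentlyContinue   # the MDE sensor service
    # Platform folder: one subfolder per installed Defender platform version; empty means broken
    $platform = @(Get-ChildItem -Directory -Path "$env:ProgramData\Microsoft\Windows Defender\Platform" -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)
    # ROOT\SecurityCenter2 exists only on client SKUs, so this list stays empty on Windows Server
    $thirdParty = @(Get-CimInstance -Namespace 'ROOT\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Where-Object { $_.displayName -notlike 'Windows Defender*' -and $_.displayName -notlike 'Microsoft Defender*' } |
        Select-Object -ExpandProperty displayName)
    $senseStatus = if ($sense) { $sense.Status.ToString() } else { 'Missing' }

    $state = [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        AMRunningMode       = $status.AMRunningMode
        PlatformVersions    = $platform
        DisableAntiSpyware  = [bool]($disable -and $disable.DisableAntiSpyware -eq 1)
        WinDefendKeyPresent = Test-Path -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'
        SenseServiceStatus  = $senseStatus
        Onboarded           = [bool]($onboard -and $onboard.OnboardingState -eq 1)
        ThirdPartyAV        = $thirdParty
    }
    # Ready = onboarded, platform present, no blocking key, sensor running, no third-party AV left
    $ready = $state.Onboarded -and $platform.Count -gt 0 -and -not $state.DisableAntiSpyware -and
             $senseStatus -eq 'Running' -and $thirdParty.Count -eq 0
    $state | Add-Member -NotePropertyName Ready -NotePropertyValue $ready -PassThru
}

# Run locally, or fan out to servers and keep only the ones that still need attention
Get-MdeMigrationState
Invoke-Command -ComputerName 'SRV01', 'SRV02' -ScriptBlock ${function:Get-MdeMigrationState} |
    Where-Object { -not $_.Ready } |
    Select-Object -Property PSComputerName, AMRunningMode, Onboarded, SenseServiceStatus, DisableAntiSpyware, ThirdPartyAV
```

Pipe the remote results to Export-Csv to keep a per-server record of the migration state before and after the third-party AV is removed.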