How to Check if Windows Defender Real-Time Protection is Enabled in Batch Script
Real-time protection is the always-on watchdog of Microsoft Defender Antivirus: it scans every file you open, download or execute. If it is switched off, whether through user error, a conflicting security product or a malicious script, the machine is open to anything that runs on it, so for IT professionals and automated auditors verifying that this defence is active is a top priority. The Windows Security app shows the state, but a Batch script can query it programmatically and act on the result.
This guide explains how to use PowerShell via Batch to audit your real-time protection status.
Why Audit Real-Time Protection?
- Security Compliance: Ensuring that no machine in a lab or corporate environment has bypassed its security policies.
- Pre-flight Installation Checks: Verifying the system is "Protected" before allowing a Batch script to connect the computer to a production network.
- Incident Response: Identifying machines that have silently lost protection because the engine failed or a malware payload switched it off.
Microsoft Defender Antivirus is the engine behind both the Windows Security app on a standalone PC and Microsoft Defender for Endpoint in a managed fleet, so the same Defender PowerShell module (Get-MpPreference, Get-MpComputerStatus, Set-MpPreference) applies in both cases. The methods below work on Windows 10/11 and on Windows Server 2016/2019/2022 with the Defender feature installed.
Method 1: Using Get-MpPreference (The Professional Way)
The most direct way is to call the Get-MpPreference cmdlet from the Defender module. Be clear about what it returns: the configured preference (DisableRealtimeMonitoring), not the engine's effective state. The effective state is RealTimeProtectionEnabled from Get-MpComputerStatus, and the two can differ when Group Policy, Tamper Protection or a third-party antivirus overrides the local setting. For a quick audit the preference is sufficient, but read the pitfalls section before alerting on it.
@echo off
setlocal
:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] Administrator privileges are required for an accurate query.
pause
exit /b 1
)
echo [PROCESS] Querying Real-Time Protection status...
:: 'DisableRealtimeMonitoring' is a boolean.
:: If it is False, then protection is ENABLED.
:: Clear the variable first: if PowerShell prints nothing (module missing,
:: access denied), the loop body never runs and a stale value would be reused.
set "RT_DISABLED="
for /f "tokens=*" %%a in ('powershell -NoProfile -Command "(Get-MpPreference).DisableRealtimeMonitoring"') do set "RT_DISABLED=%%a"
if /i "%RT_DISABLED%"=="False" (
echo [SUCCESS] Real-Time Protection is ACTIVE and monitoring.
) else if /i "%RT_DISABLED%"=="True" (
echo [WARNING] Real-Time Protection is DISABLED!
) else (
echo [ERROR] Could not determine Real-Time Protection status.
)
pause
Method 2: Using WMI (Bitmask Check)
On desktop editions, the root\SecurityCenter2 namespace lists every registered antivirus product together with a productState bitmask. This reports the overall product status that Windows Security sees, not the specific real-time toggle, but it is the only view that also shows third-party engines. The classic wmic.exe client is deprecated and is no longer installed by default on recent Windows 11 builds (it is an optional feature there), so the query is shown with wmic for compatibility with existing scripts; prefer Get-CimInstance on current systems.
@echo off
echo [PROCESS] Querying Security Center Status...
echo.
:: productState is an undocumented bitmask. The widely used reading is:
:: write it as six hex digits; digits 3-4 = product enabled (10 or 11 = on,
:: 00 or 01 = off); digits 5-6 = signatures (00 = current, 10 = out of date).
:: 397568 (0x061100) = enabled and up to date.
:: 393472 (0x060100) = disabled (what Defender reports when a third-party AV owns scanning).
:: 393264 (0x060030) = disabled.
wmic /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName, productState 2>nul
if %errorlevel% neq 0 (
echo [WARNING] SecurityCenter2 query failed.
echo [INFO] The namespace does not exist on Windows Server, and wmic.exe is absent on recent Windows 11 builds unless installed as an optional feature.
echo [HELP] Use Method 1, Get-MpPreference or Get-MpComputerStatus, instead.
)
echo.
echo [INFO] Common productState values:
echo 397568 = Enabled / Up-to-date
echo 393472 = Disabled / Up-to-date
echo 393264 = Disabled
pause
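The same query done the way current systems expect, as an added example that is not part of the original article: it uses Get-CimInstance in place of the deprecated wmic and decodes the productState bitmask into named fields. The decoding is the community-established reading of an undocumented value, so treat it as a strong convention rather than a specification; the function names are this example's own, and the three sample values fed to the decoder are the ones quoted above, used here as constructed offline input.

```powershell
# Added example; not code from the original article.
# Reads root/SecurityCenter2 with Get-CimInstance (wmic is deprecated) and decodes
# productState. The bitmask is undocumented; the reading below is the widely used
# community decoding: as six hex digits, digits 3-4 = product enabled
# (10/11 = on, 00/01 = off) and digits 5-6 = signatures (00 = current, 10 = out of date).

function ConvertFrom-AvProductState {
    param([Parameter(Mandatory)][int]$State)

    $hex            = '{0:X6}' -f $State     # 397568 -> "061100"
    $enabledField   = $hex.Substring(2, 2)
    $signatureField = $hex.Substring(4, 2)

    $signatures = switch ($signatureField) {
        '00'    { 'UpToDate' }
        '10'    { 'OutOfDate' }
        default { 'Unknown' }                # e.g. 393264 -> "30", not a documented value
    }

    [pscustomobject]@{
        ProductState = $State
        Hex          = $hex
        Enabled      = ($enabledField -in @('10', '11'))
        Signatures   = $signatures
    }
}

function Get-AvProductReport {
    # One row per registered product; $null on Windows Server, which has no SecurityCenter2.
    try {
        $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop
    }
    catch {
        Write-Warning "SecurityCenter2 unavailable ($($_.Exception.Message)); use Get-MpComputerStatus on this host."
        return $null
    }

    foreach ($p in $products) {
        $decoded = ConvertFrom-AvProductState -State $p.productState
        [pscustomobject]@{
            DisplayName = $p.displayName
            Enabled     = $decoded.Enabled
            Signatures  = $decoded.Signatures
            Hex         = $decoded.Hex
        }
    }
}

# Constructed sample: the three values quoted in the article, decoded offline.
397568, 393472, 393264 | ForEach-Object { ConvertFrom-AvProductState -State $_ } | Format-Table -AutoSize

# Live view of every registered antivirus product (client SKUs only).
Get-AvProductReport | Format-Table -AutoSize
```

The offline sample decodes 397568 as enabled and current, and 393472 and 393264 as disabled, which is why a second product showing Enabled = True next to a disabled Defender entry is a normal picture rather than an alert. Because the decoder is a pure function of the integer, you can unit-test it against values captured from your own fleet before trusting it in an audit.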
Creating a Security Enforcement Script
A professional script will audit the status and, if it finds protection is disabled, attempt to re-enable it automatically.
@echo off
setlocal EnableDelayedExpansion
echo ============================================================
echo Security Guard Health Auditor
echo ============================================================
:: 1. Check Administrative Rights (Required for re-enabling)
net session >nul 2>&1
if %errorlevel% neq 0 (
echo [CRITICAL] Administrator privileges are required.
pause
exit /b 1
)
:: 2. Check if WinDefend service is running first
sc query WinDefend >nul 2>&1
if %errorlevel% neq 0 (
echo [INFO] WinDefend service not found.
echo [NOTE] A third-party antivirus may be managing protection.
echo ============================================================
pause
exit /b 0
)
sc query WinDefend | findstr /i /c:"RUNNING" >nul
if %errorlevel% neq 0 (
echo [WARNING] WinDefend service is installed but NOT running.
echo [ACTION] Try starting it with: net start WinDefend
echo ============================================================
pause
exit /b 1
)
:: 3. Perform the Real-Time Protection Audit
for /f "tokens=*" %%a in ('powershell -NoProfile -Command "(Get-MpPreference).DisableRealtimeMonitoring"') do set "RT_DISABLED=%%a"
if /i "%RT_DISABLED%"=="False" (
echo [OK] Real-Time Protection is running.
) else if /i "%RT_DISABLED%"=="True" (
echo [CRITICAL] Real-Time Protection is turned OFF!
echo [PROCESS] Attempting to re-enable protection...
rem Attempt to turn it back on (rem, not ::, is safe inside a parenthesised block)
powershell -NoProfile -Command "Set-MpPreference -DisableRealtimeMonitoring $false" 2>nul
rem Verify success; !VERIFY! needs EnableDelayedExpansion because it is set inside this block
set "VERIFY="
for /f "tokens=*" %%b in ('powershell -NoProfile -Command "(Get-MpPreference).DisableRealtimeMonitoring"') do set "VERIFY=%%b"
if /i "!VERIFY!"=="False" (
echo [SUCCESS] Protection restored.
) else (
echo [FAIL] Could not re-enable protection.
echo [INFO] Tamper Protection may be preventing script changes.
echo [ACTION] Re-enable manually via Windows Security settings.
)
) else (
echo [ERROR] Could not determine protection status.
)
echo ============================================================
pause
Common Pitfalls and How to Avoid Them
Administrative Rights
Set-MpPreference always needs an elevated session. Get-MpPreference and Get-MpComputerStatus usually work from a standard user session, but hardened environments may restrict access to the Defender WMI namespace, and an unelevated query then returns nothing or an access-denied error. Run the audit elevated, and treat an empty result as "unknown", never as "enabled".
Wrong Way:
:: Querying settings from a limited user CMD
powershell -Command "(Get-MpPreference)..."
:: May return "Access Denied" or an empty result.
Conflicting Antivirus
If a third-party antivirus (e.g. Sophos or Norton) is installed, Windows automatically puts Microsoft Defender Antivirus into passive or disabled mode. How that shows up depends on the product: some set the DisableRealtimeMonitoring policy, so the preference reads True; others leave the preference at False while the engine is nonetheless not scanning. Get-MpComputerStatus is the reliable indicator here: RealTimeProtectionEnabled is False and AMRunningMode reads "Passive Mode" or "Not running".
A status of "Disabled" is therefore only an error if no other antivirus is active. Your script should check AMRunningMode and the other entries in the AntiVirusProduct list before raising a critical alarm.
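A check that applies this rule, as an added example that is not part of the original article: it reads the configured preference used in Method 1 (Get-MpPreference), the effective engine state from Get-MpComputerStatus, and the other antivirus products registered in SecurityCenter2, then returns a verdict a Batch wrapper can act on. The verdict names, the exit-code mapping and the function name are this example's own conventions; on Windows Server the SecurityCenter2 lookup is skipped because the namespace does not exist there.

```powershell
# Added example; not code from the original article.
# Verdict convention (this example's own): Protected, ThirdPartyActive, Unprotected.
# Exit codes for a Batch caller: 0 = Protected, 1 = Unprotected, 2 = ThirdPartyActive, 3 = query failed.

function Get-RtpVerdict {
    $pref   = Get-MpPreference     -ErrorAction Stop   # configured preference
    $status = Get-MpComputerStatus -ErrorAction Stop   # effective engine state

    # Other registered AV engines. The namespace does not exist on Windows Server,
    # so a failure here means "no information", not "no other product".
    $otherAv = @()
    try {
        $otherAv = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
                     Where-Object { $_.displayName -notmatch 'Defender' } |
                     ForEach-Object { $_.displayName })
    }
    catch {
        # SecurityCenter2 unavailable; fall back to AMRunningMode alone.
    }

    if ($status.RealTimeProtectionEnabled) {
        $verdict = 'Protected'
    }
    elseif ($status.AMRunningMode -match 'Passive' -or $otherAv.Count -gt 0) {
        $verdict = 'ThirdPartyActive'        # disabled by design, not an error
    }
    else {
        $verdict = 'Unprotected'
    }

    [pscustomobject]@{
        Verdict                   = $verdict
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
        AMRunningMode             = $status.AMRunningMode
        IsTamperProtected         = $status.IsTamperProtected
        OtherAntivirus            = ($otherAv -join '; ')
    }
}

try {
    $result = Get-RtpVerdict
    $result | Format-List
    $exitCode = switch ($result.Verdict) {
        'Protected'        { 0 }
        'ThirdPartyActive' { 2 }
        default            { 1 }
    }
    exit $exitCode
}
catch {
    Write-Error "Audit failed: $($_.Exception.Message)"
    exit 3
}
```

Save it as a .ps1 and call it from Batch with powershell -NoProfile -ExecutionPolicy Bypass -File followed by the path, then branch on %errorlevel%: only 1 deserves a critical alert, 2 means another product owns real-time scanning, and 3 means the Defender cmdlets are missing or access was denied, which is a machine to investigate rather than assume safe. IsTamperProtected is included so the wrapper knows in advance whether a Set-MpPreference repair can succeed.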
Best Practices for Security Monitoring
- Check Service Status: Use sc query WinDefend alongside this check. Real-time protection cannot run if the underlying Windows service is stopped.
- Audit Logs: When protection fails, check the System log (Service Control Manager entries for the Defender service) and the Microsoft-Windows-Windows Defender/Operational log. Event ID 5001 is written when real-time protection is disabled and 5004 when its configuration changes, which tells you when, and through which setting, the lapse happened.
- Scheduled Checks: Run the audit as a Scheduled Task with highest privileges, at logon and on a daily trigger, so an accidental toggle is caught within a day rather than at the next manual review.
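Querying those logs from PowerShell, as an added example that is not part of the original article. It pulls the Defender operational events that mark a lapse (5001 real-time protection disabled, 5004 real-time protection configuration changed, 5007 configuration changed, 5008 engine failure) together with Service Control Manager 7036 state changes for the Defender service, over a window the caller chooses. The function name, the 24-hour default and the Summary column are this example's choices; run it elevated so log permissions are never the reason for an empty result.

```powershell
# Added example; not code from the original article.
# Event IDs: Defender operational 5001 (real-time protection disabled),
# 5004 (real-time protection configuration changed), 5007 (configuration changed),
# 5008 (engine failure); System/Service Control Manager 7036 (service state change).
# The function name, default window and summary shape are this example's choices.

function Get-RtpLapseEvents {
    param([int]$Hours = 24)

    $since  = (Get-Date).AddHours(-$Hours)
    $events = @()

    $queries = @(
        @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5004, 5007, 5008; StartTime = $since },
        @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = $since }
    )

    # Get-WinEvent throws NoMatchingEventsFound when nothing matches, which is a
    # normal result here, so that one error is swallowed and every other is rethrown.
    foreach ($filter in $queries) {
        try {
            $events += Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            if ($_.FullyQualifiedErrorId -notmatch 'NoMatchingEventsFound') { throw }
        }
    }

    # 7036 fires for every service; keep only transitions of the Defender service.
    $events |
        Where-Object { $_.Id -ne 7036 -or $_.Message -match 'Defender Antivirus' } |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id, ProviderName,
                      @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Get-RtpLapseEvents -Hours 72 | Format-Table -AutoSize -Wrap
```

Read the output newest first: a 5004 or 5007 immediately before a 5001 names the setting that was changed, and a 7036 "stopped state" line with no matching Defender event points at the service rather than the configuration. Catching only NoMatchingEventsFound, rather than every error, keeps a genuine access-denied or missing-log failure visible instead of reporting a quiet, apparently healthy history.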
Note that if Tamper Protection is enabled, Set-MpPreference changes to protected settings such as DisableRealtimeMonitoring are rejected, so your Batch script cannot turn real-time protection back on, just as malware cannot turn it off. This is by design: it stops scripts from using the same administrative interfaces to silence the antivirus. Restore protection through the Windows Security app or your management tool (Intune or Defender for Endpoint), and have the script report the failure rather than retry.
Conclusion
Checking the real-time protection state from a Batch script is a small but useful part of a resilient security baseline. Querying both the configured preference and the effective engine state, and distinguishing a genuine lapse from passive mode under a third-party product, lets you spot silent failures and respond quickly, with the audit documented and automated rather than left to a manual look at the GUI.