How to Get Windows Defender Status in Batch Script
Knowing the current health and status of your Windows Defender antivirus is crucial for ensuring your system is protected against threats. For IT administrators, this information is vital for auditing fleet-wide security compliance. While you can check the status via the Windows Security GUI, a Batch script allows you to programmatically verify if the engine is running, if its definitions are up-to-date, and if any threats have been recently detected.
This guide explains how to use MpCmdRun.exe and WMI (via wmic) to pull a comprehensive security status report.
Why Check Defender Status via Script?
- Security Compliance: Ensuring that real-time protection is active across all machines in a network.
- Health Monitoring: Proactively identifying machines that have outdated virus definitions or have disabled their antivirus.
- Incident Response: Automating a system "Health Check" before allowing a remote connection or a sensitive software deployment.
MpCmdRun.exe ships with every Windows 10 and 11 installation. A copy sits in the Windows Defender folder under Program Files, but once the antimalware platform has been updated the current engine lives under %ProgramData%\Microsoft\Windows Defender\Platform\<version>, which is why the scripts below fall back to searching that folder when the Program Files copy is missing.
Method 1: Using the Defender Command Line (MpCmdRun)
The most direct way to get a "snapshot" of the system's security health is the -GetDeviceHealth switch. Not every build of the tool accepts every switch: if MpCmdRun.exe rejects it as an unknown parameter, run "MpCmdRun.exe -?" to list the switches your version supports.
@echo off
setlocal
:: Dynamically locate MpCmdRun.exe
set "MP_PATH="
if exist "%ProgramFiles%\Windows Defender\MpCmdRun.exe" (
set "MP_PATH=%ProgramFiles%\Windows Defender\MpCmdRun.exe"
) else (
for /f "delims=" %%f in ('dir /s /b "%ProgramData%\Microsoft\Windows Defender\Platform\MpCmdRun.exe" 2^>nul') do set "MP_PATH=%%f"
)
if not defined MP_PATH (
echo [ERROR] Could not locate MpCmdRun.exe.
pause
exit /b 1
)
echo [PROCESS] Retrieving Windows Defender Health Status...
echo.
"%MP_PATH%" -GetDeviceHealth
pause
Method 2: Using WMIC (Antivirus Product Status)
On desktop editions of Windows (Home/Pro/Enterprise), the Windows Security Center records every registered antivirus product in the root\SecurityCenter2 WMI namespace. The productState property is a bitmask rather than a status code: read it in hex, where the second byte having 0x10 set means the product is enabled and the low byte having 0x10 set means its definitions are out of date (this layout is widely relied on but not officially documented). Note also that wmic itself is deprecated and is no longer installed by default on the newest Windows 11 releases; where it is missing, PowerShell's Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct returns the same data.
@echo off
echo [PROCESS] Querying AntiVirus Product Status via WMI...
echo.
wmic /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName, productState 2>nul
if %errorlevel% neq 0 (
echo [WARNING] SecurityCenter2 query failed ^(errorlevel %errorlevel%^).
echo [INFO] The namespace does not exist on Windows Server editions, and wmic
echo [INFO] itself is deprecated and may be absent on recent Windows 11 builds.
echo [HELP] Use Method 1 (MpCmdRun^) or Method 3 (sc query^) instead.
)
echo.
echo [INFO] productState is a bitmask; read it in hex (397568 = 0x061100):
echo second byte 0x10 set = product enabled, low byte 0x10 set = definitions out of date
echo 397568 (0x061100) = Active / Up-to-date
echo 397584 (0x061110) = Active / Out-of-date
echo 393472 (0x060100) = Disabled / Up-to-date
echo 393488 (0x060110) = Disabled / Out-of-date
pause
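As an added example (not from the original page), the following batch script decodes productState for every product registered in SecurityCenter2 instead of matching a few known constants. It assumes the commonly used but undocumented layout of the value: bit 0x1000 set means the product is enabled and bit 0x10 set means its definitions are out of date. The second for /f loop exists only to strip the stray carriage return that wmic leaves at the end of every value, which would otherwise break set /a.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example: decode the SecurityCenter2 productState bitmask.
rem Assumed layout (widely used, not officially documented by Microsoft):
rem   bit 0x1000 (second byte 0x10) set -> product enabled
rem   bit 0x0010 (low byte 0x10)    set -> definitions out of date
set "FOUND=0"
set "NAME="
rem /value prints one property=value line per property; wmic orders properties
rem alphabetically, so displayName always precedes productState for a product.
for /f "tokens=1* delims==" %%a in ('wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName^,productState /value 2^>nul') do (
    rem A second for /f strips the stray carriage return wmic leaves on values.
    for /f "delims=" %%v in ("%%b") do (
        if /i "%%a"=="displayName" set "NAME=%%v"
        if /i "%%a"=="productState" (
            set "FOUND=1"
            set "STATE="
            set /a "STATE=%%v" 2>nul
            if defined STATE (
                call :decode "!NAME!" !STATE!
            ) else (
                echo [WARNING] Unexpected productState value for !NAME!: "%%v"
            )
        )
    )
)
if "!FOUND!"=="0" (
    echo [WARNING] No product registered in root\SecurityCenter2 ^(namespace missing or wmic unavailable^).
    exit /b 2
)
exit /b 0

:decode
rem %1 = display name, %2 = productState as a decimal integer
set /a "ENABLED=(%2 >> 12) & 1"
set /a "OUTDATED=(%2 >> 4) & 1"
if !ENABLED! equ 1 (set "STATUS=Active") else (set "STATUS=Disabled")
if !OUTDATED! equ 1 (set "DEFS=Out-of-date") else (set "DEFS=Up-to-date")
echo %~1: productState=%2 -^> !STATUS! / !DEFS!
exit /b 0
```

Run it from an ordinary command prompt. Exit code 2 means nothing was found, which on a workstation usually means wmic is unavailable or the namespace is missing rather than that no antivirus is installed, so a fleet job should treat it as "unknown", not "unprotected".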
Method 3: Checking the Service State (SC)
A low-level way to verify whether the antivirus engine is running at all is to query the WinDefend service. This shows only that the service process is alive; it says nothing about whether real-time protection is switched on.
@echo off
echo [PROCESS] Verifying WinDefend service status...
echo.
sc query WinDefend >nul 2>&1
if errorlevel 1 (
echo [INFO] WinDefend service not found.
echo [NOTE] A third-party antivirus may be managing protection.
) else (
rem %%errorlevel%% is expanded when a parenthesised block is parsed, so a nested
rem "if %%errorlevel%%" would always see the value from before the block; the
rem "if errorlevel N" form is evaluated at run time and is safe here.
sc query WinDefend | findstr /i /c:"RUNNING" >nul
if errorlevel 1 (
echo [WARNING] WinDefend service exists but is NOT running.
) else (
echo [STATUS] WinDefend service is RUNNING.
)
)
pause
Creating a Security Audit Report
A professional script combines these methods to provide a clear "Protected / At Risk" status for the user.
@echo off
setlocal EnableDelayedExpansion
echo ============================================================
echo Microsoft Defender Security Audit
echo ============================================================
:: 1. Locate MpCmdRun.exe
set "MP_PATH="
if exist "%ProgramFiles%\Windows Defender\MpCmdRun.exe" (
set "MP_PATH=%ProgramFiles%\Windows Defender\MpCmdRun.exe"
) else (
for /f "delims=" %%f in ('dir /s /b "%ProgramData%\Microsoft\Windows Defender\Platform\MpCmdRun.exe" 2^>nul') do set "MP_PATH=%%f"
)
:: 2. Check Service Status
echo.
echo [CHECK 1] Antivirus Engine Service:
set "STATE=NOT FOUND"
sc query WinDefend >nul 2>&1
if !errorlevel! equ 0 (
for /f "tokens=4" %%s in ('sc query WinDefend ^| findstr /i "STATE"') do set "STATE=%%s"
)
if "!STATE!"=="RUNNING" (
echo [PASS] WinDefend service is RUNNING.
) else if "!STATE!"=="STOPPED" (
echo [FAIL] WinDefend service is STOPPED.
) else (
echo [WARN] WinDefend service state: !STATE!
)
:: 3. Check Device Health (if MpCmdRun is available)
echo.
echo [CHECK 2] Device Health Report:
if defined MP_PATH (
"!MP_PATH!" -GetDeviceHealth 2>nul | findstr /i /c:"Antivirus" /c:"Engine" /c:"Signature" /c:"Real"
if !errorlevel! neq 0 (
echo [INFO] Could not retrieve detailed health data.
)
) else (
echo [WARN] MpCmdRun.exe not found. Cannot query device health.
)
:: 4. Summary and Recommendations
echo.
echo ============================================================
if "!STATE!"=="RUNNING" (
echo OVERALL: System appears PROTECTED.
) else (
echo OVERALL: System may be AT RISK.
echo.
echo [ACTION] Verify that Windows Defender or another antivirus
echo is active. To start WinDefend, run as Administrator:
echo net start WinDefend
)
echo ============================================================
pause
Common Pitfalls and How to Avoid Them
Administrative Rights
sc query and reading root\SecurityCenter2 normally work from a standard user account; what needs elevation is changing state, such as starting WinDefend with net start or running MpCmdRun.exe actions like -SignatureUpdate. On managed enterprise systems, policy can additionally restrict WMI access, so if a query returns nothing or "Access Denied", re-run it from an elevated prompt before concluding that no product is registered.
Wrong Way:
:: Querying SecurityCenter as a limited user
wmic...
:: This may return "Access Denied" or an empty result on enterprise systems.
Server vs. Workstation
The SecurityCenter2 WMI namespace does NOT exist on Windows Server editions, because the Windows Security Center is a client-only component.
If you are writing a script for Windows Server, rely on the sc query WinDefend method or the MpCmdRun.exe tool (or PowerShell's Get-MpComputerStatus), which behave the same on server and desktop once the Windows Defender feature is installed.
Best Practices for Security Monitoring
- Check for Other AVs: If WinDefend is stopped, it might be because a third-party antivirus (like Norton or McAfee) has taken over. Your script should check whether another product is listed in the AntiVirusProduct class before reporting the machine as unprotected.
- Verify Definition Age: If the machine is "Active" but hasn't updated in 7 days, it is practically unprotected. Use the MpCmdRun.exe -GetDeviceHealth output to check the "Definition Version."
- Automatic Repairs: If your script finds the service is stopped, you can attempt to start it from an elevated prompt:
net start WinDefend
Note that the service can be running while Real-Time Protection is toggled off in the settings, or while Defender sits in passive mode because a third-party product is primary. A service check alone therefore proves nothing about protection: verify the actual state with -GetDeviceHealth or, from PowerShell, Get-MpComputerStatus, whose RealTimeProtectionEnabled, AMRunningMode and AntivirusSignatureAge fields answer exactly those questions.
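Putting that check into a script, as an added example that is not part of the original page: the batch file below calls PowerShell's Get-MpComputerStatus (the Defender module shipped with Windows 10/11, and with the Windows Defender feature on Server) and reports the fields a service check cannot see. The 7-day signature limit and the exit codes are conventions chosen for this example so that a management agent can use the script as a compliance check.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example: check the real protection state via Get-MpComputerStatus.
rem Exit codes chosen for this example: 0 = protected, 1 = at risk,
rem 2 = status unavailable (Defender module missing or another AV is primary).
set "MAX_SIG_AGE=7"
set "RTP="
rem PowerShell prints one line "RTP;AV;SignatureAgeDays;RunningMode" that a
rem single for /f splits; AMRunningMode is last because older builds lack it.
for /f "usebackq tokens=1-4 delims=;" %%a in (`powershell -NoProfile -Command "$s = Get-MpComputerStatus; '{0};{1};{2};{3}' -f $s.RealTimeProtectionEnabled, $s.AntivirusEnabled, $s.AntivirusSignatureAge, $s.AMRunningMode" 2^>nul`) do (
    set "RTP=%%a"
    set "AV=%%b"
    set "SIG_AGE=%%c"
    set "MODE=%%d"
)
if not defined RTP (
    echo [WARN] Get-MpComputerStatus returned nothing; Defender module missing or another AV is active.
    exit /b 2
)
echo [INFO] Real-time protection : !RTP!
echo [INFO] Antivirus enabled     : !AV!
echo [INFO] Signature age (days)  : !SIG_AGE!
echo [INFO] Running mode          : !MODE!
set "RISK=0"
if /i not "!RTP!"=="True" (
    echo [FAIL] Real-time protection is off.
    set "RISK=1"
)
if /i not "!AV!"=="True" (
    echo [FAIL] Antivirus engine is disabled.
    set "RISK=1"
)
rem gtr compares numerically when both sides are plain integers.
if defined SIG_AGE if !SIG_AGE! gtr !MAX_SIG_AGE! (
    echo [FAIL] Signatures are !SIG_AGE! days old, older than the !MAX_SIG_AGE!-day limit.
    set "RISK=1"
)
rem Any "Passive" running mode means a third-party product is the primary AV.
echo !MODE!| findstr /i /c:"Passive" >nul && echo [WARN] Defender is in passive mode; another antivirus is primary.
if "!RISK!"=="0" (echo OVERALL: PROTECTED) else (echo OVERALL: AT RISK)
exit /b !RISK!
```

Because PowerShell prints booleans as True/False regardless of the system language, the comparisons work on localized Windows too, which the sc query text matching in the earlier scripts cannot guarantee.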
Conclusion
Getting the Windows Defender status via Batch script is a core competency for any Windows administrator. By combining the MpCmdRun.exe command line, the WinDefend service state and the Security Center WMI data, you can build audits that show whether every machine in your care is healthy, active and fully protected, and that flag lapses in protection early enough to act on them.