Microsoft Defender is on by default and has a green checkmark in the GUI. That tells you almost nothing. The interesting questions are: are Attack Surface Reduction (ASR) rules enabled in Block mode or only Audit, is Tamper Protection on, are signatures fresh, and how many path / process exclusions has someone added "just for one app" over the last three years?
This guide shows you how to audit all of that from PowerShell, includes the full ASR rule ID-to-name mapping (the cmdlets return bare GUIDs; the names only exist in Microsoft's documentation), and ships the Dargslan.WinDefenderAudit module plus a free PDF cheat sheet.
Step 1: Defender real-time + tamper protection
Get-MpComputerStatus returns the live state of the Defender engine. The fields that matter for an audit are RealTimeProtectionEnabled, BehaviorMonitorEnabled, IsTamperProtected, AntivirusSignatureAge and AMServiceEnabled:
Get-MpComputerStatus | Select RealTimeProtectionEnabled,
BehaviorMonitorEnabled, IsTamperProtected,
AntivirusSignatureAge, AMServiceEnabled
Tamper Protection is the single most important field. With it off, any local admin (or malware running as admin) can disable real-time protection with one PowerShell command (Set-MpPreference -DisableRealtimeMonitoring $true) or a registry edit. With it on, Defender rejects those changes from PowerShell, the registry and Group Policy; the protected settings can only be changed from the Windows Security app on an unmanaged device, or through Intune / Defender for Endpoint on a managed one.
Step 2: ASR rule mapping
ASR rules are exposed as two parallel arrays in Get-MpPreference: AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions, paired by index (the action at position N applies to the GUID at position N). The IDs are GUIDs, the actions are integers (0 Disabled, 1 Block, 2 Audit, 6 Warn). The cmdlet output contains no rule names; the GUID-to-name table lives only in Microsoft's ASR rules reference, so you have to keep your own copy and refresh it when Microsoft adds rules.
The 15 GUIDs you care about cover Office macros, JS / VBS launching executables, credential theft from LSASS, persistence via WMI, ransomware protection and child-process blocks. The cheat sheet has the full list. The module exposes them with friendly names:
Import-Module Dargslan.WinDefenderAudit
Get-DargslanAsrRules | Sort State, Name | Format-Table
Anything in Audit mode after the first month of deployment is a finding: Audit is for the rollout phase only. Warn (6) is not Block either; it lets the user click through, so count it separately. A rule whose GUID is absent from the array altogether is simply not configured, which is the same as Disabled.
Step 3: Exclusions audit
Defender exclusions are the most abused setting in any AV. Every app vendor has at one point asked for "C:\Program Files" to be excluded "for performance". You should know what is excluded and you should be able to defend each entry:
$p = Get-MpPreference
$p.ExclusionPath
$p.ExclusionExtension
$p.ExclusionProcess
Practical rule: more than five path exclusions is a yellow flag. Anything excluding a writable directory like C:\Users or a temp path is a red flag, because that is exactly where a phishing payload lands and runs. Extension exclusions that cover executable types (exe, dll, ps1, js, vbs) are immediate fails. Run the check from an elevated session: newer Defender platform versions hide the exclusion lists from non-administrator users, so an unelevated Get-MpPreference can show empty lists on a machine that has plenty.
Step 4: Signature freshness
AntivirusSignatureAge is in days. Anything over three days means the machine is missing scheduled updates, usually a WSUS / Defender platform delivery problem, sometimes a network issue. Update-MpSignature forces a pull and is a quick way to confirm whether the update channel works at all. The module flags signatures older than 3 days.
A defensible scoring rule
- Real-time protection enabled (1 pt)
- Tamper Protection on (1 pt)
- Signature age ≤ 3 days (1 pt)
- At least 8 ASR rules in Block mode (1 pt)
- 5 or fewer path exclusions (1 pt)
5/5 PASS, 3-4 WARN, 0-2 FAIL.
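The scoring rule as a single function, added here as an example; it is not the Dargslan module's implementation and Test-DefenderPosture is a name chosen for this page. It takes the two cmdlet results as parameters, so it can be pointed at a live host or at objects captured earlier, and it folds in the red flags from Step 3 (writable paths, executable extensions), which drop the verdict to FAIL regardless of the point total. The thresholds are the ones stated above, exposed as parameters.

```powershell
# Added example, not part of the Dargslan module. Implements the five-point
# scoring rule from the text and the exclusion red flags from Step 3.
function Test-DefenderPosture {
    param(
        [Parameter(Mandatory)] $Status,       # object from Get-MpComputerStatus
        [Parameter(Mandatory)] $Preference,   # object from Get-MpPreference
        [int] $MaxSignatureAgeDays = 3,
        [int] $MinBlockRules       = 8,
        [int] $MaxPathExclusions   = 5
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $score = 0

    # 1 pt: real-time protection
    if ($Status.RealTimeProtectionEnabled) { $score++ }
    else { $findings.Add('Real-time protection is OFF') }

    # 1 pt: tamper protection
    if ($Status.IsTamperProtected) { $score++ }
    else { $findings.Add('Tamper Protection is OFF: any local admin can disable Defender') }

    # 1 pt: signature age (value is already in days)
    if ([int]$Status.AntivirusSignatureAge -le $MaxSignatureAgeDays) { $score++ }
    else { $findings.Add("Signatures are $($Status.AntivirusSignatureAge) days old (limit $MaxSignatureAgeDays)") }

    # 1 pt: ASR rules in Block mode. Action code 1 = Block; Audit (2) and Warn (6) do not count.
    $blockRules = @($Preference.AttackSurfaceReductionRules_Actions | Where-Object { [int]$_ -eq 1 }).Count
    if ($blockRules -ge $MinBlockRules) { $score++ }
    else { $findings.Add("Only $blockRules ASR rules in Block mode (want >= $MinBlockRules)") }

    # 1 pt: path exclusion count
    $paths = @($Preference.ExclusionPath)
    if ($paths.Count -le $MaxPathExclusions) { $score++ }
    else { $findings.Add("$($paths.Count) path exclusions (limit $MaxPathExclusions)") }

    # Red flags that fail the host outright: writable user/temp locations and
    # executable extensions. -like is case-insensitive in PowerShell, and
    # Defender accepts %VAR% forms in exclusions, so those are matched too.
    $redFlags = @()
    $redFlags += @($paths | Where-Object {
            $_ -like 'C:\Users*' -or $_ -like '*\Temp*' -or
            $_ -like '%TEMP%*'   -or $_ -like '%USERPROFILE%*'
        } | ForEach-Object { "Writable path excluded: $_" })
    $redFlags += @(@($Preference.ExclusionExtension) |
        Where-Object { $_ -match '^\*?\.?(exe|dll|ps1|bat|cmd|vbs|js)$' } |
        ForEach-Object { "Executable extension excluded: $_" })
    foreach ($f in $redFlags) { $findings.Add($f) }

    $verdict = if ($redFlags.Count -gt 0 -or $score -le 2) { 'FAIL' }
               elseif ($score -lt 5)                        { 'WARN' }
               else                                         { 'PASS' }

    [pscustomobject]@{
        Score    = "$score/5"
        Verdict  = $verdict
        Findings = $findings.ToArray()
    }
}

# Usage, run elevated so the exclusion lists are visible:
Test-DefenderPosture -Status (Get-MpComputerStatus) -Preference (Get-MpPreference) | Format-List
```

Because both inputs are parameters, the same function runs against Export-Clixml captures collected from a fleet, which is how you get a trend line rather than a single snapshot.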
Dargslan.WinDefenderAudit module
Install-Module Dargslan.WinDefenderAudit -Scope CurrentUser
Import-Module Dargslan.WinDefenderAudit
Export-DargslanDefenderAuditReport -OutDir C:\reports
Writes an HTML report to the directory given in -OutDir, with the engine state, the ASR rule table with friendly names, every exclusion, and the verdict at the top.
FAQ
Does this work on Server 2019 / 2022?
Yes. Defender is built in and the cmdlets and field names are identical. One caveat: on servers Tamper Protection is managed through Defender for Endpoint / Intune rather than the local Windows Security app, so a server that is not onboarded will normally report IsTamperProtected as False, and that is a finding, not a cmdlet error.
Why is Tamper Protection sometimes greyed out?
Greyed out means the setting is managed by policy (Intune / Defender for Endpoint), so the local toggle is locked. Locally it can only be switched from the Windows Security app; Set-MpPreference has no parameter for it and registry edits are not a supported route, so PowerShell can read IsTamperProtected but not flip it.
What about Endpoint Manager / Intune managed devices?
The audit still works: it reads the live engine state regardless of who configured it.
Will it alert Defender as suspicious?
No. Get-MpComputerStatus and Get-MpPreference are read-only management cmdlets. What EDR products watch for is the write side (Set-MpPreference, Add-MpPreference, Remove-MpPreference) and registry changes under the Defender keys, none of which the audit performs.
Cheat sheet?
Free PDF at /cheat-sheets/windows-defender-asr-audit-2026.