Windows Defender Definition Update
Checks if Windows Defender definitions are current (within 48 hours). Returns exit code 1 if definitions are outdated.
Remediation
Author: Ugur Koc
Version: 1.0
All Tests Passed. Tested on 08-30-2025
Required Permissions
DeviceManagementManagedDevices.ReadWrite.All
Allows the app to read and write the properties of devices managed by Microsoft Intune, without a signed-in user. Does not allow high impact operations such as remote wipe and password reset on the device's owner.
antivirus-definition-updates.ps1
<#
.TITLE
Windows Defender Definition Update Detection
.SYNOPSIS
Detects if Windows Defender antivirus definitions are outdated
.DESCRIPTION
Checks if Windows Defender definitions are current (within 48 hours).
Returns exit code 1 if definitions are outdated.
.TAGS
Remediation,Detection
.REMEDIATIONTYPE
Detection
.PAIRSCRIPT
remediate-antivirus-definitions.ps1
.PLATFORM
Windows
.MINROLE
Intune Service Administrator
.PERMISSIONS
DeviceManagementManagedDevices.ReadWrite.All
.AUTHOR
Ugur Koc
.VERSION
1.0
.CHANGELOG
1.0 - Initial version
.LASTUPDATE
2025-06-09
.EXAMPLE
.\detect-antivirus-definitions-outdated.ps1
.NOTES
Runs in SYSTEM context
#>
$ErrorActionPreference = "Stop"
$script:MaxDefinitionAgeHours = 48

try {
    # Get Defender status
    $mpStatus = Get-MpComputerStatus -ErrorAction Stop

    # Check definition age
    $now = Get-Date
    $definitionAge = ($now - $mpStatus.AntivirusSignatureLastUpdated).TotalHours

    Write-Output "Definition age: $([math]::Round($definitionAge, 1)) hours"
    Write-Output "Last updated: $($mpStatus.AntivirusSignatureLastUpdated)"
    Write-Output "Version: $($mpStatus.AntivirusSignatureVersion)"

    # Exit 1 signals that definitions are older than the threshold
    if ($definitionAge -gt $script:MaxDefinitionAgeHours) {
        Write-Output "Definitions are outdated (threshold: $script:MaxDefinitionAgeHours hours)"
        exit 1
    }

    Write-Output "Windows Defender definitions are up to date"
    exit 0
}
catch {
    # -ErrorAction Continue is required here: with $ErrorActionPreference = "Stop",
    # a plain Write-Error would terminate the script before "exit 2" is reached.
    Write-Error "Detection failed: $_" -ErrorAction Continue
    exit 2
}