Check defender status#

If RealTimeProtectionEnabled is set to True, then it is on

Get-MpComputerStatus
sc query windefend

Disable defender (need admin)#

Set-MpPreference -DisableRealtimeMonitoring $true

Check exclusion (no priv)#

Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" -FilterXPath "*[System[(EventID=5007)]]" | Where-Object { $_.Message -like "*Exclusion*"} | Select-Object Message | FL
Backward Applocker Firewall Forward