Checks the status of antivirus and signature updates from the Windows Security Center.
Create or edit a configuration profile with the following information:
Create or edit the following script and configure it to run when the check fails:
Use the policy below to verify:
SELECT 1 FROM windows_security_center wsc CROSS JOIN windows_security_products wsp WHERE antivirus = 'Good' AND type = 'Antivirus' AND signatures_up_to_date = 1;
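# Query the antivirus products registered with Windows Security Center
$avProducts = Get-CimInstance -Namespace "root/SecurityCenter2" -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
if ($avProducts) {
    $goodProducts = $avProducts | Where-Object {
        # Check that the antivirus appears enabled (bit 0x10) and definitions are up-to-date (bit 0x100)
        # productState is an undocumented bitmask; validate these masks against hosts in a known state
        ($_.productState -band 0x10) -eq 0x10 -and ($_.productState -band 0x100) -eq 0x100
    }
    # Emit "1" only when at least one product passes both checks
    if ($goodProducts) {
        Write-Output "1"
    }
}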
PowerShell commands are currently a work in progress; contributions are welcome.