Forum Discussion

Copper Contributor

Aug 06, 2024

Solved

Get Device Inventory list using graph/powershell/cli

Hello, I am currently in the process of onboarding a set of Windows and Linux servers into Defender for Servers. I am trying to figure out how I can pull the Device Inventory list located under Mi...

Chris_toffer0707
Aug 07, 2024
JasonW1580

I have written a PowerShell script for you to use for the export of inventory.
Only thing you need to do before it will work, is to create an app registration, create a secret in that app registration, and add WindowsDefenderATP "Machine.Read.All" application permission under API Permissions.

# PLEASE UPDATE THESE 3 VARIABLES - REMOVE {} ALSO
$clientID = "{INSERT-APPREGISTRATION-APPID-HERE}"
$clientSecret = "{INSERT-APPREGISTRATION-SECRET-HERE}"
$tenantID = "{INSERT-TENANTID-HERE}"

# DO NOT CHANGE BELOW THIS LINE
$resourceAppIdUri = 'https://api.securitycenter.microsoft.com'
$oAuthUri = "https://login.microsoftonline.com/$TenantID/oauth2/token"
$body = [Ordered] @{
resource = "$resourceAppIdUri"
client_id = "$clientID"
client_secret = "$clientSecret"
grant_type = 'client_credentials'
}
$response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorAction Stop
$aadToken = $response.access_token

$Headers = @{
"Authorization" = "Bearer $($AccessToken)"
"Content-type" = "application/json"
}

$url = "https://api.security.microsoft.com/api/machines"
$headers = @{
'Content-Type' = 'application/json'
Accept = 'application/json'
Authorization = "Bearer $aadToken"
}

$webResponse = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -ErrorAction Stop
$response = $webResponse | ConvertFrom-Json

$response | format-table

lybinhlap

Copper Contributor

Sep 11, 2024

Hi Chris, using https://api.security.microsoft.com/api/machines still missing Antivirus Status information when comparing with exporting Device Inventory from portal. Any idea?

Chris_toffer0707

Iron Contributor

Sep 11, 2024

Hi.
If I browse Defender portal for device inventory, I do not see antivirus status field 🙂
https://security.microsoft.com/machines?category=all-devices.

Could you share the exact location in Defender portal where you see the antivirus status? 🙂

lybinhlap
Copper Contributor
Sep 11, 2024
Chris_toffer0707 Hi Chris, in Device Inventory page, "Antivirus status" will not be presented, but you should see it in Filter section. Also, when you export device inventory to .csv file, you will see "Antivirus status" field.
https://learn.microsoft.com/en-us/defender-endpoint/machines-view-overview
- Chris_toffer0707
  Iron Contributor
  Sep 13, 2024
  From my point of view, it looks like Antivirus status is data kept in Intune, and then joined for the view in Defender but I could be wrong.
  
  Would suspect it beeing something for Microsoft to develop in the API, so we can export it for servers.
  - lybinhlap
    Copper Contributor
    Sep 16, 2024
    I totally agree that we should use Intune AV reports. But I am trying to get "Antivirus status" info from Device Inventory from Defender portal because in some of my client's scenarios, they cannot get Av status information from Intune, they must utilize Av status info from Defender portal for Windows Defender management.
    During waiting for any update from MS, I have built a RPA flow using Power Automate Desktop to help them automating export Device Inventory from Defender portal and send it to Sentinel workspace daily.
    Thank you for your support.