Announcing new Endpoint Security Antivirus reports!

Published 09-21-2020 08:02 AM

By: Laura Arrizza - Program Manager | Microsoft Endpoint Manager - Intune


We are introducing new Microsoft Defender Antivirus reports in the Microsoft Endpoint Manager admin center to help you monitor your devices for status on malware and Antivirus states. You will be able to use two new operational reports to see which devices need your attention and two organizational reports to view general AV information.


New Operational Reports in Endpoint Security

Under the “Endpoint Security” node, you can navigate to the “Antivirus” section to see summary aggregates and new operational reports to help you monitor the devices that need your attention.


On the “Summary” tab, you can see aggregate information for the count of devices with a given threat agent status and active malware category. Both aggregates show the top eight categories and correspond to the operational reports in the other tabs. If there are no devices in any of the states, you will be informed that there are no results to display.




On the “Windows 10 unhealthy endpoints” tab, you can view the operational report for the threat agent status on devices and users to outline which are in a state that requires your attention. Each record will tell you if malware protection, real-time protection, and network protection are enabled or disabled. You can view the state of the device and additional information found in the extra columns to help identify next steps for troubleshooting.




As with all of the reports, you can use upgraded grid controls to search across the records, sort on every column, view the number of records in the report, use paging controls for large sets of records, and export the list of records to a .csv file to save locally. The report data refreshes roughly every 20 minutes.




On the “Windows 10 detected malware” tab, you can view the operational report to see the list of devices and users with detected malware with details of the malware category. This will show the malware state of the device and counts of malware found on the device. You can take remote actions here including restart, quick scan, full scan, or update signatures to help remediate your devices.




Organizational Reports

Under the “Reports” node, you can navigate to the “Windows Defender Antivirus Reports (preview)” page to see links to two new organizational reports.




The first report, “Antivirus agent status”, allows you to generate a report to view the list of devices, users and antivirus agent status information. You can start by selecting the filter for device state (e.g. clean, critical, reboot pending etc.) and select the columns you wish to have in view. Once the report has been generated, a timestamp shows how fresh the data is. You can search across the results, sort, use paging controls, see the number of records, and export to a .csv file. The data within the report will remain in your console up to 3 days before requiring you to generate again.




The second organizational report, “Detected malware”, works the same way: you select the filters for severity and execution state to generate your report. This will show the list of devices and users with the count of detections found, the execution state, detection time, and malware state/category.




Existing Threat Agent Status Report

The new reports are meant to replace the existing “Threat Agent Status” report, which is found under the Devices > Monitor > Threat Agent Status section of the console. The new reports provide more information, better organization, fresher data, and improved data usability. We will maintain the existing report to give you time to get used to the new reports, update any helpdesk training, and migrate any existing automation to use the new reports. Note that the existing report uses the Intune Graph API from: $expand=windowsProtectionState, and the new reports reference:


We encourage you to try out the new reports and provide any feedback in the comments below. We will be adding more functionality to the reports in the future too!
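For automation that reads the `windowsProtectionState` expansion mentioned above, a triage similar to the “Windows 10 unhealthy endpoints” view can be run offline over a saved response. This is an added example, not code from the original post or from Microsoft; the sample payload and device names are constructed, and treating `networkInspectionSystemEnabled` as the network protection flag is an assumption.

```python
import json

# Constructed sample, shaped like a managedDevices response with
# $expand=windowsProtectionState. Device names are made up.
SAMPLE = json.loads("""
{"value": [
  {"deviceName": "PC-OK", "windowsProtectionState": {
     "malwareProtectionEnabled": true, "realTimeProtectionEnabled": true,
     "networkInspectionSystemEnabled": true, "signatureUpdateOverdue": false,
     "rebootRequired": false, "fullScanRequired": false, "deviceState": "clean"}},
  {"deviceName": "PC-RISK", "windowsProtectionState": {
     "malwareProtectionEnabled": true, "realTimeProtectionEnabled": false,
     "networkInspectionSystemEnabled": true, "signatureUpdateOverdue": true,
     "rebootRequired": false, "fullScanRequired": false, "deviceState": "critical"}},
  {"deviceName": "PC-SILENT", "windowsProtectionState": null}
]}
""")

# Flags that must be explicitly true; missing or null counts as a finding.
MUST_BE_ENABLED = {
    "malwareProtectionEnabled": "malware protection not enabled",
    "realTimeProtectionEnabled": "real-time protection not enabled",
    # Assumption: this property backs the report's network protection column.
    "networkInspectionSystemEnabled": "network protection not enabled",
}
# Flags that indicate outstanding work when true.
PENDING = {
    "signatureUpdateOverdue": "signature update overdue",
    "rebootRequired": "reboot required",
    "fullScanRequired": "full scan required",
}

def triage(payload):
    """Return {deviceName: [issues]} for devices that need attention."""
    findings = {}
    for dev in payload.get("value", []):
        name = dev.get("deviceName", "<unknown>")
        state = dev.get("windowsProtectionState")
        if not state:  # device never reported a protection state
            findings[name] = ["no protection state reported"]
            continue
        issues = [m for k, m in MUST_BE_ENABLED.items() if state.get(k) is not True]
        issues += [m for k, m in PENDING.items() if state.get(k) is True]
        # deviceState may carry several comma-separated values
        for s in str(state.get("deviceState", "clean")).split(","):
            if s.strip() and s.strip() != "clean":
                issues.append(f"device state: {s.strip()}")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for device, issues in triage(SAMPLE).items():
        print(device, "->", "; ".join(issues))
```

Devices that return no protection state are reported rather than skipped, since a silent agent is itself something to investigate.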




How can you reach us?

Let us know if you have any additional questions on this by replying back to this post or tagging @IntuneSuppTeam out on Twitter.

Occasional Contributor

@Intune Support Team is this reporting working with the "normal" Defender, or is ATP needed for this feature?

Hi @trebelow, thanks for the question! Yes, normal Microsoft Defender should be fine.

New Contributor

These look great, but one thing I'm really missing from both Intune/Endpoint Manager and Defender Security Center is where to find the result of a scan I initiate from the console. All I can see right now is that the scan completed, but not the actual results, which is really the thing I care about. Is this coming?




Senior Member

Hi, is there any possibility for email alerts on Malware-Detection-Events without MDATP? 

Frequent Contributor

This is AWESOME, been waiting years for this. Going forward should we use AV Profiles here or Configuration Profiles in Intune to configure our clients - what is your strategy long-term? Do they offer the same settings or does one offer more detailed settings than the other?

Occasional Contributor

@Jonas Back I was going to say the same thing... too many places where to apply and accomplish the same thing. Just like Windows Hello too.

Frequent Contributor

Tagging @Intune Support Team so they get a notification regarding our question.

Frequent Visitor

As I can see there was no answer to the question from @Jonas Back.
@Intune Support Team can you give us a little insight on this one?

@IntuneSuppTeam those are great reports.


Would it be possible to have some other columns added for better scoping, like corporate/personal and if co-managed/intune/configmgr.


This would really help to scope where we need to focus our energies/priorities.


Thank you in advance and don't hesitate if you have any questions.

Thank you all for the questions! We've reached out to the PM, and will get back to your questions as soon as we have more info to share.

Occasional Contributor

Great addition to Intune! Thanks.


@Jonas Back you should use the new profiles under Endpoint security over the configuration profiles.

Occasional Visitor

@Coert Kastelein What happens if they're both configured? I'd like to overlap until all devices are on the new policy, but don't want to break things.

Hi @Ryan Helmer, thanks for the feedback! Nothing on the immediate roadmap, but stay tuned to our In development and What's new docs!

Hi @Daniel Kaufmann, not currently, but we appreciate your feedback! Could you expand on this more over on our UserVoice? Thanks!

Hi @Jonas Back, Endpoint security profiles are for security specific settings & scenarios whereas configuration profiles cover more breadth. The two configuration types offer similar capabilities, but we recommend using the AV profiles under Endpoint security for security related settings as there may be improved controls/configurations here.

Hi @Stephane Lalancette, we’ll take this into consideration! Thanks for the feedback.

Hi @ImScavok, we're guessing this is between an endpoint security AV policy vs configuration profile. If there is overlap, we take the more stringent value down to the device and report it as a conflict within the MEM admin console.

Frequent Visitor

Hello, any reason why malware detections are not only stored in Security Center if you have MDATP enabled?
In some cases we see malware events missing for a device in Security Center and only see them in MEM.
Is there an API to export the Detected malware from MEM?

Last update: Sep 28 2020 10:12 PM