Announcing new Endpoint Security Antivirus reports!
Published Sep 21 2020 08:02 AM

By: Laura Arrizza - Program Manager | Microsoft Endpoint Manager - Intune

 

We are introducing new Microsoft Defender Antivirus reports in the Microsoft Endpoint Manager admin center to help you monitor the malware and antivirus status of your devices. You will be able to use two new operational reports to see which devices need your attention and two organizational reports to view general AV information.

 

New Operational Reports in Endpoint Security

Under the “Endpoint Security” node, you can navigate to the “Antivirus” section to see summary aggregates and new operational reports to help you monitor the devices that need your attention.

 

On the “Summary” tab, you can see aggregate information for the count of devices with a given threat agent status and active malware category. Both aggregates show the top eight categories and correspond to the operational reports in the other tabs. If there are no devices in any of the states, you will be informed that there are no results to display.

 

AV Reports.png

 

On the “Windows 10 unhealthy endpoints” tab, you can view the operational report for the threat agent status on devices and users to outline which are in a state that requires your attention. Each record will tell you if malware protection, real-time protection, and network protection are enabled or disabled. You can view the state of the device and additional information found in the extra columns to help identify next steps for troubleshooting.

 

AV Reports 2.png

 

As with all of the reports, you can use upgraded grid controls to search across the records, sort on every column, view the number of records in the report, use paging controls for large sets of records, and export the list of records to a .csv file to save locally. The reports refresh their data roughly every 20 minutes.

 

AV Reports 3.png

 

On the “Windows 10 detected malware” tab, you can view the operational report listing the devices and users with detected malware, including the malware category. This shows the malware state of each device and the count of malware found on it. You can take remote actions here, including restart, quick scan, full scan, or update signatures, to help remediate your devices.

 

AV Reports 4.png

 

Organizational Reports

Under the “Reports” node, you can navigate to the “Windows Defender Antivirus Reports (preview)” page to see links to two new organizational reports.

 

AV Reports 5.png

 

The first report, “Antivirus agent status”, lets you generate a report listing devices, users, and antivirus agent status information. You start by selecting the filter for device state (e.g. clean, critical, reboot pending) and the columns you wish to have in view. Once the report has been generated, a timestamp shows how fresh the data is. You can search across the results, sort, use paging controls, see the number of records, and export to a .csv file. The generated data remains in your console for up to 3 days before you need to generate the report again.

 

AV Reports 6.png

 

The second organizational report, “Detected malware”, works the same way: you select the filters for severity and execution state to generate your report. It shows the list of devices and users with the count of detections found, the execution state, detection time, and malware state/category.

 

AV Reports 7.png

 

Existing Threat Agent Status Report

The new reports are meant to replace the existing “Threat Agent Status” report, which is found under the Devices > Monitor > Threat Agent Status section of the console. The new reports provide more information, better organization, fresher data, and improved data usability. We will maintain the existing report to give you time to get used to the new reports, update any helpdesk training, and migrate any existing automation to use the new reports. Note that the existing report uses the Intune Graph API endpoint https://graph.microsoft.com/beta/deviceManagement/managedDevices$expand=windowsProtectionState, and the new reports reference https://graph.microsoft.com/beta/deviceManagement/reports/getUnhealthyDefenderAgentsReport.
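If you have automation built on the existing managedDevices query, the following added Python example (not Microsoft's or this post's code) shows how such a script can triage one page of that response into the same "needs attention" buckets the new unhealthy endpoints report surfaces, so you can compare results while migrating. The sample response is constructed, and the property names under windowsProtectionState (realTimeProtectionEnabled, malwareProtectionEnabled, networkInspectionSystemEnabled, deviceState, rebootRequired, signatureUpdateOverdue) are my assumption of the beta resource shape and should be verified against the Graph reference.

```python
import json

# Constructed sample: a three-device page as the legacy query
# GET /beta/deviceManagement/managedDevices?$expand=windowsProtectionState
# is assumed to return it (field names are an assumption, see lead-in).
SAMPLE_RESPONSE = json.dumps({"value": [
    {"deviceName": "LAPTOP-01", "userPrincipalName": "alice@contoso.example",
     "windowsProtectionState": {
         "deviceState": "clean", "realTimeProtectionEnabled": True,
         "malwareProtectionEnabled": True, "networkInspectionSystemEnabled": True,
         "rebootRequired": False, "signatureUpdateOverdue": False}},
    {"deviceName": "LAPTOP-02", "userPrincipalName": "bob@contoso.example",
     "windowsProtectionState": {
         "deviceState": "rebootPending", "realTimeProtectionEnabled": False,
         "malwareProtectionEnabled": True, "networkInspectionSystemEnabled": False,
         "rebootRequired": True, "signatureUpdateOverdue": True}},
    # A device that has never reported protection state at all.
    {"deviceName": "DESKTOP-03", "userPrincipalName": "carol@contoso.example",
     "windowsProtectionState": None},
]})

# Boolean flags that must be True for a device to count as healthy.
REQUIRED_FLAGS = {
    "realTimeProtectionEnabled": "real-time protection disabled",
    "malwareProtectionEnabled": "malware protection disabled",
    "networkInspectionSystemEnabled": "network protection disabled",
}
# Boolean flags that must be False for a device to count as healthy.
FORBIDDEN_FLAGS = {
    "rebootRequired": "reboot pending",
    "signatureUpdateOverdue": "signature update overdue",
}

def unhealthy_reasons(state):
    """Return why a device needs attention; an empty list means healthy."""
    if not state:  # missing or null expansion: the device never reported
        return ["no protection state reported"]
    reasons = []
    if state.get("deviceState", "clean") != "clean":
        reasons.append(f"deviceState={state['deviceState']}")
    reasons += [msg for key, msg in REQUIRED_FLAGS.items() if not state.get(key, False)]
    reasons += [msg for key, msg in FORBIDDEN_FLAGS.items() if state.get(key, False)]
    return reasons

def triage(response_json):
    """Map deviceName -> reasons for every device on the page that needs attention."""
    needs_attention = {}
    for device in json.loads(response_json).get("value", []):
        reasons = unhealthy_reasons(device.get("windowsProtectionState"))
        if reasons:
            needs_attention[device.get("deviceName", "<unknown>")] = reasons
    return needs_attention

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RESPONSE).items():
        print(f"{name}: {'; '.join(reasons)}")
```

For a real tenant, page through the query using the @odata.nextLink the Graph API returns and feed each page's JSON to triage().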

 

We encourage you to try out the new reports and provide any feedback in the comments below. We will be adding more functionality to the reports in the future too!

 

AV Reports 8.png

 

How can you reach us?

Let us know if you have any additional questions on this by replying back to this post or tagging @IntuneSuppTeam out on Twitter.

24 Comments
Brass Contributor

@Intune_Support_Team is this reporting working with the "normal" defender or is ATP needed for this feature.

Hi @trebelow, thanks for the question! Yes, normal Microsoft Defender should be fine.

Iron Contributor

These look great, but one thing I'm really missing from both Intune/Endpoint Manager and Defender Security Center is where to find the result of a scan I initiate from the console. All I can see right now is that the scan completed, but not the actual results, which is really the thing I care about. Is this coming?

 

Thanks!

Ryan

Copper Contributor

Hi, is there any possibility for email alerts on Malware-Detection-Events without MDATP? 

Steel Contributor

This is AWESOME, been waiting years for this. Going forward should we use AV Profiles here or Configuration Profiles in Intune to configure our clients - what is your strategy long-term? Do they offer the same settings or does one offer more detailed settings than the other? 

Brass Contributor

@Jonas Back I was going to say the same thing... too many places where to apply and accomplish the same thing. Just like Windows Hello too.

Steel Contributor

Tagging @Intune_Support_Team so they get a notification regarding our question.

Copper Contributor

As I can see there was no answer to the question from @Jonas Back.
@Intune_Support_Team can you give us a little insight on this one?

Brass Contributor

@IntuneSuppTeam those are great reports.

 

Would it be possible to have some other columns added for better scoping, like corporate/personal and if co-managed/intune/configmgr.

 

This would really help to scope where we need to focus our energies/priorities.

 

Thank you in advance and don't hesitate if you have any questions.

Thank you all for the questions! We've reached out to the PM, and will get back to your questions as soon as we have more info to share.

Brass Contributor

Great addition to Intune! Thanks.

 

@Jonas Back you should use the new profiles under Endpoint security over the configuration profiles.

Copper Contributor

@Coert Kastelein What happens if they're both configured? I'd like to overlap until all devices are on the new policy, but don't want to break things.

Hi @Ryan Helmer, thanks for the feedback! Nothing on the immediate roadmap, but stay tuned to our In development and What's new docs!

Hi @Daniel Kaufmann, not currently, but we appreciate your feedback! Could you expand on this more over on our UserVoice? Thanks!

Hi @Jonas Back, Endpoint security profiles are for security specific settings & scenarios whereas configuration profiles cover more breadth. The two configuration types offer similar capabilities, but we recommend using the AV profiles under Endpoint security for security related settings as there may be improved controls/configurations here.

Hi @Stephane Lalancette, we’ll take this into consideration! Thanks for the feedback.

Hi @ImScavok, we're guessing this is between an endpoint security AV policy vs configuration profile. If there is overlap, we take the more stringent value down to the device and report it as a conflict within the MEM admin console.

Copper Contributor

Hello, any reason why malware detections are not only stored in Security Center if you have MDATP enabled?
In some cases we see malware events missing for a device in Security Center and only see them in MEM.
Is there an API to export the Detected malware from MEM?

Microsoft

Hello,

 

Quick question....

 

Please can you confirm how long the "Windows 10 Active Malware" shows threat data for in Endpoint Manager?

This does not appear to sync in real time with Defender for Endpoint.

Once the Alert has been mitigated in Defender, which can be confirmed on the timeline, you can still see this information for some time in Endpoint Manager under Endpoint Security > Antivirus > Windows 10 Active Malware.

 

 

Copper Contributor

@Intune_Support_Team is it possible to get an Email alert when a client is infected? In our current setup there is no way of knowing what is going on besides visiting the Endpoint Antivirus page. And that is not something I do on a daily basis. 

Hi @MRBoelen great question! We have looked into this, and you can set the alert severity levels that trigger email notifications. To apply this setting and add or remove recipients of the email notification we have a doc here that can help. See Configure alert notifications in Microsoft Defender for Endpoint | Microsoft Docs. The email notification includes information about the alert and a link to the portal where you can do further investigation. We hope this helps! ^IH

Hi @Amar_Ahmed, to start off, here's something from our Intune Graph API docs we think might help: https://github.com/MicrosoftDocs/memdocs/blob/main/memdocs/intune/fundamentals/reports-export-graph-....

 

@DeanS81, the data showing in Microsoft Endpoint Manager is obtained via device check-in, and the data is updated when that takes place, which can be the reason why the data may take some time to update from the time it is available in Microsoft Defender for Endpoint.

Copper Contributor

Dear @Intune_Support_Team


I need to,

  • run Quick scan daily at 12 PM
  • run Full scan on Thursdays at 10 AM
  • run catchup scan for quick scans

Is this possible? If yes could you please help me.
Occasional Reader

Dear @Intune_Support_Team 

In Windows Defender Antivirus Reports, have Microsoft removed the Device Name section? It is not showing when I am generating the report; I have attached the ss.

Ravi_Sharma_26_0-1711520933150.png

 

Version history: last updated Nov 30 2023 03:59 PM