Microsoft Tech Community

Run AV scan and AIR on all devices

Is there any way to run AIR and AV scan on all devices using Microsoft Defender for Endpoint or Sentinel playbook?

1 Reply
There doesn't seem to be a way to run a scan on all devices. You can run a scan on devices that have reported unhealthy by going into the Endpoint manager, going to Endpoint Security > Antivirus > Unhealthy devices, and starting a scan for all of them.

Maybe deploy a PowerShell script through the endpoint manager to run `Start-MpScan`. I don't think there is a PowerShell command to run AIR; it will only run if it finds something in the AV scan and you have a policy set up for it to run.

To run both, you could probably script something using the API, documented here:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-list?view=o36...

Use the List machines method, loop through to get each ID and run the methods to start AV scans and AIRs, which are listed here: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?vie...
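
The loop described in the reply above, sketched in Python as an added example (not part of the original post and not Microsoft's code). It assumes an Azure AD bearer token obtained separately for an app registration allowed to list machines, run scans and start investigations, and the `api.securitycenter.microsoft.com` endpoint. The function names, the injectable `send` transport and the choice to skip machines whose `healthStatus` is not `Active` are assumptions of this sketch.

```python
import json
import urllib.error
import urllib.request

API = "https://api.securitycenter.microsoft.com/api"


def http_send(method, url, token, body=None):
    """Default transport: one authenticated JSON request to the Defender API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}  # keep going; the caller records the status


def list_machines(token, send=http_send):
    """Yield every machine record, following @odata.nextLink if one is returned."""
    url = f"{API}/machines"
    while url:
        status, page = send("GET", url, token)
        if status != 200:
            raise RuntimeError(f"List machines failed with HTTP {status}")
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def scan_and_investigate(token, comment, scan_type="Quick", send=http_send):
    """Start an AV scan and an automated investigation on each active machine.

    Returns {machine_id: {"scan": http_status, "air": http_status}}.
    """
    results = {}
    for m in list_machines(token, send):
        if m.get("healthStatus") != "Active":
            continue  # sketch's choice: skip devices not currently reporting in
        base = f"{API}/machines/{m['id']}"
        scan, _ = send("POST", f"{base}/runAntiVirusScan", token,
                       {"Comment": comment, "ScanType": scan_type})
        air, _ = send("POST", f"{base}/startInvestigation", token,
                      {"Comment": comment})
        results[m["id"]] = {"scan": scan, "air": air}
    return results
```

The machine action endpoints are rate limited, so a large fleet needs a delay between iterations; review the returned status map for machines where either request was rejected.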