New Device Health Reporting for Microsoft Defender for Endpoint is now generally available
Published Aug 08 2022 02:42 PM
Microsoft

Your security team now has a comprehensive view of the health and security of your endpoints. We are excited to announce new additions and improvements to the Device health dashboard (previously named Device health and compliance). We’ve redesigned the dashboard so that you can view sensor health and antivirus protection status across platforms and easily access detailed Microsoft Defender for Endpoint information.  

 

Here’s what to expect: 

  • A new, tabbed reporting page with cards that display high-level information and security snapshots 
  • Detailed information about Microsoft Defender Antivirus, including engine version, security intelligence version, platform version, antivirus mode, and recent scan results 
  • Easier access to the actionable information and insights you need, with drill-downs to Threat and vulnerability management recommendations, device pages, and the all-new Microsoft Defender Antivirus details flyout, a rich source of device security details 

The following sections describe the new additions and improvements to the Device health dashboard and how to get to it. 

 

New tabbed reporting page with cards

Previously, the Device health and compliance reporting dashboard displayed views in two columns: Device trends and Device summary. We have redesigned the experience! In the new and improved dashboard, you’ll see two tabs:  

  • Sensor health & OS  
  • Microsoft Defender Antivirus health 

Let’s take a deeper look at these tabs. 

 

Sensor health & OS

The Sensor health & OS tab contains cards that show details about sensor health across devices and operating systems in use at your organization, as shown in the following image:

[Image: Sensor health & OS tab]

 

Three easy-to-use cards replace several of the views you previously saw in the former Device trends and Device summary columns. At a glance, you can see whether sensors are working correctly, what operating systems are in use at your organization, and which versions of Windows people are using. 

 

Microsoft Defender Antivirus health 

The Microsoft Defender Antivirus health tab contains detailed information about antivirus protection in your organization, as shown in the following image: 

[Image: Microsoft Defender Antivirus health tab]

This tab features eight new cards. (Note that the version cards show the most recent 3 versions and collect the rest under ‘Other’; the ‘View full report’ flyout shows the most recent 9 versions and collects the rest under ‘Other’.) 

  • Antivirus mode, which tells you at a glance how many devices are running Microsoft Defender Antivirus in active mode, in passive mode, with EDR in block mode turned on, and more  
  • Antivirus engine version with a full report flyout available 
  • Antivirus security intelligence version with a full report flyout available 
  • Antivirus platform version with a full report flyout available 
  • Recent antivirus scan results with a link to learn more about error codes (if you’re seeing any) 
  • Antivirus engine updates with a link to engine/platform updates documentation 
  • Antivirus security intelligence updates with a link to security intelligence updates documentation 
  • Antivirus platform updates with a link to engine/platform updates documentation 
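The cards above summarise values that every onboarded Windows device also exposes locally. As an added example (not code from the original post or from Microsoft), the following PowerShell function reads those same values on one device with the built-in Get-MpComputerStatus cmdlet and flags the conditions an analyst would drill into from the Antivirus mode, Security intelligence version and Recent scan results cards; the age thresholds are illustrative assumptions, not Microsoft defaults.

```powershell
# Added example: local cross-check of the Defender Antivirus values the Device health
# dashboard reports. MaxSignatureAgeDays and MaxScanAgeDays are assumed thresholds.
function Get-LocalAvHealthSnapshot {
    param(
        [int]$MaxSignatureAgeDays = 3,
        [int]$MaxScanAgeDays = 7
    )
    # Built-in Defender cmdlet (Defender PowerShell module); run in an elevated session.
    $s = Get-MpComputerStatus

    $findings = New-Object System.Collections.Generic.List[string]

    # 'Antivirus mode' card: anything other than 'Normal' means Defender AV is not the
    # active real-time engine on this device (passive mode, EDR block mode, not running).
    if ($s.AMRunningMode -ne 'Normal') {
        $findings.Add("Antivirus mode is '$($s.AMRunningMode)' (active mode reports 'Normal')")
    }
    if (-not $s.RealTimeProtectionEnabled) {
        $findings.Add('Real-time protection is disabled')
    }

    # 'Antivirus security intelligence version' card: flag stale signatures.
    $sigAge = (Get-Date) - $s.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
        $findings.Add("Security intelligence $($s.AntivirusSignatureVersion) is $([int]$sigAge.TotalDays) days old")
    }

    # 'Recent antivirus scan results' card: QuickScanAge/FullScanAge are days since the
    # last completed scan of that type.
    if ($s.QuickScanAge -gt $MaxScanAgeDays -and $s.FullScanAge -gt $MaxScanAgeDays) {
        $findings.Add("No quick or full scan completed in the last $MaxScanAgeDays days")
    }

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        AntivirusMode               = $s.AMRunningMode
        EngineVersion               = $s.AMEngineVersion          # 'Antivirus engine version' card
        PlatformVersion             = $s.AMProductVersion         # 'Antivirus platform version' card
        SecurityIntelligenceVersion = $s.AntivirusSignatureVersion
        SecurityIntelligenceUpdated = $s.AntivirusSignatureLastUpdated
        LastQuickScanEnd            = $s.QuickScanEndTime
        LastFullScanEnd             = $s.FullScanEndTime
        Findings                    = $findings.ToArray()
    }
}

Get-LocalAvHealthSnapshot | Format-List
```

If a device shows up under ‘Other’ or in a stale-version bucket on the dashboard, running this on the device tells you whether the sensor is reporting what the device actually has.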

 

More detailed information about Microsoft Defender Antivirus 

The tabs and cards provide at-a-glance information about Microsoft Defender Antivirus. In the new experience, full report flyouts provide more detailed information, as shown in the following examples.  

 

Example #1: Antivirus engine version flyout 

The following image shows the flyout that is opened when the user selects the View full report button on the Antivirus engine version card. 

[Image: Antivirus engine version full report flyout]

 

Example #2: Microsoft Defender Antivirus details 

The following image shows the flyout presenting detailed information about Microsoft Defender Antivirus. On the flyout, you can navigate to your security recommendations to view any actions you should take, such as initiating a scan on an endpoint, or getting required updates installed. 

[Image: Microsoft Defender Antivirus details flyout]

 

 

Easier access to information 

With these updates and improvements to the Device health reporting dashboard, you have easier access to information. You start with summary information in cards, and then move to more detailed views as needed. You also get a more interactive experience. 

  • Select a tab to view summary information displayed in cards. 
  • On each card, select a bar to view more details about that category. Or select a button or link to view more information, such as a full report. 
  • In a report view, use filters and choose columns to view the information you are most interested in. 

 

How do I get to the Device health reporting dashboard? 

The new and improved Device health reporting dashboard is currently in preview and will soon replace your existing dashboard automatically. Follow these steps to access your dashboard: 

  1. Go to https://security.microsoft.com, and sign in.
  2. Choose Reports > Device health.

 

Learn more 

Want to learn more about the new device health reports? See Device health and compliance report in Microsoft Defender for Endpoint | Microsoft Docs for more details. 

 

Let us know what you think! 

We are excited to bring these reporting improvements to you and your security teams. Try out the new device health reports today and let us know what you think in the comments below! We take all feedback into account as we work to continue to improve your security experiences in Microsoft Defender for Endpoint.  

 

26 Comments
Copper Contributor

Hi,

This is great news! Reporting improvement is desperately needed, especially for MSSP engagements. Will the report allow filtering on device tags, device groups, and other metadata?

Thanks 

Copper Contributor

Hi,

This is great, but can you please also think about the RBAC model. Today our helpdesk can't access MDE because with the View Data permission you can also go into Advanced Hunting, which our SecOps team doesn't want our helpdesk to have access to. So, we really need more granular control here. 

Also, from my experience troubleshooting devices with impaired communication or no sensor data, by the time you go and look at the client it's usually already resolved by itself. So, a better report would be: these are the devices that have had impaired communication or no sensor data for more than x days. This way you can focus on troubleshooting what really matters. 

Thanks

Copper Contributor

+1 Requesting more granular RBAC control. 

Copper Contributor

Finally, this would be a good one; reporting is a major drawback for MDE, especially when compared with the 3rd-party solutions clients are told to migrate off.

 

I also second the RBAC, it needs to be more granular.

 

Will commence a review and drop additional feedback from the experience after use.

 

Thanks

Brass Contributor

Really interesting update; it will be helpful to track devices which have connectivity issues and are not updated.

Could you let us know if that data is available in a hunting table to ease querying and reporting on it?

Copper Contributor

Hi @marysia_k 

 

This is a massive improvement; really glad Microsoft has added this report to be viewed in the console and consumed via API.

 

Three things I wanted to highlight:

 

1) Documentation here https://docs.microsoft.com/en-gb/microsoft-365/security/defender-endpoint/device-health-api-methods-... does not highlight the TVM permissions required for this operation

 

2) If this is just information to be consumed, what is the rationale for adding ReadWrite permissions? Why not just Read?

 

3) I’ve tried to execute the GET https://api-us.securitycenter.contoso.com/api/machines/InfoGatheringExport method but seem to be unable to get the URL to export the report. Any ideas on why these are not being generated?


Many thanks!

Microsoft

Hi @Antonio_Pires,

Please see my response to your queries:

1) Documentation here https://docs.microsoft.com/en-gb/microsoft-365/security/defender-endpoint/device-health-api-methods-... does not highlight the TVM permissions required for this operation

  The permissions can be found at Microsoft Defender Antivirus Device Health export device antivirus health reporting | Microsoft Docs

2) If this is just information to be consumed, what is the rationale for adding ReadWrite permissions? Why not just Read?

  You are right and we will fix the documentation; we just need read permissions.

3) I’ve tried to execute the GET https://api-us.securitycenter.contoso.com/api/machines/InfoGatheringExport method but seem to be unable to get the URL to export the report. Any ideas on why these are not being generated?

In your URL I see contoso.com; it should be api-us.securitycenter.microsoft.com

 

Thanks,

Sonali

Microsoft

@Neildup 

We do provide filtering using device group. Please go to the MDAV tab and click on "Filter"; you should see the Device Group filter option at the end of the list.

 

Thanks,

Sonali

Copper Contributor

Hi @Sonali_Meshram 

 

Thanks for your reply. I checked the documentation and couldn’t see any reference in there to the vulnerability permissions.

 

Fair point on the URL, although I’m using the right URL in the testing; see the screenshot below:

 

[Image: screenshot of the InfoGatheringExport request]

Copper Contributor

@Sonali_Meshram any ETA as to when the permissions will be adjusted to just require Read access?

Copper Contributor

Is this data available via the Graph API?

Microsoft

@snehalchauhan, this data is currently not available via the Graph API. The current data export options are CSV export (in the M365D portal), custom Advanced Hunting query, JSON API, and file-based API in public preview. For API docs, see: Microsoft Defender Antivirus export device antivirus health details API methods and properties | Mic...

 

Thanks, 

 

Marysia

Microsoft

@blancochupacabra - The permissions should be up to date. We just needed to update the documentation. 

Microsoft

@LoicM - Hi, a custom Advanced Hunting query should be available in public preview. Does this answer your question?

Microsoft

@effjaay, @Ciaran Ruane, @Kris Titeca - Thank you for your feedback on RBAC. Could you please provide more input on what type of granular controls would be most useful for your scenario?

 

Copper Contributor

Hi @marysia_k ,

 

For this specific scenario, granting other people in the organisation access to reports, I would suggest adding an additional permission ‘Device Inventory’ under View Data that would allow consulting basic information in the device inventory, such as device properties, health, active alerts, risk level and exposure level, but doesn’t grant access to the timeline or any advanced hunting options, and also doesn’t grant any access to the actions or anything else.

 

Added to that, you would also need a permission ‘View Reports’ which would allow the user to access reports; ideally you could even be granular and, for example, only allow access to device health reports.

 

There are other things in terms of RBAC that I would like to see improved, but this would already be a great start.

 

Thanks,

Kris

Copper Contributor

This is great!

 

I have a quick question. I could be missing it, but is there anywhere we can view the current EDR (MsSense) version? It looks like I can see the AV platform, AV engine, and intelligence versions but I can't seem to locate the EDR version anywhere.

 

Thank you!

Microsoft

Hi @Christopher__ , thanks for your feedback. We do not surface the EDR version today in the MDAV Health Reports. Currently, you can get this info in the M365D portal under the Device Summary page > "Software Inventory" tab. Another option is running the following PowerShell command: (Get-Item "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe").VersionInfo | format-list

Copper Contributor

@marysia_k Thank you! Do you happen to know where I can find a list of the EDR versions? I am having a hard time finding a list of the most recent EDR versions across operating systems. For example, one system is running version 10.8040.19041.1586 but I have no idea if that's the most recent one or when it came out/how old it is. 

 

Thanks again!

Microsoft

@Christopher__ Since EDR is built into the OS, it is included in the CSVs for the monthly Windows updates. For example, go to: August 9, 2022—KB5016616 (OS Builds 19042.1889, 19043.1889, and 19044.1889) (microsoft.com) > "File Information" section > download the file info for the update > find "MsSense.exe" in the file. Please note that for EDR we release on the 2nd Tuesday of the month, so if you want to check what was released in May 2022, you would need to check the release from the 2nd Tuesday of May. Hope this helps. 

Copper Contributor

Thank you @marysia_k !

Copper Contributor

Hi @marysia_k, why can't we see Device health reports, AV platform version, and AV engine version for Windows 2012 R2 and Windows 2016 servers?

Microsoft

@Vkare1 , For Windows Server 2012 R2 and Windows Server 2016 to appear in device health reports, devices must be onboarded using the modern unified solution package. For more information, see New functionality in the modern unified solution for Windows Server 2012 R2 and 2016.

Copper Contributor

@marysia_k Thanks for the info. I have a couple of queries for Defender for Linux. We are trying to schedule the full scan for Linux servers from the JSON policy. Can you help with the query which we can add to the JSON file? 

NOTE: We are aware of the cron jobs method, which can be scheduled manually for each server; however, instead of this we want to schedule it centrally. Is it possible?

 

My 2nd query is regarding "muteOpenFileEvents". We added this feature via the JSON file on a Linux server. We want to validate this feature. How can it be validated?

Copper Contributor

Why does the Device name field in this report include this extraneous information: " - security.microsoft.com/machines/"Device ID""? The Device ID is already in the report, and this renders the report useless. This kind of extra work required of Microsoft Defender for Endpoint makes the "MDE is free" claim laughable.

Copper Contributor

It would be great if MS enhanced this report to add an AV policy enforcement status report.

It is really hard to navigate to Intune to get the exact policy enforcement status.

Version history: last update Sep 01 2022 11:38 AM