Device inventory

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

The Device inventory shows a list of the devices in your network where alerts were generated. By default, the queue displays devices seen in the last 30 days. At a glance, you see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.

Note

The device inventory is available in Microsoft Defender XDR services. The available information might differ depending on your license. To get the most complete set of capabilities, use Microsoft Defender for Endpoint Plan 2.

Risk Level, which can influence enforcement of Conditional Access and other security policies in Microsoft Intune, is now available for Windows devices.

There are several options you can choose from to customize the devices list view. On the top navigation you can:

  • Add or remove columns.
  • Export the entire list in CSV format.
  • Select the number of items to show per page.
  • Apply filters.

During the onboarding process, the Devices list is gradually populated with devices as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online, or download the complete endpoint list as a CSV file for offline analysis.

Note

If you export the devices list, it contains every device in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file includes all devices in the organization, regardless of any filtering applied in the view itself.

In addition, when you export the devices list, the antivirus status shows as Not-Supported. For antivirus status, use the recently released Microsoft Defender Antivirus health report instead. This report allows you to export even more details.

The following image depicts the devices list:

The list of devices

Sort and filter the device list

You can apply the following filters to limit the list of alerts and get a more focused view.

Device name

During the Microsoft Defender for Endpoint onboarding process, devices onboarded to Defender for Endpoint are gradually populated into the device inventory as they begin to report sensor data. The device inventory is also populated by devices that are discovered in your network through the device discovery process. The device inventory has the following tabs:

  • All devices
  • Computers & mobile: Enterprise endpoints (workstations, servers, and mobile devices).
  • Network devices: Devices like routers and switches.
  • IoT/OT devices: Enterprise internet of things (IoT) devices like printers and cameras, and operational technology (OT) devices like servers or packaging systems.
  • Uncategorized devices: Devices that couldn't be properly classified.

In the Defender portal at https://security.microsoft.com, go to Assets > Devices. Or, to go directly to the Device inventory page, use https://security.microsoft.com/machines.

Device inventory overview

The device inventory opens on the All devices tab. You can see information such as device name, domain, risk level, exposure level, OS platform, criticality level, onboarding status, sensor health state, mitigation status, and other details for easy identification of devices most at risk.

The Classify critical assets card allows you to define device groups as business critical. You might also see the Attack path warning card, which takes you to Attack paths to examine if any of your assets are part of an attack path. For more information, see Overview of attack paths.

Note

Classify critical assets and attack path information is part of Microsoft Security Exposure Management, which is currently in public preview.

Use the Onboarding Status column to sort and filter by discovered devices, and devices that are already onboarded to Microsoft Defender for Endpoint.

Image of devices list with list of devices.

From the Network devices and IoT/OT devices tabs, you also see information such as vendor, model, and device type:

Image of network devices list.

Note

Device discovery integration with Microsoft Defender for IoT in the Defender portal (Preview) is available to help locate, identify, and secure your complete OT/IOT asset inventory. Devices discovered with this integration appear on the IoT/OT devices tab.

With Defender for IoT, you can also view and manage Enterprise IoT devices (like printers, smart TVs, and conferencing systems) as part of enterprise IoT monitoring. For more information, see Enable Enterprise IoT security with Defender for Endpoint.

At the top of each device inventory tab, the following device counts are available:

  • Total: The total number of devices.
  • Critical assets: The number of your business critical assets (All devices tab only).
  • High risk: The number of devices that are identified as a higher risk to your organization.
  • High exposureThe number of devices with high exposure.
  • Not onboarded: The number of devices that aren't yet onboarded. (All devices and Computers & mobile tabs only).
  • Newly discovered: The number of newly discovered devices within the last 7 days (all tabs except Computers & mobile).

You can use this information to help you prioritize devices for security posture improvements.

Explore the device inventory

There are several options to customize the device inventory view. On the top navigation for each tab you can:

  • Search for a device by name.
  • Search for a device by the most recently used IP or Mac address or IP address prefix.
  • Add or remove columns.
  • Export the entire list in CSV format for offline analysis.
  • Select the date range to display.
  • Apply filters.

Note

If you export the device list to CSV, it contains every device in your organization, so it might take a long time to download the CSV file. The CSV file contains unfiltered data for all devices in the organization, regardless of any filters.

You can use the sort and filter functionality on each device inventory tab to get a more focused view. These controls also help you assess and manage the devices in your organization.

The counts on the top of each tab are updated based on the current view.

Use filters to customize the device inventory views

The available device properties to use as filters vary based on the device inventory tab as described in the following table:

Property Tabs Description
Antivirus status
  • All devices
  • Computers & mobile
The antivirus status of the device. The available values are:
  • Disabled
  • Not updated
  • Unknown
Cloud platforms
  • All devices
  • Computers & mobile
The cloud platform that the device belongs to. The available values are:
  • Azure
  • AWS
  • GCP
  • Arc
  • None
Criticality level
  • All devices
  • Computers & mobile
The assigned criticality level of the device (how critical a device is for your organization). The available values are:
  • Very high: The device is considered a business critical asset
  • High
  • Medium
  • Low
  • None

For more information, see Overview of critical asset management.
Device category All devices The category value assigned to the device. Enter a value or select from the available values:
  • BMS
  • Computers and Mobile
  • IoT
  • Medical
  • Network Device
  • OT
  • Unknown
Device subtype
  • All devices
  • IoT/OT
The subtype value assigned to the device. Enter a value or select an available value (for example, Video conference).
Device type
  • All devices
  • IoT/OT
The type value assigned to the device. Enter a value or select an available value (for example, Audio and Video).
Device value All The assigned value of the device. The available values are High and Low.
Discovery sources All The source reporting on the device.
Exclusion state All The available values are Not excluded and Excluded. For more information, see Exclude devices.
Exposure level All The exposure level of the device based on pending security recommendations. The available values are:
  • High
  • Medium
  • Low: Devices are less vulnerable to exploitation.
  • No data available: Possible causes for this value include:
First seen All tabs except Network devices How long ago the device was first seen on the network or when it was first reported by the Microsoft Defender for Endpoint sensor. The available values are Last 7 days or Over 7 days ago.
Group
  • All devices
  • Computers & mobile
  • Network devices
Device groups. Enter a value in the box.
Internet facing
  • All devices
  • Computers & mobile
Whether the device is internet facing. The available values are Yes and No.
Managed by
  • All devices
  • Computers & mobile
How the device is being managed. The available values are:
  • Intune
  • Intune: Microsoft Intune, including co-management with Microsoft Configuration Manager via tenant attach.
  • ConfigMgr: Microsoft Configuration manager.
  • MDE: Microsoft Defender for Endpoint.
  • Unknown: This value is caused by one of the following conditions:
    • An outdated version of Windows.
    • GPO management.
    • Non-Microsoft mobile device management (MDM).
Mitigation status
  • All devices
  • Computers & mobile
The available values are Contained and Isolated.
Model All devices The model of the device. Enter a value or select from the available values.
Onboarding status
  • All devices
  • Computers & mobile
Whether the device is currently onboarded in Defender for Endpoint. Device discovery must be enabled for this filter to appear. The available values are:
  • Onboarded: The device is onboarded to Defender for Endpoint.
  • Can be onboarded: The supported device was discovered, but it isn't currently onboarded. We highly recommend onboarding these devices.
  • Unsupported: The unsupported device was discovered.
  • Insufficient info: The system couldn't determine the supportability of the device.
OS Platform
  • All devices
  • Computers & mobile
The operating system on the device. The available values are:
  • Windows 11
  • Windows 10
  • Windows 8.1
  • Windows 8
  • Windows 7
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2008 R2
  • Linux
  • macOS
  • iOS
  • Android
  • Windows 10 WVD
  • Other
OS Version All devices The version of the operating system, which includes Windows versions. On the Computers & mobile tab, the Windows version filter is also available.
Risk level All The overall risk assessment of the device based on a combination of factors, including the type and severity of active alerts on the device. The available values are:
  • High
  • Medium
  • Low
  • Informational
  • No known risk

Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.
Sensor health state
  • All devices
  • Computers & mobile
The available values for onboarded devices are:
  • Active: Devices that are actively reporting sensor data to the service.
  • Inactive: Devices that stopped sending signals for more than seven days.
  • Misconfigured: Devices with impaired communications or devices that can't send sensor data. For more information on how to address issues on misconfigured devices, see, Fix unhealthy sensors
.
Site
  • All devices
  • IoT/OT
Used for Defender for IoT site security (requires a Defender for IoT license).
Tags All The grouping and tagging that you added to individual devices. For more information, see Create and manage device tags.
Transient device All The available values are No and Yes. By default, transient devices are filtered to reduce inventory noise. For more information, see Identifying transient devices.
Vendor All devices The vendor of the device. Enter a value or select from the available values.
Windows version Computers & mobile The version of Windows. The OS version filter is also available.
The value Future version for this property is caused by one of the following scenarios:
  • A prerelease build of a future Windows release.
  • The build has no version name.
  • The build version name isn't yet supported

The full OS version is visible on the device details page.

Use columns to customize the device inventory views

You can sort the entries by clicking on an available column header. Select Customize columns to change the columns that are shown. The default values are marked with an asterisk (*):

  • All devices tab:

    • Name<sup*
    • IP<sup*
    • MAC address
    • Criticality level<sup*
    • Device category<sup*
    • Device type<sup*
    • Device subtype
    • Vendor
    • Model
    • Domain<sup*
    • Device AAD id<sup*
    • Risk level<sup*
    • Exposure level<sup*
    • OS platform<sup*
    • OS distribution
    • OS version<sup*
    • Sensor health state<sup*
    • Onboarding status<sup*
    • Discovery sources
    • First seen
    • Last device update<sup*
    • Tags<sup*
    • Exclusion state
    • Managed by<sup*
    • Managed by status<sup*
    • Mitigation status<sup*
    • Cloud platforms<sup*

    Firmware information for OT devices is displayed in the OS version and Model columns.

  • Computers & mobile tab:

    • Name<sup*
    • Domain<sup*
    • Device AAD id<sup*
    • Device type
    • Device subtype
    • Risk level<sup*
    • Exposure level<sup*
    • OS platform<sup*
    • OS distribution
    • Windows version<sup*
    • MAC address
    • Criticality level<sup*
    • Sensor health state<sup*
    • Onboarding status<sup*
    • Discovery sources
    • Last device update<sup*
    • First seen
    • Tags<sup*
    • Exclusion state
    • Managed by<sup*
    • Managed by status<sup*
    • Mitigation status<sup*
    • Cloud platforms<sup*
  • Network devices tab

    • IP*
    • MAC address
    • Vendor*
    • Model*
    • Name*
    • Discovery sources
    • Domain
    • Device type
    • Device subtype
    • Risk level*
    • Exposure level*
    • OS distribution*
    • OS version*
    • Last device update*
    • First seen
    • Tags*
    • Exclusion state
  • IoT/OT devices tab

    • IP*
    • MAC address*
    • Name*
    • Device type*
    • Device subtype*
    • Vendor*
    • Model*
    • Risk level*
    • Exposure level*
    • Discovery sources
    • OS distribution*
    • OS version*
    • First seen
    • Last device update*
    • Domain
    • Tags*
    • Exclusion state
  • Uncategorized devices tab:

    • Name*
    • Vendor*
    • IP*
    • Discovery sources
    • MAC address
    • Risk level
    • Exposure level
    • OS distribution*
    • OS version*
    • Last device update*
    • First seen
    • Tags*
    • Exclusion state

Tip

To see all columns, you likely need to do one or more of the following steps:

  • Horizontally scroll in your web browser.
  • Narrow the width of appropriate columns.
  • Zoom out in your web browser.

Investigate devices in the Microsoft Defender for Endpoint Devices list.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.