Updates from: 01/03/2023 02:16:32
Category Microsoft Docs article Related commit history on GitHub Change details
security Get Scan History By Definition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/Get-scan-history-by-definition.md
+
+ Title: Get scan history by definition
+description: Learn how to use the get scan history by definition api
+keywords: apis, graph api, supported apis, scan history, definition
+
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- m365-security
+- tier3
+++
+search.appverid: met150
++
+# Get scan history by definition
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
++++
+## API description
+
+Retrieves a list of the scan history by definitions.
+
+## Limitations
+
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md).
+
+Permission type|Permission|Permission display name
+:|:|:
+Application|Machine.Read.All| Read all scan information.
+Delegated (work or school account)|Machine.Read.All|Read all scan information.
+
+> [!NOTE]
+> When obtaining a token using user credentials:
+>
+> - To view data the user needs to have at least the following role permission: 'ViewData' or 'TvmViewData' (See [Create and manage roles](user-roles.md) for more information)
+
+## HTTP request
+
+```http
+POST api/DeviceAuthenticatedScanDefinitions/ScanHistoryByScanDefinitionId
+```
+
+## Request headers
+
+Name|Type|Description
+:|:|:
+Authorization|String|Bearer {token}. **Required**.
+Content-Type|string|application/json. **Required**.
+
+## Request body
+
+In the request body, supply a JSON object with the following parameters:
+
+Parameter|Type|Description
+:|:|:
+ScanDefinitionIds |String|The scan Id. **Required**.
+
+## Response
+
+If successful, this method returns 200 - OK response code with a list of the scan history by definition.
+
+## Example request
+
+Here is an example of the request.
+
+```http
+POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/ScanHistoryByScanDefinitionId
+```
+
+```json
+{
+ "ScanDefinitionId": ["4ad8d463-6b3a-4894-b42a-a2de9ea0a8ae", "60c4aa57-c573-4488-8d18-230914792a92", "c6220f67-2cad-4ba3-a2fa-7ded6384da56"]
+}
+```
+
+## Response example
+
+```json
+{
+"@odata.context": "https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/ScanHistoryByScanDefinitionId",
+ "value": [
+ {
+ "ScanDefinitionId": "4ad8d463-6b3a-4894-b42a-a2de9ea0a8ae",
+ "LastScanned": "2022-12-20T11:14:24.5561791Z",
+ "ScanStatus": "Partial Success",
+ "ScannerId": "625431694b7d2ca9d07e77ca1b029ef216bebb6d"
+ },
+ {
+ "ScanDefinitionId": "60c4aa57-c573-4488-8d18-230914792a92",
+ "LastScanned": "2022-11-17T15:13:24.5561791Z",
+ "ScanStatus": "Partial Success",
+ "ScannerId": "625431694b7d2ca9d07e77ca1b029ef216bebb6d"
+ },
+ {
+ "ScanDefinitionId": "c6220f67-2cad-4ba3-a2fa-7ded6384da56",
+ "LastScanned": "2022-11-10T18:15:24.5561791Z",
+ "ScanStatus": "Partial Success",
+ "ScannerId": "625431694b7d2ca9d07e77ca1b029ef216bebb6d"
+ },
+ ]
+}
+
+```
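Review bot: The request body table names the parameter `ScanDefinitionIds` with type String, but the example body sends `"ScanDefinitionId"` (singular) holding an array of three IDs, so a reader cannot tell which key or type the service accepts. Align the table and the example on the exact key and give the type as a collection of strings. The response example also ends its last array element with `},` directly before `]`, which is not valid JSON, and the `## HTTP request` line is written `api/...` without the leading slash that the session-history page uses.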
security Get Scan History By Session https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/Get-scan-history-by-session.md
+
+ Title: Get scan history by session
+description: Learn how to use the get scan history by session api
+keywords: apis, graph api, supported apis, scan history by session
+
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- m365-security
+- tier3
+++
+search.appverid: met150
++
+# Get scan history by session
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
++++
+## API description
+
+Retrieves a list of the scan history by session.
+
+## Limitations
+
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md).
+
+Permission type|Permission|Permission display name
+:|:|:
+Application|Machine.Read.All| Read all scan information.
+Delegated (work or school account)|Machine.Read.All|Read all scan information.
+
+> [!NOTE]
+> When obtaining a token using user credentials:
+>
+> - To view data the user needs to have at least the following role permission: 'ViewData' or 'TvmViewData' (See [Create and manage roles](user-roles.md) for more information)
+
+## HTTP request
+
+```http
+POST /api/DeviceAuthenticatedScanDefinitions/ScanHistoryBySessionId
+```
+
+## Request headers
+
+Name|Type|Description
+:|:|:
+Authorization|string|Bearer {token}. **Required**.
+Content-Type|string|application/json. **Required**.
+
+## Request body
+
+In the request body, supply a JSON object with the following parameters:
+
+Parameter|Type|Description
+:|:|:
+SessionIds |String|The session Id. **Required**.
+
+## Response
+
+If successful, this method returns 200 - OK response code with a list of the scan history for a session.
+
+## Example request
+
+Here is an example of the request.
+
+```http
+POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/ScanHistoryBySessionId
+```
+
+```json
+{
+ "SessionId": ["01decc497f4b4ec49a5fc4e12597f8c8"]
+}
+```
+
+## Response example
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/ScanHistoryBySessionId",
+ "value": [
+ {
+ "orgId": "asdf781a0c-792d-46d3-bbea-a93dbc0bfcaa",
+ "ScanDefinitionId": "4ad8d463-6b3a-4894-b42a-a2de9ea0a8ae",
+ "SessionId": "01decc497f4b4ec49a5fc4e12597f8c8",
+ "NumberOfSuccessfullyScannedTargets": 3,
+ "NumberOfTargets": 3,
+ "ScanStatus": "Success",
+ "LastScanned": "2022-12-19T15:14:24.5561791Z",
+ "ListScannedTargets": {
+ "Ip": "127.0.0.1",
+ "Hostname": "DESKTOP-Test",
+ "ScannedDeviceDescription": "Network device",
+ "ErrorMessage": "",
+ "ScanStatus": "Success",
+ "ScanDuration": "00:08:30",
+ },
+ {
+ "Ip": "127.0.0.2",
+ "Hostname": "DESKTOP-Test2",
+ "ScannedDeviceDescription": "Network device 2",
+ "ErrorMessage": "",
+ "ScanStatus": "Success",
+ "ScanDuration": "00:08:00",
+ },
+{
+ "Ip": "127.0.0.3",
+ "Hostname": "DESKTOP-Test3",
+ "ScannedDeviceDescription": "Network device 3",
+ "ErrorMessage": "",
+ "ScanStatus": "Success",
+ "ScanDuration": "00:08:50",
+ },
+ }
+ ]
+}
+```
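Review bot: In the response example, `"ListScannedTargets": {` opens an object, lists the first target's fields directly inside it, and then continues with two more brace-wrapped targets, so the sample does not parse and the shape of the field is unclear. If the field is a list of targets, write it as an array with one object per target, and drop the trailing commas after each `"ScanDuration"` value and after the last target. The request body table also documents `SessionIds` as a String while the example sends `"SessionId"` with an array; make the name and type match.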
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
#### [Device timeline](device-timeline-event-flag.md) #### [Manage device group and tags](machine-tags.md)
-### [Network devices](network-devices.md)
+### [Authenticated scans]()
+#### [Network devices](network-devices.md)
+#### [Windows authenticated scan](../defender-vulnerability-management/windows-authenticated-scan.md)
### [Host firewall reporting in Microsoft Defender for Endpoint](host-firewall-reporting.md)
####### [Export non product code software inventory assessment](get-assessment-non-cpe-software-inventory.md) ####### [Export software vulnerabilities assessment](get-assessment-software-vulnerabilities.md)
+###### [Authenticated scan]()
+####### [Authenticated scan methods and properties](get-authenticated-scan-properties.md)
+####### [Get all scan definitions](get-all-scan-definitions.md)
+####### [Add, delete or update a scan definition](add-a-new-scan-definition.md)
+####### [Get all scan agents](get-all-scan-agents.md)
+####### [Get scan history by definition](get-scan-history-by-definition.md)
+####### [Get scan history by session](get-scan-history-by-session.md)
+ ###### [Browser extensions]() ####### [Export browser extensions assessment](get-assessment-browser-extensions.md) ####### [Get browser extensions permission information](get-browser-extensions-permission-info.md)
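Review bot: The new TOC entries link to `get-scan-history-by-definition.md` and `get-scan-history-by-session.md` in lower case, while the files added in this same update are listed as `Get-scan-history-by-definition.md` and `Get-scan-history-by-session.md`; rename the files or fix the links so they resolve on a case-sensitive host. The entry text "Add, delete or update a scan definition" also differs from that page's own title, "Add, update or delete a scan definition"; pick one order and use it in both places.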
security Add A New Scan Definition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/add-a-new-scan-definition.md
+
+ Title: Add, update or delete a scan definition
+description: Learn how to use the Add, update or delete scan definitions.
+keywords: apis, graph api, supported apis, scans, network scans, authenticated scan
+
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- m365-security
+- tier3
+++
+search.appverid: met150
++
+# Add, update or delete a scan definition
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
++++
+## API description
+
+API to add, update or delete an authenticated scan.
+
+## Limitations
+
+Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+You can post on machines last seen according to your configured retention period.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md).
+
+Permission type|Permission|Permission display name
+:|:|:
+Application|Machine.ReadWrite.All| Read and write all scan information.
+Delegated (work or school account)|Machine.Read.Write|Read and write all scan information.
+
+> [!NOTE]
+> When obtaining a token using user credentials:
+>
+> - To view data the user needs to have at least the following role permission: 'ViewData' or 'TvmViewData' (See [Create and manage roles](user-roles.md) for more information)
+> - To edit data the user needs to have at least the following role permission: 'ManageSecurity' (See [Create and manage roles](user-roles.md) for more information)
+
+## HTTP request
+
+```http
+POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions
+```
+
+## Request headers
+
+Name|Type|Description
+:|:|:
+Authorization|String|Bearer {token}. **Required**.
+Content-Type|string|application/json. **Required**.
+
+## Request body
+
+In the request body, supply a JSON object with the following parameters:
+
+Parameter|Type|Description
+:|:|:
+ScanDefinitionIds|String|The scan Id. **Required**.
+
+## Response
+
+If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
+
+## Example request to add a new scan
+
+Here is an example of a request that adds a new scan.
+
+```http
+POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions
+```
+
+```json
+ {
+"scanType":ΓÇ»"Windows",
+"scanName": "Test Windows scan",
+"isActive": true,
+"target":ΓÇ»"127.0.0.1",
+"intervalInHours": 1,
+"targetType": "Ip",
+"scannerAgent": {
+ "machineId": "eb663a27ae9d032f61bc268a79eedf14c4b90f77",
+ "machineName": "DESKTOP-TEST",
+"scanAuthenticationParams": {
+    "@odata.type": "#microsoft.windowsDefenderATP.api.WindowsAuthParams",
+ "type":ΓÇ»"Kerberos",
+ΓÇ» "username":ΓÇ»"username",
+ "domain":ΓÇ»"password",
+ "isGmsaUser": true
+ },
+ },
+ },
+ {
+"scanType":ΓÇ»"Network",
+"scanName":ΓÇ»"Test Network scan",
+"isActive": true,
+"target":ΓÇ»"127.0.0.1",
+"intervalInHours": 1,
+"targetType": "Ip",
+"scannerAgent": {
+ "machineId": "eb663a27678ik2f61bc268a79eeasdf450f77",
+ "machineName": "DESKTOP-TEST",
+"scanAuthenticationParams": {
+ "@odata.type":ΓÇ»"#microsoft.windowsDefenderATP.api.SnmpAuthParams",
+ "type":ΓÇ»"AuthPriv",
+        "username": "username",
+        "authProtocol": "authProtocol",
+        "authPassword": "authPassword",
+        "privProtocol": "privProtocol",
+        "privPassword": "privPassword",
+        "communityString": "community-string"
+ },
+ },
+ }
+```
+
+## Example request to delete scans
+
+Here is an example of a request that deletes scans.
+
+```http
+POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/BatchDelete
+```
+
+```json
+{
+ "ScanDefinitionIds": ["td32f17af-5cc2-4e4e-964a-4c4ef7d216e2", "ab32g20af-5dd2-4a5e-954a-4c4ef7d216e2"],
+}
+```
+
+## Example request to update a scan
+
+Here is an example of a request that updates a scan.
+
+```http
+PATCH https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions/a07c400a-f8e1-4329-ae66-7d3be65df0ec
+
+```
+
+```json
+{
+"scanName": "Test Network scan",
+"intervalInHours": 8,
+"isActive": "True",
+"targetType": "Ip",
+"target": "10.5.0.8",
+"scanAuthenticationParams": {
+ "@odata.type": "#microsoft.windowsDefenderATP.api.SnmpAuthParams",
+ "type":ΓÇ»"Kerberos",
+ΓÇ» "username":ΓÇ»"username",
+ "domain":ΓÇ»"password",
+ "isGmsaUser": true
+ }
+}
+```
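Review bot: In the permissions table the delegated permission is written `Machine.Read.Write` while the application row uses `Machine.ReadWrite.All`; confirm the delegated scope name, since readers copy this string into app registrations and consent requests. Several other parts of the page read as carried over from a different API and need rewriting for this endpoint: the request body table lists only `ScanDefinitionIds`, which fits the BatchDelete example but none of the fields used by the add and update examples; the response text promises "the updated Machine"; and the limitation about posting "on machines last seen" does not describe scan definitions. In the examples, `"domain": "password"` puts a password placeholder in the domain field, the update example pairs `SnmpAuthParams` with `"type": "Kerberos"` and `isGmsaUser`, and `"isActive": "True"` is a string where the add example uses a Boolean. None of the three bodies is valid JSON as written: the add example never closes `scannerAgent` before `scanAuthenticationParams` and places two top-level objects side by side, the delete example has a trailing comma after the array, and lines such as `"scanType":ΓÇ»"Windows"` carry a stray non-ASCII sequence after the colon.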
security Get All Scan Agents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-scan-agents.md
+
+ Title: Get all scan agents
+description: Learn how to use the Get all scan agents API
+keywords: apis, graph api, supported apis, scan, authenticated scan, agent
+
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- m365-security
+- tier3
+++
+search.appverid: met150
++
+# Get all scan agents
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
++++
+## API description
+
+Retrieves a list of all scan agents.
+
+## Limitations
+
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md).
+
+Permission type|Permission|Permission display name
+:|:|:
+Application|Machine.Read.All| Read all scan information.
+Delegated (work or school account)|Machine.Read.All|Read all scan information.
+
+> [!NOTE]
+> When obtaining a token using user credentials:
+>
+> - To view data the user needs to have at least the following role permission: 'ViewData' or 'TvmViewData' (See [Create and manage roles](user-roles.md) for more information)
+
+## HTTP request
+
+```http
+GET /api/DeviceAuthenticatedScanAgents
+```
+
+## Request headers
+
+Name|Type|Description
+:|:|:
+Authorization|String|Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 - OK response code with a list of authenticated scan agents.
+
+## Example
+
+### Request example
+
+Here is an example of the request.
+
+```http
+https://api-us.securitycenter.microsoft.com/api/DeviceAuthenticatedScanAgents
+```
+
+### Response example
+
+Here is an example of the response.
+
+```json
+{
+ "@odata.context": "https://api-us.securitycenter.microsoft.com/api/$metadata#DeviceAuthenticatedScanAgents",
+ "value": [
+ {
+ "id": "47df41a0c-asad-4fd6d3-bbea-a93dbc0bfcaa_4edd75b2407a5b64d704b4e53d74f15",
+ "machineId": "4ejh675b240118fbehiuiy5b64d704b4e53d15",
+ "lastSeen": "2022-05-08T12:18:41.538203Z",
+ "computerDnsName": "TEST_DOMAIN"
+ },
+ {
+ "id": "47d41a0c-1dfd-46d3-bbea-a93dbc0bfcaa_eb663a27ae9d032f61bc268oiu4c4b90f77",
+ "machineId": "eb663a27ae9d032sdf9dfd79eedf14c4b90f77",
+ "lastSeen": "2022-12-19T20:29:04.8242449Z",
+ "computerDnsName": "TEST_DOMAIN2"
+ },
+ ]
+}
+```
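Review bot: The block under `### Request example` gives only the URL with no `GET` verb, and it uses the `api-us.securitycenter.microsoft.com` host while the other pages in this update use `api.securitycenter.microsoft.com`; add the verb and either use the same host or state that the regional host is intentional. The response example has a trailing comma after its last array element (`},` before `]`), so it does not parse as JSON.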
security Get All Scan Definitions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-scan-definitions.md
+
+ Title: Get scan definitions
+description: Learn how to use the Get all scan definition APIs
+keywords: apis, graph api, supported apis, scan, authenticated scan
+
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- m365-security
+- tier3
+++
+search.appverid: met150
++
+# Get scan definitions
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
++++
+## API description
+
+Retrieves a list of all scan definitions.
+
+## Limitations
+
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md).
+
+Permission type|Permission|Permission display name
+:|:|:
+Application|Machine.Read.All| Read all scan information.
+Delegated (work or school account)|Machine.Read.All|Read all scan information.
+
+> [!NOTE]
+> When obtaining a token using user credentials:
+>
+> - To view data the user needs to have at least the following role permission: 'ViewData' or 'TvmViewData' (See [Create and manage roles](user-roles.md) for more information)
+
+## HTTP request
+
+```http
+GET /api/DeviceAuthenticatedScanDefinitions
+```
+
+## Request headers
+
+Name|Type|Description
+:|:|:
+Authorization|String|Bearer {token}. **Required**.
+
+## Request body
+
+Empty
+
+## Response
+
+If successful, this method returns 200 - OK response code with a list of authenticated scan definitions.
+
+## Example
+
+### Request example
+
+Here is an example of the request.
+
+```http
+GET https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinitions
+```
+
+### Response example
+
+Here is an example of the response.
+
+```json
+{
+"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#DeviceAuthenticatedScanDefinitions",
+ "value": [
+ {
+ "id":ΓÇ»"60c4vv57-asdf-3454-a456-2e45t9d79ec9d",
+ "scanType":ΓÇ»"Windows",
+ "scanName": "Test Windows scan",
+ "isActive": true,
+ "target":ΓÇ»"127.0.0.1",
+ "orgId": "47d21a0c-cccd-45d3-bffa-a93dbc0bfcaa",
+ "intervalInHours": 1,
+ "createdBy": "test@contoso.com",
+ "targetType": "Ip",
+ "scanAuthenticationParams": {
+ "@odata.type":ΓÇ»"#microsoft.windowsDefenderATP.api.WindowsAuthParams",
+ "type":ΓÇ»"Kerberos",
+ΓÇ» "username":ΓÇ»"username",
+ "domain":ΓÇ»"password",
+ "isGmsaUser": true
+ },
+ "scannerAgent": {
+ "id": "47d41a0c-xxx-46d3-bbea-93dbc0bfcaa_1bc268a79eedf14c4b90f77",
+ "machineId": "eb663asadf345dfg4bc268a79eedf14c4b90f77",
+ "machineName": "DESKTOP-TEST",
+ "lastSeen": "2021-12-19T20:29:04.8242449Z"
+ },
+ "latestScan": {
+ "status": "Fail",
+ "failureReason": null,
+ "executionDateTime": "2021-12-19T20:06:55.2295854Z"
+     },
+ {
+ "id": "60c4aa57-ioi3-1290-7ff6-09fr14792a92",
+ "scanType": "Network",
+ "scanName": "Network-test-scan",
+ "isActive": true,
+ "target":ΓÇ»"127.0.0.1",
+ "orgId": "asdf781a0c-792d-46d3-bbea-a93dbc0bfcaa",
+ "intervalInHours": 1,
+ "createdBy": "test@contoso.com",
+ "targetType": "Ip",
+ "scanAuthenticationParams": {
+ "@odata.type":ΓÇ»"#microsoft.windowsDefenderATP.api.SnmpAuthParams"",
+ type":ΓÇ»"AuthPriv",
+        "username": "username",
+        "authProtocol": "authProtocol",
+        "authPassword": "authPassword",
+        "privProtocol": "privProtocol",
+        "privPassword": "privPassword",
+        "communityString": "community-string"
+ },
+ "scannerAgent": {
+ "id": "4asdff0c-3344-46d3-bxxe-a9334rtgfcaa_eb6df89dfdf9032f61eedf14c4b90f77",
+ "machineId": "eb663a27676kjhj61bc268a79eedf14c4t78u7",
+ "machineName": "DESKTOP-Test",
+ "lastSeen": "2022-12-21T14:34:19.5698988Z"
+ },
+ "latestScan": {
+ "status": "Fail",
+ "failureReason": null,
+ "executionDateTime": "2022-12-21T14:35:55.6702703Z"
+ }
+ },
+ }
+ ]
+}
+```
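Review bot: The response example returns `authPassword`, `privPassword` and `communityString` inside `scanAuthenticationParams` for a call that needs only `Machine.Read.All`; state explicitly whether the service returns these secrets or masks them, and show masked or omitted values in the sample if they are not returned. The Windows sample also has `"domain": "password"`, which reads as a password placed in the domain field. The JSON itself does not parse: the first definition is never closed before the second `{` opens, `SnmpAuthParams""` has a doubled quote, `type":` is missing its opening quote, and there is a surplus `}` and trailing comma before `]`. Both samples show `"status": "Fail"` with `"failureReason": null`; an example with a populated failure reason would be more useful to readers.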
security Get Authenticated Scan Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-authenticated-scan-properties.md
+
+ Title: Authenticated scan methods and properties
+description: The API response contains Microsoft Defender Vulnerability Management authenticated scans created in your tenant. You can request all the scans, all the scan definitions or add a new network our authenticated scan.
+keywords: apis, scan, authenticated scan, get, authenticated methods, authenticated properties,
+
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- m365-security
+- tier3
+++
+search.appverid: met150
++
+# Authenticated scan methods and properties
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
++++
+## Methods
+
+Method|Description
+:|:|:
+[Get all scan definitions](get-all-scan-definitions.md)|List all scan definitions.
+[Add, delete or update a scan definition](add-a-new-scan-definition.md)|Add, delete, or update a new scan definition.
+[Get all scan agents](get-all-scan-agents.md)|List all scan agents.
+[Get scan history by definition](get-scan-history-by-definition.md)|List scan definition history.
+[Get scan history by session](get-scan-history-by-session.md)|List scan history for a session.
+
+Learn more about [Windows authenticated scan](../defender-vulnerability-management/windows-authenticated-scan.md) and [Network authenticated scans](./network-devices.md).
+
+## Properties
+
+Property ID|Data type|Description
+:|:|:
+id|String| Scan id.
+scanType|Enum|The type of scan. Possible values are: "Windows", "Network".
+scanName|String|Name of the scan.
+isActive|Boolean|Status of whether the scan actively running.
+orgId |String| Related organization id.
+intervalInHours|Int|The interval at which the scan will run.
+createdBy|String| Unique identity of the user that created the scan.
+targetType|String|The target type in the target field. Possible types are "IP Address" or "Hostname". Default value is IP Address.
+target|String| A comma separated list of targets to scan, either IP addresses or hostnames.
+scanAuthenticationParams|Object|Set of authenticated scan objects, contains: authentication type string, username string, password string. See [Get all scan definitions](./get-all-scan-definitions.md).
+scannerAgent|Object|Set of scanner agent objects, contains: scanning agent id string, scanning agent device id string, scanning agent device name string, the date and time (in UTC) the device was last seen. See [Get all scan definitions](./get-all-scan-definitions.md).
+latestScan|Object|Latest scan object contains: scan status string, failure string, the date and time (in UTC) the scan was executed. See [Get all scan definitions](./get-all-scan-definitions.md).
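Review bot: The `targetType` row gives the possible values as "IP Address" or "Hostname", but every example in this update sends or returns `"targetType": "Ip"`; list the literal values the API accepts. The `scanAuthenticationParams` row says the object contains a "password string", so the page should say whether that field is write-only or is also returned by the read endpoints. Smaller fixes: the Methods table has two columns but a three-column alignment row (`:|:|:`), the description reads "add a new network our authenticated scan", the keywords line ends with a dangling comma, and the `isActive` description is missing a verb ("whether the scan actively running").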
security Network Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-devices.md
search.appverid: met150
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**+ - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Defender Vulnerability Management](next-gen-threat-and-vuln-mgt.md) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
Network devices are not managed as standard endpoints since Defender for Endpoin
There will be two types of devices to keep in mind: -- **Assessment device**: A device that's already onboarded that you'll use to scan the network devices.
+- **Scanning device**: A device that's already onboarded that you'll use to scan the network devices.
- **Network devices**: The network devices you plan to scan and onboard. ### Vulnerability management for network devices
Your first step is to select a device that will perform the authenticated networ
1. Decide on a Defender for Endpoint onboarded device (client or server) that has a network connection to the management port for the network devices you plan on scanning.
-2. SNMP traffic between the Defender for Endpoint assessment device and the targeted network devices must be allowed (for example, by the Firewall).
+2. SNMP traffic between the Defender for Endpoint scanning device and the targeted network devices must be allowed (for example, by the Firewall).
3. Decide which network devices will be assessed for vulnerabilities (for example: a Cisco switch or a Palo Alto Networks firewall).
-4. Make sure SNMP read-only is enabled on all configured network devices to allow the Defender for Endpoint assessment device to query the configured network devices. 'SNMP write' isn't needed for the proper functionality of this feature.
+4. Make sure SNMP read-only is enabled on all configured network devices to allow the Defender for Endpoint scanning device to query the configured network devices. 'SNMP write' isn't needed for the proper functionality of this feature.
5. Obtain the IP addresses of the network devices to be scanned (or the subnets where these devices are deployed).
-6. Obtain the SNMP credentials of the network devices (for example: Community String, noAuthNoPriv, authNoPriv, authPriv). You'll be required to provide the credentials when configuring a new assessment job.
+6. Obtain the SNMP credentials of the network devices (for example: Community String, noAuthNoPriv, authNoPriv, authPriv). You'll be required to provide the credentials when configuring a new scan job.
7. Proxy client configuration: No extra configuration is required other than the Defender for Endpoint device proxy requirements.
-8. To allow the network scanner to be authenticated and work properly, it's essential that you add the following domains/URLs:
+8. To allow the scanner to be authenticated and work properly, it's essential that you add the following domains/URLs:
- login.windows.net - \*.security.microsoft.com
Your first step is to select a device that will perform the authenticated networ
## Permissions
-To configure assessment jobs, the following user permission option is required: **Manage security settings in Defender**. You can find the permission by going to **Settings** \> **Roles**. For more information, see [Create and manage roles for role-based access control](user-roles.md).
+To configure scan jobs, the following user permission option is required: **Manage security settings in Defender**. You can find the permission by going to **Settings** \> **Roles**. For more information, see [Create and manage roles for role-based access control](user-roles.md).
+
+## Windows version pre-requisite for the scanner
+
+The scanner is supported on Windows 10, version 1903 and Windows Server, version 1903 and later. For more information, see [Windows 10, version 1903 and Windows Server, version 1903](https://support.microsoft.com/topic/windows-10-update-history-e6058e7c-4116-38f1-b984-4fcacfba5e5d).
-## Install the network scanner
+## Install the scanner
-1. Go to **Microsoft 365 security** \> **Settings** \> **Endpoints** \> **Assessment jobs** (under **Network assessments**).
- 1. In the Microsoft 365 Defender portal, go to Settings > Assessment jobs page.
+1. Go to **Microsoft 365 security** \> **Settings** \> **Device discovery** \> **Authenticated scans**.
-2. Download the network scanner and install it on the designated Defender for Endpoint assessment device.
+2. Download the scanner and install it on the designated Defender for Endpoint scanning device.
- > [!div class="mx-imgBorder"]
- > :::image type="content" source="images/assessment-jobs-download-scanner.png" alt-text="The Download scanner button" lightbox="images/assessment-jobs-download-scanner.png":::
+ :::image type="content" source="../../media/defender-endpoint/network-authenticated-scan-new.png" alt-text="Screenshot of the add new authenticated scan screen" lightbox="../../media/defender-endpoint/network-authenticated-scan-new.png":::
-## Network scanner installation & registration
+## Scanner installation & registration
-The signing-in process can be completed on the designated assessment device itself or any other device (for example, your personal client device).
+The signing-in process can be completed on the designated scanning device itself or any other device (for example, your personal client device).
> [!NOTE] > Both the account the user signs in with and the device being used to complete the sign in process, must be in the same tenant where the device is onboarded to Microsoft Defender for Endpoint.
-To complete the network scanner registration process:
+To complete the scanner registration process:
1. Copy and follow the URL that appears on the command line and use the provided installation code to complete the registration process.
To complete the network scanner registration process:
3. When finished, you should see a message confirming you have signed in.
-## Configure a new assessment job
+### Updates for scanner
-In the Assessment jobs page in **Settings**, select **Add network assessment job**. Follow the set-up process to choose network devices to be scanned regularly and added to the device inventory.
+The scanner has a scheduled task that, by default, is configured to look for updates on a regular basis. When the task runs, it compares the version of the scanner on the client device to the version of the agent on the update location. The update location is where Windows looks for updates, such as on a network share or from the internet.
-To prevent device duplication in the network device inventory, make sure each IP address is configured only once across multiple assessment devices.
+If there's a difference between the two versions, the update process determines which files are different and need to be updated on the local computer. Once the required updates are determined, the downloading of the updates will start.
-> [!div class="mx-imgBorder"]
-> :::image type="content" source="images/assessment-jobs-add.png" alt-text="The Add network assessment job button" lightbox="images/assessment-jobs-add.png":::
+It's possible to disable automatic updates of the scanner by going to the **MDATP Network Scanner Updater** inside the Windows Task Scheduler. To do this:
-Adding a network assessment job steps:
+- In Windows, go to **Computer Management** > **Task Scheduler** > **Task Scheduler Library**.
+- Select **MDATP Network Scanner Updater** > right-click > and select **Disable**.
+- To re-enable, right-click on **MDATP Network Scanner Updater** and select **Enable**.
-1. Choose an 'Assessment job' name and the 'Assessment device' on which the network scanner was installed. This device will perform the periodic authenticated scans.
+## Configure a new network device authenticated scan
-2. Add IP addresses of target network devices to be scanned (or the subnets where these devices are deployed).
+1. Go to **Settings** > **Device discovery** > **Authenticated scans** in the [Microsoft 365 Defender portal](https://security.microsoft.com).
+2. Select **Add new scan** and choose **Network device authenticated scan** and select **Next**.
-3. Add required SNMP credentials of the target network devices.
+ :::image type="content" source="../../media/defender-endpoint/network-authenticated-scan.png" alt-text="Screenshot of the add new network device authenticated scan screen" lightbox="../../media/defender-endpoint/network-authenticated-scan.png":::
-4. Save the newly configured network assessment job to start the periodic network scan.
+3. Choose whether to **Activate scan**.
+4. Enter a **Scan name**.
+5. Select the **Scanning device:** The onboarded device you'll use to scan the network devices.
+6. Enter the **Target (range):** The IP address ranges or hostnames you want to scan. You can either enter the addresses or import a CSV file. Importing a file will override any manually added addresses.
+7. Select the **Scan interval:** By default, the scan will run every four hours, you can change the scan interval or have it only run once, by selecting ΓÇÿDo not repeatΓÇÖ.
+8. Choose your **Authentication method**.
+ - You can select to **Use azure KeyVault for providing credentials:** If you manage your credentials in Azure KeyVault you can enter the Azure KeyVault URL and Azure KeyVault secret name to be accessed by the scanning device to provide credentials.
+9. Select **Next** to run or skip the test scan.
+10. Select **Next** to review the settings and the select **Submit** to create your new network device authenticated scan.
+
+>[!Note]
+>To prevent device duplication in the network device inventory, make sure each IP address is configured only once across multiple scanning devices.
### Scan and add network devices During the set-up process, you can perform a one time test scan to verify that: -- There is connectivity between the Defender for Endpoint assessment device and the configured target network devices.
+- There is connectivity between the Defender for Endpoint scanning device and the configured target network devices.
- The configured SNMP credentials are correct.
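Review bot: Step 8 of the new procedure ("Choose your **Authentication method**") lists only the Azure KeyVault sub-option, while the removed step 3 ("Add required SNMP credentials of the target network devices") and the unchanged bullet "The configured SNMP credentials are correct" both assume the reader has entered SNMP credentials somewhere. Add the SNMP choices and their fields under step 8 so it is clear what the test scan validates. Two wording fixes in the same list: step 10 reads "and the select **Submit**" (should be "then"), and step 7 joins two sentences with a comma and wraps 'Do not repeat' in curly quotes that show up as mojibake; bold the label like the other UI names.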
-Each assessment device can support up to 1,500 successful IP addresses scan. For example, if you scan 10 different subnets where only 100 IP addresses return successful results, you will be able to scan 1,400 IP additional addresses from other subnets on the same assessment device.
+Each scanning device can support up to 1,500 successful IP addresses scan. For example, if you scan 10 different subnets where only 100 IP addresses return successful results, you will be able to scan 1,400 IP additional addresses from other subnets on the same scanning device.
If there are multiple IP address ranges/subnets to scan, the test scan results will take several minutes to show up. A test scan will be available for up to 1,024 addresses.
-Once the results show up, you can choose which devices will be included in the periodic scan. If you skip viewing the scan results, all configured IP addresses will be added to the network assessment job (regardless of the device's response). The scan results can also be exported.
+Once the results show up, you can choose which devices will be included in the periodic scan. If you skip viewing the scan results, all configured IP addresses will be added to the network device authenticated scan (regardless of the device's response). The scan results can also be exported.
## Device inventory
-Newly discovered devices will be shown under the new **Network devices** tab in the **Device inventory** page. It may take up to two hours after adding an assessment job until the devices are updated.
+Newly discovered devices will be shown under the new **Network devices** tab in the **Device inventory** page. It may take up to two hours after adding an scanning job until the devices are updated.
-> [!div class="mx-imgBorder"]
-> :::image type="content" source="images/assessment-jobs-device-inventory.png" alt-text="The Network devices section in the Device inventory" lightbox="images/assessment-jobs-device-inventory.png":::
## Troubleshooting
-### Network scanner installation has failed
+### Scanner installation has failed
Verify that the required URLs are added to the allowed domains in your firewall settings. Also, make sure proxy settings are configured as described in [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).
Verify that the required URLs are added to the allowed domains in your firewall.
### Network devices are not shown in the device inventory after several hours
-The scan results should be updated a few hours after the initial scan that took place after completing the assessment job configuration.
+The scan results should be updated a few hours after the initial scan that took place after completing the network device authenticated scan configuration.
-If devices are still not shown, verify that the service 'MdatpNetworkScanService' is running on your assessment devices, on which you installed the network scanner, and perform a "Run scan" in the relevant assessment job configuration.
+If devices are still not shown, verify that the service 'MdatpNetworkScanService' is running on your devices being scanned, on which you installed the scanner, and perform a "Run scan" in the relevant network device authenticated scan configuration.
If you still don't get results after 5 minutes, restart the service.
If you still don't get results after 5 minutes, restart the service.
Validate that the scanner is running properly. Then go to the scan definition and select "Run test." Check what error messages are returning from the relevant IP addresses.
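Review bot: The replacement sentence tells the reader to verify that 'MdatpNetworkScanService' is running "on your devices being scanned, on which you installed the scanner", but everywhere else in this change the scanner is installed on the scanning device, not on the targets. The old text said "assessment devices", so the rename should read "scanning devices". In the Device inventory paragraph above, "after adding an scanning job" needs "a", and "scanning job" does not match the "scan jobs" and "network device authenticated scan" wording used in the rest of the change.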
+### My scanner is configured but scans aren't running
+
+As the authenticated scanner currently uses an encryption algorithm that is not compliant with [Federal Information Processing Standards (FIPS)](/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing/), the scanner can't operate when an organization enforces the use of FIPS compliant algorithms.
+
+To allow algorithms that are not compliant with FIPS, set the following value in the registry for the devices where the scanner will run:
+
+Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy with a DWORD value named **Enabled** and value of **0x0**
+
+FIPS compliant algorithms are only used in relation to departments and agencies of the United States federal government.
+ ### Required Defender Vulnerability Management user permission Registration finished with an error: "It looks like you don't have sufficient permissions for adding a new agent. The required permission is 'Manage security settings in Defender'."
Change command-line settings on your device to allow copying and change text siz
## Related articles - [Device inventory](machines-view-overview.md)-- [Configure advanced features](advanced-features.md)
+- [Windows authenticated scan](../defender-vulnerability-management/windows-authenticated-scan.md)
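Review bot: The new FIPS troubleshooting section tells the reader to set **Enabled** to 0x0 under Control\Lsa\FipsAlgorithmPolicy without stating that this is the system-wide setting behind the linked "use FIPS compliant algorithms" policy, so the change applies to everything on the scanning device and not only to the scanner. State that scope next to the instruction, and put the registry path and value name in code formatting so they can be copied reliably. The closing sentence, "FIPS compliant algorithms are only used in relation to departments and agencies of the United States federal government", is too absolute for a section whose premise is that the reader's organization enforces the policy; reword it as guidance on who is typically required to keep the setting enabled.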
security Windows Authenticated Scan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/windows-authenticated-scan.md
+
+ Title: Windows authenticated scan in Defender Vulnerability Management
+description: Find out about how to create windows authenticated scans
+keywords: Microsoft Defender Vulnerability Management, authenticated scans
+search.appverid: MET150
+++
+audience: Admin
+++
+ms.localizationpriority: medium
Last updated : 05/12/2022+
+ - m365-security
+ - m365-security-compliance
+ - tier1
+++
+# Windows authenticated scan
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+>[!Note]
+>Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+
+Windows authenticated scan provides the ability to run scans on unmanaged Windows devices. You can remotely target by IP ranges or hostnames and scan Windows services by providing Microsoft Defender Vulnerability Management with credentials to remotely access the devices. Once configured the targeted unmanaged devices will be scanned regularly for software vulnerabilities.
+
+This is applicable for devices that don't have the Defender Vulnerability Management or Defender for Endpoint agent deployed.
+
+## Scanner Installation
+
+Similar to [network device](../defender-endpoint/network-devices.md) authenticated scan, you'll need a scanning device with the scanner installed. If you donΓÇÖt already have the scanner installed, see [Install the scanner](../defender-endpoint/network-devices.md#install-the-scanner) for steps on how to download and install it.
+
+>[!NOTE]
+> No changes are required for pre-existing installed scanners.
+
+## Pre-requisites
+
+The following section lists the pre-requisites you need to configure to use Windows authenticated scan.
+
+### Scanning account
+
+A scanning account is required to remotely access the devices. This must be a [Group Managed Service Account (gMsa)](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview/). To create a gMsa account:
+
+1. On your domain controller in a PowerShell window, run:
+
+```powershell
+New-ADServiceAccount -name gmsa1 -PrincipalsAllowedToRetrieveManagedPassword scanner-win11-i$ -KerberosEncryptionType RC4, AES128, AES256 ΓÇôverbose
+```
+
+ - gmsa1 stands for the name of the account you are creating, and scanner-win11-I$ stands for the machine name where the scanner agent will run. Only this machine will be able to retrieve the account password. You can provide a comma separated list of machines.
+ - Modifying an existing account can be done with *Get-ADServiceAccount* and *Set-ADServiceAccount*
+
+2. To Install the AD Service Account, on the machine where the scanner agent will run using an elevated PowerShell window, run:
+
+```powershell
+Install-ADServiceAccount -Identity gmsa1
+```
+
+If your PowerShell doesnΓÇÖt recognize those commands, it probably means you're missing a required PowerShell module. Instructions on how to install the module vary depending on your operating system. For more information, see [Getting Started with Group Managed Service Accounts](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts/).
+
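Review bot: In the `New-ADServiceAccount` example the last parameter is written with a typographic dash rather than the ASCII hyphen used for the other parameters, and it shows up here as mojibake; normalize it to `-Verbose`. The same line enables RC4 in `-KerberosEncryptionType RC4, AES128, AES256` with no explanation, on a page that later calls NTLM "not a secure protocol"; either drop RC4 or say which targets need it. The explanatory bullet spells the machine name scanner-win11-I$ while the command uses scanner-win11-i$, and the article alternates between "gMsa" and "gMSA".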
+### Devices to be scanned
+
+Use the table below for guidance on what needs to be configured on the devices that will be scanned.
+
+>[!Note]
+> The account to be used for scanning requires all the permissions below. The below steps are only one recommended way to configure the permissions on the devices to be scanned and uses the Performance Monitor Users group. You can also add the account to a different user group and give all the permissions required to that group, or you can give these permissions explicitly to the scanning account.
+
+| Devices to be scanned requirements | Description |
+|:|:|
+|Windows Management Instrumentation (WMI) and Registry is enabled| To enable remote Windows Management Instrumentation (WMI): </br> </br> - Verify the Windows Management Instrumentation service is running. </br> - Go to **Control Panel** &gt; **All Control Panel Items** &gt; **Windows Defender Firewall** &gt; **Allowed applications** and ensure Windows Management Instrumentation (WMI) is allowed through Windows Firewall.|
+|Scanning account is a member of Performance Monitor Users group| The scanning account must be a member of the **Performance Monitor Users** group on the device to be scanned.|
+|Performance Monitor Users group has 'Enable Account' and 'Remote Enable' permissions on Root/CIMV2 WMI namespace | To verify or enable these permissions: </br> </br> - Run wmimgmt.msc </br> - Right click **WMI Control (Local)** and select **Properties**</br> - Go to the Security tab</br> - Select the relevant WMI namespace and select **Security**</br> - Add the specified group and select to allow the specific permissions</br> - Select **Advanced**, choose the specified entry, and select **Edit**</br> - Set **Applies To** to ΓÇ£This namespace and subnamespacesΓÇ¥|
+|**Performance Monitor Users** group should have permissions on DCOM operations| To verify or enable these permissions: </br></br> - Run dcomcnfg </br> - Navigate to **Component Services** > **Computers** > **My Computer** </br> - Right click My Computer and choose **Properties** </br> - Go to the COM Security tab </br> - Go to **Launch and Activation Permissions** and select **Edit Limits** </br> - Add the specified group and select to allow **Remote Launch** and **Remote Activation** |
+
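Review bot: The first table row requires that "Windows Management Instrumentation (WMI) and Registry is enabled", but its description covers only the WMI service and the firewall rule; nothing says what must be enabled for the registry or how to verify it. Add those steps or remove "and Registry" from the requirement. In the Root/CIMV2 row, the steps say "Select the relevant WMI namespace" and "allow the specific permissions" without repeating the names given in the first column; naming Root/CIMV2, 'Enable Account' and 'Remote Enable' in the steps themselves would remove the guesswork.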
+## Configure a new authenticated scan
+
+To configure a new authenticated scan:
+
+1. Go to **Settings** > **Device discovery** > **Authenticated scans** in the [Microsoft 365 Defender portal](https://security.microsoft.com).
+2. Select **Add new scan** and choose **Windows authenticated scan** and select **Next**.
+
+ :::image type="content" source="../../media/defender-vulnerability-management/authenticated-scan.png" alt-text="Screenshot of the add new authenticated scan screen" lightbox="../../media/defender-vulnerability-management/authenticated-scan.png":::
+
+3. Enter a **Scan name**.
+4. Select the **Scanning device:** The onboarded device you'll use to scan the unmanaged devices.
+5. Enter the **Target (range):** The IP address ranges or hostnames you want to scan. You can either enter the addresses or import a CSV file. Importing a file will override any manually added addresses.
+6. Select the **Scan interval:** By default, the scan will run every four hours, you can change the scan interval or have it only run once, by selecting ΓÇÿDo not repeatΓÇÖ.
+7. Choose your **Authentication method** - there are two options to choose from:
+ - Kerberos (preferred)
+ - Negotiate
+
+ >[!Note]
+ > Negotiate option will fallback to NTLM in cases where Kerberos fails. Using NTLM is not recommended as it is not a secure protocol.
+
+8. Enter the credentials Microsoft Defender Vulnerability Management will use to remotely access the devices:
+
+ - **Use azure KeyVault:** If you manage your credentials in Azure KeyVault you can enter the Azure KeyVault URL and Azure KeyVault secret name to be accessed by the scanning device to provide credentials
+ - **Enter [gMSA account details](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview/):** Input the Domain and Username
+9. Select **Next** to run or skip the test scan. For more information on test scans, see [Scan and add network devices](../defender-endpoint/network-devices.md#scan-and-add-network-devices).
+10. Select **Next** to review the settings and then select **Submit** to create your new authenticated scan.
+
+>[!Note]
+>As the authenticated scanner currently uses an encryption algorithm that is not compliant with [Federal Information Processing Standards (FIPS)](/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing/), the scanner can't operate when an organization enforces the use of FIPS compliant algorithms.
+>
+> To allow algorithms that are not compliant with FIPS, set the following value in the registry for the devices where the scanner will run: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy with a DWORD value named **Enabled** and value of **0x0**
+>
+>FIPS compliant algorithms are only used in relation to departments and agencies of the United States federal government.
+
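Review bot: Step 8 offers "Use azure KeyVault" as an alternative to entering gMSA details, but the Scanning account prerequisite says the account "must be a Group Managed Service Account (gMsa)"; say what kind of account the Key Vault secret is expected to hold, or relax the "must". For step 7, the note warns that Negotiate "will fallback to NTLM in cases where Kerberos fails" but gives the reader no way to tell which protocol a scan actually used; state whether the Kerberos option fails closed and where the negotiated protocol can be checked. The FIPS note that follows is a copy of the troubleshooting text added to network-devices.md in the same update; linking to that section would keep the two from drifting apart.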
+### Windows authenticated scan APIs
+
+You can use APIs to create a new scan and view all existing configured scans in your organization. For more information, see:
+
+- [Get all scan definitions](../defender-endpoint/get-all-scan-definitions.md)
+- [Add, delete or update a scan definition](../defender-endpoint/add-a-new-scan-definition.md)
+- [Get all scan agents](../defender-endpoint/get-all-scan-agents.md)
+- [Get scan history by definition](../defender-endpoint/get-scan-history-by-definition.md)
+- [Get scan history by session](../defender-endpoint/get-scan-history-by-session.md)
+
+## Related articles
+
+- [Network devices](../defender-endpoint/network-devices.md)