+## Week of August 01, 2022

+| 8/1/2022 | [Microsoft Defender Threat Intelligence (Defender TI) Analyst Insights](/defender/threat-intelligence/analyst-insights) | added |

+| 8/1/2022 | [Microsoft Defender Threat Intelligence (Defender TI) Data Sets](/defender/threat-intelligence/data-sets) | added |

+| 8/1/2022 | [Tutorial: Gathering Threat Intelligence and Infrastructure Chaining using Microsoft Defender Threat Intelligence (Defender TI)](/defender/threat-intelligence/gathering-threat-intelligence-and-infrastructure-chaining) | added |

+| 8/1/2022 | [Microsoft Defender Threat Intelligence (Defender TI): Infrastructure Chaining](/defender/threat-intelligence/infrastructure-chaining) | added |

+| 8/1/2022 | [Quickstart: Accessing the Microsoft Defender Threat Intelligence (Defender TI) Portal](/defender/threat-intelligence/learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal) | added |

+| 8/1/2022 | [Microsoft Defender Threat Intelligence (Defender TI) Reputation Scoring](/defender/threat-intelligence/reputation-scoring) | added |

+| 8/1/2022 | [Searching & pivoting with Microsoft Defender Threat Intelligence (Defender TI)](/defender/threat-intelligence/searching-and-pivoting) | added |

+| 8/1/2022 | [Sorting, filtering, and downloading data using Microsoft Defender Threat Intelligence (Defender TI)](/defender/threat-intelligence/sorting-filtering-and-downloading-data) | added |

+| 8/1/2022 | [Using Projects with Microsoft Defender Threat Intelligence (MDTI)](/defender/threat-intelligence/using-projects) | added |

+| 8/1/2022 | [Using Tags in Microsoft Defender Threat Intelligence (Defender TI)](/defender/threat-intelligence/using-tags) | added |

+| 8/1/2022 | [What is Microsoft Defender Threat Intelligence (Defender TI)?](/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) | added |

+| 8/2/2022 | Defender Threat Intelligence | removed |

+| 8/2/2022 | [What is Microsoft Defender Threat Intelligence (Defender TI)?](/defender/threat-intelligence/index) | modified |

+| 8/2/2022 | What is Microsoft Defender Threat Intelligence (Defender TI)? | removed |

+| 8/3/2022 | [Tutorial: Gathering vulnerability intelligence](/defender/threat-intelligence/gathering-vulnerability-intelligence) | added |

+## Week of July 18, 2022

+| 7/18/2022 | [Defender Threat Intelligence](/defender/threat-intelligence/index) | added |

+ | | |

+ | | |

+|   |   |

+|   |   |

+|   |   |

+|   |   |

+|   |   |

+|   |   |

+|   |   |

+|   |   |

+|   |   |

+|   |   |

+For more information, see [Data sets](data-sets.md).

+1. On the *Who is this email coming from* page, select a sender for the email, and then select **Next**. Note that shared mailboxes are not supported. The sender must be either a user mailbox or a group mailbox.

+# [**Domains, networking and partners**](#tab/Domains)

+# [**Privacy, security, rights, and SLA**](#tab/Privacy)

+1. In the admin center, go to the **Settings** \> **Integrated apps** \> **Add-ins** page.

+ Title: "Microsoft 365 Experience insights dashboard"

+audience: Admin

+ms.localizationpriority: medium

+description: "Get a periodic report of how people in your organization are using Microsoft 365 services and drill into each chart for more insights."

+# Microsoft 365 Experience insights dashboard

+The Experience insights (preview) dashboard shows you data across usage and sentiment to give you a fuller view of your organization's experience with Microsoft 365. This information and data on the dashboard will help you better understand and improve your users experience with Microsoft 365. The dashboard shows you data across usage and user sentiment, and helps give you a fuller picture of your user's overall experience. You can drill down into specific information such as feature usage for certain apps, exact feedback and Net Promoter Score (NPS) comments, and top help articles viewed by users in your organization. This info can help you identify opportunities to improve userΓÇÖs Microsoft 365 products and app experiences in your organization.

+<!--To learn more about adoption and training for users in your organization, see [Experience insights help article report](experience-insights-help-articles.md). -->

+## How to get to the Experience insights dashboard

+There are a couple of ways to get the Experience insights dashboard page. If youΓÇÖre a member of the global admin or global reader roles, when you log in to the Microsoft 365 admin center, youΓÇÖll see a one-time prompt to go to the Experience insights (preview) dashboard. You can access it at any time by selecting Experience insights (preview) from the admin home page.

+If youΓÇÖre a member of the reports reader role, once you sign into the admin center, youΓÇÖll automatically go to the Experience insights (preview) dashboard page. You can switch back to the admin center Dashboard view by selecting that option in the top right.

+To learn more, see [About admin roles](../add-users/about-admin-roles.md) andΓÇ»[Assign admin roles](../add-users/assign-admin-roles.md).

+## Apps and services data

+The **Apps and services** data section shows you a unified view across usage and sentiment in your organization to give you an at-a-glance understanding of your users' experience with Microsoft 365. Select an app or service to get additional details, such as comments submitted through feedback and NPS surveys, or the top Microsoft 365 help articles your users viewed. You can also favorite the apps or services in the list so that you can more easily view them.

+### Apps and services chart information

+The chart information gives you insight into the apps and services that you want to track data on. Select an app or service to dig deeper into usage, product feedback, net promoter score and help content data.

+**Active users** tells you the total count of unique users who performed at least one intentional action, like opening a file, in the app over the selected time period. Use this data to make sure you are hitting your adoption goals. [Learn more](../activity-reports/active-users-ww.md)

+**Product usage** is the percentage of people who are actively using the products that are enabled for them to use. Use this data to make decisions on where to optimize product assignments.

+**In-product feedback** Is the total number of feedback response from within the app or service that were initiated and submitted by your users. Use this data to gauge the success and satisfaction people have with the apps. [Learn more](feedback-user-control.md)

+**NPS survey response volume** is the total number of responses to the Net Promoter Score (NPS) survey. By default, Microsoft sends the survey to 5% of your users and asks ΓÇ£Would you recommend this product?ΓÇ¥ Use this data to gauge user satisfaction and to see what people are saying about the app. [Learn more](../manage/manage-feedback-product-insights.md)

+**Help article views** is the total number of views of Microsoft help articles and training videos about the app. Use this data to find topics of interest and share the suggested training with your users. [Learn more](experience-insights-help-articles.md)

+> [!NOTE]

+> You can filter the chart data for trends over the last 30 days, 90 days, or 180 days.

+## Products and services data

+Select a product or service to see more detailed information about product usage, user feedback, Net Promoter Score (NPS) and what help articles your users are reading.

+### Teams usage example

+For some apps and services, you can see additional information into the usage of specific features to get a better understanding of what your users are using the most.

+### Teams user feedback example

+In the user feedback section, you can see the actual comments your users submitted to help you gauge if there is a pattern that needs to be addressed.

+### Teams Net Promoter Score (NPS) example

+NPS details allow you see promoters, passives, and detractors so that you can get a pulse on the sentiment in your organization. Similar to product feedback, you can also view the specific comments your users submitted. In some cases where there is enough volume, you may also see Top topics that categorizes some of the comments into bucketed categories for easier parsing of the data.

+### Teams help article example

+For the first time, you can now see what articles your users are consuming on Support.Microsoft.com com or via the Microsoft 365 in-app help experiences. You can see the top articles for the specific app or service in your organization, how many people are viewing the app, and preview the article in-line. This can be an excellent way of identifying what your users are trying to do and where they may be struggling. Since not all users seek out help, itΓÇÖs a good indication of content that may be beneficial to a broader set of users in the organization. [Learn more](experience-insights-help-articles.md)

+## Additional resources

+<!-- :::image type="content" source="../../media/additional-resources.png" alt-text="Screenshot: Image showing additional resources you can select"::: -->

+### View your organization's Productivity Score

+Productivity Score supports the journey to digital transformation with insights about how your organization uses Microsoft 365 and the technology experiences that support it. Your organization's score reflects people and technology experience measurements and can be compared to benchmarks from organizations similar in size to yours. For more information on Productivity Score, read, [Productivity Score](../productivity/productivity-score.md).

+### Take training for adoption specialists

+In this introductory course, you'll learn the six critical elements to drive adoption of your Microsoft cloud services to deliver value to your company. This course is applicable to any size company and uses Office 365 and Microsoft Teams as the example service to create real world scenarios.

+### Join the adoption community

+Welcome to the Driving Adoption Community! Connect and discuss the latest topics and best practices in driving cloud adoption. Meet and learn from peers and Microsoft Staff and stay up to date on upcoming trainings, events and our monthly Community calls.

+### Use the Microsoft 365 adoption tools

+Use our resources to go from inspiration to execution with our productivity cloud. Get started, experiment with our services, and onboard employees at scale while being confident that you are improving the employee experience.

+ Title: "Experience insights help article report"

+audience: Admin

+ms.localizationpriority: medium

+description: "Get a report of the Microsoft 365 help articles people in your organization are reading."

+# Experience insights help article report

+As the admin of a Microsoft 365 organization, you get a report of the Microsoft 365 help articles people in your organization are reading. You can use this information to see which Microsoft 365 product or service your users need the most help using and provide more resources and help. To learn more about adoption and training for users in your organization, see [Microsoft 365 Experience insights dashboard](experience-insights-dashboard.md).

+## How to get to the Experience insights dashboard

+There are a couple of ways to get the Experience insights dashboard page. If youΓÇÖre a member of the global admin or global reader roles, when you log in to the Microsoft 365 admin center, youΓÇÖll see a one-time prompt to go to the Experience insights (preview) dashboard. You can access it at any time by selecting Experience insights (preview) from the admin home page.

+If youΓÇÖre a member of the reports reader role, once you sign into the admin center, youΓÇÖll automatically go to the Experience insights (preview) dashboard page. You can switch back to the admin center Dashboard view by selecting that option in the top right.

+Select an app or service and then select **Help content**.

+## Interpret your organization's help article views

+Chart information gives you insight into the apps and services that you want to track data on. Help article views is the total number of help article page views that users in your organization have viewed in a Microsoft 365 app or on support.microsoft.com.

+> [!NOTE]

+> Help article views are only shown for users who have signed in to the desktop app or have signed in to [support.microsoft.com](https://support.microsoft.com).

+|Item|Description|

+|:--|:--|

+|1 |Use the Help content tab to see where people need help using the app or service. |

+|2 |You can filter for trends over the last 30 days, 90 days, or 180 days. |

+|3 |Total number of help article page views in app or on [support.microsoft.com](https://support.microsoft.com). |

+|4 |List of the top help articles related to the app or service that your end-users are reading. If an article covers multiple apps, it will be shown for each related app. |

+## Examples of help articles

+Help articles can be found in-app in the help pane or at the [Microsoft support page](https://support.microsoft.com/).

+### Help article on Microsoft support page

+### In-app help article in Microsoft Word

+**Fortify your environment**. (These are tasks your admin completes.)

+- [**1. Sign in and set up your environment**](m365bp-setup-overview.md). Complete the basic setup process for Microsoft 365 for your business or campaign.

+- [**2. Bump up security protection**](m365bp-security-overview.md). Set up critical front-line security measures to prevent cyberattacks.

+**Train your team**. (These are tasks everyone does.)

+- [**3. Set up unmanaged (BYOD) devices**](m365bp-protect-pcs-macs.md). Set up all the unmanaged ("bring your own device," also referred to as BYOD) devices so they are safely part of the ecosystem.

+- [**4. Use email securely**](m365bp-protect-email-overview.md). Know what to watch for in your email, and take the necessary steps to protect yourself from attacks.

+- [**5. Collaborate and share securely**](m365bp-collaborate-share-securely.md). Learn how to share files with others and collaborate more securely with Microsoft Teams, SharePoint, and OneDrive.

+**Safeguard managed devices**. These are tasks your admin or security team does.

+- [**6. Set up and secure managed devices**](m365bp-protect-devices.md). Enroll and secure company devices so they monitored and protected from threats.

+> [!TIP]

+> For more information about security defaults and the policies they enforce, see [What are security defaults?](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults).

+ Title: "Protect against malware and other threats with Microsoft 365 Business Premium"

+# Protect against malware and other cyberthreats with Microsoft 365 Business Premium

+- [Your next objectives](#next-objectives).

+## Next objectives

+Proceed to:

+- [Set up unmanaged (BYOD) devices](m365bp-devices-overview.md)

+- [Protect all email](m365bp-protect-email-overview.md)

+- [Collaborate and share securely](m365bp-collaborate-share-securely.md)

+- [Set up and secure managed devices](m365bp-protect-devices.md)

+- [Turn on security defaults (MFA)](m365bp-conditional-access.md).

+> [!NOTE]

+> If you have a billing profile, you con only change the billing frequency when you buy or upgrade a subscription. To find out if you have a billing profile, see [View my billing profiles](manage-billing-profiles.md#view-my-billing-profiles).

+> If you're in a recurrent billing subscription, the addition or modification of the RFC is reflected on the invoice of your next charge.

+## How often and when am I billed?

+Depending on the billing frequency you chose when you bought your subscription, you receive an invoice monthly, every 3 months, every 6 months, or annually. The amount of time since the last invoice date is called the Billing Period and is shown on page one of the invoice, above the Billing Summary section. This time represents the date range during which charges accrue for the current invoice. If you made a change to your subscription outside of this date range, like adding or removing licenses, the associated charges appear on the invoice for the next billing period.

+Starting on page two of the invoice, you see the charges grouped by product order. For Azure customers, the charges might be organized by invoice section.

+At the end of each billing period, you receive an email that says your new invoice is ready to view or download in the Microsoft 365 admin center. If you have more than one billing profile, you receive an invoice for each billing profile. Learn how to [find and view your bill or invoice](view-your-bill-or-invoice.md).

+When you buy a subscription to Microsoft 365 for business, you sign up for a set of apps and services that you pay for on a recurring basis. The applications and services that you receive as part of your subscription depend on which product you purchased, such as Microsoft 365 Apps for business or Microsoft 365 Business Standard. You can see what comes with each product on the [Microsoft 365 for small and medium-sized businesses](https://www.microsoft.com/microsoft-365/business/compare-all-microsoft-365-business-products) page.

+4. The sign-up process may take several minutes to complete. After it's complete, you're ready to start the setup wizard for your subscription. For more information about setting up your subscription, see [Next steps](#next-steps).

+4. Choose a billing frequency for your subscription, then select **Checkout**.

+|AttachmentNames|The names of files attached to an email message.|`attachmentnames:annualreport.ppt` <p> `attachmentnames:annual*`|Messages that have an attached file named annualreport.ppt. In the second example, using the wildcard character ( * ) returns messages with the word "annual" in the file name of an attachment.¹|`bcc:pilarp@contoso.com` <p> `bcc:pilarp` <p> `bcc:"Pilar Pinilla"`|All examples return messages with Pilar Pinilla included in the Bcc field.<br>([See Recipient Expansion](keyword-queries-and-search-conditions.md#recipient-expansion))|

+- If NotifyAllowOverride action is set with WithoutJustification or WithJustification or FalsePositives, make sure BlockAccess is set to true and BlockAccessScope has appropriate value. Otherwise policy tip will come up but the user will not find an option to override the email with justification.

+During the 15Mb download we measure the TCP latency to the SharePoint service front door. This is the latency under load and it's compared to the latency when not under load. The increase in latency when under load is often attributable to consumer network device buffers being loaded (or bloated). A network insight is shown for any bloat of 100ms or more.

+## Week of August 01, 2022

+| Published On |Topic title | Change |

+|||--|

+| 8/1/2022 | [Key infrastructure requirements before enrolling in the Microsoft Defender Experts for Hunting service](/microsoft-365/security/defender/before-you-begin-defender-experts?view=o365-21vianet) | added |

+| 8/1/2022 | [What is Microsoft Defender Experts for Hunting offering](/microsoft-365/security/defender/defender-experts-for-hunting?view=o365-21vianet) | added |

+| 8/1/2022 | [How to subscribe to Microsoft Defender Experts for Hunting](/microsoft-365/security/defender/onboarding-defender-experts-for-hunting?view=o365-21vianet) | added |

+| 8/1/2022 | [Understand the Defender Experts for Hunting report in Microsoft 365 Defender](/microsoft-365/security/defender/defender-experts-report?view=o365-21vianet) | modified |

+| 8/1/2022 | [How to enable DMARC Reporting for Microsoft Online Email Routing Address (MOERA) and parked Domains](/microsoft-365/security/office-365-security/step-by-step-guides/how-to-enable-dmarc-reporting-for-microsoft-online-email-routing-address-moera-and-parked-domains?view=o365-21vianet) | modified |

+| 8/1/2022 | [How to setup automated attacks and training within Attack simulation training](/microsoft-365/security/office-365-security/step-by-step-guides/how-to-setup-attack-simulation-training-for-automated-attacks-and-training?view=o365-21vianet) | modified |

+| 8/1/2022 | [Use Cost management in the Microsoft 365 admin center](/microsoft-365/commerce/use-cost-mgmt?view=o365-21vianet) | modified |

+| 8/1/2022 | [Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control?view=o365-21vianet) | modified |

+| 8/1/2022 | [Migrating servers from Microsoft Defender for Endpoint to Microsoft Defender for Cloud](/microsoft-365/security/defender-endpoint/migrating-mde-server-to-cloud?view=o365-21vianet) | added |

+| 8/1/2022 | [What's new in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-whats-new?view=o365-21vianet) | modified |

+| 8/1/2022 | [Server migration scenarios for the new version of Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/server-migration?view=o365-21vianet) | modified |

+| 8/1/2022 | [Glossary of security terms for Microsoft 365 security capabilities](/microsoft-365/business-premium/m365bp-glossary?view=o365-21vianet) | modified |

+| 8/1/2022 | [Paying for your subscription](/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription?view=o365-21vianet) | modified |

+| 8/1/2022 | [Bulk import external contacts to Exchange Online](/microsoft-365/compliance/bulk-import-external-contacts?view=o365-21vianet) | modified |

+| 8/1/2022 | [Microsoft Defender for Endpoint Device Control Removable Storage Protection](/microsoft-365/security/defender-endpoint/device-control-removable-storage-protection?view=o365-21vianet) | modified |

+| 8/1/2022 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-21vianet) | modified |

+| 8/1/2022 | [Submit files for analysis by Microsoft](/microsoft-365/security/intelligence/submission-guide?view=o365-21vianet) | modified |

+| 8/2/2022 | [View your Threat & Vulnerability Management dashboard in Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-view-tvm-dashboard?view=o365-21vianet) | modified |

+| 8/2/2022 | [Configure Microsoft Defender for Endpoint risk signals using App Protection Policies (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam?view=o365-21vianet) | modified |

+| 8/2/2022 | [Configure Microsoft Defender for Endpoint on Android features](/microsoft-365/security/defender-endpoint/android-configure?view=o365-21vianet) | modified |

+| 8/2/2022 | [Allow or block emails using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/allow-block-email-spoof?view=o365-21vianet) | modified |

+| 8/2/2022 | [Manage your allows and blocks in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list?view=o365-21vianet) | modified |

+| 8/3/2022 | [Microsoft 365 Group mailbox size management](/microsoft-365/admin/create-groups/group-mailbox-size-management?view=o365-21vianet) | added |

+| 8/3/2022 | [What's new in Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-whatsnew?view=o365-21vianet) | modified |

+| 8/3/2022 | [Migrating servers from Microsoft Defender for Endpoint to Microsoft Defender for Cloud](/microsoft-365/security/defender-endpoint/migrating-mde-server-to-cloud?view=o365-21vianet) | modified |

+| 8/3/2022 | [Configure local overrides for Microsoft Defender Antivirus settings](/microsoft-365/security/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus?view=o365-21vianet) | modified |

+| 8/4/2022 | [Export non product code software inventory assessment per device](/microsoft-365/security/defender-endpoint/get-assessment-non-cpe-software-inventory?view=o365-worldwide) | added |

+| 8/4/2022 | [Export assessment methods and properties per device](/microsoft-365/security/defender-endpoint/get-assessment-methods-properties?view=o365-21vianet) | modified |

+| 8/4/2022 | [Manage Microsoft Defender Antivirus updates and apply baselines](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-21vianet) | modified |

+| 8/4/2022 | [Performance analyzer for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus?view=o365-21vianet) | modified |

+| 8/4/2022 | [Paying for your subscription](/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription?view=o365-21vianet) | modified |

+| 8/4/2022 | [Help your clients and customers use virtual appointments](/microsoft-365/frontline/virtual-appointments-toolkit?view=o365-21vianet) | modified |

+| 8/4/2022 | [Migrating servers from Microsoft Monitoring Agent to the unified solution](/microsoft-365/security/defender-endpoint/application-deployment-via-mecm?view=o365-21vianet) | modified |

+| 8/5/2022 | [Use Microsoft Teams meetings with Blackboard Learn](/microsoft-365/lti/teams-meetings-with-blackboard-learn?view=o365-worldwide) | added |

+| 8/5/2022 | [Guest users in the Microsoft 365 admin center](/microsoft-365/admin/add-users/about-guest-users?view=o365-worldwide) | modified |

+| 8/5/2022 | [Manage guest access in Microsoft 365 groups](/microsoft-365/admin/create-groups/manage-guest-access-in-groups?view=o365-worldwide) | modified |

+| 8/5/2022 | [Manage data for Microsoft Whiteboard](/microsoft-365/whiteboard/manage-data-organizations?view=o365-worldwide) | modified |

+| 8/5/2022 | [Manage sharing for Microsoft Whiteboard in GCC High environments](/microsoft-365/whiteboard/manage-sharing-gcc-high?view=o365-worldwide) | modified |

+| 8/5/2022 | [Manage sharing for Microsoft Whiteboard](/microsoft-365/whiteboard/manage-sharing-organizations?view=o365-worldwide) | modified |

+| 8/5/2022 | [Microsoft 365 Business Premium overview](/microsoft-365/business-premium/index?view=o365-worldwide) | modified |

+| 8/5/2022 | [Collaborate and share securely in Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-collaborate-share-securely?view=o365-worldwide) | modified |

+| 8/5/2022 | [Set Up unmanaged devices overview](/microsoft-365/business-premium/m365bp-devices-overview?view=o365-worldwide) | modified |

+| 8/5/2022 | [Set up and secure managed devices](/microsoft-365/business-premium/m365bp-protect-devices?view=o365-worldwide) | modified |

+| 8/5/2022 | [Use email securely](/microsoft-365/business-premium/m365bp-protect-email-overview?view=o365-worldwide) | modified |

+| 8/5/2022 | [Increase security in Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-security-overview?view=o365-worldwide) | modified |

+| 8/5/2022 | [Welcome to Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-setup-overview?view=o365-worldwide) | modified |

+| 8/5/2022 | [Set up Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-setup?view=o365-worldwide) | modified |

+| 8/5/2022 | [Deploy, manage, and report on Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus?view=o365-worldwide) | modified |

+| 8/5/2022 | [Configure and manage Microsoft Threat Experts capabilities through Microsoft 365 Defender](/microsoft-365/security/defender/configure-microsoft-threat-experts?view=o365-worldwide) | modified |

+###### [Device Health]()

+####### [Export device health methods and properties](device-health-api-methods-properties.md)

+####### [Export device antivirus health report](device-health-export-antivirus-health-report-api.md)

+> [!IMPORTANT]

+> The `AlertInfo` and `AlertEvidence` tables replace the `DeviceAlertEvents` table in the Microsoft Defender for Endpoint schema. To learn more, see [Map DeviceAlertEvents Table](/microsoft-365/security/defender/advanced-hunting-migrate-from-mde).

+Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)

+### 08.08.2022

+- Added new Export Device Health API method - GET /api/public/avdeviceshealth [Export device health methods and properties](device-health-api-methods-properties.md)

+For deploying AV and ASR policies through Microsoft System Center Configuration Manager (SCCM) follow the steps:

+- Enable Endpoint Protection and configure custom client settings.

+- Install the Endpoint Protection client from a command prompt.

+- Verify the Endpoint Protection client installation.

+##### Enable Endpoint Protection and configure custom client settings

+Follow the steps to enable endpoint protection and configuration of custom client settings:

+1. In the Configuration Manager console, click **Administration.**

+1. In the **Administration** workspace, click **Client Settings.**

+1. On the **Home** tab, in the **Create** group, click **Create Custom Client Device Settings.**

+1. In the **Create Custom Client Device Settings** dialog box, provide a name and a description for the group of settings, and then select **Endpoint Protection.**

+1. Configure the Endpoint Protection client settings that you require. For a full list of Endpoint Protection client settings that you can configure, see the Endpoint Protection section in [About client settings.](/mem/configmgr/core/clients/deploy/about-client-settings#endpoint-protection)

+ > [!IMPORTANT]

+ > Install the Endpoint Protection site system role before you configure client settings for Endpoint Protection.

+1. Click **OK** to close the **Create Custom Client Device Settings** dialog box. The new client settings are displayed in the **Client Settings** node of the **Administration** workspace.

+1. Next, deploy the custom client settings to a collection. Select the custom client settings you want to deploy. In the **Home** tab, in the **Client Settings** group, click **Deploy.**

+1. In the **Select Collection** dialog box, choose the collection to which you want to deploy the client settings and then click **OK.** The new deployment is shown in the **Deployments** tab of the details pane.

+Clients are configured with these settings when they next download client policy. For more information, see [Initiate policy retrieval for a Configuration Manager client.](/mem/configmgr/core/clients/manage/manage-clients)

+##### Installation of Endpoint Protection client from a command prompt

+Follow the steps to complete installation of endpoint protection client from the command prompt.

+1. Copy **scepinstall.exe** from the **Client** folder of the Configuration Manager installation folder to the computer on which you want to install the Endpoint Protection client software.

+1. Open a command prompt as an administrator. Change directory to the folder with the installer. Then run ```scepinstall.exe```, adding any extra command-line properties that you require:

+ |**Property** |**Description** |

+ |||

+ |```/s``` |Run the installer silently|

+ |```/q``` |Extract the setup files silently|

+ |```/i``` |Run the installer normally|

+ |```/policy``` |Specify an antimalware policy file to configure the client during installation|

+ |```/sqmoptin```|Opt-in to the Microsoft Customer Experience Improvement Program (CEIP)|

+1. Follow the on-screen instructions to complete the client installation.

+1. If you downloaded the latest update definition package, copy the package to the client computer, and then double-click the definition package to install it.

+ > [!NOTE]

+ > After the Endpoint Protection client install completes, the client automatically performs a definition update check. If this update check succeeds, you don't have to manually install the latest definition update package.

+**Example: install the client with an antimalware policy**

+```scepinstall.exe /policy <full path>\<policy file>```

+##### Verify the Endpoint Protection client installation

+After you install the Endpoint Protection client on your reference computer, verify that the client is working correctly.

+1. On the reference computer, open **System Center Endpoint Protection** from the Windows notification area.

+1. On the **Home** tab of the **System Center Endpoint Protection** dialog box, verify that **Real-time protection** is set to **On.**

+1. Verify that **Up-to-date** is displayed for **Virus and spyware definitions.**

+1. To make sure that your reference computer is ready for imaging, under **Scan options,** select **Full,** and then click **Scan now.**

+### Filter to view just the Endpoint Attack Notifications

+You can filter your incidents and alerts if you want to only see the Defender Experts Notifications amongst the many alerts. To do so:

+1. On the navigation menu, go to **Incidents & alerts** > **Incidents** > select the Filter icon icon.

+2. Scroll down to the Tags field > select the **Defender Experts** check box.

+3. Select **Apply**.

+## Ask Defender Experts about suspicious cybersecurity activities in your organization

+> - You need to have the **Manage security settings** permission in the Microsoft 365 Defender portal to be able to submit the **Ask Defender Experts** inquiry.

+2. From the upper right-hand menu, click the **?** icon. Then, select **Ask Defender Experts **

+A flyout screen opens. The following screen shows when you are on a trial subscription. The following screen shows when you are on a full Microsoft Threat Experts - Experts on Demand subscription.

+The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or device details page that you were at when you made the request.

+### Defender Experts' alert communications

+Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you about your **Ask Defender Experts** inquiry within two days, to communicate the investigation status from the following categories:

+#### To proactively hunt threats across endpoints, Office 365, cloud applications, and identity, refer to:

+- [Microsoft Defender Experts in Microsoft 365 Overview](defender-experts-for-hunting.md)

+If `AuditAllowed` or `AuditDenied` is configured in your policy and **Send event** is selected in **Options**, an event will be sent to Advanced hunting or the Device control report for every covered access (`AccessMask` in the entry), regardless of whether it was initiated by the system or by the user who signed in.

+ Title: Microsoft Defender Antivirus export device antivirus health details API methods and properties

+description: "Learn how to export a list of Microsoft Defender Antivirus device health details."

+keywords: apis, graph api, supported apis, get, device health api, Microsoft Defender for Endpoint report api microsoft defender reports api, microsoft defender for endpoint reporting api, windows defender reporting api, defender for endpoint reporting api, windows defender report api

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+MS.technology: mde

+

+# Export device antivirus health details API methods and properties

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)

+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)

+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

+## Export device antivirus health details API description

+Retrieves a list of Microsoft Defender Antivirus device health details. This API has different API calls (methods) to get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:

+- **JSON response** The API pulls all data in your organization as JSON responses. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.

+- **via files** This API solution enables pulling larger amounts of data faster and more reliably. So, it's recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:

+ - Call the API to get a list of download URLs with all your organization data.

+ - Download all the files using the download URLs and process the data as you like.

+Data that is collected using either '_JSON response_ or _via files_' is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storages.

+> [!IMPORTANT]

+>

+> For Windows&nbsp;Server&nbsp;2012&nbsp;R2 and Windows&nbsp;Server&nbsp;2016 to appear in device health reports, these devices must be onboarded using the modern unified solution package. For more information, see [New functionality in the modern unified solution for Windows Server 2012 R2 and 2016](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution).

+> [!NOTE]

+>

+> For information about using the **Device health and antivirus compliance** reporting tool in the Microsoft 365 Security dashboard, see: [Device health and antivirus compliance report in Microsoft Defender for Endpoint](machine-reports.md).

+>

+### 1.1 Export device antivirus health details API methods

+Method|Data type|Description

+:|:|:

+**(JSON response)**|Microsoft Defender Antivirus health per device collection. See: [1.2 Export device antivirus health details API properties (JSON response)](#12-export-device-antivirus-health-details-api-properties-json-response)|Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. | The API pulls all data in your organization as JSON responses. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.

+**(via files)**|Microsoft Defender Antivirus health per device collection. See: [1.3 Export device antivirus health details API properties \(via files\)](#13-export-device-antivirus-health-details-api-properties-via-files)|Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. |This API solution enables pulling larger amounts of data faster and more reliably. So, it's recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: <ol><li>Call the API to get a list of download URLs with all your organization data.</li><li>Download all the files using the download URLs and process the data as you like.</li></ol>

+### 1.2 Export device antivirus health details API properties (JSON response)

+> [!NOTE]

+>

+> - The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.

+> - Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.

+| Property (ID) | Data type | Description | Example of a returned value |

+|:-|:-|:-|:-|

+| avEngineUpdateTime | DateTimeOffset | Datetime when AV engine was last updated on device | ΓÇ£2022-08-04T12:44:02ZΓÇ£ |

+| avEngineVersion | String | Antivirus engine version | ΓÇ£1.1.19400.3ΓÇ¥ |

+| avIsEngineUpToDate | String | Up-to-date status of AV engine | ΓÇ£TrueΓÇ¥, ΓÇ£FalseΓÇ¥, ΓÇ£UnknownΓÇ¥ |

+| avIsPlatformUpToDate | String | Up-to-date stauts of AV platform | ΓÇ£TrueΓÇ¥, ΓÇ£FalseΓÇ¥, ΓÇ£UnknownΓÇ¥ |

+| avIsSignatureUpToDate | String | Up-to-date status of AV signature | ΓÇ£TrueΓÇ¥, ΓÇ£FalseΓÇ¥, ΓÇ£UnknownΓÇ¥ |

+| avMode | String | Antivirus mode. | Each mode will be a string typed integer value ranging from 0 to 5. Refer to the mapping below to see its valueΓÇÖs meaning: <ul><li>'' = Other</li><li> '0' = Active</li><li> '1' = Passive</li><li> '2' = Disabled</li><li> '3' = Other</li><li> '4' = EDRBlocked</li><li>'5' = PassiveAudit</li></ul> |

+| avPlatformUpdateTime | DateTimeOffset | Datetime when AV platform was last updated on device | ΓÇ£2022-08-04T12:44:02ZΓÇ¥ |

+| avPlatformVersion | String | Antivirus platform version | ΓÇ£4.18.2203.5ΓÇ¥ |

+| avSignaturePublishTime | DateTimeOffset | Datetime when AV security intelligence build was released | ΓÇ£2022-08-04T12:44:02ZΓÇ¥ |

+| avSignatureUpdateTime | DateTimeOffset | Datetime when AV security intelligence was last updated on device | ΓÇ£2022-08-04T12:44:02ZΓÇ£ |

+| avSignatureVersion | String | Antivirus security intelligence version | ΓÇ£1.371.1323.0ΓÇ¥ |

+| computerDnsName | String | DNS name | ΓÇ£SampleDnsΓÇ¥ |

+| dataRefreshTimestamp | DateTimeOffset | Datetime when data is refreshed for this report | ΓÇ£2022-08-04T12:44:02ZΓÇ£ |

+| fullScanError | String | Error codes from full scan | ΓÇ£0x80508023ΓÇ£ |

+| fullScanResult | String | Full scan result of this device | ΓÇ£CompletedΓÇ£ <br> ΓÇ£Cancelled ΓÇ£ <br>ΓÇ£FailedΓÇ£ |

+| fullScanTime | DateTimeOffset | Datetime when full scan has completed | ΓÇ£2022-08-04T12:44:02ZΓÇ£ |

+| id | String | Machine GUID | ΓÇ£30a8fa2826abf24d24379b23f8a44d471f00feabΓÇ¥ |

+| lastSeenTime | DateTimeOffset | Last seen datetime of this machine | ΓÇ£2022-08-04T12:44:02ZΓÇ¥ |

+| machineId | String | Machine GUID | ΓÇ£30a8fa2826abf24d24379b23f8a44d471f00feabΓÇ¥ |

+| osKind | String | Operating system kind | ΓÇ£windowsΓÇ¥, ΓÇ£macΓÇ¥, ΓÇ£linuxΓÇ¥ |

+| osPlatform | String | Operating system major version name | Windows 10, macOs |

+| osVersion | String | Operating system version | 10.0.18363.1440, 12.4.0.0 |

+| quickScanError | String | Error codes from quick scan | ΓÇ£0x80508023ΓÇ£ |

+| quickScanResult | String | Quick scan result of this device | ΓÇ£CompletedΓÇ£ <br>ΓÇ£Cancelled ΓÇ£ <br>ΓÇ£FailedΓÇ£ |

+| quickScanTime | DateTimeOffset | Datetime when quick scan has completed | ΓÇ£2022-08-04T12:44:02ZΓÇ£ |

+| rbacGroupId | Long | Device group ID that this machine belongs to | 712 |

+| rbacGroupName | String | Name of device group that this machine belongs to | ΓÇ£SampleGroupΓÇ¥ |

+### 1.3 Export device antivirus health details API properties (via files)

+> [!NOTE]

+>

+> - The files are gzip compressed & in multiline Json format.

+> - The download URLs are only valid for 3 hours; otherwise you can use the parameter.

+> - For maximum download speed of your data, you can make sure you are downloading from the same Azure region that your data resides.

+> - Each record is approximately 1KB of data. You should take this into account when choosing the correct pageSize parameter for you.

+> - Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.

+| Property (ID) | Data type | Description | Example of a returned value |

+|:-|:-|:-|:-|

+| Export files | array[string] | A list of download URLs for files holding the current snapshot of the organization. | ["https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1", "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2"] |

+| GeneratedTime | String | The time that the export was generated. | 2022-05-20T08:00:00Z |

+> [!NOTE]

+> In each of the Export files a property ΓÇ£DeviceGatheredInfoΓÇ¥ containing the data about Antivirus information can be found. Each of its attributes can provide you with information on the device's health and its status.

+## See also

+[Export device antivirus health report](device-health-export-antivirus-health-report-api.md)

+[Device health and compliance reporting](machine-reports.md)

+ Title: Microsoft Defender Antivirus Device Health details API

+description: "Retrieves a list of Microsoft Defender Antivirus device health details."

+keywords: apis, graph api, supported apis, get, device health api, Microsoft Defender for Endpoint report api microsoft defender reports api, microsoft defender for endpoint reporting api, windows defender reporting api, defender for endpoint reporting api, windows defender report api

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+MS.technology: mde

+

+# Microsoft Defender Antivirus Device Health details API

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)

+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)

+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

+## API description

+Retrieves a list of Microsoft Defender Antivirus device health details.

+URL: GET: /api/public/avdeviceshealth

+<br>Supports [OData V4 queries](https://www.odata.org/documentation/).

+<br>OData supported operators:

+<br>```$filter``` on: ```machineId```, ```computerDnsName```, ```osKind```, ```osPlatform```, ```osVersion```, a```vMode```, ```avSignatureVersion```, ```avEngineVersion```, ```avPlatformVersion```, ```quickScanResult```, ```quickScanError```, ```fullScanResult```, ```fullScanError```, ```avIsSignatureUpToDate```, ```avIsEngineUpToDate```, ```vIsPlatformUpToDate```, ```rbacGroupId```

+<br>```$top``` with max value of 10,000.

+<br>```$skip```.

+<br>See examples at [OData queries with Microsoft Defender for Endpoint.](exposed-apis-odata-samples.md]

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.

+| Permission type | Permission | Permission display name |

+|:-|:-|:-|

+| Application | Machine.Read.All | 'Read all machine profiles' |

+| Application | Machine.ReadWrite.All | 'Read and write all machine information' |

+| Delegated (work or school account) | Machine.Read | 'Read machine information' |

+| Delegated (work or school account) | Macine.ReadWrite | 'Read and write machine information' |

+## HTTP request

+```http

+GET /api/public/avdeviceshealth

+```

+## Request headers

+| Name | Type | Description |

+|:-|:-|:-|

+| Authorization | String | Bearer {token}. **Required** |

+## Request body

+_Empty_

+## Response

+If successful, this method returns 200 OK with a list of device health details.

+## Example

+### Example request

+Here is an example of the request:

+```http

+GET https://api.securitycenter.microsoft.com/api/public/avdeviceshealth

+```

+### Example response

+Here is an example of the response:

+```json

+{

+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#avdeviceshealth",

+ "value": [

+ {

+ "id": "sampleId",

+ "machineId": "sampleMachineId",

+ "computerDnsName": "sampleDnsName",

+ "osKind": "mac",

+ "osPlatform": "macOS",

+ "osVersion": "11.6.5.0",

+ "avMode": "0",

+ "avSignatureVersion": "87523",

+ "avEngineVersion": "3.0",

+ "avPlatformVersion": "101.61.69",

+ "lastSeenTime": "2022-04-02T06:12:07+00:00",

+ "quickScanResult": "-",

+ "quickScanError": "-",

+ "fullScanResult": "-",

+ "fullScanError": "-",

+ "dataRefreshTimestamp": "2022-04-06T21:50:48+00:00",

+ "avSignatureUpdateTime": "2022-04-01T01:31:58+00:00",

+ "avIsSignatureUpToDate": "Unknown",

+ "avIsEngineUpToDate": "Unknown",

+ "avIsPlatformUpToDate": "Unknown",

+ "rbacGroupId": 86

+ },

+ ...

+ ]

+}

+```

+## See also

+[Device health and compliance report in Microsoft Defender for Endpoint](machine-reports.md)

+ Title: Microsoft Defender Antivirus Device Health export device antivirus health reporting

+description: Presents methods to retrieve Microsoft Defender Antivirus (MDAV) device health details.

+keywords: apis, graph api, supported apis, get, device health api, Microsoft Defender for Endpoint report api microsoft defender reports api, microsoft defender for endpoint reporting api, windows defender reporting api, defender for endpoint reporting api, windows defender report api

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+MS.technology: mde

+# Export device antivirus health report

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)

+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)

+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

+This API has two methods to retrieve Microsoft Defender Antivirus device antivirus health details:

+- **Method one:** [1 Export health reporting \(**JSON response**\)](#1-export-health-reporting-json-response) The method pulls all data in your organization as JSON responses. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.

+- **Method two:** [2 Export health reporting \(**via files**\)](#2-export-health-reporting-via-files) This method enables pulling larger amounts of data faster and more reliably. So, it's recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:

+ - Call the API to get a list of download URLs with all your organization data.

+ - Download all the files using the download URLs and process the data as you like.

+Data that is collected using either '_JSON response_ or _via files_' is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storages. See [Export device health details API methods and properties](device-health-api-methods-properties.md).

+> [!IMPORTANT]

+>

+> For Windows&nbsp;Server&nbsp;2012&nbsp;R2 and Windows&nbsp;Server&nbsp;2016 to appear in device health reports, these devices must be onboarded using the modern unified solution package. For more information, see [New functionality in the modern unified solution for Windows Server 2012 R2 and 2016](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution).

+> [!NOTE]

+>

+> For information about using the **Device health and antivirus compliance** reporting tool in the Microsoft 365 Security dashboard, see: [Device health and antivirus compliance report in Microsoft Defender for Endpoint](machine-reports.md).

+>

+## 1 Export health reporting (JSON response)

+### 1.1 API method description

+This API retrieves a list of Microsoft Defender Antivirus device antivirus health details. Returns a table with an entry for every unique combination of:

+- DeviceId

+- Device name

+- AV mode

+- Up-to-date status

+- Scan results

+#### 1.1.1 Limitations

+- maximum page size is 200,000

+- Rate limitations for this API are (**_example_** 30 calls per minute and 1000 calls per hour._)

+#### OData supported operators

+- ```$filter```ΓÇ» on: ```machineId```, ```computerDnsName```, ```osKind```, ```osPlatform```, ```osVersion```, ```avMode```, ```avSignatureVersion```, ```avEngineVersion```, ```avPlatformVersion```, ```quickScanResult```, ```quickScanError```, ```fullScanResult```, ```fullScanError```, ```avIsSignatureUpToDate```, ```avIsEngineUpToDate```, ```avIsPlatformUpToDate```, ```rbacGroupId```

+- ```$top```  with max value of 10,000.

+- ```$skip```.

+### 1.2 Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

+| Permission type | Permission | Permission display name |

+|:|:|:|

+| Application | Machine.Read.All | ΓÇÿRead all machine profilesΓÇÖ |

+| Application | Machine.ReadWrite.All | ΓÇÿRead and write all machine informationΓÇÖ |

+|Delegated (work or school account) | Machine.Read | ΓÇÿRead machine informationΓÇÖ |

+| Delegated (work or school account) | Machine.ReadWrite | ΓÇÿRead and write machine informationΓÇÖ |

+### 1.3 URL (HTTP request)

+```http

+URL: GET: /api/deviceavinfo

+```

+#### 1.3.1 Request headers

+| Name | Type | Description |

+|:|:|:|

+| Authorization | String | Bearer {token}. Required. |

+#### 1.3.2 Request body

+Empty

+#### 1.3.3 Response

+If successful, this method returns 200 OK with a list of device health details.

+### 1.4 Parameters

+- Default page size is 20

+- See examples atΓÇ»[OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md).

+### 1.5 Properties

+See: [1.2 Export device antivirus health details API properties (JSON response)](device-health-api-methods-properties.md#12-export-device-antivirus-health-details-api-properties-json-response)

+SupportsΓÇ»[OData V4 queries](https://www.odata.org/documentation/).

+### 1.6 Example

+#### Request example

+Here's an example request:

+```http

+GET https://api.securitycenter.microsoft.com/api/deviceavinfo

+```

+#### Response example

+Here's an example response:

+```json

+{

+ @odata.context: "https://api.securitycenter.microsoft.com/api/$metadata#DeviceAvInfo",

+"value": [{

+ "id": "Sample Guid",

+ "machineId": "Sample Machine Guid",

+ "computerDnsName": "appblockstg1",

+ "osKind": "windows",

+ "osPlatform": "Windows10",

+ "osVersion": "10.0.19044.1865",

+ "avMode": "0",

+ "avSignatureVersion": "1.371.1279.0",

+ "avEngineVersion": "1.1.19428.0",

+ "avPlatformVersion": "4.18.2206.108",

+ "lastSeenTime": "2022-08-02T19:40:45Z",

+ "quickScanResult": "Completed",

+ "quickScanError": "",

+ "quickScanTime": "2022-08-02T18:40:15.882Z",

+ "fullScanResult": "",

+ "fullScanError": "",

+ "fullScanTime": null,

+ "dataRefreshTimestamp": "2022-08-02T21:16:23Z",

+ "avEngineUpdateTime": "2022-08-02T00:03:39Z",

+ "avSignatureUpdateTime": "2022-08-02T00:03:39Z",

+ "avPlatformUpdateTime": "2022-06-20T16:59:35Z",

+ "avIsSignatureUpToDate": "True",

+ "avIsEngineUpToDate": "True",

+ "avIsPlatformUpToDate": "True",

+ "avSignaturePublishTime": "2022-08-02T00:03:39Z",

+ "rbacGroupName": "TVM1",

+ "rbacGroupId": 4415

+ },

+ ...

+ ]

+}

+```

+## 2 Export health reporting (via files)

+### 2.1 API method description

+This API response contains all the data of Antivirus health and status per device. Returns a table with an entry for every unique combination of:

+- DeviceId

+- device name

+- AV mode

+- Up-to-date status

+- Scan results

+#### 2.1.2 Limitations

+- Maximum page size is 200,000.

+- Rate limitations for this API are 30 calls per minute and 1000 calls per hour.

+### 2.2 Permissions

+One of the following permissions is required to call this API.

+| Permission type | Permission | Permission display name |

+|:|:|:|

+| Application | Machine.ReadWrite.All | ' Read and write all machine informationΓÇÖ |

+| Delegated (work or school account) | Machine.Read | ' Read machine information ' |

+To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details](apis-intro.md).

+### 2.3 URL

+```http

+GET /api/machines/InfoGatheringExport

+```

+### 2.4 Parameters

+- ```sasValidHours```: The number of hours that the download URLs will be valid for (Maximum 24 hours).

+### 2.5 Properties

+See: [1.3 Export device antivirus health details API properties \(via files\)](device-health-api-methods-properties.md#13-export-device-antivirus-health-details-api-properties-via-files).

+### 2.6 Examples

+#### 2.6.1 Request example

+Here's an example request:

+```HTTP

+GET https://api-us.securitycenter.contoso.com/api/machines/InfoGatheringExport

+```

+#### 2.6.2 Response example

+Here's an example response:

+```json

+{

+ "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",

+ "exportFiles": [

+ "https://tvmexportexternalprdeus.blob.core.windows.net/temp-../2022-08-02/2201/InfoGatheringExport/json/OrgId=../_RbacGroupId=../part-00055-12fc2fcd-8f56-4e09-934f-e8efe7ce74a0.c000.json.gz?sv=2020-08-04&st=2022-08-02T22%3A47%3A11Z&se=2022-08-03T01%3A47%3A11Z&sr=b&sp=r&sig=..",

+ "https://tvmexportexternalprdeus.blob.core.windows.net/temp-../2022-08-02/2201/InfoGatheringExport/json/OrgId=../_RbacGroupId=../part-00055-12fc2fcd-8f56-4e09-934f-e8efe7ce74a0.c000.json.gz?sv=2020-08-04&st=2022-08-02T22%3A47%3A11Z&se=2022-08-03T01%3A47%3A11Z&sr=b&sp=r&sig=.."

+ ],

+ "generatedTime": "2022-08-02T22:01:00Z"

+}

+```

+## See also

+[Export device health methods and properties](device-health-api-methods-properties.md)

+[Device health and compliance reporting](machine-reports.md)

+ - m365-security-compliance

+ - m365initiative-defender-endpoint

+[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) in block mode provides added protection from malicious artifacts when Microsoft Defender Antivirus(MDAV) is not the primary antivirus product and is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that were detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product. EDR in block mode allows Microsoft Defender Antivirus to take actions on post-breach, behavioral EDR detections. See the section, [Do I need to turn on EDR in block mode if I have Microsoft Defender Antivirus?](#do-i-need-to-turn-edr-in-block-mode-on-if-i-have-microsoft-defender-antivirus-running-on-devices) in the **Frequently asked questions** section.

+> EDR in block mode does not provide all the protection that is available when Microsoft Defender Antivirus real-time protection is enabled. Some capabilities depend on Microsoft Defender Antivirus to be the active antivirus solution, such as the following examples:

+> It is expected that your non-Microsoft antivirus solution includes these capabilities.

+EDR in block mode is integrated with [threat & vulnerability management](next-gen-threat-and-vuln-mgt.md) capabilities. Your organization's security team will get a [security recommendation](tvm-security-recommendation.md) to turn EDR in block mode on if it isn't already enabled. This recommendation is primarily for devices using an active non-Microsoft antivirus solution (with Microsoft Defender Antivirus in passive mode). There is little benefit to enabling EDR in block mode when Microsoft Defender Antivirus is the primary antivirus solution on devices.

+When EDR in block mode is turned on, and a malicious artifact is detected, Defender for Endpoint remediates that artifact. Your security operations team will see detection status as **Blocked** or **Prevented** in the [Action center](respond-machine-alerts.md#check-activity-details-in-action-center), listed as completed actions. The following image shows an instance of unwanted software that was detected and remediated through EDR in block mode:

+For more information on the Defender CSP used for EDR in bloc

+|Operating system|Devices must be running one of the following versions of Windows: <ul><li>Windows 11</li><li>Windows 10 (all releases)</li><li>Windows Server 2019 or later</li><li>Windows Server, version 1803 or later</li><li>Windows Server 2016 (only when Microsoft Defender Antivirus is in active mode)</li></ul>|

+|Microsoft Defender for Endpoint|Devices must be onboarded to Defender for Endpoint. See [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md).|

+[**Advanced Hunting** methods](run-advanced-query-api.md) | Run queries from API.

+[**Alert** methods and properties](alerts.md) | Run API calls such as \- get alerts, create alert, update alert and more.

+[Export **Assessment** per-device methods and properties](get-assessment-methods-properties.md) | Run API calls to gather vulnerability assessments on a per-device basis, such as: \- export secure configuration assessment, export software inventory assessment, export software vulnerabilities assessment, and delta export software vulnerabilities assessment.

+[**Automated investigation** methods and properties](investigation.md) | Run API calls such as \- get collection of Investigation.

+[Export device health methods and properties](device-health-api-methods-properties.md) | Run API Calls such as - GET /api/public/avdeviceshealth.

+[**Domain**-related alerts](get-domain-related-alerts.md) | Run API calls such as \- get domain-related devices, domain statistics and more.

+[**File** methods and properties](files.md) | Run API calls such as \- get file information, file related alerts, file related devices, and file statistics.

+[**Indicators** methods and properties](ti-indicator.md) | Run API call such as \- get Indicators, create Indicator, and delete Indicators.

+[**IP**-related alerts](get-ip-related-alerts.md) | Run API calls such as \- get IP-related alerts and get IP statistics.

+[**Machine** methods and properties](machine.md) | Run API calls such as \- get devices, get devices by ID, information about logged on users, edit tags and more.

+[**Machine Action** methods and properties](machineaction.md) | Run API call such as \- Isolation, Run anti-virus scan and more.

+[**Recommendation** methods and properties](recommendation.md) | Run API calls such as \- get recommendation by ID.

+[**Remediation activity** methods and properties](get-remediation-methods-properties.md) | Run API call such as \- get all remediation tasks, get exposed devices remediation task and get one remediation task by id.

+[**Score** methods and properties](score.md) | Run API calls such as \- get exposure score or get device secure score.

+[**Software** methods and properties](software.md) | Run API calls such as \- list vulnerabilities by software.

+[**User** methods and properties](user.md) | Run API calls such as \- get user-related alerts and user-related devices.

+[**Vulnerability** methods and properties](vulnerability.md) | Run API calls such as \- list devices by vulnerability.

+|Reports: Device health| In development| In development| In development|

+|Reports: Web content filtering|| In development| In development|

+|Microsoft Secure Score| ¹|||

+description: Use the device health and compliance report to track device health, antivirus status and versions, OS platforms, and Windows 10 versions.

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+localization_priority: Normal

+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

+> [!IMPORTANT]

+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

+> Information about the features that are _commercially released_ follows the prerelease information in the section titled [Publicly-released: Device health and compliance report in Microsoft Defender for Endpoint](#publicly-released-device-health-and-compliance-report-in-microsoft-defender-for-endpoint).

+## Public Preview - Device health and antivirus compliance report in Microsoft Defender for Endpoint

+The devices status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions.

+> [!IMPORTANT]

+> For Windows&nbsp;Server&nbsp;2012&nbsp;R2 and Windows&nbsp;Server&nbsp;2016 to appear in device health reports, these devices must be onboarded using the modern unified solution package. For more information, see [New functionality in the modern unified solution for Windows Server 2012 R2 and 2016](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution).

+In the Microsoft 365 Security dashboard navigation panel, select **Reports**, and then open **Device health and compliance**.

+The Device health and compliance dashboard is structured in two tabs:

+- The [**Sensor health & OS** tab](#sensor-health--os-tab) provides general operating system information, divided into three cards that display the following device attributes:

+ - [Sensor health card](#sensor-health-card)

+ - [Operating systems and platforms card](#operating-systems-and-platforms-card)

+ - [Windows 10 versions card](#windows-10-versions-card)

+- The [**Microsoft Defender Antivirus health** tab](#microsoft-defender-antivirus-health-tab) has eight cards that report on aspects of Microsoft Defender Antivirus:

+ - [Antivirus mode card](#antivirus-mode-card)

+ - [Antivirus engine version card](#antivirus-engine-version-card)

+ - [Antivirus security intelligence version card](#antivirus-security-intelligence-version-card)

+ - [Antivirus platform version card](#antivirus-platform-version-card)

+ - [Recent antivirus scan results card](#recent-antivirus-scan-results-card)

+ - [Antivirus engine updates card](#antivirus-engine-updates-card)

+ - [Security intelligence updates card](#security-intelligence-updates-card)

+ - [Antivirus platform updates card](#antivirus-platform-updates-card)

+### Sensor health & OS tab

+Sensor health and OS cards report on general operating system health, which includes detection sensor health, up-to-date versus out-of-date operating systems, and Windows 10 versions.

+> [!div class="mx-imgBorder"]

+> 

+Each of the three cards on the **Sensor health** tab have two reporting sections, _Current state_ and _device trends_, presented as graphs:

+#### Current state graph

+In each card, the Current state (referred to in some documentation as _Device summary_) is the top, horizontal bar graph. Current state is a snapshot that shows information collected about devices in your organization, scoped to the current day. This graph represents the distribution of devices across your organization that report status or are detected to be in a specific state.

+> [!div class="mx-imgBorder"]

+> 

+#### Device trends graph

+The lower graph on each of the three cards isn't named, but is commonly known as _device trends_. The device trends graph depicts the collection of devices across your organization, throughout the time span indicated directly above the graph.

+By default, the device trends graph displays device information from the 30-day period, ending in the latest full day. To gain a better perspective about trends occurring in your organization, you can fine-tune the reporting period by adjusting the time period shown. To adjust the time period, open the filter and select a start day and end day.

+> [!div class="mx-imgBorder"]

+> 

+#### Filtering data

+Use the provided filters to include or exclude devices with certain attributes. You can select multiple filters to apply from the device attributes. When applied, filters apply to all three cards in the report.

+For example, to show data about Windows 10 devices with Active sensor health state:

+1. Under **Filters** > **Sensor health state** > **Active**.

+2. Then select **OS platforms** > **Windows 10**.

+3. Select **Apply**.

+#### Sensor health card

+The Sensor health card displays information about the sensor state on devices. Sensor health provides an aggregate view of devices that are:

+- active

+- inactive

+- experiencing impaired communications

+- or where no sensor data is reported

+Devices that are either experiencing impaired communications, or devices from which no sensor data is detected could expose your organization to risks, and warrant investigation. Likewise, devices that are inactive for extended periods of time could expose your organization to threats due to out-of-date software. Devices that are inactive for long periods of time also warrant investigation.

+#### Operating systems and platforms card

+This card shows the distribution of operating systems and platforms that exist within your organization.

+_OS systems and platforms_ can give useful insights into whether devices in your organization are running current or outdated operating systems. When new operating systems are introduced, security enhancements are frequently included that improve your organization's posture against security threats.

+For example, Secure Boot, introduced in Windows 8, practically eliminated the threat from some of the most harmful types of malware. Improvements in Windows 10 provide PC manufacturers the option to prevent users from disabling the Secure Boot feature. Preventing users from disabling the Secure Boot feature removes almost any chance of malicious rootkits or other low-level malware from infecting the boot process.

+Ideally, the ΓÇ£Current stateΓÇ¥ graph shows that the number of operating systems is weighted in favor of more current OS over older versions. Otherwise, the trends graph indicates that new systems are being adopted and/or older systems are being updated or replaced.

+#### Windows 10 versions card

+The card shows the distribution of Windows devices and their versions in your organization.

+In the same way that an upgrade from Windows 8 to Windows 10 improves security in your organization, changing from early releases of Windows to more current versions improves your posture against possible threats.

+The Windows version trend graph can help you quickly determine whether your organization is keeping current by updating to the most recent, most secure versions of Windows 10.

+### Microsoft Defender Antivirus health tab

+The Microsoft Defender Antivirus health tab contains eight cards that report on several aspects of Microsoft Defender Antivirus in your organization:

+Two cards, [Antivirus mode card](#antivirus-mode-card) and [Recent antivirus scan results card](#recent-antivirus-scan-results-card), report about Microsoft Defender Antivirus functions.

+The remaining six cards report about the Microsoft Defender Antivirus status for devices in your organization:

+| _version_ cards: | _update_ cards{<a id="fn1">1</a>} |

+|:|:|

+| [Antivirus engine version card](#antivirus-engine-version-card) <br> [Antivirus security intelligence version card](#antivirus-security-intelligence-version-card) <br> [Antivirus platform version card](#antivirus-platform-version-card) | [Antivirus engine updates card](#antivirus-engine-updates-card) <br> [Security intelligence updates card](#security-intelligence-updates-card) <br> [Antivirus platform updates card](#antivirus-platform-updates-card) |

+| The three update cards provide links to additional resources to learn more. | The three version cards provide flyout reports that provide additional information, and enable further exploration. |

+^{[1](#fn1)} For the three _updates_ cards, "**No data available**" indicates devices that aren't reporting update status. Devices that aren't reporting update status can be due to various reasons, such as:

+- Computer is disconnected from the network

+- Computer is powered down or in a hibernation state

+- Microsoft Defender Antivirus is disabled

+- Device is a non-Windows (Mac or Linux) device

+- Cloud protection is not enabled

+> [!NOTE]

+> Currently, "Up-to-date" reporting is only available for Windows devices. Up-to-date reporting generates information about Windows devices with cloud protection enabled and engine version: 1.1.19300.2 and newer. Cross-platform devices, such as Mac and Linux, are listed under "no data available."

+> [!div class="mx-imgBorder"]

+> 

+#### Card functionality

+The functionality is essentially the same for all cards. By clicking on a numbered bar in any of the cards, the **Microsoft Defender Antivirus details** flyout opens enabling you to review information about all the devices configured with the version number of an aspect on that card.

+> [!div class="mx-imgBorder"]

+> 

+If the version number that you clicked on is:

+- A current version, then **Remediation required** and **Security recommendation** aren't present

+- An outdated version, a notification at the top of the report is present, indicating **Remediation required**, and a **Security recommendation** link is present. Select the security recommendation link to navigate to the threat and vulnerability management console, which can recommend appropriate antivirus updates.

+To add or remove specific types of information on the **Microsoft Defender Antivirus details** flyout, click **Customize Columns**. In **Customize Columns**, select or clear items to specify what you want included in the Microsoft Defender Antivirus details report.

+> [!div class="mx-imgBorder"]

+> 

+Within the flyout: clicking on the name of the device will redirect you to the "Device page" for that device, where you can access detailed reports.

+You can use the **Export** button within the _Microsoft Defender Antivirus details_ flyout to export a report to an Excel spreadsheet. Exported reports capture information based on your entry-point into the details report and which filters or customized columns you have set.

+For additional information on exporting using API, see the following articles:

+- [Export device antivirus health report](device-health-export-antivirus-health-report-api.md)

+- [Export device antivirus health details API methods and properties](device-health-api-methods-properties.md)

+#### Microsoft Defender Antivirus version and update cards functionality

+Following are descriptions for the six cards that report about the _version_ and _update_ information for Microsoft Defender Antivirus engine, security intelligence, and platform components:

+##### Full report

+In any of the three _version_ cards, click **View full report** to display the nine most recent Microsoft Defender Antivirus _version_ reports for each of the three device types: Windows, Mac, and Linux; if fewer than nine exist, they're all shown. An **Other** category captures recent antivirus engine versions ranking tenth and below, if detected.

+> [!div class="mx-imgBorder"]

+> 

+A primary benefit of the three _version_ cards is that they provide quick indicators as to whether the most current versions of the antivirus engines, platforms, and security intelligence are being utilized. Coupled with the detailed information that is linked to the card, the versions cards become a powerful tool to check if versions are up to date and to gather information about individual computers, or groups of computers.

+Ideally, when you run these reports, they'll indicate that the most current antivirus versions are installed, as opposed to older versions.

+Use these reports to determine whether your organization is taking full advantage of the most current versions.

+> [!div class="mx-imgBorder"]

+> 

+To help ensure your anti-malware solution detects the latest threats, get updates automatically as part of Windows Update.

+For more details on the current versions and how to update the different Microsoft Defender Antivirus components, visit [Microsoft Defender Antivirus platform support](manage-updates-baselines-microsoft-defender-antivirus.md).

+#### Card descriptions

+Following are brief summaries of the collected information reported in each of the _Antivirus version_ cards:

+##### Antivirus mode card

+Reports on how many devices in your organization ΓÇô on the date indicated on the card ΓÇô are in any of the following Microsoft Defender Antivirus modes:

+| value | mode |

+|||

+| 0 | Active |

+| 1 | Passive |

+| 2 | Disabled (uninstalled, disabled, or SideBySidePassive {also known as Low Periodic Scan}) |

+| 3 | Others (Not running, Unknown) |

+| 4 | EDRBlocked |

+> [!div class="mx-imgBorder"]

+> 

+Following are descriptions for each mode:

+- **Active** mode - In active mode, Microsoft Defender Antivirus is used as the primary antivirus app on the device. Files are scanned, threats are remediated, and detected threats are listed in your organization's security reports and in your Windows Security app.

+- **Passive** mode - In passive mode, Microsoft Defender Antivirus isn't used as the primary antivirus app on the device. Files are scanned, and detected threats are reported, but threats aren't remediated by Microsoft Defender Antivirus. IMPORTANT: Microsoft Defender Antivirus can run in passive mode only on endpoints that are onboarded to Microsoft Defender for Endpoint. See [Requirements for Microsoft Defender Antivirus to run in passive mode](microsoft-defender-antivirus-compatibility.md#requirements-for-microsoft-defender-antivirus-to-run-in-passive-mode).

+- **Disabled** mode - synonymous with: uninstalled, disabled, sideBySidePassive, and Low Periodic Scan. When disabled, Microsoft Defender Antivirus isn't used. Files aren't scanned, and threats aren't remediated. In general, Microsoft doesn't recommend disabling or uninstalling Microsoft Defender Antivirus.

+- **Others** mode - Not running, Unknown

+- **EDR in Block** mode - In endpoint detection and response (EDR) blocked mode. See [Endpoint detection and response in block mode](edr-in-block-mode.md)

+Devices that are in either passive, LPS, or Off present a potential security risk and should be investigated.

+For details about LPS, see [Use limited periodic scanning in Microsoft Defender Antivirus](limited-periodic-scanning-microsoft-defender-antivirus.md).

+##### Recent antivirus scan results card

+This card has two bars graphs showing all-up results for quick scans and full scans. In both graphs, the first bar indicates the completion rate for scans, and indicate **Completed**, **Canceled**, or **Failed**. The second bar in each section provides the error codes for failed scans.

+By scanning the **Mode** and **Recent scan results** columns, you can quickly identify devices that aren't in active antivirus scan mode, and devices that have failed or canceled recent antivirus scans. You can return to the report with this information and gather more details and security recommendations. If any error codes are reported in this card, there will be a link to learn more about error codes.

+For more details on the current Microsoft Defender Antivirus versions and how to update the different Microsoft Defender Antivirus components, visit [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).

+##### Antivirus engine version card

+Shows the real-time results of the most current Microsoft Defender Antivirus engine versions installed across Windows Devices, Mac devices, and Linux devices in your organization. Microsoft Defender Antivirus engine is updated monthly.

+For more information on the current versions and how to update the different Microsoft Defender Antivirus components, see [Microsoft Defender Antivirus platform support](manage-updates-baselines-microsoft-defender-antivirus.md).

+##### Antivirus security intelligence version card

+Lists the most common _Microsoft Defender Antivirus security intelligence_ versions installed on devices on your network.

+Microsoft continually updates Microsoft Defender security intelligence to address the latest threats, and to refine detection logic. These refinements to security intelligence enhance Microsoft Defender AntivirusΓÇÖ (and other Microsoft anti-malware solutionsΓÇÖ) ability to accurately identify potential threats. This security intelligence works directly with cloud-based protection to deliver AI-enhanced, next-generation protection that is fast and powerful.

+##### Antivirus platform version card

+Shows the real-time results of the most current Microsoft Defender Antivirus platform versions installed across versions of Windows, Mac, and Linux devices in your organization. Microsoft Defender Antivirus platform is updated monthly.

+For more details on the current versions and how to update the different Microsoft Defender Antivirus components, see [Microsoft Defender Antivirus platform support](manage-updates-baselines-microsoft-defender-antivirus.md)

+##### Antivirus engine updates card

+This card identifies devices that have antivirus engine versions that are up to date versus out of date.

+The general definition of ΓÇÿ_Up to date_ΓÇÖ ΓÇô the engine version on the device is the most recent engine release {the Engine is usually released monthly, via Windows Update (WU)}. There's a three-day grace period from the day when WU is released.

+| Microsoft considers devices with **Antivirus engine updates** that have: | to be: |

+|:-|:-|

+| Communicated to Defender in last 7 days with Signature Publish time within last 7 days _and have_ Engine or Platform version build time _within_ last 60 days | Up-to-date |

+| Communicated to Defender in last 7 days with Signature Publish time within last 7 days but Engine or Platform version build time _older than_ 60 days | Out-of-date |

+| Communicated to Defender in last 7 days with Signature Publish time _greater than_ days | No data available |

+| NOT communicated to Defender in last 7 days and whose last status was "Up-to-date" | No data available |

+| NOT communicated to Defender in last 7 days and whose last status was "Out-of-date" | No data available |

+##### Security intelligence updates card

+This card identifies devices that have security intelligence versions that are up to date versus out of date.

+The general definition of ΓÇÿ**Up to date**ΓÇÖ ΓÇô the security intelligence version on the device was written in the past 7 days.

+| Microsoft considers devices with **Security Intelligence updates** that have: | to be: |

+|:-|:-|

+| A security intelligence version written in the past 7 days | Up-to-date |

+| Communicated to Defender in last 7 days with Signature Publish time within last 7 days | Up-to-date |

+| Communicated to Defender in last 7 days with Signature Publish time greater than last 7 days | Out-of-date |

+| NOT communicated to Defender in last 7 days and whose last status was "Up-to-date" | No data available |

+| NOT communicated to Defender in last 7 days and whose last status was Out-of-date | Out-of-date |

+##### Antivirus platform updates card

+This card identifies devices that have Antivirus platform versions that are up to date versus out of date.

+The general definition of ΓÇÿ_Up to date_ΓÇÖ ΓÇô the platform version on the device is the most recent platform release (Platform is usually released monthly, via Windows Update). There's a three-day grace period from the day when WU is released.

+| Microsoft considers devices with **Antivirus platform updates** that have: | to be: |

+|:-|:-|

+| Communicated to Defender in last 7 days with Signature Publish time within last 7 days _and have_ Engine or Platform version build time _within_ last 60 days | Up-to-date |

+| Communicated to Defender in last 7 days with Signature Publish time within last 7 days but Engine or Platform version build time _older than_ 60 days | Out-of-date |

+| Communicated to Defender in last 7 days with Signature Publish time _greater than_ days | No data available |

+| NOT communicated to Defender in last 7 days and whose last status was "Up-to-date" | No data available |

+| NOT communicated to Defender in last 7 days and whose last status was "Out-of-date" | No data available |

+For information about Manage Microsoft Defender Antivirus update versions, see: [Monthly platform and engine versions](manage-updates-baselines-microsoft-defender-antivirus.md#monthly-platform-and-engine-versions)

+### See also

+- [Export device antivirus health details API methods and properties](device-health-api-methods-properties.md)

+- [device-health-export-antivirus-health-report-api.md](device-health-api-methods-properties.md)

+- [Threat protection report](threat-protection-reports.md)

+## Publicly released: Device health and compliance report in Microsoft Defender for Endpoint

+The device status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions.

+The dashboard is structured into two sections:

+

+### Device trends

+By default, the device trends graph displays device information from the 30-day period ending in the latest full day. To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the time period shown. To adjust the time period, select a time range from the drop-down options:

+### Device summary

+Unlike the device trends graph, the device summary graph shows device information scoped to the current day.

+### Device attributes

+- **Health state**: shows information about the sensor state on devices. This graph provides an all-up view of devices that are active, experiencing impaired communications, inactive, or where no sensor data is seen.

+### Filter data

+### Related articles

+- [Threat protection report](threat-protection-reports.md)

+<summary>July-2022 (Platform: 4.18.2205.TBD | Engine: 1.1.19500.2)</summary>

+*This section contains pre-release information that is still in active development. Expect updates, including the final security update version number, to occur.*

+&ensp;Security intelligence update version: *coming soon*<br/>

+&ensp;Release date: **August 8, 2022**<br/>

+&ensp;Platform: *4.18.2205.TBD*<br/>

+&ensp;Engine: **1.1.19500.2**<br/>

+&ensp;Support phase: **Security and Critical Updates**<br/>

+Engine version: 1.1.19300.2<br/>

+Security intelligence update version: *coming soon*<br/>

+### What's new

+- Performance improvement for [hybrid sleep](/windows-hardware/customize/power-settings/sleep-settings-hybrid-sleep) delay when Microsoft Defender Antivirus is active

+- Fixed client detection behavior related to custom [certificate blocking indicators of compromise](indicator-certificates.md)

+- Performance improvement for [AntiMalware Scan Interface (AMSI)](/windows/win32/amsi/antimalware-scan-interface-portal) caching

+- Improved detection and remediation for [Microsoft Visual Basic for Applications](/office/vba/language/concepts/getting-started/64-bit-visual-basic-for-applications-overview) (VBA) related macros

+- Improved processing of AMSI exclusions

+- Fixed deadlock detection in Host Intrusion Prevention System (HIPS) rule processing. (For additional information about HIPS and Defender for Endpoint, see [Migrating from a third-party HIPS to ASR rules](migrating-asr-rules.md).)

+- Fixed memory leak where `MsMpEng.exe` was consuming private bytes. (If high CPU usage is also an issue, see [High CPU usage due to Microsoft Defender Antivirus](troubleshooting-mode-scenarios.md))

+- Fixed deadlock with [behavior monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)

+- Improved trust validation

+- Fixed engine crash issue on legacy operating platforms

+- Performance Analyzer v3 updates: Added top path support, scan skip information, and OnDemand scan support. See [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).

+### Known Issues

+No known issues

+<br/><br/>

+</details><details>

+</details>

+### Previous version updates: Technical upgrade support only

+After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only.<br/><br/>

+<details>

+&ensp;Support phase: **Technical upgrade support (only)**<br/>

+</details><details>

+The option to **Ask Defender Experts** is available in several places in the portal so you can engage with experts in the context of your investigation:

+|Where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')

+|where ActionType contains "ExploitGuardNetworkProtection"

+|extend ParsedFields=parse_json(AdditionalFields)

+|project DeviceName, ActionType, Timestamp, RemoteUrl, InitiatingProcessFileName, IsAudit=tostring(ParsedFields.IsAudit), ResponseCategory=tostring(ParsedFields.ResponseCategory), DisplayName=tostring(ParsedFields.DisplayName)

+|sort by Timestamp desc

+> [!NOTE]

+> You can't use wildcards in the sending infrastructure.

+- A verified DKIM domain.

+ - A verified DKIM domain.

+ This example configures exceptions from the Defender for Office 365 protections in the Strict preset security policy for the specified security operations (SecOps) mailboxes.

+ - A verified DKIM domain.

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Email Authentication Settings** in the **Rules** section \>**DKIM**. To go directly to the DKIM page, use <https://security.microsoft.com/dkimv2>.

+[Use DMARC to validate email](/microsoft-365/security/office-365-security/use-dmarc-to-validate-email)

+[Use trusted ARC Senders for legitimate mailflows](/microsoft-365/security/office-365-security/use-arc-exceptions-to-mark-trusted-arc-senders)

+ - **Sender** (domain in source server's PTR record, IP/24 address, or verified DKIM domain)

+Regulatory standards that are recommended for consideration by energy organizations include FedRAMP (US Federal Risk and Authorization Management Program) which is based on and augments the NIST SP 800-53 Rev 4 standard (National Institute of Standards and Technology).

+## Identify Sensitive Data and Prevent Data Loss

+### Communication compliance

+With many communication channels available to employees, organizations increasingly require effective solutions for detecting and investigating communications in regulated industries such as energy trading markets. These challenges can include increasing numbers of communication channels and message volume and the risk of potential fines for policy violations.

+[Microsoft Purview Communication Compliance](/microsoft-365/compliance/communication-compliance) is a compliance solution that helps minimize communication risks by helping you detect, investigate, and act on inappropriate messages in your organization. Pre-defined and custom policies allow you to scan internal and external communications for policy matches so they can be examined by designated reviewers. Reviewers can investigate scanned email, Microsoft Teams, Yammer, or third-party communications in your organization and take appropriate actions to make sure they're compliant with your organization's message standards.

+Communication Compliance helps compliance teams effectively and efficiently review messages for potential violations of:

+- corporate Policies, such as acceptable use, ethical standards, and corporate specific policies

+- regulatory compliance requirements, such as employee communications regarding the types of businesses or transactions in which an organization engages in compliance with FERC regulations for energy markets

+Communication compliance provides built-in threat, harassment, and profanity classifiers to help reduce false positives when reviewing communications. This saves reviewers time during the investigation and remediation process. It helps reviewers focus on specific messages within long threads that have been highlighted by policy alerts. This helps compliance teams more quickly identify and remediate risks. It provides compliance teams with the ability to easily configure and fine-tune policies, adjusting the solution to the organization's specific needs and reducing false positives. Communication compliance can also help to identify potentially risky user behavior over time, highlighting potential patterns in risky behavior or policy violations. Finally, it provides flexible built-in remediation workflows. These workflows help reviewers quickly take action to escalate to legal or human resources teams according to defined corporate processes.

+## Protect against data exfiltration and insider risk

+A common threat to enterprises is data exfiltration, or the act of extracting data from an organization. This can be a significant concern for energy organizations due to the sensitive nature of the information that may be accessed by employees or field service staff day-to-day. This data includes both BES (Bulk Electric System) Cyber System information as well as business-related information and customer data. With the increasing methods of communications available and many tools for moving data, advanced tools are typically required to mitigate risks of data leaks, policy violations, and insider risk.

+### Insider risk management

+[Microsoft Purview Insider Risk Management](/microsoft-365/compliance/insider-risk-management) is a compliance solution that helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization, including acting on cases and escalating cases to Microsoft eDiscovery (Premium) if needed. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards.

+For example, insider risk management can correlate signals from a user's devices (such as copying files to a USB drive or emailing a personal email account) with activities from online services (such as Office 365 email, SharePoint Online, Microsoft Teams, OneDrive for Business) to identify data exfiltration patterns. It can also correlate these activities with employees leaving an organization which is a common behavioral pattern associated with data exfiltration. It can detect multiple potentially risky activities and behavior over time. When common patterns emerge, it can raise alerts and help investigators focus on key activities to verify a policy violation with a high degree of confidence. Insider risk management can also obfuscate data from investigators to help meet data privacy regulations while still surfacing key activities that help them efficiently perform investigations. When ready, it allows investigators to package and securely send key activity data to human resources and legal departments following common escalation workflows for raising cases for remediation action.

+Insider risk management is a significant increase in capabilities in Microsoft 365 for detecting and investigating insider risks while allowing organizations to still meet data privacy regulations and follow established escalations paths when cases require higher-level action.

+[Microsoft Purview Communication Compliance](/microsoft-365/compliance/communication-compliance) is a compliance solution that helps minimize communication risks by helping you detect, investigate, and act on inappropriate messages in your organization. Pre-defined and custom policies allow you to scan internal and external communications for policy matches so they can be examined by designated reviewers. Reviewers can investigate scanned email, Microsoft Teams, Yammer, or third-party communications in your organization and take appropriate actions to make sure they're compliant with your organization's message standards.

+Communication compliance provides reports that enable policy review activities to be audited based on the policy and the reviewer. Reports are available to validate that policies are working as defined by an organization's written policies. They can also be used to identify communications that require review and those that are not compliant with corporate policy. Finally, all activities related to configuring policies and reviewing communications are audited in the Office 365 unified audit log. As a result, communication compliance also helps financial institutions to comply with FINRA Rule 3120.

+In addition to complying with FINRA rules, communication compliance allows organizations to detect and act on communications that may be impacted by other legal requirements, corporate policies, and ethical standards. Communication compliance provides built-in threat, harassment, and profanity classifiers that help reduce false positives when reviewing communications, saving reviewers time during the investigation and remediation process. It also allows organizations to reduce risk by detecting communications when they undergo sensitive organizational changes, such as mergers and acquisitions or leadership changes.

+[Microsoft Purview Insider Risk Management](/microsoft-365/compliance/insider-risk-management) is a compliance solution that helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization, including acting on cases and escalating cases to Microsoft eDiscovery (Premium) if needed. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards.

+For example, insider risk management can correlate signals from a user's devices, such as copying files to a USB drive or emailing a personal email account, with activities from online services such as Office 365 email, SharePoint Online, Microsoft Teams, or OneDrive for Business, to identify data exfiltration patterns. It can also correlate these activities with employees leaving an organization, which is a common data exfiltration pattern. It can detect multiple potentially risky activities and behavior over time. When common patterns emerge, it can raise alerts and help investigators focus on key activities to verify a policy violation with a high degree of confidence. Insider risk management can pseudo-anonymize data from investigators to help meet data privacy regulations, while still surfacing key activities that help them perform investigations efficiently. It allows investigators to package and securely send key activity data to the HR and legal departments, following common escalation workflows for raising cases for remediation action.

+Insider risk management significantly increases capabilities of organizations to detect and investigate insider risks while allowing organizations to still meet data privacy regulations and follow established escalation paths when cases require higher-level action.