Device inventory

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

The Device inventory shows a list of the devices in your network where alerts were generated. By default, the queue displays devices seen in the last 30 days.

At a glance you'll see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.

Note

The device inventory is available in different Microsoft 365 Defender services. The information available to you will differ depending on your license. You'll get the most complete set of capabilities when using Microsoft Defender for Endpoint Plan 2.

There are several options you can choose from to customize the devices list view. On the top navigation you can:

  • Add or remove columns
  • Export the entire list in CSV format
  • Select the number of items to show per page
  • Apply filters

During the onboarding process, the Devices list is gradually populated with devices as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online, or download the complete endpoint list as a CSV file for offline analysis.

Note

If you export the device list, it will contain every device in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself.

The list of devices

Sort and filter the device list

You can apply the following filters to limit the list of alerts and get a more focused view.

Device name

During the Microsoft Defender for Endpoint onboarding process, devices onboarded to MDE are gradually populated into the device inventory as they begin to report sensor data. Following this, the device inventory is populated by devices that are discovered in your network through the device discovery process. The device inventory has three tabs that list devices by:

  • Computers and Mobile: Enterprise endpoints (workstations, servers and mobile devices)
  • Network devices: Devices like routers and switches
  • IoT devices: Devices like printers and cameras

Access the device inventory page by selecting Device inventory from the Endpoints navigation menu in the Microsoft 365 Defender portal.

Device inventory overview

The device inventory opens on the Computers and Mobile tab. At a glance you'll see information such as device name, domain, risk level, exposure level, OS platform, onboarding status, sensor health state, and other details for easy identification of devices most at risk.

Use the Onboarding Status column to sort and filter by discovered devices, and those already onboarded to Microsoft Defender for Endpoint.

Image of devices list with list of devices.

From the Network devices and IoT devices tabs, you'll also see information such as vendor, model and device type:

Image of network devices list.

At the top of each device inventory tab, you can see the total number of devices, the number of devices that are not yet onboarded, and the number of devices that have been identified as a higher risk to your organization. You can use this information to help you prioritize devices for security posture improvements.

The Newly discovered device count for network devices and IoT devices tabs, shows the number of new devices discovered, in the last 7 days, listed in the current view.

Image of new discovered device count.

Explore the device inventory

There are several options you can choose from to customize the device inventory view. On the top navigation for each tab you can:

  • Search for a device by name
  • Search for a device by the most recently used IP address or IP address prefix
  • Add or remove columns
  • Export the entire list in CSV format for offline analysis
  • Select the date range to display
  • Apply filters

Note

If you export the device list, it will contain every device in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself.

You can use the sort and filter functionality available on each device inventory tab to get a more focused view, and to help you assess and manage the devices in your organization.

The counts on the top of each tab will be updated based on the current view.

Use filters to customize the device inventory views

Filter Description
Risk level
The risk level reflects the overall risk assessment of the device based on a combination of factors, including the types and severity of active alerts on the device. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.
Exposure level
The exposure level reflects the current exposure of the device based on the cumulative impact of its pending security recommendations. The possible levels are low, medium, and high. Low exposure means your devices are less vulnerable from exploitation.

If the exposure level says "No data available," there are a few reasons why this may be the case:
- Device stopped reporting for more than 30 days. In that case it's considered inactive, and the exposure isn't computed.
- Device OS not supported - see minimum requirements for Microsoft Defender for Endpoint.
- Device with stale agent (unlikely).
Tags
Filter the list based on the grouping and tagging that you've added to individual devices. See Create and manage device tags.
Device value
Filter the list based on whether the device has been marked as high value or low value.
Exclusion state
Filter the list based on whether the device has been excluded or not. For more information, see Exclude devices.
OS Platform
Filter by the OS platforms you're interested in investigating
(Computers and mobile and IoT devices only)
First seen
Filter your view based on when the device was first seen in the network or when it was first reported by the Microsoft Defender for Endpoint sensor.
(Computers and mobile and IoT devices only)
Windows version
Filter by the Windows versions you're interested in investigating.
(Computers and mobile only)
Sensor health state
Filter by the following sensor health states, for devices onboard to Microsoft Defender for Endpoint:
- Active: Devices that are actively reporting sensor data to the service.
- Inactive: Devices that have stopped sending signals for more than 7 days.
- Misconfigured: Devices that have impaired communications with service or are unable to send sensor data.
Misconfigured devices can further be classified to:
- No sensor data
- Impaired communications
For more information on how to address issues on misconfigured devices see, Fix unhealthy sensors.

(Computers and mobile only)
Onboarding status
Onboarding status indicates whether the device is currently onboarded to Microsoft Defender for Endpoint or not. You can filter by the following states:
- Onboarded: The endpoint is onboarded to Microsoft Defender for Endpoint.
- Can be onboarded: The endpoint was discovered in the network as a supported device, but it's not currently onboarded. Microsoft highly recommends onboarding these devices.
- Unsupported: The endpoint was discovered in the network, but is not supported by Microsoft Defender for Endpoint.
- Insufficient info: The system couldn't determine the supportability of the device.
(Computers and mobile only)
Antivirus status
Filter the view based on whether the antivirus status is disabled, not updated or unknown.
(Computers and mobile only)
Group
Filter the list based on the group you're interested in investigating.
(Computers and mobile only)
Managed by
Managed by indicates how the device is being managed. You can filter by:
- Microsoft Defender for Endpoint
- Mobile device management (MDM)
- Unknown: This could be due the running an outdated Windows version, SCCM being in place, or another third party MDM.

(Computers and mobile only)
Device Type
Filter by the device type you're interested in investigating.
(IoT devices only)

Use columns to customize the device inventory views

You can add or remove columns from the view and sort the entries by clicking on an available column header.

On the Computer and Mobiles tab, select Customize columns to see the columns available. The default values are checked in the image below:

Image of computers and mobiles

On the Network devices tab, select Customize columns to see the columns available. The default values are checked in the image below:

Image of network device columns

On the IoT devices tab, select Customize columns to see the columns available. The default values are checked in the image below:

Image of IoT device columns

Investigate devices in the Microsoft Defender for Endpoint Devices list