Microsoft Defender for Endpoint Antivirus and Intune integration

Prerequisites

Supported operating systems

  • Windows
  • macOS
  • Android

In the Microsoft Defender portal, you can view and manage threat detections using the following steps:

  1. Visit the Microsoft Defender portal at https://security.microsoft.com and sign in.

    On the landing page, you see the Devices with active malware card with the following information:

    • Display text: Applies to Intune-managed devices. Devices with multiple malware detections may be counted more than once.
    • Last updated date and time.
    • A bar showing the Active and Malware remediated portions, based on your scan results.

    You can select View Details for more information.

  2. Once remediated, you see the following text being displayed:

    Malware found on your devices have been remediated successfully.

Manage threat detections in Microsoft Intune

You can manage threat detections for any devices that are enrolled in Microsoft Intune using the following steps:

  1. Go to the Microsoft Intune admin center at intune.microsoft.com and sign in.

  2. In the navigation pane, select Endpoint security.

  3. Under Manage, select Antivirus. You see tabs for Summary, Unhealthy endpoints, and Active malware.

  4. Review the information on the available tabs, and then take action as necessary.

    For example, when you select a device that is listed under the Active malware tab, you can choose one action from the list of actions provided:

    • Restart
    • Quick Scan
    • Full Scan
    • Sync
    • Update signatures

FAQs

In the Microsoft Defender portal > Devices with active malware > Devices with malware detections report, why does the Last update seem to be occurring today?

To see when the malware was detected, you can take the following steps:

  1. Since this is an integration with Intune, visit the Intune admin center, select Antivirus, and then select the Active malware tab.

  2. Select Export.

  3. On your device, go to Downloads, and extract the Active malware_YYYY_MM_DD_THH_MM_SS.0123Z.csv.zip file.

  4. Open the CSV and find the LastStateChangeDateTime column to see when malware was detected.

In the devices with malware detections report, why can't I see any information about which malware was detected on the device?

Because this is an integration with Intune, the malware name is shown in the Intune admin center: select Antivirus, then select the Active malware tab, and look at the Malware name column.

Why do I see a different number for active malware in the Devices with active malware report than in Reports > Detected malware and Intune > Antivirus > Active malware?

The Devices with active malware report is based on the devices that were active within the last 1 day (24 hours) and had malware detections within the last 15 days.

To reproduce the set of devices that report counts, use the following Advanced Hunting query:

// Devices that reported in on the day of interest (adjust the date to the day the
// report was generated), are onboarded, and have an active sensor
DeviceInfo
| where Timestamp > startofday(datetime(2024-01-29 00:00:00))
| where OnboardingStatus == "Onboarded"
| where SensorHealthState == "Active"
| distinct DeviceId, DeviceName
// ...joined to antivirus alert evidence from the last 15 days
| join kind=innerunique (
    AlertEvidence
    | where Timestamp > ago(15d)
    | where ServiceSource == "Microsoft Defender for Endpoint"
    | where DetectionSource == "Antivirus")
    on DeviceName
| distinct DeviceName, DeviceId, Title, AlertId, Timestamp

I searched for the computer name in the top search bar and got two devices with the same name. How do I know which of the two devices the report is referring to?

Use the Advanced Hunting query shown above for details such as the unique DeviceId, Title, AlertId, and the remediation process. After identifying the device, work with your IT admins to make sure that devices are uniquely named. If a device is retired, use tags to decommission it.
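
The three answers above all come back to the Active malware export: LastStateChangeDateTime tells you when a detection was last seen, the Malware name column tells you what was found, and the report only counts detections from the last 15 days. The following Python script is an added example (not part of this page or of Microsoft's tooling) that reads such an export and applies those rules; it uses a constructed sample, and the "Device name" and "Device ID" column names are assumptions, so check them against the header of your own export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an Active malware export. "Malware name" and
# LastStateChangeDateTime are the columns the page mentions; "Device name" and
# "Device ID" are assumed column names for this example. Device IDs are fake.
SAMPLE_CSV = """Device name,Device ID,Malware name,LastStateChangeDateTime
LAPTOP-01,00000000-0000-0000-0000-000000000001,Virus:DOS/EICAR_Test_File,2024-01-28T08:00:00Z
LAPTOP-01,00000000-0000-0000-0000-000000000002,Placeholder:Win32/SampleThreat,2024-01-27T10:15:00Z
DESKTOP-07,00000000-0000-0000-0000-000000000003,Virus:DOS/EICAR_Test_File,2024-01-10T12:30:00Z
"""


def parse_utc(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_export(text):
    """Return one dict per row, with LastStateChangeDateTime as a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["LastStateChangeDateTime"] = parse_utc(row["LastStateChangeDateTime"])
        rows.append(row)
    return rows


def recent_detections(rows, now, days=15):
    """Rows whose detection time falls inside the report's 15-day window."""
    cutoff = now - timedelta(days=days)
    return [r for r in rows if r["LastStateChangeDateTime"] >= cutoff]


def ambiguous_names(rows):
    """Device names that map to more than one Device ID (not uniquely named)."""
    ids = defaultdict(set)
    for r in rows:
        ids[r["Device name"]].add(r["Device ID"])
    return sorted(name for name, id_set in ids.items() if len(id_set) > 1)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    now = parse_utc("2024-01-29T00:00:00Z")
    for r in recent_detections(rows, now):
        print(r["Device name"], r["Device ID"], r["Malware name"],
              r["LastStateChangeDateTime"].isoformat())
    print("Names shared by several devices:", ambiguous_names(rows))
```

With the sample data, DESKTOP-07 drops out because its detection is older than 15 days, and LAPTOP-01 is flagged as a name shared by two Device IDs.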

I see malware detection in Intune and on the Devices with active malware report, but I don't see it in the MDE Alerts queue or in the Incidents queue

This happens when cloud protection traffic isn't allowed through your firewall or proxy.

Do the following steps to verify that your network can communicate with the Microsoft Defender Antivirus cloud service:

  1. Open an elevated Command Prompt (a Command Prompt window you opened by selecting Run as administrator). For example:

    1. Open the Start menu, and then type cmd.
    2. Right-click on the Command Prompt result, and then select Run as administrator.
  2. In the elevated Command Prompt, run the following commands:

    Tip

    The first command changes the directory to the latest version of <antimalware platform version> in %ProgramData%\Microsoft\Windows Defender\Platform\<antimalware platform version>. If that path doesn't exist, it goes to %ProgramFiles%\Windows Defender.

    (set "_done=" & if exist "%ProgramData%\Microsoft\Windows Defender\Platform\" (for /f "delims=" %d in ('dir "%ProgramData%\Microsoft\Windows Defender\Platform" /ad /b /o:-n 2^>nul') do if not defined _done (cd /d "%ProgramData%\Microsoft\Windows Defender\Platform\%d" & set _done=1)) else (cd /d "%ProgramFiles%\Windows Defender")) >nul 2>&1

    MpCmdRun.exe -ValidateMapsConnection

For more information about MpCmdRun, see Configure and manage Microsoft Defender Antivirus with the MpCmdRun command-line tool.

I see a device that has been inactive for 180+ days but is still showing up on the Devices with active malware report. The device doesn't show in the Device inventory, can't be turned on, and can't be offboarded from Microsoft Defender for Endpoint.

The device hasn't been retired from Intune.