Reporting on Defender for Endpoint Agent Status

Did you know you can query and see Defender for Endpoint's health across Defender 365 and Defender for Cloud? Let's take a look at how we can report on things such as the health and enabled status of:

  • Real Time Protection
  • Sensor Data Collection
  • Sensor Enablement
  • Tamper Protection
  • Potentially Unwanted Application Protection
  • Agent Communication
  • EDR Blocking Mode
  • Antivirus
  • Antivirus Reporting
  • Antivirus Signature
  • Behavior Monitoring
  • Ransomware Protection (Controlled Folder Access)

Defender 365

In the Defender 365 Portal, security.microsoft.com, we can see agent health in several areas. Defender 365 will have the most comprehensive report.

Device Health Report

1. From the https://security.microsoft.com/ portal navigate to Reports > Device Health
2. Under the Microsoft Defender Antivirus Health tab, the first box shows devices in active, passive, and EDR modes.
3. You can click on the colors to show more details.

Device health, Microsoft Defender Antivirus health report | Microsoft Learn

Advanced Hunting

1. From the https://security.microsoft.com/ portal navigate to Hunting > Advanced Hunting
2. Select Queries
3. Under Community Queries expand General queries
4. Double click Endpoint Agent Health Status Report
5. Click Run Query

Defender for Cloud

Specifically for server workloads, Defender for Cloud can report on endpoint protection status.

Endpoint Protection Health Recommendation

A few requirements to know about before diving into this report.

  • This recommendation supports multiple endpoint protection vendors, as described in Supported endpoint protection solutions
  • This recommendation requires the Azure Monitor Agent to be installed on the endpoint
  • Refer to the conditions this recommendation applies to, per vendor, in Endpoint protection assessment and recommendations
  • Specifically for Defender for Endpoint, this recommendation shows unhealthy if any of the following occurs:
    • Any of the following properties are false:
      • AMServiceEnabled
      • AntispywareEnabled
      • RealTimeProtectionEnabled
      • BehaviorMonitorEnabled
      • IoavProtectionEnabled
      • OnAccessProtectionEnabled
    • One or both of the following properties are 7 or more:
      • AntispywareSignatureAge
      • AntivirusSignatureAge

1. Navigate to the "Endpoint protection health issues should be resolved on your machines" recommendation in Defender for Cloud and review the results
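The property names above are the same ones Get-MpComputerStatus returns, so the recommendation's unhealthy logic can be reproduced locally to see why a given server is flagged. The following is an added example, not code from the original post or from Microsoft; Test-DefenderHealth and the sample object are constructed here for illustration.

```powershell
# Added example: mirror the Defender for Cloud "unhealthy" conditions locally.
# Works on a live Get-MpComputerStatus result or on any object with the same property names.
function Test-DefenderHealth {
    param(
        [Parameter(Mandatory)] $Status,
        [int] $MaxSignatureAgeDays = 7    # threshold from the recommendation (7 or more = unhealthy)
    )

    $reasons = @()

    # Each of these must be $true, otherwise the recommendation reports unhealthy.
    $requiredTrue = @(
        'AMServiceEnabled', 'AntispywareEnabled', 'RealTimeProtectionEnabled',
        'BehaviorMonitorEnabled', 'IoavProtectionEnabled', 'OnAccessProtectionEnabled'
    )
    foreach ($name in $requiredTrue) {
        if (-not $Status.$name) { $reasons += "$name is false" }
    }

    # A signature age of 7 or more days on either property is also unhealthy.
    foreach ($name in 'AntispywareSignatureAge', 'AntivirusSignatureAge') {
        if ([int]$Status.$name -ge $MaxSignatureAgeDays) {
            $reasons += "$name is $($Status.$name) days (threshold $MaxSignatureAgeDays)"
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Healthy      = ($reasons.Count -eq 0)
        Reasons      = $reasons
    }
}

# Constructed sample (not real data) with real-time protection off and stale signatures.
$sample = [pscustomobject]@{
    AMServiceEnabled = $true;  AntispywareEnabled = $true;    RealTimeProtectionEnabled = $false
    BehaviorMonitorEnabled = $true; IoavProtectionEnabled = $true; OnAccessProtectionEnabled = $true
    AntispywareSignatureAge = 9;   AntivirusSignatureAge = 9
}
Test-DefenderHealth -Status $sample

# Live check when the Defender PowerShell module is available on this host.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    Test-DefenderHealth -Status (Get-MpComputerStatus)
}
```

Run it on a server that shows as unhealthy to get the specific property (or properties) to fix before the recommendation re-evaluates.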