Device Security

Monitor and assess the security posture of devices across your organization. View device health status, security configurations, compliance state, and vulnerability exposure from Microsoft Defender for Endpoint.

Note: Device security insights require Microsoft Defender for Endpoint onboarding. Included with Microsoft 365 E5 or available as Defender for Endpoint Plan 1/Plan 2.

Security Overview

  • 847 — Secure Devices
  • 123 — At Risk
  • 12 — High Exposure
  • 45 — Onboarding

Device Risk Levels

  • High — Active threats detected, unpatched critical vulnerabilities, or security features disabled. Requires immediate attention. Examples: Active malware, critical CVEs, Defender disabled.
  • Medium — Potential risks identified but no active threats. Missing recommended security configurations or moderate vulnerabilities. Examples: Missing patches, weak configurations.
  • Low — Device meets security baselines. No significant risks or vulnerabilities detected. Compliant with security policies. Examples: Fully patched, Defender active, compliant.

Device Inventory

| Column | Description |
| --- | --- |
| Device Name | Computer hostname |
| Risk Level | High, Medium, Low, or No data |
| Exposure Level | Vulnerability exposure score |
| OS Platform | Windows, macOS, Linux, iOS, Android |
| Health State | Active, Inactive, Misconfigured |
| Onboarding Status | Onboarded, Pending, Failed |
| Last Seen | Last active communication |

Device Details

Security State

  • Antivirus status and signature version
  • Real-time protection enabled
  • Cloud-delivered protection status
  • Tamper protection enabled
  • Firewall state per profile

Vulnerability Assessment

  • Missing security updates
  • Software vulnerabilities (CVEs)
  • Configuration weaknesses
  • Exposure score breakdown

Active Alerts

  • Malware detections
  • Behavioral alerts
  • Network anomalies
  • Policy violations

Compliance

  • Intune compliance status
  • Security baseline compliance
  • Configuration profile status
  • Encryption status (BitLocker/FileVault)

Security Recommendations

  • Enable Tamper Protection (High Impact) — Prevents malware from disabling Defender security features. Affected: 23 devices.
  • Update Vulnerable Software (Medium Impact) — Update applications with known security vulnerabilities. Affected: 156 devices.
  • Enable Cloud Protection (Medium Impact) — Enable cloud-delivered protection for faster threat response. Affected: 45 devices.

Device Actions

Isolate Device

Disconnect device from network while maintaining Defender connection. Use during active incident investigation.

Run Antivirus Scan

Initiate quick or full antivirus scan remotely. Results appear in device timeline.

Collect Investigation Package

Gather forensic data from device including event logs, running processes, and network connections.

Restrict App Execution

Block non-Microsoft signed applications from running. Emergency measure during incidents.

Onboarding Status

  • Onboarded — Device is actively reporting to Defender for Endpoint. Security data and telemetry flowing normally.
  • Pending — Onboarding package deployed but device hasn’t reported yet. May take up to 24 hours for first check-in.
  • Can be Onboarded — Device meets requirements but onboarding hasn’t been initiated. Deploy onboarding configuration profile.
  • Unsupported — Device OS or version not supported by Defender for Endpoint. Check platform requirements.

Best Practices

  • Onboard all endpoints — Ensure 100% coverage for complete visibility into device security.
  • Address high-risk devices first — Prioritize remediation for devices with active threats or critical vulnerabilities.
  • Enable tamper protection — Prevent malware from disabling security features on devices.
  • Monitor inactive devices — Investigate devices that haven’t checked in recently; a missed check-in may indicate issues.
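
The triage order from these best practices, applied to records shaped like the Device Inventory columns, as an added example that is not part of the product or its API client. The field names, the 7-day staleness threshold and the sample records are assumptions; this page does not document the response schema of GET /api/security/device-security.

```python
from datetime import datetime, timedelta, timezone

# Sort order: "No data" ranks above Low because an unknown posture
# cannot be assumed safe (a choice made for this example).
RISK_RANK = {"High": 0, "Medium": 1, "No data": 2, "Low": 3}
STALE_AFTER = timedelta(days=7)  # assumed threshold, not from the page


def triage(devices, now):
    """Return [(deviceName, [reasons])], most urgent first; healthy devices omitted."""
    findings = []
    for d in devices:
        risk, reasons = d["riskLevel"], []
        if risk != "Low":
            reasons.append("risk:" + risk)
        if d["healthState"] != "Active":
            reasons.append("health:" + d["healthState"])
        if d["onboardingStatus"] != "Onboarded":
            reasons.append("onboarding:" + d["onboardingStatus"])
        if d.get("lastSeen") is None:  # e.g. a Pending device that never checked in
            reasons.append("never-seen")
        else:
            age = now - datetime.fromisoformat(d["lastSeen"])
            if age > STALE_AFTER:
                reasons.append(f"stale:{age.days}d")
        if reasons:
            findings.append((RISK_RANK.get(risk, 2), d["deviceName"], reasons))
    findings.sort(key=lambda f: f[:2])  # by risk rank, then device name
    return [(name, reasons) for _, name, reasons in findings]


def _dev(name, risk, health, onboarding, last_seen):
    # Hypothetical record layout mirroring the inventory columns.
    return {"deviceName": name, "riskLevel": risk, "healthState": health,
            "onboardingStatus": onboarding, "lastSeen": last_seen}


# Constructed sample records (not real devices, not real API output).
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    _dev("LAPTOP-01", "Low", "Active", "Onboarded", "2024-06-15T09:00:00+00:00"),
    _dev("SRV-DB-02", "High", "Active", "Onboarded", "2024-06-15T11:30:00+00:00"),
    _dev("KIOSK-07", "Low", "Inactive", "Onboarded", "2024-05-20T08:00:00+00:00"),
    _dev("MAC-DESIGN-3", "Medium", "Misconfigured", "Onboarded", "2024-06-14T16:00:00+00:00"),
    _dev("TABLET-12", "No data", "Inactive", "Pending", None),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE, NOW):
        print(f"{name:14} {', '.join(reasons)}")
```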

API Reference

  • GET /api/security/device-security — List all devices with security status
  • GET /api/security/device-security/:deviceId — Get device security details
  • POST /api/security/device-security/:deviceId/isolate — Isolate device from network
  • POST /api/security/device-security/:deviceId/scan — Run antivirus scan
  • GET /api/security/device-security/recommendations — Get security recommendations