Manage devices in Microsoft Defender for Business
In Defender for Business, you can manage devices as follows:
- View a list of onboarded devices to see their risk level, exposure level, and health state
- Take action on a device that has threat detections
- View the state of Microsoft Defender Antivirus
- Onboard a device to Defender for Business
- Offboard a device from Defender for Business
View the list of onboarded devices
Important
In order to view the list of onboarded devices, you must have one of the following roles assigned:
- Global Administrator
- Security Administrator
- Security Reader
Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.
In the navigation pane, go to Assets > Devices.
Select a device to open its flyout panel, where you can learn more about its status and take action.
If you don't have any devices listed yet, Onboard devices to Defender for Business
Take action on a device that has threat detections
Important
In order to take action on a device with detected threats, you must have one of the following roles assigned:
- Global Administrator
- Security Administrator
In the Microsoft Defender portal (https://security.microsoft.com), in the navigation pane, go to Assets > Devices.
Select a device to open its flyout panel, and review the information that is displayed.
Select the ellipsis (...) to open the actions menu.
Select an action, such as Run antivirus scan or Initiate Automated Investigation.
View the state of Microsoft Defender Antivirus
Microsoft Defender Antivirus is a key component of next-generation protection in Defender for Business. When devices are onboarded to Defender for Business, Microsoft Defender Antivirus can have one of the following states:
- Active mode
- Passive mode
- Disabled (or uninstalled) mode
To view the state of Microsoft Defender Antivirus, you can choose from several options, such as:
- Reports, like the Device health report; or
- One of the methods described in How to confirm the state of Microsoft Defender Antivirus.
The following table describes each state and what it means.
| Microsoft Defender Antivirus state | What it means |
|---|---|
| Active mode (recommended) |
Microsoft Defender Antivirus is used as the antivirus app on the machine. Files are scanned, threats are remediated, and detection information is reported in the Microsoft Defender portal and in the Windows Security app on a device running Windows. We recommend running Microsoft Defender Antivirus in active mode so that devices onboarded to Defender for Business will get all of the following types of protection: - Real-time protection, which locates and stops malware from running on devices. - Cloud protection, which works with Microsoft Defender Antivirus and the Microsoft cloud to identify new threats, sometimes even before a single device is affected. - Network protection, which helps protect against phishing scams, exploit-hosting sites, and malicious content on the internet. - Web content filtering, which regulates access to websites based on content categories (such as adult content, high bandwidth, and legal liability) across all browsers. - Protection from potentially unwanted applications, such as advertising software, bundling software that offers to install other, unsigned software, and evasion software that attempts to evade security features. |
| Passive mode | A non-Microsoft antivirus/antimalware product is installed on the device, and even though the device has been onboarded to Defender for Business, Microsoft Defender Antivirus can detect threats but doesn't remediate them. Devices with Microsoft Defender Antivirus can still receive security intelligence and platform updates. You can switch Microsoft Defender Antivirus to active mode automatically by uninstalling the non-Microsoft antivirus/antimalware product. |
| Disabled mode | A non-Microsoft antivirus/antimalware product is installed on the device, and the device hasn't been onboarded to Defender for Business. Whether Microsoft Defender Antivirus went into disabled mode automatically or was set manually, it's not currently running on the device. In this case, Microsoft Defender Antivirus neither detects nor remediates threats on the device. You can switch Microsoft Defender Antivirus to active mode by uninstalling the non-Microsoft antivirus/antimalware solution and onboarding the device to Defender for Business. |
Onboard a device
See Onboard devices to Defender for Business.
Offboard a device
See Offboarding a device.
Next steps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for