Device inventory
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Vulnerability Management
- Microsoft Defender XDR
The Device inventory shows a list of the devices in your network where alerts were generated. By default, the queue displays devices seen in the last 30 days. At a glance, you see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.
Note
The device inventory is available in Microsoft Defender XDR services. The available information might differ depending on your license. To get the most complete set of capabilities, use Microsoft Defender for Endpoint Plan 2.
Risk Level, which can influence enforcement of Conditional Access and other security policies in Microsoft Intune, is now available for Windows devices.
There are several options you can choose from to customize the devices list view. On the top navigation you can:
- Add or remove columns.
- Export the entire list in CSV format.
- Select the number of items to show per page.
- Apply filters.
During the onboarding process, the Devices list is gradually populated with devices as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online, or download the complete endpoint list as a CSV file for offline analysis.
Note
If you export the devices list, it contains every device in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file includes all devices in the organization, regardless of any filtering applied in the view itself.
In addition, when you export the devices list, the antivirus status shows as Not-Supported. For antivirus status, use the recently released Microsoft Defender Antivirus health report instead. This report allows you to export even more details.
Sort and filter the device list
You can apply the following filters to limit the list of alerts and get a more focused view.
Device name
During the Microsoft Defender for Endpoint onboarding process, devices onboarded to Defender for Endpoint are gradually populated into the device inventory as they begin to report sensor data. The device inventory is also populated by devices that are discovered in your network through the device discovery process. The device inventory has the following tabs:
- All devices
- Computers & mobile: Enterprise endpoints (workstations, servers, and mobile devices).
- Network devices: Devices like routers and switches.
- IoT/OT devices: Enterprise internet of things (IoT) devices like printers and cameras, and operational technology (OT) devices like servers or packaging systems.
- Uncategorized devices: Devices that couldn't be properly classified.
Navigate to the Device inventory page
In the Defender portal at https://security.microsoft.com, go to Assets > Devices. Or, to go directly to the Device inventory page, use https://security.microsoft.com/machines.
Device inventory overview
The device inventory opens on the All devices tab. You can see information such as device name, domain, risk level, exposure level, OS platform, criticality level, onboarding status, sensor health state, mitigation status, and other details for easy identification of devices most at risk.
The Classify critical assets card allows you to define device groups as business critical. You might also see the Attack path warning card, which takes you to Attack paths to examine if any of your assets are part of an attack path. For more information, see Overview of attack paths.
Note
Classify critical assets and attack path information is part of Microsoft Security Exposure Management, which is currently in public preview.
Use the Onboarding Status column to sort and filter by discovered devices, and devices that are already onboarded to Microsoft Defender for Endpoint.
From the Network devices and IoT/OT devices tabs, you also see information such as vendor, model, and device type.
Note
Device discovery integration with Microsoft Defender for IoT in the Defender portal (Preview) is available to help locate, identify, and secure your complete OT/IoT asset inventory. Devices discovered with this integration appear on the IoT/OT devices tab.
With Defender for IoT, you can also view and manage Enterprise IoT devices (like printers, smart TVs, and conferencing systems) as part of enterprise IoT monitoring. For more information, see Enable Enterprise IoT security with Defender for Endpoint.
At the top of each device inventory tab, the following device counts are available:
- Total: The total number of devices.
- Critical assets: The number of your business critical assets (All devices tab only).
- High risk: The number of devices that are identified as a higher risk to your organization.
- High exposure: The number of devices with high exposure.
- Not onboarded: The number of devices that aren't yet onboarded. (All devices and Computers & mobile tabs only).
- Newly discovered: The number of newly discovered devices within the last 7 days (all tabs except Computers & mobile).
You can use this information to help you prioritize devices for security posture improvements.
Explore the device inventory
There are several options to customize the device inventory view. On the top navigation for each tab you can:
- Search for a device by name.
- Search for a device by the most recently used IP address, MAC address, or IP address prefix.
- Add or remove columns.
- Export the entire list in CSV format for offline analysis.
- Select the date range to display.
- Apply filters.
Note
If you export the device list to CSV, it contains every device in your organization, so it might take a long time to download the CSV file. The CSV file contains unfiltered data for all devices in the organization, regardless of any filters.
You can use the sort and filter functionality on each device inventory tab to get a more focused view. These controls also help you assess and manage the devices in your organization.
The counts on the top of each tab are updated based on the current view.
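Because the CSV export ignores any filters set in the portal, the focused view has to be rebuilt offline. The following is an added example, not Microsoft's code: it re-applies filters to an exported list and recomputes the per-tab counts. The header names (assumed to match the column names on this page), the timestamp format, the sample rows, and the "not onboarded" rule are all assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample standing in for the exported CSV. Header names are assumed
# to match the column names on this page; check them against a real export.
SAMPLE_EXPORT = """\
Name,Risk level,Exposure level,Onboarding status,First seen,Antivirus status
ws-001,High,Medium,Onboarded,2024-05-01T08:00:00Z,Not-Supported
ws-002,Low,High,Onboarded,2024-05-28T09:30:00Z,Not-Supported
printer-7,Medium,High,Can be onboarded,2024-05-30T12:00:00Z,Not-Supported
srv-db1,High,High,Onboarded,2024-03-11T07:15:00Z,Not-Supported
cam-12,Low,Low,Unsupported,2024-05-29T16:45:00Z,Not-Supported
"""

def load_devices(csv_text):
    """Parse the export, dropping the antivirus column (always Not-Supported)."""
    devices = list(csv.DictReader(io.StringIO(csv_text)))
    for d in devices:
        d.pop("Antivirus status", None)
        # Assumed ISO 8601 UTC timestamps; adjust to the export's real format.
        d["First seen"] = datetime.fromisoformat(d["First seen"].replace("Z", "+00:00"))
    return devices

def apply_filters(devices, filters):
    """Re-apply portal-style filters: {column: set of allowed values}."""
    return [d for d in devices
            if all(d[col] in allowed for col, allowed in filters.items())]

def tab_counts(devices, now):
    """Recompute the counts shown at the top of a tab for the given view."""
    week_ago = now - timedelta(days=7)
    return {
        "Total": len(devices),
        "High risk": sum(d["Risk level"] == "High" for d in devices),
        "High exposure": sum(d["Exposure level"] == "High" for d in devices),
        # Assumption: any status other than "Onboarded" counts as not onboarded.
        "Not onboarded": sum(d["Onboarding status"] != "Onboarded" for d in devices),
        "Newly discovered": sum(d["First seen"] >= week_ago for d in devices),
    }

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" for the sample
    inventory = load_devices(SAMPLE_EXPORT)
    view = apply_filters(inventory, {"Exposure level": {"High"},
                                     "Onboarding status": {"Onboarded"}})
    print(tab_counts(inventory, now))
    print(tab_counts(view, now), [d["Name"] for d in view])
```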
Use filters to customize the device inventory views
The available device properties to use as filters vary based on the device inventory tab as described in the following table:
Property | Tabs | Description |
---|---|---|
Antivirus status | | The antivirus status of the device. The available values are: |
Cloud platforms | | The cloud platform that the device belongs to. The available values are: |
Criticality level | | The assigned criticality level of the device (how critical a device is for your organization). The available values are: For more information, see Overview of critical asset management. |
Device category | All devices | The category value assigned to the device. Enter a value or select from the available values: |
Device subtype | | The subtype value assigned to the device. Enter a value or select an available value (for example, Video conference). |
Device type | | The type value assigned to the device. Enter a value or select an available value (for example, Audio and Video). |
Device value | All | The assigned value of the device. The available values are High and Low. |
Exclusion state | All | The available values are Not excluded and Excluded. For more information, see Exclude devices. |
Exposure level | All | The exposure level of the device based on pending security recommendations. The available values are: |
First seen | All tabs except Network devices | How long ago the device was first seen on the network or when it was first reported by the Microsoft Defender for Endpoint sensor. The available values are Last 7 days or Over 7 days ago. |
Group | | Device groups. Enter a value in the box. |
Internet facing | | Whether the device is internet facing. The available values are Yes and No. |
Managed by | | How the device is being managed. The available values are: |
Mitigation status | | The available values are Contained and Isolated. |
Model | All devices | The model of the device. Enter a value or select from the available values. |
Onboarding status | | Whether the device is currently onboarded in Defender for Endpoint. Device discovery must be enabled for this filter to appear. The available values are: |
OS Platform | | The operating system on the device. The available values are: |
OS Version | All devices | The version of the operating system, which includes Windows versions. On the Computers & mobile tab, the Windows version filter is also available. |
Risk level | All | The overall risk assessment of the device based on a combination of factors, including the type and severity of active alerts on the device. The available values are: Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level. |
Sensor health state | | The available values for onboarded devices are: |
Site | | Used for Defender for IoT site security (requires a Defender for IoT license). |
Tags | All | The grouping and tagging that you added to individual devices. For more information, see Create and manage device tags. |
Transient device | All | The available values are No and Yes. By default, transient devices are filtered to reduce inventory noise. For more information, see Identifying transient devices. |
Vendor | All devices | The vendor of the device. Enter a value or select from the available values. |
Windows version | Computers & mobile | The version of Windows. The OS version filter is also available. The value Future version for this property is caused by one of the following scenarios: The full OS version is visible on the device details page. |
Use columns to customize the device inventory views
You can sort the entries by clicking on an available column header. Select Customize columns to change the columns that are shown. The default values are marked with an asterisk (*):
All devices tab:
- Name*
- IP*
- MAC address
- Criticality level*
- Device category*
- Device type*
- Device subtype
- Vendor
- Model
- Domain*
- Device AAD id*
- Risk level*
- Exposure level*
- OS platform*
- OS distribution
- OS version*
- Sensor health state*
- Onboarding status*
- First seen
- Last device update*
- Tags*
- Exclusion state
- Managed by*
- Managed by status*
- Mitigation status*
- Cloud platforms*
Firmware information for OT devices is displayed in the OS version and Model columns.
Computers & mobile tab:
- Name*
- Domain*
- Device AAD id*
- Device type
- Device subtype
- Risk level*
- Exposure level*
- OS platform*
- OS distribution
- Windows version*
- MAC address
- Criticality level*
- Sensor health state*
- Onboarding status*
- Last device update*
- First seen
- Tags*
- Exclusion state
- Managed by*
- Managed by status*
- Mitigation status*
- Cloud platforms*
Network devices tab:
- IP*
- MAC address
- Vendor*
- Model*
- Name*
- Domain
- Device type
- Device subtype
- Risk level*
- Exposure level*
- OS distribution*
- OS version*
- Last device update*
- First seen
- Tags*
- Exclusion state
IoT/OT devices tab:
- IP*
- MAC address*
- Name*
- Device type*
- Device subtype*
- Vendor*
- Model*
- Risk level*
- Exposure level*
- OS distribution*
- OS version*
- First seen
- Last device update*
- Domain
- Tags*
- Exclusion state
Uncategorized devices tab:
- Name*
- Vendor*
- IP*
- MAC address
- Risk level
- Exposure level
- OS distribution*
- OS version*
- Last device update*
- First seen
- Tags*
- Exclusion state
Tip
To see all columns, you likely need to do one or more of the following steps:
- Horizontally scroll in your web browser.
- Narrow the width of appropriate columns.
- Zoom out in your web browser.
Related articles
Investigate devices in the Microsoft Defender for Endpoint Devices list.