Today (21.09.2020) a long-awaited addition to Intune was released in public preview:
Microsoft Defender Antivirus active Malware reporting!
You might ask what is so special about it? Well, it's the fact that we can finally get actual malware status data from your clients within the Endpoint Manager admin center.
Before that, only Configuration Manager could be used to view that information.
For cloud-only environments, one was able to generate some custom reporting with Log Analytics, but there was no official way to retrieve the malware state.
This has now changed.
First of all, you will get a summary in the Antivirus Section of the Endpoint Security Management interface in MEM admin center:
For more details on current malware detections you can open the “Windows 10 detected malware” view, which leads you to a detailed overview:
To get insights into malware detected in the past, you can use the new reports, which have been added together with the “live” view.
You can find the reports “Detected Malware” and “Antivirus agent status” (which replaces the old “Threat Agent Status” in the long run) in the reports section of your admin center:
To get a report, just select it and then “Generate report”. You will get a list of malware activities in your environment and how Defender has dealt with them.
It might take a while to generate before you are presented with a list of devices on which some kind of malware activity has occurred, e.g.:
When you are coming from ConfigMgr, you might still miss some crucial things, such as the ability to “override” a threat, which you can use either to stop a false positive from being flagged as malware or to increase the threat severity for individual threats.
I hope this will come in some future update, because it is really needed to be able to take action from the MEM admin center.
Of course there's always Microsoft Defender ATP, which gives you a much closer look at what is happening on your endpoints, but the new capabilities released today are a very welcome addition to all environments without MDATP!
PS: As the new reports are based on the Graph API, your automation possibilities are endless!