SC-200 | Chapter 49 of 101 | Objective 1.1

Defender for Endpoint Device Inventory

This chapter covers Microsoft Defender for Endpoint's Device Inventory, a critical component for managing and securing endpoints in an organization. Device Inventory provides a comprehensive, real-time list of all devices onboarded to Defender for Endpoint, along with detailed attributes such as hardware specifications, operating system versions, installed software, and security configurations. For the SC-200 exam, questions on Device Inventory appear in approximately 5-10% of the total exam, focusing on navigation, filtering, and understanding the data presented. Mastery of this topic is essential for security operations analysts who need to quickly assess the device landscape and identify potential risks.

25 min read
Intermediate
Updated May 31, 2026

The Library Inventory System

Imagine a large public library with thousands of books, each with a unique barcode. A librarian with a handheld scanner walks through the aisles, scanning every book on every shelf. Each scan records the book's ID, its location (aisle, shelf, position), and a timestamp. The scanner sends this data to a central database that maintains a master list of all books. When a book is checked out, the librarian scans it again, updating its status to 'checked out' and recording the borrower's ID. If a book is damaged, the librarian notes that in the system. The library also has sensors at the exits that detect any book leaving without being scanned, triggering an alert. Periodically, the librarian performs a full inventory scan to reconcile the database with the physical shelves, identifying missing or misplaced books. This system ensures the library always knows which books are present, where they are, and their condition. Similarly, Microsoft Defender for Endpoint's Device Inventory continuously scans and records information about every device in the organization, including hardware details, installed software, and security posture. It uses sensors and agents to collect data, updates the inventory in real-time, and alerts when devices are missing or non-compliant. The inventory serves as a single source of truth for security operations, enabling quick identification of vulnerable or compromised devices.

How It Actually Works

What is Device Inventory?

Device Inventory is a feature within Microsoft Defender for Endpoint that provides a centralized, searchable, and filterable list of all devices that are onboarded to the service. It acts as the authoritative source of truth for device information, enabling security operations teams to quickly answer questions like: 'Which devices are running a specific operating system version?' or 'How many devices have a particular application installed?' The inventory is automatically populated by the Defender for Endpoint sensor installed on each device, which collects and reports a wide range of telemetry data.

Why Does Device Inventory Exist?

In any organization, knowing what devices exist and their current state is foundational to security. Without an accurate inventory, security teams cannot identify which devices are missing critical patches, have outdated antivirus definitions, or are running unauthorized software. Device Inventory solves this by providing a continuously updated, single-pane-of-glass view of the entire device fleet. It also serves as the starting point for many security investigations, threat hunting, and incident response workflows.

How Device Inventory Works Internally

The Device Inventory is built on the telemetry data sent by the Microsoft Defender for Endpoint sensor (the agent) installed on each device. The sensor collects data at multiple levels:

Boot-time collection: When a device starts, the sensor gathers hardware and OS information.

Periodic collection: The sensor sends heartbeat updates every 5 minutes (default) with health status and configuration changes.

Event-driven collection: When significant events occur (e.g., software installation, patch updates, registry changes), the sensor sends an update immediately.

The collected data includes:

Device name, domain, and IP address

Operating system version and build

Installed software and applications (via Windows Registry and file system scanning)

Hardware details: CPU, RAM, disk size, TPM presence

Security configuration: Windows Defender Antivirus state, firewall status, BitLocker status

Onboarding status: First seen, last seen, and sensor health state

This data is sent to the Defender for Endpoint cloud service, where it is processed and stored in a high-performance database optimized for fast queries. The inventory is then presented in the Microsoft 365 Defender portal under Assets > Devices. The data is refreshed in near real-time; however, there can be a delay of up to 5 minutes for changes to appear in the portal.

Key Components and Default Values

Device Inventory page: Located at https://security.microsoft.com under Assets > Devices. It displays a table with columns such as Device Name, OS Platform, OS Version, Risk Level, Health State, Last Seen, and Tags.

Filters: The inventory supports filtering by OS platform (Windows, Linux, macOS, Android, iOS), risk level (Low, Medium, High, Critical), health state (Active, Inactive, Misconfigured, Sensor Disconnected), and custom tags.

Tags: You can add custom tags to devices (e.g., 'Production', 'Test', 'Critical') to organize them. Tags are applied via device configuration or through API/automation.

Export: The inventory can be exported to CSV for offline analysis. Maximum export limit is 100,000 devices per request.

API: The Device Inventory data is accessible via Microsoft Graph API and Defender for Endpoint APIs, allowing integration with SIEMs and automation tools.

Data retention: Device inventory data is retained for 180 days for active devices. For inactive devices (not seen for 30+ days), retention is 90 days.

Configuration and Verification Commands

While Device Inventory is automatically populated, you can verify the data from the device side using PowerShell or the sensor's diagnostic tool.

From the device (Windows):

# Check the Defender Antivirus state on the device. This is the antivirus status the inventory's
# security configuration data reports; Get-MpComputerStatus does not show the sensor's own heartbeat.
Get-MpComputerStatus | Select-Object AMProductVersion, AMServiceEnabled, AntivirusEnabled, LastFullScanAge, LastQuickScanAge

From the cloud (via API):

GET https://api.security.microsoft.com/api/machines
Authorization: Bearer <token>

This returns a JSON array of all onboarded devices with their attributes.

Using Microsoft Graph Explorer:

GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices

Note: This endpoint is for Intune managed devices, not all Defender for Endpoint devices.

Interaction with Related Technologies

Device Inventory integrates with:

Microsoft 365 Defender: The inventory is shared across Defender for Office 365, Defender for Identity, and Defender for Cloud Apps, providing a unified view.

Microsoft Intune: Device Inventory can be enriched with Intune compliance data if devices are co-managed.

Microsoft Sentinel: You can stream device inventory data to Sentinel for advanced correlation and alerting.

Vulnerability Management: The inventory feeds into Microsoft Defender Vulnerability Management (MDVM) to provide a list of devices with software vulnerabilities.

Threat Analytics: Device Inventory is used to scope threat analytics reports, showing which devices are affected by particular threats.

Common Exam Scenarios

On the SC-200 exam, you may be asked to:

Identify where to find Device Inventory in the portal.

Determine which devices are at highest risk based on inventory data.

Filter devices by OS version to find those needing a patch.

Understand the difference between 'Active' and 'Inactive' device states.

Know that tags can be used to group devices for targeted actions.

Performance and Limitations

The inventory can handle up to 500,000 devices per tenant. Beyond that, performance may degrade, and Microsoft recommends using API-based queries for large-scale operations.

The portal displays up to 10,000 devices per page. Use filters or search to narrow results.

Real-time updates are not instantaneous; expect up to 5 minutes delay for changes to reflect.

Security Considerations

Device Inventory data is sensitive. Access to the inventory should be restricted to security analysts and administrators via Azure AD roles such as 'Security Reader' or 'Security Administrator'. In the hands of an attacker, the same inventory would reveal high-value targets (e.g., domain controllers, SQL servers), so proper access controls are critical.

Walk-Through

1. Access Device Inventory in Portal

Navigate to the Microsoft 365 Defender portal (security.microsoft.com) and sign in with an account that has the appropriate permissions (Security Reader, Security Administrator, or Global Administrator). From the left-hand navigation menu, expand 'Assets' and select 'Devices'. This opens the Device Inventory page, which displays a table of all onboarded devices. The page loads with default columns: Device Name, OS Platform, OS Version, Risk Level, Health State, and Last Seen. You can customize the columns by clicking the 'Columns' button. This is the primary interface for viewing and managing device information in Defender for Endpoint.

2. Apply Filters to Narrow Results

Use the filter bar at the top of the Device Inventory page to refine the list. Filters include: OS Platform (Windows, Linux, macOS, Android, iOS), Risk Level (Low, Medium, High, Critical), Health State (Active, Inactive, Misconfigured, Sensor Disconnected), and Tags. You can also use the search box to find specific devices by name or IP. For example, to find all Windows 10 devices with a Critical risk level, select 'Windows' from OS Platform, 'Critical' from Risk Level, and click 'Apply'. The inventory updates dynamically. This filtering capability is crucial for quickly identifying devices that require immediate attention, such as those with high risk or misconfigured sensors.

3. View Device Details and Timeline

Click on any device name in the inventory to open its detailed device page. This page provides comprehensive information organized into tabs: 'Overview' shows device name, domain, IP, OS, and sensor health. 'Health' displays sensor status, last seen time, and onboarding date. 'Software inventory' lists all installed applications with versions and publishers. 'Vulnerabilities' (if enabled) shows CVEs affecting the device. 'Security recommendations' provides actionable steps to improve security posture. The 'Timeline' tab shows a chronological list of events (e.g., alerts, software installations, logins) that occurred on the device. This timeline is essential for investigations, as it allows analysts to correlate events with alerts.

4. Export Inventory to CSV

To export the current filtered view of the inventory, click the 'Export' button at the top of the Device Inventory page. The export generates a CSV file containing all columns visible in the current view. This is useful for offline analysis, reporting, or integration with other tools. The export limit is 100,000 devices per request. If your filtered list exceeds this, you must narrow the filter further. The export process runs in the background, and you will receive a notification when the file is ready for download. Note that the CSV includes device names, OS details, risk levels, and health states, but not the full timeline or software inventory.

5. Add Tags to Devices for Organization

Tags are custom labels that you can assign to devices to categorize them. Tags can be applied via the device details page: under the 'Overview' tab, click 'Manage tags'. You can add existing tags or create new ones. Tags are also manageable via API or through group policies. Common use cases include tagging devices by department (e.g., 'Finance', 'HR'), by role (e.g., 'Domain Controller', 'Exchange Server'), or by criticality (e.g., 'Critical', 'Test'). Once tagged, you can filter the inventory by these tags. Tags persist across sessions and are shared across Microsoft 365 Defender. They are instrumental in targeting specific device groups for actions like running antivirus scans or isolating devices.

What This Looks Like on the Job

Scenario 1: Identifying Devices Missing Critical Patches

A large enterprise with 20,000 Windows devices needs to quickly find all devices that are still running Windows 10 version 1809, which is end-of-life and vulnerable to multiple CVEs. The security team uses Device Inventory to filter by OS Platform = 'Windows' and OS Version = '10.0.17763' (the build number for 1809). The inventory returns 1,200 devices. They export the list to CSV and cross-reference it with their patch management tool. They then create a targeted remediation plan. Without Device Inventory, this manual identification would take days. A common mistake is filtering by the friendly name 'Windows 10 1809' instead of the actual build number; the inventory uses build numbers for precision. The team also uses tags to mark these devices as 'Needs Patch' for tracking.

Scenario 2: Investigating a Ransomware Outbreak

During a ransomware incident, the SOC needs to determine which devices have the malicious file 'encrypt.exe' present. They use Device Inventory to search for devices with that file in the software inventory. However, the software inventory only includes installed applications, not arbitrary files. They realize they need to use the Advanced Hunting feature with a query like DeviceFileEvents | where FileName == 'encrypt.exe' instead. This shows that Device Inventory is not a full file inventory; it's an application inventory. Misunderstanding this leads to wasted time. Once they identify affected devices via Advanced Hunting, they use Device Inventory to verify the devices' health and risk levels before initiating isolation.
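As an added example (not code from this chapter or from Microsoft), the following Python works on the same /api/machines array the Configuration and Verification Commands section returns and applies this chapter's rules to it: the 7-day Inactive threshold, the build-number filter from Scenario 1, and the join from Advanced Hunting device ids back to inventory health and risk from Scenario 2. The Machine entity field names are the ones the Defender for Endpoint API uses; the sample records, host names, ids and dates are constructed, the healthStatus values use this chapter's labels, and the bearer token is assumed to be obtained elsewhere.

```python
import json
import urllib.request
from datetime import datetime, timedelta

# Endpoint and header as shown in this chapter; the token is assumed to be obtained separately.
MACHINES_URL = "https://api.security.microsoft.com/api/machines"


def fetch_machines(token: str) -> list:
    """Live call: GET /api/machines, returning its 'value' array of devices."""
    req = urllib.request.Request(MACHINES_URL, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]


def parse_ts(ts: str) -> datetime:
    """The API returns ISO-8601 UTC timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


# Constructed sample of the 'value' array (not captured from a real tenant).
# Field names follow the Defender for Endpoint Machine entity; healthStatus uses
# the labels this chapter uses; host names, ids and dates are made up.
SAMPLE_MACHINES = [
    {"id": "m1", "computerDnsName": "fin-ws01.contoso.local", "osPlatform": "Windows10",
     "osVersion": "10.0.17763", "healthStatus": "Active", "riskScore": "High",
     "lastSeen": "2026-05-31T09:58:00Z", "machineTags": ["Finance"]},
    {"id": "m2", "computerDnsName": "hr-ws07.contoso.local", "osPlatform": "Windows10",
     "osVersion": "10.0.19045", "healthStatus": "Inactive", "riskScore": "Medium",
     "lastSeen": "2026-05-20T08:00:00Z", "machineTags": ["HR"]},
    {"id": "m3", "computerDnsName": "dc01.contoso.local", "osPlatform": "WindowsServer2019",
     "osVersion": "10.0.17763", "healthStatus": "Active", "riskScore": "Low",
     "lastSeen": "2026-05-31T09:57:00Z", "machineTags": ["Domain Controller"]},
    {"id": "m4", "computerDnsName": "mac-042.contoso.local", "osPlatform": "macOS",
     "osVersion": "14.4", "healthStatus": "Sensor Disconnected", "riskScore": "None",
     "lastSeen": "2026-05-29T12:00:00Z", "machineTags": []},
]
SAMPLE_NOW = parse_ts("2026-05-31T10:00:00Z")  # reference time for the sample


def stale_devices(machines: list, now: datetime, days: int = 7) -> list:
    """Devices not seen for more than `days` (7 is this chapter's Inactive threshold).
    A record with no lastSeen at all is reported as stale rather than skipped."""
    cutoff = now - timedelta(days=days)
    return sorted(m["computerDnsName"] for m in machines
                  if not m.get("lastSeen") or parse_ts(m["lastSeen"]) < cutoff)


def devices_on_build(machines: list, build: str) -> list:
    """Filter on the exact build string ('10.0.17763' for Windows 10 1809), not the
    friendly name, which is the mistake Scenario 1 warns about."""
    return sorted(m["computerDnsName"] for m in machines if m["osVersion"] == build)


def triage_hunting_hits(machines: list, device_ids: list) -> list:
    """Join device ids from an Advanced Hunting result (e.g. DeviceFileEvents) back to
    the inventory to check health and risk first, as in Scenario 2; unknown ids are kept."""
    by_id = {m["id"]: m for m in machines}
    rows = []
    for device_id in sorted(set(device_ids)):
        m = by_id.get(device_id)
        if m is None:
            rows.append({"id": device_id, "status": "not in inventory"})
            continue
        rows.append({"id": device_id, "name": m["computerDnsName"],
                     "healthStatus": m["healthStatus"], "riskScore": m["riskScore"],
                     # only a communicating sensor can receive a response action
                     "sensorReachable": m["healthStatus"] == "Active"})
    return rows


if __name__ == "__main__":
    print(stale_devices(SAMPLE_MACHINES, SAMPLE_NOW), devices_on_build(SAMPLE_MACHINES, "10.0.17763"))
    print(triage_hunting_hits(SAMPLE_MACHINES, ["m1", "m4", "m1", "m9"]))
```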

Scenario 3: Onboarding New Devices and Monitoring Health

A company rolls out Defender for Endpoint to 500 macOS devices. The IT team monitors the Device Inventory to ensure all devices appear within 24 hours. They notice that 20 devices show 'Sensor Disconnected' health state. By filtering on that state, they can quickly contact the users to troubleshoot. They also set up a scheduled report that exports the inventory daily to a shared SharePoint site, allowing management to review onboarding progress. Performance is smooth with 500 devices, but when the company scales to 10,000, the export takes longer and they switch to API-based queries. A common misconfiguration is not enabling the sensor on macOS correctly, resulting in devices showing as 'Inactive'. The team learns to check the sensor installation logs on the device side.

How SC-200 Actually Tests This

The SC-200 exam tests Device Inventory primarily under objective 1.1: Manage devices in Microsoft Defender for Endpoint. Expect 2-4 questions directly related to Device Inventory, often as part of a broader scenario. The exam focuses on:

1. Navigation and Basic Understanding: You must know that Device Inventory is located under Assets > Devices in the Microsoft 365 Defender portal. A common wrong answer is 'Security Center' or 'Azure Sentinel'. The exam may present a screenshot and ask where to find device information.

2. Filtering and Searching: Questions often ask you to filter the inventory to find specific devices. For example, 'You need to find all devices with a risk level of High. What should you do?' The correct answer is to use the Risk Level filter. A trap is to suggest using the search box only, which does not filter by risk level.

3. Device Health States: Know the four health states: Active, Inactive, Misconfigured, and Sensor Disconnected. The exam loves to test the difference between 'Inactive' (device not seen for 7+ days but still onboarded) and 'Sensor Disconnected' (sensor is not communicating, often due to network issues or uninstallation). A common wrong answer is confusing 'Inactive' with 'Offboarded'.

4. Tags and Grouping: Questions may ask how to organize devices by department. The answer is to use Tags. A trap is to suggest creating separate device groups in the portal, which is not a native feature; tags are the correct method.

5. Exporting Data: You may be asked how to export the device list for offline analysis. The answer is to use the Export button, which generates a CSV. A wrong answer is 'Use the API'; while possible, the exam expects the portal-based method for a simple task.

6. Data Freshness: Know that the inventory is updated every 5 minutes. A question might ask: 'A device was just onboarded. How long until it appears in the inventory?' Answer: Up to 5 minutes. A trap is 'Immediately' or '1 hour'.

7. Integration with Other Features: The exam may test that Device Inventory feeds into Vulnerability Management and Threat Analytics. For example, 'Which feature uses device inventory to show which devices are affected by a specific CVE?' Answer: Microsoft Defender Vulnerability Management.

8. Edge Cases: The exam might test that devices with 'Misconfigured' health state require attention to sensor settings. Also, that the inventory does not include devices that are not onboarded (e.g., unmanaged devices). A common misconception is that Device Inventory shows all devices in the network; it only shows those with the Defender for Endpoint sensor installed.

Elimination Strategy: For any Device Inventory question, first identify what the question is asking (e.g., find devices, export, filter). Then eliminate options that refer to other portals (e.g., Azure Security Center), other features (e.g., Advanced Hunting for simple queries), or incorrect states (e.g., 'Offboarded' as a health state). Always look for the most direct and efficient method described in the official documentation.

Key Takeaways

Device Inventory is located under Assets > Devices in the Microsoft 365 Defender portal.

The inventory updates every 5 minutes by default; changes may take up to 5 minutes to appear.

Device health states: Active, Inactive (no communication for 7+ days), Misconfigured, Sensor Disconnected.

Use filters for OS Platform, Risk Level, Health State, and Tags to narrow the device list.

Tags are custom labels applied to devices for organization; they are shared across Microsoft 365 Defender.

Export the inventory to CSV (max 100,000 devices) for offline analysis.

Device Inventory does not show individual files; use Advanced Hunting for file searches.

The inventory feeds into Microsoft Defender Vulnerability Management for vulnerability assessment.

Access to Device Inventory requires at least Security Reader role in Azure AD.

Non-Windows devices (Linux, macOS, Android, iOS) appear only if onboarded with the Defender sensor.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Device Inventory in Defender for Endpoint

Focuses on security posture: risk level, health state, vulnerabilities.

Includes devices from all platforms (Windows, Linux, macOS, Android, iOS) with Defender sensor.

Data source is the Defender for Endpoint sensor (telemetry).

Used primarily by security operations for threat detection and response.

Tags are for organizing security-relevant groups (e.g., critical assets).

Intune Device Inventory

Focuses on compliance and management: device configuration, policy compliance.

Includes devices managed by Intune (MDM/MAM), typically corporate devices enrolled in management.

Data source is the Intune management agent or MDM enrollment.

Used primarily by IT administrators for device management and policy enforcement.

Uses device groups and compliance policies for organization.

Watch Out for These

Mistake

Device Inventory shows all devices in the network, including non-Windows devices.

Correct

Device Inventory only shows devices that are onboarded to Microsoft Defender for Endpoint with the sensor installed. It does not include devices without the sensor, even if they are on the same network. Non-Windows devices (Linux, macOS, Android, iOS) are included only if onboarded.

Mistake

The Device Inventory is updated in real-time with no delay.

Correct

The inventory is updated near real-time, but there is a default delay of up to 5 minutes for changes to appear. This is due to the sensor's heartbeat interval and backend processing time.

Mistake

You can use Device Inventory to search for specific files on devices.

Correct

Device Inventory only shows installed applications (software inventory), not individual files. To search for files, use Advanced Hunting with the DeviceFileEvents table.

Mistake

Tags applied to devices in Device Inventory are only visible within Defender for Endpoint.

Correct

Tags are shared across Microsoft 365 Defender and can be used in other components like Microsoft Defender for Identity and Microsoft Defender for Cloud Apps. They are also accessible via API.

Mistake

Exporting the Device Inventory to CSV exports the full device timeline and software inventory.

Correct

The CSV export only includes the columns visible in the current table view (e.g., device name, OS, risk level, health state). It does not include the timeline or full software inventory. For that data, you must use the API or view individual device pages.


Frequently Asked Questions

How do I find the Device Inventory in Microsoft 365 Defender?

Log into the Microsoft 365 Defender portal (security.microsoft.com). In the left navigation pane, expand 'Assets' and select 'Devices'. This opens the Device Inventory page showing all onboarded devices. If you don't see 'Assets', ensure you have the required permissions (Security Reader or higher). The inventory is the default view for device management in Defender for Endpoint.

What is the difference between 'Inactive' and 'Sensor Disconnected' health states?

'Inactive' means the device has not communicated with the Defender for Endpoint cloud for more than 7 days, but the sensor is still installed and the device is onboarded. 'Sensor Disconnected' means the sensor is not sending data, often due to network issues, uninstallation, or tampering. Both require attention, but 'Sensor Disconnected' is more urgent as it indicates a potential breach or misconfiguration.

Can I add custom tags to devices in Device Inventory?

Yes, you can add custom tags to devices for categorization. On the device details page, under the 'Overview' tab, click 'Manage tags'. You can add existing tags or create new ones. Tags can also be applied via API or group policies. They are useful for filtering and targeting devices for actions like running scans or isolating.

How long does it take for a newly onboarded device to appear in Device Inventory?

It can take up to 5 minutes for a new device to appear in the inventory after the sensor is installed and communicates with the cloud. The sensor sends an initial heartbeat within minutes of installation. If the device does not appear after 10 minutes, check the sensor installation logs and network connectivity.

Does Device Inventory include software version details?

Yes, the Device Inventory includes a 'Software inventory' tab on each device's detail page, listing installed applications with their versions and publishers. This data is collected from the Windows Registry and file system. However, it does not include all files; only installed applications are listed.

Can I export the Device Inventory to a CSV file?

Yes, click the 'Export' button on the Device Inventory page to export the current filtered view to CSV. The export includes all visible columns. The maximum export size is 100,000 devices. For larger inventories, use the API or narrow your filters.

What permissions do I need to view Device Inventory?

You need at least the 'Security Reader' Azure AD role to view Device Inventory. 'Security Administrator' or 'Global Administrator' roles also have access. The permissions are managed in Azure AD, not within Defender for Endpoint directly.
