Query Details
Comparison Intuneand MDE Devices
Query
# Comparison between devices in Intune and MDE
## Query Information
#### Description
This query lists the devices that are onboarded in Intune and classifies them based on the status of Defender For Endpoint. You can select your own *SearchPeriod* in this query. The MDE data is based on a process activities seen in the search window, if that is the case then the device is classified as *MDE Onboarded*. This can help determine which devices have not yet been onboarded to MDE.
### References
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/intunedevices
## Sentinel
```KQL
let SearchPeriod = 30d;
let MDEDevices = DeviceProcessEvents
| where TimeGenerated > ago(SearchPeriod)
| extend DeviceNameWithoutDomain = tostring(split(DeviceName, ".", 0)[0])
| distinct DeviceNameWithoutDomain;
IntuneDevices
| where todatetime(LastContact) > ago(SearchPeriod)
| summarize arg_max(TimeGenerated, DeviceName, LastContact) by DeviceId
| extend MDEStatus = iff(DeviceName in~ (MDEDevices), "MDE Onboarded", "Not Onboarded")
| summarize Total = count(), Devices = make_set(DeviceName) by MDEStatus
```Explanation
This query compares devices in Intune and Microsoft Defender for Endpoint (MDE) based on their status. It lists the devices onboarded in Intune and classifies them as either "MDE Onboarded" or "Not Onboarded" based on the presence of process activities seen in the search window for MDE. The query allows you to select a specific search period. The result provides the total count of devices and a set of device names for each classification.
Details
Bert-Jan Pals
Released: November 11, 2023
Tables
IntuneDevices
Keywords
Devices,Intune,MDE
Operators
wheretodatetimeagosummarizearg_maxextendin~iffcountmake_set