Microsoft Defender for Endpoint - Streamlined Connectivity
MDE Connectivity Type
Query
DeviceInfo
| where Timestamp > ago(30d)
| where OnboardingStatus == 'Onboarded'
| where DeviceCategory == 'Endpoint'
| summarize arg_max(Timestamp,*) by DeviceId
| where isempty( HostDeviceId) // exclude WSL, as they will create duplicate and adopt the connectivity type of the host
| extend ConnectivityType = iff(isempty( ConnectivityType),"Not-Streamlined",ConnectivityType)
| project DeviceName, OSPlatform, ConnectivityType, DeviceId
| summarize Total = count() by ConnectivityTypeAbout this query
Explanation
This query is designed to provide an overview of devices using the new streamlined connectivity feature in Microsoft Defender for Endpoint. Here's a simplified breakdown:
-
Purpose: The query aims to show how many devices are connected through different connectivity methods within the Microsoft Defender for Endpoint environment.
-
Data Source: It uses the
DeviceInfotable to gather information about devices that have been onboarded in the last 30 days and are categorized as endpoints. -
Filtering:
- It filters out devices that are not onboarded.
- It excludes devices running Windows Subsystem for Linux (WSL) to avoid duplicates, as these devices adopt the connectivity type of their host.
-
Connectivity Type:
- It checks if the
ConnectivityTypeis empty and labels such devices as "Not-Streamlined." - It then projects relevant information like
DeviceName,OSPlatform,ConnectivityType, andDeviceId.
- It checks if the
-
Summarization: The query summarizes the total number of devices by each connectivity type.
-
Limitations in Microsoft Sentinel:
- The
ConnectivityTypeattribute is not currently synchronized with Microsoft Sentinel, so the query cannot be executed there. - As a workaround, two additional queries are provided to identify devices interacting with the endpoint security URL and checking specific registry keys related to onboarding.
- The
Overall, this query helps administrators understand how devices are connecting to Microsoft Defender for Endpoint and identify any that are not using the streamlined connectivity method.
Details

Alex Verboon
Released: September 5, 2024
Tables
Keywords
Operators