# Microsoft Defender for Endpoint - Device Groups

## Query Information

### Description

This query identifies Windows 10 and Windows 11 devices across different device groups in Microsoft Defender for Endpoint, with a focus on discovering devices that end up in the "UnassignedGroup". It provides a pivot table view of device counts organized by OS platform and Device group, helping administrators quickly spot devices that haven't been properly assigned to a Device Group.

#### References

- [Create and manage device groups](https://learn.microsoft.com/en-us/defender-endpoint/machine-groups)

### Author

- **Alex Verboon**

## Defender XDR

Total Devices by OS per Device Group

```kql
let OS = dynamic(["Windows10","Windows11"]);
DeviceInfo
| where TimeGenerated > ago(30d)
| where OSPlatform has_any (OS)
| where OnboardingStatus == 'Onboarded'
| summarize arg_max(TimeGenerated,*) by DeviceId
| summarize DeviceCount = count() by OSPlatform, MachineGroup
| evaluate pivot(MachineGroup, sum(DeviceCount))
| order by OSPlatform asc
```

Detailed list of devices and device groups.

```kql
let OS = dynamic(["Windows10","Windows11"]);
DeviceInfo
| where TimeGenerated > ago(30d)
| where OSPlatform has_any (OS)
| where OnboardingStatus == 'Onboarded'
| summarize arg_max(TimeGenerated,*) by DeviceId
| project MachineGroup, OSPlatform, DeviceName, DeviceId, LoggedOnUsers
| order by MachineGroup asc, OSPlatform asc, DeviceName asc
```
This KQL query is designed to help administrators using Microsoft Defender for Endpoint to manage their devices more effectively. It focuses on identifying Windows 10 and Windows 11 devices and how they are distributed across different device groups, with particular attention to those that are not assigned to any specific group, known as the "UnassignedGroup."
Here's a breakdown of what the query does:
- **Filter for Relevant Devices:** It looks at devices that have reported in the last 30 days and are running either Windows 10 or Windows 11. It only considers devices whose `OnboardingStatus` is `Onboarded` in Microsoft Defender for Endpoint.
- **Summarize Device Counts:** The query first keeps only the most recent `DeviceInfo` record per `DeviceId` (`arg_max`), so a device that reported many times in the window is counted once and with its current group membership. It then counts devices by operating system and device group and presents the result as a pivot table, making it easy to see how many devices are in each group for each OS.
- **Order and Display:** The results are ordered by operating system, making it straightforward to compare device counts across groups.
- **Detailed Device List:** In addition to the summary, the second query provides a detailed list of devices, showing their group, operating system, name, ID, and logged-on users. This helps administrators identify specific devices that need attention, especially those in the "UnassignedGroup."
Overall, this query helps administrators quickly identify and manage devices that are not properly assigned to a device group, ensuring better organization and security management within Microsoft Defender for Endpoint.
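As an added example that is not part of the original query set, the same filtered base can be turned into a per-OS unassigned ratio so the size of the problem is a number rather than a column to eyeball. It assumes that `UnassignedGroup` is the literal `MachineGroup` value the page refers to, and the seven-day staleness threshold is a constructed choice.

```kql
// Added example, not one of the page's own queries: quantify the
// "UnassignedGroup" share per OS platform from the same DeviceInfo base.
// Assumption: "UnassignedGroup" is the literal MachineGroup value.
let OS = dynamic(["Windows10","Windows11"]);
let StaleAfter = 7d;   // constructed threshold: unassigned AND not seen for a week
DeviceInfo
| where TimeGenerated > ago(30d)
| where OSPlatform has_any (OS)
| where OnboardingStatus == 'Onboarded'
// one row per device (its most recent report) so repeated check-ins
// inside the 30-day window do not inflate the counts
| summarize arg_max(TimeGenerated, *) by DeviceId
| extend IsUnassigned = MachineGroup == "UnassignedGroup"
| summarize
    TotalDevices      = count(),
    UnassignedDevices = countif(IsUnassigned),
    UnassignedStale   = countif(IsUnassigned and TimeGenerated < ago(StaleAfter))
    by OSPlatform
// percentage of each OS population that has no device group assigned
| extend UnassignedPercent = round(100.0 * UnassignedDevices / TotalDevices, 1)
| order by UnassignedPercent desc
```

A high `UnassignedStale` count usually points at devices that were onboarded but never matched any device-group rule, while a low one suggests the assignment rules simply have not caught up with recently onboarded machines.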

Alex Verboon
Released: December 9, 2025