This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 6%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Hi,
I am using Advanced Hunting to perform some auditing. I expected some devices to return results, but they are not; and the number of results when I search for all devices is way lower than expected for my queries.
After checking the different IDs, I am noticing that only the devices correctly registered in Intune (i.e. not "pending" on Entra) are appearing in the reports.
The devices are onboarded in Defender and their "last seen" property seems correct.
So my question is: is that a simple coincidence, or can I have results for queries only from properly registered devices? (I cannot do testing as I can't get a "pending" device on purpose...)
Thank you!
How were the devices onboarded on to Defender?
Hi! They were onboarded via Intune, with the MDE Connector.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 35%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZM%3C/text%3E%3C/svg%3E)
@Medea, Thanks for posting in Q&A.
Since the data is collected by Defender and I am not familiar with Defender, are you using Defender for endpoint or Defender for Cloud? Please tag the corresponding one or contact the corresponding support for help.
https://video2.skills-academy.com/en-us/defender-endpoint/contact-support
https://video2.skills-academy.com/en-us/defender-cloud-apps/support-and-ts
Thanks for your kind understanding.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi,
It would be MS Defender for Endpoints, but in the tags, there is only "MS Defender for Endpoint training", and nothing without the "training".
@Medea, You can tag MS Defender for Endpoints and wait for MS Defender for Endpoints support to help.