MS Graph - where to find detectedAppID for windowsProtectionState

Kahr Michael 5 Reputation points
2024-06-28T08:23:17.02+00:00

Hi

We are currently building a reporting system for all Client / Server Systems, which should contain Intune Configs / State and Defender Informations. All our Clients (win 10 / 11) are intune managed with Defender Policies + ATP Onboarded.

As far as I got, I'm able to get all intune managed devices with basic infos via https://graph.microsoft.com/v1.0/deviceManagement/managedDevices

Then I tried to retreive the Protection state, but I need a "detectedAppId" before I can retreive the state per unique device id. I tried to get the AppId via below graph call, but I got nothing in return (only 200 OK)

https://graph.microsoft.com/v1.0/deviceManagement/detectedApps?$filter=displayName eq 'Windows Defender Antivirus'

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#deviceManagement/detectedApps",
    "@odata.count": 0,
    "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET deviceManagement/detectedApps?$select=deviceCount,displayName",
    "value": []
}

When I check the "Discovered Apps" in Intune, I don't see any entry for Defender nor AntiVirus nor AntiMalware or something else.

Which "detectedAppId" is required for the below graph call?

https://graph.microsoft.com/v1.0/deviceManagement/detectedApps/{detectedAppId}/managedDevices/{managedDeviceId}/windowsProtectionState

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,200 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,646 questions
Microsoft Defender for Endpoint Training
Microsoft Defender for Endpoint Training
Microsoft Defender for Endpoint: A Microsoft unified security platform for preventative protection, postbreach detection, and automated investigation and response. Previously known as Microsoft Defender Advanced Threat Protection.Training: Instruction to develop new skills.
26 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. CarlZhao-MSFT 39,256 Reputation points
    2024-06-28T10:28:56.9833333+00:00

    Hi @Kahr Michael

    You can try listing the detectedApps directly and it should return the corresponding detectedAppId for you.

    User's image

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

  2. Kahr Michael 5 Reputation points
    2024-07-01T08:20:46.4066667+00:00

    I have now created a list of all detected Apps (26.928 entries), but only found 5 entries for defender and all of them are for Apple Mac, nothing for windows OS.

    How can I get the status of the applied policies (Defender as minimum) to windows clients from intune?

    0 comments