Device Query requirement

anju sukumaran,

Advanced Hunting is a capability of Microsoft Defender XDR. Access to specific Advanced Hunting data depends on the Defender products licensed. To query endpoint EDR data, Microsoft Defender for Endpoint Plan 2 is required. Plan 1 provides limited endpoint visibility and does not support full Advanced Hunting for endpoints.

The MDM - intune has the capability for device query and Defender is not required for that https://dotnet.territoriali.olinfo.it/intune/advanced-analytics/device-query

For licenses that provide access to Microsoft Defender XDR (In your case Advanced Hunting) features via the Defender portal refer to https://dotnet.territoriali.olinfo.it/en-us/defender-xdr/prerequisites

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

Enable and configure Device query in Intune by meeting its prerequisites; onboarding to Microsoft Defender for Endpoint or enabling Endpoint analytics is not required for Device query.

Specifically, first ensure that:

1. Devices are managed by Intune and marked as corporate owned.
2. Devices are Microsoft Entra joined or Microsoft Entra hybrid joined.
3. The Intune tenant has the Device query capability (Intune add-on) enabled.
4. The admin account has a role with Managed Devices/Query permission (for example, the Help Desk Operator role or a custom role with that permission).

Once these prerequisites are in place, Device query can be used to gather information about all Intune-managed devices. Defender onboarding and Endpoint analytics are separate capabilities and are not listed as prerequisites for Device query.

References:

• Device query
• Device query for multiple devices
• Manage devices with Intune Overview
• Get devices onboarded to Microsoft Defender for Endpoint
• Review and assess devices in Microsoft Defender for Endpoint