Identify unmanaged devices in Defender for Endpoint
Identifying unmanaged devices in Microsoft Defender for Endpoint is a critical task for Security Operations Analysts, because it is how they maintain comprehensive visibility across the organization's network environment. Unmanaged devices are endpoints that exist on your network but do not have the Defender for Endpoint sensor installed, or have it installed but not configured properly.
To identify unmanaged devices, analysts can leverage the Device Discovery feature within the Microsoft Defender portal (security.microsoft.com). This capability uses already-onboarded endpoints as sensors to discover devices on the same network that lack security coverage. Discovery operates in two modes: Basic discovery, which passively collects data from network traffic the onboarded device already sees, and Standard discovery (the default), which additionally sends active probes to neighboring devices to collect richer information.
Within the portal, navigate to Assets > Devices and filter on Onboarding status. Devices marked 'Can be onboarded' are unmanaged endpoints that have been detected, support the sensor, and require sensor deployment; 'Unsupported' and 'Insufficient info' identify devices that cannot run the sensor or for which discovery has not yet gathered enough data to tell. The device inventory provides details such as IP addresses, operating system, risk level, and exposure level for these discovered assets.
Analysts should regularly review the unmanaged devices list to identify potential security gaps. Each unmanaged device represents a potential blind spot where threats could operate undetected. The portal displays device classification including workstations, servers, mobile devices, network devices, and IoT equipment.
To address unmanaged devices, security teams can take several actions: deploy the Defender for Endpoint sensor, investigate why certain devices remain unmanaged, or exclude known devices that cannot support the agent. The Advanced Hunting feature allows analysts to write KQL queries against the DeviceInfo table, whose OnboardingStatus column records each device's state, to create custom reports on device onboarding status.
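The following query is an added example, not code from the original page or from Microsoft: it lists the devices that discovery has found but that are not onboarded, keeps only the latest record per device, and ranks them so the highest-exposure devices are reviewed first. The column names (OnboardingStatus, MergedToDeviceId, IsExcluded, DeviceType, DeviceCategory, ExposureLevel) are standard DeviceInfo columns; the 7-day window and the ExposureRank mapping are choices made for this example.

```kql
// Added example (not from the original page): inventory of unmanaged devices
// seen in the last 7 days, one row per device, highest exposure first.
DeviceInfo
| where Timestamp > ago(7d)
| where OnboardingStatus != "Onboarded"
// Discovered devices are sometimes merged into another device record; keep only
// the surviving record so a device is not counted twice.
| where isempty(MergedToDeviceId)
// Skip devices an administrator has deliberately excluded from the inventory.
| where IsExcluded == false
// Latest record per device so the report reflects current status.
| summarize arg_max(Timestamp, *) by DeviceId
// ExposureLevel is a string; map it to a number so it sorts meaningfully.
| extend ExposureRank = case(ExposureLevel == "High", 3,
                             ExposureLevel == "Medium", 2,
                             ExposureLevel == "Low", 1,
                             0)
| project Timestamp, DeviceId, DeviceName, OnboardingStatus, DeviceType,
          DeviceCategory, OSPlatform, Vendor, Model, ExposureLevel, ExposureRank
| sort by ExposureRank desc, OnboardingStatus asc
```

Removing the project line and replacing it with `| summarize Devices = count() by OnboardingStatus, DeviceCategory` turns the same query into the baseline count described under best practices, which is useful for tracking whether the unmanaged population is shrinking over time.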
Best practices include establishing baseline counts of unmanaged devices, creating alerts when new unmanaged devices appear, and integrating device discovery findings into vulnerability management programs. This proactive approach ensures maximum security coverage and reduces the attack surface across the enterprise environment.
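One way to implement the "alert when new unmanaged devices appear" practice is a custom detection rule built on Advanced Hunting. The query below is an added example, not code from the original page or from Microsoft: it reports unmanaged devices first seen in the last day that had no record during the preceding four weeks. The names `baseline`, `lookback`, and `window` are local names chosen for this example; Advanced Hunting retains 30 days of data, which is why the lookback stays under that limit. Timestamp, ReportId and DeviceId are kept in the output because custom detection rules require them to generate alerts.

```kql
// Added example (not from the original page): unmanaged devices that appeared in
// the last day and were not seen in the prior 28 days. Suitable as a custom
// detection rule so each new blind spot raises an alert.
let window = 1d;      // period in which a device counts as "new"
let lookback = 28d;   // baseline period; advanced hunting keeps 30 days of data
// Devices already known as unmanaged before the detection window.
let baseline = DeviceInfo
    | where Timestamp between (ago(lookback + window) .. ago(window))
    | where OnboardingStatus != "Onboarded"
    | distinct DeviceId;
DeviceInfo
| where Timestamp > ago(window)
| where OnboardingStatus in ("Can be onboarded", "Unsupported", "Insufficient info")
| where isempty(MergedToDeviceId)   // ignore records merged into another device
| where IsExcluded == false         // ignore deliberately excluded devices
| where DeviceId !in (baseline)     // not seen as unmanaged during the baseline
// First sighting inside the window, with ReportId kept for alert generation.
| summarize arg_min(Timestamp, *) by DeviceId
| project Timestamp, ReportId, DeviceId, DeviceName, OnboardingStatus,
          DeviceType, DeviceCategory, OSPlatform, Vendor, Model
```

When saved as a custom detection rule, the rule's frequency should not be shorter than `window`, otherwise the same device can be reported more than once; entity mapping on DeviceId lets the resulting alert link directly to the device page for onboarding or exclusion.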
Identify Unmanaged Devices in Defender for Endpoint
Why It Is Important
Identifying unmanaged devices is a critical security practice because these devices represent potential blind spots in your organization's security posture. Unmanaged devices are endpoints that exist on your network but are not onboarded to Microsoft Defender for Endpoint, meaning they lack visibility, protection, and monitoring. Attackers often target these devices as entry points since they may have vulnerabilities that go undetected and unpatched.
What Are Unmanaged Devices?
Unmanaged devices in Defender for Endpoint refer to endpoints discovered on your corporate network that have not been onboarded to the Defender for Endpoint service. These can include:
• Workstations and servers not yet enrolled
• IoT devices
• Network devices like routers and switches
• Legacy systems running unsupported operating systems
• BYOD (Bring Your Own Device) endpoints
• Printers and other network-connected peripherals
How It Works
Defender for Endpoint uses device discovery capabilities to identify unmanaged devices on your network. There are two discovery modes:
1. Basic Discovery: Uses passive methods only, collecting information about devices from network traffic that onboarded endpoints already observe. No probes are sent.
2. Standard Discovery (the default mode): In addition to passive collection, onboarded endpoints actively probe neighboring devices, providing richer data including device names, OS information, and more detailed attributes.
The discovery process leverages onboarded devices as sensors to detect other endpoints communicating on the network. Discovered devices appear in the Device Inventory with an onboarding status indicating they are not yet managed.
Key Features for Managing Unmanaged Devices:
• Device Inventory: View all discovered devices with filtering options to isolate unmanaged endpoints
• Vulnerability Assessment: Some vulnerability data may be available for discovered devices
• Onboarding Recommendations: Prioritize which devices should be onboarded based on risk
• Network Segmentation Insights: Understand communication patterns between managed and unmanaged devices
How to Answer Exam Questions on This Topic
When facing exam questions about identifying unmanaged devices in Defender for Endpoint, focus on these key concepts:
1. Understand the Discovery Modes: Know the difference between Basic and Standard discovery. Basic is passive and uses less network resources, while Standard provides more comprehensive device information through active probing.
2. Know Where to Find Information: Unmanaged devices are visible in the Device Inventory within the Microsoft Defender portal. You can filter by onboarding status to see devices that need attention.
3. Prerequisites: Remember that you need onboarded devices acting as sensors for discovery to work. The more managed devices you have, the better your network visibility.
4. Actions Available: Understand that you can onboard discovered devices, tag them, or exclude certain device types from discovery.
Exam Tips: Answering Questions on Identify Unmanaged Devices
• Tip 1: If a question asks about discovering devices with minimal network impact, the answer is likely Basic Discovery.
• Tip 2: Questions about getting detailed OS information or device names from unmanaged devices point toward Standard Discovery.
• Tip 3: Remember that device discovery requires Windows 10 version 1809 or later or Windows Server 2019 or later for the sensing devices.
• Tip 4: When asked about reducing attack surface, identifying and onboarding unmanaged devices is a key step mentioned in security best practices.
• Tip 5: Pay attention to questions about network device discovery, which specifically targets routers, switches, and firewalls. This is a separate capability that must be enabled and configured: it runs authenticated (SNMP-based) scans from a designated onboarded assessment device rather than relying on the passive or probe-based discovery performed by every onboarded endpoint.
• Tip 6: For scenario-based questions, consider the risk priority - devices with known vulnerabilities or those in critical network segments should be prioritized for onboarding.
• Tip 7: The Device Inventory uses the classification Can be onboarded to indicate devices eligible for Defender for Endpoint enrollment.