Windows 10: Is there a way to get a device first seen date in defender for endpoint advanced hunting

I am looking to write a daily query that gets new devices that have not previously been seen before but am struggling to find an effective way to do this, any help would be greatly appreciated

:)

 

Microsoft Defender for Endpoint now supports Windows 10 on Arm devices

Source: https://www.microsoft.com/security/b...ows-10-on-arm/

 

I would like to remove device from Microsoft Defender for Endpoint portal

I would like to remove device from Microsoft Defender for Endpoint portal without running any script on the end PC. The end PC is no more active but still showing in the ATP Portal. Need suggestion

 

Defender for Business onboarding endpoint device Error id: 15 Error level: 1

Hi John,



Thank you for writing us here in Microsoft Community.



The error message "onboarding endpoint device Error id: 15 error level: 1 The service name is invalid" indicates that there is an issue with the service name that is being used to onboard the device to Microsoft Defender for Business.



To resolve this issue, you can try the following steps:

1. Make sure that you are using the correct service name for Microsoft Defender for Business. The service name should be "Microsoft Defender for Endpoint Onboarding" (without the quotes).

2. Check if the service is running on the device. You can do this by opening the Services app (services.msc) and looking for the "Microsoft Defender for Endpoint Onboarding" service. If the service is not running, start it and try onboarding the device again.

3. If the issue persists, try restarting the device and then attempt to onboard it again.



Should issue persists, try following additional steps:

• Check the Diagnostic Data Service: Ensure that the diagnostic data service is enabled and set to start
  
• Check Internet Connection: Make sure your device has a stable internet connection
  
• Check Microsoft Defender Antivirus Policy: Ensure that Microsoft Defender Antivirus is not disabled by a policy
  
• View Agent Onboarding Errors in the Device Event Log: Click Start, type Event Viewer, and press Enter. Go to Windows Logs > Application. Look for an event from WDATPOnboarding event source
  
• Stop the Service: Go to “Control Panel > Administrative Tools > Services”, find the service “Windows Defender Advanced Threat Protection Service”, right-click on the service and click “Stop”. This will stop the service and prevent it from running on the host
  
• Create a new Windows user account: Select Start > Settings > Accounts and then select Family & other users. > Next to Add other user, select Add account. > Select I don't have this person's sign-in information, and on the next page, select Add a user without a Microsoft account. > Enter a username and Next > Go back to Family & other users > Change account type to Administrator > Restart computer to switch to new user account.
  

If needed, you may check similar posts with answers from experts on Microsoft Q and A Questions - Microsoft Q&A and Community page Microsoft 365 Defender - Microsoft Community Hub



We will leave this thread open for our MVPs or other members who are experts about this concern to share their answers.



Honored to be part of your journey,

Bryll

Microsoft Community Agent