In Microsoft security environments, unmanaged endpoints represent one of the most significant blind spots in an organization's security posture. These unmanaged devices create critical visibility gaps that attackers routinely exploit:
- Servers missing agents due to failed deployments or system updates
- BYOD devices connecting to corporate networks without proper onboarding
- IoT equipment that was never properly inventoried or secured
- Shadow IT purchases that bypass standard procurement processes
Microsoft Defender for Endpoint (MDE) provides several built-in capabilities to help identify these coverage gaps, but many security teams aren't effectively leveraging these tools. This guide walks through the methods available for discovering unprotected endpoints and explores how to operationalize this process for continuous monitoring.
Why unmonitored endpoints are a security risk
Unmanaged endpoints introduce security vulnerabilities through two primary risk vectors.
Lack of security controls
Endpoints that aren't onboarded to MDE operate outside your security perimeter, lacking the real-time monitoring, threat detection, and incident response capabilities that protected devices enjoy. These unmanaged devices miss critical security updates, operate with potentially misconfigured settings, and provide no telemetry to security operations centers.
The risk compounds in dynamic environments where devices regularly join and leave networks. An unpatched server that loses its MDE agent during a system update, a department's shadow IT purchases that bypass standard procurement, or contractors' devices that connect to corporate resources can all become entry points for lateral movement and data exfiltration.
Increased breach risk
Undiscovered BYOD endpoints are 71% more likely to be part of a cyber breach, stemming from limited visibility that prevents proper security configuration, updates, and vulnerability patching.
Microsoft's own Digital Defense Report telemetry shows that roughly 90% of successful ransomware attacks originate from unmanaged devices, with human-operated ransomware attacks increasing by 200% year-over-year. These attacks disproportionately target smaller organizations where comprehensive endpoint management proves especially challenging.
When security teams lack visibility into network assets, they cannot apply consistent security policies, monitor for threats, or respond effectively to incidents involving these devices.
MDE device discovery feature
Microsoft Defender for Endpoint includes native device discovery functionality designed to map out devices on corporate networks, including those not yet protected by MDE. This capability transforms onboarded endpoints into network sensors that can identify and catalog unmanaged devices within the environment.
The system operates through two discovery modes:
- Basic discovery mode uses the SenseNDR.exe component on onboarded endpoints to passively monitor network traffic, identifying devices without generating additional network activity.
- Standard discovery mode extends this passive monitoring with active network probing, using common discovery protocols and multicast queries to actively scan for devices while generating minimal network traffic.
Standard discovery mode became the default for all tenants in July 2021 and provides comprehensive device identification across enterprise endpoints (workstations, servers, mobile devices), network infrastructure (routers, switches), and IoT devices (printers, cameras, connected equipment). This broad discovery capability helps security teams understand the full scope of their network-connected assets.
How to find unmanaged devices through the M365 Defender portal
The Microsoft 365 Defender portal provides the primary interface for reviewing discovered but unprotected endpoints. Security teams can access comprehensive device information and filter specifically for coverage gaps.
Device inventory view
Navigate to the Device inventory section under Defender for Endpoint to view all devices known to the system. This comprehensive list displays both onboarded devices and those discovered on the network that lack MDE protection.
Filter by onboarding status
Use the onboarding status filter to focus on unprotected endpoints. Select "Can be onboarded" to display endpoints that device discovery has identified on your network with supported operating systems for MDE deployment, but currently lack an onboarded agent.
The filtered results provide essential details for each unmanaged endpoint, including device names, IP addresses, operating systems, and the last time the device was observed on the network. This information enables security teams to prioritize onboarding efforts based on device criticality.
Advanced hunting for unmanaged devices
For organizations requiring detailed analysis or automated reporting, Microsoft 365 Defender's Advanced Hunting capabilities provide programmatic access to device discovery data. The DeviceInfo table in Advanced Hunting records every device known to MDE; you can retrieve all non-onboarded ones by querying that table where OnboardingStatus != "Onboarded".
These queries return devices with various unmanaged statuses and can be exported for further analysis, automated reporting, or establishing alerts when new unmanaged devices appear. The DeviceNetworkInfo table provides additional context by showing which onboarded device originally observed each unmanaged endpoint, useful for understanding network topology. However, doing this type of work on a regular basis isn't tenable for leaner security teams and typically requires advanced knowledge of KQL syntax and query optimization.
Limitations of native discovery methods
While MDE's device discovery provides significant visibility into unmanaged endpoints, security teams must understand its inherent limitations. The system can only identify and report on devices that it actually observes through network monitoring or active scanning from onboarded endpoints.
Devices that never connect to corporate networks, operate on isolated network segments, or exist in environments without any onboarded MDE endpoints will remain invisible to this discovery process. Importantly, the portal can only list devices that MDE has actually discovered; any device that hasn't been observed by an onboarded endpoint or isn't connected to your corporate network (common in BYOD setups) won't appear in these results, potentially remaining completely unknown to security teams.
This limitation particularly affects BYOD scenarios where personal devices may access corporate resources through VPNs or web applications without connecting directly to monitored network segments.
Additionally, some discovered devices may appear with "Insufficient info" or "Unsupported" status, indicating that while MDE detected their presence, it couldn't gather enough information for full identification or determined that they cannot support MDE onboarding. These partial discoveries require additional investigation through other tools or manual processes to properly inventory and secure.
The manual nature of reviewing discovery results and running KQL queries also creates operational challenges. For organizations with large, dynamic environments, regularly checking for new unmanaged devices and maintaining current inventories requires significant time investment and advanced technical knowledge. For leaner security teams, this ongoing effort, which requires both advanced KQL knowledge and regular manual review cycles, often proves unsustainable.
Alternative approaches beyond MDE's native discovery
A complete approach to identifying unmanaged endpoints requires expanding beyond MDE's native discovery capabilities. Organizations can pursue this through two primary approaches:
1. Combining multiple data sources
The first approach combines MDE discovery data with information from other organizational systems. By cross-referencing IT asset inventories, directory services like Entra ID, device management platforms such as Intune, and other security tools that perform network scans (such as your vulnerability management tools), organizations can identify gaps that discovery alone might miss.
This cross-referencing process reveals devices that exist in corporate inventories but don't appear in MDE's device list, indicating endpoints that may be on the network but outside the discovery scope. Similarly, devices listed in directory services but missing from MDE could represent dormant accounts, offline systems, or devices on network segments that lack onboarded endpoints for discovery.
Manual reconciliation of these data sources through spreadsheets or custom scripts remains technically feasible but becomes increasingly complex as organizations scale. The process requires regular data exports, careful matching of device identifiers across different systems, and ongoing maintenance to account for changing device inventories and network configurations.
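The reconciliation described above, as an added example that is not Prelude's or Microsoft's code: it takes constructed rows shaped like a CSV export of the DeviceInfo query from the Advanced Hunting section (OnboardingStatus values as the page lists them) and a constructed directory/MDM device list, normalizes the identifiers, and sorts devices into the coverage-gap buckets the text describes. Field names follow the DeviceInfo schema; all device values are made up.

```python
# Added example: reconcile an MDE DeviceInfo export against an inventory export.
# Constructed rows mimicking a CSV export of
#   DeviceInfo | where OnboardingStatus != "Onboarded"
# (one onboarded row kept for contrast). Values are invented for illustration.
MDE_EXPORT = [
    {"DeviceName": "fs01.corp.example", "OnboardingStatus": "Onboarded", "OSPlatform": "WindowsServer2019"},
    {"DeviceName": "sql02.corp.example", "OnboardingStatus": "Can be onboarded", "OSPlatform": "WindowsServer2022"},
    {"DeviceName": "PRINTER-3F", "OnboardingStatus": "Unsupported", "OSPlatform": ""},
    {"DeviceName": "10.1.4.77", "OnboardingStatus": "Insufficient info", "OSPlatform": ""},
]
# Constructed directory/MDM inventory (e.g. an Entra ID or Intune device list).
INVENTORY = [
    {"name": "FS01", "owner": "infra"},
    {"name": "SQL02", "owner": "dba"},
    {"name": "WS-1042", "owner": "finance"},  # known to the directory, never seen by MDE
]

def key(name: str) -> str:
    """Normalize a device identifier so the same host matches across systems."""
    name = name.strip().lower()
    if name.replace(".", "").isdigit():   # bare IP address: keep it whole
        return name
    return name.split(".")[0]             # otherwise strip the DNS suffix

def reconcile(mde_rows, inventory_rows):
    """Bucket devices into the coverage gaps a security team would act on."""
    mde = {key(r["DeviceName"]): r for r in mde_rows}
    inv = {key(r["name"]): r for r in inventory_rows}
    onboarded = {k for k, r in mde.items() if r["OnboardingStatus"] == "Onboarded"}
    partial = ("Insufficient info", "Unsupported")
    return {
        # discovered with a supported OS but no agent: prime onboarding targets
        "can_be_onboarded": sorted(k for k, r in mde.items() if r["OnboardingStatus"] == "Can be onboarded"),
        # discovery saw the device but could not classify it: manual follow-up
        "needs_investigation": sorted(k for k, r in mde.items() if r["OnboardingStatus"] in partial),
        # in the directory but never observed by any onboarded sensor
        "in_inventory_not_in_mde": sorted(set(inv) - set(mde)),
        # on the network but unknown to the inventory: possible shadow IT
        "in_mde_not_in_inventory": sorted(set(mde) - set(inv)),
        # share of inventoried devices that actually have an onboarded agent
        "coverage_pct": round(100 * len(onboarded & set(inv)) / len(inv), 1),
    }

if __name__ == "__main__":
    for bucket, devices in reconcile(MDE_EXPORT, INVENTORY).items():
        print(f"{bucket}: {devices}")
```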
2. Automation with Prelude for continuous visibility
Prelude automates the complex process of aggregating and reconciling data from multiple sources to provide comprehensive endpoint visibility. Rather than manually correlating information from MDE, asset management systems, directory services, and other security tools, Prelude continuously ingests data from these sources and automatically identifies coverage gaps such as missing EDR, missing management, missing vulnerability scans, and more.

Prelude's approach eliminates the time-consuming manual processes involved in cross-referencing different inventory systems such as wiring up BI dashboards or correlating multiple CSV data exports. The platform maintains real-time awareness of your complete asset inventory while continuously monitoring which devices have EDR protection through MDE or other endpoint security tools. When gaps appear (whether due to failed agent deployments, system updates that remove protection, or new devices joining the network), Prelude immediately identifies and alerts on these coverage issues.
This continuous monitoring approach ensures that endpoint visibility remains current without requiring ongoing manual effort from your security team. As environments evolve and devices change, Prelude automatically updates its understanding of your environment and maintains accurate reporting on protection coverage across your entire infrastructure.
Maximize your security tools while minimizing your effort

