Forum Discussion
Incomplete Defender for Endpoint API call via Powershell
Hello! I'm trying to export data from my assets via Powershell, using this api: https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07 My script seems...
JimBjo What you describe is not what I see in my org's MDE UI and API, from what I see and use the deviceId value is consistent across all of the points you mention.
Very interesting, when experimenting further I can see that for some machines I get more than one match by matching on DNS, 3 in one case, and one of these have an id (that is the name of the property in the returned json) that matches "Device id". I clearly need to examine this further.
- Oh, I did not think of that. We do have a subset of inactive devices in MDE where the authentication token was reset due to a bug in the 22H2 upgrade. Those have 2 listings if we look them up by hostname, so that could cause confusion if we got the deviceId mixed up. In those cases though I would expect to get the data from the last update to the old deviceId before the reset. Interesting, I will bear that possibility in mind if we see anything like you describe.