Forum Discussion
When is a device considered deleted or inactive in the DeviceInfo table?
Hi,
I’m trying to better understand how device lifecycle is handled within Microsoft Defender for Endpoint, specifically in the context of Advanced Hunting via the DeviceInfo table.
When can we consider a device as deleted or removed from the DeviceInfo table?
How long do offboarded or inactive devices remain in the DeviceInfo table before they are automatically purged?
Are there specific values (e.g., onboardingStatus, lastSeen, isActive, etc.) or time-based thresholds that should be used to determine if a device is no longer active?
Any guidance or documentation references would be greatly appreciated!
Hello vinaygowlla,
When is a device considered inactive?
- Not seen by Defender for Endpoint for 7 days: if the device hasn’t communicated or sent sensor data for at least 7 days, it's marked inactive.
- Offboarded for at least 7 days: even after offboarding, the device transitions to inactive after a week.
- Network connectivity issues: devices with impaired communications (e.g. blocked ports or URLs) can become inactive.
- Once inactive, the device remains in inventory based on retention settings (typically 30–180 days) and may continue to appear in reports such as Vulnerability Management for up to 30 days before being excluded.
As for Microsoft Defender for Endpoint specifically, there is no explicit “deleted” status. Devices may naturally drop off based on retention, but cannot be manually deleted from inventory to preserve forensic integrity.
References:
Handling Inactive Devices in Microsoft Defender for Endpoint
Understand retention logic in Microsoft Defender Vulnerability Management
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
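
An added example, not part of the thread or of Microsoft's documentation: an advanced hunting (KQL) query that takes each device's most recent DeviceInfo record and flags devices with no record in the last 7 days, the threshold given in the answer above. It assumes the standard DeviceInfo columns Timestamp, DeviceId, DeviceName, OnboardingStatus and SensorHealthState; the 30-day lookback and the LifecycleGuess labels are choices made for this illustration.

```kusto
// Added example. InactiveAfter mirrors the 7-day threshold from the answer above.
let InactiveAfter = 7d;
// Assumption: a 30-day lookback; devices with no record in this window will not appear at all.
let Lookback = 30d;
DeviceInfo
| where Timestamp > ago(Lookback)
// Keep only the newest record per device, with the status columns from that record.
| summarize arg_max(Timestamp, DeviceName, OnboardingStatus, SensorHealthState) by DeviceId
| extend SinceLastReport = now() - Timestamp
// LifecycleGuess is a hypothetical label for triage, not a Defender field.
| extend LifecycleGuess = case(
    SinceLastReport >= InactiveAfter, "No DeviceInfo record for 7+ days",
    OnboardingStatus != "Onboarded", "Reporting, not onboarded",
    "Reporting")
| project DeviceId, DeviceName, LastReport = Timestamp, SinceLastReport,
          OnboardingStatus, SensorHealthState, LifecycleGuess
| order by LastReport asc
```

Devices at the top of the result are the ones closest to ageing out of the query window; compare them with the device inventory before treating them as retired.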