When is a device considered deleted or inactive in the DeviceInfo table?

Hello vinaygowlla​,

When is a device considered inactive?

• Not seen by Defender for Endpoint for 7 days: if the device hasn’t communicated or sent sensor data for at least 7 days, it's marked inactive.
• Offboarded for at least 7 days: even after offboarding, the device transitions to inactive after a week.
  Network connectivity issues: devices with impaired communications (e.g. blocked ports or URLs) can become inactive.
• Once inactive, the device remains in inventory based on retention settings (typically 30–180 days) and may continue to appear in reports such as Vulnerability Management for up to 30 days before being excluded.

As for Microsoft Defender for Endpoint specifically, there is no explicit “deleted” status. Devices may naturally drop off based on retention, but cannot be manually deleted from inventory to preserve forensic integrity.

References:

Handling Inactive Devices in Microsoft Defender for Endpoint

Understand retention logic in Microsoft Defender Vulnerability Management

If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like