Forum Discussion
Creating Security group in Azure AD with only MDE onboarded devices
We are implementing Defender for Endpoint for a large enterprise; however, we are facing difficulty in pushing AV, ASR and EDR policies via Intune. All the MDE-onboarded devices are also Intune-managed, hence their "managed by" section is populated with "Intune". We need to push policies via Intune to only those devices which are MDE-onboarded, but could not find a way to create a dynamic security group which adds only MDE-onboarded devices to it. Cannot use the query systemLabels "MDEManaged", as this field is blank ([]) when the device is already Intune-managed. Also tried `(device.systemLabels -contains "MDEJoined") and (device.deviceManagementAppId -eq "0000000a-0000-0000-c000-000000000000") and (device.deviceOSType -eq "Windows")`, but it could not help either.
Is there any way we can create a dynamic security group which will add all MDE onboarded and Intune managed devices into it?
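Before writing or debugging a dynamic membership rule like the one above, it helps to see which systemLabels and management type the directory actually holds for each Windows device. The following Microsoft Graph PowerShell script is an added example, not part of the original post; it assumes the Microsoft.Graph modules are installed and that the account running it has the Device.Read.All permission.

```powershell
# Added diagnostic example (not from the original post).
# Lists Windows devices with their managementType and systemLabels so you can
# verify which label values (e.g. "MDEJoined", "MDEManaged") are actually
# populated before relying on them in a dynamic group rule.
# Assumption: Microsoft.Graph modules are installed and Device.Read.All is granted.

Connect-MgGraph -Scopes "Device.Read.All" | Out-Null

# Pull only the properties needed for the rule being debugged.
$devices = Get-MgDevice -All -Property "id,displayName,operatingSystem,managementType,systemLabels" |
    Where-Object { $_.OperatingSystem -eq "Windows" }

$report = foreach ($d in $devices) {
    $labels = @($d.SystemLabels)
    [pscustomobject]@{
        DisplayName    = $d.DisplayName
        ManagementType = $d.ManagementType
        SystemLabels   = ($labels -join ";")
        HasMDEJoined   = ($labels -contains "MDEJoined")
        HasMDEManaged  = ($labels -contains "MDEManaged")
    }
}

# Summary: how many devices carry each label, split by management type.
$report | Group-Object ManagementType, HasMDEJoined, HasMDEManaged |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize

# Devices that are Intune (MDM) managed but carry no MDE label at all:
# these are the ones a systemLabels-based rule would miss.
$report | Where-Object { $_.ManagementType -eq "MDM" -and -not $_.HasMDEJoined -and -not $_.HasMDEManaged } |
    Select-Object DisplayName, ManagementType, SystemLabels | Format-Table -AutoSize
```

Compare the summary against the device count you expect to be MDE-onboarded; if the label columns are empty for Intune-managed devices, the rule will never match them regardless of how it is written.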