How to Create a Dynamic SCCM Collection for Microsoft Defender ATP Devices
When managing security policies and updates, it’s sometimes desirable to target only those devices that are successfully onboarded to Microsoft Defender ATP or have the ATP agent actively running. Instead of relying on registry queries, we can leverage SCCM’s built-in AdvancedThreatProtectionHealthStatus class to achieve this.
This guide explains how to create a dynamic SCCM collection including:
- Devices onboarded to Microsoft Defender ATP (OnboardingState = 1)
- Devices where the Defender ATP agent is running (SenseIsRunning = 1)
More information about the class can be found here.
Step 1: Understanding the SCCM Inventory Class
SCCM gathers ATP health data under:
SMS_G_System_AdvancedThreatProtectionHealthStatus
Key fields include:
- OnboardingState – Indicates whether the device is onboarded (1 = Yes)
- SenseIsRunning – Indicates whether the Defender ATP agent (the Sense service) is active (1 = Running)
Since SCCM already collects this data through hardware inventory, querying this class tends to be an easier approach than checking the registry on each device.
Step 2: Creating the SCCM Collection Query
Follow these steps to define a query-based collection:
- Open SCCM Console → Navigate to Assets and Compliance → Device Collections.
- Right-click and choose Create Device Collection.
- Assign a name, e.g., Defender ATP Onboarded Devices.
- Under Membership Rules, select Add Rule → Query Rule.
- Insert this WQL query into the Query Statement box:
SELECT SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
FROM SMS_R_System
INNER JOIN SMS_G_System_AdvancedThreatProtectionHealthStatus
ON SMS_G_System_AdvancedThreatProtectionHealthStatus.ResourceID = SMS_R_System.ResourceID
WHERE SMS_G_System_AdvancedThreatProtectionHealthStatus.OnboardingState = 1
OR SMS_G_System_AdvancedThreatProtectionHealthStatus.SenseIsRunning = 1
- Click OK to save.
- Enable Incremental Updates to keep the collection dynamic.
- Click Save & Deploy.
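The same collection can be built and checked from PowerShell. The script below is an added example, not part of the original guide: it first inspects the SMS_G_System_AdvancedThreatProtectionHealthStatus class from Step 1 directly on the site server so you can see how many devices report each state, then creates the query-based collection from Step 2 with the ConfigurationManager module and updates its membership. The site code (PS1), the site server name (cm01.example.local) and the limiting collection (All Systems) are placeholders that you must replace with your own values.

```powershell
# Added example (not from the original guide). Assumes the ConfigurationManager
# console is installed on this machine and that the account running it has rights
# on the site. Placeholders: site code 'PS1', site server 'cm01.example.local'.
$SiteCode   = 'PS1'                     # placeholder site code
$SiteServer = 'cm01.example.local'      # placeholder site server
$CollName   = 'Defender ATP Onboarded Devices'
$Namespace  = "root\SMS\site_$SiteCode"

# --- Step 1 check: what does the inventory class actually contain? ---------
# Tally devices by (OnboardingState, SenseIsRunning) so the collection size
# can be sanity-checked against the fleet before anything is deployed to it.
$health = Get-CimInstance -ComputerName $SiteServer -Namespace $Namespace -Query @"
SELECT ResourceID, OnboardingState, SenseIsRunning
FROM SMS_G_System_AdvancedThreatProtectionHealthStatus
"@

$health |
    Group-Object OnboardingState, SenseIsRunning |
    Sort-Object Name |
    ForEach-Object { '{0,-30} {1,6}' -f "Onboarding,Sense = $($_.Name)", $_.Count }

# Devices that have inventory for the class but are neither onboarded nor
# running Sense are the coverage gaps worth following up on.
$gaps = $health | Where-Object { $_.OnboardingState -ne 1 -and $_.SenseIsRunning -ne 1 }
"Devices with ATP inventory but no protection: $(@($gaps).Count)"

# --- Step 2: create the query-based collection ----------------------------
# Same WQL as the guide: onboarded OR Sense running.
$Wql = @"
SELECT SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
FROM SMS_R_System
INNER JOIN SMS_G_System_AdvancedThreatProtectionHealthStatus
    ON SMS_G_System_AdvancedThreatProtectionHealthStatus.ResourceID = SMS_R_System.ResourceID
WHERE SMS_G_System_AdvancedThreatProtectionHealthStatus.OnboardingState = 1
   OR SMS_G_System_AdvancedThreatProtectionHealthStatus.SenseIsRunning = 1
"@

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Push-Location "$SiteCode`:"
try {
    $coll = Get-CMDeviceCollection -Name $CollName
    if (-not $coll) {
        # Daily full evaluation plus incremental updates keeps membership dynamic.
        $schedule = New-CMSchedule -RecurInterval Days -RecurCount 1
        $coll = New-CMDeviceCollection -Name $CollName `
                    -LimitingCollectionName 'All Systems' `
                    -RefreshType Both -RefreshSchedule $schedule
    }

    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollName `
        -RuleName 'ATP onboarded or Sense running' -QueryExpression $Wql

    # Force an evaluation now and report the resulting membership count.
    Invoke-CMCollectionUpdate -Name $CollName
    $members = Get-CMCollectionMember -CollectionName $CollName
    "Members of '$CollName': $(@($members).Count)"
}
finally {
    Pop-Location
}
```

The membership rule uses OR, as in the guide, so a device qualifies if it is onboarded even while the Sense service is stopped, and also if Sense is running before onboarding has fully completed. If the intent is to target only devices that are both onboarded and actively protected, change the OR in the WHERE clause to AND; the tally printed from the health class shows how much the two definitions differ in your environment.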
Step 3: Deploying Security Updates and Policies
Once your collection is active, you can:
- Deploy Microsoft Defender Antivirus definition updates or Microsoft Defender Platform Updates exclusively to compliant devices.
- Apply Security Baselines to devices that meet the ATP criteria.
- Monitor compliance through SCCM reports.