24H2 devices 'Not applicable' for Defender Onboarding Blob via connector?

Howdy, stuck on this one... Our org has shipped out about 50 or so new Dell devices which arrived with 24H2 on them, they've been enrolled via Autopilot via partner integration with Dell and all that seems good.

The only sticking point, is that they are all currently in compliance grace period because they have no Defender Risk Score.

On investigation, our Endpoint Detection and Response policy for onboarding the devices to Intune is showing as 'Not Applicable' on these devices...

Client configuration package type is "Auto from connector" and the policy is 100% targeted to these devices, it's not getting filtered out or anything like that.

Has anyone seen this? I saw some other threads about a similar issue, but these seem to be related to devices with ARM CPUs only, these things have bog standard Intel 13th Gen

All of the other compliance is good (Secure Boot/Code Integrity/etc)