Query Details

Azure Arc - Compare Azure Arc Computer Resources with Defender for Endpoint Resources

Arc Compare MDE

Query

let ServerOS = dynamic(["Linux","WindowsServer2025","WindowsServer2022","WindowsServer2019","WindowsServer2016","WindowsServer2012","WindowsServer2012R2"]);
let arcservers = arg("").Resources
| where type == 'microsoft.hybridcompute/machines'
| project
  ArcComputerName = tolower(tostring(properties.osProfile.computerName)),
  ArcLocation = location,
  resourceGroup,
  subscriptionId,
  ArcOSName = tostring(properties.osName);
  DeviceInfo
    | where OSPlatform  in(ServerOS) 
  | summarize arg_max(TimeGenerated,*) by DeviceName
  | project 
MDEDeviceName = tolower(split(DeviceName,".")[0]),
  MDEOSPlatform = OSPlatform, 
  OnboardingStatus  
  | join kind=leftouter hint.remote=left (arcservers)
  on $left. MDEDeviceName == $right.ArcComputerName
  | where isnotempty(ArcComputerName) // Remove devices that are not Arc-enabled, this could include a scenario like non-persistent VDIs with MDE
  | project ArcComputerName, MDEDeviceName, ArcOSName, MDEOSPlatform, OnboardingStatus, ArcLocation, resourceGroup, subscriptionId

About this query

Azure Arc - Compare Azure Arc Computer Resources with Defender for Endpoint Resources

Query Information

Description

Use the below query to compare the Azure Arc Server Inventory with the Defender for Endpoint resources.

References

Author

  • Alex Verboon

Defender XDR

Explanation

This KQL query is designed to compare the list of servers managed by Azure Arc with those managed by Microsoft Defender for Endpoint (MDE). Here's a simplified explanation of what the query does:

  1. Define Server Operating Systems: It starts by defining a list of server operating systems (ServerOS) that includes Linux and various versions of Windows Server.

  2. Retrieve Azure Arc Servers: The query fetches resources from Azure Arc that are of the type microsoft.hybridcompute/machines. It extracts and standardizes relevant details such as the computer name, location, resource group, subscription ID, and operating system name.

  3. Retrieve Defender for Endpoint Devices: It then gathers information about devices from Defender for Endpoint, filtering to include only those with operating systems in the predefined ServerOS list. It selects the most recent entry for each device based on the TimeGenerated field.

  4. Join Data: The query performs a left outer join between the Defender for Endpoint devices and the Azure Arc servers based on the computer name (converted to lowercase for consistency).

  5. Filter and Project Results: It filters out devices that are not Azure Arc-enabled, which might include non-persistent virtual desktop infrastructure (VDI) devices. Finally, it selects and displays relevant columns such as the computer names from both sources, operating system details, onboarding status, location, resource group, and subscription ID.

In summary, this query helps identify and compare servers that are managed by both Azure Arc and Defender for Endpoint, providing insights into their configuration and status.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 19, 2026

Tables

ResourcesDeviceInfo

Keywords

AzureArcComputerResourcesDefenderForEndpointServerInventoryDevices

Operators

letdynamicargResourceswhere==projecttolowertostringinsummarizearg_maxbysplitjoinkindleftouterhint.remoteonisnotempty

Actions

GitHub