Device TVM Secure Configuration Assessment Summary
Query
DeviceTvmSecureConfigurationAssessment
| join kind=leftouter (
DeviceTvmSecureConfigurationAssessmentKB
| project ConfigurationId, ConfigurationName
) on ConfigurationId
| summarize
Total = count(),
Compliant = countif(IsCompliant == 1),
NonCompliant = countif(IsCompliant == 0),
NotApplicable = countif(IsApplicable == 0)
by ConfigurationId, ConfigurationName
| order by NonCompliant descAbout this query
Device TVM Secure Configuration Assessment Summary
Query Information
Description
This rule summarizes the compliance status of security configurations across devices using data from DeviceTvmSecureConfigurationAssessment and DeviceTvmSecureConfigurationAssessmentKB. It identifies and prioritizes security misconfigurations by counting compliant, non-compliant, and not-applicable devices for each configuration, ordered by the highest number of non-compliant devices.
Author <Optional>
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
References
Defender XDR
Explanation
This query is designed to provide a summary of how well devices adhere to security configuration standards. It uses data from two sources: DeviceTvmSecureConfigurationAssessment and DeviceTvmSecureConfigurationAssessmentKB. Here's a simple breakdown of what the query does:
-
Join Data Sources: It combines information from two tables to get details about each security configuration, including its ID and name.
-
Count Compliance Status: For each security configuration, it calculates:
- The total number of devices assessed.
- The number of devices that are compliant with the configuration.
- The number of devices that are non-compliant.
- The number of devices for which the configuration is not applicable.
-
Prioritize Issues: It sorts the configurations by the number of non-compliant devices, showing the configurations with the most issues at the top.
In summary, this query helps identify which security configurations are most problematic across devices by highlighting those with the highest number of non-compliant devices.
Details

Benjamin Zulliger
Released: March 30, 2026
Tables
Keywords
Operators