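# Device configuration not compliant
----
## Defender XDR
```KQL
DeviceTvmSecureConfigurationAssessment
// Add the configuration metadata (ConfigurationName) from the KB table
| join kind=inner DeviceTvmSecureConfigurationAssessmentKB on ConfigurationId
// Keep only settings that apply to the device and are not compliant
| where IsCompliant == 0 and IsApplicable == 1
// One row per device: summed impact plus the names and IDs of the failing settings
| summarize ConfigurationImpactScore = sum(ConfigurationImpact), ImpactedConfiguration = make_set(ConfigurationName), ConfigID = make_set(ConfigurationId) by DeviceName
| sort by ConfigurationImpactScore
```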
This KQL query is designed to identify devices that are not compliant with certain security configurations. Here's a simple breakdown of what it does:
- Data Source: It starts by accessing two tables: DeviceTvmSecureConfigurationAssessment and DeviceTvmSecureConfigurationAssessmentKB.
- Joining Tables: It performs an inner join between these two tables using ConfigurationId as the key. This means it combines rows from both tables where the ConfigurationId matches.
- Filtering: The query filters the results to include only those configurations that are not compliant (IsCompliant == 0) but are applicable (IsApplicable == 1) to the device.
- Summarizing Data: For each device (DeviceName), it calculates:
  - ConfigurationImpactScore: The total impact score of all non-compliant configurations, obtained by summing their individual impact scores (ConfigurationImpact).
  - ImpactedConfiguration: A set of names of the configurations that are non-compliant.
  - ConfigID: A set of IDs of the configurations that are non-compliant.
- Sorting: Finally, it sorts the devices by their ConfigurationImpactScore in descending order (the default for `sort by`), so the devices with the highest impact from non-compliance appear first.
In summary, this query helps identify and prioritize devices based on the impact of their non-compliant security configurations.
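The same pipeline run over inline sample data, as an added example that is not part of the original query: it shows which rows each filter drops and how the per-device score is built. The table names `Assessment` and `AssessmentKB`, the device names, the configuration IDs and the configuration names are all constructed for illustration, and the tables carry only the columns the query uses.

```kql
// Constructed sample rows, not real Defender XDR data.
// Reduced stand-in for DeviceTvmSecureConfigurationAssessment.
let Assessment = datatable(DeviceName:string, ConfigurationId:string, ConfigurationImpact:real, IsCompliant:bool, IsApplicable:bool)
[
    "host-a", "cfg-A", 9.0, false, true,    // kept: applicable and not compliant
    "host-a", "cfg-B", 5.0, false, true,    // kept: applicable and not compliant
    "host-a", "cfg-C", 8.0, true,  true,    // dropped by the filter: compliant
    "host-b", "cfg-A", 9.0, false, false,   // dropped by the filter: not applicable
    "host-b", "cfg-C", 8.0, false, true,    // kept: applicable and not compliant
    "host-c", "cfg-B", 5.0, true,  true     // dropped: host-c has no failing settings
];
// Reduced stand-in for DeviceTvmSecureConfigurationAssessmentKB.
let AssessmentKB = datatable(ConfigurationId:string, ConfigurationName:string)
[
    "cfg-A", "Constructed setting A",
    "cfg-B", "Constructed setting B",
    "cfg-C", "Constructed setting C"
];
Assessment
| join kind=inner AssessmentKB on ConfigurationId
| where IsCompliant == 0 and IsApplicable == 1
| summarize ConfigurationImpactScore = sum(ConfigurationImpact),
            ImpactedConfiguration = make_set(ConfigurationName),
            ConfigID = make_set(ConfigurationId)
        by DeviceName
// desc is already the default for sort by; written out here to make the order explicit
| sort by ConfigurationImpactScore desc
```

A device whose applicable settings are all compliant produces no row at all, so absence from the result means nothing to remediate in this view, not missing telemetry.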

Bert-Jan Pals
Released: January 18, 2026