Query Details

Device: Windows 11 devices and users

Query

// Finds Windows 11 devices enrolled in Defender for Endpoint and the last user who logged on interactively
// Data connector required for this query - M365 Defender - Device* tables
DeviceInfo
| where TimeGenerated > ago(60d)
| where isnotempty(OSPlatform)
| summarize arg_max(TimeGenerated, *) by DeviceName
| extend OSBuildString = tostring(OSBuild)
| where OSPlatform == "Windows11" or OSBuildString startswith "22" or OSBuildString startswith "21"
| project DeviceName, OSBuild, OSPlatform, OSVersion
| join kind=inner (
    DeviceLogonEvents
    | where LogonType == "Interactive"
    | where ActionType == "LogonSuccess"
    | where InitiatingProcessCommandLine == "lsass.exe"
    | summarize arg_max(TimeGenerated, *) by DeviceName
) on DeviceName
| project DeviceName, AccountName, OSBuild, OSPlatform, OSVersion

Explanation

This query finds Windows 11 devices that are enrolled in Defender for Endpoint and retrieves the last user who logged on interactively. It uses the DeviceInfo and DeviceLogonEvents tables from the M365 Defender data connector. The query keeps DeviceInfo rows from the last 60 days with a non-empty OSPlatform, then groups the results by DeviceName, keeping the latest TimeGenerated (and that row's other columns) for each device. It further filters for devices with OSPlatform "Windows11" or OSBuildString starting with "22" or "21". The DeviceLogonEvents subquery keeps successful interactive logons initiated by lsass.exe and takes the most recent one per device; the inner join then discards any device without such a logon. The final result includes the DeviceName, AccountName (last user who logged on), OSBuild, OSPlatform, and OSVersion.
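The inner join above silently drops Windows 11 devices that have no successful interactive logon in the 60-day window, which are often the unassigned, shared or stale endpoints an operator most wants to review. The following variation is an added example, not the original page's query: it uses a leftouter join so those devices remain in the output with an empty last-logon column, and it keeps only the columns needed from the logon side so no column-name clashes arise. It assumes the same DeviceInfo and DeviceLogonEvents tables and the same 60-day window.

```kql
// Added example (not the original query): Windows 11 devices with their last
// successful interactive logon, keeping devices that have none in the window.
DeviceInfo
| where TimeGenerated > ago(60d)
| where isnotempty(OSPlatform)
| summarize arg_max(TimeGenerated, *) by DeviceName
| where OSPlatform == "Windows11"
| project DeviceName, OSBuild, OSPlatform, OSVersion
| join kind=leftouter (
    DeviceLogonEvents
    | where TimeGenerated > ago(60d)
    | where LogonType == "Interactive" and ActionType == "LogonSuccess"
    // keep only the timestamp and account so the join adds no duplicate columns
    | summarize arg_max(TimeGenerated, AccountName) by DeviceName
) on DeviceName
// unmatched devices come back with an empty AccountName; label them explicitly
| extend LastLogonUser = iff(isempty(AccountName), "no interactive logon in window", AccountName)
| project DeviceName, LastLogonUser, LastLogon = TimeGenerated, OSBuild, OSPlatform, OSVersion
| sort by LastLogon asc
```

Sorting ascending puts devices with no logon (null LastLogon) and the longest-idle devices first, so they can be triaged ahead of actively used endpoints.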

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceInfo, DeviceLogonEvents

Keywords

Devices, Intune, User

Operators

|, where, >, ago(), isnotempty(), summarize, arg_max(), by, extend, startswith, or, project, join, kind=inner, ==
