Device Windows11devicesand Users
Query
//Finds Windows 11 devices enrolled in Defender for Endpoint and the last user who logged on interactively
//Data connector required for this query - M365 Defender - Device* tables
DeviceInfo
| where TimeGenerated > ago(60d)
| where isnotempty( OSPlatform)
| summarize arg_max(TimeGenerated, *) by DeviceName
| extend OSBuildString = tostring(OSBuild)
| where OSPlatform == "Windows11" or OSBuildString startswith "22" or OSBuildString startswith "21"
| project DeviceName, OSBuild, OSPlatform, OSVersion
|join kind=inner (
DeviceLogonEvents
| where LogonType == "Interactive"
| where ActionType == "LogonSuccess"
| where InitiatingProcessCommandLine == "lsass.exe"
| summarize arg_max(TimeGenerated, *) by DeviceName
) on DeviceName
| project DeviceName, AccountName, OSBuild, OSPlatform, OSVersionExplanation
This query finds Windows 11 devices that are enrolled in Defender for Endpoint and retrieves the last user who logged on interactively. It uses the DeviceInfo and DeviceLogonEvents tables from the M365 Defender data connector. The query filters for devices with a recent TimeGenerated, a non-empty OSPlatform, and then groups the results by DeviceName, keeping the latest TimeGenerated for each device. It further filters for devices with OSPlatform "Windows11" or OSBuildString starting with "22" or "21". The final result includes the DeviceName, AccountName (last user who logged on), OSBuild, OSPlatform, and OSVersion.
Details

Matt Zorich
Released: June 17, 2022
Tables
DeviceInfoDeviceLogonEvents
Keywords
DevicesIntuneUser
Operators
| where>ago()isnotempty()summarizearg_max()byextendstartswithorprojectjoinkind=inner==