Query Details
Endpoint Installed Apps Windows
Query
name : Installed App name & version list
description :
- On a Windows device, here is a list of all installed app names and their versions
table :
- DeviceTvmSoftwareInventory
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicetvmsoftwareinventory-table?view=o365-worldwide
query : |
//Installed App name & version list
DeviceTvmSoftwareInventory
| where OSPlatform startswith "Windows"
| summarize Installed_Software = make_set(strcat(SoftwareName, " | ", SoftwareVersion)) by DeviceName, DeviceId, OSPlatform, OSVersion
| extend AppNum = array_length(Installed_Software)
| project DeviceId, DeviceName, OSPlatform, OSVersion, AppNum, Installed_Software
Explanation
This query retrieves a list of all installed app names and their versions on Windows devices. It uses the DeviceTvmSoftwareInventory table and filters for devices with an OSPlatform starting with "Windows". The query then summarizes the data by grouping it by DeviceName, DeviceId, OSPlatform, and OSVersion. It also calculates the number of installed apps and displays the results in a table with columns for DeviceId, DeviceName, OSPlatform, OSVersion, AppNum, and Installed_Software.
Details
Kijo Girardi
Released: March 15, 2023
Tables
DeviceTvmSoftwareInventory
Keywords
DeviceTvmSoftwareInventory,OSPlatform,Windows,SoftwareName,SoftwareVersion,DeviceName,DeviceId,OSVersion,Installed_Software,AppNum
Operators
toscalar()arg_max()count()mv-expandwheresummarizemake_setstrcatbyextendarray_lengthproject