HUNT - Intune devices by outdated OS version
Intune Devices By OS Version
Query
IntuneDevices
| where TimeGenerated > ago(1d)
| summarize arg_max(TimeGenerated, *) by DeviceId = tostring(DeviceId)
| extend OS = tostring(OS), OSVersion = tostring(OSVersion),
UPN = tolower(tostring(UPN)),
LastSeen = todatetime(LastContact)
| summarize Devices = count(),
UniqueUsers = dcount(UPN),
Sample = make_set(DeviceName, 25),
OldestContact = min(LastSeen),
NewestContact = max(LastSeen)
by OS, OSVersion
| order by OS asc, OSVersion ascExplanation
This query is designed to identify and rank devices managed by Microsoft Intune that are running outdated or unsupported operating system (OS) versions. These devices are at a higher risk of security vulnerabilities and may not comply with certain security policies.
Here's a simple breakdown of what the query does:
-
Data Source: It pulls data from Intune logs, specifically focusing on devices (IntuneDevices).
-
Time Frame: It looks at data generated in the last day (
TimeGenerated > ago(1d)). -
Data Processing:
- It selects the most recent entry for each device (
arg_max(TimeGenerated, *) by DeviceId). - It extracts and formats relevant information such as OS, OS version, user principal name (UPN), and the last contact time.
- It selects the most recent entry for each device (
-
Summarization:
- It counts the total number of devices and unique users.
- It creates a sample list of up to 25 device names.
- It identifies the oldest and newest contact times for each OS and OS version.
-
Output:
- The results are ordered by OS and OS version in ascending order.
The query helps in identifying devices that might bypass security compliance due to outdated software, which is crucial for maintaining a secure IT environment.
Details

David Alonso
Released: April 22, 2026
Tables
Keywords
Operators
Tactics
MITRE Techniques