Query Details

Intune Devices By OS Version

Query

id: 7b8c9d10-aaaa-4001-8001-00000000000D
name: HUNT - Intune devices by outdated OS version
description: |
  Ranks IntuneDevices by OS and OS version to surface estate that is running old or unsupported
  builds. These devices are more likely to hold vulnerable agents or to fail Conditional Access
  version-check grace periods and become compliance-bypass candidates.
requiredDataConnectors:
  - connectorId: AzureMonitor(IntuneLogs)
    dataTypes:
      - IntuneDevices
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
  IntuneDevices
  | where TimeGenerated > ago(1d)
  | summarize arg_max(TimeGenerated, *) by DeviceId = tostring(DeviceId)
  | extend OS = tostring(OS), OSVersion = tostring(OSVersion),
           UPN = tolower(tostring(UPN)),
           LastSeen = todatetime(LastContact)
  | summarize Devices = count(),
              UniqueUsers = dcount(UPN),
              Sample = make_set(DeviceName, 25),
              OldestContact = min(LastSeen),
              NewestContact = max(LastSeen)
            by OS, OSVersion
  | order by OS asc, OSVersion asc
version: 1.0.0

Explanation

This query is designed to identify and rank devices managed by Microsoft Intune that are running outdated or unsupported operating system (OS) versions. These devices are at a higher risk of security vulnerabilities and may not comply with certain security policies.

Here's a simple breakdown of what the query does:

  1. Data Source: It pulls data from Intune logs, specifically focusing on devices (IntuneDevices).

  2. Time Frame: It looks at data generated in the last day (TimeGenerated > ago(1d)).

  3. Data Processing:
    • It selects the most recent entry for each device (arg_max(TimeGenerated, *) by DeviceId).
    • It extracts and formats relevant information such as OS, OS version, user principal name (UPN), and the last contact time.

  4. Summarization:
    • It counts the total number of devices and unique users.
    • It creates a sample list of up to 25 device names.
    • It identifies the oldest and newest contact times for each OS and OS version.

  5. Output:
    • The results are ordered by OS and OS version in ascending order.

The query helps in identifying devices that might bypass security compliance due to outdated software, which is crucial for maintaining a secure IT environment.
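To make the pipeline concrete, here is an added Python re-implementation of the same steps (time filter, arg_max per DeviceId, lower-cased UPN for dcount, capped make_set, min/max LastContact, grouping by OS and OSVersion) run over a handful of constructed IntuneDevices-shaped rows. It is example code written for this page, not part of the hunting query or of any Microsoft tooling; the rows, device ids, names and UPNs are made up. It goes one step beyond the KQL in one respect: `order by OSVersion asc` on a string column sorts lexicographically, so a build like 10.0.9 would sort after 10.0.19045; the `version_key` helper here orders versions numerically so the oldest build really lands first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not real telemetry). Column names follow the query:
# TimeGenerated, DeviceId, DeviceName, OS, OSVersion, UPN, LastContact.
NOW = datetime(2026, 4, 22, 12, 0, 0)
SAMPLE_ROWS = [
    # dev-a reported twice inside the window; arg_max must keep the later row (upgraded build).
    {"TimeGenerated": NOW - timedelta(hours=20), "DeviceId": "dev-a", "DeviceName": "LAPTOP-A",
     "OS": "Windows", "OSVersion": "10.0.19045", "UPN": "Alice@contoso.example",
     "LastContact": NOW - timedelta(hours=21)},
    {"TimeGenerated": NOW - timedelta(hours=2), "DeviceId": "dev-a", "DeviceName": "LAPTOP-A",
     "OS": "Windows", "OSVersion": "10.0.22631", "UPN": "alice@contoso.example",
     "LastContact": NOW - timedelta(hours=3)},
    # Two devices on the same build, same user with different UPN casing: dcount must see one user.
    {"TimeGenerated": NOW - timedelta(hours=5), "DeviceId": "dev-b", "DeviceName": "LAPTOP-B",
     "OS": "Windows", "OSVersion": "10.0.19045", "UPN": "BOB@contoso.example",
     "LastContact": NOW - timedelta(hours=6)},
    {"TimeGenerated": NOW - timedelta(hours=4), "DeviceId": "dev-c", "DeviceName": "LAPTOP-C",
     "OS": "Windows", "OSVersion": "10.0.19045", "UPN": "bob@contoso.example",
     "LastContact": NOW - timedelta(days=3)},
    {"TimeGenerated": NOW - timedelta(hours=1), "DeviceId": "dev-d", "DeviceName": "PHONE-D",
     "OS": "iOS", "OSVersion": "17.4", "UPN": "carol@contoso.example",
     "LastContact": NOW - timedelta(hours=1)},
    # Outside the 1-day window: the time filter must drop it.
    {"TimeGenerated": NOW - timedelta(days=2), "DeviceId": "dev-e", "DeviceName": "OLD-E",
     "OS": "Windows", "OSVersion": "10.0.17763", "UPN": "dave@contoso.example",
     "LastContact": NOW - timedelta(days=2)},
]


def version_key(ver):
    # Numeric tuple so "10.0.9" sorts before "10.0.19045"; a plain string sort
    # (what `order by OSVersion asc` does on a string column) would reverse them.
    return tuple(int(p) if p.isdigit() else 0 for p in ver.split("."))


def summarize_by_os_version(rows, now=NOW, window=timedelta(days=1), sample_cap=25):
    # Step 1: TimeGenerated > ago(1d)
    recent = [r for r in rows if r["TimeGenerated"] > now - window]

    # Step 2: arg_max(TimeGenerated, *) by DeviceId -> latest row per device
    latest = {}
    for r in recent:
        cur = latest.get(r["DeviceId"])
        if cur is None or r["TimeGenerated"] > cur["TimeGenerated"]:
            latest[r["DeviceId"]] = r

    # Step 3: summarize count / dcount / make_set / min / max by OS, OSVersion
    groups = defaultdict(lambda: {"Devices": 0, "UPNs": set(), "Sample": [],
                                  "Oldest": None, "Newest": None})
    for r in latest.values():
        g = groups[(r["OS"], r["OSVersion"])]
        g["Devices"] += 1
        g["UPNs"].add(r["UPN"].lower())            # tolower(UPN) before dcount
        if r["DeviceName"] not in g["Sample"] and len(g["Sample"]) < sample_cap:
            g["Sample"].append(r["DeviceName"])     # make_set(DeviceName, 25)
        lc = r["LastContact"]
        g["Oldest"] = lc if g["Oldest"] is None or lc < g["Oldest"] else g["Oldest"]
        g["Newest"] = lc if g["Newest"] is None or lc > g["Newest"] else g["Newest"]

    # Step 4: order by OS, then by numeric version so the oldest build is listed first
    out = []
    for (os_name, ver), g in sorted(groups.items(),
                                    key=lambda kv: (kv[0][0], version_key(kv[0][1]))):
        out.append({"OS": os_name, "OSVersion": ver, "Devices": g["Devices"],
                    "UniqueUsers": len(g["UPNs"]), "Sample": sorted(g["Sample"]),
                    "OldestContact": g["Oldest"], "NewestContact": g["Newest"]})
    return out


if __name__ == "__main__":
    for row in summarize_by_os_version(SAMPLE_ROWS):
        print(row["OS"], row["OSVersion"], row["Devices"], row["UniqueUsers"], row["Sample"])
```

On the constructed rows this yields three groups: Windows 10.0.19045 with two devices but one unique user (the UPN casing collapses), Windows 10.0.22631 with the upgraded dev-a only, and iOS 17.4; the stale dev-e row never reaches the summary. When you reuse the pattern in KQL, keep in mind that the string ordering of OSVersion is cosmetic; for a real "below baseline" check, split the version into numeric parts (for example with parse_version() in KQL) rather than comparing strings.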

Details


David Alonso

Released: April 22, 2026

Tables

IntuneDevices

Keywords

IntuneDevices, OS, OSVersion, UPN, DeviceId, DeviceName, LastContact, TimeGenerated

Operators

IntuneDevices, where, ago, summarize, arg_max, by, extend, tostring, tolower, todatetime, dcount, make_set, min, max, order by, asc
