Query Details
Intune Operational Logs Unexpected Device OS Type Modification
Query
let query_frequency = 1h;
let query_period = 14d;
IntuneOperationalLogs
| where TimeGenerated > ago(query_period)
| extend Properties = todynamic(Properties)
| extend
DeviceId = tostring(Properties["AADDeviceId"]),
DeviceName = tostring(Properties["DeviceName"]),
DeviceHostName = tostring(Properties["DeviceHostName"]),
DeviceNetBiosName = tostring(Properties["DeviceNetBiosName"]),
Os = tostring(Properties["Os"]),
OsVersion = tostring(Properties["OsVersion"]),
DeviceOperatingSystem = tostring(Properties["DeviceOperatingSystem"]),
UserId = tostring(Properties["IntuneUserId"]),
UserPrincipalName = iff(
isnotempty(Properties["UserName"]) and isnotempty(Properties["UPNSuffix"]),
strcat(tostring(Properties["UserName"]), "@", Properties["UPNSuffix"]),
""
),
IntuneDeviceId = tostring(Properties["IntuneDeviceId"])
| where not(IntuneDeviceId == "00000000-0000-0000-0000-000000000000")
| extend
OsType = coalesce(
tolower(Os),
replace_strings(
tolower(tostring(split(DeviceOperatingSystem, " ")[0])),
dynamic(["macmdm", "iphone", "ipad", "androidaosp", "androidenterprise", "androidforwork"]),
dynamic(["macos", "ios", "ios", "android", "android", "android"])
)
)
| where not(OsType == "unknown")
| sort by TimeGenerated asc
| summarize
StarTime = min(TimeGenerated),
EndTime = max(TimeGenerated),
DeviceNames = array_sort_asc(make_set(set_difference(pack_array(DeviceName, DeviceHostName, DeviceNetBiosName), dynamic([""])))),
OperatingSystemTypes = array_sort_asc(make_set(OsType)),
take_any(DeviceId),
take_any(UserId),
take_any(UserPrincipalName),
Properties = make_list(bag_pack(OperationName, Properties))
by IntuneDeviceId
| where array_length(OperatingSystemTypes) > 1
| where EndTime > ago(query_frequency)
| project
StarTime,
EndTime,
UserId,
UserPrincipalName,
DeviceId,
DeviceNames,
OperatingSystemTypes,
Properties,
IntuneDeviceId
Explanation
This query is analyzing logs from IntuneOperationalLogs over the past 14 days to identify devices that have been associated with multiple operating system types. Here's a simplified breakdown of what the query does:
-
Time Frame: It looks at logs generated in the last 14 days.
-
Data Extraction: It extracts various properties from the logs, such as device IDs, device names, operating system details, user IDs, and user principal names.
-
Filtering:
- It excludes logs where the IntuneDeviceId is a placeholder value ("00000000-0000-0000-0000-000000000000").
- It filters out entries where the operating system type is unknown.
-
Operating System Mapping: It maps certain operating system identifiers to more general categories (e.g., "macmdm" to "macos", "iphone" to "ios").
-
Sorting and Summarizing:
- It sorts the logs by the time they were generated.
- It summarizes the data by IntuneDeviceId, capturing the earliest and latest log times, unique device names, and operating system types.
-
Multi-OS Devices: It specifically looks for devices that have been associated with more than one operating system type.
-
Recent Activity: It ensures that the devices have had activity within the last hour.
-
Output: Finally, it projects a list of relevant details for each device, including the start and end times of the logs, user information, device IDs, device names, operating system types, and properties.
In essence, this query helps identify devices that have been used with multiple operating systems recently, which could be useful for monitoring and troubleshooting in an IT environment.
Details
Jose Sebastián Canós
Released: April 23, 2026
Tables
Keywords
Operators