
# Microsoft Defender for Endpoint - Certificates - DigiCert Global Root G2

![KQL](https://img.shields.io/badge/language-KQL-blue.svg)
![Status: Testing](https://img.shields.io/badge/status-testing-blue.svg)

## Query Information

### Description

The below KQL queries assist in identifying devices that don't have the DigiCert Global Root G2 Certificate installed.

- Query 1: Find all devices with and without the DigiCert Global Root G2 certificate
- Query 2: Same as the first query but enriched with missing security updates information when available.
- Query 3: Devices that have no Defender TVM Certificate Inventory data

#### References

- [MC1193408 - (Update) Action Required: Trust DigiCert Global Root G2 Certificate Authority for using Entra services by January 7, 2026](https://mc.merill.net/message/MC1193408)

### Author

- **Alex Verboon**

## Defender XDR

Find all devices with and without the DigiCert Global Root G2 certificate

```kql
// Number of inventoried certificates per device
let CertCount = DeviceTvmCertificateInfo
    | summarize TotalCerts = count() by DeviceId;
DeviceInfo
| where OnboardingStatus == 'Onboarded'
| summarize arg_max(Timestamp, *) by DeviceId
| project Timestamp, DeviceId, DeviceName, OSPlatform, JoinType
// Pull only the DigiCert Global Root G2 entries from the certificate inventory
| join kind=leftouter (
    DeviceTvmCertificateInfo
    | extend IssuedTo_CommonName = tostring(parse_json(IssuedTo)["CommonName"])
    | where IssuedTo_CommonName == "DigiCert Global Root G2")
    on $left.DeviceId == $right.DeviceId
| summarize arg_max(Timestamp, *) by DeviceId
| extend CertPresent = iff(isnotempty(IssuedTo_CommonName), "Yes", "No")
| project Timestamp, DeviceId, DeviceName, OSPlatform, JoinType, CertPresent, IssuedTo_CommonName, ExpirationDate, Path
// TotalCerts is 0 for devices without any certificate inventory data
| join kind=leftouter CertCount
    on $left.DeviceId == $right.DeviceId
| extend TotalCerts = iff(TotalCerts > 0, TotalCerts, 0)
| project Timestamp, DeviceId, DeviceName, OSPlatform, JoinType, TotalCerts, CertPresent, IssuedTo_CommonName, ExpirationDate, Path
// Uncomment to list only devices that have inventory data but lack the certificate
//| where CertPresent == "No" and TotalCerts > 0
```

Find all devices without the DigiCert Global Root G2 certificate (but with other certificate inventory data), enriched with missing security update information where available.

```kql
// Devices with at least one recommended Windows security update still missing
let missingkb = DeviceTvmSoftwareVulnerabilities
    | where SoftwareVendor == 'microsoft'
    | where SoftwareName matches regex @"(?i)^windows.*\d+$"
    | where isnotempty(RecommendedSecurityUpdate)
    | distinct DeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
    | join kind=leftouter (
        DeviceInfo
        | where isnotempty(OSPlatform)
        | where OnboardingStatus == 'Onboarded'
        | where isnotempty(OSVersionInfo)
        | summarize arg_max(Timestamp, *) by DeviceId)
        on $left.DeviceId == $right.DeviceId
    | summarize MissingKBs = make_set(RecommendedSecurityUpdate) by DeviceName, DeviceId
    | extend TotalMissingKB = array_length(MissingKBs);
// Number of inventoried certificates per device
let CertCount = DeviceTvmCertificateInfo
    | summarize TotalCerts = count() by DeviceId;
DeviceInfo
| where OnboardingStatus == 'Onboarded'
| summarize arg_max(Timestamp, *) by DeviceId
| project Timestamp, DeviceId, DeviceName, OSPlatform, JoinType
// Pull only the DigiCert Global Root G2 entries from the certificate inventory
| join kind=leftouter (
    DeviceTvmCertificateInfo
    | extend IssuedTo_CommonName = tostring(parse_json(IssuedTo)["CommonName"])
    | where IssuedTo_CommonName == "DigiCert Global Root G2")
    on $left.DeviceId == $right.DeviceId
| summarize arg_max(Timestamp, *) by DeviceId
| extend CertPresent = iff(isnotempty(IssuedTo_CommonName), "Yes", "No")
| project Timestamp, DeviceId, DeviceName, OSPlatform, JoinType, CertPresent, IssuedTo_CommonName, ExpirationDate, Path
// Enrich with the missing-update information where the device has any
| join kind=leftouter missingkb
    on $left.DeviceId == $right.DeviceId
| project Timestamp, DeviceId, DeviceName, OSPlatform, JoinType, CertPresent, IssuedTo_CommonName, ExpirationDate, TotalMissingKB, MissingKBs, Path
| join kind=leftouter CertCount
    on $left.DeviceId == $right.DeviceId
| extend TotalCerts = iff(TotalCerts > 0, TotalCerts, 0)
| project Timestamp, DeviceId, DeviceName, OSPlatform, JoinType, TotalCerts, CertPresent, TotalMissingKB, MissingKBs, IssuedTo_CommonName, ExpirationDate, Path
// Keep only devices that have inventory data but lack the certificate
| where CertPresent == "No" and TotalCerts > 0
```

Devices that have no Defender TVM Certificate Inventory data

```kql
let CertCount = DeviceTvmCertificateInfo
    | summarize TotalCerts = count() by DeviceId;
DeviceInfo
| where OnboardingStatus == 'Onboarded'
| summarize arg_max(Timestamp, *) by DeviceId
| project Timestamp, DeviceId, DeviceName, OSPlatform, ClientVersion, OSBuild, OsBuildRevision, JoinType
| join kind=leftouter CertCount
    on $left.DeviceId == $right.DeviceId
| extend TotalCerts = iff(TotalCerts > 0, TotalCerts, 0)
| project
    Timestamp,
    DeviceId,
    DeviceName,
    ClientVersion,
    OSPlatform,
    OSBuild,
    OsBuildRevision,
    JoinType,
    TotalCerts
| where TotalCerts == 0
```
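As an added example that is not one of the page's queries, the following fleet-level rollup extends Query 1 with two checks the queries above do not make: the matched certificate must be self-issued (issuer CommonName equal to subject CommonName, as a root certificate is, so a similarly named intermediate is not counted), and it must not be expired. Each device is classified as Valid, ExpiringSoon, Expired or Missing and counted per OSPlatform. Column names are those used by the queries above plus IssuedBy and Thumbprint from the same DeviceTvmCertificateInfo table; the 7-day lookback, the 30-day expiry threshold and the sample size of 5 device names are assumptions.

```kql
// Added example (not from the original page): classify every onboarded device by
// the state of its DigiCert Global Root G2 certificate and roll up per OS platform.
let lookback = 7d;          // assumption: how far back to look for DeviceInfo rows
let expiryWindow = 30d;     // assumption: threshold for "ExpiringSoon"
let RootG2 = DeviceTvmCertificateInfo
    | extend IssuedTo_CommonName = tostring(parse_json(IssuedTo)["CommonName"]),
             IssuedBy_CommonName = tostring(parse_json(IssuedBy)["CommonName"])
    | where IssuedTo_CommonName == "DigiCert Global Root G2"
    // A root certificate is self-issued: subject and issuer must match
    | where IssuedBy_CommonName == IssuedTo_CommonName
    | extend CertState = case(ExpirationDate < now(), "Expired",
                              ExpirationDate < now() + expiryWindow, "ExpiringSoon",
                              "Valid")
    // If a device holds several copies (different stores), keep the longest-lived one
    | summarize arg_max(ExpirationDate, CertState, Path, Thumbprint) by DeviceId;
DeviceInfo
| where Timestamp > ago(lookback)
| where OnboardingStatus == 'Onboarded'
| summarize arg_max(Timestamp, *) by DeviceId
| join kind=leftouter RootG2
    on $left.DeviceId == $right.DeviceId
// Devices with no matching root entry get the state "Missing"
| extend CertState = iff(isempty(CertState), "Missing", CertState)
| summarize DeviceCount = count(), SampleDevices = make_set(DeviceName, 5) by OSPlatform, CertState
| order by OSPlatform asc, CertState asc
```

Drop the final `summarize` and add `| where CertState != "Valid"` to get the per-device list instead of the rollup; devices reported as Missing should be cross-checked against Query 3, since a device with no certificate inventory data at all will also appear as Missing here.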

## Explanation

This KQL script is designed to help identify devices in a network that either have or lack the DigiCert Global Root G2 certificate, which is important for using certain Microsoft services. Here's a simplified summary of what each part of the script does:

1. Query 1: Find all devices with and without the DigiCert Global Root G2 certificate
   - This query checks all onboarded devices to see if they have the DigiCert Global Root G2 certificate installed.
   - It lists each device along with details like the operating system platform and whether the certificate is present.
   - It also counts the total number of certificates on each device.
2. Query 2: Find devices without the DigiCert Global Root G2 certificate and missing security updates
   - This query builds on the first by also checking for missing security updates on devices that lack the DigiCert Global Root G2 certificate.
   - It identifies devices that are missing recommended security updates from Microsoft and lists these along with the device details.
   - The query filters to show only devices that do not have the certificate but have other certificates installed.
3. Query 3: Identify devices with no Defender TVM Certificate Inventory Data
   - This query identifies devices that have no certificate data recorded in Defender TVM (Threat and Vulnerability Management).
   - It lists devices that are onboarded but have zero certificates recorded, indicating a potential issue with certificate inventory data collection.

Overall, these queries help in managing and securing a network by ensuring that devices have the necessary certificates and are up-to-date with security patches.

## Details

- Author: Alex Verboon
- Released: December 19, 2025
- Tables: DeviceTvmCertificateInfo, DeviceInfo, DeviceTvmSoftwareVulnerabilities
- Keywords: Devices
- Operators: let, summarize, count, by, where, arg_max, project, join, kind, leftouter, extend, tostring, parse_json, iff, isnotempty, matches regex, distinct, make_set, array_length