Microsoft Defender for Endpoint - Certificates - DigiCert Global Root G2
MDE Digi Cert Global Root G2
Query
let CertCount = DeviceTvmCertificateInfo
| summarize TotalCerts = count() by DeviceId;
DeviceInfo
| where OnboardingStatus == 'Onboarded'
| summarize arg_max(Timestamp,*) by DeviceId
| project Timestamp, DeviceId, DeviceName, OSPlatform, JoinType
| join kind=leftouter (DeviceTvmCertificateInfo
| extend IssuedTo_CommonName = tostring(parse_json(IssuedTo)["CommonName"])
| where IssuedTo_CommonName == "DigiCert Global Root G2")
on $left. DeviceId == $right. DeviceId
| summarize arg_max(Timestamp,*) by DeviceId
| extend CertPresent = iff(isnotempty( IssuedTo_CommonName),"Yes","No")
| project Timestamp,DeviceId, DeviceName,OSPlatform, JoinType, CertPresent, IssuedTo_CommonName, ExpirationDate,Path
| join kind=leftouter CertCount
on $left. DeviceId == $right. DeviceId
| extend TotalCerts = iff(TotalCerts > 0,TotalCerts,0)
| project Timestamp, DeviceId,DeviceName, OSPlatform, JoinType,TotalCerts, CertPresent, IssuedTo_CommonName, ExpirationDate,Path
//| where CertPresent == "No" and TotalCerts > 0About this query
Explanation
This KQL query set is designed to help identify devices in a network that may have issues related to the DigiCert Global Root G2 certificate. Here's a simple breakdown of what each query does:
-
Query 1: This query lists all devices, indicating whether they have the DigiCert Global Root G2 certificate installed or not. It checks the
DeviceTvmCertificateInfotable to see if the certificate is present and summarizes the total number of certificates for each device. -
Query 2: This query is similar to the first but adds information about missing security updates. It identifies devices that do not have the DigiCert Global Root G2 certificate and also checks for any missing security updates from Microsoft. This helps in understanding if a device is not only missing the certificate but also lacks important security patches.
-
Query 3: This query identifies devices that do not have any certificate inventory data available in the Defender TVM (Threat and Vulnerability Management) system. It checks for devices that have been onboarded but do not report any certificate data, which could indicate a configuration or reporting issue.
These queries are useful for network administrators using Microsoft Defender for Endpoint to ensure that devices are properly configured with necessary certificates and security updates, particularly in preparation for changes that require the DigiCert Global Root G2 certificate.
Details

Alex Verboon
Released: April 16, 2026
Tables
Keywords
Operators