Query Details

MDE TVM Accounts LAPS

Query

# MDE - TVM - Security Configuration - Laps (legacy)

## Query Information

Use the queries below to retrieve LAPS (Local Administrator Password Solution) configuration compliance from the Defender Vulnerability Management secure configuration assessment, configuration ID scid-84 ("Enable LAPS"). The first query gives a fleet-wide overview, the second lists the non-compliant devices.

#### References

### Microsoft 365 Defender


```kql
// Accounts - Enable Local Administrator Password Solution Compliance Overview
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-84")
// Keep only the most recent assessment per device and configuration
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId, DeviceName
| extend Configuration = case(
    ConfigurationId == "scid-84", "Enable LAPS",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
// Count distinct devices per outcome (column name outside the aggregation)
| summarize Compliant = toint(dcountif(DeviceId, Result == "GOOD")),
            NonCompliant = toint(dcountif(DeviceId, Result == "BAD")),
            NotApplicable = toint(dcountif(DeviceId, Result == "N/A"))
            by Configuration, ConfigurationId
// Enrich with the secure configuration knowledge base (name, description, category, risk)
| join DeviceTvmSecureConfigurationAssessmentKB
    on $left.ConfigurationId == $right.ConfigurationId
| extend TotalDevices = toint(Compliant + NonCompliant + NotApplicable)
// Share of all devices (not-applicable ones included) that are compliant, truncated to a whole number
| extend PctCompliant = toint((Compliant * 100) / TotalDevices)
| project ConfigurationName, Compliant, NonCompliant, NotApplicable, TotalDevices, PctCompliant, ConfigurationDescription, ConfigurationCategory, RiskDescription
```

```kql
// Local Administrator Password Solution - Non-Compliance Details
// Most recent operating system details per device
let DeviceOSInfo = DeviceInfo
    | where isnotempty(OSVersionInfo)
    | summarize arg_max(Timestamp, OSPlatform, OSVersion, OSBuild, OSVersionInfo) by DeviceId
    | project DeviceId, OSPlatform, OSVersion, OSBuild, OSVersionInfo;
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-84")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId, DeviceName
| extend Configuration = case(
    ConfigurationId == "scid-84", "Enable LAPS",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
// Only devices where the check applies and failed; not-applicable devices are excluded
| where Result == "BAD"
| join kind=leftouter DeviceTvmSecureConfigurationAssessmentKB
    on $left.ConfigurationId == $right.ConfigurationId
| project DeviceName, ConfigurationName, ConfigurationCategory, DeviceId
| join kind=leftouter DeviceOSInfo on $left.DeviceId == $right.DeviceId
| project DeviceName, DeviceId, ConfigurationName, ConfigurationCategory, OSPlatform, OSVersion, OSBuild, OSVersionInfo
```

Explanation

The first query reports LAPS (Local Administrator Password Solution) configuration compliance across the fleet. It takes the latest assessment per device for secure configuration scid-84 ("Enable LAPS"), classifies each device as compliant, non-compliant or not applicable, counts the devices in each bucket, joins the DeviceTvmSecureConfigurationAssessmentKB table for the configuration name, description, category and risk description, and derives the total number of devices and the percentage of compliant devices. The percentage uses all devices as its denominator, including those for which the check is not applicable, and is truncated to a whole number.

The second query lists the devices that are not compliant with the LAPS configuration. It returns the device name, configuration name, configuration category and device ID for each such device and joins the most recent DeviceInfo record per device to add operating system details.
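As an added example (not part of the original query page or the author's published queries), the same scid-84 assessment can be broken down by operating system platform, which shows where the LAPS gap concentrates, for example on servers rather than workstations. Unlike the overview query above, it computes the compliance percentage over applicable devices only, so not-applicable devices do not deflate the figure. Column names are those of DeviceTvmSecureConfigurationAssessment; it assumes OSPlatform is populated for the assessed devices.

```kql
// Added example - Enable LAPS (scid-84) compliance by OS platform
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-84"
// Latest assessment per device; carry the platform along
| summarize arg_max(Timestamp, IsCompliant, IsApplicable, OSPlatform) by DeviceId
| extend Result = case(
    IsApplicable == false, "N/A",
    IsCompliant == true, "GOOD",
    "BAD")
| summarize Compliant = countif(Result == "GOOD"),
            NonCompliant = countif(Result == "BAD"),
            NotApplicable = countif(Result == "N/A")
            by OSPlatform
// Denominator is applicable devices only, so N/A devices do not deflate the percentage
| extend Assessed = Compliant + NonCompliant
| extend PctCompliant = iff(Assessed == 0, real(null), round(100.0 * Compliant / Assessed, 1))
| order by NonCompliant desc
```

A platform with a high NotApplicable count and a low Assessed count usually indicates the assessment does not cover that OS at all, not that it is secure; read the two columns together before reporting a percentage.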

Details

Alex Verboon

Released: September 19, 2023

Tables

DeviceTvmSecureConfigurationAssessment, DeviceTvmSecureConfigurationAssessmentKB, DeviceInfo

Keywords

Devices, Intune, User

Operators

|, in, where, summarize, arg_max, by, extend, case, dcountif, join, toint, project, let, isnotempty, kind, leftouter