Defender for Endpoint - TVM - EDR Sensor Update
MDE TVM EDR Sensor Update
Query
let missingKB = DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor == 'microsoft'
| where SoftwareName startswith 'windows_server'
| where isnotempty(RecommendedSecurityUpdate)
| project-rename KBDeviceId = DeviceId
| distinct KBDeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
| summarize MissingKBs = make_set(RecommendedSecurityUpdate) by KBDeviceId
| extend TotalMissingKB = array_length(MissingKBs);
let configreq = (
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == 'scid-2030'
| where IsApplicable == "1"
| where IsCompliant == "0"
| project-rename configDeviceId = DeviceId
| project Timestamp, DeviceName, configDeviceId, OSPlatform
);
configreq
| join kind=leftouter (DeviceTvmInfoGathering
| extend xAVMode = parse_json(AdditionalFields.AvMode)
| where isnotempty(xAVMode)
| extend AF = parse_json(AdditionalFields)
| evaluate bag_unpack(AF, columnsConflict='keep_source'): (
Timestamp: datetime,
DeviceName: string,
DeviceId: string,
OSPlatform: string,
AsrConfigurationStates: dynamic,
AvEnginePublishTime: datetime,
AvEngineRing: string,
AvEngineUpdateTime: datetime,
AvEngineVersion: string,
AvIsEngineUptodate: string ,
AvIsPlatformUptodate: string,
AvIsSignatureUptoDate: string,
AvMode: string,
AvPlatformPublishTime: datetime,
AvPlatformRing: string,
AvPlatformUpdateTime: datetime,
AvPlatformVersion: string,
AvScanResults: string,
AvSignatureDataRefreshTime: datetime,
AvSignaturePublishTime: datetime,
AvSignatureRing: string,
AvSignatureUpdateTime: datetime,
AvSignatureVersion: string,
CloudProtectionState: string,
AdditionalFields: dynamic)
)
on $left. configDeviceId == $right.DeviceId
| join kind=leftouter (DeviceProcessEvents
| where FolderPath contains "defender"
| where InitiatingProcessFileName == @"MsSense.exe"
| summarize arg_max(Timestamp,*) by DeviceName, DeviceId
| extend xSHA256 = InitiatingProcessSHA256
| project Timestamp,DeviceId, DeviceName,InitiatingProcessVersionInfoProductVersion, InitiatingProcessVersionInfoFileDescription, xSHA256,InitiatingProcessFileName)
on $left.DeviceId == $right.DeviceId
| invoke FileProfile(xSHA256)
| project Timestamp, DeviceName,DeviceId,InitiatingProcessVersionInfoProductVersion, InitiatingProcessVersionInfoFileDescription, InitiatingProcessFileName, GlobalFirstSeen, AvEngineVersion, AvPlatformVersion, AvSignatureVersion
| join kind=leftouter (missingKB)
on $left. DeviceId == $right. KBDeviceIdAbout this query
Explanation
This KQL query is designed to identify Windows Servers that are missing updates for the EDR (Endpoint Detection and Response) Sensor, which is part of the Microsoft Defender for Endpoint suite. Here's a simple breakdown of what the query does:
-
Identify Missing Updates: The query first checks for any missing security updates (KBs) for Windows Server devices. It focuses on updates recommended by Microsoft for security purposes.
-
Configuration Assessment: It looks at the configuration of devices to see if they are compliant with a specific security configuration (identified by
scid-2030). It checks if the configuration is applicable and whether the device is compliant. -
Gather Device Information: The query gathers additional information about the devices, including antivirus (AV) engine details, such as version numbers and update times, to assess the current state of the AV components.
-
Check EDR Sensor Version: It examines the version of the EDR Sensor (specifically the
MsSense.exeprocess) installed on each device. This helps determine if the sensor is outdated by comparing the installed version with the latest known version. -
Combine Results: The query combines all this information to provide a comprehensive view of each device, including:
- The current version of the EDR Sensor and when it was first seen.
- The AV engine, platform, and signature versions.
- Any missing security updates (KBs).
-
Output: The final output lists devices with missing EDR Sensor updates, along with details about their current EDR Sensor version, AV status, and any missing security updates. This helps administrators identify and address potential security vulnerabilities related to outdated EDR components and missing updates.
Details

Alex Verboon
Released: February 5, 2025
Tables
Keywords
Operators