# MDE - TVM - Security Configuration - Application Guard
## Query Information
Use the queries below to retrieve Application Guard configuration compliance.
#### References
### Microsoft 365 Defender
```kql
// Security Controls - Application Guard - Compliance Summary
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-2051")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId, DeviceName
| extend Configuration = case(
    ConfigurationId == "scid-2051", "TurnOnAppGuardManagedMode",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
// Count distinct devices per result; the column name goes outside toint()
| summarize Compliant = toint(dcountif(DeviceId, Result == "GOOD")),
    NonCompliant = toint(dcountif(DeviceId, Result == "BAD")),
    NotApplicable = toint(dcountif(DeviceId, Result == "N/A"))
    by Configuration, ConfigurationId
| join DeviceTvmSecureConfigurationAssessmentKB
on $left.ConfigurationId == $right.ConfigurationId
| extend TotalDevices = toint((Compliant + NonCompliant + NotApplicable))
| extend PctCompliant = toint((Compliant*100) / TotalDevices)
| project ConfigurationName, ConfigurationSubcategory, Compliant, NonCompliant, NotApplicable, TotalDevices, PctCompliant, ConfigurationDescription, ConfigurationCategory, RiskDescription
| sort by ConfigurationSubcategory
// | summarize by ConfigurationName, TotalDevices,Compliant,NonCompliant
// | render columnchart with(kind=stacked100)
```
```kql
// Security Controls - Application Guard - Non-Compliance Details
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-2051")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId, DeviceName
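| extend Configuration = case(
    ConfigurationId == "scid-2051", "TurnOnAppGuardManagedMode",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
// Keep only devices counted as NonCompliant in the summary query,
// so devices where the control is not applicable are not listed
| where Result == "BAD"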
| join kind=leftouter DeviceTvmSecureConfigurationAssessmentKB
on $left.ConfigurationId == $right.ConfigurationId
| project DeviceName, ConfigurationName, ConfigurationSubcategory, ConfigurationCategory
| sort by DeviceName, ConfigurationSubcategory
```
The first query retrieves the compliance status of the Application Guard configuration (`scid-2051`). It takes the latest assessment per device, counts the compliant, non-compliant, and not applicable devices per configuration, and calculates the percentage of compliant devices out of all assessed devices, including those where the control is not applicable. The results are sorted by configuration subcategory.
The second query retrieves the details of non-compliant devices for the Application Guard configuration. It joins the results with `DeviceTvmSecureConfigurationAssessmentKB` to add the configuration name, subcategory, and category. The results are sorted by device name and configuration subcategory.

Alex Verboon
Released: September 19, 2023