Query

# MDE - TVM - Security Configuration - Credential Guard

## Query Information

Use the queries below to retrieve Credential Guard configuration compliance (TVM security control `scid-2080`): the first summarizes compliance across all devices, the second lists the devices that are non-compliant.

### References

### Microsoft 365 Defender

```kql
// Security Controls - Credential Guard - Compliance Summary
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-2080")
// keep only the most recent assessment per device and configuration
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId, DeviceName
| extend Configuration = case(
    ConfigurationId == "scid-2080", "TurnOnCredGuard",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
// count distinct devices per result; the column alias goes outside the function call
| summarize Compliant = toint(dcountif(DeviceId, Result == "GOOD")),
            NonCompliant = toint(dcountif(DeviceId, Result == "BAD")),
            NotApplicable = toint(dcountif(DeviceId, Result == "N/A")) by Configuration, ConfigurationId
| join DeviceTvmSecureConfigurationAssessmentKB
on $left.ConfigurationId == $right.ConfigurationId
| extend TotalDevices = toint(Compliant + NonCompliant + NotApplicable)
// percentage is relative to all devices, including those where the control is not applicable
| extend PctCompliant = toint((Compliant * 100) / TotalDevices)
| project ConfigurationName, ConfigurationSubcategory, Compliant, NonCompliant, NotApplicable, TotalDevices, PctCompliant, ConfigurationDescription, ConfigurationCategory, RiskDescription
| sort by ConfigurationSubcategory
// | summarize by ConfigurationName, TotalDevices, Compliant, NonCompliant
// | render columnchart with(kind=stacked100)
```

```kql
// Security Controls - Credential Guard - Non-Compliance Details
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-2080")
// keep only the most recent assessment per device and configuration
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId, DeviceName
| extend Configuration = case(
    ConfigurationId == "scid-2080", "TurnOnCredGuard",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
// keep only devices where the control applies and is not compliant
| where Result == "BAD"
| join kind=leftouter DeviceTvmSecureConfigurationAssessmentKB
on $left.ConfigurationId == $right.ConfigurationId
| project DeviceName, ConfigurationName, ConfigurationSubcategory, ConfigurationCategory
| sort by DeviceName, ConfigurationSubcategory, ConfigurationName
```

Explanation

The first query retrieves the compliance status of the Credential Guard configuration. It keeps the latest assessment per device, summarizes by Configuration and ConfigurationId, and counts the compliant, non-compliant, and not-applicable devices. It then joins the knowledge-base table for the configuration name, category and risk description, and calculates the percentage of compliant devices against the total of all three groups (devices where the control is not applicable are included in the denominator). The results are sorted by ConfigurationSubcategory.

The second query retrieves the details of non-compliant devices for the Credential Guard configuration. It filters for devices where the control is applicable but not compliant and joins (left outer) with the additional information from DeviceTvmSecureConfigurationAssessmentKB. The results are sorted by DeviceName, ConfigurationSubcategory, and ConfigurationName.

Details

Alex Verboon

Released: September 19, 2023

Tables

DeviceTvmSecureConfigurationAssessment, DeviceTvmSecureConfigurationAssessmentKB

Keywords

DeviceTvmSecureConfigurationAssessment, ConfigurationId, DeviceId, DeviceName, Configuration, Result, IsApplicable, IsCompliant, Compliant, NonCompliant, NotApplicable, ConfigurationName, ConfigurationSubcategory, ConfigurationDescription, ConfigurationCategory, RiskDescription, TotalDevices, PctCompliant, DeviceTvmSecureConfigurationAssessmentKB

Operators

DeviceTvmSecureConfigurationAssessment, where, summarize, arg_max, by, extend, case, dcountif, toint, join, on, project, sort
