Query Details

Windows 10 - Missing Security Updates

MDE Windows 10 Missing Security Updates

Query

DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor == 'microsoft'
| where SoftwareName == 'windows_10'
| where isnotempty(RecommendedSecurityUpdate)
| distinct DeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
| join kind=leftouter (
    DeviceInfo
    | where isnotempty(OSPlatform)
    | where OnboardingStatus == 'Onboarded'
    | where isnotempty(OSVersionInfo)
    | summarize arg_max(Timestamp, *) by DeviceId)
    on $left.DeviceId == $right.DeviceId
| summarize MissingDevices = make_set(DeviceName) by SoftwareName, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, OSVersionInfo
| extend TotalMissingKBDevice = array_length(MissingDevices)
| project ['Bulletin'] = RecommendedSecurityUpdate, ['ID'] = RecommendedSecurityUpdateId, ['Total Exposed devices'] = TotalMissingKBDevice, ['Exposed devices'] = MissingDevices, OSVersionInfo

About this query

Windows 10 - Missing Security Updates

Query Information

Description

The below query provides an overview of missing security updates for Windows 10 devices

References

Microsoft 365 Defender

Overview Missing KBs Windows 10

Details missing KBs Windows 10

DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor == 'microsoft'
| where SoftwareName == 'windows_10'
| where isnotempty(RecommendedSecurityUpdate)
| distinct DeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
| join kind=leftouter (
    DeviceInfo
    | where isnotempty(OSPlatform)
    | where OnboardingStatus == 'Onboarded'
    | where isnotempty(OSVersionInfo)
    | summarize arg_max(Timestamp, *) by DeviceId)
    on $left.DeviceId == $right.DeviceId
| summarize MissingKBs = make_set(RecommendedSecurityUpdate) by DeviceName
| extend TotalMissingKB = array_length(MissingKBs)

Explanation

This KQL query is designed to identify Windows 10 devices that are missing security updates. It consists of two parts:

  1. Overview of Missing Security Updates:

    • The query starts by filtering data to focus on vulnerabilities related to Microsoft Windows 10. - It identifies devices that have recommended security updates but haven't installed them yet.
    • The query then joins this information with device details to ensure the devices are onboarded and have valid OS version information.
    • It summarizes the data to show which security updates (identified by their IDs) are missing across devices, along with the operating system version.
    • The result includes the total number of devices missing each update and lists the specific devices affected.
  2. Details of Missing Security Updates:

    • Similar to the first part, this query also filters for Windows 10 devices with missing security updates.
    • It joins with device information to ensure the devices are onboarded.
    • Instead of summarizing by update, it summarizes by device, showing which updates are missing on each device.
    • The result includes the total number of missing updates for each device.

In simple terms, these queries help identify which Windows 10 devices need specific security updates and provide an overview of how widespread the issue is across the network.

Details

Alex Verboon profile picture

Alex Verboon

Released: February 5, 2025

Tables

DeviceTvmSoftwareVulnerabilitiesDeviceInfo

Keywords

DeviceTvmSoftwareVulnerabilitiesInfoNameIdVendorRecommendedSecurityUpdateOSPlatformOnboardingStatusVersionTimestampMissingDevicesKBsTotalKB

Operators

whereisnotemptydistinctjoinkind=leftoutersummarizearg_maxonmake_setextendarray_lengthproject

Actions

GitHub