Defender for Endpoint - Device Inventory - Windows LTSC devices
MDE Windows 10 LTSC Inventory
Query
DeviceTvmInfoGathering
| extend AF = parse_json(AdditionalFields)
| evaluate bag_unpack(AF)
| where IsWindowsLtscVersionRunning == @"true"About this query
Explanation
The query is used to identify Windows 10 LTSC (Long-Term Servicing Channel) devices within the MDE (Microsoft Defender for Endpoint) inventory. It retrieves information from the DeviceTvmInfoGathering and DeviceInfo tables and filters the results based on the IsWindowsLtscVersionRunning field. The query also includes additional fields such as DeviceId, DeviceName, OSArchitecture, OSPlatform, OSBuild, OSVersionInfo, OSVersion, JoinType, and MachineGroup.
Details

Alex Verboon
Released: June 4, 2023
Tables
DeviceTvmInfoGatheringDeviceInfo
Keywords
DevicesIntuneUserDefender for EndpointDevice InventoryWindows LTSC devices
Operators
extendevaluatewhereparse_jsonbag_unpacksummarizebyprojectisnotemptyjoinoniffTimestampDeviceIdDeviceNameIsLtscOSArchitectureOSPlatformOSBuildOSVersionInfoOSVersionJoinTypeMachineGroup