Query Details

Windows 10 - Missing Security Updates - Windows 11

MDE Windows 11 Missing Security Updates

Query

DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor == 'microsoft'
| where SoftwareName == 'windows_11'
| where isnotempty(RecommendedSecurityUpdate)
| distinct DeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
| join kind=leftouter (
    DeviceInfo
    | where isnotempty(OSPlatform)
    | where OnboardingStatus == 'Onboarded'
    | where isnotempty(OSVersionInfo)
    | summarize arg_max(Timestamp, *) by DeviceId)
    on $left.DeviceId == $right.DeviceId
| summarize MissingDevices = make_set(DeviceName) by SoftwareName, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, OSVersionInfo
| extend TotalMissingKBDevice = array_length(MissingDevices)
| project ['Bulletin'] = RecommendedSecurityUpdate, ['ID'] = RecommendedSecurityUpdateId, ['Total Exposed devices'] = TotalMissingKBDevice, ['Exposed devices'] = MissingDevices, OSVersionInfo

About this query

Windows 10 - Missing Security Updates - Windows 11

Query Information

Description

The below query provides an overview of missing security updates for Windows 11 devices

References

Microsoft 365 Defender

Overview Missing KBs Windows 11

Details missing KBs Windows 11

DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor == 'microsoft'
| where SoftwareName == 'windows_11'
| where isnotempty(RecommendedSecurityUpdate)
| distinct DeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
| join kind=leftouter (
    DeviceInfo
    | where isnotempty(OSPlatform)
    | where OnboardingStatus == 'Onboarded'
    | where isnotempty(OSVersionInfo)
    | summarize arg_max(Timestamp, *) by DeviceId)
    on $left.DeviceId == $right.DeviceId
| summarize MissingKBs = make_set(RecommendedSecurityUpdate) by DeviceName
| extend TotalMissingKB = array_length(MissingKBs)

Explanation

This query is designed to identify and summarize missing security updates for devices running Windows 11. Here's a simple breakdown of what each part of the query does:

  1. Data Source: The query pulls data from two tables: DeviceTvmSoftwareVulnerabilities and DeviceInfo.

  2. Filter Criteria:

    • It filters for vulnerabilities related to Microsoft software specifically for Windows 11. - It looks for entries where a recommended security update is available.
  3. Data Joining:

    • The query joins the vulnerability data with device information to ensure that only devices that are onboarded and have OS version information are considered.
  4. Distinct Entries:

    • It identifies unique combinations of devices and their recommended security updates.
  5. Summarization:

    • The first part of the query summarizes the data by listing the missing security updates (KBs) along with the devices that need them. It also counts how many devices are missing each update.
    • The second part of the query provides a detailed list of missing updates for each device.
  6. Output:

    • The first query outputs a summary table showing each security update (Bulletin), its ID, the total number of devices missing the update, the list of those devices, and their OS version.
    • The second query outputs a detailed list of missing updates for each device, along with the total number of missing updates per device.

In essence, this query helps administrators quickly identify which Windows 11 devices are missing critical security updates and provides details on the specific updates and affected devices.

Details

Alex Verboon profile picture

Alex Verboon

Released: February 5, 2025

Tables

DeviceTvmSoftwareVulnerabilitiesDeviceInfo

Keywords

DevicesSoftwareSecurityUpdatesWindowsMicrosoft

Operators

|whereisnotemptydistinctjoinkind=leftoutersummarizearg_maxon==make_setbyextendarray_lengthproject

Actions

GitHub