Windows 10 - Missing Security Updates - Windows 11
MDE Windows 11 Missing Security Updates
Query
DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor == 'microsoft'
| where SoftwareName == 'windows_11'
| where isnotempty(RecommendedSecurityUpdate)
| distinct DeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
| join kind=leftouter (
DeviceInfo
| where isnotempty(OSPlatform)
| where OnboardingStatus == 'Onboarded'
| where isnotempty(OSVersionInfo)
| summarize arg_max(Timestamp, *) by DeviceId)
on $left.DeviceId == $right.DeviceId
| summarize MissingDevices = make_set(DeviceName) by SoftwareName, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, OSVersionInfo
| extend TotalMissingKBDevice = array_length(MissingDevices)
| project ['Bulletin'] = RecommendedSecurityUpdate, ['ID'] = RecommendedSecurityUpdateId, ['Total Exposed devices'] = TotalMissingKBDevice, ['Exposed devices'] = MissingDevices, OSVersionInfoAbout this query
Windows 10 - Missing Security Updates - Windows 11
Query Information
Description
The below query provides an overview of missing security updates for Windows 11 devices
References
Microsoft 365 Defender
Overview Missing KBs Windows 11
Details missing KBs Windows 11
DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor == 'microsoft'
| where SoftwareName == 'windows_11'
| where isnotempty(RecommendedSecurityUpdate)
| distinct DeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
| join kind=leftouter (
DeviceInfo
| where isnotempty(OSPlatform)
| where OnboardingStatus == 'Onboarded'
| where isnotempty(OSVersionInfo)
| summarize arg_max(Timestamp, *) by DeviceId)
on $left.DeviceId == $right.DeviceId
| summarize MissingKBs = make_set(RecommendedSecurityUpdate) by DeviceName
| extend TotalMissingKB = array_length(MissingKBs)
Explanation
This query is designed to identify and summarize missing security updates for devices running Windows 11. Here's a simple breakdown of what each part of the query does:
-
Data Source: The query pulls data from two tables:
DeviceTvmSoftwareVulnerabilitiesandDeviceInfo. -
Filter Criteria:
- It filters for vulnerabilities related to Microsoft software specifically for Windows 11. - It looks for entries where a recommended security update is available.
-
Data Joining:
- The query joins the vulnerability data with device information to ensure that only devices that are onboarded and have OS version information are considered.
-
Distinct Entries:
- It identifies unique combinations of devices and their recommended security updates.
-
Summarization:
- The first part of the query summarizes the data by listing the missing security updates (KBs) along with the devices that need them. It also counts how many devices are missing each update.
- The second part of the query provides a detailed list of missing updates for each device.
-
Output:
- The first query outputs a summary table showing each security update (Bulletin), its ID, the total number of devices missing the update, the list of those devices, and their OS version.
- The second query outputs a detailed list of missing updates for each device, along with the total number of missing updates per device.
In essence, this query helps administrators quickly identify which Windows 11 devices are missing critical security updates and provides details on the specific updates and affected devices.
Details

Alex Verboon
Released: February 5, 2025
Tables
Keywords
Operators