Windows Server - Missing Security Updates
MDE Windows Server Missing Security Updates
Query
DeviceTvmSoftwareVulnerabilities
| where SoftwareName startswith 'windows_server'
| where isnotempty(RecommendedSecurityUpdate)
| distinct DeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
| join kind=leftouter (
DeviceInfo
| where isnotempty(OSPlatform)
| where OnboardingStatus == 'Onboarded'
| where isnotempty(OSVersionInfo)
| summarize arg_max(Timestamp, *) by DeviceId)
on $left.DeviceId == $right.DeviceId
| summarize MissingDevices = make_set(DeviceName) by SoftwareName, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, OSVersionInfo, OSDistribution
| extend TotalMissingKBDevice = array_length(MissingDevices)
| project ['Bulletin'] = RecommendedSecurityUpdate, ['ID'] = RecommendedSecurityUpdateId, ['Total Exposed devices'] = TotalMissingKBDevice, ['Exposed devices'] = MissingDevices, OSVersionInfo, OSDistribution
// | where OSDistribution == @"WindowsServer2019"About this query
Windows Server - Missing Security Updates
Query Information
Description
The below query provides an overview of missing security updates for Windows Server devices
References
Microsoft 365 Defender
Overview Missing KBs Windows Server
Details missing KBs Windows Server
DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor == 'microsoft'
| where SoftwareName startswith 'windows_server'
| where isnotempty(RecommendedSecurityUpdate)
| distinct DeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
| join kind=leftouter (
DeviceInfo
| where isnotempty(OSPlatform)
| where OnboardingStatus == 'Onboarded'
| where isnotempty(OSVersionInfo)
| summarize arg_max(Timestamp, *) by DeviceId)
on $left.DeviceId == $right.DeviceId
| summarize MissingKBs = make_set(RecommendedSecurityUpdate) by DeviceName
| extend TotalMissingKB = array_length(MissingKBs)
Explanation
The query provides an overview of missing security updates for Windows Server devices. It retrieves information about the recommended security updates that are missing on each device, including the update name, ID, and the number of devices that are exposed to the missing update. It also includes details about the operating system version and distribution. The query can be filtered to focus on a specific Windows Server version if needed.
Details

Alex Verboon
Released: June 10, 2023
Tables
DeviceTvmSoftwareVulnerabilitiesDeviceInfo
Keywords
Keywords: Windows ServerMissing Security UpdatesQueryDescriptionReferencesMicrosoft 365 DefenderOverviewDeviceTvmSoftwareVulnerabilitieswherestartswithisnotemptydistinctDeviceIdRecommendedSecurityUpdateRecommendedSecurityUpdateIdSoftwareNamejoinkindleftouterDeviceInfoOnboardingStatusOSVersionInfosummarizearg_maxTimestampbyOSDistributionextendTotalMissingKBDeviceprojectBulletinIDTotal Exposed devicesExposed devicesSoftwareVendorMissingKBsDeviceNameTotalMissingKB.
Operators
|whereisnotemptydistinctjoinkind=leftoutersummarizearg_maxbyextendproject