Query Details

Windows Server - Missing Security Updates

MDE Windows Server Missing Security Updates

Query

DeviceTvmSoftwareVulnerabilities
| where SoftwareName startswith 'windows_server'
| where isnotempty(RecommendedSecurityUpdate)
| distinct DeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
| join kind=leftouter (
    DeviceInfo
    | where isnotempty(OSPlatform)
    | where OnboardingStatus == 'Onboarded'
    | where isnotempty(OSVersionInfo)
    | summarize arg_max(Timestamp, *) by DeviceId)
    on $left.DeviceId == $right.DeviceId
| summarize MissingDevices = make_set(DeviceName) by SoftwareName, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, OSVersionInfo, OSDistribution
| extend TotalMissingKBDevice = array_length(MissingDevices)
| project ['Bulletin'] = RecommendedSecurityUpdate, ['ID'] = RecommendedSecurityUpdateId, ['Total Exposed devices'] = TotalMissingKBDevice, ['Exposed devices'] = MissingDevices, OSVersionInfo, OSDistribution
// | where OSDistribution == @"WindowsServer2019"

About this query

Windows Server - Missing Security Updates

Query Information

Description

The below query provides an overview of missing security updates for Windows Server devices

References

Microsoft 365 Defender

Overview Missing KBs Windows Server

Details missing KBs Windows Server

DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor == 'microsoft'
| where SoftwareName startswith 'windows_server'
| where isnotempty(RecommendedSecurityUpdate)
| distinct DeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
| join kind=leftouter (
    DeviceInfo
    | where isnotempty(OSPlatform)
    | where OnboardingStatus == 'Onboarded'
    | where isnotempty(OSVersionInfo)
    | summarize arg_max(Timestamp, *) by DeviceId)
    on $left.DeviceId == $right.DeviceId
| summarize MissingKBs = make_set(RecommendedSecurityUpdate) by DeviceName
| extend TotalMissingKB = array_length(MissingKBs)

Explanation

The query provides an overview of missing security updates for Windows Server devices. It retrieves information about the recommended security updates that are missing on each device, including the update name, ID, and the number of devices that are exposed to the missing update. It also includes details about the operating system version and distribution. The query can be filtered to focus on a specific Windows Server version if needed.

Details

Alex Verboon profile picture

Alex Verboon

Released: June 10, 2023

Tables

DeviceTvmSoftwareVulnerabilitiesDeviceInfo

Keywords

Keywords: Windows ServerMissing Security UpdatesQueryDescriptionReferencesMicrosoft 365 DefenderOverviewDeviceTvmSoftwareVulnerabilitieswherestartswithisnotemptydistinctDeviceIdRecommendedSecurityUpdateRecommendedSecurityUpdateIdSoftwareNamejoinkindleftouterDeviceInfoOnboardingStatusOSVersionInfosummarizearg_maxTimestampbyOSDistributionextendTotalMissingKBDeviceprojectBulletinIDTotal Exposed devicesExposed devicesSoftwareVendorMissingKBsDeviceNameTotalMissingKB.

Operators

|whereisnotemptydistinctjoinkind=leftoutersummarizearg_maxbyextendproject

Actions

GitHub