Windows Recent Devices Missing Full Scan
Query
// All credit goes to Felix Brand - Taken from his post (https://www.linkedin.com/posts/felix-brand_defenderxdr-kql-microsoft-activity-7228749401849040896-0sNk)
// Microsoft now recommends (https://lnkd.in/ewBryvhF) to have one initial full scan when you onboard your system into MDE. But MDE does not trigger a full scan after onboarding, this KQL query combined with a custom detection rule can trigger a scan.
// Once a scan is completed on an endpoint, it will not appear in this query again.
let AvModeDescription = dynamic({"0":"Normal", "1":"Passive", "4":"EDR Block"});
let TimeRange = ago(1d);
DeviceTvmInfoGathering
| where Timestamp > TimeRange
| extend AdditionalFields = parse_json(AdditionalFields)
| extend AvMode = tostring(AvModeDescription[tostring(AdditionalFields.["AvMode"])])
| extend FullScanStatus = coalesce(extractjson("$.Full.ScanStatus", tostring(AdditionalFields.AvScanResults)),"Not available")
| where isnotempty( AvMode ) and AvMode has "Normal"
| where FullScanStatus !has "Completed"
| join DeviceEvents on DeviceName
| summarize arg_max(Timestamp, *) by DeviceName, DeviceId
| project DeviceName, DeviceId, FullScanStatus, ReportId, Timestamp
| take 50Explanation
This KQL query is designed to identify devices that have not completed a full antivirus scan after being onboarded into Microsoft Defender for Endpoint (MDE). Here's a simplified breakdown of what the query does:
-
Define Descriptions: It sets up a mapping for antivirus modes, translating numeric codes to human-readable descriptions like "Normal," "Passive," and "EDR Block."
-
Set Time Range: It looks at data from the past day (
ago(1d)). -
Filter Data: The query pulls data from
DeviceTvmInfoGathering, focusing on records where:- The antivirus mode is "Normal."
- The full scan status is not "Completed."
-
Join with Device Events: It combines this data with
DeviceEventsbased on the device name to gather more information. -
Summarize and Select: It selects the most recent record for each device and extracts relevant fields like device name, device ID, full scan status, report ID, and timestamp.
-
Limit Results: Finally, it limits the output to 50 devices.
In essence, this query helps identify up to 50 devices that need a full antivirus scan because they haven't completed one yet, which is important for maintaining security after onboarding into MDE.
Details

Nathan Hutchinson
Released: February 12, 2026
Tables
Keywords
Operators