20+ Intune Device Queries to Level Up Your Device Management
Managing a fleet of devices is hard without the right tools. Microsoft Intune, a component of Microsoft Endpoint Manager, offers a robust device management solution that helps IT administrators keep control over their organization's devices. One of its most powerful features is Device Query, which lets you use the Kusto Query Language (KQL) to ask an enrolled device about its current state. This gives administrators a way to dig into device data and get answers that support better decisions and day-to-day operations. In this blog post, we'll look at how to use KQL with Intune Device Query to improve device management across your organization.
Why Use KQL with Intune?
KQL is the query language behind Azure Data Explorer and Azure Monitor, and Intune Device Query uses the same syntax to ask an individual enrolled Windows device about its current state. This is different from the Intune diagnostic-settings export to Azure Log Analytics, which reports historical management data: a device query is answered live by the device itself, so what you get back is the state of the machine right now. That covers BIOS and TPM details, running processes and services, installed updates, certificate stores and volume encryption status, which makes it useful for troubleshooting a single device, confirming that a configuration actually landed, and verifying a security control rather than trusting a compliance report alone.
Getting Started with KQL in Intune
Before diving into specific queries, make sure the feature is available to you. Device Query is part of Microsoft Intune Advanced Analytics, which is licensed through the Intune Suite or as a separate add-on, and it runs against one device at a time from the Intune admin center: open the device, select Device query, enter your KQL and run it. The query is sent to the device, which must be online, and the results are returned to the console; no Log Analytics workspace is involved. Two practical notes: KQL entity and column names are case-sensitive, so copy the names in the queries below exactly, and because the results expose local account names, process command lines and file metadata, running device queries is gated by its own Intune RBAC permission and should be limited to the roles that need it.
Key Queries for Device Management
Below are several key queries that can be utilized to extract valuable information from your device fleet. These queries serve as a starting point and can be customized further to suit your specific requirements.
Get BIOS Information
BiosInfo
| project Manufacturer, ReleaseDateTime, SerialNumber, SmBiosVersion
List Installed Certificates
Certificate
| project SubjectName, Issuer, CommonName, ValidFromDateTime, ValidToDateTime, KeyUsage
Retrieve CPU Details
Cpu
| project Model, Manufacturer, ProcessorType, CoreCount, CurrentClockSpeed
Check Disk Drive Information
DiskDrive
| project DriveId, Model, SizeBytes, Manufacturer, InterfaceType
Encryptable Volume Status
EncryptableVolume
| project VolumeId, WindowsDriveLetter, ProtectionStatus, EncryptionMethod
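The EncryptableVolume entity is the quickest way to check BitLocker on a single device. The following query is an added example, not from the original post: it filters down to volumes that are not protected, so an empty result is the healthy case. It assumes ProtectionStatus reports the value "Protected" for an encrypted volume with protection on; if your tenant returns a different value name, adjust the comparison after running the unfiltered query once.

```kql
// Added example: list volumes that are not protected by BitLocker.
// Assumption: ProtectionStatus == "Protected" marks an encrypted volume with protectors enabled.
// An empty result means every encryptable volume on the device is protected.
EncryptableVolume
| where ProtectionStatus != "Protected"
| project VolumeId, WindowsDriveLetter, ProtectionStatus, EncryptionMethod
| order by WindowsDriveLetter asc
```

Run the unfiltered version first on a known-good device to confirm the value names before relying on the filter.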
Retrieve File Information
FileInfo('C:\Windows\*')
| order by LastModifiedDateTime desc
FileInfo('C:\Windows\NOTEPAD.EXE')
| project FileName,FileVersion,ProductVersion
Local Group Names
LocalGroup
| project GroupId, GroupName
Local User Accounts
LocalUserAccount
| project Username, UserDescription, HomeDirectory
Logical Drive Details
LogicalDrive
| project DriveIdentifier, DriveType, FreeSpaceBytes, DiskSizeBytes
Memory Information
Memory
Operating System Version
OsVersion
| project OsName, OsVersion, MajorVersion, MinorVersion
Running Processes
Process
| project ProcessId, ProcessName, CommandLine
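Listing every process is rarely what you want during a triage; filtering on the command line is. The query below is an added example, not from the original post, and it uses only the Process columns shown above. It surfaces processes launched from user-writable locations (profile AppData, Temp, Downloads and the Public folder), which is where unsanctioned tools and malware are typically staged. The path fragments are assumptions about common Windows layouts, and contains is case-insensitive, so expect some benign hits from legitimate per-user installers.

```kql
// Added example: processes whose command line points at user-writable locations.
// The folder names are assumptions about a standard Windows layout; contains is case-insensitive.
Process
| where CommandLine contains "AppData"
    or CommandLine contains "Temp"
    or CommandLine contains "Downloads"
    or CommandLine contains "Users\\Public"
| project ProcessId, ProcessName, CommandLine
| order by ProcessName asc
```

Review the CommandLine column for each hit; a per-user install of a sanctioned updater is normal, a script interpreter reading from Temp usually is not.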
System Enclosure Details
SystemEnclosure
| project Manufacturer, Model, SecurityBreach, LockEquipped
System Information
SystemInfo
| project FqdnHostname, HardwareManufacturer, HardwareModel
TPM Status
Tpm
| project Activated, Enabled, Manufacturer, SpecVersion
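For a hardware security baseline you want to know not only that a TPM exists but that it is enabled and activated and that it is a 2.0 part. The following query is an added example, not from the original post. It assumes Activated and Enabled are booleans, as their names suggest, and that SpecVersion begins with the major version string (for example "2.0"); both are assumptions, so verify against the unfiltered Tpm output first.

```kql
// Added example: flag a TPM that is disabled, not activated, or older than spec 2.0.
// Assumptions: Activated/Enabled are booleans; SpecVersion starts with "2.0" on a TPM 2.0 device.
Tpm
| extend IsTpm2 = SpecVersion startswith "2.0"
| where Activated == false or Enabled == false or IsTpm2 == false
| project Activated, Enabled, Manufacturer, SpecVersion, IsTpm2
```

Run without the where clause on a known-good device to confirm the SpecVersion format before trusting the result across the fleet.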
Windows Application Crash Events
WindowsAppCrashEvent
| project AppName, AppVersion, LoggedDateTime
Windows Driver Information
WindowsDriver
| project FriendlyName, DriverVersion, ProviderName
Windows Event Logs
Windows Quality Fixes (QFEs)
WindowsQfe
| project HotFixId, Caption, InstalledDate
Windows Registry
WindowsRegistry('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\*')
Windows Services
WindowsService
| project ServiceName, DisplayName, State, StartMode
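A service that is configured to start automatically but is not running is a common root cause for failed compliance checks (for example an endpoint protection or management agent that crashed at boot). The query below is an added example, not from the original post. It assumes StartMode and State use the same value names as the Win32_Service class ("Auto" and "Running"); that is an assumption, not something the original page states.

```kql
// Added example: automatic-start services that are not currently running.
// Assumption: StartMode and State follow the Win32_Service value names "Auto" and "Running".
WindowsService
| where StartMode == "Auto" and State != "Running"
| project ServiceName, DisplayName, State, StartMode
| order by ServiceName asc
```

Some Windows services are legitimately Auto but stopped (trigger-started services, for example), so treat the list as a starting point for investigation rather than a defect list.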
In my opinion, this is also one of the most useful queries of the set.
Installed Applications
programs
| project name,version,publisher,uninstall_string,install_date
Enhancing Operational Efficiencies
Leveraging KQL within Intune for device queries not only simplifies the management of a diverse device ecosystem but also enhances operational efficiencies through:
- Proactive Issue Resolution: By identifying and addressing potential issues before they impact the end-user experience.
- Improved Compliance Posture: Ensuring devices adhere to organizational security policies and compliance standards.
- Streamlined Asset Management: Offering detailed insights into device configurations, software installations, and hardware lifecycle management.
Conclusion
Leveraging Intune Device Query transforms how organizations manage and secure device fleets. By harnessing the power of detailed queries, IT administrators can gain unprecedented insights into their devices, leading to improved security, compliance, and operational effectiveness. As the digital workspace continues to evolve, leveraging advanced querying capabilities will be key to staying ahead in managing and securing organizational assets effectively.