Advanced Hunting queries for vulnerability management
While Microsoft Defender for Endpoint's built-in Vulnerability Management reports and dashboards are OK, they are difficult to operationalise: it takes a lot of clicks to get from identifying an issue to knowing who to email.
Thankfully, all the data is available through Advanced Hunting queries, so it's possible (almost easy) to get what you need. The following are a subset of queries that I've used to find specific issues.
Last reboot time
Defender for Endpoint doesn't have an event or column that shows when the device was last rebooted. However, we can approximate it: the creation time of PID 4 (the System process) is effectively the boot time, and the most recent DeviceEvent initiated by that process shows the device was still up at that point:
DeviceEvents
// TimeGenerated is the Microsoft Sentinel column name; in the Defender portal use Timestamp instead
| where TimeGenerated > ago(7d) and InitiatingProcessId == 4
| summarize max(TimeGenerated) by DeviceId, DeviceName, InitiatingProcessCreationTime
| sort by InitiatingProcessCreationTime asc
| project-rename StartTime=InitiatingProcessCreationTime, ApproximateEndTime=max_TimeGenerated
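As an added example (not from the original post), the same PID 4 trick turned into a who-to-email list: devices whose most recent boot is older than a patch cycle, joined to the last Entra ID user with the same DeviceLogonEvents lookup the other queries use. The 14-day threshold, the 1-day "still reporting" cutoff and the use of the Timestamp column (the Defender portal name) are assumptions.

```kql
// Added example: devices that have not rebooted within a patch cycle, and who to email about it
let MaxUptime = 14d;   // assumption: your patch/reboot SLA
DeviceEvents
| where Timestamp > ago(7d) and InitiatingProcessId == 4
// One row per boot: PID 4's creation time is the boot time, the last event shows the device was still up
| summarize LastSeen = max(Timestamp) by DeviceId, DeviceName, BootTime = InitiatingProcessCreationTime
// A device that rebooted inside the window has several boots; keep only the latest one
| summarize arg_max(BootTime, *) by DeviceId
| where LastSeen > ago(1d)          // assumption: ignore devices that stopped reporting
| where BootTime < ago(MaxUptime)
| extend UptimeDays = datetime_diff('day', now(), BootTime)
// Most recent Entra ID user to sign in to the device
| join kind=leftouter (
    DeviceLogonEvents
    | where AccountDomain == "azuread" and AccountName has "@"
    | summarize arg_max(Timestamp, *) by DeviceId
    | project DeviceId, AccountName
) on DeviceId
| project DeviceId, DeviceName, BootTime, UptimeDays, LastSeen, AccountName
| sort by UptimeDays desc
```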
Zoom user-mode installs
When users launch a Zoom meeting, the default behaviour for Zoom is to download and prompt the user to run the user-mode installer.
If the user isn't a regular Zoom user, the software will sit on their device and never update itself.
This query will look for devices that have an older Zoom user-mode install, and find its Entra Device ID so that we can add it to an Update or Uninstall group:
DeviceTvmSoftwareInventory
| where OSPlatform startswith "Windows"
| where SoftwareVendor =~ "zoom" and SoftwareName =~ "meetings"
// Update this with the latest few versions from https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0061222
| where SoftwareVersion !in (
    "6.5.7509.0", // 2025-06-30
    "6.5.6476.0", // 2025-06-23
    "6.5.6118.0" // 2025-06-17
)
// Keep only user-mode installs: evidence under HKEY_USERS (a per-user registry hive) seen in the last 7 days
| join (
    DeviceTvmSoftwareEvidenceBeta
    | where SoftwareVendor =~ "zoom" and SoftwareName =~ "meetings" and RegistryPaths startswith "[\"HKEY_USERS"
    | where todatetime(LastSeenTime) > ago(7d)
) on DeviceId
// How often the per-user zoom.exe (under AppData) actually ran in the last 30 days; no match means it is unused
| join kind=leftouter (
    DeviceProcessEvents
    | where FileName =~ "zoom.exe" and FolderPath contains "AppData" and Timestamp > ago(30d)
    | summarize count() by DeviceId, FileName, FolderPath
    | project-rename execution_count=count_
) on DeviceId
| summarize sum(execution_count) by DeviceId, SoftwareVersion, LastSeenTime, tostring(RegistryPaths)
// Most recent Entra ID user to sign in to the device
| join kind=leftouter (
    DeviceLogonEvents
    | where AccountDomain == "azuread" and AccountName has "@"
    | summarize arg_max(Timestamp, *) by DeviceId
    | project DeviceId, DeviceName, AccountName
) on DeviceId
// Entra Device ID, needed to add the device to an Update or Uninstall group
| join kind=leftouter (
    DeviceInfo
    | summarize arg_max(Timestamp, *) by DeviceId
    | project DeviceId, AadDeviceId
) on $left.DeviceId == $right.DeviceId
// Directory details so the output says who to contact
| join kind=leftouter (
    IdentityInfo
    | where AccountDomain != ""
    | summarize arg_max(Timestamp, *) by AccountUpn
    | project AccountUpn, AccountDisplayName, Department, JobTitle, EmailAddress, Country, GivenName
) on $left.AccountName == $right.AccountUpn
| project DeviceId, DeviceName, AadDeviceId, AccountName, GivenName, EmailAddress, SoftwareVersion, sum_execution_count, LastSeenTime, RegistryPaths
| sort by sum_execution_count asc, SoftwareVersion asc
// Installs that still get run are updated; unused ones (no executions, or null from the leftouter join) are uninstalled
| extend cmd = iff(AadDeviceId != "", iff(sum_execution_count > 0, strcat("add_zoom_update ", DeviceName, " ", AadDeviceId), strcat("add_zoom_uninstall ", DeviceName, " ", AadDeviceId)), "")
Microsoft Defender Application Guard usage
Microsoft Defender Application Guard (aka MDAG or WDAG) has been deprecated, so now is the time to start a managed removal.
To find the users who have used Microsoft Defender Application Guard in the last 30 days:
DeviceFileEvents
| where Timestamp > ago(30d)
// Files written under the Edge Application Guard profile indicate the container was used
| where FolderPath contains @"\AppData\Local\Microsoft\Edge\User Data\Application Guard\User Data\Default\Extensions\Temp\"
| summarize min(Timestamp), max(Timestamp) by DeviceId
// Most recent Entra ID user to sign in to the device
| join kind=leftouter (
    DeviceLogonEvents
    | where AccountDomain == "azuread" and AccountName has "@"
    | summarize arg_max(Timestamp, *) by DeviceId
    | project DeviceId, DeviceName, AccountName
) on DeviceId
| project DeviceId, DeviceName, AccountName, min_Timestamp, max_Timestamp