This week is basically a follow-up on an earlier post about Advanced Analytics. At that time, it was all still in preview and still listening to the name of Advanced Endpoint Analytics. Advanced Analytics is also one of the latest additions to the Microsoft Intune Suite and it builds on top of those earlier previewed functionalities. On top of those features from the preview, Microsoft now also added Battery Health and Device query to the mix of features of Advanced Analytics. Even more insights and more options to actual query devices for information. Battery Health is a report that provides insights into the health of the batteries of the devices within the environment and how it influences the user experience. An interesting report, for even more insights about the devices. Device query on the other hand, brings something a lot more interactive to the table. That provides IT administrators with the ability to real-time query devices within the environment. And that makes it really interesting to look at. This post will start with an introduction of Device query, followed with a closer look at the Intune data platform.
Note: At the moment of writing Device query can only be used per device, but that might change in the future.
Introducing Device query
For those being familiar with Configuration Manager, the functionality provided by Device query might also look familiar. With CMPivot, Configuration Manager already provided the ability to real-time query devices. With Device query, Microsoft Intune now gets its first iteration of that functionality. First iteration, as it currently only provides the ability to perform real-time queries per device. That does provide a good feeling about how powerful it might become in the future. Device query provides IT administrators with a feature to quickly gain real-time information about the devices within the environment. That can be achieved by using Kusto Query Language (KQL) queries. Even more reasons, to start understanding KQL. Device query will run the specified KQL query in real-time on the selected device. The returned data can be used for further analysis of security threats, or with troubleshooting.
When looking at using Device query, the steps are actually pretty straight forward. The following steps will walk through the process of running Device query for a specific Windows device.
- Open the Microsoft Intune admin center portal and navigate to Devices > Windows
- On the Windows | Windows devices page, as shown in Figure 1, select the specific device and navigate to Device query.
Note: At the moment of writing Device query is supported on corporate-owned Windows 10 or later devices.
Understanding the Intune data platform schema
The Intune data platform schema contains an overview of the data that is available to query via Device query. That data can be filtered, grouped and refined. Similar to how an IT administrator would use KQL queries to hunt for threats, an IT administrator can now search for answers to specific questions. Those questions can be business related when looking for device information, but can also be related to troubleshooting when looking for specific certificates. All of that can be achieved remotely. So, the IT administrator becomes less dependent on the availability of the user to perform research.
At this moment the following entities are available and can be queried. For each of those entities there will be an example query available with the projection of a few important properties. Besides that, a filter is added when there are many results and a short explanation is added when the example query is not that straight forward.
- BiosInfo – This entity retrieves basic information about the BIOS of the device.
| project Manufacturer, ReleaseDateTime, SerialNumber, SmBiosVersion
- Certificate – This entity retrieves information about the installed certificates for the computer.
| where CommonName startswith 'Microsoft Intune'
| project CommonName, ValidToDateTime, SelfSigned, SigningAlgorithm, KeyStrength
- Cpu – This entity retrieves information about the CPU of the device.
| project ProcessorId, CurrentClockSpeed, MaxClockSpeed, CpuStatus
- DiskDrive – This entity retrieves information about the physical drives of the device.
| project DriveId, Manufacturer, Manufacturer, DiskName, SerialNumber, SizeBytes
- EncryptableVolume – This entity retrieves information about the encryptable volume status of the device.
| project WindowsDriveLetter, PersistentVolumeId, ProtectionStatus, EncryptionMethod, EncryptionPercentage
- FileInfo – This entity retrieves information about the specified file or files under the specified directory on the device.
| project Path, Directory, FileName, SizeBytes, LastModifiedDateTime, Attributes
Note: The FileInfo entity takes any path with, or without, a specific file, as input to retrieve information.
- LocalGroup – This entity retrieves information about the local groups on the device.
| project GroupId, GroupName, WindowsSid
- LocalUserAccount – This entity retrieves information about the local user accounts on the device.
| project UserId, Username, HomeDirectory, WindowsSid
- LogicalDrive – This entity retrieves information about the logical drives of the device.
| project DriveIdentifier, DriveType, FileSystem, DiskSizeBytes, FreeSpaceBytes
- MemoryInfo – This entity retrieves information about the memory of the device.
| project PhysicalMemoryTotalBytes, PhysicalMemoryFreeBytes, VirtualMemoryTotalBytes, VirtualMemoryFreeBytes
- OsVersion – This entity retrieves information about the operating system version of the device.
| project OsName, OsVersion, BuildVersion, Architecture, InstallDateTime
- Process – This entity retrieves information about the running process on the device.
| where OnDisk == true
| project ProcessName, Path, WorkingSetSizeBytes, OnDisk
- SystemEnclosure – This entity retrieves information about the chassis and security status of the device.
| project SerialNumber, ChassisTypes, SecurityBreach, BreachDescription
- SystemInfo – This entity retrieves system information of the device.
| project ComputerName, ProcessorArchitecture, PhysicalProcessorCount, HardwareManufacturer, HardwareModel
- Tpm – This entity retrieves information about the TPM of the device.
| project ProductName, Manufacturer, SpecVersion, Owned, Enabled, Activated
- WindowsAppCrashEvent – This entity retrieves information about app crashes from the Application log on the device.
| project AppName, AppVersion, LoggedDateTime, WindowsUserAccount
- WindowsDriver – This entity retrieves information about in-use Windows device drivers on the device.
| where Signed != true
| project DriverDeviceId, FriendlyName, DriverDescription, InfName, Class, BuildDate
- WindowsEvent – This entity retrieves information from the specified information from specified log on the device.
| where tostring(EventId) == '19'
| project EventId, LoggedDateTime, LogName, Message, ProviderName, WindowsUserAccount
Note: The WindowsEvent entity takes any Event log and a specified timeframe in days, as input to retrieve information.
- WindowsQfe – This entity retrieves information about security updates on the device.
| project ComputerName, HotFixId, QfeDescription, Caption, InstalledDate
- WindowsRegistry – This entity retrieves information about the registry under the specified registry key.
| project RegistryKey, ValueName, ValueType, ValueData
Note: The WindowsRegistry entity takes any registry key, as input to retrieve information. This search, however, currently automatically refers to the wow6432node in the registry. Hence the results of the example query.
- WindowsService – This entity retrieves information about the installed Windows services on the device.
| where StartMode == 'AUTO' and State != 'RUNNING'
| project ServiceName, DisplayName, StartMode, State, WindowsUserAccount
For more information about the Intune Suite add-on capabilities and Enterprise App Management, refer to the following docs.