Microsoft just released Device query, which will be part of Intune Advanced Analytics (Intune Suite) and can be used to gain on-demand information about the state of our devices. When you enter a query on a selected device, Intune runs it in real time. Device query can be used for troubleshooting, investigating security threats, or anything else we need it for.
Why Intune Device query
Intune device query is a feature that allows you to run Kusto queries on devices managed by Intune and get real-time data on their state and configuration. This feature is part of the Intune Advanced Analytics suite, which also includes anomaly detection, device scopes, and the enhanced device timeline.
With Intune device query, you can troubleshoot device issues, check device compliance, collect custom inventory, and more. You use the Kusto Query Language to write queries that access various device properties, such as hardware specifications, software configuration, registry keys, and networking settings.
How to use Device query
In this case we assume the prerequisites for Device query are in place, such as an Intune Suite license.
Go to Devices | Device name | Device query
On the right side we can create the query; the properties table shows which data we can search for, such as BiosInfo Manufacturer.
The query language used here is KQL; best practices can be found in Best practices for Kusto Query Language queries – Azure Data Explorer & Real-Time Analytics | Microsoft Learn.
For example, if we want to find every local user, we could create the following query.
Device query find local users
| where WindowsSid contains 'S-1-5'
Or, for a more complex one, if we want to check the compliance of a device: whether its disk is encrypted, which TPM version it has, and whether the TPM is enabled.
Device query to find TPM and encryption
| join Tpm
| project WindowsDriveLetter, ProtectionStatus, EncryptionMethod, EncryptionPercentage, Activated, Enabled, SpecVersion, Manufacturer
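Building on the TPM and encryption query above, here is an added example (not from the original post) that turns the joined data into a finding we can act on: instead of projecting every row, it only returns rows where the volume is not fully encrypted or the TPM is not ready. The entity names EncryptableVolume and Tpm, the join without an on clause (the query runs against a single device, as in the query above), and the boolean/numeric types of Activated, Enabled and EncryptionPercentage are assumptions.

```kql
// Added example, not from the original post.
// Assumptions: the Intune device query entities are named EncryptableVolume
// and Tpm; a join without an "on" clause is accepted because the query runs
// against a single device; Activated and Enabled are booleans and
// EncryptionPercentage is a number.
EncryptableVolume
| join Tpm
// Classify each volume: first matching condition wins.
| extend Finding = case(
      EncryptionPercentage < 100, "volume not fully encrypted",
      Activated == false or Enabled == false, "TPM not activated or not enabled",
      "ok")
| project WindowsDriveLetter, ProtectionStatus, EncryptionMethod,
          EncryptionPercentage, SpecVersion, Manufacturer, Finding
// Only return volumes that need attention; an empty result means the
// device passes this check.
| where Finding != "ok"
```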
How does this work in the background
Our "Mister DLL" already figured it out; please have a look at Rudy Ooms' blog to read about it: https://call4cloud.nl/2024/02/device-query-a-mad-max-feature/
With Device query we have a tool to execute on-demand, real-time queries; with these we can troubleshoot devices with ease, or get real-time answers whenever we need anything from a device.