DeviceTvmSecureConfigurationAssessment
Applies to:
- Microsoft Defender XDR
- Microsoft Defender for Endpoint
Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration from Microsoft Defender Vulnerability Management. Use this reference to check the latest assessment results and determine whether devices are compliant.
You can join this table with the DeviceTvmSecureConfigurationAssessmentKB table using ConfigurationId so you can, for example, view the text description of the configuration from the ConfigurationDescription column of the DeviceTvmSecureConfigurationAssessmentKB table, in the configuration assessment results.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
| Column name | Data type | Description |
|---|---|---|
DeviceId |
string |
Unique identifier for the device in the service |
DeviceName |
string |
Fully qualified domain name (FQDN) of the device |
OSPlatform |
string |
Platform of the operating system running on the device. Indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, and Windows 7. |
Timestamp |
datetime |
Date and time when the record was generated |
ConfigurationId |
string |
Unique identifier for a specific configuration |
ConfigurationCategory |
string |
Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
ConfigurationSubcategory |
string |
Subcategory or subgrouping to which the configuration belongs. In many cases, string describes specific capabilities or features. |
ConfigurationImpact |
real |
Rated impact of the configuration to the overall configuration score (1-10) |
IsCompliant |
boolean |
Indicates whether the configuration or policy is properly configured |
IsApplicable |
boolean |
Indicates whether the configuration or policy applies to the device |
Context |
dynamic |
Additional contextual information about the configuration or policy |
IsExpectedUserImpact |
boolean |
Indicates whether there will be user impact if the configuration or policy is applied |
You can try this example query to return information on devices with non-compliant antivirus configurations along with the relevant configuration metadata from the DeviceTvmSecureConfigurationAssessmentKB table:
// Get information on devices with antivirus configurations issues
DeviceTvmSecureConfigurationAssessment
| where ConfigurationSubcategory == 'Antivirus' and IsApplicable == 1 and IsCompliant == 0
| join kind=leftouter (
DeviceTvmSecureConfigurationAssessmentKB
| project ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, Tags, ConfigurationImpact
) on ConfigurationId
| project DeviceName, OSPlatform, ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory, ConfigurationDescription, RiskDescription, ConfigurationImpact, Tags
Related topics
- Proactively hunt for threats
- Learn the query language
- Use shared queries
- Hunt across devices, emails, apps, and identities
- Understand the schema
- Apply query best practices
- Overview of Microsoft Defender Vulnerability Management
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for