20+ Intune Device Queries to Level Up Your Device Management

As many of us know, managing a fleet of devices can be challenging without the right tools and techniques. Microsoft Intune, a component of Microsoft Endpoint Manager, offers a robust device management solution that helps IT Administrators maintain control over their organization's devices. One of the most powerful features within Intune is the ability to leverage the Kusto Query Language (KQL) for device queries. This capability enables administrators to delve deep into device data, offering insights that drive better decision-making and operational efficiencies. In this blog post, we'll explore how to leverage KQL with Intune Device Query to enhance device management across your organization.

Why Use KQL with Intune?

KQL, a rich language designed to query large datasets in Azure Monitor, also finds its application in querying device data ingested from Microsoft Intune into Azure Log Analytics. This integration opens up a plethora of opportunities for IT administrators to perform complex analyses and obtain detailed information about the state, health, and security of devices under management. From BIOS information to system encryption status, leveraging KQL allows you to tailor your queries to meet specific organizational needs, troubleshoot issues more effectively, and ensure compliance with security policies.

Getting Started with KQL in Intune

Before diving into specific queries, it's essential to ensure your Intune device data is being ingested into Azure Log Analytics. This process typically involves setting up Intune data export to Azure Monitor, a straightforward procedure detailed in Microsoft's documentation. Once set up, you can begin to explore the power of KQL for device management.

Key Queries for Device Management

Below are several key queries that can be utilized to extract valuable information from your device fleet. These queries serve as a starting point and can be customized further to suit your specific requirements.

Get BIOS Information

BiosInfo
| project Manufacturer, ReleaseDateTime, SerialNumber, SmBiosVersion

List Installed Certificates

Certificate
| project SubjectName, Issuer, CommonName, ValidFromDateTime, ValidToDateTime, KeyUsage

Retrieve CPU Details

Cpu
| project Model, Manufacturer, ProcessorType, CoreCount, CurrentClockSpeed

Check Disk Drive Information

DiskDrive
| project DriveId, Model, SizeBytes, Manufacturer, InterfaceType

Encryptable Volume Status

EncryptableVolume
| project VolumeId, WindowsDriveLetter, ProtectionStatus, EncryptionMethod

Retrieve File Information

FileInfo('C:\Windows\*')
| order by LastModifiedDateTime desc

FileInfo('C:\Windows\NOTEPAD.EXE')
| project FileName, FileVersion, ProductVersion

Local Group Names

LocalGroup
| project GroupId, GroupName

Local User Accounts

LocalUserAccount
| project Username, UserDescription, HomeDirectory

Logical Drive Details

LogicalDrive
| project DriveIdentifier, DriveType, FreeSpaceBytes, DiskSizeBytes

Memory Information

// The Memory entity holds the device's physical memory details; with no project clause all of its properties are returned
Memory

Operating System Version

OsVersion
| project OsName, OsVersion, MajorVersion, MinorVersion

Running Processes

Process
| project ProcessId, ProcessName, CommandLine

System Enclosure Details

SystemEnclosure
| project Manufacturer, Model, SecurityBreach, LockEquipped

System Information

SystemInfo
| project FqdnHostname, HardwareManufacturer, HardwareModel

TPM Status

Tpm
| project Activated, Enabled, Manufacturer, SpecVersion

Windows Application Crash Events

WindowsAppCrashEvent
| project AppName, AppVersion, LoggedDateTime

Windows Driver Information

WindowsDriver
| project FriendlyName, DriverVersion, ProviderName

Windows Event Logs

WindowsEvent('System', 7d)
| where tostring(EventId) == '19'

This query returns System log events with Event ID 19 (Windows Update installation successful) from the last 7 days. Change the event ID to look for any other event as needed.
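An added example that extends the query above (it is not from the original post): it pulls both successful (19) and failed (20) Windows Update installation events from the System log over the last 7 days and counts them by outcome, so a device that keeps failing an update stands out at a glance. It assumes that Event ID 20 is the WindowsUpdateClient installation failure event and that extend, summarize and order by are available in the device query KQL subset.

```kql
// Added example: count Windows Update installation outcomes over the last 7 days.
// Event ID 19 = installation successful (as in the query above).
// Event ID 20 = installation failure (WindowsUpdateClient) - assumption noted in the lead-in.
// Assumes the device query KQL subset supports extend, summarize and order by.
WindowsEvent('System', 7d)
| where tostring(EventId) == '19' or tostring(EventId) == '20'
| extend Outcome = iff(tostring(EventId) == '19', 'Installed', 'Failed')
| summarize Events = count() by Outcome
| order by Events desc
```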

Windows Quality Fixes (QFEs)

WindowsQfe
| project HotFixId, Caption, InstalledDate

Windows Registry

WindowsRegistry('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\*')

Windows Services

WindowsService
| project ServiceName, DisplayName, State, StartMode

Installed Applications

programs
| project name, version, publisher, uninstall_string, install_date

💡 This last one is not shown under available query properties in the Device Query blade, but I have tested it and confirm it works for me (and for Rudy Ooms, great article btw, see resources below).
I would also say this is one of the most useful queries in my opinion.

Enhancing Operational Efficiencies

Leveraging KQL within Intune for device queries not only simplifies the management of a diverse device ecosystem but also enhances operational efficiencies through:

  • Proactive Issue Resolution: By identifying and addressing potential issues before they impact the end-user experience.
  • Improved Compliance Posture: Ensuring devices adhere to organizational security policies and compliance standards.
  • Streamlined Asset Management: Offering detailed insights into device configurations, software installations, and hardware lifecycle management.

Conclusion

Leveraging Intune Device Query transforms how organizations manage and secure device fleets. By harnessing the power of detailed queries, IT administrators can gain unprecedented insights into their devices, leading to improved security, compliance, and operational effectiveness. As the digital workspace continues to evolve, leveraging advanced querying capabilities will be key to staying ahead in managing and securing organizational assets effectively.

Resources

Device query in Microsoft Intune
Learn how to gain on-demand information about the state of your devices using device query.
Device Query | 64-bits | WindowsRegistry Entity | Intune
Kusto Query Language (KQL) overview - Azure Data Explorer & Real-Time Analytics
Learn about how to use Kusto Query Language to explore data.
