- CMPivot queries
- Power plan per device
- Devices where AC power plan is not High Performance
- Devices with > 1 monitor
- Machines where user X is currently logged on
- Local Time deviation
- Registry items
- Machine-level proxy configuration
- Find KMS Licensing servers
- List Maintenance Windows with Time Zone information
- Filtered on last hour and specific StartTime
- Render charts with title
- List all Active Directory users that are administrators of their machine
- List the machines on which an admin is administrator
- Count application crashes by device
- List application crashes on a specific device
- List all Auto Start Software on a specific device
- List a specific Autostart software
- Count all BIOS versions
- Find a specific device based on a serial number
- Find a specific device based on BIOS version
- List the last 50 lines of a specific SCCM log file on a specific computer
- List the last 50 lines of a specific SCCM log file
- Active TCP connections in or out of a specific device to a specific destination
- Active TCP connections in or out of the device to a specific destination
- List all Microsoft devices based on Manufacturer
- List all Lenovo devices based on Manufacturer
- List all Dell devices based on Manufacturer
- List all HP devices based on Manufacturer
- Count devices by Manufacturer
- Count devices by Model
- Search a specific disk based on serial number
- List all C:\ disk information from all devices
- Last 50 events from the Application event log from a specific computer
- Last 50 events from the Application event log
- Last 50 events from the System event log
- Last 50 events from the Security event log
- Information about a specific file
- Information about a specific file on a specific computer
- Active file share information excluding Administrative Shares (Share$)
- Active file share information on a specific device
- Count of applications installed on the device
- Count devices with a specific application
- List installed applications on a specific device
- List a specific installed application
- List installed applications of a specific publisher
- List all Ethernet addresses that are up
- List a device based on its IPv4 address
- Count devices with a specific OS version
- OS information on a specific device
- List all devices with 64-bit OS
- List all devices with 32-bit OS
- List all devices with Windows 10
- List all devices with Windows 7
- List a specific process
- List all processes from a specific device
- List all values for a specific HKEY_LOCAL_MACHINE registry key
- List all values for a specific HKEY_CURRENT_USER registry key
- List all Services on a specific machine
- List machines with a specific running service
- List machines with a specific stopped service
- List SMB Configuration on a specific device
- Count all devices with SMB1 enabled
- Count all devices with SMB1 disabled
- Count devices with a specific software update applicable but not installed on the device (by KB Number)
- A software update applicable but not installed on a specific device
PowerSettings | where Name == 'Power Plan Type'
PowerSettings
| summarize countif((ACValue == 'High Performance')) by Device
// | summarize countif((ACSettingIndex == 1)) by Device
| where (countif_ == 0)
| project Device
DesktopMonitor | summarize dcount(DeviceID) by Device | where dcount_ > 1
User | where UserName like '%X%'
OperatingSystem | where isnotnull( LocalDateTime ) | summarize count() by LocalDateTime
Registry('hkcu:\\Environment')
Registry('hklm:\\KEY')
// doesn't currently work
Registry('hku:\\KEY')
Registry('HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings') | summarize countif( (Property == 'ProxyEnable') and (Value == '1') ) by Property,Value
Registry('HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings') | summarize countif( (Property == 'ProxyEnable') and (Value == '1') ) by Property,Value
SWLicensingService | where (IsKeyManagementServiceMachine == 1)
CcmLog('ServiceWindowManager') | where (LogText like '%Service Window with ID = {%} having Starttime=%2020%')
| distinct Device, MaintenanceWindow = substring(LogText,indexof(LogText ,'Starttime=')), PolicyTime = DateTime | join (TimeZone | project Device, TimeZone = strcat(StandardName, ' ', Caption)) | project Device, MaintenanceWindow, TimeZone, PolicyTime | order by Device asc, PolicyTime desc
CcmLog('ServiceWindowManager',1h) | where (LogText like '%Service Window with ID = {%} having Starttime=4/30/2020%')
| distinct Device, MaintenanceWindow = substring(LogText,indexof(LogText ,'Starttime=')), PolicyTime = DateTime | join (TimeZone | project Device, TimeZone = strcat(StandardName, ' ', Caption)) | project Device, MaintenanceWindow, TimeZone, PolicyTime | order by Device asc, PolicyTime desc
<Something>
| render piechart with(title='some text')
Administrators | where (ObjectClass == 'User') | where (PrincipalSource == 'ActiveDirectory')
Administrators | where (Name == 'DOMAIN\\USERNAME')
AppCrash | summarize dcount( Device ) by FileName
AppCrash | where (Device == 'DeviceName')
AutoStartSoftware | where (Device == 'xx')
AutoStartSoftware | where (Product == 'ProductName')
Bios | summarize dcount( Device ) by Version
Bios | where (SerialNumber == 'xx')
Bios | where (Version == 'xx')
CcmLog('CCMLogName.log') | where (Device == 'DeviceName') | order by DateTime desc | project Device, LogText, DateTime
CcmLog('CCMLogName') | order by DateTime desc | project Device, LogText, DateTime
Connection | where (Device == 'DeviceName') | where (Server == 'ServerName')
Connection | where (Server == 'ServerName')
Device | where (Manufacturer like 'Microsoft')
Device | where (Manufacturer like 'Lenovo')
Device | where (Manufacturer like 'Dell')
Device | where (Manufacturer like 'HP')
Device | summarize dcount( Device ) by Manufacturer
Device | summarize dcount( Device ) by Model
Disk | where (Description == 'Local Fixed Disk') | where (VolumeSerialNumber == 'YourNumber')
Disk | where (Description == 'Local Fixed Disk') | where (Name == 'C:')
EventLog('Application') | where (Device == 'DeviceName') | order by DateTime desc
EventLog('Application') | order by DateTime desc
EventLog('System') | order by DateTime desc
EventLog('Security') | order by DateTime desc
File('c:\\path\\file.exe')
File('c:\\path\\file.exe') | where (Device == 'DeviceName')
FileShare | where (Type == 0)
FileShare | where (Device == 'DeviceName')
InstalledSoftware | summarize dcount( Device ) by ProductName
InstalledSoftware | summarize countif( (ProductName == 'YourProductName') ) by Device | where (countif_ > 0)
InstalledSoftware | where (Device == 'DeviceName')
InstalledSoftware | where (ProductName == 'YourProductName')
InstalledSoftware | where (Publisher == 'YourPublisherName')
IPConfig | where ((InterfaceAlias like 'Ethernet') and (Status == 'Up'))
IPConfig | where (IPV4Address == '192.168.1.1')
OS | summarize countif( (Version == '10.0.17134') ) by Device | where (countif_ > 0)
OS | where (Device == 'DeviceName')
OS | where (OSArchitecture == '64-bit')
OS | where (OSArchitecture == '32-bit')
OS | where (Version like '10%')
OS | where (Version like '6.1%')
Process | where (Name == 'ProcessName.exe')
Process | where (Device == 'DeviceName')
Registry('hklm:\\YOUR\\REGISTRY\\KEY')
Registry('hkcu:\\YOUR\\REGISTRY\\KEY')
Service | where (Device == 'DeviceName')
Service | where (Name == 'ServiceName') | where (State == 'Running')
Service | where (Name == 'ServiceName') | where (State == 'Stopped')
SMBConfig | where (Device == 'DeviceName')
SMBConfig | summarize countif( (EnableSMB1Protocol == true) ) by Device | where (countif_ > 0)
SMBConfig | summarize countif( (EnableSMB1Protocol == false) ) by Device | where (countif_ > 0)
SoftwareUpdate | summarize countif( (KBArticleIDs == 'KB0000000') ) by Device | where (countif_ > 0)
SoftwareUpdate | where (Device == 'DeviceName')