Επεξεργασία

Κοινή χρήση μέσω


Intune data platform

Applies to: Microsoft Intune

This article goes over the properties supported in the Intune Data Platform.

Device query allows you to quickly assess the state of devices in your environment and take action. When you enter a query on a selected device, Device query runs a query in real time. The data returned can then be filtered, grouped, and refined to answer business questions, troubleshoot issues in your environment, or respond to security threats.

Each table (entity) in this page lists the types of queries that are supported.

BiosInfo

Description: Provides basic BIOS Information.

Supported for: Device query, single device on-demand.

Property Type Description
Manufacturer String (Max length 256 characters) Manufacturer of this software element.
ReleaseDateTime DateTime(UTC) BIOS Release Date
SerialNumber String (Max length 256 characters) Assigned serial number of this software element.
SmBiosVersion String (Max length 256 characters) BIOS version as reported by SMBIOS.

Certificate

Description: Certificate Authorities installed in Keychains/ca-bundles. Only certificates for computers are returned. Supported for: Device query, single device on-demand.

Property Type Description
SubjectName string Certificate distinguished name
Issuer string Certificate issuer distinguished name
CommonName string Certificate CommonName
IsCa bool 1 if CA: true (certificate is an authority) else 0
SelfSigned bool 1 if self-signed, else 0
ValidFromDateTime datetime (UTC) Lower bound of valid date
ValidToDateTime datetime (UTC) Certificate expiration data
SigningAlgorithm string (max length 256 characters) Signing algorithm used
KeyAlgorithm string (max length 256 characters) Key algorithm used
KeyStrength long Key size used for RSA/DSA, or curve name
KeyUsage string (max length 256 characters) Certificate key usage and extended key usage
SerialNumber string (max length 256 characters) Certificate serial number
StoreLocation string (max length 256 characters) Certificate system store location
StoreName string (max length 256 characters) Certificate system store

CPU

Description: Retrieves CPU hardware info on the machine.

Supported for: Device query, single device on-demand.

Property Type Description
ProcessorId string (max length 256 characters) The DeviceID of the CPU.
Model string (max length 256 characters) The model of the CPU.
Manufacturer string (max length 256 characters) The manufacturer of the CPU.
ProcessorType string The processor type, such as Central, Math, or Video.
Architecture String (max length 20 characters) Processor architecture used by the platform.
CpuStatus string (max 256 length 256 characters) The current operating status of the CPU.
CoreCount long The number of cores of the CPU.
LogicalProcessorCount long The number of logical processors of the CPU.
AddressWidth long The width of the CPU address bus.
CurrentClockSpeed long The current frequency of the CPU.
MaxClockSpeed long The maximum possible frequency of the CPU.
SocketDesignation string (max length 256 characters) The assigned socket on the board for the given CPU.
Availability string(max length 256 characters) The availability and status of the CPU.

DiskDrive

Description: Retrieves basic information about the physical disks of a system.

Supported for: Device query, single device on-demand.

Property Type Description
DriveId string (max length 256 characters) The unique identifier of the drive on the system.
PartitionCount long Number of detected partitions on disk.
DriveIndex long Physical drive number of the disk.
InterfaceType string (max length 256 characters) The interface type of the disk.
PnpDeviceId string (max 256 length 256 characters) The unique identifier of the drive on the system.
SizeBytes long Size of the disk.
Manufacturer string (max length 256 characters) The manufacturer of the disk.
Model string (max length 256 characters) Hard drive model.
DiskName string (max length 256 characters) The label of the disk object.
SerialNumber string (max length 256 characters) The serial number of the disk.
Description string (max length 256 characters) The OS's description of the disk.

EncryptableVolume

Description: Retrieves encryptable volume status of the machine.

Supported for: Device query, single device on-demand

Property Type Description
VolumeId string(Max length 256 characters) ID of the encrypted volume.
WindowsDriveLetter string(Max length 5 characters) Drive letter of the encrypted drive.
PersistentVolumeId string(Max length 38 characters) This is a Guid Persistent ID of the drive.
ProtectionStatus string (max length 256 characters) The BitLocker protection status of the drive.
EncryptionMethod string(256) The encryption type of the device.
EncryptionPercentage long (An integer from 0 to 100 inclusive) The percentage of the drive that is encrypted.
Locked bool The accessibility status of the drive from Windows.

FileInfo

Description: Lists all file info of the passed file or files under the passed directory.

Supported for: Device query, single device on-demand.

Note

This is a parameterized entity where you must pass in the path of the File you want to query. For example, pass in FileInfo('c:\windows\system32\drivers\etc\hosts') | take 10. If a directory is passed, it will return info on the files in the directory and sub-directories.

Property Type Description
Path string(Max Length 260 characters) Absolute file path
Directory string (Max Length 4096 characters) Directory of file(s)
FileName string(Max Length 260 characters) Namxxe portion of file path
SizeBytes long Size of file in bytes
LastAccessDateTime datetime(UTC) Last access time
LastModifiedDateTime datetime(UTC) Last modification time
LastStatusChangeDateTime datetime(UTC) Last status change time
CreatedDateTime datetime(UTC) (B)irth or (cr)eate time
Attributes string File attribute string. See: https://ss64.com/nt/attrib.html
FileVersion string(Max length 256 characters) File version
ProductVersion string(Max length 256 characters) File product version
ProductName string(Max length 256 characters) File Product Name
OriginalName string(Max length 256 characters) (Executable files only) Original filename

LocalGroup

Description: Lists local user groups.

Supported for: Device query, single device on-demand.

Property Type Description
GroupId long, Result should be (>=0) Group ID
GroupName String(Max length 256 characters) Group Name
WindowsSid String(Max length 256 characters) sid of group on windows

LocalUserAccount

Description: Lists local user accounts.

Supported for: Device query, single device on-demand.

Property Type Description
UserId long, Result should be (>=0) User ID
Username string(max length 256 characters) Username
UserDescription string(max length 256 characters) Optional user description
HomeDirectory string(max length 4096 characters) User's home directory
WindowsSid string(max length 256 characters) Windows Sid

LogicalDrive

Description: Details for logical drives on the system. A logical drive generally represents a single partition.

Supported for: Device query, single device on-demand.

Property Type Description
DriveIdentifier string (Max length 5 characters) The drive ID, usually the drive name. For example, 'C:'.
DriveType string(Max length 100 character) Drive type such as local disk or removal disk
DiskDescription string (Max length 256 characters) The canonical description of the drive. For example, 'Logical Fixed Disk', 'CD-ROM Disk'.
FreeSpaceBytes long, Result should be (>=0) The amount of free space, in bytes, of the drive (-1 on failure).
DiskSizeBytes long, Result should be (>=0) The total amount of space, in bytes, of the drive (-1 on failure).
FileSystem string(Max length 256 characters) The file system of the drive.

MemoryInfo

Description: Memory Information.

Supported for: Device query, single device on-demand.

Property Type Description
PhysicalMemoryTotalBytes Long, Result should be (>=0) Total amount of physical memory available to the operating system. This value doesn't necessarily indicate the true amount of physical memory, but what is reported to the operating system as available to it.
PhysicalMemoryFreeBytes LongResult should be (>=0) Number of bytes of physical memory currently unused and available.
VirtualMemoryTotalBytes Long, Result should be (>=0) Number of bytes of virtual memory.
VirtualMemoryFreeBytes Long, Result should be (>=0) Number of bytes of virtual memory currently unused and available.

OsVersion

Description: A single row containing the operating system name and version.

Supported for: Device query, single device on-demand,

Property Type Description
OsName string (max length 256 characters) Distribution or product name
OsVersion string (max length 40characters) Pretty, suitable for presentation, OS version
MajorVersion Long Major release version
MinorVersion Long Minor release version
PatchVersion long Optional patch release
BuildVersion string Optional build-specific or variant string
Architecture string(max length 256 characters) OS Architecture
InstallDateTime datetime (UTC) The install date time of the OS.

Process

Description: All running processes on the host system.

Supported for: Device query, single device on-demand.

Property Type Description
ProcessId long Process ID
ProcessName string (max 260 characters) The name of process
Path string (max 4096 characters) Path to executed binary
CommandLine string (max 4096 characters) Complete argv
CurrentWorkingDirectory string (max 256 characters) Process current working directory
WorkingSetSizeBytes long Bytes of private memory used by process
TotalSizeBytes long Total virtual memory size
DiskBytesRead long Bytes read from disk
DiskBytesWritten long Bytes written to disk
ParentProcessId long Process parent's PID
Priority long Process nice level (-20 to 20, default 0)
UserTimeMilliseconds long CPU time in milliseconds spent user space
SystemTimeMilliseconds long CPU time in milliseconds spent in kernel space
StartDateTime Datetime(UTC)Need to convert this value to datetime Process start datetime in UTC
ElapsedTimeMilliseconds long Elapsed time in seconds this process has been running.
ProcessorTimePercent long Returns elapsed time that all of the threads of this process used the processor to execute instructions in 100-nanoseconds ticks.
ThreadCount long Number of threads used by process
HandleCount long Total number of handles that the process has open. This number is the sum of the handles currently opened by each thread in the process.
WindowsUserAccount string The owner of the process
OnDisk boolNullable<System.Boolean> The process path exists yes=1, no=0, unknown=-1

SystemEnclosure

Description: Displays information pertaining to the chassis and its security status.

Supported for: Device query, single device on-demand.

Property Type Description
SerialNumber string (max 64 characters) The serial number of the chassis.
AudibleAlarmEquipped bool If TRUE, the frame is equipped with an audible alarm.
BreachDescription string(max 256 characters) If provided, gives a more detailed description of a detected security breach.
ChassisTypes Array[string] A comma-separated list of chassis types, such as Desktop or Laptop.
ExtendedDescription string(max 256 characters) An extended description of the chassis if available.
LockEquipped bool If TRUE, the frame is equipped with a lock.
Manufacturer string (max 256 characters) The manufacturer of the chassis.
Model string (max 256 characters) The model of the chassis.
SecurityBreach string(max 256 characters) The physical status of the chassis such as Breach Successful, Breach Attempted, etc.
SmBiosAssetTag string (max 120 characters) The assigned asset tag number of the chassis.
Sku string (max 64 characters) The Stock Keeping Unit number if available.
Status string(256 characters) If available, gives various operational or nonoperational statuses such as OK, Degraded, and Pred Fail.
VisibleAlarmEquipped bool If TRUE, the frame is equipped with a visual alarm.

SystemInfo

Description: System information of the device.

Supported for: Device query, single device on-demand.

Property Type Description
FqdnHostname string (max 256) Network hostname including domain
Uuid string (max 36 characters) Unique ID provided by the system
ComputerName string (max 256 characters) Friendly computer name (optional)
PhysicalProcessorCount Long Number of physical processors
ProcessorArchitecture string(40 characters) CPU type
HardwareManufacturer string (max 256 characters) Hardware vendor
HardwareModel string (max 256 characters) Hardware model

Tpm

Description: Provides TPM related information of the device.

Supported for: Device query, single device on-demand.

Property Type Description
Activated bool TPM is activated
Enabled bool TPM is enabled
Owned bool TPM is owned
Manufacturer string (max 256 characters) TPM manufacturers name
ManufacturerVersion string (max 256 characters) TPM version
ManufacturerId long TPM manufacturers ID
ProductName string (max 256 characters) Product name of the TPM
PhysicalPresenceVersion string (max 256 characters) Version of the Physical Presence Interface
SpecVersion string (max 256 characters) Trusted Computing Group specification that the TPM supports

WindowsAppCrashEvent

Description: Provides App Crash info in Windows event log file Application in look back time.

Supported for: Device query, single device on-demand.

ReportId(Key) string (max 256 characters) Report ID of the App crash
AppPath string (max 256 characters) Application path
AppName string (max 256 characters) Application file name
AppVersion string (max 40 characters) Application version
LoggedDateTime datetime (UTC) System UTC time at which the event occurred
WindowsUserAccount string (max 256 characters) User account associated with this app crash

WindowsDriver

Description: Details for in-use Windows device drivers. This doesn't display installed but unused drivers.

Supported for: Device query, single device on-demand.

Property Type Description
DriverDeviceId(Key) string (Max 256 characters) Device ID
FriendlyName string(Max 256 characters) Such as "Microsoft Device Association Root Enumerator"
DriverDescription string (Max 256 characters) Driver description
DriverVersion string (Max 20 characters) Driver version
InfName string (Max 260 characters) Associated inf file
Class string (Max 256 characters) Device/driver class name
ProviderName string (Max 256 characters) Driver provider
Manufacturer string (Max 256 characters) Device manufacturer
BuildDateWin32_PnPSignedDriver class (Windows) | Microsoft Learn datetime(UTC) Driver date
Signed bool Whether the driver is signed or not

WindowsEvent

Description: Get Windows Event logs in the specified log name and look back in time.

Supported for: Device query, single device on-demand.

Note

When constructing the query, you must specify the log name and look back time, for example: WindowsEvent(Application, 1d) | take 1.

Property Type Description
LogName string (max 256 characters) the name of log
EventId long event ID
Level string string (max 30 characters) Level display name
possible value:CRITICAL_ERROR,ERROR,WARNING,INFORMATION,VERBOSE
LoggedDateTime datetime (UTC) System UTC time at which the event occurred
Message string (max 32766 characters) The event messages
ProviderName string (max 256 characters) Provider name of event
WindowsUserAccount string (max 256) User account associated with this event

WindowsQfe

Description: Information about security patches on the device. Supported for: Device query, single device on-demand.

Property Type Description
HotFixId (key) string (max 256 characters) Unique identifier associated with a particular update.
ComputerName string (max 256 characters) The name of the computer the patch is installed on.
Caption string (max 256 characters) A short textual description of the object.
QfeDescription string (max 256 characters) A textual description of the object.
FixComments string (max 256 characters) More comments about the Qfe.
InstalledByUserAccount string (max 256 characters) User account who installed the update. If this value is unknown, the property is empty.
InstalledDate datetime (UTC) Date that the update was installed. If this value is unknown, the property is empty.

WindowsRegistry

Description: Lists registry under the passed registry key.

Supported for: Device query, single device on-demand.

Note

You must pass in the registry key you are trying to query. For example, WindowsRegistry('HKEY_LOCAL_MACHINE\\ServiceLastKnownStatus').

Property Type Description
RegistryKey string (max 16638 characters) Full path to the value
ValueName string (max 16383 characters) Name of the registry value entry
ValueType string (max 255) Type of the registry value, or 'subkey' if item is a subkey
ValueData string (max size 1 MB) Data content of registry value

WindowsService

Description: Lists all installed Windows services and their relevant data.

Supported for: Device query, single device on-demand.

Property Type Description
ServiceName string (max 256 characters) Service name
ServiceType string (max 40)Win32_Service class - Win32 apps | Microsoft Learn Service Type such as: OWN_PROCESS, SHARE_PROCESS, or Interactive
DisplayName string (max 256 characters) Service Display name
State string (max 40 characters) Service Current status such as STOPPED, START_PENDING, STOP_PENDING, RUNNING, CONTINUE_PENDING, PAUSE_PENDING, PAUSED
ProcessId long the Process ID of the service
StartMode string (Max 40 characters) Service start type: BOOT_START, SYSTEM_START, AUTO_START, DEMAND_START, DISABLED
ExitCode long The error code that the service uses to report an error that occurs when it is starting or stopping
ServiceSpecific ExitCode long The service-specific error code that the service returns when an error occurs while the service is starting or stopping
Path string (max 4096 characters) Path to Service Executable
ModulePath string (max 4096 characters) Path to ServiceDll
ServiceDescription string (max 256 characters) Service Description
WindowsUserAccount string (max 256 characters) The name of the account that the service process is logged on as when it runs. This name can be of the form Domain\UserName