
Applies to:

  • Microsoft Defender XDR
  • Microsoft Defender for Endpoint

The DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema contains information about the various secure configurations checked by Microsoft Defender Vulnerability Management. It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics.

This table doesn't return events or records. We recommend joining this table to the DeviceTvmSecureConfigurationAssessment table using ConfigurationId to view text information about the security configurations in the returned assessments.

For example, when you query the DeviceTvmSecureConfigurationAssessment table, you might want to view the ConfigurationDescription for the security configurations that come up in the assessment results. You can see this information by joining this table to DeviceTvmSecureConfigurationAssessment on ConfigurationId and projecting ConfigurationDescription.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

| Column name | Data type | Description |
|---|---|---|
| ConfigurationId | string | Unique identifier for a specific configuration |
| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
| ConfigurationName | string | Display name of the configuration |
| ConfigurationDescription | string | Description of the configuration |
| RiskDescription | string | Description of the associated risk |
| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
| ConfigurationSubcategory | string | Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
| ConfigurationBenchmarks | string | List of industry benchmarks recommending the same or similar configuration |
| Tags | string | Labels representing various attributes used to identify or categorize a security configuration |
| RemediationOptions | string | Recommended actions to reduce or address any associated risks |

You can try this example query to return relevant configuration metadata along with information on devices with non-compliant antivirus configurations from the DeviceTvmSecureConfigurationAssessment table:

// Get information on devices with antivirus configuration issues
DeviceTvmSecureConfigurationAssessment
| where ConfigurationSubcategory == 'Antivirus' and IsApplicable == 1 and IsCompliant == 0
// Pull the descriptive text for each configuration from the KB table
| join kind=leftouter (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, Tags, ConfigurationImpact
) on ConfigurationId
| project DeviceName, OSPlatform, ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory, ConfigurationDescription, RiskDescription, ConfigurationImpact, Tags
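
The same join can also drive remediation triage across all categories. The following query is an added example, not part of the original page: it counts the devices failing each applicable configuration, then uses the KB table to attach the impact rating, benchmarks, and remediation text. It assumes the DeviceId column of DeviceTvmSecureConfigurationAssessment, which this page does not list; NonCompliantDevices and Impact are names chosen for this example.

```kusto
// Added example: rank failing configurations by impact and device count
DeviceTvmSecureConfigurationAssessment
| where IsApplicable == 1 and IsCompliant == 0
// One row per configuration, with the number of distinct failing devices
// (DeviceId is assumed from the assessment table's schema)
| summarize NonCompliantDevices = dcount(DeviceId) by ConfigurationId
// Attach descriptive and remediation metadata from the KB table
| join kind=leftouter (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationImpact, ConfigurationBenchmarks, RemediationOptions
) on ConfigurationId
// Convert the impact rating to a number so it sorts numerically
| extend Impact = todouble(ConfigurationImpact)
| project ConfigurationId, ConfigurationName, ConfigurationCategory, Impact, NonCompliantDevices, ConfigurationBenchmarks, RemediationOptions
| sort by Impact desc, NonCompliantDevices desc
```

Because the join is a left outer join, a configuration with no matching KB row still appears in the results, with empty metadata columns.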

