Query Details

Microsoft Defender for Endpoint - Certificates - DigiCert Global Root G2

MDE Digi Cert Global Root G2

Query

let CertCount = DeviceTvmCertificateInfo
| summarize TotalCerts = count() by DeviceId;
DeviceInfo
| where OnboardingStatus == 'Onboarded'
| summarize arg_max(Timestamp,*) by DeviceId
| project Timestamp, DeviceId, DeviceName, OSPlatform, JoinType
| join kind=leftouter (DeviceTvmCertificateInfo
| extend IssuedTo_CommonName = tostring(parse_json(IssuedTo)["CommonName"])
| where IssuedTo_CommonName == "DigiCert Global Root G2")
on $left. DeviceId == $right. DeviceId
| summarize arg_max(Timestamp,*) by DeviceId
| extend CertPresent = iff(isnotempty( IssuedTo_CommonName),"Yes","No")
| project Timestamp,DeviceId, DeviceName,OSPlatform, JoinType, CertPresent, IssuedTo_CommonName, ExpirationDate,Path
| join kind=leftouter  CertCount
on $left. DeviceId == $right. DeviceId
| extend TotalCerts = iff(TotalCerts > 0,TotalCerts,0)
| project Timestamp, DeviceId,DeviceName, OSPlatform, JoinType,TotalCerts, CertPresent, IssuedTo_CommonName, ExpirationDate,Path
//| where CertPresent == "No" and TotalCerts > 0

About this query

Explanation

This KQL query set is designed to help identify devices in a network that may have issues related to the DigiCert Global Root G2 certificate. Here's a simple breakdown of what each query does:

  1. Query 1: This query lists all devices, indicating whether they have the DigiCert Global Root G2 certificate installed or not. It checks the DeviceTvmCertificateInfo table to see if the certificate is present and summarizes the total number of certificates for each device.

  2. Query 2: This query is similar to the first but adds information about missing security updates. It identifies devices that do not have the DigiCert Global Root G2 certificate and also checks for any missing security updates from Microsoft. This helps in understanding if a device is not only missing the certificate but also lacks important security patches.

  3. Query 3: This query identifies devices that do not have any certificate inventory data available in the Defender TVM (Threat and Vulnerability Management) system. It checks for devices that have been onboarded but do not report any certificate data, which could indicate a configuration or reporting issue.

These queries are useful for network administrators using Microsoft Defender for Endpoint to ensure that devices are properly configured with necessary certificates and security updates, particularly in preparation for changes that require the DigiCert Global Root G2 certificate.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

DeviceTvmCertificateInfoDeviceInfoDeviceTvmSoftwareVulnerabilities

Keywords

Devices

Operators

letsummarizecountbywherearg_maxprojectjoinkindleftouterextendtostringparse_jsoniffisnotemptymatchesregexdistinctmake_setarray_length

Actions

GitHub