MDE - TVM - Security Configuration - Windows Firewall
MDE TVM Security Controls Firewall
Query
// Security Controls - Firewall - Compliance Summary
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-51","scid-50","scid-49","scid-46","scid-43","scid-2073","scid-2072","scid-2071","scid-2070")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId, DeviceName
| extend Configuration = case(
ConfigurationId == "scid-51", "DisableMergeFWConnectionRules",
ConfigurationId == "scid-50", "DisableMergeFWRules",
ConfigurationId == "scid-49", "DisableFWNotProgPublic",
ConfigurationId == "scid-46", "DisableFWNotProgPrivate",
ConfigurationId == "scid-43", "DisableFWNotProgDomain",
ConfigurationId == "scid-2073", "SecFwPublic",
ConfigurationId == "scid-2072", "SecFwPrivate",
ConfigurationId == "scid-2071", "SecFwDomain",
ConfigurationId == "scid-2070", "TurnOnFw",
"N/A"),
Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
| summarize toint(Compliant = dcountif(DeviceId ,Result=="GOOD")) ,toint(NonCompliant = dcountif(DeviceId,Result=="BAD")), toint(NotApplicable = dcountif(DeviceId, Result =="N/A")) by Configuration, ConfigurationId
| join DeviceTvmSecureConfigurationAssessmentKB
on $left.ConfigurationId == $right.ConfigurationId
| extend TotalDevices = toint((Compliant + NonCompliant + NotApplicable))
| extend PctCompliant = toint((Compliant*100) / TotalDevices)
| project ConfigurationName, ConfigurationSubcategory, Compliant,NonCompliant, NotApplicable,TotalDevices, PctCompliant, ConfigurationDescription, ConfigurationCategory, RiskDescription
| sort by ConfigurationSubcategory
// | summarize by ConfigurationName, TotalDevices,Compliant,NonCompliant
// | render columnchart with(kind=stacked100)About this query
Explanation
The first query retrieves the compliance status of Windows Firewall configurations. It summarizes the compliance status for each configuration and calculates the number of compliant, non-compliant, and not applicable devices. It also provides additional information such as the configuration name, subcategory, description, category, and risk description.
The second query focuses on the non-compliant details of the Windows Firewall configurations. It retrieves the devices that are not compliant with the configurations and provides information about the device name, configuration name, subcategory, and category.
Details

Alex Verboon
Released: September 19, 2023
Tables
DeviceTvmSecureConfigurationAssessmentDeviceTvmSecureConfigurationAssessmentKB
Keywords
DevicesIntuneUserMDETVMSecurity ConfigurationWindows Firewall
Operators
whereinsummarizearg_maxbyextendcasedcountifjoinontointprojectsort