
Running a registry based query

Hello,

We have some computers for which we need to find out a specific registry value in order to be able to update their OS.
The path: HKEY_LOCAL_MACHINE\software\policies\Microsoft\Windows\WindowsUpdate\AU

The value (Dword): NoAutoUpdate

I want to find out which computers that are onboarded to Defender for Endpoint have this registry set to "1"/On.

Thanks for help

 

4 Replies
Why not just Advanced Hunting and query the registry from there?
That's what I am trying to do but I can't find the correct syntax.

@UBBER2290 

Head into Advanced hunting - Microsoft 365 security

Use this to start with:

>DeviceRegistryEvents
>| limit 100
 
Then pivot from there using show filters?
For instance I have recently been wanting to track Macros that have been executed, so I'm looking for this in TrustedRecords using this KQL

DeviceRegistryEvents
| where RegistryKey has @"SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords"
| project Timestamp, DeviceName, RegistryValueName
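
An added example (not part of any reply in this thread) that applies the same DeviceRegistryEvents pattern to the key and value named in the original question, keeping only each device's most recent recorded event. It assumes the DWORD appears in RegistryValueData as the string "1". The table holds registry change events within the hunting retention window only, so a device where the value was set before that window will not be returned.

```kusto
// Added example: devices whose latest recorded NoAutoUpdate event sets it to 1
DeviceRegistryEvents
| where RegistryKey has @"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
| where RegistryValueName =~ "NoAutoUpdate"
// Only value writes and deletions say anything about the current setting
| where ActionType in ("RegistryValueSet", "RegistryValueDeleted")
// Keep the most recent event per device
| summarize arg_max(Timestamp, DeviceName, ActionType, RegistryValueData, PreviousRegistryValueData) by DeviceId
// Drop devices where the value was later deleted or changed away from 1
| where ActionType == "RegistryValueSet" and RegistryValueData == "1"
| project Timestamp, DeviceName, DeviceId, RegistryValueData, PreviousRegistryValueData
| order by DeviceName asc
```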