Running a registry based query

We have some computers for which we need to find out a specific registry value in order to be able to update their OS.
The path: HKEY_LOCAL_MACHINE\software\policies\Microsoft\Windows\WindowsUpdate\AU

The value (Dword): NoAutoUpdate

I want to find out which computers that are onboarded to Defender for Endpoint have this registry set to "1"/On.

Thanks for help


4 Replies
Why not just Advanced Hunting and query the registry from there?

That's what I am trying to do but I can't find the correct syntax.


Head into Advanced hunting - Microsoft 365 security

Use this to start with:

DeviceRegistryEvents
| limit 100
Then pivot from there using show filters?
For instance I have recently been wanting to track Macros that have been executed, so I'm looking for this in TrustedRecords using this KQL

DeviceRegistryEvents
| where RegistryKey has @"SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords"
| project Timestamp, DeviceName, RegistryValueName
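
One way to answer the original question in Advanced Hunting, as an added example that is not part of the thread: take the most recent recorded change to NoAutoUpdate on each device and keep the devices where that change set it to 1. The 30-day lookback and the choice of output columns are assumptions.

```kusto
// Added example: devices whose latest recorded NoAutoUpdate change set it to 1.
let AuKey = @"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU";
DeviceRegistryEvents
| where Timestamp > ago(30d)                      // assumed lookback window
| where RegistryKey has AuKey
| where RegistryValueName =~ "NoAutoUpdate"
| where ActionType in ("RegistryValueSet", "RegistryValueDeleted")
// Keep only the newest event per device, so a later delete or reset to 0 wins.
| summarize arg_max(Timestamp, ActionType, RegistryValueData, PreviousRegistryValueData)
    by DeviceId, DeviceName
// RegistryValueData is a string column; convert before comparing the DWORD.
| where ActionType == "RegistryValueSet" and tolong(RegistryValueData) == 1
| project Timestamp, DeviceName, DeviceId, RegistryValueData, PreviousRegistryValueData
| order by DeviceName asc
```

DeviceRegistryEvents records registry changes rather than current state, so a device where NoAutoUpdate was set before the lookback window will not appear in the result.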