Microsoft Tech Community

KQL Query for DevDrive on Windows 11


Hello,

I am not sure whether this is the place for this topic, but I'll give it a try.

I would like to keep track of DevDrive created on Windows 11 devices via a KQL query. Does anyone have some hints for this? Thanks.

 

Regards,

Davor

3 Replies
To track the creation of drives, specifically "DevDrive," on Windows 11 devices using KQL, you would likely need to access logs or events that record system changes, such as drive creation. Assuming this information is logged and available in a table like DeviceEvents, you could use a KQL query to filter for events related to the creation of a "DevDrive". Here’s how you could structure your query:

DeviceEvents
| where OperatingSystem == "Windows 11" // Filter for Windows 11 devices
| where ActivityType == "DriveCreated" // Assuming 'DriveCreated' is the event type for creating new drives
| where DeviceName contains "DevDrive" // Filter for 'DevDrive' creation events
| project Timestamp, DeviceName, UserName, ActivityType // Select relevant columns to display
| order by Timestamp desc // Sort by most recent events
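
A different angle on the same question, added here as an example and not part of the reply above: instead of assuming a drive-creation event type, hunt for the process command lines that format a volume as a Dev Drive. It assumes the devices report to Microsoft Defender for Endpoint so that the DeviceProcessEvents table is populated, and it only covers Dev Drives formatted from the command line (`format ... /DevDrv` or `Format-Volume ... -DevDrive`); drives created through the Settings app may not appear.

```kql
// Added example, not from the original thread.
// Assumption: Defender for Endpoint advanced hunting (DeviceProcessEvents) is available.
// No OS filter is applied: Dev Drive is a Windows 11 feature, so the
// command-line switches below should only be seen on Windows 11 devices.
let lookback = 30d; // constructed value, adjust to your retention
DeviceProcessEvents
| where Timestamp > ago(lookback)
// 'contains' is used instead of 'has' because the switches start with '/' or '-'
| where ProcessCommandLine contains "/DevDrv"
    or (ProcessCommandLine contains "Format-Volume"
        and ProcessCommandLine contains "-DevDrive")
| project Timestamp, DeviceName, AccountName, FileName,
          ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
```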

I will come home if Ratih leaves, but I really miss my child Seno El Fati, @Joe Stocker 

As a result of too many events, of recruiting too many people and lobbying people, an affair eventually happened, at the expense of me and my children. It is my research, yet all of you enjoy the results and fight over all my evidence. The crazy ones are you, not me and my children.