KQL Query for DevDrive on Windows 11



I am not sure whether this is the place for this topic, but I'll give it a try.

I would like to keep track of DevDrives created on Windows 11 devices via a KQL query. Does anyone have some hints for this? Thanks.




3 Replies
To track the creation of drives, specifically "DevDrive," on Windows 11 devices using KQL, you would likely need to access logs or events that record system changes, such as drive creation. Assuming this information is logged and available in a table like DeviceEvents, you could use a KQL query to filter for events related to the creation of a "DevDrive". Here's how you could structure your query:

```kql
DeviceEvents
// Filter for Windows 11 devices: DeviceEvents has no OS column, so join on DeviceInfo.OSPlatform
| join kind=inner (DeviceInfo | where OSPlatform == "Windows11" | distinct DeviceId) on DeviceId
| where ActionType == "DriveCreated" // Assuming 'DriveCreated' is the event type for creating new drives (not a documented ActionType)
| where DeviceName contains "DevDrive" // Filter for 'DevDrive' creation events
| project Timestamp, DeviceName, AccountName, ActionType // Select relevant columns to display
| order by Timestamp desc // Sort by most recent events
```
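The reply above depends on an assumed "DriveCreated" event type that the Defender Advanced Hunting schema does not document. An approach that only uses documented tables is to look at how a Dev Drive is created: the documented command-line paths are `format <drive:> /DevDrv`, the Storage module cmdlet `Format-Volume -DevDrive`, and `fsutil devdrv enable` for converting an existing ReFS volume, all of which leave a command line in DeviceProcessEvents. The query below is an added example written for this thread, not code from the original post or from Microsoft; it assumes the Microsoft Defender XDR Advanced Hunting schema (DeviceProcessEvents, DeviceInfo with OSPlatform == "Windows11") and a 30-day lookback. A Dev Drive created through the Settings app may not surface a recognizable command line, so an empty result means "not observed", not "not created".

```kql
// Added example (not from the original post): find Dev Drive creation on Windows 11
// by matching the documented command-line paths in process telemetry.
let lookback = 30d;
// Assumption: DeviceInfo.OSPlatform carries the value "Windows11" for Windows 11 hosts
let win11 = DeviceInfo
    | where Timestamp > ago(lookback)
    | where OSPlatform == "Windows11"
    | distinct DeviceId;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where DeviceId in (win11)
| where
    // format.com <drive:> /DevDrv [/Q] ...
    (FileName =~ "format.com" and ProcessCommandLine has "DevDrv")
    // Format-Volume -DriveLetter X -DevDrive (Storage PowerShell module)
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has_all ("Format-Volume", "DevDrive"))
    // fsutil devdrv enable <drive:> converts an existing ReFS volume
    or (FileName =~ "fsutil.exe" and ProcessCommandLine has_all ("devdrv", "enable"))
| extend Method = case(
    FileName =~ "format.com", "format /DevDrv",
    FileName =~ "fsutil.exe", "fsutil devdrv enable",
    "Format-Volume -DevDrive")
| project Timestamp, DeviceName, AccountName, Method, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

`has` and `has_all` match whole terms case-insensitively, so `DevDrv` matches `/DevDrv` and `DevDrive` matches `-DevDrive` without false hits on unrelated substrings. Keep the initiating process columns in the output: a Dev Drive formatted by an interactive shell and one formatted by a script or management tool should be triaged differently. If Format-Volume is called from inside a script file rather than on the command line, only the script path appears in ProcessCommandLine, which is the main blind spot of a command-line-based rule.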

