KQL script report last reboot/reset endpoint devices (Workstations/Laptops)

Copper Contributor

Hello everyone,

I'm reaching out for assistance with a challenge I'm facing in Microsoft Defender. In my organization, we have numerous endpoint devices with vulnerabilities, and I suspect that the issues may stem from either inadequate patching or misconfigured Group Policy Object (GPO) settings preventing updates or reboots.

To investigate further, I need a KQL script that can generate a report showing when each endpoint device was last rebooted or reset, along with the computer name and the last user who logged in to that device.

I've attempted to use the following KQL script in different ways without success:

// Advanced Hunting exposes the event time as Timestamp (EventTime is the old Windows Defender ATP column name)
DeviceEvents
| where ActionType == "Restarted" or ActionType == "Shutdown"
| summarize LastReboot = max(Timestamp) by DeviceName


Despite trying various approaches and searching through online forums, I haven't been able to obtain the desired results. I'm unsure if this information can be retrieved through Defender or if there's an alternative method I should explore.


Any guidance or suggestions would be greatly appreciated as I work to identify and resolve these issues. Thank you for your assistance!


Best regards,

Sergio

0 Replies
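One way to build the report the post asks for (an added example, not part of the original post or an official Microsoft query). It assumes the standard Defender for Endpoint Advanced Hunting tables DeviceInfo, DeviceProcessEvents and DeviceLogonEvents, and it approximates a restart by an execution of shutdown.exe with the restart switch, so restarts triggered through other paths (for example by the Windows Update orchestrator) will not appear; the lookback window of 30 days is a chosen value.

```kql
// Added example: last recorded restart and last interactive logon per workstation.
// Assumption: a restart is approximated by shutdown.exe run with /r or -r.
let lookback = 30d;
let LastRestart =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "shutdown.exe"
    | where ProcessCommandLine has_any ("/r", "-r")
    | summarize arg_max(Timestamp, InitiatingProcessAccountName, ProcessCommandLine) by DeviceName
    | project DeviceName,
              LastRestart = Timestamp,
              RestartRequestedBy = InitiatingProcessAccountName,
              RestartCommand = ProcessCommandLine;
let LastLogon =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess"
    | where LogonType in ("Interactive", "RemoteInteractive")
    | summarize arg_max(Timestamp, AccountName, AccountDomain, LogonType) by DeviceName
    | project DeviceName,
              LastLogon = Timestamp,
              LastUser = strcat(AccountDomain, "\\", AccountName),
              LogonType;
// Start from the device inventory so machines with no recorded restart still show up.
DeviceInfo
| where Timestamp > ago(lookback)
| summarize arg_max(Timestamp, OSPlatform, DeviceType) by DeviceName
| where DeviceType == "Workstation"
| project DeviceName, OSPlatform, LastSeen = Timestamp
| join kind=leftouter LastRestart on DeviceName
| join kind=leftouter LastLogon on DeviceName
// Null DaysSinceRestart means no restart was observed in the lookback window.
| extend DaysSinceRestart = datetime_diff("day", now(), LastRestart)
| project DeviceName, OSPlatform, LastSeen, LastRestart, DaysSinceRestart,
          RestartRequestedBy, RestartCommand, LastUser, LastLogon, LogonType
| order by DaysSinceRestart desc nulls first
```

Devices listed first (null or large DaysSinceRestart) are the candidates for a missed patch reboot or a GPO that blocks restarts; compare them against the Software Inventory/Vulnerability Management pages before acting on the result.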