KQL script report last reboot/reset endpoint devices (Workstations/Laptops)
Hello everyone, I'm reaching out for assistance with a challenge I'm facing in Microsoft Defender. In my organization, we have numerous endpoint devices with vulnerabilities, and I suspect that the issues may stem from either inadequate patching or misconfigured Group Policy Object (GPO) settings preventing updates or reboots. To investigate further, I need a KQL script that can generate a report showing when each endpoint device was last rebooted or reset, along with the computer name and the last user who logged in to that device. I've attempted to use the following KQL script in different ways without success: DeviceEvents | where ActionType == "Restarted" or ActionType == "Shutdown" | summarize LastReboot = max(EventTime) by DeviceName Despite trying various approaches and searching through online forums, I haven't been able to obtain the desired results. I'm unsure if this information can be retrieved through Defender or if there's an alternative method I should explore. Any guidance or suggestions would be greatly appreciated as I work to identify and resolve these issues. Thank you for your assistance! Best regards, Sergio"Copy to clipboard" balloon tip blocks Copy icon
If you have 1920x1080 screen resolution or higher, this annoying balloon tip wreaks havoc by blocking the "copy" icon. I find this balloon tip to be the least necessary thing ever. Everyone who's job involves using the Defender portal knows what that icon means and the fact that it is blue lets us know even more concretely that we can click it. Does anyone else have this issue and/or find this annoying? The next thing that is also problematic in the same way, the way we have to use these balloons to first sort columns ascending, before we can ever sort descending. And we can't just click the obvious arrows, we have to click, get the balloon, choose "Sort ascending", then click again, get the next balloon, finally choose "Sort descending". I'm flabbergasted as to how anyone thought this was going to be helpful (making a simply sort button require so many clicks just to sort columns). I give feedback in the portal about these two things often, but it doesn't go away. These 2 UI elements are no good, need to go.
