I started learning how to write KQL as soon as I became dissatisfied with my reporting methods in Intune. I started when we could only send diagnostic logs from Intune to a Log Analytics workspace and query this data. It was difficult at first, but it got easier the more I wrote queries. After some time, I started a small project to collect and share queries that anyone could copy and paste. This project has grown significantly and can be found here: KQLSearch.com.
The not-so-fun part for me was taking a break from writing queries because, honestly, there were only a couple of times when I really needed to do it. I set everything up, connected my Power BI dashboard, and after that, it was completely automated. Whenever a colleague asked me questions about the queries or needed help creating new ones, I struggled because I hadn’t written a single query in weeks. KQL is easy to learn, but it can also become complicated quickly.
Here’s how the Security Copilot in Intune has helped me in recent months:
Remembering the KQL Struggle
As an Intune administrator, you are likely to be familiar with the potential power (and complexity) of Kusto Query Language (KQL). With Intune’s advanced analytics, we can use KQL to query device data and gain deep insights into compliance status, operating system versions, encryption state, and more. However, not all of us are KQL experts or have time to write a query every time we need to search for something.
My New KQL Sidekick
Then Security Copilot in Intune came along, and it felt like a breath of fresh air. Copilot is essentially an assistant integrated into Intune that translates natural language into KQL (yes, it can do way more, but my focus is on KQL). You can ask Intune a question in plain English (I just learned that other languages are also supported), and Copilot will instantly generate the KQL query. I don’t need to know each available table or column.
The first time I tried it, I opened a device query in Intune, clicked the “Query with Copilot” button, and typed in my query. To my surprise, Copilot came back with a ready-to-run KQL query that made sense. It even explained how it built the query. It was as if a friendly expert were sitting next to me, translating my simple request into the exact code needed. This saved a lot of time.

Natural Language Queries in Action
Let’s look at some practical examples. I used to spend a lot of time on device queries, but Copilot handles them easily now.
- Encryption checks: I often need to find machines that aren’t encrypted. Now, I just ask, “Show me all devices without BitLocker,” and Copilot generates a query to find devices without BitLocker encryption.
- OS version filters: Are you wondering who’s using Windows 11? I can type “Show me Windows 11 devices.” Copilot can filter the inventory for Windows 11 endpoints.
- Patching status: During the monthly updates, I might ask, “Which devices haven’t been updated in the last 30 days?” Copilot will immediately create a KQL query to find any devices that haven’t received recent updates.
These are just a few examples, but you can already see the pattern. You can now do tasks that used to require creating complex filters or reports by simply asking Copilot in natural language. You can even ask about things like Defender status or TPM support. Copilot can find that data for you without you having to remember the exact field names.

Day-to-Day Benefits for Device Management
Using Copilot for device queries has really made my day-to-day Intune management easier. Here are the most significant wins I’ve noticed:
- Speed and Convenience: I can write complex queries quickly. What used to take me 10-15 minutes of tweaking now takes a single sentence and a few seconds.
- No KQL Expertise Needed: You don’t have to be fluent in KQL anymore. Copilot translates plain English into precise queries.
- Fewer Errors: I’ve made mistakes like using the wrong operator or misremembering a field name. Copilot’s queries are accurate and optimized.
- Learning on the Go: Copilot is turning out to be a great teacher. It shows me what queries are there, and even explains how they were generated. This helps me learn KQL. Maybe I’ll need the skill again later 🙂
- More Focus on Results: The best part is that I can spend more time using device data and less time gathering it. It makes getting information as easy as talking with someone.
Conclusion: An Intune Admin’s Perspective
The Security Copilot in Intune is an amazing tool that can convert natural language into KQL. It has completely changed the way I do my Intune admin work. It made a boring task fun. I ask Intune questions like I would a colleague and get the answers I need without having to look at the query syntax. It’s a helpful tool that makes managing devices easier and more intuitive.
I still double-check the output, but so far Copilot’s suggestions have been spot on. It has helped me find devices that are not following the rules, see what is missing in terms of security, and make reports much more easily. If you manage Intune devices and haven’t tried the Copilot preview yet, I highly recommend doing so. Using Copilot to translate from English to KQL saves time and makes sure you’re getting the right information. It’s like having an expert with you.
Have you tried it yet? What is your experience?