4.4 Defender Intelligence, BitLocker Key Rotation, and KQL Device Query Troubleshooting
Key Takeaways
- Update Microsoft Defender Antivirus security intelligence is a one-time remote action to refresh Defender threat definitions on supported Windows devices.
- Defender quick scan and full scan look for malware, while security intelligence update refreshes the detection content Defender uses.
- Rotate BitLocker keys after a recovery key is used, shared, exposed, or when a device is serviced or reassigned.
- Single-device Device query runs a supported subset of Kusto Query Language in near real time against a selected corporate-owned Windows device and depends on Windows Push Notification Services.
- Device query for multiple devices uses collected inventory across supported corporate-owned platforms; Windows devices require a properties catalog policy to collect inventory.
Security operations from Intune
The exam expects you to distinguish ongoing security policy from one-time operational action. Antivirus policy, disk encryption policy, and security baselines define desired state. Remote actions and device query help you respond to a live issue.
Three actions are especially important in the current MD-102 blueprint: update Microsoft Defender Antivirus security intelligence, rotate BitLocker recovery keys, and run a device query by using Kusto Query Language (KQL).
What to use when
| Symptom or request | Use | Why | Follow-up |
|---|---|---|---|
| Defender definitions are stale on a managed Windows device | Update Microsoft Defender Antivirus security intelligence | Refreshes security intelligence files without waiting for the normal update cycle | Run quick or full scan if compromise is suspected |
| The security team suspects malware on a device | Quick scan or Full scan | Scans the device with Microsoft Defender Antivirus | Use full scan for a deeper check, then review Defender for Endpoint signals |
| A BitLocker recovery key was shared with help desk | Rotate BitLocker keys | Generates a new recovery key for the operating system drive so the old key cannot be reused | Confirm key escrow and document the recovery event |
| Support needs to know whether a service is running | Single-device Device query | Queries live device state without starting a remote control session | Use a remote action or remediation only after confirming the state |
| Security needs a fleet list of unencrypted drives | Device query for multiple devices | Queries collected inventory across supported corporate-owned devices | Export results or create a group for targeted remediation |
Defender security intelligence updates
The Update Microsoft Defender Antivirus security intelligence remote action refreshes the definitions and detection content used by Microsoft Defender Antivirus. Use it when a device is online or expected to check in and the problem is stale intelligence, not a missing antivirus policy.
Do not confuse this with a scan. A scan evaluates the device for malware. A security intelligence update refreshes the data Defender uses to detect current threats. In a live incident, a practical sequence is: update intelligence, run a quick or full scan, collect diagnostics if needed, and escalate to Microsoft Defender for Endpoint response actions when containment or investigation is required.
BitLocker key rotation
BitLocker key rotation is a Windows remote action. It remotely refreshes the recovery key for the operating system drive on BitLocker-encrypted Windows devices. Use it after a recovery key is used during support, shared with a technician, exposed in a ticket, or after device servicing or reassignment.
The action requires the right Intune role or a custom role with the BitLocker key rotation remote task permission plus device visibility. A typical path is Devices > All devices > select the device > BitLocker key rotation > confirm.
Device query with KQL
Device query lets an admin run KQL against a selected device or across collected inventory. The single-device version is near real time for supported corporate-owned Windows devices that are Intune managed and Microsoft Entra joined or hybrid joined. It uses Windows Push Notification Services to notify the device, so blocking that dependency can cause query failure.
Use KQL to reduce disruption. Instead of immediately remote controlling a user's device, query the service, registry, process, event, certificate, TPM, or encryption state you need. Examples:
```kusto
// Single-device check: is the Microsoft Defender Antivirus service running and set to start automatically?
WindowsService
| where Name == 'WinDefend'
| project Name, State, StartMode
```

```kusto
// Multi-device check: which encryptable volumes are not BitLocker protected?
EncryptableVolume
| where ProtectionStatus != 'PROTECTED'
| join LogicalDrive on Device
```

```kusto
// Multi-device inventory: how many devices run each OS version?
OsVersion
| summarize DevicesCount = count() by OsVersion
```
Know the boundaries. Device query supports only a subset of KQL operators and functions. Single-device query has limits such as a 128 KB result string, 15 queries per minute, and 2,048 characters for query input. Multi-device query supports Windows, supported corporate-owned Android Enterprise devices, iOS/iPadOS, and macOS, but Windows devices need a properties catalog policy to collect inventory.
Troubleshooting path
A strong admin-action answer usually follows this order:
- Query first when you need evidence and the device is reachable.
- Use Sync when policy state is stale.
- Use update intelligence when Defender content is stale.
- Use scans or remediations when query results show a device-level issue.
- Rotate keys when recovery material was exposed.
- Reserve Wipe, Delete, or security containment for high-impact incidents with clear authorization.
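The "query first" step above and the device query section can be tied together with a short evidence-gathering set. The queries below are an added example written for this page, not sample content from Microsoft or the MD-102 blueprint. Each query is run on its own in the single-device Device query blade (one query per run, well under the 2,048-character input limit). The WindowsService, EncryptableVolume and OsVersion entities and the Name, State, StartMode and ProtectionStatus columns are the ones the page itself uses; the Process and Tpm entities and the ProcessId, Activated, Enabled, Owned, DriveLetter and ConversionStatus columns are assumed to exist in the Intune properties catalog and should be checked against the catalog in your tenant. The service and process names WinDefend, Sense and MsMpEng.exe are the standard Windows names for Defender Antivirus, the Defender for Endpoint sensor and the antimalware engine.

```kusto
// Query 1, before "Update Microsoft Defender Antivirus security intelligence":
// confirm the antivirus service and the Defender for Endpoint sensor are running.
// A Stopped or Disabled WinDefend means the update action will not help; fix policy first.
WindowsService
| where Name == 'WinDefend' or Name == 'Sense'
| project Name, State, StartMode

// Query 2, same decision: is the antimalware engine process actually present?
// (Process entity and ProcessId column are assumed, not taken from the page.)
Process
| where Name == 'MsMpEng.exe'
| project Name, ProcessId

// Query 3, before "BitLocker key rotation": confirm the TPM is ready, since a device
// that is not TPM protected will not behave as expected after rotation.
// (Tpm entity and Activated/Enabled/Owned columns are assumed.)
Tpm
| project Activated, Enabled, Owned

// Query 4, before deciding on remediation: list any volume that is not protected,
// keeping the projection small so the result stays far below the 128 KB limit.
// (DriveLetter and ConversionStatus columns are assumed.)
EncryptableVolume
| where ProtectionStatus != 'PROTECTED'
| project DriveLetter, ProtectionStatus, ConversionStatus
```

Read the results in order: if Query 1 shows WinDefend Stopped, the problem is policy or tampering rather than stale intelligence, so an intelligence update or scan is the wrong next step; if Query 4 returns no rows, a "fleet list of unencrypted drives" request for this device is already answered without a remote control session. Because single-device query depends on Windows Push Notification Services, a query that never returns is itself a finding worth recording before falling back to Sync or another remote action.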
A managed Windows device has outdated Microsoft Defender Antivirus definitions, but there is no evidence yet that malware is present. Which Intune remote action directly addresses the outdated definitions?
During a support call, a technician read a BitLocker recovery key to a user. What should the endpoint admin do after the device is recovered?
Which statements about Intune Device query are correct?
Select all that apply