A few months ago I moved from Kolide Launcher to Orbit for my OSQuery deployment. I don't think I realized it, at the time, but I believe I lost the kolide_wmi table in the process. Is there anything comparable in base OSQuery or provided by the Orbit agent?

I'm having trouble finding a description of that table @MarkMurdock. Can you fill us in on what data it gathered?

It was essentially a way to run WMI queries against Windows systems. Here is an example query that we had automated to detect SMART disk failures on Windows devices:

WITH wmi_raw_disk_drives AS (
  SELECT * FROM kolide_wmi 
  WHERE class = 'Win32_DiskDrive' 
  AND properties = 'model,serialnumber,name,systemname,status'),
wmi_disk_drives AS (
SELECT
  MAX(CASE WHEN key = 'model' THEN value END) AS model,
  MAX(CASE WHEN key = 'serialnumber' THEN value END) AS serial_number,
  MAX(CASE WHEN key = 'name' THEN value END) AS name,
  MAX(CASE WHEN key = 'systemname' THEN value END) AS system_name,
  MAX(CASE WHEN key = 'status' THEN value END) AS smart_status
FROM wmi_raw_disk_drives
GROUP BY parent)
SELECT * FROM wmi_disk_drives WHERE smart_status != 'OK';

Thanks! I'm pinging the rest of the team to see if we've found any workarounds for this with plain osquery. We do have a feature request that's related: https://github.com/fleetdm/fleet/issues/17378

Thank you Kathy!