Introduction To The Series
You have enrolled your endpoints into Microsoft Intune, you’ve configured policies, and you are managing your devices. What’s next? How do you validate your endpoints’ management states, and how do you track the health of your endpoints over time?
In previous posts we here at Model Technology Solutions have talked at length about the capabilities Intune provides for managing endpoints & operating system updates, endpoint configuration, application deployment, and more.
This series of posts will focus on another important element of endpoint management – reporting, or, the ability to understand current and historic data about your endpoints’ actual state and the results of your management configuration.
This series will cover:
- Intune’s reporting approach
- Capabilities provided out of the box
- Methods of using Intune’s data to perform advanced reporting
This knowledge will enable you, as an Intune administrator, to better utilize the wealth of data contained within the Intune service for the benefit of your organization.
This series is for Intune administrators who want to better utilize the wealth of data contained within the Intune service to benefit their organization through increased visibility into and understanding of their endpoint devices’ state, as well as aiding with improving configuration and addressing potential security holes.
One important caveat – all information in this post is based on the current state of Intune as of January 2022. While the core Intune reporting structure is likely to persist well into the future, specific details of report names and locations may shift over time.
Intune Reporting Overview
Microsoft Intune – a core component of Microsoft Endpoint Manager – is Microsoft’s modern, cloud-based platform for managing endpoint devices and applications. Intune contains a wealth of data on the endpoints it manages, all of which is available in various ways for administrators to use in managing Intune and the endpoint configuration. Microsoft has established and defined a framework for how that data is exposed within Intune to ensure the data administrators need is close at hand alongside their management activities.
This framework not only defines several types of reports by their intended usage, but allows the reporting data to be made available throughout the Intune environment in places intended to be easily accessible and relevant to the specific report types.
An important takeaway from this is that the “Reports” node in the Intune navigation menu is not a holistic collection of all of Intune’s reporting data.
This is unfortunately a common point of confusion for Intune users, and an understandable one at that. It would make sense that all of the reporting data would be found in a node called “Reports”…but in reality that is only a subset of the available data.
The following sections will discuss the various types of reports that comprise Intune’s reporting framework, the intent for each type, and where that data can be found in addition to the “Reports” module.
Types of Reports
The Intune reporting framework defines four types – or focus areas – of reports:
- Operational
- Provides timely, targeted data that helps you focus and take action.
- Admins, subject matter experts, and help desk technicians will find these reports most helpful.
- Organizational
- Provides a broader summary of an overall view, such as device management state.
- Managers and admins will find these reports most helpful.
- Historical
- Provides patterns and trends over a period of time.
- Managers and admins will find these reports most helpful.
- Advanced / Specialist
- Allows you to use raw data to create your own custom reports.
- Admins will find these reports most helpful.
In part one of this series, we will cover only the Operational Reports category. The remainder of the categories of data will be featured in future posts.
Where to Find Reports
As noted above, reports are found in different places in the Intune portal depending on their type and intended usage.
Operational reports comprise the majority of the reports available in Intune today. These can be found in numerous places throughout the Intune portal and can be grouped into three categories:
- Overview reports
- Monitor reports
- Dashboards
When navigating through the Intune web portal, almost every section initially loads an “Overview” or “Summary” page which displays a set of reports as tabs in the workspace – these are the “Overview” reports.
Furthermore, each section has either a link labeled “Monitor”, which loads a list of reports, or a category of views labeled “Monitor”, under which additional reports are listed. Essentially, everywhere in the Intune portal that lists “Monitor” is a collection of the “Monitor” reports.
Finally, the main Intune node titled “Dashboard” is where Dashboard reports can be found, including the pre-configured Intune overview dashboard and any custom dashboards created by administrators.
Organizational and Historical reports can be found in the “Reports” node in the Intune navigation menu. These reports are grouped into several categories and provide broader views of the organization’s managed endpoints and management state.
“Specialist reports” refer to the abilities exposed by Intune for creating custom reports. This data can be accessed via the “Reports” node in the Intune navigation menu in the categories labeled “Intune Data Warehouse” and “Azure Monitor”.
The following sections will go into further detail on the different types of reports and, most importantly, how to go about configuring custom reports.
Operational Reports
As noted above, Operational reports are located throughout the Intune web portal and are intended to provide timely, targeted data within the context of the administrator’s current actions.
For example, Operational reports about Device state can be found in the Devices node alongside the tools for configuring device policy.
Overview Reports
Overview reports can be found at the top level of the Devices and Apps nodes in the Intune portal. These depict a collection of actionable and summary information about the state of managed devices and apps, providing administrators with immediate access to key information they need. These reports also alert the administrators to specific issues they may want to address.
In the Devices node, the Overview report contains four separate tabs, each displaying one or more reporting tiles with summary information, including:
- The “Enrollment Status” tab displays the counts of Intune enrolled devices by operating system, the enrollment failures by operating system, and the top enrollment failures in the past week.
- The “Enrollment Alerts” tab displays a list of any active alerts generated from enrollment issues.
- The “Compliance Status” tab displays:
- Counts of managed devices by their compliance state.
- Counts of managed devices broken into Compliant and Non-Compliant for each assigned Compliance Policy.
- Number of devices without Compliance Policies assigned to them.
- Compliance settings with the highest number of non-compliant devices.
- The “Configuration Status” tab displays the counts of users and devices by configuration profile application status and the profiles with the highest count of deployment errors.
In the Apps node, the Overview report contains two separate tabs with reporting tiles, including:
- The “Installation Status” tab displays the applications with the highest counts of installation failures by device type and the total count of applications with installation failures.
- The “App Protection Policy Status” tab displays the total count of users who have been assigned application protection policies which are grouped by whether they are licensed or not, along with the count of users that have been flagged from application protection policies.
In both of these Overview reports, clicking on any of the reporting tiles drills down to specific Monitor reports with further information on the topic at hand.
Additional Overview reports can be found in the Endpoint Security node when selecting several of the options in the “Manage” category. These are functionally similar to the Devices and Apps Overview reports in that they may have multiple tabs of data with reporting tiles displaying high-level state information for administrators, though they also share the workspace with the interface for configuring the relevant endpoint security policies.
The specific reports at the time of writing include:
- Under “Antivirus”
- The “Summary” tab displays the counts of unhealthy endpoints by category, along with the count of active malware in the environment.
- The “Unhealthy Endpoints” tab displays a list of all endpoints suffering from malware infection.
- The “Active Malware” tab displays the identities of all active malware detected on managed devices.
- Under “Firewall”
- The “Summary” tab lists the count of devices with the firewall turned off.
- The “MDM Devices Running Windows 10 or Later with Firewall Off” displays the list of specific devices with the firewall turned off.
Monitor Reports
Monitor reports can be found at various locations within the Devices, Apps, and Endpoint Security nodes, providing more detailed information beyond that which is listed in the Overview reports.
Each of these reports provide the ability to search across the displayed columns, modify which columns are displayed, sort by any column displayed*, and export the data to CSV format for further exploration in Excel or other data analysis tools. Furthermore, items in each report can be clicked through to review the specific item’s details, providing access to further information that may be relevant for the report.
*Note: At the time of writing this, most Monitor reports allow sorting by every column available, however some reports do not. Microsoft has stated that their intent is to allow sorting of all columns and they are slowly rolling that out across the range of Monitor reports found in Intune.
In the Devices node, there is a dedicated Monitor link that loads a collection of reports, organized into categories named “Configuration”, “Compliance”, “Enrollment”, “Software Updates”, and “Other”. The following reports can be found there:
- Under “Configuration”
- The “Assignment Status” report lists the counts of devices with errors, conflicts, or pending statuses for each Configuration Profile.
- The “Assignment Failures” report lists the count of devices with errors for each configuration profile with assignment errors. Clicking through a profile provides more information on the specific devices that have failed.
- The “Devices with Restricted Apps” report displays a list of devices upon which applications configured as restricted are currently installed. This report helps administrators quickly identify the users to contact and devices to align with organizational policy on restricted apps.
- The “Encryption Report” lists each managed device along with their readiness for encryption, TPM chip version, and OS version. Individual devices can be clicked through to display the name of the profile applied to the device to enforce encryption and the status of the profile deployment.
- The “Certificates” report lists the status of all certificates that have been deployed to devices from Intune.
- Under “Compliance”
- The “Noncompliant Devices” report lists information for all devices that are in a “Not Compliant” state. Clicking through on a device pulls up the device’s full information in Intune for further analysis.
- The “Devices without Compliance Policy” report lists devices of any operating system for which no compliance policy has been assigned.
- The “Setting Compliance” report lists, for each setting enforced by any compliance policies, the counts of compliant and noncompliant devices. Each setting can be clicked through to list the specific devices that are not compliant for the setting.
- The “Policy Compliance” report lists, for each compliance policy, the counts of devices that are compliant, noncompliant, or have errors with the policy’s contents. Clicking through a policy lists the specific devices that are not compliant or have errors.
- The “Noncompliant Policies” report lists, for each compliance policy that has noncompliant devices, the counts of devices that are noncompliant or have errors with the policy’s contents. Clicking through a policy lists the specific devices that are not compliant or have errors.
- The “Windows Health Attestation Report” report provides a collection of key Windows health metrics for each managed device.
- Under “Enrollment”
- The “Autopilot Deployments” report lists all Windows Autopilot-driven device enrollments within the past 30 days.
- The “Enrollment Failures” report prompts for the selection of one or more users, then lists enrollment failures logged for the selected users.
- The “Incomplete User Enrollments” report provides further details for enrollments that were initiated but failed to be completed, listing at which phase of the enrollment process the enrollment was ceased, among other related data.
- Under “Software Updates”
- The “Per-Update Ring Deployment State” displays, for each configured update deployment ring, the count of devices with errors, which devices failed to be updated, and which were updated successfully. Clicking through an update ring loads the relevant configuration page for the update ring along with an Overview report listing further status information for the update deployment.
- The “Installation Failures for iOS Devices” report lists iOS devices for which update installation failed and provides additional details on the failures.
- The “Feature Update Failures” report lists, for each configured Windows feature update deployment, the devices with errors from the update process. Clicking through a feature update deployment provides a list of the specific devices which generated errors.
- The “Windows Expedited Update Failures” report lists, for each configured expedited Windows update deployment, the count of devices which failed to install the update. Clicking through an update displays a list of the specific devices which failed.
- Under “Other”
- The “Device Actions” report lists a log of the device actions triggered within Intune for managed devices, along with the user initiating the action and the action’s result.
In the Apps node, there is a dedicated Monitor link that loads a collection of reports, described as follows:
- The “App Licenses” report is used to track consumed and available licenses for applications for which license tracking is managed in Intune.
- The “Discovered Apps” report provides a holistic list of all applications discovered on all managed devices. Clicking through an application lists the specific devices upon which that application has been found to be installed.
- The “App Install Status” report lists, for each application, the install failure percentage, along with the counts of install failures for deployments targeting devices and users.
- The “App Protection Status” report lists the count of all users that have been assigned application protection policies, broken down by whether they are licensed or not. Additionally, it lists the counts of flagged users and users with potentially harmful apps. Furthermore, it provides links to download more detailed app protection reports for iOS & Android, for Windows Information Protection without Enrollment, for Windows Information Protection via MDM, and for Application Configuration.
In the Endpoint Security node, a single Monitor report can be found at this time:
- The “Assignment Failures” report lists the count of devices with errors for each configuration profile with assignment errors. Clicking through a profile lists more information on the specific devices that have failed. This is the same report that is listed in the Devices -> Monitor section and described above.
Many of the reports listed are currently in “Preview” mode and may see changes and expansions of capability before they are fully released.
Dashboards
Intune’s Dashboard reports are accessed via the Dashboard node in the navigation menu. This view is a pre-configured version of the standard Azure Dashboard functionality with a number of tiles listing key information about the Intune environment.
This dashboard can be rearranged and can have tiles removed, though very few tiles exist to be added which aren’t already present on the pre-configured dashboard.
Custom dashboards can also be created, though they are limited to the existing tiles, again, most of which are already present on the pre-configured dashboard. Still, this can be used to create more targeted views for specific subsets of Intune administrators.
Additionally, the reporting tiles link to relevant Monitor and Overview reports throughout the Intune interface, providing easy access to configuration options.
The data listed by default on the pre-configured dashboard includes:
- Device enrollment status and count of enrollment failures in the past 7 days
- Device compliance status and count of noncompliant devices
- Device configuration status and count of policies with errors or conflicts
- Client apps status and count of apps with installation failures
- App protection policy user status per operating system
- Count of Intune-enrolled devices per operating system
- Count of devices per device compliance status
- Device configuration profile status and count of users and devices by status, along with a weekly trend
More Coming Soon!
This is just the first of multiple posts in our Intune reporting series that are going to be coming out in the next month or so. These posts are going to continue to explore the different places that data can be retrieved from Intune and how to utilize it to gain valuable insights into the state of your endpoints and improve security.
The level of granular data that Intune provides with which to make improvements, decisions, and policies is by-far some of the best in the industry. Gartner agrees. We’re committed to supporting IT pros to fully utilize these tools for which they’ve already paid and gained access. We write posts like this as part of that support, to enable administrators like you with the knowledge and power you need to ensure your infrastructure is as secure and efficient as possible.
If you haven’t already done so, sign up for our email list to get the other posts in this series in the next month. If you’re already on it, just stick around. We’re committed to taking you as deep as possible into this software so that you know exactly what’s possible and how you can use Intune’s data for the betterment of your company and the improvement of your endpoint management.
More soon!