Welcome to the second post in our Intune Reporting series!
Part one of this series introduced Intune’s reporting framework and core concepts, then dove in to identify and discuss the various Operational reports strewn throughout the system.
This post will discuss Intune’s Organizational and Historical reports. These reports are primarily targeted at managers and IT admins and are intended to provide a broader summary of a subject, such as device management state, along with identifying patterns and trends over a period of time. This post will define each of these reports present in Intune at the time of this post’s creation, along with info on what data the reports provide.
The goal is to empower you to better leverage Intune’s data to understand your endpoint fleet and help improve security and management of your company’s endpoints.
Read on for more information!
Organizational & Historical Reports
Intune’s Organizational and Historical reports are found in Intune’s Reports node and are intended to provide broader summaries of overall views along with displaying patterns and trends over time.
Inside the Reports node, the available reports are organized by category and subcategory. Within each subcategory, a Summary view is displayed with high-level information about the relevant subcategory, similar to the Overview Operational reports. A second tab, titled Reports, is used to access each of the specific reports contained in the subcategory. Unlike the Operational reports, these reports do not immediately display information when loaded; rather, they prompt for report parameters to be defined. Upon entering or selecting the desired parameters and clicking the “Run Report” button, the report will be generated and will display information.
The three main categories that reports fall into are:
- Device Management
- Endpoint Security
- Analytics
Each category and the reports contained within will be discussed in the following sections.
Device Management
The Device Management category contains reports focused on the management and configuration of endpoint devices. It contains five separate subcategories for reports:
- Device Compliance
- Device Configuration
- Group Policy Analytics
- Windows Updates
- Cloud Attached Devices
Each contains a summary report along with one or more specific reports, as described in the following sections.
Device Compliance
The Device Compliance subcategory’s Summary report provides a high-level summary of the compliance state of managed devices, listing the count of devices by each possible compliance state. As a high-level summary, this is useful but doesn’t provide any new information not listed in the Operational reports. Additionally, this report must be refreshed manually with a “Refresh” button displayed at the top of the report.
Under the Reports tab, two reports can be found:
- Device Compliance
- Device Compliance Trends
The Device Compliance report shows the counts of devices that are compliant and noncompliant for the selected parameters. When configuring the report, you have the option of selecting specific compliance states, operating systems, and device ownership states to filter the results. Once the desired parameters are selected and the “Generate” button is pressed, Intune will generate the report, which may take some time depending upon the quantity of data in the Intune environment.
Once the report generation is complete, the report will show a graphical breakdown of the in-scope devices’ compliance states along with a list of the devices. Numerous columns are available to be selected and displayed in the report, plus each column can be used to sort the data, and the report’s contents can be filtered via text to display a subset of the data. The filtered and sorted data can be exported to CSV format for further data analysis or other usage.
The Device Compliance Trends report shows a graphical trend report of device compliance states over the last 60 days. This report will automatically display the last 60 days of data for all compliance states and operating systems, but you can select your desired compliance states and operating systems to filter the report down to a targeted subset of the data. You can run your mouse over the report to view the specific values for each listed compliance state per date in the report’s range.
Device Configuration
The Device Configuration subcategory’s Summary report lists the status of the five device configuration profiles with the largest number of assignment targets. For each listed profile, it lists the profile’s type, then the count of devices by deployment status, organized by success, error, and conflicts. Additionally, this report must be refreshed manually with a “Refresh” button displayed at the top of the report. This provides a quick look at the status of your most important (by breadth) device configuration profiles, but does not provide the capability to click into the report and drill down to further details.
Under the Reports tab, a single report can be found: Profile Configuration Status.
The Profile Configuration Status report allows you to filter through all device configuration profiles to see their current status on assigned devices matching the selected parameters. When configuring the report, you have the option of selecting specific device operating systems and specific device configuration profile types.
Once the desired parameters are selected and the “Generate” button is pressed, Intune will generate the report, which may take some time depending upon the quantity of data in the Intune environment.
When the report generation is complete, the report will list:
- Each profile by name and its type
- The target operating system
- A count of devices in each profile deployment state (success, error, and conflicts)
The list of profiles can be filtered by name to find specific profiles based on matching text.
Unfortunately, this report also does not enable you to drill down into further details about which devices are in an erroneous state, nor does it link back to the referenced profile. While this is useful for getting a high-level view of which profiles are most and least successful, it is of no use for identifying the causes of issues or troubleshooting them.
At time of writing, this report is still in a Preview state, so with luck this report will gain more useful functionality before it is released into general availability.
Group Policy Analytics
The Group Policy Analytics subcategory provides summary reporting data for the Group Policy Analytics operational feature in Intune and is useful for planning a migration from Group Policy to Intune Policy for device management. If the Group Policy Analytics operational feature has not been used, then the Group Policy Analytics reporting will contain no data.
In order to use these reports, you must first export group policy objects from an Active Directory environment and import them into Intune for analysis. Policy objects can be imported in the Devices node under Devices -> Group Policy Analytics. Intune will analyze imported policy objects and provide information on mapping the legacy group policy objects to Intune device configuration profiles and other Intune policies. For more details on importing data, refer to the Microsoft documentation.
Once group policy objects have been imported and analyzed, the Group Policy Analytics subcategory comes alive. Its Summary report provides an overview of group policy migration readiness, taking into account data from all imported policy objects and displaying how many configured policy settings are ready for migration, not supported in Intune, or deprecated. As with the other subcategories, this Summary report does need to be refreshed manually to take into account any policy objects that were imported since the last refresh.
Under the Reports tab, a single report can be found: Group Policy Migration Readiness.
The Group Policy Migration Readiness report displays further details about the readiness of your Group Policy implementation for migration to modern management with Intune and Intune policy, again assuming that you have imported all of your group policy objects into Intune.
When configuring the report, you can select specific migration readiness states, profile types, and Windows CSP names to filter the report results. Once the desired parameters are selected and the “Generate” button is pressed, Intune will generate the report, which, as with the others, may take some time depending upon the quantity of data being processed.
When the report generation is complete, the report will identify:
- Each setting defined in the imported group policy objects
- Each setting’s group policy category
- Each setting’s migration readiness
- The minimum Windows OS version required to support the setting via modern management
- The necessary setting scope (user or device)
- The type of profile to be used to configure the setting
The results can be filtered via a text field and can be exported for usage in other systems or analysis. This can help dramatically accelerate a migration from legacy Group Policy to modern management with Intune Policy, as well as identify other necessary steps to take with your endpoints to prepare for the migration.
The minimum Windows OS version required to support the setting is based on when the relevant CSP (configuration service provider) was added to Windows or became able to manage the setting in question. If Intune policies are configured to manage a setting but the target device’s Windows operating system is older than the minimum supported version, then the policy will not work, because the operating system lacks the capability to apply it. This is an important consideration when migrating from Group Policy to modern management and another important reason to keep your Windows client devices updated and using a supported version of Windows!
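One way to turn that consideration into a check before migrating, shown as an added example that is not part of the original post: cross-reference an exported readiness report with a device list and flag every device that is too old to apply a migration-ready setting. The column names, the 'Ready' state value, the version string format, and the sample rows are all assumptions constructed for illustration; map them to the headers and values in your own exports.

```powershell
# Constructed sample data, embedded so the script runs offline.
# Column names and the 'Ready' value are assumptions, not Intune's export schema.
$readinessCsv = @'
SettingName,MigrationReadiness,MinOSVersion
Example setting A,Ready,10.0.16299
Example setting B,Ready,10.0.18362
Example setting C,Not supported,
'@

$devicesCsv = @'
DeviceName,OSVersion
PC-001,10.0.19045.3803
PC-002,10.0.17763.5206
PC-003,10.0.15063.2679
PC-004,unknown
'@

function Get-PolicyVersionGap {
    # Hypothetical helper: emits one row per (device, setting) pair where the
    # device cannot be confirmed to meet the setting's minimum OS version.
    param(
        [Parameter(Mandatory)] [object[]] $Settings,
        [Parameter(Mandatory)] [object[]] $Devices
    )
    foreach ($setting in $Settings) {
        # Only settings that would actually be migrated are worth checking.
        if ($setting.MigrationReadiness -ne 'Ready') { continue }

        # -as returns $null instead of throwing on empty or malformed values.
        $min = $setting.MinOSVersion -as [version]
        if ($null -eq $min) { continue }

        foreach ($device in $Devices) {
            $os = $device.OSVersion -as [version]
            if ($null -eq $os) {
                # An unreadable version is reported, not silently treated as fine.
                $reason = 'OS version unreadable'
            }
            elseif ($os -lt $min) {
                $reason = 'OS older than minimum'
            }
            else { continue }

            [pscustomobject]@{
                DeviceName   = $device.DeviceName
                OSVersion    = $device.OSVersion
                SettingName  = $setting.SettingName
                MinOSVersion = $setting.MinOSVersion
                Reason       = $reason
            }
        }
    }
}

$settings = $readinessCsv | ConvertFrom-Csv
$devices  = $devicesCsv   | ConvertFrom-Csv

Get-PolicyVersionGap -Settings $settings -Devices $devices |
    Sort-Object DeviceName, SettingName |
    Format-Table -AutoSize
```

Each row in the output is a device where a migrated setting would not take effect, which makes it a candidate for an OS update before the corresponding Group Policy is retired.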
Windows Updates
Speaking of keeping Windows up to date, let’s next look at the Windows Updates subcategory of organizational and historical reports. The Windows Updates subcategory’s Summary report has two separate quick reports, each of which must be refreshed separately, one for Windows Feature updates and one for Windows Expedited Quality updates.
The Windows Feature summary report lists each Windows feature update profile configured in Intune, along with the target Windows version for the profile and the count of devices within the assignment scope and their deployment state (success, error, in progress, rollback initiated, or cancelled).
The Windows Expedited Quality Updates Summary report lists the same thing, except for Windows Quality Update profiles, which enable deployment of specific updates outside of the Update Ring settings.
Under the Reports tab, two reports can be found:
- Windows Feature Update Report
- Windows Expedited Update Report
The Windows Feature Update Report is used to view more specific details of the deployment state for a given feature upgrade. Upon selecting a feature update profile and specifying values for the update aggregation status and device ownership state, then generating the report, a list of devices will be displayed along with numerous columns of information with device information and update state. A graphical summary of the devices’ update state will also be listed. This provides the ability to quickly understand the deployment status for a given feature upgrade among managed devices.
The biggest limitation of this report is that it only displays devices targeted by the selected feature update profile, and only one feature update profile can be displayed at a time. If you are deploying feature updates purely via Update Rings and not leveraging feature update profiles, then the data will not be representative of your full environment.
The Windows Expedited Update Report is a near match to the Windows Feature Update Report but, again, is based on Windows Quality Update Profiles rather than feature update profiles. If quality update profiles have been used to deploy out-of-band updates in your environment, this report can be used to understand the success of those deployments across the Windows endpoint fleet. Otherwise, this report will provide limited, if any, value.
At the time of writing, both of these reports are in a Preview state, so we can look forward to functionality improvements prior to a general availability release in the future.
Cloud Attached Devices
The Cloud Attached Devices subcategory contains reports useful for understanding the relationship between Configuration Manager- and Intune-based endpoint management in your full Microsoft Endpoint Manager implementation.
The subcategory’s Summary report provides a breakdown of co-management eligibility for devices that are cloud attached / tenant attached, listing the counts of devices that are already co-managed, versus eligible for co-management, awaiting Azure AD join, needing an OS update, or are ineligible for co-management. Furthermore, it lists a breakdown of the various co-management workloads and lists the count of devices for which the workload is managed by Intune versus managed by Configuration Manager.
Under the Reports tab, two reports can be found:
- Co-Management Eligibility
- Co-Managed Workloads
The Co-Management Eligibility report provides further details on cloud attached devices and their ability to be, or status as being, co-managed between Intune and Configuration Manager. When configuring the report, you have the option of selecting specific eligibility states to filter the results. Once the desired parameters are selected and the “Generate” button is pressed, Intune will generate the report, which may take some time depending upon the quantity of data in the Intune environment.
When the report generation is complete, a list of cloud attached devices matching the specified parameters will be displayed, along with information on their eligibility status and operating system information. This data can be exported to CSV format for further data analysis or other usage. This can be useful to identify specific devices to target for modifications to bring them into a co-managed state. In a fully-cloud environment, where there are no devices that are Hybrid Joined, this report will not display any information.
The Co-Managed Workloads report is used to display the specific devices for which a given workload is managed by Intune or Configuration Manager. Each workload is listed and can be configured to filter the report results down to the devices for which the workload is managed by Intune, Configuration Manager, or Both. Based on the selected parameters for each workload, once the “Generate” button is pressed, Intune will prepare the result and display a list of devices, along with which management tool owns which workload for the device.
This report is primarily used to understand which tool owns which workload for a given device, which can be useful in troubleshooting the co-management configuration in Configuration Manager. Beyond that, and if your environment is cloud-only and does not have Configuration Manager in use, then this report will be of little value.
Endpoint Security
The Endpoint Security category contains reports focused on the security posture of your endpoint devices. There are two separate subcategories for reports:
- Microsoft Defender Antivirus
- Firewall
Each contains a summary report along with one or more specific reports, as described in the following sections.
Microsoft Defender Antivirus
The Microsoft Defender Antivirus subcategory contains reports for quickly assessing and investigating further details of your endpoints’ protection state against malicious software. Its Summary report, once refreshed, shows the counts of endpoint devices based on their antivirus state – clean, pending scan, and critical condition (malware detected) – giving you rapid awareness of your endpoint fleet’s health state.
Under the Reports tab, two reports can be found:
- Antivirus Agent Status
- Detected Malware
The Antivirus Agent Status report provides a list of devices matching the selected report parameters, along with specific and relevant details about those devices, including the anti-malware version, antivirus engine version, device primary user, and more. This provides a single interface to give you the information you need to start remediating infections and identifying systemic issues with endpoints that may lead to infections. For report parameters, specific device antivirus states can be selected, enabling you to filter the report down to just those devices that need remediation. As with the other reports, the report data can be exported to CSV for use in further data analysis or other processes as needed.
The important thing to note is that this report is focused on the device state and configuration, listing all the configuration relevant to antimalware exposure. For details about specific malware detected in the environment, you’ll want to turn to the Detected Malware report.
The Detected Malware report generates a list of devices with malware detected upon them, listing details about the detected malware itself, such as its name, severity, category, frequency of detection, and more. The report parameters enable the report contents to be filtered by malware severity and execution state – whether it is active, blocked, etc. The information in this report empowers you to further understand your current protection state and what threats have been detected, beginning your journey towards remediation and hardening of security posture.
Firewall
The Firewall subcategory is unique in that there is no Summary report, only a single report instead, titled MDM Firewall Status for Windows 10 and Later. This report is intended to display the firewall status for all managed Windows devices. Like the other reports, it must be generated after selecting parameters before it displays any data, but the resulting data can be exported to CSV for further data analysis or usage. The only parameter available allows filtering of the firewall status values to get a subset of devices with a firewall state that interests you.
Once generated, the report lists each device that matches the specified firewall states, along with the devices’ firewall status, the management tool, and the device’s primary user. A small number of additional columns are also available. At the top of the report, it displays the counts of devices with each firewall state, giving you quick validation that all devices have their firewalls enabled or insight into the number of potentially exposed devices. This report’s job is to list the firewall status for each device, and it does that, but it does not provide any drill-thru capabilities for further information.
Analytics
The Analytics category contains a single subcategory, Endpoint Analytics.
Unlike the other categories’ subcategories, Endpoint Analytics is not an interface to a set of discrete Intune-specific reports but rather a front end exposing information from the larger Endpoint Analytics tool.
As defined by Microsoft, Endpoint Analytics is part of the Microsoft Productivity Score and it provides a collection of analytics intended to give you insights for measuring how your organization is working and the quality of your users’ experience on their devices. The goal for Endpoint Analytics is to help identify problematic policies or configuration combinations that could be detrimentally impacting your users, so that you can address the problems proactively without being buried in tickets.
A full exploration of Endpoint Analytics is outside the scope of this blog post, but the important takeaway for this post is that Endpoint Analytics leverages data collected from your endpoints to monitor things like system startup performance, application reliability, and the ability for your users to work from anywhere securely by using the capabilities provided by Intune and Microsoft 365. It uses this data to not only provide a metric for user experience but also to provide environment-specific insights and recommendations to further improve your end users’ experience and optimize your endpoint management state.
Endpoint Analytics also provides the ability to create PowerShell script-based proactive remediation which Intune will deploy and run automatically on your endpoints when known issues are encountered, helping you leverage your knowledge of your infrastructure to automate issue resolution and free up your time for tasks that push your business forward rather than your valuable time being spent putting out fires all day long.
For Endpoint Analytics to function, a data collection policy does need to be configured and deployed from Intune to your endpoints. An interface on Endpoint Analytics’ Settings menu helps walk you through this. After the policy is deployed, data will start to flow into Endpoint Analytics and data will become available. This is a very useful tool for addressing common, and frequently “invisible”, issues with your endpoints and should be enabled in every Intune deployment.
Conclusion
As you can tell from the previous sections, Intune has quite a few Organizational and Historical reports, each designed with very specific-but-narrow use cases. For their use cases, they provide the necessary information in an efficient and clear manner. If additional information is needed, however, they don’t really provide any means of getting it. For that, we need to dive into Advanced Intune Reporting techniques, which will be the topic of the next post in this series.
In the meantime, hopefully this post was useful to help explain the native reports available within Intune and how they can be used to help with your endpoint management processes.
More soon!