
Intune health

Overview

Summary

Monitor Intune adoption, compliance, and stability across your entire device landscape to quickly diagnose and remediate Intune client issues.

Problem

Devices on which Intune is not working as intended represent significant compliance issues and complicate overall endpoint management. However, IT teams rarely have the visibility to identify compliance or performance issues live in their environment. When problems do arise and tickets are raised, detecting, troubleshooting, and remediating the root cause of client issues can be lengthy for support agents.

Although it is possible to monitor compliance and health using different tools from Microsoft or other external systems, IT teams do not have a single place to do so, making Intune health management a complicated process.

Solution

Access a single source of truth to monitor and remediate, in real time, Intune client adoption, health, performance, and compliance across your entire device landscape. By leveraging this landscape-wide visibility, you can easily and quickly detect the source of client issues and trigger the appropriate remediation.

Key features

  • Real-time monitoring of Intune client presence and health across all endpoints.

  • Instant detection of adoption, performance, and health-related issues.

  • Quick targeting of problematic devices for further investigation.

  • Monitoring of policy, enrollment, and synchronization compliance.

  • Monitoring of abnormal client health behavior that might indicate more persistent issues.

  • Data gathering and remediation remote actions to retrieve key troubleshooting insight and enforce policy synchronization compliance.

Changelog

V1.0.0.0 - Initial Release

V1.0.0.1 - The Intune agent discovery method has been changed to include the intunewindowsagent.exe binary.

V1.0.0.2 - Multiple widgets that query the events table have been redesigned to improve their performance by using context-based filters that represent the exact state at the time of the event.

Dependencies

This pack uses four remote actions:

  • Get Intune device status: collects Intune client component health information and enrollment diagnostic data;

  • Get Intune synchronization status: collects sync diagnostics and enforcement data for Intune client policies;

  • Get Intune client diagnostics: collects Intune client diagnostic logs, creates a single archive of those logs, and stores it in the following folder on the device: "C:\Users\Public\Documents";

  • Invoke Intune policy synchronization: forces the Intune client policy to sync on the device.

Pack Structure

The package includes a single dashboard with seven tabs and four remote actions.
This dashboard is described below.

Remote Actions

Get Intune device status (Windows only)

This remote action collects Intune client component health information and enrollment diagnostic data. This dashboard uses the following outputs of this remote action:

  • mdm_service_installed: indicates if the "Intune Management Extension" service is installed on the device;

  • mdm_service_running: indicates if the "Intune Management Extension" service is running on the device;

  • onboarding_certificate_installed: indicates if the Intune MDM onboarding certificate is installed on the device;

  • onboarding_certificate_is_valid: indicates if the Intune MDM onboarding certificate is valid on the device;

  • enrollment_error_detected: indicates whether device enrollment errors are present in the Intune log on the device;

  • auto_enrollment_error_detected: indicates whether device auto-enrollment errors are present in the Intune log on the device.

We recommend configuring this remote action to run daily on all active Windows client devices.
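
To spot-check on a single device the four component-health values listed above, the following added PowerShell example (not the pack's own remote action script) reads the same facts locally. The service name `IntuneManagementExtension`, the certificate store, the issuer string, and the definition of "valid" used here are assumptions that the page does not state.

```powershell
# Added example: local spot-check of the component-health outputs listed above.
# Assumptions (not taken from the pack): service name, certificate store, issuer string.
$ServiceName = 'IntuneManagementExtension'        # assumed Windows service name
$IssuerMatch = 'Microsoft Intune MDM Device CA'   # assumed issuer of the MDM device certificate

function Get-IntuneLocalStatus {
    # $null when the service is not installed
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

    # MDM device certificates in the machine's Personal store
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*$IssuerMatch*" })

    # "Valid" here means inside the validity window with a private key present.
    # The pack's own definition of validity is not documented on this page.
    $now   = Get-Date
    $valid = @($certs | Where-Object {
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and $_.HasPrivateKey
    })

    [pscustomobject]@{
        mdm_service_installed            = ($null -ne $svc)
        mdm_service_running              = ($null -ne $svc -and $svc.Status -eq 'Running')
        onboarding_certificate_installed = ($certs.Count -gt 0)
        onboarding_certificate_is_valid  = ($valid.Count -gt 0)
        # Extra field for the operator, not one of the pack's outputs
        certificate_not_after            = ($valid | Sort-Object NotAfter |
                                            Select-Object -Last 1).NotAfter
    }
}

$status = Get-IntuneLocalStatus
$status | Format-List

# Name every boolean check that came back false
$failed = $status.PSObject.Properties |
    Where-Object { $_.Value -is [bool] -and -not $_.Value } |
    ForEach-Object { $_.Name }

if ($failed) {
    Write-Warning ("Failing checks: " + ($failed -join ', '))
}
```

Run it from an elevated session on the device under investigation and compare the result with the values shown on the Stability and compliance tab.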

Get Intune synchronization status (Windows only)

This remote action collects sync diagnostics and enforcement data for Intune client policies. This dashboard uses the following outputs of this remote action:

  • last_policy_apply_error: indicates whether recent policy enforcement errors are present in the Intune log on the device;

  • last_synchronization_failed: indicates whether recent policy sync errors are present in the Intune log on the device.

We recommend configuring this remote action to run daily on all active Windows client devices.

Get Intune client diagnostics (Windows only)

This remote action collects the Intune client diagnostic logs, creates a single archive of those logs, and stores it in the following folder on the device: "C:\Users\Public\Documents".
This is a type of remediation remote action. We recommend performing it on demand as part of the troubleshooting procedure.

Invoke Intune policy synchronization (Windows only)

This remote action forces the Intune client policy to sync on the device.

This is a type of remediation remote action. We recommend performing it on demand as part of the troubleshooting procedure.

For more information on remote actions and how to schedule them, please refer to the documentation.

Intune health dashboard

This dashboard utilizes tabs to separate content.

Dashboard filters common to each tab allow you to select a specific location, device name, device platform, or device type. There are three levels of localization: Country, State, and City. These are based on and are limited to the configured Geo-IP localization level. An additional filter by device entity is also included.

Please note: Visit the Learn platform to learn about NQL's method for filtering devices by specific properties, such as operating system platform and name, at the time of the event.

Summary

For the Intune service owner, support teams, or any other stakeholders, the dashboard section is a place to get a quick overview of the health of Intune clients in your organization.

The following data is shown on this tab:

  • A gauge and set of KPIs that indicate the presence of Intune clients and devices without an Intune client or Configuration Manager;

  • A set of KPIs that indicate various aspects of the stability and compliance of Intune clients on devices, including the health of Intune client components, issues with enrollment and policies, and the stability of Intune client binaries;

  • A set of KPIs that indicate Intune client memory and CPU usage on devices;

  • A set of KPIs that show a summary of network connections for the Intune client on devices, including the ratio and number of devices with failed network connections, and the average connection time across all devices.

Adoption

This tab allows the operator to view key information about the presence of the Intune client on devices, as well as break down devices running the Intune client by entity, by operating system, and by version.

Stability and compliance

This tab provides diagnostic information about the stability and compliance of Intune client components (status of the Intune service on Windows devices, presence and validity of the Intune MDM connection certificate), crashes, and hangs of the Intune client on devices.

Enrollment

This tab provides diagnostic information about Intune device enrollment issues: Automatic enrollment (AutoPilot) and Standard enrollment, as well as trending data for these issues.

Please note: we recommend the following steps for troubleshooting these issues:

  1. Click 'Investigate' on the KPI with the number of affected devices to get a list of devices;

  2. Check the Network Connectivity tab to determine if these devices can communicate with Intune resources;

  3. If this does not resolve the issue, deploy the "Get Intune Client Diagnostics" remote action to create an archive of Intune diagnostic logs, which will be saved in the following folder on the device: "c:\users\public\documents".

Policies and sync

This tab contains diagnostic data related to Intune sync and policy enforcement issues, as well as trending data for these issues.

Please note: we recommend the following steps for troubleshooting these issues:

  1. Click 'Investigate' on the KPI with the number of affected devices to get a list of devices;

  2. Deploy the "Invoke Intune policy synchronization" remote action to initiate the Intune client sync;

  3. If the issue persists, check the Network Connectivity tab to determine if these devices can communicate with Intune resources;

  4. If this does not resolve the issue, deploy the "Get Intune Client Diagnostics" remote action to create an archive of Intune diagnostic logs, which will be saved in the following folder on the device: "c:\users\public\documents". These logs can then be copied remotely from the device and analyzed for any client-side or configuration issues that are preventing clients from successfully synchronizing and enforcing policies.

Performance

This tab provides Intune client memory and CPU usage data, as well as a breakdown by Intune client binaries and versions.

Network connectivity

This tab provides detailed information about Intune client traffic usage, failed network connections, and average connection time across all devices, as well as a breakdown of inbound/outbound connections for each domain and a breakdown of Intune client traffic by destination type.
