The introduction of enhanced Device Inventory in Intune has been eagerly awaited by several teams within our organization. The inventory data, along with CMPivot-like real-time and cached query functionality provided by the Intune data platform, represent significant advancements. These improvements fulfill the promises of cloud-native management and establish a foundation for future developments, such as Copilot integration, cross-platform support, and integrated device actions.
Device Inventory
The initial capabilities in this area emerged in early 2024 with Single Device Query, introducing the ability to perform real-time queries on a Windows device. This was further developed with Device Inventory, which implemented inventory collection through a Properties Catalog policy applicable to multiple devices. The data collected by an agent on managed devices is made available in the Resource Explorer blade for individual devices. The Data platform schema specifies each supported Entity and its applicability to Inventory and Device Query scenarios.
The processing of the Properties Catalog policy on a device eventually results in a CSP firing off to install the “Microsoft Device Inventory Agent”, which appears in Add/Remove Programs and is registered as a Windows Service (InventoryService). The main install directory is %ProgramFiles\Microsoft Device Inventory Agent, which also contains a Logs folder useful for troubleshooting. The Intune Diagnostics data collection also has been updated to pick up Inventory logs. The agent leverages a SQLite DB for its operations, tracking periodic local changes and then performing a daily upload. This is independent of any device sync activity. Intune Admins can rely on the Discovered Apps report to keep track of Agent install counts. Like the Intune Management Extension and EPM agents, agent upgrades occur without any explicit Admin/end-user involvement. The Properties Catalog policy report also has per-property inventory state for each device.
The internal Intune environment at Microsoft is typically the first at-scale tenant where major features like Device Inventory are validated. Engineering teams frequently rely on the environment for validation across individual features, scale/perf and end-user experience (hence “Customer Zero”). The initial waves of rollout in our environment for pre-release versions of the agent were gated to devices in the tens of thousands. The targeting was then switched over to “All Devices” to simulate the at-scale rollout that would be expected in most customer environments. Randomization is factored into the initial Inventory upload, so across our major expansion we did not see issues reported from end users relating to local/network perf. Oddly, we encountered a somewhat painful bug relating to a high CPU condition on agent upgrade, which was addressed quickly. Our team still sees this as a win as internal validation prevented this issue from hitting customer tenants.
Multi Device Query
Device Query for Multiple Devices relies on the inventory data uploaded by devices and introduces the capability to write custom queries to gather insights on device configuration. The Kusto Query Language (KQL) query editor supports IntelliSense and has a parser tuned for this scenario. Docs call out the set of operators currently supported.
Joins between entities follow a natural/implicit style where the join field is automatically configured to be the DeviceId with join type of innerunique. The Device entity is also linked to by default, which allows for core Device attributes to be used (example below). Please see additional info on current query and join limits here.
The returned result set supports dynamic paging to automatically refresh the UI for any large outputs. There is a ~40 min cache retention where the same query re-run within a session is expected to pull data directly from a cache. In our environment, we treat the Managed Devices -> Query permission as an elevated permission, so standing access is not allowed and a separate Group based PIM needs to be activated for access.
Copilot Integration (in development)
Copilot in Intune integration for Multiple Devices builds on the previously released capability for Single Device queries. Copilot simplifies query authoring via the Natural Language to KQL skill. This is an absolute timesaver for those new to KQL or the Device Query schema or those that prefer Copilot build an initial query that can be further refined. Recently, we had an issue that caused some duplicate device records to appear in Device Query. As seen with the prompt below, Copilot not only understands the exact entity properties to leverage but also creates the KQL compliant query.
Query Output
Conclusion
We hope this post helps with your own implementations of Device Inventory, Device Query and Copilot in Intune. We look forward to sharing more on our implementation as new capabilities emerge.
Microsoft