By: Laura Arrizza - Program Manager and Spencer Shumway – Program Manager | Microsoft Endpoint Manager - Intune
We are introducing two new reports in the policy configuration space within Microsoft Endpoint Manager to help IT admins troubleshoot where failures may occur across their device configuration profiles and compliance policies. You will be able to use the two reports to see where conflicts and errors are occurring, with the ability to narrow it down to the device and setting level to identify where the issues lie.
In addition, there are a few general reporting infrastructure announcements that customers should be aware of when using all new reports. We’ve called these out at the end of this blog post.
Contents:
- New policy operational reports
- Assignment Failures operational report for configuration profiles
- Non-compliant policies operational report for compliance policy
- Reporting Announcements for upcoming changes
New Policy Operational Reports
Customers can navigate to the “Monitor” section under the “Devices” node to see two new operational reports under the Configuration and Compliance headers. The “Assignment failures (preview)” report shows device configuration data, and the “Noncompliant policies (preview)” report shows compliance policy data.
Figure 1. Monitor | Assignments failures (preview)
Both reports follow a similar structure where the first view of the report shows the list of policies in your environment and the count of devices in a state of failure. The “Assignment failures” report shows the aggregate number of devices in a state of error or conflict, with the ability to filter by profile type and platform. The “Noncompliant policies” report shows the aggregate number of devices in a state of noncompliant or error, with the ability to filter by platform.
Figure 2. Monitor | Noncompliant policies (preview)
Throughout both reports, you can use the upgraded grid controls to search, sort, and filter across all the records. We have included easier page controls and faster export to a zip file containing the csv records of the report view. In addition, the records will be updated automatically to refresh the data within approximately 20 minutes.
Figure 3. Monitor | Assignment failures (preview) overview
From the first view of the report, you can select the policy or profile that has devices in a failure state. This will navigate to the second level of the report showing the list of device/user combinations that are in the failure state with its status. The number of records in view may be higher than the first aggregate since the records are based on a per device per user basis.
Admins have the same capabilities for the upgraded grid controls on this view and the ability to export the information locally. The report can also add extra columns to see extended Azure AD user information or device ID information.
Figure 4. Assignment failures - Android Enterprise
After viewing the devices and users in failure, you can select the device/user record to view all the settings applied on the device from the selected policy. Here, admins can easily see which settings are in an error or conflict state which is causing failure in the first place. Selecting the setting record will open the setting details context pane which provides more insight into troubleshooting. If the setting is in a state of error, the error code can help identify what the error is. If the setting is in a state of conflict, the “source profiles” table can help identify which other profiles are causing the conflict.
Figure 5. Profile Setting Error
Overall, the new reports aim to help streamline the troubleshooting process for admins to identify where failures are occurring across their policies and drill down to the setting level to understand how to mitigate.
Known Issues in Public Preview
The new reports are available in public preview with some known issues that the team will work out before removing the preview tags. See below:
- Administrative template profiles are not supported in the Assignment Failures report.
- The setting details pane on the third level of the reports currently only show the error code information if the setting is in error. The string version for the “Error details” is not yet available.
Existing Policy Reports and Roadmap
These two new reports are part of the effort to improve the policy reports across the console. As these are additive reports with fresher data, the records and numbers shown across the console in existing reports may be slightly different (i.e., “Assignment Status” and “Policy Compliance” reports). We encourage you to try out the new reports and use the existing ones for additional information.
You will continue to see improvements to the policy reporting space over the next few months. This includes adding security baseline and endpoint security records to the new “Assignment Failures” report, replacing older reports with new organizational ones, and ensuring consistency across the console.
Stay tuned for more updates on the What’s New and through this TechCommunity blog!
Reporting Announcements for Upcoming Changes:
- Change to the default columns in Devices Export API call
- Localization changes for data export
- New Azure Monitor diagnostic setting that maps the Devices list
Change to the default columns in Devices Export API call
NOTE: This change only affects those using our new Reporting Export Graph API without any column selections. UI export, which is the more typical way to export the All Devices list, is not affected by this upcoming change.
When you make a request with no select columns provided:
{"reportName": "Devices", "filter": "", "select": "" }
you will receive the default column set. This default column set for the devices report contained some columns that were either not user friendly, not useful, or confusing. We will be removing those columns from the default column list starting December 2020. The columns being removed are listed here:
PhoneNumberE164Format |
_ComputedComplianceState |
_OS |
OSDescription |
These columns will still be available for selection if you need them, but only explicitly, and not by default. If you have built automation around the default columns of the device export when using the exportJobs API, and that automation uses any of these columns, you need to refactor your processes to explicitly select these and any other relevant columns like this:
{"reportName": "Devices", "filter": "", "select": ["PhoneNumberE164Format", "_ComputedComplianceState", "_OS", "OSDescription"]}
Localization changes for data export
As many customers have noticed, we provide localized and non-localized column information with almost all report exports. It looks something like this for any given column that contains localizable data:
ComplianceState |
ComplianceState_loc |
0 |
Not evaluated |
0 |
Not evaluated |
2 |
Not compliant |
0 |
Not evaluated |
2 |
Not compliant |
2 |
Not compliant |
0 |
Not evaluated |
0 |
Not evaluated |
0 |
Not evaluated |
2 |
Not compliant |
0 |
Not evaluated |
0 |
Not evaluated |
2 |
Not compliant |
The human readable/localized values are provided in the _loc column, while the actual column contains the enum/dev string values. These enum/dev string values are used to interact with the API and are less likely to change, which make them ideal for automation.
In contrast to this approach, we have a few export experiences that provide only the human readable/localized string data, which looks like this:
OS |
Windows |
Windows |
Windows |
Windows |
Windows |
Android |
Android |
Android |
Android |
iOS |
iOS |
iOS |
iOS |
We recognize that some customers prefer this approach, especially to avoid column re-mapping when taking data to external tools/sources for reporting.
Currently there is no way to configure which experience you will receive in regard to localization, as each report has a built-in default behavior that remains static. In the future, we are working to add the capability to specify the localization experience you prefer. If you have strong thoughts or feelings about what the new behaviors and defaults should be, or have existing issues with localization, just respond back on this blog post or tag @IntuneSuppTeam out on Twitter!
New Azure Monitor diagnostic setting that maps the Devices list
We have recently enabled a new Azure Monitor Diagnostic setting called Devices for our internal testing. This testing precedes the release of a new Devices category that maps to the All Devices list in Microsoft Endpoint manager admin center. While the setting is visible and can be configured, we will not publish data to your Azure monitor subscription until we officially enable the setting early next year. We do not recommend enabling this setting until that time.
Total reports supported by our new infrastructure:
New report |
Sprint Released (YYMM) |
Non-compliant devices operational report (Devices > Monitor) |
1911 |
Device Compliance organizational report (Reports > Device Compliance) |
1911 |
Device compliance trends report (Reports > Device Compliance) |
1911 |
Device compliance logging |
1911 |
New Devices List - With upgraded controls for search, sort, filter, export and with better performance |
2003 |
New Devices List in EDU console - With upgraded controls for search, sort, filter, export, and with better performance |
2005 |
Antivirus agent status organizational report (Reports > Microsoft Defender Antivirus (Preview)) |
2009 |
Antivirus agent status operational report (Endpoint security > Antivirus) |
2009 |
Detected malware organizational report (Reports > Microsoft Defender Antivirus (Preview)) |
2009 |
Detected malware operational report (Endpoint security > Antivirus) |
2009 |
Group policy migration readiness organizational report (Reports > Group policy analytics (Preview)) |
2009
|
Windows 10 feature updates organizational report (Reports > Windows updates (Preview)) |
2010 |
Windows 10 feature updates operational report (Devices > Monitor) |
2010 |
Noncompliant policies (Devices > Monitor) |
2011 |
Assignment failures (Devices > Monitor) |
2011 |
Let us know if you have any additional questions on this by commenting back to this post or tagging @IntuneSuppTeam out on Twitter.
Blog post updates:
- 2/5/21: Updated known issues section as a few previously known issues were fixed in the 2101 release!
Updated Dec 19, 2023
Version 14.0Intune_Support_Team
Microsoft
Joined October 11, 2018
Intune Customer Success
Follow this blog board to get notified when there's new activity