INTUNE: REPORT ALL DEVICES THAT ARE NON-COMPLIANT BECAUSE THEY ARE INACTIVE
Published Jun 21 2019 03:53 PM 14.7K Views
Microsoft

First published on TECHNET on Feb 23, 2019

It’s me, Anil Abraham, again with a quick blog. These days my job involves visiting customers and talking about modern device management and how to shift from the traditional management methods to the new ones. Obviously, Intune plays a big part in modern device management.


More and more often I get asked about reporting, and about the flexibility we had with SCCM, where SSRS let us create custom reports.

Customer Query:

The other day a customer asked me how to report all devices in Intune that are marked non-compliant because they have not reported back to Intune in the last 30 days. Why 30 days? That is the default in Intune: the built-in compliance policy marks a device non-compliant if it hasn't checked in within that period.

Microsoft Graph is your answer. For those who are new to Microsoft Graph, start at https://developer.microsoft.com/en-us/graph/

Everything Intune holds, whether inventory data, policies or apps, is exposed through Microsoft Graph.

For people familiar with Graph and Intune, the query that gives the result is


https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicySettingStateSummaries/DefaultDeviceCompliancePolicy.RequireRemainContact/deviceComplianceSettingStates?$filter=state eq 'nonCompliant'


For people who are new to this...

Sign into Graph Explorer ( https://developer.microsoft.com/graph/graph-explorer/ ) using an account that has the delegated permissions to read the resources you are after. More details at https://docs.microsoft.com/en-us/graph/permissions-reference

For a quick view of the data held within Intune and exposed via Graph, an example listing all the enrolled devices is below.



Getting there...

I started with the Intune API overview at https://docs.microsoft.com/en-us/graph/api/resources/intune-graph-overview?view=graph-rest-1.0


From the request I know I am after a specific device compliance setting, so the first step is to list all the device compliance policy settings, which I found documented at https://docs.microsoft.com/en-us/graph/api/intune-deviceconfig-devicecompliancepolicysettingstatesum...

From the above I could identify the query to run in Graph Explorer as https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicySettingStateSummaries

This gives me a list of the settings that are part of compliance policies, as below in Graph Explorer.




Going through the list I could identify the setting I was after, as below.





I hear you ask what the fuss is about, since there is a list you could export from the Intune web console. A sample from a test tenant is below. The intention of this blog is to give an overview of Graph and the data accessible through it.



As you can see, the numbers from Graph Explorer match what you see for the "Is Active" setting. You also have the option to export the report at this level, and you could drill down further in the Intune report, as below.





There is an export option here too, and you could get the data into Excel, but it gives you all the devices, both compliant and non-compliant, so you would then have to filter in Excel to get the data you are after.

Let’s look at how to do all this in Graph Explorer. From the previous exercise we know the ID of the setting we are after is DefaultDeviceCompliancePolicy.RequireRemainContact.

To report only on that setting, and to show each device's compliance state against it, I built the query as below:

https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicySettingStateSummaries/DefaultDeviceCompliancePolicy.RequireRemainContact/deviceComplianceSettingStates

The result is as below.





The result shows all 12 devices in my test tenant and the compliance state of each against the DefaultDeviceCompliancePolicy.RequireRemainContact setting.

Sample data for a non-compliant device is below.

As you can see, the value we are after is the "state" property. With that knowledge, the query to show only the devices that are non-compliant for that setting is

https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicySettingStateSummaries/Defaul... eq 'nonCompliant'


In action, the result looks like below.






The result is the 9 devices that are non-compliant because they have not contacted Intune in the last 30 days.


But I can hear you say: Anil, I want to report all this programmatically, and reporting through Graph Explorer is not an option in an enterprise. If there is enough interest, and I can find some time, I will write a Part 2 showing how to automate all this.
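The query built above (setting ID plus a $filter on "state") is easy to call outside Graph Explorer. The script below is an added example written for this page, not Microsoft's or the post author's code. It builds the same URL, follows @odata.nextLink so large tenants are not under-counted (Graph Explorer only shows the first page), and groups the rows by device, because this setting is evaluated per enrolled user and one device can appear once per stale user. It assumes you already hold a bearer token for Graph with a permission that can read device compliance settings (for example DeviceManagementConfiguration.Read.All; check the permissions reference for your case). The two pages of sample data are constructed, not taken from a tenant, so the script runs offline as written.

```python
"""Report Intune devices failing the built-in "Is active"
(DefaultDeviceCompliancePolicy.RequireRemainContact) setting via Microsoft Graph.

Added example for this post, not Microsoft's code. For live use, pass
graph_get(<access token>) to report(); the token must carry a permission
that can read device compliance settings (assumption: DeviceManagementConfiguration.Read.All).
"""
import json
import urllib.parse
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, Iterator, List

GRAPH = "https://graph.microsoft.com/v1.0"
IS_ACTIVE_SETTING = "DefaultDeviceCompliancePolicy.RequireRemainContact"


def build_query(setting_id: str = IS_ACTIVE_SETTING, state: str = "nonCompliant") -> str:
    """The same query the post builds by hand in Graph Explorer, URL-encoded."""
    path = (f"/deviceManagement/deviceCompliancePolicySettingStateSummaries/"
            f"{setting_id}/deviceComplianceSettingStates")
    return GRAPH + path + "?" + urllib.parse.urlencode({"$filter": f"state eq '{state}'"})


def graph_get(token: str) -> Callable[[str], dict]:
    """Return a fetcher that GETs a Graph URL with a bearer token (live use only)."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def iter_setting_states(url: str, fetch: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every deviceComplianceSettingState row, following @odata.nextLink.

    Graph pages collection results; stopping after the first page silently
    drops devices in anything bigger than a test tenant.
    """
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def stale_by_device(records) -> Dict[str, List[str]]:
    """Group non-compliant rows by device.

    The setting is evaluated per enrolled user, so one device can appear
    several times (one row per user that has not checked in). The user list
    shows which stale profile is dragging the device to non-compliant.
    """
    out: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        key = r.get("deviceName") or r.get("deviceId", "?")
        out[key].append(r.get("userPrincipalName") or r.get("userName") or "(no user)")
    return dict(out)


# Constructed sample responses (not tenant data): two pages, the first
# carrying a nextLink, the second being the last page.
_Q = build_query()
SAMPLE_PAGES = {
    _Q: {
        "value": [
            {"deviceId": "d-1", "deviceName": "LAPTOP-01", "userPrincipalName": "alice@contoso.com",
             "setting": IS_ACTIVE_SETTING, "state": "nonCompliant"},
            {"deviceId": "d-1", "deviceName": "LAPTOP-01", "userPrincipalName": "bob@contoso.com",
             "setting": IS_ACTIVE_SETTING, "state": "nonCompliant"},
        ],
        "@odata.nextLink": _Q + "&$skiptoken=page2",
    },
    _Q + "&$skiptoken=page2": {
        "value": [
            {"deviceId": "d-2", "deviceName": "DESKTOP-07", "userPrincipalName": "carol@contoso.com",
             "setting": IS_ACTIVE_SETTING, "state": "nonCompliant"},
        ]
    },
}


def report(fetch: Callable[[str], dict] = SAMPLE_PAGES.get) -> Dict[str, List[str]]:
    """Run the query end to end; defaults to the constructed sample pages."""
    return stale_by_device(iter_setting_states(build_query(), fetch))


if __name__ == "__main__":
    # Live: report(graph_get(os.environ["GRAPH_TOKEN"]))
    for device, users in report().items():
        print(f"{device}: {len(users)} stale user evaluation(s): {', '.join(users)}")
```

The grouping is the part worth keeping even if you only ever paste the URL into Graph Explorer: the raw row count (3 in the sample) is not the device count (2), and the difference is exactly the "stale second user" case raised in the comments below.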

Hope you find this helpful....

4 Comments
Brass Contributor

Hi, this is all good stuff, but...

 

What we are seeing and experiencing is devices that have multiple users logging in, or where a device has been transitioned to another user without being reset/reimaged. That device still has the user profiles for multiple people. Those stale users then fail the "Is Active" setting for the Built-in Device Compliance policy (not logged on < 30 days) and mark the whole device Not Compliant. We have been advised by Microsoft that these stale logins do not eventually disappear off the device nor from MEM (unless they are genuine leavers whose account gets deleted or de-licensed). The only solution is to delete the stale user's profile off the device. This seems like a sledgehammer to crack a nut, and that user may one day log on again, or may have had valid data in the profile that should not be deleted.

 

[Attached image: Built-in Device Compliance Policy 1.PNG]

Steel Contributor

@Conrad Murray , are you still seeing the "built-in Windows "Is Active" Compliance Policy (DefaultDeviceCompliancePolicy.RequireRemainContact) marks recently active PCs non-compliant when a past user-based test becomes stale" problem?

 

I have been tweeting with the Intune Support team about this.

https://twitter.com/Treestryder/status/1601284621593112578

 

Brass Contributor

Hi Nathan @Nathan Hartley, yes, 100% still seeing this. And we want to move to Conditional Access for our client to block access to non-compliant devices, but I am hesitant to go live with it because of this. My colleague thinks that this part of non-compliance will be ignored, but we are not really sure and will need to test. We have been running exports for the client to get all their devices compliant for all other settings - that is a real pain to get out, which setting is failing per device, but we have a Graph script to do it. They are mainly there with minimum OS, Code Integrity, BitLocker, Firewall/AV/Defender, but these past users AND system are the last worry for us. We will go to ring testing to be sure.

 

[Attached image: ConradMurray_0-1670799937771.png]

 

Copper Contributor

Hi Anil

Is there a way to generate a report of all devices that show "Microsoft Entra Compliance" as "not compliant" in the Intune portal while Intune shows them as compliant?

As of now I can see this column or status of the device (BYOD) only by running the Intune troubleshooting section.

 

Regards

Thomas

 

[Attached image: intune Err.PNG]

Version history
Last update: Feb 20 2020 11:51 AM