Announcing updated policy reporting experience in Microsoft Endpoint Manager
Published Mar 18 2022 01:30 PM

By: Laura Arrizza - Program Manager | Microsoft Endpoint Manager - Intune

 

Microsoft Endpoint Manager is excited to announce improvements for the Microsoft Intune policy reporting experience that are rolling out with the 2203 service release. We are updating the ‘per-policy’ reporting experience to address common pain points and feedback from customers. These changes leverage the Intune reporting framework, which helps to reorganize how we surface policy reports and provide a better overall reporting experience.

 

Currently, the latest updates for policy reports apply to the following policy types:

  • Device configuration policies (excluding ADMX, DFCI, OEMConfig)
  • Endpoint security policies

 

We will keep you informed as more policy types start to use the updated reporting experience. In this post, we will review the improved reporting experience, and walk through some of the changes we have made across these different report types.

 

Overview of reporting improvements

Our goal is to give you a powerful, reliable reporting experience that provides an accurate set of rich data to help you manage the policies you have configured in your Intune environment. The new reporting framework offers the following capabilities:

 

  • Data consistency: Ensuring consistent data across all policy reports in Intune, using the same source of truth.
  • Better performance: Even in the largest tenants with the largest reports, our new reporting infrastructure lets you quickly generate and consume reports.
  • Data representation: Addressing pain points of devices in ‘pending’ state and how we surface device records with multiple user affinities.
  • Sleeker design: Updated designs to represent data in a simpler, organized way.
  • Navigation tools: We support search, sort, paging, improved export functionality, and filtering controls to get the most out of the data.
  • More context for reports: Additional device columns, updated terminology, tooltips, and documentation updates.

 

Next, we’ll walk through some of these reporting improvements in detail.

 

A tour of the new policy reporting experience

First, navigate to the applicable policy list for either your device configuration or endpoint security policies. In the Microsoft Endpoint Manager admin center, go to Devices > Configuration profiles or the Endpoint security node, depending on the policy type you want to view information for.

 

Screenshot of the Devices > Configuration profiles page in the Microsoft Endpoint Manager admin center, showing a list of profiles (policies). An arrow points to an individual policy that you can select to continue to the next step.

 

Select the policy to go to the policy overview page. Instead of two donut charts, the new overview page has a simplified, linear aggregate chart that shows the number of device and user check-ins that have reported back in Success, Error, Conflict, or Not Applicable state. The aggregate chart will update as check-ins occur, with improved performance as compared to the previous donut charts. Under the aggregate chart are entry points (cards) to different list reports, as well.

 

The policy overview page also includes a Properties section with a summary of policy basics, settings, assignments, filters, scope tags, and other information. You can edit these properties directly from the policy overview page.

 

Screenshot of the updated policy overview page in the Endpoint Manager admin center that shows a new, linear aggregate chart at the top and cards that you can select to open different status reports.

 

Continue reading to learn about improvements we’ve made to specific reports.

 

Device and user check-in status

Select View report to view the Device and user check-in status report, which combines information that was previously split into separate device status and user status reports. This report shows the list of device and user check-ins for the policy, with the check-in status and last check-in time (based on the reported policy check-in time). When you open the report, the aggregate chart will remain at the top of the page, and the data will be consistent with the list data. Use the filter column to view assignment filter options. You can also view additional columns for device properties in the report: Model, Manufacturer, Intune device ID. Tools are available to search across the entire dataset, sort on every column, use paging controls to navigate through data, and view the number of records within the report. We have improved export functionality when saving information to a .csv file, including applying filters to the exported data and an overall quicker export process.

 

Screenshot of the ‘Device and user check-in status’ report in the Endpoint Manager admin center. It shows a field above the aggregate chart where you can enter a value to search, sort, or filter on. The columns shown in the report are ‘Device name’, ‘Logged in user’, ‘Check-in status’, ‘Assignment filter’, and ‘Last check-in time’.

 

If you select one of the device and user entries, it will drill down into the list of settings applied to the device/user from the policy. From here, you can view the settings and setting status to see more details on errors and conflicts. This is the same view as is reflected in other areas of the UI.

 

Screenshot of the Profile Settings report for a specific device in the Endpoint Manager admin center. It includes the columns ‘Setting name’ and ‘Setting status’.

 

Device assignment status

We also have a brand-new Device assignment status policy report, which surfaces data on the latest status for assigned devices from the policy. To go to this report, select the Device assignment status card on the policy overview page. By default, the report will return empty until you generate the report with or without a filter for the assignment status. Once completed, the report will include a timestamp for when it was last generated. The reporting data will be available for up to three days before needing to be generated again.

 

Like the Device and user check-in status report, the Device assignment status report page includes an aggregate chart that summarizes the list data. The aggregate counts the number of device check-ins based on the last active user across Success, Error, Conflict, Not Applicable, and Pending states. A denominator shows the total count of assigned devices and primary users targeted by the policy. The list records reflect the same data, surfacing only one entry per device based on its last active user.


Like the previous report, we have included additional device columns, tools to navigate throughout the records, the ability to drill down to the settings view, and added context on reports.

 

Screenshot of the ‘Device assignment status’ report in the Endpoint Manager admin center. It shows a dropdown field above the aggregate chart where you can select an Assignment status to filter on. It also shows an example timestamp: “Report generated on 12/27/2021, 4:01:34 PM.” The report list columns are ‘Device name’, ‘Last active user’, and ‘Assignment status’. It generates one record per device, based on the last active user of the device. This helps avoid duplicate entries.

 

This new report includes improvements to address two previous pain points:

 

  • Reducing duplicate device entries – The report ‘flattens’ device entries to the last active user. Previously, customers might have seen multiple entries for devices that reflected both a ‘system account’ and ‘user account’ as the last signed-in user.
  • Improved definitions of ‘Pending’ state – We have improved the way we determine a device to be in a ‘Pending’ state. When a device state is pending, it means it has not reported back what the status is for applied policy settings. At this point, it is unknown which user is associated with the device, so the user field will be empty. This state is consistent across the Intune UI.


Per setting status

The Per setting status report surfaces the summary of device and user check-ins that are in Success, Conflict, or Error states at the granular setting level within the policy. This report uses the same consistency and performance updates and the same navigation tools that we’ve made available to other reports. To go to this report, select the Per setting status card on the policy overview page.

 

Screenshot of the ‘Per settings status’ report in the Endpoint Manager admin center. It includes a list of settings, by name, and a field above the list where you can ‘Search by setting name’. The report list columns are ‘Setting Name’, ‘Success’, ‘Error’, and ‘Conflict’.

 

Certificates

For applicable policy types, the Certificates report is available to show certificate-related data for the policy.

 

To ensure data consistency, the same data is reflected in the ‘per device’ report, which is available by navigating to Devices > All devices > select device > Device configuration.

 

Screenshot of the device configuration report in the Endpoint Manager admin center that lists all policies applied to a device. Select a policy to drill down to a list of policy settings and setting status.

 

Common questions


Will I lose any data with these changes?

The reporting changes will have no impact on existing data. The same information from before is available at parity, plus more.

 

What about Microsoft Graph API endpoints?

New Graph API endpoints are available with the updated reporting experience. Existing Graph API endpoints will stay intact. We suggest you move any automation over to the updated endpoints:

 

List of settings by category

| Report name | Updated Experience APIs | Older Experience APIs |
| --- | --- | --- |
| Device and user check-in status (Summary) | /deviceManagement/reports/getConfigurationPolicyDeviceSummaryReport | deviceManagement/deviceConfigurations/{id}/deviceStatusOverview, deviceManagement/deviceConfigurations/{Id}/userStatusOverview |
| Device and user check-in status (List Report) | /deviceManagement/reports/getConfigurationPolicyDevicesReport | |
| List of settings for Device/User Record via Device and user check-in status | /deviceManagement/reports/getConfigurationSettingNoncomplianceReport | N/A |
| Device assignment status (Summary) | /deviceManagement/reports/cachedReportConfigurations('DeviceAssignmentStatusByConfigurationPolicy_{id}'), /deviceManagement/reports/cachedReportConfigurations, /deviceManagement/reports/getCachedReport | N/A |
| Device assignment status (List Report) | /deviceManagement/reports/cachedReportConfigurations('DeviceAssignmentStatusByConfigurationPolicy_{id}'), /deviceManagement/reports/cachedReportConfigurations, /deviceManagement/reports/getCachedReport | N/A |
| List of settings for Device/User Record via Device assignment status | /deviceManagement/reports/getConfigurationSettingNoncomplianceReport | N/A |
| Per setting status (List) | /deviceManagement/reports/getDeviceConfigurationPolicySettingsSummaryReport | deviceManagement/deviceConfigurations/{id}/deviceSettingStateSummaries |
| Device configuration (List Report) via Device Object | /deviceManagement/reports/getConfigurationPoliciesReportForDevice | https://graph.microsoft.com/beta/deviceManagement/manageddevices('{deviceid}') |
| List of settings for Device/User Record via Device object | Device Configuration profile types: /deviceManagement/reports/getConfigurationSettingNoncomplianceReport. Settings Catalog and Endpoint Security profile types: /deviceManagement/reports/getConfigurationSettingsReport | N/A |
| Assignment failures | /deviceManagement/reports/getConfigurationPolicyNoncomplianceSummaryReport | N/A |
| List of Devices/User Records via Assignment failures report | /deviceManagement/reports/getConfigurationPolicyNonComplianceReport | N/A |
| List of settings for Device/User Record via Assignment failures report | Device Configuration profile types: /deviceManagement/reports/getConfigurationSettingNoncomplianceReport. Settings Catalog and Endpoint Security profile types: /deviceManagement/reports/getConfigurationSettingsReport | N/A |
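To find automation that still calls the older endpoints listed above, the following added example (not code from the original post or from Microsoft) scans script text for the three older deviceConfigurations sub-resources and names the updated report endpoint for each. The function and variable names are this example's own, and the PowerShell lines in the sample are constructed.

```python
import re

# Older -> updated pairs copied from the table above. The managedDevices row is
# left out (this example's choice): that URL also serves ordinary device lookups.
LEGACY_TO_UPDATED = {
    "deviceStatusOverview":
        "/deviceManagement/reports/getConfigurationPolicyDeviceSummaryReport",
    "userStatusOverview":
        "/deviceManagement/reports/getConfigurationPolicyDeviceSummaryReport",
    "deviceSettingStateSummaries":
        "/deviceManagement/reports/getDeviceConfigurationPolicySettingsSummaryReport",
}
_BY_LOWER = {k.lower(): (k, v) for k, v in LEGACY_TO_UPDATED.items()}

# Matches deviceConfigurations/<id>/<resource> and the OData key form
# deviceConfigurations('<id>')/<resource>. <id> may be a GUID, a {placeholder}
# or a script variable. Matching ignores case so differently cased paths are caught.
LEGACY_RE = re.compile(
    r"deviceManagement/deviceConfigurations"
    r"(?:/(?P<id1>[^/\s]+)|\('(?P<id2>[^']+)'\))"
    r"/(?P<res>" + "|".join(LEGACY_TO_UPDATED) + r")\b",
    re.IGNORECASE,
)


def find_legacy_calls(text):
    """Return one finding per older-endpoint use: line number, older resource,
    policy id expression as written, and the updated report endpoint."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in LEGACY_RE.finditer(line):
            name, updated = _BY_LOWER[m.group("res").lower()]
            findings.append({"line": lineno, "legacy": name,
                             "policy_id": m.group("id1") or m.group("id2"),
                             "updated": updated})
    return findings


# Constructed sample automation script (not from the original post).
SAMPLE_SCRIPT = """\
$base = "https://graph.microsoft.com/beta"
Invoke-MgGraphRequest -Uri "$base/deviceManagement/deviceConfigurations/$policyId/deviceStatusOverview"
Invoke-MgGraphRequest -Uri "$base/devicemanagement/deviceconfigurations('{id}')/userStatusOverview"
Invoke-MgGraphRequest -Uri "$base/deviceManagement/deviceConfigurations/$policyId/deviceSettingStateSummaries"
Invoke-MgGraphRequest -Uri "$base/deviceManagement/deviceConfigurations/$policyId/assignments"
Invoke-MgGraphRequest -Method POST -Uri "$base/deviceManagement/reports/getConfigurationPolicyDevicesReport"
"""

if __name__ == "__main__":
    for f in find_legacy_calls(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['legacy']} ({f['policy_id']}) -> {f['updated']}")
```

Calls to other deviceConfigurations resources and to the updated report endpoints are not reported, so the findings list only the lines that need to move.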

 

How are reports generated for different device types and user affinity types? Why do I see ‘system account’ users?

Policy reports are generated based on the context of a user check-in for a device. For example, in cases of a physical device with primary and secondary users, the last active user will likely be a user account. However, for Windows Autopilot devices, inactive users, or helpdesk sign-ins to a device, the last active user may show as the ‘system account’. Note, when a user signs in to a device that they are not assigned to or the primary user for, this entry will not be surfaced.

 

What other reporting changes are on the roadmap?

  • Enable for government cloud environments
  • Move all policy types to new experience
  • Improving error codes and conflict resolution
  • Innovation in new reports

 

Do the updated reports include scope tag support?

Yes! All updated reports will honor scope tags as configured via your tenant administration and policy settings. Scoped admins will be able to see the available data to them in summary and list report views.

When viewing the 'Device configuration' report per device object, only scoped admins can view the list of policies applied to a device. If an admin does not have scoped permissions, they can leverage the 'Read only' permission for Device Configuration to view the resultant set of policies on the device.

 

Known issues

We are continuing to investigate and work through small issues that you may be experiencing with the new policy reports. The following items are known and have fixes in progress:

 

  1. Entries of devices being shown with the device name as 'None provided'. [Resolved in 2205 service release] 
    1. There may be cases where report entries surface additional records with the device name as "None provided". These may be old/stale device records that are no longer applicable to the policy.
    2. Solution: A fix is planned to clean up old/stale device records around the end of the month/beginning of May.

  2. Check-in status being reflected as 'Remediated'. [Resolved in 2205 service release]
    1. The check-in status for certain device and logged in user records may show as 'Remediated' in the list report views. Generally, 'Remediated' refers to the fact that the device's settings did not report back as Compliant or Not Compliant, leading to one of the known states of Success, Error, Conflict, Pending, or Not Applicable. Typically, devices and users in 'Remediated' state will turn over to Success; however, there are cases where they may stay in Remediated state.
    2. Solution: A fix is planned to address devices and users in 'Remediated' state to ensure this case is handled correctly. We will provide updates on the timeline.

  3. Mismatch in data between summary aggregates and list reports. [Improvements made in 2205, more to come in 2206/2207]
    1. In some cases, customers may see some mismatches in reported data across the summary aggregates and list reports. This may be due to a few factors that the team is addressing and investigating.
      1. The above two issues for old/stale device records creating noise in reports and devices and users reporting back in 'Remediated' state only in the list views but not being reflected in the summary views.
      2. Timing of when the data gets updated across the different reports.
      3. Note the difference of the changes in how data gets represented given the updated experience.
    2. Solution: Team is continuing to address where improvements can be made to ensure consistent, reliable data across all the policy reports.

  4. Report records that show an empty 'Last active user' or 'Logged in user' column reflect a non-user entity, formally surfaced as 'System account'. [Fix expected in 2207 service release]

Summary

 

We hope you are as excited as we are about these improvements, and we encourage you to check out these new changes in Intune. For details on past changes we’ve made, see Introducing New Policy Reports & more in Microsoft Endpoint Manager Reporting and Microsoft Intune announces powerful new reporting framework. Stay tuned for updates on further improvements to Intune reporting. If you have any feedback or questions, leave a comment below or reach out to @IntuneSuppTeam on Twitter.

 

Post updates:

03/28/22: Added Q&A around scope tag support.

04/22/22: Added known issue section.

04/29/22: Updated post to include a known issue where report records that show an empty 'Last active user' or 'Logged in user' column reflect a non-user entity, formally surfaced as 'System account'.

06/3/22: Updated status of known issues. 

Last update: Nov 30 2023 04:09 PM