Introduction
Every IT administrator knows the struggle of maintaining a clean and secure Microsoft Intune environment. Devices can fall out of compliance, applications might fail to deploy, and inactive devices can clutter your management overview. Gaining a comprehensive, actionable insight into these potential issues often involves tedious manual checks and a collection of disparate reports.
I’ve encountered these challenges repeatedly, leading to complex spreadsheets and time-consuming audits. To combat this, I’ve developed a solution: a PowerShell script that provides a responsive, interactive overview of your Intune anomalies, complete with easy filtering, detailed viewing, and clear indicators to highlight peculiarities.
Requirements
To utilize this script, ensure you have the following:
- Microsoft Graph PowerShell Modules: The script connects to the Microsoft Graph API, requiring the relevant PowerShell modules for authentication and data retrieval.
- Permissions: The script requires the following Microsoft Graph API permissions to function correctly:
  - DeviceManagementManagedDevices.Read.All
  - DeviceManagementConfiguration.Read.All
  - DeviceManagementServiceConfig.Read.All
  - DeviceManagementApps.Read.All
  - User.Read
  - User.Read.All
  - Directory.Read.All
  - Mail.Send
Features
This script is designed to provide a comprehensive analysis of your Intune environment, offering a variety of key features:
- Application Failure Analysis: Identifies applications with failure rates that may indicate packaging or deployment issues.
- Multi-User Device Detection: Locates user-driven devices with multiple logged-on users that should be re-enrolled as shared devices.
- Encryption Status Monitoring: Reports devices without BitLocker encryption, highlighting significant security risks.
- Autopilot Hash Validation: Identifies non-company-owned devices missing hardware hash registration in Autopilot.
- Inactive Device Tracking: Lists devices that haven’t contacted Intune in 90+ days for cleanup consideration.
- Compliance Policy Violations: Provides a detailed breakdown of non-compliant devices with specific violation reasons.
- OS Edition Overview: Identifies devices that may need an OS edition upgrade (e.g., Pro to Enterprise) to unlock additional management and security features.
- Disabled User Detection: Identifies devices assigned to disabled Microsoft Entra ID user accounts.
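To show what three of these checks look like against the Microsoft Graph API directly, here is an added illustration (my own example, not code from the Generate-IntuneAnomaliesReport script) covering inactive devices, unencrypted Windows devices and devices whose primary user is disabled. It assumes the Microsoft.Graph.DeviceManagement and Microsoft.Graph.Users modules are installed and that you are already connected with at least the DeviceManagementManagedDevices.Read.All and User.Read.All permissions listed above; the 90-day threshold is a variable so you can tune it.

```powershell
# Added illustration, not the Generate-IntuneAnomaliesReport script's own code.
# Assumes: Microsoft.Graph.DeviceManagement + Microsoft.Graph.Users modules installed,
# and an existing Connect-MgGraph session holding
# DeviceManagementManagedDevices.Read.All and User.Read.All.

$inactiveThresholdDays = 90
$nowUtc = (Get-Date).ToUniversalTime()
$cutoff = $nowUtc.AddDays(-$inactiveThresholdDays)

# Pull every managed device once, selecting only the properties the checks need.
$devices = @(Get-MgDeviceManagementManagedDevice -All -Property `
    'id', 'deviceName', 'operatingSystem', 'isEncrypted', 'lastSyncDateTime',
    'userPrincipalName', 'userId', 'managedDeviceOwnerType')

# Check 1: devices that have not contacted Intune for 90+ days (cleanup candidates).
$inactive = @($devices |
    Where-Object { $_.LastSyncDateTime -and $_.LastSyncDateTime -lt $cutoff } |
    Select-Object DeviceName, UserPrincipalName, LastSyncDateTime,
        @{ Name = 'DaysSinceSync'; Expression = { [int]($nowUtc - $_.LastSyncDateTime).TotalDays } } |
    Sort-Object DaysSinceSync -Descending)

# Check 2: Windows devices that report no disk (BitLocker) encryption.
$unencrypted = @($devices |
    Where-Object { $_.OperatingSystem -eq 'Windows' -and -not $_.IsEncrypted } |
    Select-Object DeviceName, UserPrincipalName, LastSyncDateTime)

# Check 3: devices whose primary user is disabled in Entra ID.
# One Get-MgUser call per distinct user id; results are cached so a user
# who owns many devices is looked up only once.
$userEnabled = @{}
$disabledUserDevices = @(foreach ($d in ($devices | Where-Object { $_.UserId })) {
    if (-not $userEnabled.ContainsKey($d.UserId)) {
        try {
            $u = Get-MgUser -UserId $d.UserId -Property 'accountEnabled' -ErrorAction Stop
            $userEnabled[$d.UserId] = [bool]$u.AccountEnabled
        } catch {
            # A deleted user returns 404; for reporting purposes treat it like a disabled one.
            $userEnabled[$d.UserId] = $false
        }
    }
    if (-not $userEnabled[$d.UserId]) {
        $d | Select-Object DeviceName, UserPrincipalName, LastSyncDateTime
    }
})

"Inactive ($inactiveThresholdDays+ days): $($inactive.Count)"
"Unencrypted Windows devices:          $($unencrypted.Count)"
"Assigned to disabled/deleted users:   $($disabledUserDevices.Count)"
$inactive | Format-Table -AutoSize
```

Filtering is done client-side after a single paged download of the device list, which keeps the Graph query simple and avoids relying on which managedDevice properties support server-side `$filter`; on very large tenants you would move the lastSyncDateTime comparison into a `-Filter` to cut transfer volume.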
How does it work?
This script is available in the PowerShell Gallery. You can install it with the following command:
https://www.powershellgallery.com/packages/Generate-IntuneAnomaliesReport/
Install-Script -Name Generate-IntuneAnomaliesReport -Force
Interactive Authentication
This is the simplest way to run the script. It will prompt you to log in with your Entra ID credentials.
Generate-IntuneAnomaliesReport.ps1
Client Secret Authentication
This method is useful for automation scenarios. You’ll need to create an Entra ID application and grant it the required permissions.
Generate-IntuneAnomaliesReport.ps1 -TenantId "your-tenant-id" -ClientId "your-client-id" -ClientSecret "your-client-secret"
Certificate Authentication
This method is also suitable for automation and is more secure than using a client secret. You’ll need to create an Entra ID application, upload a certificate, and provide the certificate thumbprint.
Generate-IntuneAnomaliesReport.ps1 -TenantId "your-tenant-id" -ClientId "your-client-id" -CertificateThumbprint "your-certificateThumbprint"
Access Token Authentication
Accepts a pre-acquired access token for authentication. Useful when you’ve already obtained a token through another process or when integrating with existing authentication workflows. Provides flexibility but requires you to manage token acquisition and expiry yourself.
Generate-IntuneAnomaliesReport.ps1 -Accesstoken "AccessToken"
Managed Identity Authentication
Uses Azure’s managed identities to authenticate without storing credentials. Ideal for scripts running in Azure environments (VMs, Functions, Automation). The most secure option, as it eliminates credential management entirely.
Generate-IntuneAnomaliesReport.ps1 -Identity "ManagedIdentity"
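When the script runs unattended, the failure mode you want to catch early is an identity that authenticates fine but was never granted all of the Graph permissions from the Requirements section. The following added example (mine, not part of the Generate-IntuneAnomaliesReport script) is a pre-flight wrapper for an Azure Automation or VM-hosted run: it connects with the Microsoft Graph PowerShell SDK using either a managed identity or a certificate, checks that the token actually carries the required permissions, and only then invokes the script with the matching parameters. It assumes the Microsoft.Graph.Authentication module is installed, that the script was installed with Install-Script, and that Get-MgContext lists the application roles of an app-only token under Scopes.

```powershell
# Added example, not the Generate-IntuneAnomaliesReport script's own code.
# Assumes: Microsoft.Graph.Authentication module installed; the script installed via Install-Script.

param(
    [ValidateSet('ManagedIdentity', 'Certificate')]
    [string] $Mode = 'ManagedIdentity',
    [string] $TenantId,               # Certificate mode only
    [string] $ClientId,               # Certificate mode only (app registration)
    [string] $CertificateThumbprint,  # Certificate mode only
    [switch] $SendEmail,
    [string] $Recipient,
    [string] $From
)

# Permissions from the Requirements section. Mail.Send is only needed when -SendEmail is used.
$requiredPermissions = @(
    'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementConfiguration.Read.All',
    'DeviceManagementServiceConfig.Read.All',
    'DeviceManagementApps.Read.All',
    'User.Read.All',
    'Directory.Read.All'
)
if ($SendEmail) { $requiredPermissions += 'Mail.Send' }

switch ($Mode) {
    'ManagedIdentity' {
        # System-assigned managed identity: nothing secret is stored with the script.
        Connect-MgGraph -Identity -NoWelcome
    }
    'Certificate' {
        # The certificate must be in the My store of the account that runs this wrapper.
        Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
            -CertificateThumbprint $CertificateThumbprint -NoWelcome
    }
}

$ctx = Get-MgContext
if (-not $ctx) { throw 'Connect-MgGraph did not establish a session.' }

# Fail fast if the identity was not granted everything the report needs,
# rather than discovering it halfway through as a 403 on one Graph call.
$missing = @($requiredPermissions | Where-Object { $_ -notin $ctx.Scopes })
if ($missing.Count -gt 0) {
    throw "Token is missing required Graph permissions: $($missing -join ', ')"
}
Write-Verbose "Authenticated ($($ctx.AuthType)) to tenant $($ctx.TenantId) with $($ctx.Scopes.Count) permissions."

# Pass the same authentication mode through to the script, plus the optional mail settings.
$scriptArgs = @{}
if ($Mode -eq 'ManagedIdentity') {
    $scriptArgs.Identity = 'ManagedIdentity'
} else {
    $scriptArgs.TenantId              = $TenantId
    $scriptArgs.ClientId              = $ClientId
    $scriptArgs.CertificateThumbprint = $CertificateThumbprint
}
if ($SendEmail) {
    $scriptArgs.SendEmail = $true
    $scriptArgs.Recipient = $Recipient
    $scriptArgs.From      = $From
}

Generate-IntuneAnomaliesReport.ps1 @scriptArgs
```

The wrapper deliberately lets the script perform its own connection with the parameters it documents, rather than trying to hand over the SDK session; the pre-flight connection exists only to surface a missing permission before any report is generated.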
Email Functionality
This makes it easy to email reports automatically after generation. It is the feature that needs the Mail.Send permission listed under Requirements.
Generate-IntuneAnomaliesReport.ps1 -SendEmail -Recipient "Recipient" -From "Sender"
Conclusion
This script is designed to simplify what has traditionally been a complex and time-consuming task for administrators: identifying and addressing anomalies within their Microsoft Intune environment. Hopefully, this tool will make it significantly easier for you to maintain optimal device management and security.
If you encounter any bugs or have ideas for improvements, please let me know. I’m actively maintaining this tool and welcome your feedback to make it even better.