Intune Anomalies Report
Every IT administrator knows the struggle of maintaining a clean and secure Microsoft Intune environment. Devices can fall out of compliance, applications might fail to deploy, and inactive devices can clutter your management overview. Gaining a comprehensive, actionable insight into these potential issues often involves tedious manual checks and a collection of disparate reports.
I’ve encountered these challenges repeatedly, leading to complex spreadsheets and time-consuming audits. To combat this, I’ve developed a solution: a PowerShell script that provides a responsive, interactive overview of your Intune anomalies, complete with easy filtering, detailed viewing, and clear indicators to highlight peculiarities.
What prompted this
In every tenant I manage, the same pattern repeats. A device falls out of compliance, nobody notices because the admin center doesn’t surface it clearly, and it only comes up when the user complains about blocked access. Or an app deployment fails silently on 30 devices because the package was updated but the detection rule wasn’t. Or a fleet that reads as fully encrypted in the admin center, where Entra is actually missing the BitLocker recovery key for a handful of devices - invisible until the day a laptop is in a drawer and you need to get back in. Or a Windows LAPS policy that landed on a device months ago but quietly stopped refreshing the local admin password backup, so the value in Entra no longer unlocks anything.
These aren’t edge cases - they’re the daily reality of Intune management at scale. The built-in Intune reports are scattered across multiple blades with no single view that says “here are the things that need your attention right now.” That’s exactly what this script builds: one HTML report, one command, every anomaly in one place.
Requirements
To utilize this script, ensure you have the following:
- Microsoft Graph PowerShell Modules: The script connects to the Microsoft Graph API, requiring the relevant PowerShell modules for authentication and data retrieval.
- Permissions: The script requires the following Microsoft Graph API permissions to function correctly:
  - DeviceManagementManagedDevices.Read.All
  - DeviceManagementConfiguration.Read.All
  - DeviceManagementServiceConfig.Read.All
  - DeviceManagementApps.Read.All
  - User.Read
  - User.Read.All
  - Directory.Read.All
  - Mail.Send
  - BitlockerKey.ReadBasic.All
  - DeviceLocalCredential.ReadBasic.All
Features
This script is designed to provide a comprehensive analysis of your Intune environment, offering a variety of key features:
- BitLocker & Encryption Posture: Flags devices where Intune assigned a BitLocker policy but no OS-volume recovery key is in Entra, alongside devices that aren’t encrypted at all. Resolves assignments across Settings Catalog, legacy device configurations, and Endpoint Security intents, honouring include and exclude groups and assignment filters.
- Windows LAPS Backup Health: Flags devices covered by an Entra-backed LAPS policy with no local admin credential backed up, or whose most recent backup is older than 60 days.
- Deprecated Settings Catalog Detection: Walks every Settings Catalog policy and flags settings Microsoft has marked deprecated.
- Application Failure Analysis: Identifies applications with failure rates that may indicate packaging or deployment issues.
- Compliance Policy Violations: Provides a detailed breakdown of non-compliant devices with specific violation reasons.
- Multi-User Device Detection: Locates user-driven devices with multiple logged-on users that should be re-enrolled as shared devices.
- Autopilot Hash Validation: Identifies non-company-owned devices missing hardware hash registration in Autopilot.
- Inactive Device Tracking: Lists devices that haven’t contacted Intune in 90+ days for cleanup consideration.
- OS Edition Overview: Helps identify devices that may need OS edition upgrades (e.g., Pro to Enterprise) for enhanced management and security features.
- Disabled User Detection: Identifies devices assigned to disabled Microsoft Entra ID user accounts.
For the BitLocker and LAPS checks the report uses the ReadBasic variants of the Graph scopes - it can confirm that a recovery key or password backup exists (and, for LAPS, when it was last refreshed), but never reads the actual recovery password or local admin password.
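As an added example that is not the script's or the RKSolutions module's own code, the following PowerShell implements three of the checks listed above (BitLocker policy assigned but no OS-volume recovery key, stale or missing LAPS backup at the 60-day threshold, no check-in for 90+ days) over constructed sample records so it runs offline. The record shapes, the two Has*Policy flags on a device, and the use of the Entra device id as the join key are assumptions standing in for what the Graph calls return.

```powershell
# Added example, not the script's or module's own code: the BitLocker, LAPS and
# inactive-device checks with the page's thresholds, over constructed records.
# Assumed: records were already pulled with the ReadBasic scopes, so they hold
# only metadata (volume type, backup time), never a recovery key or password.
$now = Get-Date
$devices = @(   # constructed managed-device records; the two Has*Policy flags are assumed
    [pscustomobject]@{ DeviceName='LT-001'; AzureAdDeviceId='d1'; IsEncrypted=$true;  HasBitLockerPolicy=$true; HasLapsPolicy=$true;  LastSyncDateTime=$now.AddDays(-3) }
    [pscustomobject]@{ DeviceName='LT-002'; AzureAdDeviceId='d2'; IsEncrypted=$true;  HasBitLockerPolicy=$true; HasLapsPolicy=$true;  LastSyncDateTime=$now.AddDays(-10) }
    [pscustomobject]@{ DeviceName='LT-003'; AzureAdDeviceId='d3'; IsEncrypted=$false; HasBitLockerPolicy=$true; HasLapsPolicy=$false; LastSyncDateTime=$now.AddDays(-120) }
)
$recoveryKeys = @(   # constructed key metadata: d2 has only a data-volume key, so its OS key is missing
    [pscustomobject]@{ DeviceId='d1'; VolumeType='operatingSystemVolume' }
    [pscustomobject]@{ DeviceId='d2'; VolumeType='fixedDataVolume' }
)
$lapsBackups = @(    # constructed LAPS backup metadata: d2's last backup is past the 60-day limit
    [pscustomobject]@{ Id='d1'; LastBackupDateTime=$now.AddDays(-5) }
    [pscustomobject]@{ Id='d2'; LastBackupDateTime=$now.AddDays(-75) }
)

function Get-IntuneAnomaly {
    param($Devices, $RecoveryKeys, $LapsBackups, [int]$LapsMaxAgeDays = 60, [int]$InactiveDays = 90)
    # Index both record sets once so each device check is a hashtable lookup.
    $osKeyDevices = @{}
    foreach ($k in $RecoveryKeys) {
        if ($k.VolumeType -eq 'operatingSystemVolume') { $osKeyDevices[$k.DeviceId] = $true }
    }
    $lapsByDevice = @{}
    foreach ($b in $LapsBackups) { $lapsByDevice[$b.Id] = $b.LastBackupDateTime }

    foreach ($d in $Devices) {
        if (-not $d.IsEncrypted) {
            [pscustomobject]@{ Device=$d.DeviceName; Check='BitLocker'; Finding='Not encrypted' }
        } elseif ($d.HasBitLockerPolicy -and -not $osKeyDevices[$d.AzureAdDeviceId]) {
            [pscustomobject]@{ Device=$d.DeviceName; Check='BitLocker'; Finding='Policy assigned but no OS-volume recovery key in Entra' }
        }
        if ($d.HasLapsPolicy) {
            $last = $lapsByDevice[$d.AzureAdDeviceId]
            if (-not $last) {
                [pscustomobject]@{ Device=$d.DeviceName; Check='LAPS'; Finding='No local admin password backup in Entra' }
            } elseif ($last -lt $now.AddDays(-$LapsMaxAgeDays)) {
                [pscustomobject]@{ Device=$d.DeviceName; Check='LAPS'; Finding="Backup older than $LapsMaxAgeDays days" }
            }
        }
        if ($d.LastSyncDateTime -lt $now.AddDays(-$InactiveDays)) {
            [pscustomobject]@{ Device=$d.DeviceName; Check='Inactive'; Finding="No Intune check-in for $InactiveDays+ days" }
        }
    }
}

Get-IntuneAnomaly -Devices $devices -RecoveryKeys $recoveryKeys -LapsBackups $lapsBackups | Format-Table -AutoSize
```

With the sample data, LT-001 produces no findings, LT-002 is flagged for the missing OS-volume key and the 75-day-old LAPS backup, and LT-003 is flagged as unencrypted and inactive.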
How does it work?
Note: This standalone script has been consolidated into the RKSolutions PowerShell module as Get-IntuneAnomaliesReport. The module receives all ongoing detections, fixes, and performance work; the original standalone script on PowerShell Gallery still runs but is no longer maintained for new features. Install or update the module:
Install-Module -Name RKSolutions -Scope CurrentUser
# or, if already installed:
Update-Module -Name RKSolutions
PowerShell Gallery: RKSolutions
This script is available in the PowerShell Gallery (https://www.powershellgallery.com/packages/Generate-IntuneAnomaliesReport/). You can install it with the following command:
Install-Script -Name Generate-IntuneAnomaliesReport -Force
Interactive Authentication
This is the simplest way to run the script. It will prompt you to log in with your Entra ID credentials.
Generate-IntuneAnomaliesReport.ps1
Client Secret Authentication
This method is useful for automation scenarios. You’ll need to create an Entra ID application and grant it the required permissions.
Generate-IntuneAnomaliesReport.ps1 -TenantId "your-tenant-id" -ClientId "your-client-id" -ClientSecret "your-client-secret"
Certificate Authentication
This method is also suitable for automation and is more secure than using a client secret. You’ll need to create an Entra ID application, upload a certificate, and provide the certificate thumbprint.
Generate-IntuneAnomaliesReport.ps1 -TenantId "your-tenant-id" -ClientId "your-client-id" -CertificateThumbprint "your-certificateThumbprint"
Access Token Authentication
Accepts a pre-acquired access token for authentication. Useful when you’ve already obtained a token through another process or when integrating with existing authentication workflows. Provides flexibility but requires separate token management.
Generate-IntuneAnomaliesReport.ps1 -Accesstoken "AccessToken"
Managed Identity Authentication
Uses Azure’s managed identities to authenticate without storing credentials. Ideal for scripts running in Azure environments (VMs, Functions, Automation). The most secure option as it eliminates credential management entirely.
Generate-IntuneAnomaliesReport.ps1 -Identity "ManagedIdentity"
Email Functionality
This makes it easy to email reports automatically after generation.
Generate-IntuneAnomaliesReport.ps1 -SendEmail -Recipient "Recipient" -From "Sender"
Demo
Conclusion
This script is designed to simplify what has traditionally been a complex and time-consuming task for administrators: identifying and addressing anomalies within their Microsoft Intune environment. Hopefully, this tool will make it significantly easier for you to maintain optimal device management and security.
If you encounter any bugs or have ideas for improvements, please let me know. I’m actively maintaining this tool and welcome your feedback to make it even better.
Related
- RKSolutions PowerShell Module - this report is now available as part of the RKSolutions module alongside Entra admin roles, license assignment, and enrollment reports.