Introducing New Policy Reports & more in Microsoft Endpoint Manager Reporting

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

By: Laura Arrizza - Program Manager and Spencer Shumway – Program Manager | Microsoft Endpoint Manager - Intune

 

We are introducing two new reports in the policy configuration space within Microsoft Endpoint Manager to help IT admins troubleshoot where failures may occur across their device configuration profiles and compliance policies. You will be able to use the two reports to see where conflicts and errors are occurring, with the ability to narrow it down to the device and setting level to identify where the issues lie.

 

In addition, there are a few general reporting infrastructure announcements that customers should be aware of when using all new reports. We’ve called these out at the end of this blog post.

 


 

New Policy Operational Reports

Customers can navigate to the “Monitor” section under the “Devices” node to see two new operational reports under the Configuration and Compliance headers. The “Assignment failures (preview)” report shows device configuration data, and the “Noncompliant policies (preview)” report shows compliance policy data.

 

Figure 1. Monitor | Assignment failures (preview)

Both reports follow a similar structure: the first view shows the list of policies in your environment and the count of devices in a failure state. The “Assignment failures” report shows the aggregate number of devices in an error or conflict state, with the ability to filter by profile type and platform. The “Noncompliant policies” report shows the aggregate number of devices in a noncompliant or error state, with the ability to filter by platform.

 

Figure 2. Monitor | Noncompliant policies (preview)

Throughout both reports, you can use the upgraded grid controls to search, sort, and filter across all the records. We have included easier page controls and faster export to a zip file containing the CSV records of the report view. In addition, the records will be updated automatically to refresh the data within approximately 20 minutes.

 

Figure 3. Monitor | Assignment failures (preview) overview

From the first view of the report, you can select the policy or profile that has devices in a failure state. This navigates to the second level of the report, which lists the device/user combinations that are in the failure state, each with its status. The number of records in this view may be higher than the aggregate count on the first view because records are listed per device, per user.

 

Admins have the same capabilities for the upgraded grid controls on this view and the ability to export the information locally. The report can also add extra columns to see extended Azure AD user information or device ID information.

 

Figure 4. Assignment failures - Android Enterprise

After viewing the devices and users in failure, you can select the device/user record to view all the settings applied on the device from the selected policy. Here, admins can easily see which settings are in an error or conflict state and are therefore causing the failure. Selecting the setting record opens the setting details context pane, which provides more insight for troubleshooting. If the setting is in a state of error, the error code can help identify what the error is. If the setting is in a state of conflict, the “source profiles” table can help identify which other profiles are causing the conflict.

 

Figure 5. Profile Setting Error

Overall, the new reports aim to help streamline the troubleshooting process for admins to identify where failures are occurring across their policies and drill down to the setting level to understand how to mitigate.

 

Known Issues in Public Preview

The new reports are available in public preview with some known issues that the team will work out before removing the preview tags. See below:

  • Administrative template profiles are not supported in the Assignment Failures report.
  • Settings for certificate profile types may appear as “#” in the report view. Work is in progress on how to report status for certificate profiles.
  • Specific RBAC roles have access to the reports:
    • Global administrator
    • Profile Manager (Built in Role)
    • Compliance Read-Only Admin
  • If an admin creates a new scope tag to be applied to the reports, it can take up to 24 hours for the scope tag to take effect. In that time, the policies that are affected by the scope tag may be removed from view in the interim period.
  • The setting details pane on the third level of the reports currently only shows the error code information if the setting is in error. The string version for the “Error details” is not yet available.

 

Existing Policy Reports and Roadmap

These two new reports are part of the effort to improve the policy reports across the console. As these are additive reports with fresher data, the records and numbers shown across the console in existing reports (i.e., the “Assignment Status” and “Policy Compliance” reports) may be slightly different. We encourage you to try out the new reports and use the existing ones for additional information.

 

You will continue to see improvements to the policy reporting space over the next few months. This includes adding security baseline and endpoint security records to the new “Assignment Failures” report, replacing older reports with new organizational ones, and ensuring consistency across the console.

 

Stay tuned for more updates on the What’s New and through this TechCommunity blog!

 

Reporting Announcements for Upcoming Changes:

  • Change to the default columns in Devices Export API call
  • Localization changes for data export
  • New Azure Monitor diagnostic setting that maps the Devices list

 

Change to the default columns in Devices Export API call

NOTE: This change only affects those using our new Reporting Export Graph API without any column selections. UI export, which is the more typical way to export the All Devices list, is not affected by this upcoming change.

 

When you make a request with no select columns provided:

{"reportName": "Devices", "filter": "", "select": "" }

 

you will receive the default column set. This default column set for the devices report contained some columns that were either not user friendly, not useful, or confusing. We will be removing those columns from the default column list starting December 2020. The columns being removed are listed here:

 

  • PhoneNumberE164Format
  • _ComputedComplianceState
  • _OS
  • OSDescription

 

These columns will still be available for selection if you need them, but only explicitly, and not by default. If you have built automation around the default columns of the device export when using the exportJobs API, and that automation uses any of these columns, you need to refactor your processes to explicitly select these and any other relevant columns like this:

 

{"reportName": "Devices", "filter": "", "select": ["PhoneNumberE164Format", "_ComputedComplianceState", "_OS", "OSDescription"]} 

 

Localization changes for data export

As many customers have noticed, we provide localized and non-localized column information with almost all report exports. It looks something like this for any given column that contains localizable data:

 

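| ComplianceState | ComplianceState_loc |
|-----------------|---------------------|
| 0               | Not evaluated       |
| 0               | Not evaluated       |
| 2               | Not compliant       |
| 0               | Not evaluated       |
| 2               | Not compliant       |
| 2               | Not compliant       |
| 0               | Not evaluated       |
| 0               | Not evaluated       |
| 0               | Not evaluated       |
| 2               | Not compliant       |
| 0               | Not evaluated       |
| 0               | Not evaluated       |
| 2               | Not compliant       |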

 

The human-readable/localized values are provided in the _loc column, while the actual column contains the enum/dev string values. These enum/dev string values are used to interact with the API and are less likely to change, which makes them ideal for automation.
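An added example (not from the original post or from Microsoft), in Python: it builds the explicit-select request body described in the default-columns section, then reads a constructed CSV export keyed on the enum column rather than the _loc text. The DeviceName column, the non-English label row and both function names are assumptions made for illustration.

```python
import csv
import io
import json

# Columns the post lists as leaving the default set of the Devices export.
REMOVED_DEFAULTS = {"PhoneNumberE164Format", "_ComputedComplianceState",
                    "_OS", "OSDescription"}

# Constructed sample export (not real tenant data). DeviceName is an assumed
# column; the last row shows a non-English _loc label for the same enum value.
SAMPLE_EXPORT = """DeviceName,ComplianceState,ComplianceState_loc
LAB-PC-01,0,Not evaluated
LAB-PC-02,2,Not compliant
LAB-PC-03,2,Nicht konform
"""

def build_export_request(needed_columns, report_name="Devices", report_filter=""):
    """Return (body, at_risk) for an export request with an explicit select."""
    select = list(dict.fromkeys(needed_columns))  # de-duplicate, keep order
    if not select:
        raise ValueError("list every column the automation reads")
    # Columns that a default-column request will stop returning.
    at_risk = sorted(REMOVED_DEFAULTS.intersection(select))
    body = {"reportName": report_name, "filter": report_filter, "select": select}
    return body, at_risk

def noncompliant_devices(export_csv, required):
    """Return device names whose enum ComplianceState is 2, plus seen labels."""
    reader = csv.DictReader(io.StringIO(export_csv))
    missing = [c for c in required if c not in (reader.fieldnames or [])]
    if missing:
        # Fail loudly instead of treating an absent column as "no findings".
        raise KeyError(f"export lacks expected columns: {missing}")
    flagged, labels = [], {}
    for row in reader:
        labels.setdefault(row["ComplianceState"], set()).add(row["ComplianceState_loc"])
        if row["ComplianceState"] == "2":  # 2 pairs with "Not compliant" in the post's sample
            flagged.append(row["DeviceName"])
    return flagged, labels

if __name__ == "__main__":
    cols = ["DeviceName", "ComplianceState", "ComplianceState_loc", "_OS"]
    body, at_risk = build_export_request(cols)
    print(json.dumps(body))
    print("must be selected explicitly:", at_risk)
    print(noncompliant_devices(SAMPLE_EXPORT, cols[:3]))
```

Matching on the localized string "Not compliant" would have missed LAB-PC-03, and a missing column raises an error rather than producing an empty, reassuring result.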

 

In contrast to this approach, we have a few export experiences that provide only the human readable/localized string data, which looks like this:

 

| OS      |
|---------|
| Windows |
| Windows |
| Windows |
| Windows |
| Windows |
| Android |
| Android |
| Android |
| Android |
| iOS     |
| iOS     |
| iOS     |
| iOS     |

 

We recognize that some customers prefer this approach, especially to avoid column re-mapping when taking data to external tools/sources for reporting.

 

Currently there is no way to configure which experience you will receive in regard to localization, as each report has a built-in default behavior that remains static. In the future, we are working to add the capability to specify the localization experience you prefer. If you have strong thoughts or feelings about what the new behaviors and defaults should be, or have existing issues with localization, just respond back on this blog post or tag @IntuneSuppTeam out on Twitter!

 

New Azure Monitor diagnostic setting that maps the Devices list

We have recently enabled a new Azure Monitor diagnostic setting called Devices for our internal testing. This testing precedes the release of a new Devices category that maps to the All Devices list in Microsoft Endpoint Manager admin center. While the setting is visible and can be configured, we will not publish data to your Azure Monitor subscription until we officially enable the setting early next year. We do not recommend enabling this setting until that time. As always, let us know if you have questions on this setting by replying back on this post or tagging @IntuneSuppTeam out on Twitter!

 

Total reports supported by our new infrastructure:

| New report | Sprint released (YYMM) |
|------------|------------------------|
| Non-compliant devices operational report (Devices > Monitor) | 1911 |
| Device Compliance organizational report (Reports > Device Compliance) | 1911 |
| Device compliance trends report (Reports > Device Compliance) | 1911 |
| Device compliance logging | 1911 |
| New Devices List - With upgraded controls for search, sort, filter, export and with better performance | 2003 |
| New Devices List in EDU console - With upgraded controls for search, sort, filter, export, and with better performance | 2005 |
| Antivirus agent status organizational report (Reports > Microsoft Defender Antivirus (Preview)) | 2009 |
| Antivirus agent status operational report (Endpoint security > Antivirus) | 2009 |
| Detected malware organizational report (Reports > Microsoft Defender Antivirus (Preview)) | 2009 |
| Detected malware operational report (Endpoint security > Antivirus) | 2009 |
| Group policy migration readiness organizational report (Reports > Group policy analytics (Preview)) | 2009 |
| Windows 10 feature updates organizational report (Reports > Windows updates (Preview)) | 2010 |
| Windows 10 feature updates operational report (Devices > Monitor) | 2010 |
| Noncompliant policies (Devices > Monitor) | 2011 |
| Assignment failures (Devices > Monitor) | 2011 |

 

Let us know if you have any additional questions on this by replying back to this post or tagging @IntuneSuppTeam out on Twitter.
