Intune
Intune Device Query: A Practical Guide
Topics: Intune
We found a very nice new feature in the Intune Console called Device Query. This feature is very well known from SCCM and is now also added to the Intune Suite via the Advanced Endpoint Analytics license. Intune Device Query can help you get more live insights from your endpoint devices. This post will show you how.
Understanding Intune Device Query: An Essential Tool for IT Admins
The device query functionality provides a mechanism for obtaining immediate insights into the status and settings of Windows devices. This feature, a component of the comprehensive Intune Advanced Analytics suite, empowers admins to execute Kusto queries for instantaneous data on devices, including their current condition and configuration details.
Utilizing this capability, administrators can diagnose issues with devices, verify their compliance, gather specific inventory data, and more. The Kusto Query Language enables the formulation of queries that tap into a wide range of device attributes, including hardware details, software setups, registry entries, and network configurations. The device query feature facilitates the acquisition of necessary device information on-demand. Through real-time query execution on a chosen device, it delivers data that can be leveraged for addressing security concerns or troubleshooting.
Intune Device Query Prerequisites
You need one of the following Intune Suite licenses:
- The Intune Advanced Analytics Add-on
- Microsoft Intune Suite
If you don’t have a license, you can purchase one or utilize a 90-day trial for up to 250 users. To get this license, open the Intune Portal and go to the Tenant administration -> Intune add-ons. Here, you will find all the different licenses, and for each, there is also a link to the Microsoft365 admin center to purchase or trial the licenses.
In addition, the devices that you want to query must be enrolled in Intune and Endpoint Analytics, and the admin needs the Managed Devices - Query permission.
How to Utilize Intune Device Query: Step-by-Step Guide
Open the Intune Portal and navigate to Devices -> Device name -> Device query.
From the menu blade, you can then create queries using the KQL syntax and click run to execute.
Intune Device Query Examples: Unlocking Device Insights
- Cpu : Get information about the CPU of a Device
Cpu | project ProcessorId, CurrentClockSpeed, MaxClockSpeed, CpuStatus - WindowsRegistry : This entity retrieves information about the registry under the specified registry key.
WindowsRegistry('PATH_OF_YOUR_REGISTRY_KEY')
| project RegistryKey, ValueName, ValueType, ValueData - WindowsEvent : This entity retrieves information from the specified information from specified log on the device.
WindowsEvent('System', 7d)
| where tostring(EventId) == 'EVENT_ID'
| project EventId, LoggedDateTime, LogName, Message, ProviderName, WindowsUserAccount These are only some examples. You have nearly unlimited capabilities using device queries and the power of KQL.
Intune Device Query Operators
Table Operators
Table operators can be used to filter, summarize, and transform data streams. The following operators are currently supported:
| Table operators | Description |
| count | Returns a table with a single record containing the number of records |
| distinct | Produces a table with the distinct combination of the provided columns of the input table |
| join | Merge the rows of two tables to form a new table by matching row for the same device |
| order by | Sort the rows of the input table into order by one or more columns |
| project | Select the columns to include, rename or drop, and insert new computed columns |
| take | Return up to the specified number of rows |
| top | Returns the first N records sorted by the specified columns |
| where | Filters a table to the subset of rows that satisfy a predicate |
Scalar Operators
| Operators | Description | Example |
| == | Equal | 1 == 1, ‘aBc’ == ‘AbC’ |
| != | Not Equal | 1 != 2, ‘abc’ != ‘abcd’ |
| < | Less | 1 < 2, ‘abc’ < ‘DEF’ |
| > | Greater | 2 > 1, ‘xyz’ > ‘XYZ’ |
| <= | Less or Equal | 1 <= 2, ‘abc’ <= ‘abc’ |
| >= | Greater or Equal | 2 >= 1, ‘abc’ >= ‘ABC’ |
| + | Add | 2 + 1, now() + 1d |
| – | Subtract | 2 – 1, now() – 1h |
| * | Multiply | 2 * 2 |
| / | Divide | 2 / 1 |
| % | Modulo | 2 % 1 |
| like | Left Hand Side (LHS) contains a match for Right Hand Side (RHS) | ‘abc’ like ‘%B%’ |
| !like | LHS doesn’t contain a match for RHS | ‘abc’ !like ‘_d_’ |
| contains | RHS occurs as a subsequence of LHS | ‘abc’ contains ‘b’ |
| !contains | RHS doesn’t occur in LHS | ‘team’ !contains ‘i’ |
| startswith | RHS is an initial subsequence of LHS | ‘team’ startswith ‘tea’ |
| !startswith | RHS isn’t an initial subsequence of LHS | ‘abc’ !startswith ‘bc’ |
| endswith | RHS is a closing subsequence of LHS | ‘abc’ endswith ‘bc’ |
| !endswith | RHS isn’t a closing subsequence of LHS | ‘abc’ !endswith ‘a’ |
| and | True if and only if RHS and LHS are true | (1 == 1) and (2 == 2) |
| or | True if and only if RHS or LHS is true | (1 == 1) or (1 == 2) |
Aggregation Functions
Aggregation functions can be used with the summarize table operator to calculate summarized values. The following aggregation functions are currently supported:
| Function | Description |
| avg() | Returns the average of the values across the group |
| count() | Returns a count of the records per summarization group |
| countif() | Returns a count of rows for which Predicate evaluates to true |
| dcount() | Returns the number of distinct values in the group |
| max() | Returns the maximum value across the group |
| maxif() | Starting in version 2107, you can use maxif with the summarize table operator. Returns the maximum value across the group for which Predicate evaluates to true. |
| min() | Returns the minimum value across the group |
| minif() | Starting in version 2107, you can use minif with the summarize table operator. Returns the minimum value across the group for which Predicate evaluates to true. |
| percentile() | Returns an estimate for the specified nearest-rank percentile of the population defined by Expr |
| sum() | Returns the sum of the values across the group |
| sumif() | Returns a sum of Expr for which Predicate evaluates to true |
Scalar Functions
Scalar functions can be used in expressions. Currently the following scalar functions are supported:
| Function | Description |
| ago() | Subtracts the given timespan from the current UTC clock time |
| bin() | Rounds values down to many datetime multiple of a given bin size |
| case() | Evaluates a list of predicates and returns the first result expression whose predicate is satisfied |
| datetime_add() | Calculates a new datetime from a specified datepart multiplied by a specified amount, added to a specified datetime |
| datetime_diff() | Calculates the difference between two date time values |
| iif() | Evaluates the first argument and returns the value of either the second or third arguments depending on whether the predicate evaluated to true (second) or false (third) |
| indexof() | Function reports the zero-based index of the first occurrence of a specified string within input string |
| isnotnull() | Evaluates its sole argument and returns a Boolean value indicating if the argument evaluates to a non-null value |
| isnull() | Evaluates its sole argument and returns a Boolean value indicating if the argument evaluates to a null value |
| now() | Returns the current UTC clock time |
| strcat() | Concatenates between 1 and 64 arguments |
| strlen() | Returns the length, in characters, of the input string |
| substring() | Extracts a substring from a source string starting from some index to the end of the string |
| tostring() | Converts input to a string representation |
Leveraging the Graph API for Intune Device Queries
Here you can find a PowerShell script to run the query with code. To do this we first have to figure out the Id of the device and then encode the query to a base64.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"
$hostname = ""
$query=""
$device_id_url = 'https://graph.microsoft.com/beta/deviceManagement/managedDevices?$filter=deviceName eq '+"'$hostname'&" + '$select=id'
$device_id = Invoke-MgGraphRequest -Uri $device_id_url -Method GET
$device_id = $device_id[0].id
$encodedBytes = [System.Text.Encoding]::UTF8.GetBytes($query)
$encodedText = [System.Convert]::ToBase64String($encodedBytes)
$DeviceQuery_URL = "https://graph.microsoft.com/beta/deviceManagement/managedDevices('$device_id')/createQuery"
$Body = @{
"query"="$encodedText"
}
Invoke-MgGraphRequest -Uri $DeviceQuery_URL -Method POST -Body $Body Enhancing Efficiency with Intune Device Query
Leveraging Intune Device Query empowers administrators to swiftly access and analyze device data, ensuring operational efficiency and security compliance. This guide has equipped you with the knowledge to effectively implement and benefit from this powerful tool, enhancing your IT management capabilities.
