Query Details
Intune Compliance Failuresby Operating System
Query
//Compliance Failures by Operating System let ComplianceLogs= IntuneOperationalLogs | where OperationName == "Compliance" | project TimeGenerated, Properties; ComplianceLogs | sort by TimeGenerated desc | join ( ComplianceLogs | extend myJson = todynamic(Properties) | project-away Properties | extend IntuneDeviceId=tostring(myJson["IntuneDeviceId"]) | project TimeGenerated, IntuneDeviceId | summarize TimeGenerated=max(TimeGenerated) by IntuneDeviceId ) on TimeGenerated | project-away TimeGenerated1, IntuneDeviceId | extend myJson=todynamic(Properties) | project-away Properties | extend DeviceOperatingSystem=tostring(myJson["DeviceOperatingSystem"]) | summarize FailureCount=count() by DeviceOperatingSystem | sort by FailureCount desc
Explanation
This query is summarizing compliance failures by operating system. It retrieves compliance logs from IntuneOperationalLogs where the operation name is "Compliance". It then joins the logs based on the latest time generated for each device, and counts the number of failures for each operating system. The results are sorted by the number of failures in descending order.
Details
Rod Trent
Released: July 10, 2020
Tables
IntuneOperationalLogs
Keywords
Compliance,OperatingSystem,Intune,Device
Operators
| where==|projectsort bydescjoinextendmyJsontodynamicproject-awayIntuneDeviceIdsummarizecountsort bydesc