Query Details

Operational Show Users That Abandoned The Intune Enrollment

Query

// Show Users that abandoned the Intune Enrollment
// Inspiration: https://github.com/rod-trent/SentinelKQL/blob/master/Intune-Enrollmentsabandonedbytheuser.txt
IntuneOperationalLogs
| where TimeGenerated > ago(7d) // Change the value in () as you desire e.g. 12h, 10d, 30d. d = day, h = hour.
| where OperationName == "Enrollment" 
| where Result == "Fail"
| extend EnrollmentType = tostring(todynamic(Properties).EnrollmentType)
| extend FailureReason = tostring(todynamic(Properties).FailureReason)
| extend OS = tostring(todynamic(Properties).Os)
| extend OSVersion = tostring(todynamic(Properties).OsVersion)
| extend UserID = tostring(todynamic(Properties).IntuneUserId) // You will find the User in your Azure AD.
| where FailureReason == "UserAbandonment"
| project
    TimeGenerated,
    FailureReason,
    UserID,
    OS,
    OSVersion,
    OperationName,
    EnrollmentType
| sort by TimeGenerated desc 

Explanation

This query is designed to identify users who have abandoned the process of enrolling in Intune, a Microsoft service for mobile device management. It looks at operational logs from the past seven days (though this timeframe can be adjusted as needed), and filters for failed enrollment operations. It then extracts additional details about the enrollment attempt, such as the type of enrollment, the reason for failure, the operating system and version, and the user ID. The query specifically looks for instances where the failure reason was user abandonment. The results are then displayed in a table, sorted by the time the enrollment was attempted, with the most recent attempts shown first.

Details

Ugur Koc

Released: June 29, 2022

Tables

IntuneOperationalLogs

Keywords

IntuneOperationalLogs,TimeGenerated,OperationName,Result,EnrollmentType,FailureReason,OS,OSVersion,UserID,UserAbandonment

Operators

IntuneOperationalLogs,where,ago(),tostring(),todynamic(),extend,project,sort by,desc