HKLM only — the fastest path when you only have Intune access. Per-user HKCU is not in the diagnostics bundle, so the Per-user tile will show 0; use Option A if you need HKCU.
In the Intune admin center, run Collect diagnostics on the target device.
Apps with install failures across the fleet, sorted by failure count. Click any error code for an AI-powered diagnosis.
Switch to this view to aggregate error codes across every failing app — useful for spotting systemic issues (Store offline, App Installer broken) vs app-specific failures.
Error-code view columns: Error code, Hex, Devices affected, Apps affected, Sample apps.
Tiles: Failed (devices with install failures); Unique error codes (distinct failure reasons); User failures (distinct affected users).
Failed installs table columns: Application, Version, Platform, Device, User, State, Error, Last modified, Actions.
Tenant health summary for customer-review meetings — totals, refresh attention, top failures, top drift. Auto-loaded on sign-in.
Tiles: Managed devices (across all platforms); Needing attention (stale 90+ days or Win 10); Apps with failures (FailedDeviceCount > 0); Drifted software (P2/E5) (components with >20% drift).
Top failing apps columns: App, Publisher, Failed devices.
Top drifted software columns: Software, Drift %, Drifted devices.
Find which devices have a given app, with per-device version and state. Export the device list for targeted upgrades or exclusion groups.
Tiles: Assigned apps (in this tenant); Zero installs (assigned 30+ days, installed nowhere).
Panels: Assigned to; Installed devices.
Installed devices table columns: Device, User, Version, State, Platform, Last modified.
Multi-Admin Approval queue for this tenant — every pending and recent approval request across apps, scripts, configurations, and device actions. Approve or reject inline; no admin-center context switch.
Tiles: Pending (needs approval); Approved (last 7 days); Rejected (last 7 days); Expired (last 7 days); Resolution rate (decided / seen).
Approval queue table columns: Requestor, Type, Status, Requested, Last updated, Justification, Actions.
Audit view of Win32 apps assigned as Required — toggle between All Devices and All Users assignments.
Apps with an Uninstall assignment to a group — what's being actively removed from the fleet.
Managed-device inventory for Win11 readiness, post-EOS Win10 cleanup, and stale-device refresh planning. Tile filters + CSV export for Entra-group import.
Tiles: Modern OS rate (on Windows 11); Windows 10 (Past EOS · Oct 2025); Windows 11; Stale 90+ days (no check-in for 90 days+); 4GB RAM (≤ 4GB installed); 8GB RAM (8GB installed); 16GB RAM (16GB installed); 32+ GB RAM (≥ 32GB installed); 64GB Storage (≤ 64GB total); 128GB Storage (128GB total); 256GB Storage (256GB total); 512+ GB Storage (≥ 512GB total); Duplicate serial (same serial on 2+ records); Missing from Entra (no Entra match); No primary user (empty UPN).
Hardware inventory filters: Platform, RAM, Storage, Manufacturer.
Hardware inventory table columns: Device Name, Manufacturer, Model, RAM (GB), Total (GB), Free (GB), Windows, Last Check-in, Actions.
Autopilot reconciliation — find Autopilot device records still registered after their Intune device was retired or reimaged, devices in Autopilot that haven't been assigned a deployment profile, and duplicate Entra device objects pointing at the same Autopilot identity. Hybrid-by-design duplicates (one Entra-joined + one hybrid-joined record per device) are hidden by default.
Tiles: Autopilot devices (in scope); Orphan (no managed device); No profile (profile unassigned); Duplicate Entra (≥ 2 Entra records); Autopilot health (clean records).
Autopilot devices table columns: Serial, Manufacturer, Model, Group tag, PO, Profile, Last contact, Status.
BitLocker escrow audit — Windows devices that report as encrypted in Intune cross-referenced with recovery keys actually backed up in Entra. Split into three risk tiers: Encrypted + Key (fully protected), Encrypted, no key (critical — real data-loss risk if the drive fails), and Not encrypted (policy non-compliance).
Tiles: Windows devices (in scope); Encrypted + Key (fully protected); Encrypted, no key (critical, no recovery); Not encrypted (policy gap); Key escrow rate (of encrypted).
Devices table columns: Device, User, Windows, Model, Encrypted (Intune), Keys escrowed, Last check-in.
MDM device-cert renewal health. Surfaces Windows devices whose management certificate is expiring, already expired, or whose sync has gone stale relative to the cert lifecycle — the silent drop-off pattern Microsoft's CA rollover triggered in May 2026.
Tiles: Windows devices (in scope); Expiring (≤ 30 days remaining); Expired (already past expiry); Stale sync (no check-in ≥ 14 days); Cert health rate (no flag).
Devices table columns: Device, User, Windows, Days remaining, Cert expires, Days since sync, Status, Actions.
Defender software inventory with CVE counts and exposed-device counts. Requires Defender for Endpoint P2 or M365 E5, and the Security Administrator role.
Tile: Software (unique components).
Software inventory table columns: Software, OS Platform, Vendor, Weaknesses, Exposed Devices.
Group-centric reverse lookup — pick an Entra group and see every policy, app, script, and update profile targeting it. The Hygiene panel above surfaces cruft: items with no assignments, assignments pointing at empty groups, and orphaned assignment filters.
Hygiene tiles: Unassigned items (policies / apps / scripts with no assignment); Empty-group assignments (silent no-ops: group has zero members); Orphaned filters (assignment filters not referenced); Filters in use (filters referenced by ≥ 1 assignment).
Type a group name above to see what's assigned to it.
Group tiles: Apps (mobile apps assigned); Configuration profiles (deviceConfigurations, legacy); Settings catalog (configurationPolicies); Compliance policies (platform compliance rules); PowerShell scripts (deviceManagementScripts); Remediations (deviceHealthScripts); Windows Update profiles (feature · quality · driver).
Apps table columns: Name, Intent, Filter, Exclusion, Last modified.
Configuration profiles table columns: Name, Type, Filter, Exclusion, Last modified.
Compliance policies table columns: Name, Platform, Filter, Exclusion, Last modified.
Remediations table columns: Name, Schedule, Exclusion, Last modified.
Settings catalog table columns: Name, Platform, Filter, Exclusion, Last modified.
PowerShell scripts table columns: Name, Run as, Filter, Exclusion, Last modified.
Windows Update profiles table columns: Name, Type, Filter, Exclusion, Last modified.
Fleet-wide software version drift via Defender. Catches cross-product-family drift (.NET 8 vs 9, Snagit major versions) Intune's reports can't see. Requires Defender for Endpoint P2 or M365 E5, and the Security Administrator role.
Software Version Drift & Compliance
Tiles: Software with Drift > 10% (≥ 1 device on a non-dominant version); Fleet compliance rate (on dominant version); Devices Affected (sum of drifted-device counts); Top Drifted Software.
Software version drift table columns: Software, Vendor, Dominant Version, Drift %, Drifted Devices, Versions Detected.
Entra ID device recycle bin (preview). Soft-deleted devices remain restorable for 30 days with BitLocker recovery keys, LAPS passwords, and key material preserved. Only Cloud Device Administrator, Intune Administrator, or Global Administrator can restore. Hybrid-joined devices are hard-deleted and do not appear here.
Soft-deleted devices table columns: Device name, OS, Trust type, Object ID, Deleted at, Days remaining, Enabled at delete, Action.
Entra member accounts that are inactive or never signed in — the license-reclaim / identity-hygiene view for customer reviews. Last activity = the most recent of lastSignInDateTime, lastNonInteractiveSignInDateTime, and lastSuccessfulSignInDateTime, so non-interactive activity doesn't false-flag a user. Read-only by default; Revoke / Disable request scopes just-in-time on first click — list-only viewers are never prompted for write scopes. signInActivity requires Entra ID P1/P2.
Tiles: Members in scope (enabled member accounts); Idle 90+ days (no recent sign-in); Never signed in (no recorded activity); Licensed & stale (≥ 1 license + stale).
Members table (filter: Idle threshold) columns: Display name, UPN, Last activity, Days idle, Sign-in, Licensed, Status, Actions.
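The last-activity rule described for the inactive-accounts view, as an added JavaScript example (not the dashboard's own code). Property names are Microsoft Graph's; the function names, the sample users, and counting a licensed never-signed-in account as stale are assumptions.

```javascript
// Added example. Property names follow Microsoft Graph's user resource;
// the function names and SAMPLE_USERS are constructed for illustration.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample records (not real tenant data).
const SAMPLE_USERS = [
  { userPrincipalName: "alice@example.test", accountEnabled: true, userType: "Member",
    assignedLicenses: [{}],
    signInActivity: { lastSignInDateTime: "2025-01-10T00:00:00Z",
                      lastNonInteractiveSignInDateTime: "2025-09-20T00:00:00Z" } },
  { userPrincipalName: "bob@example.test", accountEnabled: true, userType: "Member",
    assignedLicenses: [{}],
    signInActivity: { lastSignInDateTime: "2025-05-01T00:00:00Z" } },
  { userPrincipalName: "carol@example.test", accountEnabled: true, userType: "Member",
    assignedLicenses: [], signInActivity: null },
  { userPrincipalName: "guest@example.test", accountEnabled: true, userType: "Guest",
    assignedLicenses: [], signInActivity: null },
];

// Most recent of the three timestamps, or null when none is recorded.
function lastActivity(user) {
  const s = user.signInActivity || {};
  const times = [s.lastSignInDateTime, s.lastNonInteractiveSignInDateTime,
                 s.lastSuccessfulSignInDateTime]
    .map((t) => (t ? Date.parse(t) : NaN))
    .filter((ms) => !Number.isNaN(ms));
  return times.length ? new Date(Math.max(...times)) : null;
}

// Classify one account against the idle threshold (in days).
function classify(user, now, idleDays = 90) {
  const last = lastActivity(user);
  const licensed = (user.assignedLicenses || []).length > 0;
  if (last === null) {
    // Assumption: a licensed account with no recorded activity counts as stale.
    return { status: "never-signed-in", daysIdle: null, licensedAndStale: licensed };
  }
  const daysIdle = Math.floor((now.getTime() - last.getTime()) / DAY_MS);
  const stale = daysIdle >= idleDays;
  return { status: stale ? "idle" : "active", daysIdle, licensedAndStale: licensed && stale };
}

// Members in scope: enabled member accounts only.
function staleReport(users, now, idleDays = 90) {
  return users
    .filter((u) => u.accountEnabled === true && u.userType === "Member")
    .map((u) => ({ upn: u.userPrincipalName, ...classify(u, now, idleDays) }));
}
```

With the sample data, alice's interactive sign-in is months old, but her recent non-interactive sign-in keeps her out of the idle set, which is the false-flag case the rule is meant to avoid.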
Locally installed AI agents discovered across the fleet — the shadow-AI visibility view, fed by Defender for Endpoint agent discovery (preview): CLI agents (Claude Code, Codex, Gemini CLI, GitHub Copilot CLI), desktop apps (ChatGPT, Claude, Ollama), agentic IDEs (Cursor, Windsurf), and VS Code extensions — see the supported-agent list; agents not on it are invisible to discovery. Detection logic adapted from SlimKQL / Detections.AI. Because the preview's hunting schema is in flux, the tab cascades through four sources — AgentsInfo → AIAgentsInfo (retired July 1, 2026) → the exposure graph (ExposureGraphEdges) → the fleet scan (the AI Agent Scan Proactive Remediation, deployable from this tab's empty state — agentless client-side hunting until Microsoft enables discovery by default) — and a banner states which one answered. Defender sources need P2 / M365 E5, the ThreatHunting.Read.All scope (already requested at sign-in), and a Defender security role on the signed-in user; the fleet scan only needs the existing Intune scopes.
Tiles: Agent installs (local AI agents detected); Unique agents (distinct agent names); Devices with agents (≥ 1 agent installed); New (7 days) (recently installed); Fleet footprint (of onboarded devices).
Windows devices below your selected free-disk-space threshold. The Win32 app Disk space required (MB) requirement rule silently marks a device as Requirements not met or Not Applicable when free space is below the rule — no obvious error in the Intune console, just a missing install. When an install does attempt and fails on disk, the IME logs commonly show 0x80070070 (not enough space on disk) or 0x87D30067 (extraction failed, often disk-related). Background context: Microsoft incident IT1168328 (the Intune Store / WinGet log bloat bug) silently filled %windir%\Temp\WinGet\defaultState on many tenants through 2025, and Windows 11 24H2 upgrades have pushed disk pressure up across the fleet.
Tiles: Windows devices (in scope); < 1 GB free (emergency); < 5 GB free (at risk); < 20 GB free (watch); Lowest free; Disk health rate (≥ 20 GB free).
Devices table columns: Device, User, Windows, Model, Free, Total, Free %, Last check-in.
All proactive remediation scripts (deviceHealthScripts) with their schedules. Click a script to open its Intune admin-center blade.
⚡ IME Required App Check-in — run on a device (Rudy Ooms / Call4Cloud)
Pick a Windows device and force an on-demand required-app check-in — triggers the IME IStatusService.CheckInAsync path, cutting the ~60-minute wait for required Win32 apps after Autopilot or a new assignment. The remediation runs as the logged-on user, so the device needs a signed-in user and to be online; otherwise Intune queues it. The same ⚡ Check-in action also lives on every device row in the Hardware, Failed Install, and Cert health tabs.
Verify a run on the device (signed in as that user) — log folder: %LOCALAPPDATA%\IMERequiredAppCheckinRemediation\Logs
Remediations table columns: Script name, Publisher, Schedule, Assigned groups, Last modified.
Real per-user application usage from Intune-managed Windows devices, agentless via Proactive Remediations. Surfaces "installed but never launched" and "idle 90+ days" candidates for licence reclamation. See scripts/README.md for the collection script. Privacy: usernames are reduced to a single initial; no window titles, document names, URLs, or file paths are collected.
Software metering not configured for this customer
The metering collection script is a Proactive Remediation that needs to be created in this tenant before this tab has data to show. Deploy it directly from here, or upload scripts/software-metering-detect.ps1 manually and paste its script ID into Settings → Customers.
requires re-consent for one new write scope on first use
Version sprawl in your Intune app catalog (deviceAppManagement/mobileApps) — the app packages you've created/uploaded, assigned or not. Surfaces apps you hold many versions of (the classic "11 Notepad++ packages" mess, often from PatchMyPC publishing) so you can retire the superseded ones. Surplus = packages older than the newest version of that app; Unassigned packages target no group at all (safest to delete). Click 🗑 on any package to delete it from Intune (reuses the typed-confirm Delete flow, multi-admin-approval aware).
Tiles: Multi-version apps (of all apps); Worst offender; Surplus packages (older versions to retire); Unassigned packages (orphans, safest to delete); Single-version rate (apps with no duplicates).
Apps table columns: App, Publisher, Packages, Newest version, Assigned, Unassigned, Platform.
Per-app package table columns: Version, Assignment, Created, Actions.
Drop one or more Intune log files (IME / AgentExecutor / MSI verbose) for AI-powered triage. Auto-trim cuts input tokens ~80%.
Log file analysis
Drop one or more Intune log files below. Default location on Windows:
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
Configure customers (for MSPs managing multiple tenants) and the Claude API key for the optional AI features. Everything stored in your browser's localStorage only.
Customers
For MSPs managing multiple tenants. Add each customer with a short code (2–3 letters) — the code is what shows in the dashboard's tenant dropdown so customer names stay off your screenshots. Only the code, the login email, an optional approver list, and optional remediation script IDs (Software Metering and IME Required App Check-in) are stored; no tokens. The dropdown appears once you've added two or more. When you submit a delete on a Multi-Admin-Approval tenant, the dashboard emails the approver list from your own mailbox (uses the Mail.Send scope, consent requested on first use).
Claude API key
Used to analyze Intune error codes with AI. Accepts an Anthropic key (sk-ant-…, calls api.anthropic.com) or an OpenRouter key (sk-or-…, calls openrouter.ai with the same Claude models) — the provider is detected from the key prefix. Stored in your browser's localStorage — never sent anywhere else.
Model
Pick a model based on cost vs. depth of analysis. Each error-code analysis uses roughly 500 input + 400 output tokens.
Choosing a model
Haiku 4.5 is the default — cheapest, fastest, and has its own rate-limit bucket so it won't conflict with other Anthropic API usage. Sufficient for error-code lookup and most MSI logs where the failure is a single obvious stack trace.
Haiku 4.5 — default. Most error codes and routine logs.
Sonnet 4.6 — escalate when Haiku misses something. Better at correlating timestamps across long IME logs and isolating root cause from noise.
Opus 4.7 — reserve for cases where Sonnet gives up. New tokenizer uses up to 35% more tokens, so effective cost gap is wider than headline pricing.
Biggest cost lever: auto-trim logs before sending — grep for error/return-value lines + surrounding context cuts input tokens 80%+ with no quality loss.
Auto-deploy Software Metering script
This creates a Proactive Remediation in the active tenant and starts running on the targeted devices on the next sync. The script always exits 0 (detection-only — no remediation runs). On first use this requires re-consent for the DeviceManagementScripts.ReadWrite.All scope.