Brand new: Device Query for Multiple Devices in Intune


In the ever-evolving landscape of IT management, having real-time insights into the state of your devices is crucial. Microsoft Intune now provides a feature known as Device Query for multiple devices that allows IT administrators to query multiple devices simultaneously using Kusto Query Language (KQL). This capability is essential for troubleshooting, responding to security threats, and making informed business decisions. This is of course based on the Device Query (for single device) feature that was released last year.

Requirements to run Device Query for Multiple Devices

To take advantage of querying multiple devices, ensure you have the Managed Devices – Query permission and that your devices are enrolled in Endpoint Analytics. Note that the user cannot have a scope tag assigned. If you use scope tags, you need to use the Global Admin or Intune Administrator role.

You will need a license that includes Microsoft Intune Advanced Analytics. This is included in:

  • Intune Advanced Analytics add-on
  • Microsoft Intune Suite.

The devices must be corporate-owned for you to be able to see and search the inventoried data.

You must collect the device inventory data. For more info on how to do this, see:
Introducing the new Device Inventory for Windows in Intune – Mr T-Bone´s Blog

How to Perform a Device Query for Multiple Devices

  1. Access the Intune Admin Center:
    Start by logging into the Microsoft Intune admin center. Navigate to Devices and select Device query.
  2. Compose your KQL query in the query box. Write a query that can fetch data from multiple devices. For example, to get a list of devices and their OS versions, you could use:

    Device
    | project DeviceName, OSVersion

  3. Select Run to execute the query.
  4. Results are now displayed in the Results tab area.

Practical Use Cases

Device Query for multiple devices can be used in a variety of scenarios:

  • Compliance and Security: Identify devices that do not meet compliance standards or have potential security vulnerabilities.
  • Performance Monitoring: Monitor device performance metrics across your organization.
  • Inventory Management: Get detailed reports on device inventory to manage your assets more effectively.

Kusto Query Language (KQL)

KQL is a powerful query language used to retrieve and manipulate data from large datasets. It’s designed for working with structured, semi-structured, and unstructured data stored in Microsoft data services, such as Azure Monitor, Azure Data Explorer, and Microsoft Intune. KQL is highly optimized for performance and is particularly useful for analytics, diagnostics, and monitoring.

Crash course of KQL Query

A KQL query typically starts with a table and then applies various operators and functions to filter, transform, and analyze the data.

1. Starting with a Table

The first step is to specify the table you want to query. In this case, we’ll start with the Device table.

Device

This retrieves all the data from the Device table.
You can visually see all properties available in that table.

2. Applying Filters with the Where Operator

You can then use operators to filter that table. The Where operator is a common filter operator that filters rows based on a condition. For example, to find all devices with a DeviceName that starts with “Tbone-”:

Device
| where DeviceName startswith "Tbone-"

This filters the data to show only rows where the DeviceName column value starts with “Tbone-”.

3. Customize output with Project Operator

You can also use Operators to modify the output. The Project operator is used to select specific columns to display. For example, to show only DeviceName, SerialNumber, Manufacturer:

Device
| where DeviceName startswith "Tbone-"
| project DeviceName, SerialNumber, Manufacturer

This narrows down the result to only the DeviceName, SerialNumber, Manufacturer columns.

4. Aggregating Data with Summarize Operator

The Summarize operator is used to perform aggregations, such as counting, averaging, or summing data. For example, to count the number of devices from the same manufacturer:

Device
| where DeviceName startswith "Tbone-"
| project DeviceName, SerialNumber, Manufacturer
| summarize count() by Manufacturer

This counts the number of devices with the same Manufacturer.

5. Sorting Data with Order by Operator

The Order By operator is used to sort the result. For example, to sort the devices by manufacturer in descending order:

Device
| where DeviceName startswith "Tbone-"
| project DeviceName, SerialNumber, Manufacturer
| order by Manufacturer desc

This sorts the filtered results by the Manufacturer column in descending order.

Example Query Putting It All Together

Let’s combine all these concepts into a comprehensive query:

Device
| where DeviceName startswith "Tbone-"             // Filter devices whose name starts with Tbone-
| project DeviceName, SerialNumber, Manufacturer   // Select the relevant columns
| summarize count() by Manufacturer                // Count the number of devices from each manufacturer
| order by Manufacturer desc                       // Sort the results in descending order

Note that you can add comments to your query with //

I hope you find it simple. It is not that hard to do queries in KQL.

  • Table: Start with a table name to retrieve data.
  • where: Filter rows based on a condition.
  • project: Select specific columns to display.
  • summarize: Aggregate data to get meaningful insights.
  • order by: Sort the result set based on specified criteria.

By using these basic components, you can build powerful queries to analyze and gain insights from your data. You can find more info on supported Tables, operators and functions here:

https://learn.microsoft.com/mem/analytics/device-query-multiple-devices?WT.mc_id=EM-MVP-5004264
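
As an added example (not part of the original post), here are the same operators applied to the Compliance and Security use case listed earlier, using only the Device columns that appear in this post. It assumes OSVersion is a string holding the OS build number. The build prefix is a constructed value to replace with one from your own results.

```kusto
// Query 1: how many devices run each OS build?
// Builds with only a few devices are often the ones that missed updates.
Device
| summarize count() by OSVersion
| order by OSVersion asc

// Query 2: list the devices on one build family found in query 1.
// "10.0.19045" is a constructed sample prefix, not a value from this post.
Device
| where OSVersion startswith "10.0.19045"
| project DeviceName, SerialNumber, Manufacturer, OSVersion
| order by DeviceName asc
```

Run the two queries one at a time in the query box: the first gives the build distribution, the second turns one row of that distribution into a list of devices to follow up on.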

Summary

Device query for multiple devices really has the potential to become a great tool. We now have the power to find, sort and identify devices with specific hardware. I hope someday we will see more usage of this inside Intune as well, like using this KQL in Intune filters or using the KQL results to create dynamic groups. But it is really helpful as it is, so start testing this out in your own environments!

About The Author

Mr T-Bone

Torbjörn Tbone Granheden is a Solution Architect for Modern Workplace at Coligo AB. Most Valuable Professional (MVP) on Enterprise Mobility. Certified in most Microsoft technologies and over 23 years as Microsoft Certified Trainer (MCT)
