Intune change tracking - Operation
This site describes the operation of the Intune change tracking Azure Workbook solution. Related Links:
Content
The Intune change tracking currently includes this contents:
- Overview
- Intune Audit event types, An overview of different Audit event types, filtered by custom time range.
- Intune method, An overview of the most common Audit event methods, filtered by custom time range.
- Recent Audit events, A table of all Audit events, based on the selected time range.
- Intune Audit event count, A count of Audit events over a fixed time. range.
- Search profile types
- Profile type Audit events, Table output of custom profile type audit events.
- Search the Audit event by Correlation ID, Copy the correlationID from the query above to explore the event.
- Value changes, Find the changed Settings Name and compare old with the new values.
- Changes over time, This is a visualization of custom profile type changes, summarized per day.
- Top 10 modified profiles, Find the top modified profiles by profile type.
- Search events for profiles by a specific term, Please specify a term/name in the parameter below to search the Profile Names.
- Device Identity
- Device to tenant assignment, View stats for Autopilot device identity/hardware hash assignment to your tenant.
- Find Device Identity events, Search Device Identity events by action.
- Authenticated Identities, Pie chart about the used identities to register a hardware hash.
- Device operations
- Search Device operations, Find event logs for specified device actions.
- Search event logs for a specific device, Specify the Intune Device ID to find all Audit event logs.
General
All of the queries can be filtered and have an impact to a custom time range. The parameter is always available at the top:
Overview
The Overview shows most important log information of your Intune environment.
Intune Audit event types
This section is helpful to understand the different Intune subjects by listing most essential profile type Audit event counts.
Intune method
This is an overview of the most used Intune methods (Create, Delete, Patch and Assign). You can furthermore filter all the methods to display specific Audit events by:
- Assign
- Commit
- Create
- Delete
- Get
- Modify
- Patch
- Update
Recent Audit events
A list of recent Intune Audit Logs, if you are looking for an actions performed recently.
Intune Audit event count
A counter of Audit event counts for fixed time spans.
Search profile types
To further investigate the profile type events, consolidate this section, which provides a lot of different information, always filtered by a profile type.
If you want to search specific Audit events by profile type, you can set this parameter and use these values:
- Device configuration profiles
- Apps
- Update profiles
- Compliance policies
- Deployment profiles
- Scripts
- Proactive remediation
- Certificate profile
Profile type Audit events
Search the Audit event by Correlation ID
If you want to understand the changed values, in particular old and new values, you can copy the Correlation ID from the table above or any other table and insert the ID to this parameter.
Changes over time
Changes over time support you to get insights about when and how much Intune events where performed over time, also filtered by the profile type.
Top 10 modified profiles
This is a pie chart that shows the top ten profiles, that associated Audit events.
Search events from profiles by a specific term
If you are searching for a specific profile by name, or a term you can do this here.
Device Identity
The Device Identity is intended to conduct Autopilot device hardware hash event logs.
Device to tenant assignment
An overview count of the three different device identity actions.
Find Device Identity events
You can specifically search Device Identity Audit logs by action.
- Upload
- Update
- Delete
Authenticated Identities
A pie chart of the identities that were used to register a hardware hash.
Device operations
The Device operations allow to search Intune actions performed by Intune administrator roles.
Search Device operations
Filter a query by an operation:
- Log collection request
- Download URL
- Delete
- Sync
- Wipe
- Update primary user
- Clean (Fresh start/Autopilot reset)
- Reboot
- Defender Scan (quick/full)
- Update Defender signature
- Retire
- Rename
- Locate
Search event logs for a specific device
Here you can paste the IntuneDeviceID (from the Intune device object or query above) into the parameter. Then the query will display all Operations performed on this device.