Let’s Explore Microsoft Intune Device Query for Multiple Devices. This article will explain how to use Kusto Query Language (KQL) and Device Query feature for Multiple Devices. It aims to elucidate the process of getting details about your devices using Kusto Query Language (KQL) to query across collected inventory data for your devices.
Well, Device Query is not something new for Intune administrators. The Device Query reports are available in real time, and you can retrieve them directly. The output returned can be utilized to respond to security threats, troubleshoot the device, and make informed business decisions.
The Device Query feature was not available for Multiple Devices. Recently Microsoft added this feature available for Multiple Devices. This feature is a valuable tool that provides administrators with crucial insights into a wide range of software and hardware configurations multiple windows devices at same time.
This article will discuss accessing the last uploaded inventory and provide information about multiple Windows devices using the Device Query feature and KQL. Also, I will explain the Prerequisites and licenses you should have to access the Device Query feature in the Intune portal. Let’s get started..!
Table of Contents
Know More About Kusto Query Language (KQL)
The Device Query feature in Intune utilizes the Kusto Query Language (KQL) to obtain real-time data. However, it’s important to note that the device query only supports a limited set of KQL operators. KQL is a straightforward yet powerful language that allows users to easily query structured, semi-structured, and unstructured data.
The query intent is easily understood with this expressive and readable language optimized for authoring experiences. I would recommend referring to Microsoft’s Kusto Query Language learning resources. These resources provide comprehensive and insightful information on the subject matter and are designed to facilitate a deeper understanding of the topic. Also, refer to the Kusto Query Language (KQL) overview to explore more.
- SCCM Collection for Windows 11 22H2 Devices | CMPivot | SQL Queries
- Use SCCM CMPivot to Perform Security Audits Created New Local User Account | Tried to Reset Password
I have already published an article explaining Kusto Query Language (KQL) and Intune Device Query for single device in last year. I would recommend to you refer this article to learn how gain comprehensive insights about KQL and Device Query.
Prerequisites for Using Device Query for Multiple Devices
What are the Prerequisites for using Intune Device Query with multiple devices? To use Device query in your tenant, you must have a license that includes Microsoft Intune Advanced Analytics. The Advanced Analytics features are available with the Intune Advanced Analytics add-on and Microsoft Intune Suite.
For a user to use Device query, you must assign the Managed Devices – Query and Organization – Read permissions to them. Also, the Devices must be Intune managed and corporate owned. Device query for multiple devices only works on devices that are already collecting device inventory data.
- List of Intune Devices with Patch Deployment Status and Country Details using KQL queries
- Intune Pivot Query Real-time Reporting Troubleshooting Capabilities
To use Device query on a device, the device must be enrolled in Endpoint Analytics. Please remember the Device query for multiple devices is currently only supported on devices running Windows 10 and later. It not supported on non Windows devices.
Device queries for multiple devices do not show real-time information. Instead, they use data from the Device Inventory, which is collected from each device and sent to Intune about every 24 hours. This means any query reflects the device’s condition based on the last inventory upload, not its current condition.
The Intune Inventory Agent collects data on device hardware, performance, and reliability. This information is then uploaded and can be viewed in the Intune Resource Explorer. Multi-Device Queries use this uploaded inventory instead of checking the devices directly.
Supported Properties
Let’s learn about Supported Properties. Device query supports the following entities. If you would like to learn more about each entity and its property, please refer Intune Data Platform Schema.
| Entities | Description |
|---|---|
| Battery | Provides details about battery and battery health |
| Bios Info | Provides basic BIOS Information. |
| Cpu | Retrieves CPU hardware info on the machine. |
| Disk Drive | Retrieves basic information about the physical disks of a system. |
| Encryptable Volume | Retrieves encryptable volume status of the machine. |
| Logical Drive | Details for logical drives on the system. A logical drive generally represents a single partition. |
| Memory Info | Memory Information. |
| Network Adapter | Provides basic network adapter information. |
| Os Version | Privides operating system name and version |
| System Enclosure | Displays information pertaining to the chassis and its security status. |
| Time | Provides App Crash info in Windows event log file Application in look back time. |
| Tpm | Provides TPM related information of the device |
| Video Controller | Provides video controller and graphics information. |
| Windows Qfe | Information about security patches on the device. |
Discuss Known Limitations
As per Microsoft, there are few known limitations with Device Query feature for Multiple Devices. I thank Microsoft for explaining all the details in their article.
- When writing queries with a join operator, $left and $right parameters show a red underline under $left and $right. However, the query can still run and returns results as expected.
- A single query can contain a maximum of 3 join operators. Queries with additional joins fail.
- A max of ~50,000 records are returned for a query.
- A maximum of 10 queries can be submitted per minute. Additional queries will fail.
- A maximum of 1,000 queries can be submitted per month.
- Using the Device entity in aggregation functions shows a red underline. However, the query can still run and can return results as expected.
How to use Device Query for Multiple Devices
We have enough discussed of the Intune-Device Query and Kusto Query Language (KQL). Let’s start learning how to use Device Query for Multiple Devices in the Intune portal and retrieve live data.
- Sign in to the Microsoft Intune Admin portal.
- Go to Devices
- Select Device query
Once you click on Device query, you will have the list of the entities. All the available entities and it’s descriptions are documented in above table. Kindly refer the table before you start.
NOTE! Device queries for multiple devices reflect the state as of the last inventory upload to Intune, which occurs approximately every 24 hours rather than in real-time.
Expanding any of the entities will reveal the Device property, which exists outside of the Device entity. These entities are designed to code and retrieve last uploaded inventory information about multiple devices. I am expanding the Battery entity in this example.
I will explain a few examples in this article. I hope these examples help you understand how Microsoft Intune Device Query works for multiple devices.
- Intune Report for AAD Joined Vs Hybrid AAD Joined Devices using KQL Query
- Intune Device Encryption Status Report
List Disk Manufacturer , DiskName and SerialNumber with DeviceName
The below KQL query will list out Disk manufacturer name, disk name and disk’s serial number with DeviceName deatils. Please remember, The operators are arranged in a sequence, which is represented by a pipe symbol ( | ). Data flows sequentially through the operators, with output from one operator serving as input for the subsequent operator.
DiskDrive | project Device.DeviceName, Manufacturer ,DiskName, SerialNumber- Paste the above KQL query and click on Run
- You can see the output with disk details on Result panel.
List All the Windows 11 Devices
I am looking for all the Windows 11 devices with OsName, OsVersion and PatchVersion. The below query will get the details with no time. You could modify the query as per your requirment. As I mentioned in my first example, paste the below Query and click on Run to get the output.
OsVersion
| where OsName !contains "Windiws 11" | project Device,OsName, OsVersion, PatchVersion- Intune Anomaly Detection Device and Advanced Analytics
- MS Defender Advanced Hunting using KQL Queries
- Intune Diagnostics Settings Log Analytics KQL Queries Azure Subscription Missing Issue
Identify the CPU Configuration
The KQL query will list out the CPU Configuration. Paste the below Query and click on Run to get the output. You may modify the query as per your requirment.
Cpu | project Device, Architecture, CoreCount, LogicalProcessorCount
I still have plenty of examples that could help you, but this article’s space isn’t sufficient for all of them. Please feel free to reach out to me on LinkedIn if you need assistance with writing the query, or you can use Copilot for help.
I trust that this article will significantly benefit you and your organization. I appreciate your patience in reading this post. I look forward to seeing you in the next post. Keep supporting the HTMD Community.
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
About the Author: Sujin Nelladath, a Microsoft Graph MVP with over 10 years of experience in SCCM device management and Automation solutions, writes and shares his experiences with Microsoft device management technologies, Azure, DevOps and PowerShell automation.