Audit a Slow Windows Device via Intune and Apply Safe Remediations

"My computer is slow" is one of the most common helpdesk tickets — and one of the easiest to misdiagnose without data. Before you remote-control a user's machine or schedule a reimage, you can answer most of the diagnostic questions from Intune in under two minutes: when did the device last check in, is it compliant, are policies applying cleanly, is storage exhausted, is there malware, and what's installed?

This recipe walks through a structured audit of a single user's Windows device using Intune / Microsoft Graph, then applies two safe, non-destructive remediations — a device sync (to force policy re-evaluation) and a remote reboot (to clear memory, restart services, and apply pending updates). Run this as your standard first response to any performance complaint before escalating to hands-on troubleshooting.

After running this recipe you will have:

• The user's device identity in Intune (device ID, name, enrollment type, ownership)
• Compliance state and per-policy evaluation results (including any errored policies)
• Configuration profile assignment status
• Storage utilization, encryption state, and malware counts
• A list of installed/detected applications
• Last check-in timestamp (to detect stale or offline devices)
• A triggered device sync so the endpoint picks up latest policy
• A triggered remote reboot to clear transient performance issues
• A structured finding report you can hand back to the user or paste into your ticket

Warnings and gotchas

• Remote reboot is immediate. The rebootNow action gives the user only a short warning. Confirm with the user first, or at minimum notify them, before triggering it — they may lose unsaved work.
• Compliance state vs. policy state are different things. A device can report as "compliant" overall while an individual policy is in an "error" state (common with the Default Device Compliance Policy). Always check deviceCompliancePolicyStates, not just the top-level complianceState field.
• Virtual machines often report 0 physical memory. Don't mistake this for a hardware fault — VMware/Hyper-V guests frequently don't expose physical memory to Intune. If the device is a VM, check the hypervisor host's resource allocation before assuming a guest-side problem.
• $filter has limits on managedDevices. The Intune Graph endpoint does not support $filter on userId or some property combinations. Use userPrincipalName eq '...' for reliable filtering.
• Sync is not instant. The sync action queues a check-in request; actual completion depends on the device being online and responsive. Allow 5–15 minutes before re-auditing.
• Don't reimage on the first report. Always capture the audit data first — it's what lets you distinguish a policy problem from a hardware problem from a user-behavior problem.