📱 Recipe · Intune & Device Management

Generate a Fleet-Level Intune Device Performance and UX Summary

Produce a cross-platform fleet health report covering slow devices, storage pressure, stale sync, policy conflicts, and prioritized remediations from Microsoft Intune and Endpoint Analytics.

Complexity

Intermediate

Impact

fleet-health + reporting + endpoint-analytics + device-compliance + remediation-planning

Context

Why This Matters

IT leadership and device support teams regularly need a single, defensible view of fleet health — not one device at a time, but the whole estate. Endpoint Analytics and Intune expose dozens of signals (boot time, app reliability, storage, compliance state, policy conflicts), but the data is scattered across different Graph endpoints and the Intune UI. This recipe stitches those signals together into one fleet-level summary with a ranked remediation list.

When to run this

  • Monthly or quarterly device health review
  • Before a Windows feature update or major OS upgrade wave
  • When leadership asks "how is our fleet doing?" and you need a real answer
  • After a large enrollment event (M&A, new office, refresh cycle)
  • When user-reported performance complaints start trending up

What it solves

Replaces ad-hoc spreadsheet pulls and GUI spelunking with a repeatable, data-driven fleet summary that surfaces the highest-impact issues (low storage, unencrypted devices, stale sync, policy conflicts) and turns them into prioritized actions.

Expected Outcomes

After completing this recipe you will have

  • A fleet-wide inventory summary (total devices, OS breakdown, ownership split)
  • Compliance health: compliant / non-compliant / grace-period / unknown counts with a sample of offenders
  • Configuration policy health: success / error / conflict / not-applicable counts per policy, with failing policies ranked by impact
  • Endpoint Analytics performance data (where enrolled): device scores, boot-time outliers, startup performance
  • A list of low-storage devices (<10% free) — often the biggest real-world UX killer
  • A list of stale devices (30+ and 90+ days since last sync) for retirement/cleanup
  • A count of unencrypted devices for security remediation
  • A ranked, actionable remediation plan (Critical / High / Medium) that you can hand to a tech lead or leadership

Risks & Considerations

Warnings & gotchas

  • Endpoint Analytics may not be enrolled. Several endpoints (userExperienceAnalyticsBaselines, userExperienceAnalyticsDeviceScores, userExperienceAnalyticsDeviceStartupHistory) return empty arrays or 400/500 errors if the tenant has not onboarded Endpoint Analytics or if devices haven't yet uploaded telemetry. The script falls back to managed-device data when this happens — don't assume an empty result means a healthy fleet.
  • Android work-profile storage reporting is quirky. Many Android Enterprise work-profile devices report 0 GB free because the number reflects only the work-profile partition, not the actual device. Validate a sample before creating tickets for 100+ "out of storage" Android devices.
  • "Not applicable" is not a failure. A config policy showing 265 not-applicable devices usually means the policy is platform-scoped (for example, a Windows-only policy on iOS devices). Don't flag these as broken.
  • Stale-sync can mean retired hardware. Before taking remedial action on 90+ day stale devices, check whether they've been formally decommissioned. Retiring an active-but-misconfigured device will surprise users.
  • Do not auto-wipe based on this report. This is a read-only audit. Wipes and retires should be a separate, deliberate workflow with approval.
  • Permissions scope. You need at least DeviceManagementManagedDevices.Read.All and DeviceManagementConfiguration.Read.All. For Endpoint Analytics, the scope is DeviceManagementManagedDevices.Read.All, which is already covered above. Microsoft has historically rebranded these, so consent prompts may list additional scopes.
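
The thresholds under Expected Outcomes and the gotchas above can be applied to exported managed-device records as in the following added example, which is not the recipe's own script. It assumes records carrying Microsoft Graph managedDevice property names; the sample devices, the report date, the Android zero-free heuristic, and ranking by affected-device count are assumptions made for illustration.

```python
from datetime import datetime, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed report date

def dev(name, os_name, enc, total_gb, free_gb, last_sync):
    """Build a constructed record with Graph managedDevice property names."""
    return {"deviceName": name, "operatingSystem": os_name, "isEncrypted": enc,
            "totalStorageSpaceInBytes": total_gb * 10**9,
            "freeStorageSpaceInBytes": free_gb * 10**9,
            "lastSyncDateTime": last_sync}

SAMPLE_DEVICES = [  # constructed sample data, not real tenant output
    dev("WIN-001", "Windows", True, 256, 12, "2024-05-30T00:00:00Z"),
    dev("WIN-002", "Windows", False, 512, 200, "2024-04-15T00:00:00Z"),
    dev("AND-003", "Android", True, 64, 0, "2024-05-31T00:00:00Z"),
    dev("IOS-004", "iOS", True, 128, 60, "2024-01-10T00:00:00Z"),
    dev("MAC-005", "macOS", False, 500, 250, "2024-05-29T00:00:00Z"),
]

def triage(devices, now):
    """Read-only bucketing: <10% free, 30+/90+ days since sync, unencrypted."""
    report = {k: [] for k in
              ("low_storage", "validate_storage", "stale_30", "stale_90", "unencrypted")}
    for d in devices:
        name = d["deviceName"]
        total = d.get("totalStorageSpaceInBytes") or 0
        free = d.get("freeStorageSpaceInBytes") or 0
        if d.get("operatingSystem") == "Android" and free == 0:
            # Work-profile quirk: hold for manual validation instead of ticketing.
            report["validate_storage"].append(name)
        elif total > 0 and free / total < 0.10:
            report["low_storage"].append(name)
        last = d.get("lastSyncDateTime")
        if last:
            age = (now - datetime.fromisoformat(last.replace("Z", "+00:00"))).days
            if age >= 90:
                report["stale_90"].append(name)  # confirm decommission status first
            elif age >= 30:
                report["stale_30"].append(name)
        if d.get("isEncrypted") is False:
            report["unencrypted"].append(name)
    return report

def ranked(report):
    """Order actionable buckets by affected-device count (assumed ranking rule)."""
    rows = [(k, len(v)) for k, v in report.items() if v and k != "validate_storage"]
    return sorted(rows, key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for issue, count in ranked(triage(SAMPLE_DEVICES, NOW)):
        print(f"{issue}: {count} device(s)")
```

Devices with no storage totals or no sync timestamp are left out of those buckets rather than counted as healthy or failing.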

Required Permissions

Permission | Why It's Needed
DeviceManagementManagedDevices.Read.All | Read managed device inventory, compliance state, storage, encryption status, and Endpoint Analytics device data
DeviceManagementConfiguration.Read.All | Read device configuration policies and their device-state summaries to identify conflicts and failures

The fastest way to get this done — just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Generate a fleet-level Intune device performance and UX summary covering slow devices, low storage, stale sync, unencrypted devices, compliance state, and config/compliance policy health. Rank the top remediation actions by impact and output a report I can share with leadership.