Investigate a User's Device Health and Performance via Intune

When a user reports that their computer is slow, the fastest way to triage the issue remotely is to pull device telemetry from Intune rather than scheduling a session on the endpoint. Microsoft Graph exposes hardware specs (RAM, storage, model), OS version, encryption status, compliance/configuration policy state, last sync time, and detected apps — everything you need to form a hypothesis before touching the device.

This recipe is designed for a common helpdesk scenario: an IT admin receives a ticket like "my laptop is crawling" and needs a structured, repeatable way to investigate without immediately dispatching a technician. Common root causes surfaced by this workflow include under-provisioned VMs, low free disk space, missing Windows updates, unencrypted drives triggering compliance churn, or a specific detected app that is known to be resource-intensive.

When to run it

• A user reports sluggish performance, freezes, or long boot times.
• You want to validate device specs against corporate hardware standards.
• You need a pre-call triage summary before engaging the user on a remote session.
• You are auditing a fleet for under-provisioned or legacy devices.

After completing this recipe you will have:

• A confirmed inventory record for the user's device (name, model, manufacturer, enrollment date, ownership type).
• Key performance indicators: physical memory, total/free storage, OS build, last sync time.
• Security posture: BitLocker/FileVault encryption status, compliance state, configuration profile coverage.
• A list of detected apps installed on the device, useful for spotting known resource hogs or unauthorized software.
• A prioritized, actionable recommendation list (e.g. increase VM RAM, enable BitLocker, remediate compliance error) that you can paste into the ticket response.

Gotchas

• User Experience Analytics endpoints have limited filter support. The userExperienceAnalyticsDevicePerformance endpoint does not accept $filter=deviceId eq '...' or deviceName filters via Graph — you must query the collection and filter client-side, or use the Intune portal's Endpoint Analytics blade for that data.
• Compliance state of compliant can coexist with policy errors. A device may report complianceState: compliant at the top level while individual policies are in an error state. Always inspect deviceCompliancePolicyStates — don't trust the roll-up alone.
• detectedApps is paginated. Use @odata.nextLink to enumerate all apps; on a typical Windows device you'll see 60–200 entries.
• Last sync time matters. If lastSyncDateTime is more than 24 hours old, the data you are seeing is stale — trigger a sync action before drawing conclusions.

Privacy & compliance

• Detected app inventory can include personal apps on BYOD devices. Respect your organization's BYOD privacy policy when sharing this data.
• Document the investigation in your ticketing system; device inspection of a user's machine should be auditable.