Introduction
In today’s modern workplace, ensuring device performance and application reliability is critical for maintaining user productivity. Microsoft Intune’s Endpoint Analytics provides valuable insights into device health, enabling IT administrators to proactively identify and resolve application issues before they impact end users.
One powerful feature within Endpoint Analytics is Application Reliability, which helps IT teams monitor application crashes, hangs, and failures across managed devices. Using PowerShell with Microsoft Graph API, we can take this a step further—automating the process of identifying devices that need attention, retrieving the primary user, and sending an HTML email notification using the PSWriteHTML module.
Application Reliability & Licensing Requirements
Application Reliability in Endpoint Analytics provides deep insights into how frequently applications crash and how they affect end-user productivity. It helps IT teams take data-driven actions to mitigate software issues. However, to use Application Reliability, devices must have appropriate licensing, including:
- Microsoft 365 Business Premium, E3, or E5
- Windows 10/11 Enterprise E3 or E5 (part of M365 F3, E3, or E5)
- Windows Virtual Desktop Access E3 or E5
For a complete breakdown, check Microsoft’s official documentation.

Automating Insights with PowerShell and Microsoft Graph API
While Endpoint Analytics offers a user-friendly dashboard, automation can take things further. The script available on GitHub demonstrates how we can:
✔ Authenticate to Microsoft Graph API
✔ Fetch a list of devices flagged by Endpoint Analytics
✔ Retrieve the primary user of each affected device
✔ Generate a structured HTML email using the PSWriteHTML module
✔ Notify users about detected issues with a professional-looking email
This approach allows IT administrators to move from passive monitoring to proactive communication.
The script requires the DeviceManagementConfiguration.Read.All API permission (least privileged).
```powershell
<#
.SYNOPSIS
    This script generates an email report for devices that need attention based on Intune Analytics data.

.DESCRIPTION
    The script checks if the required graph modules are installed and installs them if necessary.
    It then connects to the Microsoft Graph API using the Connect-MgGraph cmdlet.
    It retrieves a list of devices that need attention and sends an email report to the specified
    recipient(s) with details about the devices and their application crash/hang information.

.PARAMETER EmailTitle
    The subject of the email.

.PARAMETER EmailFrom
    The email address from which the email will be sent.

.PARAMETER EmailBCC
    The email address(es) to be BCC'd on the email.

.PARAMETER tenantId
    The ID of the tenant to connect to.

.PARAMETER EmailTo
    The email address to which the email will be sent.

.EXAMPLE
    .\EndpointAnalyticsGraph.ps1 -EmailTitle "Your Device Needs Attention" -EmailFrom "[email protected]" -EmailTo "[email protected]" -tenantId "<YourTenantId>"

.NOTES
    Author: Your Name
    Date: Current Date
#>

# Prerequisites
# Check if the required graph modules are installed
if (-not (Get-Module -Name Microsoft.Graph.Authentication -ListAvailable)) {
    # If not installed, install the Microsoft.Graph.Authentication module
    Write-Output "Microsoft.Graph.Authentication module is not installed. Installing Microsoft.Graph.Authentication"
    Install-Module Microsoft.Graph.Authentication -Force
    Import-Module Microsoft.Graph.Authentication
    Write-Output "Microsoft.Graph.Authentication has been installed."
}
else {
    Write-Output "Microsoft.Graph.Authentication module is already installed."
    Import-Module Microsoft.Graph.Authentication
}

if (-not (Get-Module -Name Microsoft.Graph.beta.DeviceManagement -ListAvailable)) {
    # If not installed, install the Microsoft.Graph.beta.DeviceManagement module
    Write-Output "Microsoft.Graph.beta.DeviceManagement module is not installed. Installing Microsoft.Graph.beta.DeviceManagement"
    Install-Module Microsoft.Graph.beta.DeviceManagement -Force
    Import-Module Microsoft.Graph.beta.DeviceManagement
    Write-Output "Microsoft.Graph.beta.DeviceManagement has been installed."
}
else {
    Write-Output "Microsoft.Graph.beta.DeviceManagement module is already installed."
    Import-Module Microsoft.Graph.beta.DeviceManagement
}

# Check if the PSWriteHTML module is installed
if (-not (Get-Module -Name PSWriteHTML -ListAvailable)) {
    # If not installed, install the PSWriteHTML module
    Write-Output "PSWriteHTML module is not installed. Installing PSWriteHTML"
    Install-Module PSWriteHTML -Force
    Write-Output "PSWriteHTML has been installed."
}
else {
    Write-Output "PSWriteHTML module is already installed."
}

# Variables
$EmailTitle = "Your Device Needs Attention"
$EmailFrom  = "<SenderAddress>"   # placeholder: set to the sending mailbox
$EmailCC    = ""
$EmailBCC   = ""
$TenantId   = "<YourTenantId>"

# Functions
Function Send-Email {
    Param ($subj, $Body, $priority, $EmailCC, $Attachments, $EmailFrom, $EmailTo, $EmailBCC)

    $SendMailProps = @{
        From       = $EmailFrom
        To         = $EmailTo
        Subject    = $subj
        Body       = $Body
        SmtpServer = "internalsmtp.uk.corp.investec.com"   # replace with your own SMTP relay
        Priority   = $priority
    }
    If ($EmailCC)  { $SendMailProps.Add("CC", $EmailCC) }
    If ($EmailBCC) { $SendMailProps.Add("BCC", $EmailBCC) }

    # Send-MailMessage is marked obsolete by Microsoft because it cannot
    # guarantee a secure connection to the SMTP server.
    Send-MailMessage @SendMailProps -BodyAsHtml
}

# Main Script
# Connect to the Microsoft Graph API (delegated, interactive sign-in)
Connect-MgGraph -TenantId $TenantId -Scopes "DeviceManagementConfiguration.Read.All" -NoWelcome

# Filter by "needs attention"
$DeviceNeedsAttention = Get-MgBetaDeviceManagementUserExperienceAnalyticAppHealthDevicePerformance -All -Filter "healthStatus eq microsoft.graph.UserExperienceAnalyticsHealthState'needsAttention'" |
    Select-Object DeviceDisplayName, DeviceId, HealthStatus

# Get the user details for each device in $DeviceNeedsAttention
foreach ($device in $DeviceNeedsAttention) {
    # Get the primary user of the device
    $DevicePrimaryUser = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceManagement/manageddevices('$($device.DeviceId)')/users"

    # Initialize the $UserDetails variable
    $UserDetails = @()

    # If the device has a primary user, get the user details
    $UserDetails = $DevicePrimaryUser.value | Select-Object displayName, userPrincipalName

    # If no user details are found, skip the device
    if ($null -eq $UserDetails) {
        continue
    }

    # Group by appDisplayName and count the number of occurrences; the event type of the first record in each group is shown
    $AppCrashDetails = Get-MgBetaDeviceManagementUserExperienceAnalyticAppHealthDevicePerformanceDetail -Filter "deviceId eq '$($device.DeviceId)'" -All |
        Group-Object appDisplayName |
        Select-Object Name, Count, @{Name = 'EventType'; Expression = { $_.Group[0].eventType } }

    # Email users with devices that need attention and their app crash details using PSWriteHTML
    $EmailBodyReport = EmailBody {
        EmailText -FontFamily 'Calibri' -FontSize 16 -Color Black -Alignment left -FontStyle normal -Text "Hello, $($UserDetails.displayName)"
        EmailText -LineBreak
        EmailTextBox -FontFamily 'Calibri' -Size 16 -Color Black -Alignment left -FontStyle normal {
            "Intune Analytics has identified that your device $($device.DeviceDisplayName) has been having few application crashes/hangs in the last 14 days."
            "Please see the details below:"
        }
        EmailTable -DataTable ($AppCrashDetails) -AutoSize {
            $AppCrashDetails | Get-Member -MemberType NoteProperty | Select-Object -ExpandProperty Name | ForEach-Object {
                EmailTableHeader -BackGroundColor SkyBlue -FontSize 18 -Color Black -Names $_
            }
        } -HideFooter
        EmailText -LineBreak
        EmailTextBox -FontFamily 'Calibri' -Size 16 -Color Black -Alignment left -FontStyle normal {
            "Should you need any assistance, please contact the Technology Service Desk."
        }
        EmailText -LineBreak
    }

    # Set the email recipient
    $EmailTo = $UserDetails.userPrincipalName

    # Send the email
    Send-Email -subj "$EmailTitle" -Body $EmailBodyReport -priority "normal" -EmailBCC $EmailBCC -EmailFrom $EmailFrom -EmailTo $EmailTo
}

# Disconnect from the Microsoft Graph API
Disconnect-MgGraph
```
By implementing such a script, organizations can proactively engage users in the troubleshooting process, potentially reducing downtime and enhancing the overall efficiency of IT operations. This approach not only showcases the technical capabilities of integrating PowerShell with the Microsoft Graph API but also emphasizes the importance of user communication in maintaining application reliability.
Users (or IT Support) would get an email showing details of apps crashing in the last 14 days.

Expanding the Use Case: IT Support Notifications
While this script is designed to notify end users, it can easily be repurposed for IT teams. Instead of notifying users directly, we can send a report to IT support, highlighting devices with repeated failures and suggesting proactive troubleshooting steps.
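One way to build that IT support report, as an added example that is not part of the original script: it folds per-device app events into a single digest of repeated failures and HTML-encodes every value, since app and device names come from endpoint telemetry and end up in an HTML email. The sample rows are constructed, and the helper names and the threshold of 3 are assumptions.

```powershell
# Constructed sample rows standing in for the per-device detail records the
# script retrieves from Microsoft Graph (values are illustrative only).
$SampleRecords = @(
    [pscustomobject]@{ DeviceDisplayName = 'LAPTOP-001'; AppDisplayName = 'outlook.exe';    EventType = 'AppCrash' }
    [pscustomobject]@{ DeviceDisplayName = 'LAPTOP-001'; AppDisplayName = 'outlook.exe';    EventType = 'AppCrash' }
    [pscustomobject]@{ DeviceDisplayName = 'LAPTOP-001'; AppDisplayName = 'outlook.exe';    EventType = 'AppCrash' }
    [pscustomobject]@{ DeviceDisplayName = 'LAPTOP-001'; AppDisplayName = 'teams.exe';      EventType = 'AppHang' }
    [pscustomobject]@{ DeviceDisplayName = 'DESKTOP-07'; AppDisplayName = 'R&D <Tool>.exe'; EventType = 'AppCrash' }
    [pscustomobject]@{ DeviceDisplayName = 'DESKTOP-07'; AppDisplayName = 'R&D <Tool>.exe'; EventType = 'AppCrash' }
    [pscustomobject]@{ DeviceDisplayName = 'DESKTOP-07'; AppDisplayName = 'R&D <Tool>.exe'; EventType = 'AppCrash' }
    [pscustomobject]@{ DeviceDisplayName = 'DESKTOP-07'; AppDisplayName = 'R&D <Tool>.exe'; EventType = 'AppCrash' }
)

function Get-RepeatedFailureReport {        # hypothetical helper name
    param(
        [object[]] $Records = @(),
        [int] $MinimumCount = 3             # assumed threshold for "repeated"
    )
    # One row per device/app/event type, keeping only combinations at or above the threshold
    $Records |
        Group-Object DeviceDisplayName, AppDisplayName, EventType |
        Where-Object Count -ge $MinimumCount |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Device    = $_.Group[0].DeviceDisplayName
                App       = $_.Group[0].AppDisplayName
                EventType = $_.Group[0].EventType
                Count     = $_.Count
            }
        }
}

function ConvertTo-SafeHtmlTable {          # hypothetical helper name
    param([object[]] $Rows = @())
    # Encode every telemetry-derived string before it is placed in markup
    $enc = { param($v) [System.Net.WebUtility]::HtmlEncode([string]$v) }
    $body = foreach ($r in $Rows) {
        '<tr><td>{0}</td><td>{1}</td><td>{2}</td><td>{3}</td></tr>' -f
            (& $enc $r.Device), (& $enc $r.App), (& $enc $r.EventType), $r.Count
    }
    '<table border="1"><tr><th>Device</th><th>App</th><th>Event type</th><th>Count</th></tr>' +
        ($body -join '') + '</table>'
}

$Report = Get-RepeatedFailureReport -Records $SampleRecords -MinimumCount 3
$Report | Format-Table -AutoSize
ConvertTo-SafeHtmlTable -Rows $Report
```

The resulting HTML string can be passed as the `-Body` of a single `Send-Email` call addressed to the support mailbox instead of one email per user.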
Conclusion
This PowerShell + Microsoft Graph API integration, combined with PSWriteHTML, showcases “the art of what’s possible” with Intune Endpoint Analytics. By automating issue detection and proactively engaging users, IT teams can minimize downtime, enhance user experience, and demonstrate the power of automation in device management.
🚀 Ready to try it out? Grab the script here: EndpointAnalyticsGraph.ps1.
Let me know if you’d like further refinements!