Intune Diagnostics & Audit Evidence
Policy Troubleshooting
Policy Delivery and Check-In
Intune policies push to devices on check-in, which occurs approximately every 8 hours. A check-in can also be triggered manually without waiting for the scheduled interval.
Force a check-in on device: Settings → Accounts → Work or school → Info → Sync
Force a check-in from Intune portal: Devices → [Device] → Sync
Check-in status is visible per profile at: Devices → [Device] → Device configuration. Each profile listed shows its assignment status — Succeeded, Pending, Error, or Conflict.
Diagnosing Policy Conflicts
A policy conflict occurs when two policies configure the same setting with different values. Intune reports the setting as "Conflict" and does not apply either value — the setting is effectively unmanaged until the conflict is resolved.
Finding conflicts:
- Navigate to Devices → [Device] → Device configuration
- Filter the profile list by "Conflict" status
- Drill into the conflicting profile to identify which specific setting is in conflict
Resolution: Determine which policy should own the setting and remove or reconcile the conflicting setting from the other policy. For settings managed by Security Baselines, note that baseline settings take precedence — a custom profile that overlaps with a baseline will frequently conflict.
Filter Troubleshooting
Assignment filters allow targeting based on device properties (OS version, manufacturer, Entra group membership) without creating additional groups. A filter that evaluates to false silently skips policy assignment — this is one of the most common causes of a policy not applying despite correct group membership.
Testing a filter: Tenant administration → Filters → [Filter] → Device preview — enter a specific device to see whether it matches the filter criteria and why.
MDM Diagnostic Report
The MDM Diagnostic Report is a full snapshot of all policies applied to a specific Windows device, generated on the device itself.
Generate on device: Settings → Accounts → Access work or school → [Account] → Info → Create report
This produces a ZIP file at %TEMP%\MDMDiagReport containing:
| File | Contents |
|---|---|
| MDMDiagReport.xml | All MDM policies applied, their values, and error codes |
| MDMDiagHtmlReport.html | Human-readable summary of enrollment status, configuration policies, compliance results, certificate profiles, Wi-Fi and VPN profiles |
| DeviceEnrollment.log | Enrollment events and errors |
The HTML report is the fastest way to confirm what policies are applied and whether any returned errors. Share this file with the help desk or use it during remote troubleshooting sessions.
Remote Log Collection
For devices that cannot be physically accessed, Intune supports remote diagnostic log collection without user involvement.
Trigger from portal: Devices → [Device] → Collect diagnostics (Windows)
This instructs the device to collect and upload a log bundle to Intune. Logs are available for download from the portal within 15–30 minutes.
Collected logs include:
- Windows event logs: System, Application, Security, MDM
- Registry exports for common MDM keys
- Scheduled task status
- Installed applications list
Use remote log collection when investigating a policy failure or enrollment issue on a device at a remote site.
Intune Audit Log
The Intune audit log records all administrative actions taken in the Intune portal or via API — policy creation, modification, deletion, device wipes, compliance policy changes, and app assignments.
Access: Tenant administration → Audit logs
Key fields per entry:
| Field | Description |
|---|---|
| Date | Timestamp (UTC) |
| Initiated by | UPN of the admin who performed the action |
| Activity | Action type (e.g., Create, Update, Delete, DeviceWipe) |
| Target resource | Policy name, device name, or app name |
| Result | Success or Failure |
Retention: Intune audit logs are retained for 1 year by default. For longer retention, export to Azure Monitor Log Analytics or Azure Storage via Diagnostic Settings.
Export to Log Analytics:
In the Azure portal: Intune → Diagnostic settings → Add diagnostic setting → select AuditLogs and OperationalLogs → route to a Log Analytics workspace.
For GCC High, route diagnostic logs to a Log Analytics workspace in Azure Government. The ingestion endpoint uses the *.ods.opinsights.azure.us domain. Confirm your Log Analytics workspace is deployed in an Azure Government region (USGov Virginia or USGov Texas) before configuring the diagnostic setting.
For commercial tenants, route diagnostic logs to any Log Analytics workspace in the standard Azure regions. The ingestion endpoint uses the *.ods.opinsights.azure.com domain.
Device Compliance Audit Evidence
Compliance policy results are per-device, per-policy, and time-stamped. This is the primary evidence source for demonstrating that managed devices meet configuration baselines.
Access: Devices → Monitor → Device compliance — provides an overview and supports per-policy drill-down.
Exporting compliance state:
```powershell
# Using Microsoft Graph — works for both commercial and GCC High with the appropriate environment parameter
# GCC High
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -Environment USGov
# Commercial
# Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"
$devices = Get-MgDeviceManagementManagedDevice -All
$devices | Select-Object DeviceName, ComplianceState, LastSyncDateTime, OperatingSystem, OSVersion |
    Export-Csv -Path ".\DeviceCompliance_$(Get-Date -Format 'yyyy-MM-dd').csv" -NoTypeInformation
```
Per-device compliance evidence: Devices → [Device] → Device compliance — lists every compliance policy assigned to the device and each policy's result: Compliant, Noncompliant, or Not applicable. This per-device view is the configuration evidence an auditor typically requests.
Configuration Profile Evidence
Configuration profiles define the security baseline applied to each device. Profile assignment status and compliance state constitute evidence that security controls are enforced.
Access: Devices → Configuration profiles → [Profile] → Device status — lists every device the profile is assigned to and the application result per device.
Key evidence artifacts:
| Artifact | Location | Purpose |
|---|---|---|
| Profile name and settings | Configuration profiles → [Profile] → Properties | Documents the security controls configured |
| Device assignment list | Configuration profiles → [Profile] → Device status | Shows which devices received the profile and whether it applied successfully |
| Per-device status | Succeeded / Error / Conflict / Not applicable | Confirms recency of enforcement and identifies failures |
| Last report time | Device status → Last report column | Confirms the profile state is current |
For audit packages, export the profile assignment report and supplement with a screenshot or Graph API export of the profile settings.
Intune Diagnostics — Compliance Control Mapping
CMMC Evidence Requirements
The following Intune artifacts directly satisfy CMMC Level 2 assessment objectives:
| NIST Control | Assessment Objective | Intune Evidence |
|---|---|---|
| CM.L2-3.4.1 — Baseline configurations | Demonstrate a baseline configuration is established and applied | Configuration profile export; device profile assignment report showing Succeeded |
| CM.L2-3.4.2 — Security config enforcement | Demonstrate baseline is enforced and deviations are identified | Device compliance report; noncompliant device list; compliance policy settings export |
| CM.L2-3.4.6 — Least functionality | Demonstrate unnecessary services and features are disabled | ASR rules policy export; app control policy; configuration profile showing disabled features |
| CM.L2-3.4.9 — User-installed software | Demonstrate controls on user software installation | Endpoint Privilege Management policy; Win32 app blocklist policy export |
| SI.L2-3.14.1 — Flaw remediation | Demonstrate patches are applied | Windows Update for Business ring configuration; device update compliance report |
| SI.L2-3.14.2 — Malicious code protection | Demonstrate AV is deployed and active | Defender for Endpoint onboarding policy status; Tamper Protection configuration |
| AC.L2-3.1.1 — Authorized access | Demonstrate only authorized devices access the system | Entra device compliance state in Conditional Access; Intune compliance policy list |
| AU.L2-3.3.1 — Audit records | Demonstrate audit logging of admin actions | Intune audit log export (1 year) |
CMMC Evidence Package — Intune Artifacts
For a CMMC assessment, prepare the following exports from Intune:
- Configuration profile export — screenshot or Graph API export of every configuration profile showing the security settings applied
- Device compliance report — CSV export of all managed devices with compliance state (target greater than 95% compliant; document exceptions for any noncompliant devices)
- Compliance policy settings export — the conditions each device must meet: encryption, Secure Boot, OS version minimum, and others
- Audit log export — 90-day export of the Intune audit log showing administrative actions with initiator identity
- Enrollment report — all managed devices with enrollment date, OS, and last check-in, demonstrating that all in-scope devices are under management
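As an added example (not from the original page, and not Microsoft tooling), the following PowerShell script pulls the five artifacts listed above through Microsoft Graph into one dated folder, and also serves the Graph API profile export mentioned under Configuration Profile Evidence. It assumes the Microsoft.Graph.Authentication module, read-only Intune scopes, and the beta endpoint for Settings Catalog policies (classic templates and compliance policies come from v1.0).

```powershell
# Added example: export the CMMC evidence package artifacts with Microsoft Graph.
# Assumes Microsoft.Graph.Authentication; relative URIs resolve per -Environment.
param(
    [ValidateSet('Global', 'USGov')] [string] $Environment = 'USGov',
    [int] $AuditDays = 90,
    [string] $OutDir = ".\IntuneEvidence_$(Get-Date -Format 'yyyy-MM-dd')"
)

# Follow @odata.nextLink so large tenants are not truncated at one page
function Get-GraphPages {
    param([Parameter(Mandatory)] [string] $Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}
Connect-MgGraph -Environment $Environment -NoWelcome -Scopes `
    'DeviceManagementConfiguration.Read.All', 'DeviceManagementManagedDevices.Read.All'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Configuration profiles: classic templates carry settings inline; Settings
#    Catalog policies need $expand=settings and only exist on the beta endpoint
Get-GraphPages 'v1.0/deviceManagement/deviceConfigurations' |
    ConvertTo-Json -Depth 10 | Set-Content "$OutDir\ConfigurationProfiles.json"
Get-GraphPages 'beta/deviceManagement/configurationPolicies?$expand=settings' |
    ConvertTo-Json -Depth 20 | Set-Content "$OutDir\SettingsCatalogPolicies.json"

# 3. Compliance policy settings (encryption, Secure Boot, minimum OS version)
Get-GraphPages 'v1.0/deviceManagement/deviceCompliancePolicies' |
    ConvertTo-Json -Depth 10 | Set-Content "$OutDir\CompliancePolicies.json"

# 2 + 5. Device compliance report and enrollment report from one device pull
$devices = Get-GraphPages 'v1.0/deviceManagement/managedDevices'
$devices | Select-Object deviceName, userPrincipalName, operatingSystem, osVersion,
    complianceState, enrolledDateTime, lastSyncDateTime |
    Export-Csv "$OutDir\ManagedDevices.csv" -NoTypeInformation
$compliant = @($devices | Where-Object complianceState -eq 'compliant').Count
'{0} of {1} devices compliant ({2:P1})' -f $compliant, $devices.Count, ($compliant / [math]::Max($devices.Count, 1))

# 4. Audit log for the last $AuditDays days, flattened to initiator and target
$since = (Get-Date).AddDays(-$AuditDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-GraphPages "v1.0/deviceManagement/auditEvents?`$filter=activityDateTime ge $since" |
    Select-Object activityDateTime, activityType, activityOperationType, activityResult,
        @{ n = 'InitiatedBy'; e = { $_.actor.userPrincipalName } },
        @{ n = 'Target'; e = { ($_.resources.displayName) -join ';' } } |
    Export-Csv "$OutDir\AuditLog_${AuditDays}d.csv" -NoTypeInformation
```

The compliant-device percentage printed at the end is the figure to compare against the 95% target above; the JSON exports are the profile settings evidence to attach alongside portal screenshots.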
NIST SP 800-171 and SOC 2 Evidence
For commercial organizations undergoing SOC 2 Type II audits or NIST SP 800-171 assessments, the same Intune artifacts apply but the framing differs.
SOC 2 Type II — Relevant Trust Service Criteria
| TSC | Criteria | Intune Evidence |
|---|---|---|
| CC6.1 | Logical and physical access controls | Device compliance policy; Entra Conditional Access requiring compliant device |
| CC6.6 | Logical access security measures | Configuration profiles enforcing encryption, screen lock, and USB disable |
| CC6.8 | Prevention of unauthorized software | App control policies; Endpoint Privilege Management |
| CC7.1 | Configuration monitoring | Noncompliant device alerts; compliance policy enforcement |
| CC7.2 | Monitoring for anomalies | Intune noncompliance notifications; integration with Microsoft Sentinel |
NIST SP 800-171 Rev. 3 Control Mapping
| Control | Intune Evidence |
|---|---|
| 3.4.1 — Baseline configurations | Configuration profile assignments with Succeeded status |
| 3.4.2 — Configuration change control | Intune audit log showing configuration changes with initiator identity |
| 3.4.6 — Least functionality | ASR rules policy; disabled services configuration |
| 3.14.1 — Flaw remediation | Windows Update ring compliance report |
| 3.14.2 — Malicious code protection | Defender policy assignment and device status |
For SOC 2 auditors, export the Intune audit log for the audit period (typically 12 months) and the device compliance state as of the audit date. Most SOC 2 auditors accept Intune portal screenshots supplemented by a Graph API CSV export as sufficient evidence for configuration management controls.
Diagnostic Tools Reference
| Tool | Access | Use |
|---|---|---|
| Intune portal — Device diagnostics | Intune → Devices → [Device] → Collect diagnostics | Remote log collection without user involvement |
| MDM Diagnostic Report | On device: Settings → Work account → Info → Create report | Full policy report on the device |
| Intune Troubleshooting blade | Intune → Troubleshoot + support → Troubleshoot → select user | See all devices, policies, and app assignments for a specific user |
| Graph Explorer | graph.microsoft.com (commercial) or graph.microsoft.us (GCC High) | Query device compliance, configuration, and audit data via API |
| CMTrace | Included in Configuration Manager client; works on standalone systems | Parse Intune log files in real time with color-coded error and warning indicators |