
Device Advice

Teaching you how to be a device management expert


Configure Microsoft Defender Antivirus with Intune

by Janusz · September 28, 2020

Microsoft Defender Antivirus is a component of Microsoft Defender for Endpoint, previously Microsoft Defender Advanced Threat Protection. But Microsoft Defender Antivirus does not require Microsoft Defender for Endpoint.

I personally think those sentences are incredibly confusing, which is part of the reason I’m writing this blog post now. As you may know, Microsoft Defender is built into Windows 10 and provides native antivirus functionality. It doesn’t require a client to be installed or deployed; Defender is entirely built in. But since it is a component of Microsoft Defender for Endpoint (MDfE), if you’re using MDfE you get additional functionality.

Microsoft Defender for Endpoint is Microsoft’s Threat Protection solution that centers around 6 pillars – Threat & Vulnerability Management, Attack Surface Reduction, Next-generation protection, Endpoint detection and response, Automated investigation and remediation, and Microsoft Threat Experts. There’s a lot to unpack here, and it is certainly worth its own blog post. Start with this docs article if you have a few hours. For our purposes, here is all you need to know – Microsoft Defender Antivirus is the Next-generation protection pillar. It sends data to Microsoft Defender for Endpoint for antivirus signals, threat analytics, gathering details about blocked malware, and more (which you can read about here). But Microsoft Defender Antivirus can also be used independently of MDfE.

So if you’re looking to use Intune to configure Microsoft Defender Antivirus and you don’t have a license for MDfE, you can absolutely do that. And if you don’t configure Microsoft Defender Antivirus, it is still native to the system and will still be enabled by default. It’s just that if you want advanced analytics and all of the goodies that MDfE has, you need MDfE.

Let’s jump to configuring Microsoft Defender Antivirus. First, open the MEM portal and select Endpoint security > Antivirus > + Create Policy:

Then, select Windows 10 and later and Microsoft Defender Antivirus from the dropdowns.


Notice how it mentions Microsoft Defender ATP in the description. Just to show you that ATP/MDfE really is not required, here’s a screenshot of how I don’t have licenses for it.


Once you click Create and provide a name for your policy, you’ll see a list of options for configuring Microsoft Defender:


The usual guidance is to configure these settings as dictated by your organization/security team. If you’d like to use my personal configuration as a starting point, the next few screenshots provide each setting grouped by category.

Starting with Cloud protection, I turn this on with the High protection level and an extended timeout of 50 seconds. This provides real-time scanning without impacting client performance (and was previously called “Microsoft Active Protection Service”).

For Exclusions, here you would enter files to exclude from scanning and real-time protection. Generally this would be for other security software or management agents. There is no need to include any by default.

For Real Time Protection, I basically enable every setting. I don’t enable scan network files because Microsoft Defender Antivirus running on fileservers provides the same benefit.


For Remediation, I use the following:

For Scan, we’ll actually be affecting the user experience a lot. Outside what I’ve selected, I would also consider setting your daily and scheduled scans to after work hours for desktops (the below settings are better for laptops, which may be off at night), as well as increasing your CPU usage limit up to 50% if you don’t see any impact.

For Updates, the default 8 hrs or 12 hrs is often enough. The other settings can be configured as required, like the exclusion settings.

And then the final settings page, User Experience. I will go ahead and say I leave this as not configured, but you may want to block users from the Microsoft Defender app if you don’t want them to add their own exclusions. I have heard of this happening before, so it may be useful to block.

And that’s it! Once you have the policy assigned to your users, they will notice that some settings are managed by your administrator in the Windows Security app.
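To confirm from the endpoint itself that the policy landed, the settings above can be read back with the built-in Defender PowerShell cmdlets. The script below is an added example, not part of the original post: the cloud protection values come from the text, while the entries marked as assumptions stand in for "basically every setting" and should be edited to match your own policy. Run it in an elevated session, since exclusions are only shown to administrators.

```powershell
# Added example (not from the original post): compare the local Microsoft
# Defender Antivirus configuration with the values described in this article
# and list any exclusions present on the device.

# Expected values. Cloud settings are taken from the article; entries marked
# "assumption" are illustrative and should be changed to match your policy.
$expected = [ordered]@{
    CloudBlockLevel           = 2       # 2 = High protection level
    CloudExtendedTimeout      = 50      # extended timeout in seconds
    DisableRealtimeMonitoring = $false  # real-time protection on
    DisableBehaviorMonitoring = $false  # assumption
    DisableIOAVProtection     = $false  # assumption (scan downloaded files)
    SignatureUpdateInterval   = 8       # hours; assumption based on "8 hrs"
}

function Test-DefenderBaseline {
    # Returns one row per expected setting with the actual value and a match flag.
    param(
        [Parameter(Mandatory)] $Preference,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )
    foreach ($name in $Expected.Keys) {
        $actual = $Preference.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Match    = ($actual -eq $Expected[$name])
        }
    }
}

function Get-DefenderExclusion {
    # Flattens path, extension and process exclusions into one list for review.
    param([Parameter(Mandatory)] $Preference)
    foreach ($prop in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
        foreach ($value in @($Preference.$prop)) {
            if ($value) { [pscustomobject]@{ Type = $prop; Value = $value } }
        }
    }
}

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

$results = @(Test-DefenderBaseline -Preference $pref -Expected $expected)

# Cloud protection is on when MAPSReporting is 1 (Basic) or 2 (Advanced).
$results += [pscustomobject]@{
    Setting  = 'MAPSReporting'
    Expected = '1 or 2'
    Actual   = $pref.MAPSReporting
    Match    = ($pref.MAPSReporting -in 1, 2)
}

'--- Policy settings ---'
$results | Format-Table -AutoSize

'--- Informational (not asserted) ---'
[pscustomobject]@{
    DisableScanningNetworkFiles = $pref.DisableScanningNetworkFiles
    ScanAvgCPULoadFactor        = $pref.ScanAvgCPULoadFactor
} | Format-List

'--- Engine health ---'
$status | Select-Object AntivirusEnabled, RealTimeProtectionEnabled,
    IsTamperProtected, AntivirusSignatureVersion,
    AntivirusSignatureLastUpdated | Format-List

'--- Exclusions present on this device ---'
$exclusions = @(Get-DefenderExclusion -Preference $pref)
if ($exclusions.Count) { $exclusions | Format-Table -AutoSize }
else { 'None' }

$mismatch = @($results | Where-Object { -not $_.Match })
if ($mismatch.Count) {
    Write-Warning ("{0} setting(s) differ from the expected baseline: {1}" -f
        $mismatch.Count, ($mismatch.Setting -join ', '))
}
```

Any exclusion listed that is not in your Intune policy is worth investigating, which ties back to the User Experience setting above.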


And hey, even though we don’t have Windows Defender ATP, we still see the Windows Defender AV policy as successfully deployed:


Now you’ve deployed Defender Antivirus in your environment. Happy securing!


24 Responses


Hi, great write-up as I have not seen any detail like yours. I would like to ask, for the assignment. Do you assign to users or devices?

Your last comment “Once you have the policy assigned to your users…”. So that’s my question if create a group and throw machines in there or users. Also, I noticed there is an option for “Add all devices” as well. Just wondering what is the best practice or method.


I generally target user groups but it’s mostly a matter of preference. My rationale for user groups is that if I target a user with a policy and they get a new device (can enroll personal/BYOD, for example) I don’t need to worry about adding that new device to a group or policy. I could be using dynamic device groups to get around that, but the evaluation for those groups isn’t instant.

Gotcha, Thanks for the explanation. I think I might try out the “Add all devices” for the assignments. Hope that would work the same and I wouldn’t have to worry about missing any machines.


Great guide! I have a question: I followed the guide and if I go to the overview of the Defender policy it gives me no information. And if I go to “Device Status” it shows my test machines but under “Assignment Status” it shows the status as “Pending.” I left it like this overnight but it still shows as pending. I’d appreciate any help. Thanks!

It should be fairly instant as long as the device has an active network connection. If it’s pending for too long, it’s likely worth opening a support ticket with Microsoft.


Can we use a third-party antivirus Like Trend Micro Apex One with Microsoft Endpoint Manager (intune Device), is there a special setting or exclusions required, because facing performance issues. And it starts after implementing to MEM devices, before it all things working fine. Please reply to my mail id, if possible – [email protected] Anyone please help, thanks in advance.

Yeah, you can absolutely use a third party antivirus with a MEM managed device. It might be worth contacting Trend Micro to troubleshoot performance. Or alternatively take a fresh device and enroll it into Intune before installing Trend Micro Apex One and seeing what is causing the slowdown.


Thank you for such a detailed post! Would love to see something like this to configure MS Defender for Endpoint! I know it’s a huge monster of policies but MS does not provide structured guidance on this. I had to fish for info all over the place and am still having a hard time understanding what policies fall under what… Can you recommend any resources? Thx!!

Thanks for the feedback! I’ll put that on the to-do list, I think it would make a great post. If you’re still looking for MDfE setup articles I would start with the Tech Community post: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-endpoint-manager-enable-endpoint-protection/ba-p/1801197


Thank you for this great, clear and thorough post. I had been struggling with this topic and all the different terms, but if I’m not mistaken we can put it this way:

  • MDFE / MDATP = whole threat protection solution
  • MD = Antivirus solution, is included in the MDFE solution
  • But also works as standalone if we don’t own a MDFE subscription

Yes, that’s right! But just to be picky, I would specify that MDfE isn’t a WHOLE threat protection solution, it’s an endpoint solution. Microsoft’s 365 E5 license that includes the whole suite of security products (MDfE, Sentinel, Azure Defender, Cloud App Security, Defender for Identity, etc.) is the all up solution. If you want to know how all those pieces fit together then take a look at the Microsoft Cybersecurity Reference Architecture


Hi Janusz, fantastic write-up, I too was unclear on Windows Defender and Microsoft Defender for Endpoint. Just a quick question, is there any way to put our business support contact details somewhere in the Security area?

There is not, as far as I know. Closest I can think of is adding your support contact info in the Intune Company Portal app.


Hi, great sharing! I have a question: after configuring Microsoft Defender Antivirus with Intune, can we see the virus alert and AV definition version in Intune or somewhere?

Yup, you’ll see it in the MEM console under Reports > Microsoft Defender Antivirus. You can generate a detailed report that has the definition versions and more.


I want to configure a daily quick scan at 11:00 AM every day and a weekly full scan at 12:00 PM every Thursday. But these settings don’t seem to be working as you explained in the scan section of this article.

  • Run daily quick scan at: 11:00 AM
  • Scan type: Full Scan
  • Day of week to run a scheduled scan: Thursday
  • Time of day to run a scheduled scan: 12:00 PM

Might be worth opening a case with Microsoft to investigate what’s going on. It should be possible to configure those scans as per the settings you have.


Have you ever figured out how to do this?


Have you ever had to disable the Defender temporarily to test if it blocks something? If so, do you have an easy way to do so (ex. PS or cmd)?


Great summary. We have the issue that the setting “Check for signature updates before running scan” has the status ERROR on a lot of devices – Error Code -2016281112. Any ideas what could cause this? I was not able to find information on the error code. Thanks


Please Add RSS feeds to this. That will help us to get the latest posts updated. Thanks

Sure – I’ve added the link to our RSS feed in the social media icons area. Can access the feed here: https://deviceadvice.io/feed/

[…] our last blog post, Configure Microsoft Defender Antivirus with Intune, we talked about how even though Defender Antivirus is a component of Defender for Endpoint, it […]

[…] Manager provides a ton of functionality for managing Defender Antivirus. In a previous post we dived into configuring Defender Antivirus, so today we’ll be reviewing some of the specifics around Signature updates. Maybe your […]


SCCM | Configuration Manager | Intune | Windows Forums

PENDING   Co-managed windows 10 devices

  • Thread starter MJ-Tech
  • Start date Feb 23, 2023

MJ-Tech

Well-Known Member

  • Feb 23, 2023
  • We needed to check the compliance status on the Intune portal.
  • Deploy Windows 10 updates from Intune on a select number of PCs that are connected to a VPN or the company network.
  • Deploy few policies from Intune Issue description:


  • Feb 24, 2023

Hi. So in your Config Manager console under your Cloud Attach settings have you moved the workload from Configuration Manager to Pilot Intune or Intune?  

  • Feb 27, 2023
  • Thread Starter
GSTERLING said: Hi. So in your Config Manager console under your Cloud Attach settings have you moved the workload from Configuration Manager to Pilot Intune or Intune?
  • Feb 28, 2023

I've never played around with update rings in InTune but have you tried pushing any other policies to your test collection to see if anything is working?  

I deployed a few Win32 Windows apps on the testing device, however the status indicates that they are not applicable. (Note: I observe that a few testing device compliance statuses are appearing as compliant, but the update ring indicates that they are not applicable.) Let me reimage another computer and repeat this setup.

  • Even though the windows 10 machine is connected to the office network (LAN), the SCCM console device status indicates offline and the intune compliance status shows - see ConfigMgr


  • Mar 14, 2023

Sorry for the delayed response, have been away. I would think since it says Co-Managed and you already switched the workloads in SCCM you shouldn't need to be connected to your corporate network. If you go on the computer under Settings -> Accounts -> Access Work or School -> click on the Connected to Domain and click Info it should tell you about any applied policies, applications, etc. You can export a report which might give you more info. Also if you go into Intune admin center and click on the device and click on the different tabs - Device Compliance, Device Configuration, Managed Apps you can click on the different items and possibly get more info there about why things aren't applying.  


Introduction To The Series

You have enrolled your endpoints into Microsoft Intune, you’ve configured policies, and you are managing your devices. What’s next? How do you validate your endpoints’ management states, and how do you track the health of your endpoints over time?

In previous posts we here at Model Technology Solutions have talked at length about the capabilities Intune provides for managing endpoints & operating system updates, endpoint configuration, application deployment, and more.

This series of posts will focus on another important element of endpoint management – reporting, or, the ability to understand current and historic data about your endpoints’ actual state and the results of your management configuration.

This series will cover:

  • Intune’s reporting approach
  • Capabilities provided out of the box
  • Methods of using Intune’s data to perform advanced reporting

This knowledge will enable you, as an Intune administrator, to better utilize the wealth of data contained within the Intune service for the benefit of your organization.

This series is for Intune administrators who want to better utilize the wealth of data contained within the Intune service to benefit their organization through increased visibility into and understanding of their endpoint devices’ state, as well as aiding with improving configuration and addressing potential security holes.

One important caveat – all information in this post is based on the current state of Intune as of January 2022. While the core Intune reporting structure is likely to persist well into the future, specific details of report names and locations may shift over time.

Intune Reporting Overview

Microsoft Intune – a core component of Microsoft Endpoint Manager – is Microsoft’s modern, cloud-based platform for managing endpoint devices and applications. Intune contains a wealth of data on the endpoints it manages, all of which is available in various ways for administrators to use in managing Intune and the endpoint configuration. Microsoft has established and defined a framework for how that data is exposed within Intune to ensure the data administrators need is close at hand alongside their management activities.

This framework not only defines several types of reports by their intended usage, but allows the reporting data to be made available throughout the Intune environment in places intended to be easily accessible and relevant to the specific report types.

An important takeaway from this is that the “Reports” node in the Intune navigation menu is not a holistic collection of all of Intune’s reporting data.


This is unfortunately a common point of confusion for Intune users, and an understandable one at that. It would make sense that all of the reporting data would be found in a node called “Reports”…but in reality that is only a subset of the available data.

The following sections will discuss the various types of reports that comprise Intune’s reporting framework, the intent for each type, and where that data can be found in addition to the “Reports” module.

Types of Reports

The Intune reporting framework defines four types – or focus areas – of reports:

  • Operational
      • Provides timely, targeted data that helps you focus and take action.
      • Admins, subject matter experts, and help desk technicians will find these reports most helpful.
  • Organizational
      • Provides a broader summary of an overall view, such as device management state.
      • Managers and admins will find these reports most helpful.
  • Historical
      • Provides patterns and trends over a period of time.
  • Specialist
      • Allows you to use raw data to create your own custom reports.
      • Admins will find these reports most helpful.

In part one of this series, we will cover only the Operational Reports category. The remainder of the categories of data will be featured in future posts.

Where to Find Reports

As noted above, reports are found in different places in the Intune portal depending on their type and intended usage.

Operational reports comprise the majority of the reports available in Intune today. These can be found in numerous places throughout the Intune portal and can be grouped into three categories:

  • Overview reports
  • Monitor reports
  • Dashboard reports

When navigating through the Intune web portal, almost every section initially loads an “Overview” or “Summary” page which displays a set of reports as tabs in the workspace – these are the “Overview” reports.

Furthermore, each section has either a link labeled “Monitor”, which loads a list of reports, or a category of views labeled “Monitor”, under which additional reports are listed. Essentially, everywhere in the Intune portal that lists “Monitor” is a collection of the “Monitor” reports.

Finally, the main Intune node titled “Dashboard” is where Dashboard reports can be found, including the pre-configured Intune overview dashboard and any custom dashboards created by administrators.

Organizational and Historical reports can be found in the “Reports” node in the Intune navigation menu. These reports are grouped into several categories and provide broader views of the organization’s managed endpoints and management state.

“Specialist reports” refer to the abilities exposed by Intune for creating custom reports. This data can be accessed via the “Reports” node in the Intune navigation menu in the categories labeled “Intune Data Warehouse” and “Azure Monitor”.

The following sections will go into further detail on the different types of reports and, most importantly, how to go about configuring custom reports.

Operational Reports

As noted above, Operational reports are located throughout the Intune web portal and are intended to provide timely, targeted data within the context of the administrator’s current actions.

For example, Operational reports about Device state can be found in the Devices node alongside the tools for configuring device policy.

Overview Reports

Overview reports can be found at the top level of the Devices and Apps nodes in the Intune portal. These depict a collection of actionable and summary information about the state of managed devices and apps, providing administrators with immediate access to key information they need. These reports also alert the administrators to specific issues they may want to address.

In the Devices node, the Overview report contains four separate tabs, each displaying one or more reporting tiles with summary information, including:

  • The “Enrollment Status” tab displays the counts of Intune enrolled devices by operating system, the enrollment failures by operating system, and the top enrollment failures in the past week.
  • The “Enrollment Alerts” tab displays a list of any active alerts generated from enrollment issues.
  • Counts of managed devices by their compliance state.
  • Counts of managed devices broken into Compliant and Non-Compliant for each assigned Compliance Policy.
  • Number of devices without Compliance Policies assigned to them.
  • Compliance settings with the highest number of non-compliant devices.
  • The “Configuration Status” tab displays the counts of users and devices by configuration profile application status and the profiles with the highest count of deployment errors.

In the Apps node, the Overview report contains two separate tabs with reporting tiles, including:

  • The “Installation Status” tab displays the applications with the highest counts of installation failures by device type and the total count of applications with installation failures.
  • The “App Protection Policy Status” tab displays the total count of users who have been assigned application protection policies which are grouped by whether they are licensed or not, along with the count of users that have been flagged from application protection policies.


In both of these Overview reports, clicking on any of the reporting tiles drills down to specific Monitor reports with further information on the topic at hand.

Additional Overview reports can be found in the Endpoint Security node when selecting several of the options in the “Manage” category. These are functionally similar to the Devices and Apps Overview reports in that they may have multiple tabs of data with reporting tiles displaying high-level state information for administrators, though they also share the workspace with the interface for configuring the relevant endpoint security policies.

The specific reports at the time of writing include:

  • The “Summary” tab displays the counts of unhealthy endpoints by category, along with the count of active malware in the environment.
  • The “Unhealthy Endpoints” tab displays a list of all endpoints suffering from malware infection.
  • The “Active Malware” tab displays the identities of all active malware detected on managed devices.
  • The “Summary” tab lists the count of devices with the firewall turned off.
  • The “MDM Devices Running Windows 10 or Later with Firewall Off” displays the list of specific devices with the firewall turned off.

Monitor Reports

Monitor reports can be found at various locations within the Devices, Apps, and Endpoint Security nodes, providing more detailed information beyond that which is listed in the Overview reports.

Each of these reports provides the ability to search across the displayed columns, modify which columns are displayed, sort by any column displayed*, and export the data to CSV format for further exploration in Excel or other data analysis tools. Furthermore, items in each report can be clicked through to review the specific item’s details, providing access to further information that may be relevant for the report.

*Note: At the time of writing this, most Monitor reports allow sorting by every column available, however some reports do not. Microsoft has stated that their intent is to allow sorting of all columns and they are slowly rolling that out across the range of Monitor reports found in Intune.

In the Devices node, there is a dedicated Monitor link that loads a collection of reports, organized into categories named “Configuration”, “Compliance”, “Enrollment”, “Software Updates”, and “Other”. The following reports can be found there:

  • The “Assignment Status” report lists the counts of devices with errors, conflicts, or pending statuses for each Configuration Profile.
  • The “Assignment Failures” report lists the count of devices with errors for each configuration profile with assignment errors. Clicking through a profile provides more information on the specific devices that have failed.
  • The “Devices with Restricted Apps” report displays a list of devices upon which applications configured as restricted are currently installed. This report helps administrators quickly identify the users to contact and devices to align with organizational policy on restricted apps.
  • The “Encryption Report” lists each managed device along with their readiness for encryption, TPM chip version, and OS version. Individual devices can be clicked through to display the name of the profile applied to the device to enforce encryption and the status of the profile deployment.
  • The “Certificates” report lists the status of all certificates that have been deployed to devices from Intune.
  • The “Noncompliant Devices” report lists information for all devices that are in a “Not Compliant” state. Clicking through on a device pulls up the device’s full information in Intune for further analysis.
  • The “Devices without Compliance Policy” report lists devices of any operating system for which no compliance policy has been assigned.
  • The “Setting Compliance” report lists, for each setting enforced by any compliance policies, the counts of compliant and noncompliant devices. Each setting can be clicked through to list the specific devices that are not compliant for the setting.
  • The “Policy Compliance” report lists, for each compliance policy, the counts of devices that are compliant, noncompliant, or have errors with the policy’s contents. Clicking through a policy lists the specific devices that are not compliant or have errors.
  • The “Noncompliant Policies” report lists, for each compliance policy that has noncompliant devices, the counts of devices that are noncompliant or have errors with the policy’s contents. Clicking through a policy lists the specific devices that are not compliant or have errors.
  • The “Windows Health Attestation Report” report provides a collection of key Windows health metrics for each managed device.
  • The “Autopilot Deployments” report lists all Windows Autopilot-driven device enrollments within the past 30 days.
  • The “Enrollment Failures” report prompts for the selection of one or more users, then lists enrollment failures logged for the selected users.
  • The “Incomplete User Enrollments” report provides further details for enrollments that were initiated but failed to be completed, listing at which phase of the enrollment process the enrollment was ceased, among other related data.
  • The “Per-Update Ring Deployment State” displays, for each configured update deployment ring, the count of devices with errors, which devices failed to be updated, and which were updated successfully. Clicking through an update ring loads the relevant configuration page for the update ring along with an Overview report listing further status information for the update deployment.
  • The “Installation Failures for iOS Devices” report lists iOS devices for which update installation failed and provides additional details on the failures.
  • The “Feature Update Failures” report lists, for each configured Windows feature update deployment, the devices with errors from the update process. Clicking through a feature update deployment provides a list of the specific devices which generated errors.
  • The “Windows Expedited Update Failures” report lists, for each configured expedited Windows update deployment, the count of devices which failed to install the update. Clicking through an update displays a list of the specific devices which failed.
  • The “Device Actions” report lists a log of the device actions triggered within Intune for managed devices, along with the user initiating the action and the action’s result.

In the Apps node, there is a dedicated Monitor link that loads a collection of reports, described as follows:

  • The “App Licenses” report is used to track consumed and available licenses for applications for which license tracking is managed in Intune.
  • The “Discovered Apps” report provides a holistic list of all applications discovered on all managed devices. Clicking through an application lists the specific devices upon which that application has been found to be installed.
  • The “App Install Status” report lists, for each application, the install failure percentage, along with the counts of install failures for deployments targeting devices and users.
  • The “App Protection Status” report lists the count of all users that have been assigned application protection policies, broken down by whether they are licensed or not. Additionally, it lists the counts of flagged users and users with potentially harmful apps. Furthermore, it provides links to download more detailed app protection reports for iOS & Android, for Windows Information Protection without Enrollment, for Windows Information Protection via MDM, and for Application Configuration.

In the Endpoint Security node, a single Monitor report can be found at this time:

  • The “Assignment Failures” report lists the count of devices with errors for each configuration profile with assignment errors. Clicking through a profile lists more information on the specific devices that have failed. This is the same report that is listed in the Devices -> Monitor section and described above.

Many of the reports listed are currently in “Preview” mode and may see changes and expansions of capability before they are fully released.

Intune’s Dashboard reports are accessed via the Dashboard node in the navigation menu. This view is a pre-configured version of the standard Azure Dashboard functionality with a number of tiles listing key information about the Intune environment.

This dashboard can be rearranged and can have tiles removed, though very few tiles exist to be added which aren’t already present on the pre-configured dashboard.

Custom dashboards can also be created, though they are limited to the existing tiles, again, most of which are already present on the pre-configured dashboard. Still, this can be used to create more targeted views for specific subsets of Intune administrators.

Additionally, the reporting tiles link to relevant Monitor and Overview reports throughout the Intune interface, providing easy access to configuration options.

The data listed by default on the pre-configured dashboard includes:

  • Device enrollment status and count of enrollment failures in the past 7 days
  • Device compliance status and count of noncompliant devices
  • Device configuration status and count of policies with errors or conflicts
  • Client apps status and count of apps with installation failures
  • App protection policy user status per operating system
  • Count of Intune-enrolled devices per operating system
  • Count of devices per device compliance status
  • Device configuration profile status and count of users and devices by status, along with a weekly trend


More Coming Soon!

This is just the first of multiple posts in our Intune reporting series that are going to be coming out in the next month or so. These posts are going to continue to explore the different places that data can be retrieved from Intune and how to utilize it to gain valuable insights into the state of your endpoints and improve security.

The granular data that Intune provides for making improvements, decisions, and policies is by far some of the best in the industry. Gartner agrees. We’re committed to supporting IT pros in fully utilizing these tools, which they’ve already paid for and have access to. We write posts like this as part of that support, to give administrators like you the knowledge and power you need to ensure your infrastructure is as secure and efficient as possible.

If you haven’t already done so, sign up for our email list to get the other posts in this series in the next month. If you’re already on it, just stick around. We’re committed to taking you as deep as possible into this software so that you know exactly what’s possible and how you can use Intune’s data for the betterment of your company and the improvement of your endpoint management.


Pending devices in Microsoft Entra ID


Pending devices are devices that are synced to Microsoft Entra ID from your on-premises Active Directory, but haven't completed registration with the Microsoft Entra device registration service. When the registered state of a device is pending, the device can't complete any authorization or authentication requests, such as requesting a Primary Refresh token for single sign-on, or applying device-based Conditional Access policies.

The pending state exists only for Microsoft Entra hybrid joined devices.

Why a device might be in a pending state

When you configure a Microsoft Entra hybrid join task in the Microsoft Entra Connect Sync for your on-premises devices, the task will sync the device objects to Microsoft Entra ID, and temporarily set the registered state of the devices to "pending" before the device completes the device registration. This is because the device must be added to the Microsoft Entra directory before it can be registered. For more information about the device registration process, see How it works: Device registration.

For more information about how to troubleshoot pending devices, see the following video:

How a device gets stuck in a pending state

There are two scenarios in which a device can be stuck in a pending state.

Sync a new on-premises domain joined device to Microsoft Entra ID

A new on-premises device can get stuck in a pending state if it can't complete the device registration process. This problem can be caused by several factors, such as that the device can't connect to the registration service.

To troubleshoot a device registration problem, see:

  • Troubleshooting Microsoft Entra hybrid joined devices
  • Test Device Registration Connectivity

The state of a registered device is changed to pending

This problem can occur in the following scenario:

  • The device object is moved to another organizational unit (OU) that isn't in the sync scope in Microsoft Entra Connect Sync.
  • Microsoft Entra Connect Sync recognizes this change as the device object being deleted in the on-premises Active Directory. Therefore, it deletes the device in Microsoft Entra ID.
  • The device object is moved back to the OU in the sync scope.
  • Microsoft Entra Connect Sync creates a pending device object for this device in Microsoft Entra ID.
  • The device fails to complete the device registration process because it was registered previously.

To fix the problem, unregister the device by running dsregcmd /leave at an elevated command prompt, and restart the device. The device will reinitiate the device registration process through the scheduled task. For Windows 10-based devices, the scheduled task is under Task Scheduler Library > Microsoft > Windows > Workplace Join > Automatic-Device-Join Task.

Get a list of pending devices

The Microsoft Graph PowerShell SDK must be installed to execute Microsoft Graph PowerShell commands.

Use the Connect-MgGraph command to sign in to your Microsoft Entra tenant. For more information, see Get started with the Microsoft Graph PowerShell SDK.

Count all pending devices:

You can also save the returned data in a CSV file:
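The commands for these two steps did not survive on this page, so the following is an added example, not the original article's code. It assumes a pending device can be identified as a hybrid-join object (TrustType 'ServerAd') whose ProfileType is not yet 'RegisteredDevice'; the function name Get-PendingEntraDevice and the file name pending-devices.csv are hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement

function Get-PendingEntraDevice {
    <#
      Returns device objects that were synced from on-premises AD but have
      not completed registration.
      Assumption (not from the page): "pending" is detected as
      TrustType 'ServerAd' with a ProfileType other than 'RegisteredDevice'.
    #>
    [CmdletBinding()]
    param()

    # -All pages through the whole directory; filtering is done client-side.
    Get-MgDevice -All |
        Where-Object {
            $_.TrustType -eq 'ServerAd' -and
            $_.ProfileType -ne 'RegisteredDevice'
        }
}

# Read-only scope is enough for an inventory query.
Connect-MgGraph -Scopes 'Device.Read.All'

# Wrap in @() so .Count is correct for zero or one result.
$pending = @(Get-PendingEntraDevice)

# Count all pending devices.
"Pending devices: $($pending.Count)"

# Save the returned data in a CSV file for follow-up
# (hypothetical file name, written to the current directory).
$pending |
    Select-Object AccountEnabled, Id, DeviceId, DisplayName,
                  OperatingSystem, OperatingSystemVersion,
                  TrustType, ProfileType, RegistrationDateTime |
    Export-Csv -Path .\pending-devices.csv -NoTypeInformation
```

Devices in this list cannot obtain a Primary Refresh Token or satisfy device-based Conditional Access, so a count that stays high after a sync cycle is worth checking against the two stuck-in-pending scenarios described above.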

Contact us for help

If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.


COMMENTS

  1. Support Tip: Configuration Policy Shows as Pending on Windows Devices

    Make sure the UPN shown is the Azure AD user email address. Assign the policy to a device group containing the affected device. Then, from Settings > Accounts > Access work or school, click on the Connected to <aad_account> > Info > Sync to perform a device sync. While typically you want policies to apply to the user, not the device, this is a ...

  2. Configuration profile state pending on some devices

    If I look under configuration profiles --> device status, I see some devices where the deployment status is "Pending". I have noticed that all these devices have no "User Principal Name". This column is blank for all the pending devices. See the attached image. I have tried to manually sync the computer and restart several times.

  3. Troubleshooting policies and profiles in Microsoft Intune

    Pending: The device hasn't checked into Intune to get the policy. Or, the device received the policy but hasn't reported the status to Intune. Errors: Look up errors and possible resolutions at Troubleshoot company resource access problems. Check tenant status. Check the Tenant Status and confirm the subscription is Active. You can also view ...

  4. Intune Policies stuck at Pending : r/Intune

    Mchead22 • Not exactly sure as to the exact cause, but I can say in my experience, our policies will get stuck in pending status when they can't be applied for some reason. For instance, if I were to make a typo in the string value of a setting, so Intune therefore can't apply that setting, the policy status will just stay in pending and ...

  5. Support Tip: Known Issues with Intune policy reports

    A policy report shows two records for the same device: one with a 'user' account and one with a 'system' account. Policy reporting records are based on the configured assignment and the enrollment of the devices checking in. Intune will surface a unique record for the user checking in to the device to receive the policy.

  6. Monitor security baselines and profiles in Microsoft Intune

    However, devices that have an Assignment status of Pending don't have results to display. Selecting a setting from this view opens the Setting Details pane, same as via the main report-drill in. Per setting status report. Select the Per setting status tile to view this report. This report displays a list of the settings in the profile and for ...

  7. See device configuration policies with Microsoft Intune

    In Devices > Configuration > Policies tab, select an existing policy. The Device and user check-in status shows the number of all users or devices that checked-in with the policy. If one device has multiple users, this report shows the status for each user. When the user or device checks in with Intune, they receive the settings in your policy.

  8. Monitor app information and assignments

    Next steps. Intune provides several ways to monitor the properties of apps that you manage and to manage app assignment status. Sign in to the Microsoft Intune admin center. Select Apps > All apps. In the list of apps, select an app to monitor. You'll then see the app pane, which includes an overview of the device status and the user status.

  9. Troubleshooting policies and profiles in Microsoft Intune

    Every device lists its profiles. Each profile has a Status. The status applies when all of the assigned profiles, including hardware and OS restrictions and requirements, are considered together. Possible statuses include: Conforms: The device received the profile and reports to Intune that it conforms to the setting.

  10. Intune Policy Device Assignment Status Report HTMD Blog

    Let's check the Intune Policy Device Assignment Status Report in the Intune aka, Endpoint Manager portal. The updated policy experience for Configuration profiles or the Endpoint security node, helps to reorganize how we surface policy reports and provide a better overall reporting experience.. Starting in Intune Service release 2203, Microsoft Endpoint Manager Admin Center announced the ...

  11. Announcing updated policy reporting experience in Microsoft Endpoint

    Screenshot of the 'Device assignment status' report in the Endpoint Manager admin center. It shows a dropdown field above the aggregate chart where you can select an Assignment status to filter on. ... Improved definitions of 'Pending' state - We have improved the way we determine a device to be in a 'Pending' state ...

  12. Intune policies in pending state : r/sysadmin

    Hi all, I've setup Intune in a test environment using Windows 10 Pro and a Business Premium license. The device enrolls in Intune perfectly fine. However, all of the Device Configuration policies are stuck in Pending state on the endpoint. I've tried re-enrolling, restarting the endpoint, etc. But nothing seems to apply the policies.

  13. Configure Microsoft Defender Antivirus with Intune

    Let's jump to configuring Microsoft Defender Antivirus. First, open the MEM portal and select Endpoint security > Antivirus > + Create Policy: Create a Microsoft Defender Antivirus policy. Then, select Windows 10 and later and Microsoft Defender Antivirus from the dropdowns. Create Policy screen.

  14. Device config profiles pending : r/Intune

    Device config profiles pending. Anyone else get this issue randomly happening to devices. Been using Intune daily for 18months now and from time to time come across devices that have a large amount of config profiles just sat at pending, sometimes the same with device compliance policies too. Seem to get most policies and report sucess but then ...

  15. PENDING

    The reason for the above question is, when I check at the complaint status on the Intune portal, I get some random results, i.e., Even though the windows 10 machine is connected to the office network (LAN), the SCCM console device status indicates offline and the intune compliance status shows - see ConfigMgr; SCCM: Intune:

  16. Support Tip: Intune Co-Managed Windows 10 Device Apps in Pending State

    By Lee Yan | Sr. Service Engineer | Intune Support as a Feature . We have received a few support cases recently where customers using co-management - when a Windows 10 device has the Configuration Manager client and is enrolled to Intune - reported that apps are unexpectedly shown as pending in the Intune admin console or download pending in the Company Portal app after the user has clicked on ...

  17. Win10, device policy, status set as pending, ahhh

    I have created a Windows 10 device policy and set removable drive as blocked. I have a test group of computers I am testing intune with. It just says pending. In overview it says devices with errors 2. But no further granular details anywhere. Both systems are running Windows 10 Pro - 1709 update installed.

  18. Intune (Microsoft Edge Baseline pending)

    Generally speaking, pending means the device hasn't checked in with Intune to receive the policy yet. However, if the setting is in conflict with another policy, it will also show the Pending status. You can select a profile for a Security Baseline, and drill-in to view a list of settings from that profile as they apply to an individual device ...

  19. Overview and Operational Reports

    Microsoft Intune - a core component of Microsoft Endpoint Manager - is Microsoft's modern, cloud-based platform for managing endpoint devices and applications. ... The "Assignment Status" report lists the counts of devices with errors, conflicts, or pending statuses for each Configuration Profile.

  20. Troubleshoot and review Wi-Fi device configuration profiles in Intune

    Test connecting to the same Wi-Fi endpoint (as mentioned in the first step) again. Roll out to larger groups and eventually to all expected users in your organization. All Wi-Fi profiles report as failing. For Android Enterprise fully managed, dedicated, and corporate-owned work profile devices, you might get a report that all profiles have failed.

  21. Tips and tricks for managing Microsoft Endpoint Manager

    By Carolina de Sa Luz - Program Manager | Microsoft Endpoint Manager - Intune. Microsoft Endpoint Manager lets you manage a wide set of endpoint platforms by configuring and deploying policies and applications to users and devices from the cloud. This blog post describes best practices to enroll users, set up certificates, assign access and ...

  22. Pending devices in Microsoft Entra ID

    Why a device might be in a pending state. When you configure a Microsoft Entra hybrid join task in the Microsoft Entra Connect Sync for your on-premises devices, the task will sync the device objects to Microsoft Entra ID, and temporarily set the registered state of the devices to "pending" before the device completes the device registration. This is because the device must be added to the ...

  23. Troubleshooting BitLocker from the Microsoft Endpoint Manager admin

    Encryption status explained: This happens when a device that has already been encrypted using another method—either manually by the user, with Microsoft BitLocker Administration and Monitoring (MBAM), or by the Microsoft Endpoint Configuration Manager before enrollment. To rectify this, decrypt the device manually or by using Windows PowerShell.