Is your Intune environment actually healthy?

Most Intune environments score below 70 on their first health check. Not because IT teams are doing a bad job - but because Intune was never designed to show you a clear picture of your estate's health. The problems are in there. They're just not visible.

This post walks through what a proper health check looks at and what it typically finds. If you want to run one against your own environment, you can do it free at the end - all it takes is a CSV export from Intune and a work email address to receive your report.

What a proper Intune health check looks at

A good health check should work from data you already have. The one we built uses a standard CSV export from Intune's All Devices view - no agent, no tenant connection, nothing leaving your browser. Every device gets scored locally against six risk factors.

Estate Risk Score (0-100)

A single number built from compliance rate, encryption coverage, stale check-ins, cert expiry, and management state. Each factor is weighted and shown, so you know exactly what is driving the result.

Top 10 riskiest devices

Each device gets its own score. The ones at the top of the risk list come with the specific issues driving that score and a suggested fix - useful for triaging a ticket queue or briefing a manager.

Remediation priorities

Issues sorted by their impact on the overall score, not just by count. Fixing the top three items on the list will move the needle more than clearing fifty low-risk ones.

The report also covers: compliance and encryption breakdown by device, stale and unmanaged device detection, missing primary user identification, and management certificate expiry - all from a static CSV export, with nothing sent externally.

Estate Health Score

/100

AT RISK

What feeds your score

Calculated locally from your CSV. Each factor contributes a penalty based on how many devices are affected and how severely - shown transparently so you can act on the highest-impact items first.

Compliance rate Encryption coverage Stale check-ins Cert expiry Management state Missing primary user

Most environments score between 55 and 75 on first run.

What it tends to find

The assumption is usually that smaller environments are fine - "we'd notice if something was wrong." In practice, they often carry more drift than larger ones, precisely because there's been no formal baseline, no compliance tooling, and onboarding has been done ad-hoc over years. Here is what tends to show up, by environment size.

In larger environments (500+ devices)

+Stale device records quietly inflating licence costs

+Non-compliant devices invisible within specific departments

+Management certs expiring without anyone noticing

+Devices with no primary user silently skipping targeted policies

+Audit prep becomes a multi-day manual exercise

In smaller environments (under 500 devices)

+No baseline to know what "good" looks like

+Configuration drift from onboarding shortcuts

+Security gaps invisible until something goes wrong

+No easy way to prove compliance to stakeholders or insurers

+One-person IT teams with no time for routine reviews

Neither of these is unusual. Most environments have at least some of this. Running the health check takes about five minutes and gives you a scored, prioritised list of exactly where your estate stands - so instead of a general sense that something is probably wrong, you have a specific list of what to fix first.

How it works: Drop your CSV in and the analysis runs locally in your browser - nothing is sent to any server. When you're ready to see the full scored report, you'll be asked for a work email address. That's it. No account setup.

What continuous visibility looks like

Beyond the snapshot

Eido connects directly to Intune and tracks everything your CSV cannot - live, continuously, without manual work. This is what your dashboard looks like once connected. Sample data

Book a live demo

● LIVEUpdated just now

86%

Compliant

841

Total Devices

829 inactive

117

Compliance Issues

117 HIGH

502

Config Issues

319 HIGH

1016

App Issues

LIVE ONLY

22%

Patches Overdue

LIVE ONLY

Active Malware

LIVE ONLY

38%

Out of Warranty

LIVE ONLY

Compliance by Department

Sales

17%

83%

Engineering

13%

87%

Marketing

11%

89%

C-Level

14%

86%

Management

100%

Top Issues

CrowdStrike (Win)App

221

Cisco AnyConnectApp

170

CIS BaselineConfig

170

Screen Saver PolicyConfig

PostmanApp

EIDO-CIS-F172B Unhealthy - High

Last Sync

5 days ago

Compliance

Compliant

Patch Status

Unhealthy - High

Warranty

Active

Device Properties

OS Version10.0.26100.7840

Owner TypeCorporate

Device NameEIDO-CIS-F172B

Intune TenantEido Production

Patch Status

Patch OS Date Status

2026-05 B Win 11 24H2 12 May 26 ⚠ Overdue (Med)

2026-04 B Win 11 24H2 14 Apr 26 ⚠ Overdue (High)

2026-03 B Win 11 24H2 10 Mar 26 ⚠ Overdue (High)

2026-02 B Win 11 24H2 10 Feb 26 ✓ Installed

2026-01 B Win 11 24H2 13 Jan 26 ✓ Installed

2025-12 B Win 11 24H2 09 Dec 25 ✓ Installed

Patch history is only available via live connection - not in a CSV export.

Active Devices

Active Users

28.7

Avg Hrs / User

0.96

Avg Hrs / Day

TeamCollab · Usage by User · Last 30 daysteamcollab.exe

UserTotal (hrs)Last Used

J. Hartwell84.32026-05-07

S. Okafor29.52026-05-07

P. Monteiro29.02026-05-07

+ 6 more users…

Licence usage by app, user, and device

Useful for identifying unused software spend before renewal conversations.

See Demo

TABLESYSTEM

Compliance Policy Summary

All compliance policies with assignment counts and health breakdown

TABLESYSTEM

Active Malware Summary

All active malware detections with active and resolved counts by name

PIESYSTEM

App Deploy by Severity

Open app deployment issues grouped by severity for drill-down

BARSYSTEM

Autopilot by Profile

Deployment count grouped by Autopilot profile over last 30 days

TABLESYSTEM

Intune Audit Log

All Intune admin audit events in one filterable table

TABLESYSTEM

Warranty Expiry Report

Devices approaching or past warranty expiry, sortable by date

Plus 100+ more covering patch exposure, Defender posture, Autopilot deployments, config policy drift, app deployment failures, and certificate expiry - all runnable and droppable onto any dashboard.

QueryHub - Drop any report onto a custom dashboard. Schedule as a weekly digest to IT, security, or leadership. No manual work, no exports.

If you want to go further than a one-off check

The health check is a useful starting point - run it, work through the list, and most environments are already in a better position. But a snapshot only tells you where things stood when you exported the CSV. Warranty expiry, missing patches, and config policy drift don't wait for your next review. For teams who want Eido to watch these things continuously and alert them the moment something changes, here is how that works.

Direct connection, no CSV required

Eido reads from Intune via read-only Graph API permissions. Dashboards reflect the current state without any manual export or refresh step.

Signals a static export does not contain

Patch exposure, warranty status, app usage, Defender posture, install failures, and policy drift are tracked continuously and historically - none of these appear in a standard device export.

Alerts when something changes

You can set thresholds for compliance rate, cert expiry windows, and Defender coverage. When something crosses a threshold, it routes to Slack, Teams, or ServiceNow rather than waiting for someone to notice.

Automated reporting for stakeholders

Weekly or monthly summaries for IT leads, security teams, or senior management, generated automatically from live data. No manual compilation, no spreadsheet exports.

Multi-tenant support

For MSPs or IT teams managing multiple tenants, everything sits in one view. No switching between portals or maintaining separate logins per customer.

Worth doing even if everything looks fine

The value of running this is not finding catastrophic problems - most environments do not have those. It is finding the low-level drift that accumulates quietly and invisibly: devices that haven't checked in for months, a cert expiring in six weeks, machines where Defender has silently stopped reporting. None of these announce themselves. They just sit there until an audit, an incident, or a renewal conversation makes them someone's problem.

Five minutes and a CSV export is all it takes to find out. Most people come away with two or three things to fix immediately and a clearer picture of where their estate actually stands. If what you find makes you want to track this properly going forward, that is what Eido is for.

Free · No account required

Check your Intune estate for free

Export your devices from Intune, drop the CSV in, and the analysis runs instantly in your browser. You'll need a work email address to unlock the full scored report - no account required, no agent installed.

Run the health check
or get in touch if you have questions