Monitoring and Responding to Windows Intune Alerts

4 min read

General Windows Intune alerts

Windows Intune will raise an alert in a number of situations where we, as the administrators, need to either be aware of an event or respond directly to it. The alerts will appear in a number of the screens and reports in Windows Intune. Windows Intune has seven alert categories:

  • Endpoint Protection
  • Monitoring
  • Notices
  • Policy
  • Remote Assistance
  • System
  • Updates

Some of these alerts require special attention and have their own section, while others can be generically dealt with. The two areas that need some special attention are the Endpoint Protection alerts relating to malware and remote assistance, as the actions taken here always need to be decisive. We have also already tackled the update alerts in the previous chapter.

Before we examine alerts in more detail, I thought I should share a quick, but obvious, note. The reporting of alerts from the client computer to Windows Intune requires an Internet connection from the client computer, so we are unlikely to see an alert saying that the user’s PC is having network trouble. However, if a computer has not checked in with Windows Intune for a while, we will see an alert for this from Windows Intune, pointing to a machine that has not been turned on for a while, or with problems! It is more likely that a user will contact us via other means if they are having a networking problem, but we should remember to tell users to do that in that situation rather than them requesting remote assistance and wondering why we don’t respond!

Monitoring alerts

There are two ways to monitor alerts once they have been enabled and the notification has been completed. The two choices are to either look at the console and refresh, or wait for notifications to arrive via e-mail. The e-mail notifications look similar to the one in the following screenshot. Clicking the link takes us to the Windows Intune console

To view the alerts in the Windows Intune console, go to the Alerts workspace and go to All Alerts. We can choose which alerts are displayed by changing the Filters selection at the top of the screen. All the filters shown open alerts, except for the filter choice of Closed. The filter choice of None shows all open Critical, Warning, and Informational alerts

We can also view alerts specific to the category by selecting one of the items below All Alerts selection tree. For example, in the Monitoring category, we can see one alert at the moment:

Finally, we can view alerts that relate to a specific computer by looking at the Alerts tab in the Computers workspace

Responding and closing alerts

Once we have an alert to deal with, we need to respond in some way. By clicking on the alert, the details pane is displayed. Under the Recommended Actions, there will either be a link to Click here to take action or one to View Troubleshooting Information.

If we click the information link, a window will open that, depending on the problem and potential solution, will show either a link to the Windows Intune help file or a link to carry out the action if appropriate. In the following example, the alert is for malware and a link to information on the specific malware that was seen. We can see that the following information does not show us a specific action for malware. We will discuss how to respond to malware a little later in this article

Once we have resolved the alert, it needs to be closed to remove it from the console and to enable us to demonstrate that we have resolved an issue with computers that we manage. Windows Intune will not close the alert for us unless one of these criteria is met:

  • Windows Intune can detect that the issues have been resolved
  • 45 days have passed since the alert was opened

To manually close an alert, follow these steps, but be careful to close the right one. While we can re-activate a closed alert in Windows Intune, if the alert is closed by mistake then we may miss taking important action:

  1. Open up the Windows Intune console and find the alert to close. We can select more than one alert if desired here.
  2. Click Close Alert in the toolbar, or right-click on the alert and select Close Alert from the menu. We can also close an alert when we have opened it fully and are looking at the Alert Properties by clicking the Close This Alert link under Tasks.

The automated closing of alerts, when an issue has been resolved, can be a little confusing as we see alert e-mails, but then they don’t exist in the console. This is most common when malware and policy issues occur as Windows Intune can detect the resolution of these. It is always worth checking the closed alert log to ensure these do not require further action or highlight an underlying issue, such as network or security, that needs resolving. A good example of where we might see this is with the Unable to Update Policies alert which are generated when a user’s computer is not in contact with Windows Intune. The alert e-mail looks similar to the following screenshot:

This is the type of alert that will be automatically closed once connectivity is resolved and the policies updated.


Please enter your comment!
Please enter your name here