Identify and respond to anomaly detection insights
Objective: Proactively detect and remediate emerging hardware and software issues before they generate widespread helpdesk tickets by leveraging the machine learning capabilities of Intune Advanced Analytics.
In a traditional IT environment, administrators often don't know an issue exists until the helpdesk is flooded with angry calls. By the time you notice a trend, user productivity has already been severely impacted.
Anomaly detection (a feature of Intune Advanced Analytics, an Intune Suite add-on) turns this reactive model into a proactive one. Instead of requiring you to define alerts and thresholds by hand, Intune uses machine learning to establish a baseline of "normal" behavior for your own tenant. When a metric deviates sharply from that baseline, such as a sudden spike in application crashes or stop errors (blue screens), Intune flags it as an anomaly.
Here is how to identify these insights and translate them into actionable IT responses.
How Anomaly Detection works
To trust the insights, you must understand how the system generates them.
- Baselining: Intune collects Endpoint analytics telemetry from your enrolled Windows devices, covering app reliability (crashes and hangs), startup performance, and stop errors.
- Machine learning: The system builds a dynamic model of your environment. It learns, for example, that your legacy accounting app crashes in about 2% of sessions, so a 2% crash rate is considered "normal" for that app.
- Triggering: If that accounting app suddenly starts crashing 15% of the time, the system registers a deviation from the baseline and raises an anomaly. Because deviations are judged against your tenant's own history, an app that has always been flaky does not generate noise merely for being flaky; what gets flagged is change.
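To make the baseline-versus-deviation idea concrete, here is a small, self-contained Python check over constructed daily crash telemetry. It is an added illustration, not Intune's model (whose internals are not public); the thresholds, the `DailySample` shape, the severity cutoffs and the sample numbers are all assumptions. It also handles the edge case a naive ratio misses: an app with only a handful of launches produces a wild crash rate from a couple of failures, so the check refuses to judge until there is enough data, and it requires both a practical jump (rate ratio) and a statistical one (z-score) before flagging.

```python
"""Baseline-versus-deviation check on per-app crash telemetry.

Added illustration of the idea behind anomaly detection; NOT Intune's model.
All thresholds, names and sample data below are constructed assumptions.
"""
from statistics import mean, pstdev
from typing import NamedTuple


class DailySample(NamedTuple):
    day: str        # ISO date
    launches: int   # app sessions started that day across the fleet
    crashes: int    # sessions that ended in a crash


def crash_rate(s: DailySample) -> float:
    return s.crashes / s.launches if s.launches else 0.0


def detect_anomaly(history, today, *, min_launches=200, min_days=7,
                   min_ratio=3.0, min_z=3.0) -> dict:
    """Compare today's crash rate with a baseline learned from history.

    Flags only when the rate is both practically higher (>= min_ratio times the
    baseline) and statistically unusual (>= min_z standard deviations above it).
    Days with too few launches are excluded: 5 crashes in 20 launches is a 25%
    rate, but it says nothing about the fleet.
    """
    usable = [crash_rate(s) for s in history if s.launches >= min_launches]
    if len(usable) < min_days:
        return {"anomaly": False, "reason": "baseline has too few usable days"}
    if today.launches < min_launches:
        return {"anomaly": False, "reason": "too few launches today to judge"}
    baseline, spread = mean(usable), pstdev(usable)
    rate = crash_rate(today)
    ratio = rate / baseline if baseline else float("inf")
    z = (rate - baseline) / spread if spread else float("inf")
    flagged = ratio >= min_ratio and z >= min_z
    return {"anomaly": flagged,
            "reason": "deviation from baseline" if flagged else "within baseline",
            "rate": round(rate, 4), "baseline": round(baseline, 4),
            "ratio": round(ratio, 2), "z": round(z, 1)}


def severity(devices_impacted: int, fleet_size: int) -> str:
    """Illustrative severity cutoffs by share of fleet (assumed, not Intune's)."""
    share = devices_impacted / fleet_size
    if share >= 0.10:
        return "High"
    if share >= 0.02:
        return "Medium"
    return "Low"


# Constructed: two weeks of a legacy accounting app crashing ~2% of the time.
HISTORY = [DailySample(f"2025-02-{d:02d}", 1000, c) for d, c in enumerate(
    [19, 21, 18, 22, 20, 23, 17, 20, 21, 19, 22, 18, 20, 21], start=1)]

SPIKE = DailySample("2025-02-15", 1000, 150)   # 15%: the page's triggering case
MILD = DailySample("2025-02-15", 1000, 26)     # 2.6%: statistically odd, practically minor
SPARSE = DailySample("2025-02-15", 20, 5)      # 25% of almost nothing

if __name__ == "__main__":
    for label, sample in [("spike", SPIKE), ("mild", MILD), ("sparse", SPARSE)]:
        print(label, detect_anomaly(HISTORY, sample))
    print("severity:", severity(devices_impacted=340, fleet_size=2500))
```

The MILD case is the one worth noticing: a rise from 2.0% to 2.6% is more than three standard deviations above a very stable baseline, so a z-score alone would page you, while the ratio test correctly treats it as not worth a ticket. Requiring both is what keeps a tenant-specific baseline from turning every quiet app into an alarm.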
Identify active anomalies
To monitor the health of your environment, you should make checking the Anomalies dashboard a part of your daily IT operations routine.
- Sign in to the Microsoft Intune admin center.
- Navigate to Reports > Endpoint analytics > Anomalies.
- Review the active list. Anomalies are prioritized by Severity:
- High: A critical issue affecting a large percentage of your fleet or causing severe disruption (e.g., frequent Blue Screens of Death or crashes in a core security agent). Requires immediate attention. A crashing endpoint protection or VPN agent is also a security exposure, not just a helpdesk problem: until it is fixed, those devices are running without that control or are off the corporate network.
- Medium: A noticeable degradation in experience, but not completely halting productivity (e.g., an increase in background app hangs).
- Low: Minor deviations from the baseline that may not require immediate action but should be monitored.
- Check the State column to see whether an anomaly is Active (currently happening) or Resolved (the metric has returned to the baseline on its own).
Investigate and respond to an insight
Seeing an anomaly is only the first step; you must investigate its root cause. Intune provides automated correlations to help you connect the dots.
Scenario: The dashboard flags a High Severity anomaly: "High crash rate for Cisco AnyConnect."
Step 1: Review the Anomaly details
Click on the specific anomaly in the list. The detail pane will show you exactly how many devices are affected and the trajectory of the issue (e.g., "Crashes have increased by 400% in the last 24 hours").
Step 2: Check for Correlations
Intune automatically looks for characteristics that the affected devices have in common and groups them accordingly. Review the correlations listed for the anomaly.
- Do all the crashing devices share the exact same device model (e.g., only Lenovo ThinkPad T14s)?
- Are they all running a specific OS Version (e.g., Windows 11 25H2)?
- Response: A correlation is a lead, not proof. If it points to a specific hardware model, start by checking recent OEM firmware or driver updates pushed to those machines, but also ask whether that model simply received a change (such as a Windows update) earlier than the rest of the fleet. The device timeline in the next step is how you confirm which it is.
Step 3: Analyze the Device Timeline
To see what happened right before the failure, pick one of the affected devices from the list and open its Device Timeline.
- Filter the timeline to the hours around the first crash. Widen the window if nothing stands out: an update can install hours before the reboot that activates it.
- You might see a chronological sequence like this:
- 10:00 AM: Windows Quality Update KB503xxxx installed successfully.
- 10:05 AM: Device rebooted.
- 10:12 AM: Cisco AnyConnect crashed.
- 10:15 AM: Cisco AnyConnect crashed again.
- Response: You now have a strong hypothesis rather than a confirmed root cause: the new Windows update appears to conflict with the VPN client. Before acting on the whole fleet, open the timeline on two or three more affected devices and confirm that the same update precedes their first crash, and check that devices which have not received the update are not crashing. Note that a reboot also appears just before the crash; it is the mechanism that activates the update, not the cause.
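To make that cross-device confirmation concrete, here is an added Python example (not Intune functionality; Intune does not expose this analysis as code) that takes device timelines of the kind described above, ranks the events seen shortly before each device's first crash, and checks whether devices that did not crash saw the same events. The timelines, device names and the `window_hours` parameter are constructed assumptions. Running it with a one-hour window and then a twelve-hour window shows why the window matters: an update that installed overnight and only bit after the morning reboot falls outside a narrow window, and the reboot itself then floats to the top.

```python
"""Cross-device timeline correlation for a crash anomaly.

Added example; not an Intune feature. The timelines below are constructed
(ISO timestamp, event) pairs modelled on the page's scenario.
"""
from collections import Counter
from datetime import datetime, timedelta

CRASH = "Cisco AnyConnect crashed"

# Constructed: three devices that crash, two that do not.
TIMELINES = {
    "LT-0142": [("2025-03-04T10:00", "Windows quality update installed"),
                ("2025-03-04T10:05", "Device rebooted"),
                ("2025-03-04T10:12", CRASH),
                ("2025-03-04T10:15", CRASH)],
    "LT-0377": [("2025-03-04T08:40", "Microsoft Edge updated"),
                ("2025-03-04T09:31", "Windows quality update installed"),
                ("2025-03-04T09:36", "Device rebooted"),
                ("2025-03-04T09:50", CRASH)],
    # Update installed overnight; the crash only appears after the morning reboot.
    "LT-0519": [("2025-03-03T22:10", "Windows quality update installed"),
                ("2025-03-04T07:02", "Device rebooted"),
                ("2025-03-04T07:09", CRASH)],
    "LT-0610": [("2025-03-04T08:45", "Microsoft Edge updated"),
                ("2025-03-04T09:00", "Device rebooted")],
    "LT-0722": [("2025-03-04T11:20", "Device rebooted")],
}


def first_crash(events, crash_event):
    """Timestamp of the first crash on one device, or None if it never crashed."""
    for ts, ev in sorted(events):
        if ev == crash_event:
            return datetime.fromisoformat(ts)
    return None


def candidate_causes(timelines, crash_event, window_hours=12):
    """Rank non-crash events by how many crashing devices saw them inside the
    window before their first crash, then count how many non-crashing devices
    saw the same event anywhere (the more that did, the weaker the candidate)."""
    window = timedelta(hours=window_hours)
    affected, unaffected = {}, {}
    for device, events in timelines.items():
        t0 = first_crash(events, crash_event)
        if t0 is None:
            unaffected[device] = {ev for _, ev in events}
        else:
            affected[device] = {
                ev for ts, ev in events
                if ev != crash_event
                and t0 - window <= datetime.fromisoformat(ts) < t0
            }
    shared = Counter(ev for evs in affected.values() for ev in evs)
    ranked = []
    for ev, n in shared.items():
        ranked.append({
            "event": ev,
            "affected": n, "affected_total": len(affected),
            "unaffected": sum(ev in evs for evs in unaffected.values()),
            "unaffected_total": len(unaffected),
        })
    # Most affected devices first; among ties, fewest unaffected devices first.
    ranked.sort(key=lambda r: (-r["affected"], r["unaffected"], r["event"]))
    return ranked


if __name__ == "__main__":
    for hours in (1, 12):
        print(f"--- window = {hours}h")
        for r in candidate_causes(TIMELINES, CRASH, window_hours=hours):
            print(f'{r["event"]:34} affected {r["affected"]}/{r["affected_total"]}'
                  f'  unaffected {r["unaffected"]}/{r["unaffected_total"]}')
```

With the twelve-hour window the quality update is present on 3 of 3 crashing devices and 0 of 2 healthy ones, while the reboot is on 3 of 3 crashing devices but also on both healthy ones, which is exactly the distinction the Response above draws between the cause and the mechanism. With a one-hour window the overnight install on LT-0519 drops out, the update falls to 2 of 3, and the reboot ranks first, so a too-narrow timeline filter can point you at the wrong thing.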
Step 4: Execute the Remediation
Because you caught the anomaly early, you can contain the blast radius:
- Pause deployments: In your Windows update rings, pause quality updates so the update stops rolling out to the rest of the fleet. An Intune pause lasts up to 35 days and then resumes automatically, so track the date. Pausing does not undo the update on devices that already have it; for those, use the update ring's uninstall option for quality updates or the vendor fix below.
- Alert the Helpdesk: Post an advisory in your IT ticketing system so helpdesk agents know the issue is identified and can provide a pre-scripted workaround to affected users instead of spending hours troubleshooting blindly.
- Test a fix: Deploy an updated version of the VPN client to a small pilot group of affected devices to verify whether the vendor has already fixed the conflict, and only then roll it out to the fleet.
Managing Anomaly Fatigue
Just like traditional alerting systems, "alert fatigue" can be a problem if administrators are overwhelmed by Low-severity anomalies.
- If Intune flags an anomaly for an application that you know is being retired or is inherently unstable, you can select the anomaly and mute it. Muting removes it from the active view so the dashboard stays focused on actionable insights; it does not change the underlying metric, so review what you have muted periodically. Do not mute anomalies involving security agents (endpoint protection, VPN, disk encryption) or stop errors, whatever their severity: a quiet dashboard is worthless if it hides a fleet running without its controls.