
Set up Enhanced Inventory

Enhanced Inventory is a PowerShell-based (Windows) and shell-based (macOS) collection pipeline that gathers device facts Intune doesn’t track natively — hardware specs, monitor model and serial, disk health, battery health, Microsoft 365 channel, driver inventory, and warranty data — and sends them to your Azure Log Analytics workspace via the Log Ingestion API. BI for Intune reads from that workspace to populate the Firewall Status, App Inventory, Driver Inventory, Microsoft 365, Monitor, Disk, Battery, and Warranty dashboards.

Prerequisites

  • BI for Intune installed and configured (the Setup Guide is complete).
  • A Log Analytics workspace set up per Set up the Log Analytics workspace, including the BI for Intune app registration’s Log Analytics API Data.Read permission and its Log Analytics Reader role on the workspace. If you also use Windows Update for Business reports, both add-ons share that same workspace.
  • Microsoft Entra: Application Administrator or Global Administrator.
  • Azure: Contributor or Owner on the target subscription or resource group, plus User Access Administrator or Owner to assign roles (only required for automatic RBAC assignment in Step 2).

Step 1: Create the inventory app registration

The Enhanced Inventory scripts use a dedicated Microsoft Entra application to authenticate to Azure and send data via the Log Ingestion API. This is separate from the main BI for Intune app registration.

  1. In the Azure portal, go to Microsoft Entra ID > Enterprise applications.
  2. Select New application > Create your own application.
  3. Enter a name (for example, PowerStacks-CustomInventory).
  4. Select Integrate any other application you don’t find in the gallery.
  5. Select Create.
  6. From the Enterprise Application overview page, record the Object ID.

Switch to the App Registrations pane to get the credentials the inventory scripts will use:

  1. Go to Microsoft Entra ID > App registrations.
  2. Find the application you just created (search by name).
  3. From the Overview page, record the Directory (Tenant) ID and the Application (Client) ID.
  4. Go to Certificates & secrets > New client secret. Enter a description, select an expiration period, and select Add.
  5. Immediately record the Value (not the Secret ID). The value is only shown once.

By the end of this step you should have:

Value | Where to find it | Used by
Enterprise App Object ID | Enterprise Applications > Overview | ARM deployment template
Directory (Tenant) ID | App Registrations > Overview | Inventory scripts
Application (Client) ID | App Registrations > Overview | Inventory scripts
Client Secret Value | App Registrations > Certificates & secrets | Inventory scripts
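The portal steps above can also be done from PowerShell, which makes the secret lifetime explicit and keeps the secret out of a browser session. The following is an added example (not the PowerStacks project's own code) that creates the app registration, its service principal (the object the Enterprise Applications pane shows) and a client secret with the Az.Resources module, then prints the four values the table asks you to record. The display name, the six-month secret lifetime, and the module choice are assumptions; shorten the lifetime if your policy requires it, and schedule rotation, because the inventory scripts stop ingesting the moment the secret expires.

```powershell
# Added example, not part of the PowerStacks scripts. Assumes Az.Accounts and Az.Resources are
# installed and the signed-in user holds Application Administrator (or Global Administrator).
Connect-AzAccount | Out-Null

$displayName          = 'PowerStacks-CustomInventory'   # assumed name, matches the page's example
$secretLifetimeMonths = 6                               # assumption: rotate before this elapses

# App registration (what the App Registrations pane shows) ...
$app = New-AzADApplication -DisplayName $displayName

# ... and its service principal, which is the Enterprise Application and carries the Object ID
# the ARM template needs for its RBAC assignment.
$sp = New-AzADServicePrincipal -ApplicationId $app.AppId

# Client secret. SecretText is returned exactly once; put it in a vault, not in a ticket or chat.
$cred = New-AzADAppCredential -ApplicationId $app.AppId `
            -EndDate (Get-Date).AddMonths($secretLifetimeMonths)

# The four values from the table above, plus the expiry you must track.
[pscustomobject]@{
    'Enterprise App Object ID' = $sp.Id                     # ARM deployment template (Step 2)
    'Directory (Tenant) ID'    = (Get-AzContext).Tenant.Id  # inventory scripts
    'Application (Client) ID'  = $app.AppId                 # inventory scripts
    'Client Secret Value'      = $cred.SecretText           # inventory scripts
    'Secret expires'           = $cred.EndDateTime
} | Format-List
```

New-AzADApplication creates a single-tenant registration by default, which is what this pipeline needs; no API permissions are added because the Log Ingestion API authorises writers through an Azure RBAC role on the Data Collection Rule, not through a Graph permission.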

Step 2: Deploy the Log Analytics resources

This step uses a one-click ARM template to configure the custom tables, Data Collection Endpoint (DCE), and Data Collection Rule (DCR) in your existing Log Analytics workspace.

The deployment creates:
  • Custom Log Analytics tables: PowerStacksDeviceInventory_CL, PowerStacksAppInventory_CL, PowerStacksDriverInventory_CL
  • A Data Collection Endpoint (DCE)
  • A Data Collection Rule (DCR)
  • Automatic RBAC assignment (if the Enterprise App Object ID is provided)

Select the button below to deploy:

Deploy to Azure

During deployment you will be prompted for:

  • Workspace selection — select Use an existing workspace and point at the workspace from the prerequisites (the same one your WUfB reports use, if you have them).
  • Workspace details — provide the subscription ID, resource group name, and workspace name.
  • Enterprise App Object ID — paste the Object ID from Step 1.

After deployment completes, capture the outputs:

  1. In the Azure portal, go to Resource group > Deployments.

  2. Select the deployment name.

  3. Select the Outputs tab and record:

    Output | Used by
    DceURI | Inventory scripts
    DcrImmutableId | Inventory scripts
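If you prefer not to click through the portal, or you left the Enterprise App Object ID blank and need to do the RBAC step by hand, the following added example (not the PowerStacks project's own code) reads the two outputs from the deployment record and then confirms that the inventory service principal holds the Monitoring Metrics Publisher role on the DCR, which is the role the Log Ingestion API checks before accepting writes. The resource group name, deployment name and object ID are placeholders for your values; the example assumes Az.Resources and Az.Monitor are installed and that the signed-in user can assign roles.

```powershell
# Added example, not part of the PowerStacks deployment. Placeholders below are assumptions.
$rg             = '<resource group name>'
$deploymentName = '<deployment name shown under Resource group > Deployments>'
$spObjectId     = '<Enterprise App Object ID from Step 1>'

# 1. Deployment outputs. Keys are compared case-insensitively so the template's exact
#    casing of DceURI / DcrImmutableId does not matter.
$deployment = Get-AzResourceGroupDeployment -ResourceGroupName $rg -Name $deploymentName
$outputs = @{}
foreach ($name in $deployment.Outputs.Keys) {
    $outputs[$name.ToLowerInvariant()] = $deployment.Outputs[$name].Value
}
$dceUri         = $outputs['dceuri']
$dcrImmutableId = $outputs['dcrimmutableid']
"DceURI         : $dceUri"
"DcrImmutableId : $dcrImmutableId"

# 2. Find the DCR by the immutable ID the scripts use, to get its ARM resource ID for scoping.
$dcr = Get-AzDataCollectionRule -ResourceGroupName $rg |
       Where-Object { $_.ImmutableId -eq $dcrImmutableId }
if (-not $dcr) { throw "No DCR with immutable ID $dcrImmutableId in resource group $rg" }

# 3. Check the role at DCR scope and add it only if missing. Scope it to the DCR, not the
#    resource group: the service principal needs nothing else. Role assignments can take a
#    few minutes to propagate, so 403s from the ingestion endpoint right after this are normal.
$role     = 'Monitoring Metrics Publisher'
$existing = Get-AzRoleAssignment -ObjectId $spObjectId -Scope $dcr.Id -RoleDefinitionName $role
if ($existing) {
    "$role is already assigned to $spObjectId on $($dcr.Name)"
} else {
    New-AzRoleAssignment -ObjectId $spObjectId -Scope $dcr.Id -RoleDefinitionName $role | Out-Null
    "Assigned $role to $spObjectId on $($dcr.Name)"
}
```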

Step 3: Deploy the Windows inventory script


The script gathers data from each Windows endpoint and sends it to the Log Analytics workspace via the Log Ingestion API.

Download Intune_Windows_Inventory.ps1 from the PowerStacks Windows-Enhanced-Inventory repository.

Update the following settings near the top of the script:

Parameter | Value
LogAPIMode | LogIngestionAPI
TenantId | Directory (Tenant) ID from Step 1
ClientId | Application (Client) ID from Step 1
ClientSecret | Client Secret value from Step 1
DceURI | From Step 2 outputs
DcrImmutableId | From Step 2 outputs
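Before you push the script to thousands of devices, it is worth proving from one test machine that these five values actually work together. The following added example (not the PowerStacks script and not a substitute for it) does what the script does under the hood: it takes a client-credentials token for the Azure Monitor resource and posts a single constructed record to the DCR through the Log Ingestion API. A 204 response means the DCE and DCR accepted the record; a 403 almost always means the Monitoring Metrics Publisher role is missing on the DCR or has not propagated yet; a 404 usually means a wrong DCE URI, DCR immutable ID or stream name. The placeholder values are assumptions. The stream name Custom-PowerStacksDeviceInventory_CL follows the Custom-<table name> convention for DCR streams and may differ in the DCR the template deployed, and the record fields (TimeGenerated plus Computer) are constructed for the test rather than taken from the real table schema.

```powershell
# Added example, not part of the PowerStacks scripts. Run from a test machine, then delete
# the secret from it. All values below are placeholders.
$TenantId       = '<Directory (Tenant) ID from Step 1>'
$ClientId       = '<Application (Client) ID from Step 1>'
$ClientSecret   = '<Client Secret value from Step 1>'
$DceURI         = 'https://<dce-name>.<region>-1.ingest.monitor.azure.com'   # DceURI output
$DcrImmutableId = 'dcr-<immutable id>'                                        # DcrImmutableId output
$StreamName     = 'Custom-PowerStacksDeviceInventory_CL'   # assumption: Custom-<table> convention

# 1. Client-credentials token for the Azure Monitor scope. The double slash before .default
#    is required by this resource.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://monitor.azure.com//.default'
        grant_type    = 'client_credentials'
    }

# 2. One constructed record. The API takes a JSON array, and the body must stay under 1 MB,
#    which is why the real script batches large app and driver inventories.
$records = @(
    @{
        TimeGenerated = (Get-Date).ToUniversalTime().ToString('o')
        Computer      = $env:COMPUTERNAME
    }
)
# -InputObject keeps the single-element array as a JSON array (piping would unwrap it).
$body = ConvertTo-Json -InputObject $records -Depth 5

# 3. POST to the DCR stream through the DCE.
$uri = "$DceURI/dataCollectionRules/$DcrImmutableId/streams/$StreamName" + '?api-version=2023-01-01'
try {
    $response = Invoke-WebRequest -Method Post -Uri $uri -UseBasicParsing `
        -Headers @{ Authorization = "Bearer $($token.access_token)" } `
        -ContentType 'application/json' -Body $body
    "HTTP $($response.StatusCode): accepted. Query the table in a few minutes; ingestion is not instant."
} catch {
    $status = [int]$_.Exception.Response.StatusCode
    switch ($status) {
        403     { "HTTP 403: check the Monitoring Metrics Publisher assignment on the DCR (and wait for propagation)" }
        404     { "HTTP 404: check DceURI, DcrImmutableId and the stream name against the deployed DCR" }
        default { "HTTP $status`: $($_.Exception.Message)" }
    }
}
```

Treat the token and the secret as you would any write-capable credential: this is the same bearer token every managed endpoint will hold once the remediation is deployed, which is the concern the optional managed-identity path later on this page is designed to remove.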

Each major inventory category can be turned on or off independently. The defaults work for most BI for Intune deployments.

Variable | Description | Default
CollectDeviceInventory | Hardware inventory (CPU, memory, disks, monitors, chassis, OS install date, battery) | $true
CollectAppInventory | Installed Win32 applications | $true
CollectDriverInventory | Installed and optional drivers | $true
CollectMicrosoft365 | Microsoft 365 update channel and compliance (sub-toggle of device inventory) | $true
CollectWarranty | Warranty lookups via vendor APIs (sub-toggle of device inventory) | $false
CollectUWPInventory | UWP (modern app) inventory in addition to Win32 (sub-toggle of app inventory) | $false
MatchDrivers | Match installed driver packages to PnP devices for richer driver records | $true
RemoveBuiltInMonitors | Exclude internal laptop monitors from monitor inventory | $false
WarrantyMaxCacheAgeDays | Days before cached warranty data is refreshed from the vendor API | 180
WarrantyForceRefresh | Ignore the local cache and force a fresh warranty API lookup | $false

If CollectWarranty is enabled, you need API credentials from each vendor whose devices you want to look up. The Warranty dashboard remains blank for vendors you don’t supply credentials for; the script skips them silently.

  • Dell — apply at Dell TechDirect for a Client ID and Client Secret.
  • Lenovo — contact your Lenovo account representative to request a Client ID. There is no self-service portal.
  • HP — sign up at the HP Developer Portal or work with your HP rep for a Client ID and Client Secret. HP secrets expire frequently and must be refreshed.
  • Getac — contact your Getac account representative for API credentials.

Fill in the credentials you have. Like the Entra client secret, these values ship inside the script to every targeted device, so treat them with the same care:

    # Leave any vendor you have no credentials for unchanged; the script skips it.
    $WarrantyDellClientID = "<your Dell client ID>"
    $WarrantyDellClientSecret = "<your Dell client secret>"
    $WarrantyLenovoClientID = "<your Lenovo client ID>"
    $WarrantyHPClientID = "<your HP client ID>"
    $WarrantyHPClientSecret = "<your HP client secret>"

Deploy the script as a detection script in an Intune remediation:

  1. In the Intune admin center, go to Devices > Remediations.
  2. Create a new remediation package.
  3. Upload Intune_Windows_Inventory.ps1 as the detection script.
  4. Set Run this script using the logged-on credentials to No. The script runs as SYSTEM.
  5. Set Run script in 64-bit PowerShell to Yes.
  6. Assign the remediation to your target device groups.
  7. Set the schedule to run once per day.

Step 4: (Optional) Deploy the macOS inventory script


If you also manage macOS devices, deploy the macOS script to extend the same custom-inventory pattern to Mac endpoints.

Download Mac_Custom_Inventory.sh from the PowerStacks Mac-Enhanced-Inventory repository.

Update the following settings near the top of Mac_Custom_Inventory.sh:

Parameter | Value
LogAPIMode | LogIngestionAPI
TenantId | Directory (Tenant) ID from Step 1
ClientId | Application (Client) ID from Step 1
ClientSecret | Client Secret value from Step 1
DceURI | From Step 2 outputs
DcrImmutableId | From Step 2 outputs

The macOS script has its own collection toggles:

Variable | Description | Default
CollectDeviceInventory | Hardware inventory (CPU, memory, disks, battery, model) | true
CollectAppInventory | Installed-application list | true
InventoryDateFormat | Date format string for the final status timestamp | "%m-%d %H:%M"

Deploy the script via Intune Shell scripts:

  1. In the Intune admin center, go to Devices > macOS > Shell scripts.
  2. Upload Mac_Custom_Inventory.sh.
  3. Set Run script as signed-in user to No. The script runs as root.
  4. Set Script frequency to Every 1 day.
  5. Assign the script to your target device groups.

Step 5: Grant BI for Intune read access to the workspace


The main BI for Intune app registration reads inventory data from this Log Analytics workspace using the Log Analytics Reader role. This is configured in Set up the Log Analytics workspace. If you completed that page, this is already done; confirm the role is assigned and continue. Without it, data flows into the workspace but the Enhanced Inventory dashboards stay blank.

Step 6: Connect BI for Intune to the Log Analytics workspace

  1. In the Power BI service, open the BI for Intune workspace.
  2. Open the BI for Intune semantic model settings.
  3. Expand Parameters and update:
    • AzureAD LogAnalytics Enable = TRUE
    • AzureAD LogAnalytics WorkspaceID = the Workspace ID of the Log Analytics workspace from Step 2. Find it at Azure portal > Log Analytics workspaces > your workspace > Overview > Workspace ID.
  4. Select Apply.

Optional: secretless ingestion with a managed identity

Section titled “Optional: secretless ingestion with a managed identity”

By default, each endpoint authenticates with the inventory app registration's client secret: the one created in Step 1 and written into the script in Step 3. This is the supported default, the simplest to run, and the reason the separate Enterprise Application is required.

If a security review objects to a write-capable secret on every device, there is an optional path that removes it. You deploy a small Azure Function into your own subscription, and endpoints post their inventory to that Function instead of straight to the Log Ingestion API. The Function writes to your Data Collection Rule using its own system-assigned managed identity, so no Entra client secret is distributed to endpoints, and the inventory-upload app registration is no longer needed.

To enable it, deploy the ingestion Function with the deploy script in the EnhancedInventoryDeploy repository, then set FunctionUrl in the inventory script to the URL it prints and leave the TenantId, ClientId, and ClientSecret placeholders as-is. Setting FunctionUrl switches the script to the secretless path; clearing it returns to the default.

Verify data is flowing

After the script has run on at least one device, verify data is flowing:

  1. In the Azure portal, go to your Log Analytics workspace.

  2. Go to Logs and run:

    PowerStacksDeviceInventory_CL
    | take 10

If data appears, the pipeline is working. For deeper troubleshooting, run the LogIngestionAPI_CheckDCR PowerShell script from the EnhancedInventoryDeploy repository.
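The take 10 query tells you the pipeline worked at least once. A check you can rerun after each daily cycle is more useful, and the following added example (not the PowerStacks project's own code and not the LogIngestionAPI_CheckDCR script) does that from PowerShell: one query reports the record count and last ingestion time for each Enhanced Inventory table, and any expected table with nothing in the last two days is flagged as stale, since both the Windows remediation and the macOS script run daily. It assumes Az.OperationalInsights is installed, the caller has Log Analytics Reader on the workspace, and the workspace ID placeholder is replaced. Only TimeGenerated is used because it exists on every Log Analytics table; the other column names live in the repositories linked at the end of this page.

```powershell
# Added example, not part of the PowerStacks tooling. The workspace ID is a placeholder.
$WorkspaceId = '<Log Analytics Workspace ID>'
$expected    = 'PowerStacksDeviceInventory_CL', 'PowerStacksAppInventory_CL', 'PowerStacksDriverInventory_CL'
$staleAfter  = [TimeSpan]::FromDays(2)    # assumption: daily schedule, so two missed days is a fault

# isfuzzy=true keeps the query running when a table does not exist yet, for example the driver
# table (Windows only) in an estate that has only deployed the macOS script so far.
$query = @"
union withsource=Table isfuzzy=true $($expected -join ', ')
| summarize Records = count(), LastSeen = max(TimeGenerated) by Table
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query `
              -Timespan ([TimeSpan]::FromDays(7))

# Index the rows by table name; tables with no rows in the window simply do not appear.
$seen = @{}
foreach ($row in $result.Results) { $seen[$row.Table] = $row }

$nowUtc = (Get-Date).ToUniversalTime()
foreach ($table in $expected) {
    if (-not $seen.ContainsKey($table)) {
        "$table : NO DATA in the last 7 days (table missing or never written)"
        continue
    }
    $row      = $seen[$table]
    $lastSeen = [DateTimeOffset]::Parse($row.LastSeen).UtcDateTime
    $age      = $nowUtc - $lastSeen
    $state    = if ($age -gt $staleAfter) { 'STALE' } else { 'OK' }
    "$table : $state, $($row.Records) records in 7 days, last ingestion $($lastSeen.ToString('u'))"
}
```

A STALE result on one table with OK on the others usually points at a toggle or a script-side failure for that category rather than at credentials, because all three tables are written with the same token and DCR.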

After data starts flowing, the following BI for Intune dashboards populate:

  • Firewall Status
  • App Inventory
  • Driver Inventory
  • Microsoft 365
  • Monitor
  • Disk
  • Battery
  • Warranty (per-vendor data depends on warranty API credentials supplied in Step 3)

The scripts write three custom tables to your Log Analytics workspace:

  • PowerStacksDeviceInventory_CL — hardware (CPU, memory, disks, monitors, battery, chassis), Microsoft 365 channel, warranty
  • PowerStacksAppInventory_CL — installed applications
  • PowerStacksDriverInventory_CL — installed and optional drivers (Windows only)

For the full field-by-field schemas, see the scripts in the Windows-Enhanced-Inventory and Mac-Enhanced-Inventory repositories.