Use KQL to generate a report of disk free space (both percentage free and GB free) for Intune devices.
Prerequisites for using this KQL query
To use this KQL query, you must be sending your Intune logs to an Azure Log Analytics workspace.
KQL query to show disk free space (% and free GB) by Intune device
IntuneDevices
| where OS == "Windows"
| where StorageFree != "0" and StorageTotal != "0"
| where DeviceName != "User deleted for this device" and DeviceName != ""
| extend ['Free Storage'] = StorageFree
| extend ['Total Storage'] = StorageTotal
| extend Percentage = round(todouble(StorageFree) * 100 / todouble(StorageTotal), 2)
| distinct DeviceName, ['Free Storage'], ['Total Storage'], Percentage, UPN
| sort by Percentage asc
// credit: ugurkocde/KQL_Intune (github.com)
This will return a result set with columns Percentage, DeviceName, Free Storage, Total Storage, and UPN (of the primary user associated with the device).
Deconstructing the KQL query
Read on to understand HOW the query above works.
This query is designed to show a list of Windows devices managed by Intune, excluding any with missing or erroneous storage data, and display the percentage of free storage available on each device, sorted from least to most free space. It’s a useful way to quickly identify devices that might need attention due to low available storage.
IntuneDevices
We’re starting with the IntuneDevices table, which contains data about devices managed by Intune.
|
This is the pipe operator, which serves as a separator between different operations in KQL. It signifies that the output of the previous operation will be passed on to the next one. Going forward, we’ll include it at the beginning of the operation into which it is passing previous output.
where OS == "Windows"
The where operator filters the data. Here, we’re only looking at devices where the Operating System (OS) is “Windows”.
| where StorageFree != "0" and StorageTotal != "0"
Another where filter. We’re excluding devices that report “0” for StorageFree or StorageTotal, as this likely indicates an error or lack of data.
| where DeviceName != "User deleted for this device" and DeviceName != ""
This where clause filters out any devices that have been marked as deleted or have no name.
| extend ['Free Storage'] = StorageFree
| extend ['Total Storage'] = StorageTotal
The extend operator adds new columns to the table. We’re creating two new fields: ‘Free Storage’ and ‘Total Storage’, populated with the values from StorageFree and StorageTotal.
| extend Percentage = round(todouble(StorageFree) * 100 / todouble(StorageTotal), 2)
Here, we’re adding another new column called Percentage. We convert StorageFree and StorageTotal to doubles, calculate the free storage percentage, and round it to two decimal places.
| distinct DeviceName, ['Free Storage'], ['Total Storage'], Percentage, UPN
The distinct operator removes duplicate rows. We’re selecting unique rows based on the combination of DeviceName, ‘Free Storage’, ‘Total Storage’, Percentage, and UPN.
| sort by Percentage asc
Finally, the sort by operator orders the results. We’re sorting the devices in ascending order based on the Percentage of free storage.
Reference
- Log Analytics table: IntuneDevice | learn.microsoft.com
- ugurkocde/KQL_Intune | github.com
- Send Intune log data to Azure Storage, Event Hubs, or Log Analytics | learn.microsoft.com