Tutorials

MANAGING INTUNE WITH POWERSHELL

TFTD
Read Time:3 Minute, 46 Second

Managing Intune with PowerShell is possible by using the Intune PowerShell SDK which provides connection to the Microsoft Graph.

The Microsoft Graph is a REST API that allows developers (or smart administrators!) access to the data stored in the backend of Microsoft services. I won’t go into any more detail on this as there is plenty more information on MS Graph on the web if you would like to learn more.

Instead the rest of this post will aim to keep things simple and show you how to get started with practical PowerShell scripts that can help with typical Intune administration tasks.

GETTING STARTED

To begin we need to open a PowerShell console and install the Intune PowerShell module

Install the Intune PowerShell SDK

Install-Module -Name Microsoft.Graph.Intune

Next we need to set the relevant permissions to allow access to MS Graph

Configure Permissions

Connect-MSGraph -AdminConsent
THE INTUNE POWERSHELL COOKBOOK

This will aim to be an ever expanding list of scripts that I’ve either put together myself or plagiarised from other online sources.

I will aim to credit the original authors wherever possible and if you have scripts of your own you want to share please drop something in the comments or send via the site contact form if easier.

Show All Non-Compliant Devices
Show Non-Compliant Devices Not Synced for 30 Days
Show Devices With No User
Show Devices Not Encrypted
Sync All Devices
Sync All Non-Compliant Devices
Get All Intune Assignments Assigned to Group


Show All Non-Compliant Devices

Connect-MSGraph

Get-IntuneManagedDevice | Get-MSGraphAllPages | where-object {($_.complianceState -ne 'compliant') -and ($_.managementAgent -eq 'mdm')} | Out-GridView


Show Non-Compliant Devices Not Synced for 30 Days

Connect-MSGraph

$30DaysAgo = (get-date).AddDays(-30)

Get-IntuneManagedDevice | Get-MSGraphAllPages | where-object {($_.complianceState -ne 'compliant') -and ($_.managementAgent -eq 'mdm') -and ($_.lastSyncDateTime -lt $30DaysAgo)} | Select-object -Property deviceName,lastSyncDateTime | Out-GridView


Show Devices With No User

Connect-MSGraph

Get-IntuneManagedDevice | Get-MSGraphAllPages | where-object {$_.userPrincipalName -eq ''} |  Select-object -Property deviceName,complianceState,lastSyncDateTime,userPrincipalName | Out-GridView


Show Devices Not Encrypted

Connect-MSGraph

Get-IntuneManagedDevice | Get-MSGraphAllPages | where-object {$_.isEncrypted -ne 'True'} |  Select-object -Property deviceName,userPrincipalName,complianceState,isEncrypted,lastSyncDateTime | Out-GridView


Sync All Devices

Connect-MSGraph

$DevicesToSync = Get-IntuneManagedDevice | Get-MSGraphAllPages | where-object {$_.managementAgent -eq 'mdm'}

Foreach ($Device in $DevicesToSync)
{
 
Invoke-IntuneManagedDeviceSyncDevice -managedDeviceId $Device.managedDeviceId
Write-Host "Sending Sync request to Device with Name $($Device.deviceName)" -ForegroundColor Green
 
}


Sync All Non-Compliant Devices

Connect-MSGraph

$NonCompliantDevices = Get-IntuneManagedDevice | Get-MSGraphAllPages | where-object {($_.complianceState -ne 'compliant') -and ($_.managementAgent -eq 'mdm')}

Foreach ($Device in $NonCompliantDevices)
{
 
Invoke-IntuneManagedDeviceSyncDevice -managedDeviceId $Device.managedDeviceId
Write-Host "Sending Sync request to Device with Name $($Device.deviceName)" -ForegroundColor Green
 
}


Get All Intune Assignments Assigned to Group – Credit TimmyIT

# Connect and change schema 
Connect-MSGraph -ForceInteractive
Update-MSGraphEnvironment -SchemaVersion beta
Connect-MSGraph
 
# Which AAD group do we want to check against
$groupName = "All-Windows"
 
#$Groups = Get-AADGroup | Get-MSGraphAllPages
$Group = Get-AADGroup -Filter "displayname eq '$GroupName'"
 
#### Config Don't change
 
Write-host "AAD Group Name: $($Group.displayName)" -ForegroundColor Green
 
# Apps
$AllAssignedApps = Get-IntuneMobileApp -Filter "isAssigned eq true" -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Apps found: $($AllAssignedApps.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllAssignedApps) {
 
Write-host $Config.displayName -ForegroundColor Yellow
 
}
 

# Device Compliance
$AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Compliance policies found: $($AllDeviceCompliance.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllDeviceCompliance) {
 
Write-host $Config.displayName -ForegroundColor Yellow
 
}
 
# Device Configuration
$AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Configurations found: $($AllDeviceConfig.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllDeviceConfig) {
 
Write-host $Config.displayName -ForegroundColor Yellow
 
}
 
# Device Configuration Powershell Scripts 
$Resource = "deviceManagement/deviceManagementScripts"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=groupAssignments"
$DMS = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
$AllDeviceConfigScripts = $DMS.value | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Configurations Powershell Scripts found: $($AllDeviceConfigScripts.DisplayName.Count)" -ForegroundColor cyan
 
Foreach ($Config in $AllDeviceConfigScripts) {
 
Write-host $Config.displayName -ForegroundColor Yellow
 
}
 
# Administrative templates
$Resource = "deviceManagement/groupPolicyConfigurations"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments"
$ADMT = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
$AllADMT = $ADMT.value | Where-Object {$_.assignments -match $Group.id}
Write-host "Number of Device Administrative Templates found: $($AllADMT.DisplayName.Count)" -ForegroundColor cyan
Foreach ($Config in $AllADMT) {
 
Write-host $Config.displayName -ForegroundColor Yellow
 
}
5 4 votes
Article Rating
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

6 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Usman Ghani

Very useful, especially the last, it’s not easy to find that a group is assigned to which apps and configs.

2
Reply
vijay

Very useful, appreciate your work

2
Reply
vijay

Can you please tell me is there any option to pull up BIOS details of all the windows devices connected from Intune

1
Reply
TFTD

Hi Vijay, that’s an interesting question. Intune does collect some details in the console automatically if you look in the Device > Hardware node. From here you can see MAC addresses, TPM version, serial number, physical RAM, etc. What BIOS information were you after specifically?

If Intune collects this information we can write something to extract it, no problem.

Last edited 2 years ago by TFTD
0
Reply
vijay

Thank you for the reply, if we can find the BIOS version, we can plan on which laptop BIOS firmware needs to be updated.

0
Reply
TFTD

I don’t think that information is collected natively by Intune but you could try a creative method. Running “wmic bios get smbiosbiosversion” from a command prompt will give you this information so perhaps you could deploy a PowerShell script that would run this command and write the output into a text file and then upload to Azure Blob Storage or some other online repository?

0
Reply
6
0
Would love your thoughts, please comment.x
()
x

Privacy Policy