Intune can be managed from PowerShell with the Intune PowerShell SDK (the Microsoft.Graph.Intune module), which wraps the Microsoft Graph API.
The Microsoft Graph is a REST API that gives developers (or smart administrators!) access to the data behind Microsoft 365 services. I won’t go into any more detail on it here, as there is plenty of information on MS Graph on the web if you would like to learn more.
Instead, the rest of this post will keep things simple and show you how to get started with practical PowerShell scripts that help with typical Intune administration tasks.
GETTING STARTED
To begin, open a PowerShell console and install the Intune PowerShell module from the PowerShell Gallery.
Install the Intune PowerShell SDK
Install-Module -Name Microsoft.Graph.Intune
Next, grant the module's application the Graph permissions it needs. The -AdminConsent switch runs the admin consent flow, which approves the requested permissions for the whole tenant and therefore has to be done once by a Global Administrator; every later session only needs a plain Connect-MSGraph, which prompts for sign-in.
Configure Permissions
Connect-MSGraph -AdminConsent
THE INTUNE POWERSHELL COOKBOOK
This will aim to be an ever expanding list of scripts that I’ve either put together myself or plagiarised from other online sources.
I will aim to credit the original authors wherever possible and if you have scripts of your own you want to share please drop something in the comments or send via the site contact form if easier.
Show All Non-Compliant Devices
Connect-MSGraph
Get-IntuneManagedDevice | Get-MSGraphAllPages | Where-Object { ($_.complianceState -ne 'compliant') -and ($_.managementAgent -eq 'mdm') } | Out-GridView
Show Non-Compliant Devices Not Synced for 30 Days
Connect-MSGraph
$30DaysAgo = (get-date).AddDays(-30)
Get-IntuneManagedDevice | Get-MSGraphAllPages | Where-Object { ($_.complianceState -ne 'compliant') -and ($_.managementAgent -eq 'mdm') -and ($_.lastSyncDateTime -lt $30DaysAgo) } | Select-Object -Property deviceName,lastSyncDateTime | Out-GridView
Show Devices With No User
Connect-MSGraph
# Devices with no primary user (shared/kiosk devices) return $null rather than '', so test for both
Get-IntuneManagedDevice | Get-MSGraphAllPages | Where-Object { [string]::IsNullOrEmpty($_.userPrincipalName) } | Select-Object -Property deviceName,complianceState,lastSyncDateTime,userPrincipalName | Out-GridView
Show Devices Not Encrypted
Connect-MSGraph
# isEncrypted is a boolean; comparing against $true also catches devices that have not reported the value yet ($null)
Get-IntuneManagedDevice | Get-MSGraphAllPages | Where-Object { $_.isEncrypted -ne $true } | Select-Object -Property deviceName,userPrincipalName,complianceState,isEncrypted,lastSyncDateTime | Out-GridView
Sync All Devices
Connect-MSGraph
$DevicesToSync = Get-IntuneManagedDevice | Get-MSGraphAllPages | where-object {$_.managementAgent -eq 'mdm'}
Foreach ($Device in $DevicesToSync)
{
Invoke-IntuneManagedDeviceSyncDevice -managedDeviceId $Device.managedDeviceId
Write-Host "Sending Sync request to Device with Name $($Device.deviceName)" -ForegroundColor Green
}
Sync All Non-Compliant Devices
Connect-MSGraph
$NonCompliantDevices = Get-IntuneManagedDevice | Get-MSGraphAllPages | where-object {($_.complianceState -ne 'compliant') -and ($_.managementAgent -eq 'mdm')}
Foreach ($Device in $NonCompliantDevices)
{
Invoke-IntuneManagedDeviceSyncDevice -managedDeviceId $Device.managedDeviceId
Write-Host "Sending Sync request to Device with Name $($Device.deviceName)" -ForegroundColor Green
}
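The recipes above each re-query Intune and repeat the same filters, and the sync loops fire a request at every device with no dry-run option. The following is an added example, not code from the original post: it folds the four device filters (non-compliant, stale, no user, not encrypted) into one function that works on the objects Get-IntuneManagedDevice | Get-MSGraphAllPages already returns, and wraps the sync loop in a function that honours -WhatIf and pauses between requests so a large tenant does not run into Graph throttling. The function names, the sample device objects and the 200 ms delay are this example's own choices; the only SDK cmdlet it calls is Invoke-IntuneManagedDeviceSyncDevice from the recipes.

```powershell
# Added example (not from the original post). Function names, sample devices and
# the delay value are assumptions made for this example; Invoke-IntuneManagedDeviceSyncDevice
# is the real Intune PowerShell SDK cmdlet used by the sync recipes above.

function Get-IntuneDeviceNeedingAttention {
    # Classifies devices into the buckets the recipes use: NonCompliant, Stale
    # (no sync within -StaleDays), NoUser and NotEncrypted. Accepts the objects
    # emitted by Get-IntuneManagedDevice | Get-MSGraphAllPages.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]]$Device,
        [int]$StaleDays = 30,
        [switch]$MdmOnly
    )
    begin { $cutoff = (Get-Date).AddDays(-$StaleDays) }
    process {
        foreach ($d in $Device) {
            if ($MdmOnly -and $d.managementAgent -ne 'mdm') { continue }
            $reasons = [System.Collections.Generic.List[string]]::new()
            if ($d.complianceState -ne 'compliant') { $reasons.Add('NonCompliant') }
            # lastSyncDateTime is $null for a device that has never checked in; treat that as stale too
            if ($null -eq $d.lastSyncDateTime -or [datetime]$d.lastSyncDateTime -lt $cutoff) { $reasons.Add('Stale') }
            # shared/kiosk devices carry $null, not '', so -eq '' would miss them
            if ([string]::IsNullOrEmpty($d.userPrincipalName)) { $reasons.Add('NoUser') }
            # $null (not yet reported) counts as not encrypted
            if ($d.isEncrypted -ne $true) { $reasons.Add('NotEncrypted') }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    deviceName        = $d.deviceName
                    managedDeviceId   = $d.managedDeviceId
                    userPrincipalName = $d.userPrincipalName
                    complianceState   = $d.complianceState
                    lastSyncDateTime  = $d.lastSyncDateTime
                    isEncrypted       = $d.isEncrypted
                    Reasons           = ($reasons -join ',')
                }
            }
        }
    }
}

function Invoke-IntuneDeviceSyncBatch {
    # Sends a sync request to each device. Supports -WhatIf / -Confirm, and
    # sleeps between calls so bulk runs stay under Graph's request limits.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]]$Device,
        [int]$DelayMilliseconds = 200
    )
    process {
        foreach ($d in $Device) {
            if ($PSCmdlet.ShouldProcess($d.deviceName, 'Send Intune sync request')) {
                Invoke-IntuneManagedDeviceSyncDevice -managedDeviceId $d.managedDeviceId
                Start-Sleep -Milliseconds $DelayMilliseconds
            }
        }
    }
}

# Constructed sample devices (not real tenant data) so the classifier can run offline.
$sample = @(
    [pscustomobject]@{ deviceName = 'LT-001';   managedDeviceId = 'sample-0001'; managementAgent = 'mdm'; complianceState = 'compliant';    userPrincipalName = 'alice@contoso.example'; isEncrypted = $true;  lastSyncDateTime = (Get-Date).AddHours(-2) }
    [pscustomobject]@{ deviceName = 'LT-002';   managedDeviceId = 'sample-0002'; managementAgent = 'mdm'; complianceState = 'noncompliant'; userPrincipalName = 'bob@contoso.example';   isEncrypted = $false; lastSyncDateTime = (Get-Date).AddDays(-45) }
    [pscustomobject]@{ deviceName = 'KIOSK-01'; managedDeviceId = 'sample-0003'; managementAgent = 'mdm'; complianceState = 'compliant';    userPrincipalName = $null;                  isEncrypted = $true;  lastSyncDateTime = (Get-Date).AddDays(-1) }
    [pscustomobject]@{ deviceName = 'CM-01';    managedDeviceId = 'sample-0004'; managementAgent = 'configurationManagerClientMdm'; complianceState = 'noncompliant'; userPrincipalName = 'carol@contoso.example'; isEncrypted = $true; lastSyncDateTime = (Get-Date).AddDays(-3) }
)

$flagged = $sample | Get-IntuneDeviceNeedingAttention -MdmOnly -StaleDays 30
$flagged | Format-Table deviceName, Reasons, lastSyncDateTime

# Dry run: ShouldProcess returns $false under -WhatIf, so no sync request is sent.
$flagged | Where-Object { $_.Reasons -match 'NonCompliant' } | Invoke-IntuneDeviceSyncBatch -WhatIf

# Live run against the tenant (after Connect-MSGraph):
# Get-IntuneManagedDevice | Get-MSGraphAllPages | Get-IntuneDeviceNeedingAttention -MdmOnly |
#     Where-Object { $_.Reasons -match 'NonCompliant' } | Invoke-IntuneDeviceSyncBatch
```

Because the classifier takes device objects from the pipeline, the same code runs over Out-GridView for a quick look, over Export-Csv for a report, or into the sync function; the Reasons column tells you why each device was flagged rather than producing four separate lists.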
Get All Intune Assignments Assigned to Group – Credit TimmyIT
# Connect, switch the SDK to the beta schema (the script and administrative template endpoints below are beta-only), then reconnect so the new schema takes effect
Connect-MSGraph -ForceInteractive
Update-MSGraphEnvironment -SchemaVersion beta
Connect-MSGraph
# Which AAD group do we want to check against
$groupName = "All-Windows"
#$Groups = Get-AADGroup | Get-MSGraphAllPages
# Display names are not unique in AAD, so insist on exactly one match before using its id
$Group = @(Get-AADGroup -Filter "displayName eq '$GroupName'")
if ($Group.Count -ne 1) { throw "Expected exactly one AAD group named '$GroupName', found $($Group.Count)" }
$Group = $Group[0]
#### Config Don't change
Write-Host "AAD Group Name: $($Group.displayName)" -ForegroundColor Green
# Apps
$AllAssignedApps = Get-IntuneMobileApp -Filter "isAssigned eq true" -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object { $_.assignments.target.groupId -contains $Group.id }
Write-Host "Number of Apps found: $(@($AllAssignedApps).Count)" -ForegroundColor Cyan
Foreach ($Config in $AllAssignedApps) {
Write-host $Config.displayName -ForegroundColor Yellow
}
# Device Compliance
$AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object { $_.assignments.target.groupId -contains $Group.id }
Write-Host "Number of Device Compliance policies found: $(@($AllDeviceCompliance).Count)" -ForegroundColor Cyan
Foreach ($Config in $AllDeviceCompliance) {
Write-host $Config.displayName -ForegroundColor Yellow
}
# Device Configuration
$AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object { $_.assignments.target.groupId -contains $Group.id }
Write-Host "Number of Device Configurations found: $(@($AllDeviceConfig).Count)" -ForegroundColor Cyan
Foreach ($Config in $AllDeviceConfig) {
Write-host $Config.displayName -ForegroundColor Yellow
}
# Device Configuration Powershell Scripts
$Resource = "deviceManagement/deviceManagementScripts"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=groupAssignments"
$DMS = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
# The request expanded groupAssignments, so filter on that relationship (its entries carry targetGroupId); filtering on .assignments here would never match
$AllDeviceConfigScripts = $DMS.value | Where-Object { $_.groupAssignments.targetGroupId -contains $Group.id }
Write-Host "Number of Device Configuration PowerShell Scripts found: $(@($AllDeviceConfigScripts).Count)" -ForegroundColor Cyan
Foreach ($Config in $AllDeviceConfigScripts) {
Write-host $Config.displayName -ForegroundColor Yellow
}
# Administrative templates
$Resource = "deviceManagement/groupPolicyConfigurations"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=assignments"
$ADMT = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
$AllADMT = $ADMT.value | Where-Object { $_.assignments.target.groupId -contains $Group.id }
Write-Host "Number of Device Administrative Templates found: $(@($AllADMT).Count)" -ForegroundColor Cyan
Foreach ($Config in $AllADMT) {
Write-host $Config.displayName -ForegroundColor Yellow
}
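One thing the group-assignment lookup above cannot tell you is whether the group is included or excluded: an assignment whose target is an exclusion carries the same groupId, so any filter that simply looks for the group's id in the expanded assignments (whether with -match or -contains) lists a policy the group is explicitly excluded from as if it were assigned. The following is an added example, not part of TimmyIT's script or this post: a small classifier that inspects the @odata.type of each assignment target and reports Included, Excluded or NotTargeted for the group. The function name, the sample group id and the constructed policy objects are this example's own; the target type names are the ones Graph returns for Intune assignments.

```powershell
# Added example (not TimmyIT's script or the original post's code). The function name,
# group id and policy objects below are constructed for illustration; the @odata.type
# values are the assignment target types Microsoft Graph returns for Intune policies.

function Get-AssignmentTargetKind {
    # Returns 'Included', 'Excluded' or 'NotTargeted' for the given group, looking
    # only at the target type and groupId rather than string-matching the whole object.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]]$Assignment,
        [Parameter(Mandatory)] [string]$GroupId
    )
    $included = $false
    $excluded = $false
    foreach ($a in $Assignment) {
        $t = $a.target
        switch ($t.'@odata.type') {
            '#microsoft.graph.exclusionGroupAssignmentTarget' { if ($t.groupId -eq $GroupId) { $excluded = $true } }
            '#microsoft.graph.groupAssignmentTarget'          { if ($t.groupId -eq $GroupId) { $included = $true } }
            # allDevicesAssignmentTarget / allLicensedUsersAssignmentTarget carry no groupId,
            # so they are not reported as targeting this group; an exclusion wins over an include.
        }
    }
    if ($excluded) { 'Excluded' } elseif ($included) { 'Included' } else { 'NotTargeted' }
}

# Constructed group and policies (not real tenant data), shaped like the objects
# returned with -Expand assignments: each assignment has an id and a target.
$group = [pscustomobject]@{ id = '11111111-1111-1111-1111-111111111111'; displayName = 'All-Windows' }
$otherGroupId = '22222222-2222-2222-2222-222222222222'

$policies = @(
    [pscustomobject]@{ displayName = 'BitLocker baseline'; assignments = @(
        [pscustomobject]@{ id = "p1_$($group.id)"; target = [pscustomobject]@{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.id } }
    ) }
    [pscustomobject]@{ displayName = 'Kiosk lockdown'; assignments = @(
        [pscustomobject]@{ id = 'p2_alldevices';     target = [pscustomobject]@{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } },
        [pscustomobject]@{ id = "p2_$($group.id)";   target = [pscustomobject]@{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'; groupId = $group.id } }
    ) }
    [pscustomobject]@{ displayName = 'Dev VPN'; assignments = @(
        [pscustomobject]@{ id = "p3_$otherGroupId";  target = [pscustomobject]@{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $otherGroupId } }
    ) }
)

# The naive filter from the recipe: anything whose assignments contain the group id,
# included and excluded alike.
$naive = $policies | Where-Object { $_.assignments -match $group.id } | Select-Object -ExpandProperty displayName
Write-Host "Naive -match filter reports: $($naive -join ', ')"

# The explicit classification, one row per policy.
$policies | ForEach-Object {
    [pscustomobject]@{
        Policy = $_.displayName
        Target = Get-AssignmentTargetKind -Assignment $_.assignments -GroupId $group.id
    }
} | Format-Table -AutoSize
```

Run against a real tenant, replace $policies with the output of the Get-Intune* calls in the script above (or the beta Invoke-MSGraphRequest results), keeping -Expand assignments so the target objects are present. Treating Excluded as its own state matters for a security review: a baseline that shows up in a naive "what is assigned to this group" report may in fact be the policy the group is carved out of.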