This guide shows how to automate the Microsoft Intune Device Non-Compliance Report with a PowerShell script. It walks through retrieving the non-compliant devices from Microsoft Intune using PowerShell and the Microsoft Graph API. The method only covers devices enrolled in Microsoft Intune. Let's learn together!
You have likely automated numerous day-to-day Intune tasks using PowerShell and the Microsoft Graph API. If you have not yet begun automating tasks within Intune, this may serve as an excellent starting point.
Microsoft Graph is a RESTful web API that provides access to Microsoft Cloud service resources. It lets you reach data, intelligence, and insights from Microsoft 365 and other Microsoft Cloud services through a single endpoint, including data from Microsoft 365, Windows, and Enterprise Mobility + Security.
Many readers will already have used Graph Explorer to make Microsoft Graph API calls. Graph Explorer is a handy browser-based tool for running Graph calls; it needs no module or set-up file installed on your local machine. To automate Microsoft Graph tasks with PowerShell, however, you need to install the Microsoft Graph PowerShell SDK.
Before you get started
Before you begin, make sure the Microsoft Graph PowerShell modules are installed. Microsoft publishes the Microsoft Graph PowerShell SDK on the PowerShell Gallery. The SDK ships as two module sets, Microsoft.Graph and Microsoft.Graph.Beta, which target the Microsoft Graph REST API v1.0 and the Microsoft Graph REST API beta respectively.
To install the Microsoft Graph PowerShell SDK, your PowerShell version must be at least 5.1. Microsoft recommends PowerShell 7 or later; according to Microsoft, no additional prerequisites are required to use the SDK with PowerShell 7 or later.
On Windows PowerShell 5.1 you should have .NET Framework 4.7.2 or later installed before installing the Microsoft Graph PowerShell modules. Microsoft suggests updating PowerShellGet to the latest version with the command Install-Module PowerShellGet. Also, the PowerShell script execution policy must be set to RemoteSigned or less restrictive.
Automate Microsoft Intune Device Non-Compliance Report using PowerShell Script
Well, we have discussed enough before we start coding! Let's write the PowerShell script to get the Microsoft Intune non-compliant devices. The Microsoft Graph PowerShell SDK is already installed on the local machine.
You must sign in with the Connect-MgGraph command each time you want to automate your daily tasks:
- Open PowerShell as an Administrator.
- Type Connect-MgGraph and hit Enter.
- PowerShell prompts you to enter your credentials to authenticate to Microsoft Graph.
NOTE! To grant more permissions, you can repeat the Connect-MgGraph command with the new permission scopes added.
In this example, we need the below permissions to get Microsoft Intune Non-Compliance Devices using the PowerShell script.
| Name | Description |
|---|---|
| DeviceManagementManagedDevices.Read.All | Read Intune managed devices |
| DeviceManagementManagedDevices.ReadWrite.All | Read and write Intune managed devices |
Repeat the Connect-MgGraph cmdlet with the new permission scopes added, using the command below. Note that this report only reads device data, so DeviceManagementManagedDevices.Read.All is sufficient on its own; request ReadWrite.All only when the same session will also change device records, since every scope you consent to is carried in the token for the whole session.
Connect-MgGraph -Scopes DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All
PowerShell Script
Once connected to Microsoft Graph with the necessary permissions, the following script enumerates all devices managed by Intune and displays only those whose compliance state is non-compliant. Graph returns managed devices in pages, so the script follows the @odata.nextLink until the last page; reading only the first response would silently truncate the report in a tenant with more devices than one page holds.
```powershell
###########################################################################
# Get-IntuneManagedNonComplianceDevices.ps1
# Scope    : This script will retrieve Microsoft Intune Non-Compliance Devices
# Author   : Sujin Nelladath
# LinkedIn : https://www.linkedin.com/in/sujin-nelladath-8911968a/
###########################################################################

# Connect to Microsoft Graph API with required permission
Connect-MgGraph -Scopes DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All

# Define the API endpoint for Intune devices
$endpoint = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'

# Get all managed devices. Graph returns results in pages; follow
# @odata.nextLink until no link is returned so every device is covered.
$devices = @()
$uri = $endpoint
do {
    $response = Invoke-MgGraphRequest -Uri $uri -Method GET
    $devices += $response.value
    $uri = $response.'@odata.nextLink'
} while ($uri)

# Filter non-compliant devices
$nonCompliantDevices = $devices | Where-Object { $_.complianceState -eq 'noncompliant' }

# Build one PSCustomObject per non-compliant device
$nonCompliantDeviceDetails = foreach ($device in $nonCompliantDevices) {
    [PSCustomObject]@{
        DeviceName      = $device.deviceName
        ComplianceState = $device.complianceState
    }
}

# Display the Non-Compliant Devices
$nonCompliantDeviceDetails
```
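The following is an added example, not part of the original script above, that produces the same non-compliance report using the SDK's own Get-MgDeviceManagementManagedDevice cmdlet instead of a raw request. It connects with the read-only scope only, verifies through Get-MgContext that the scope was actually granted before making any call, lets Graph filter and page server-side, and adds a column flagging non-compliant devices that have also stopped checking in. The 7-day stale threshold and the CSV path are assumed values chosen for illustration.

```powershell
# Added example: read-only, server-side filtered non-compliance report.
# Assumed values: the stale threshold (days) and the output CSV path.
$requiredScope  = 'DeviceManagementManagedDevices.Read.All'
$staleAfterDays = 7
$csvPath        = 'C:\temp\IntuneNonCompliantDevices.csv'

# Ask only for the read scope; a report never needs ReadWrite.All.
Connect-MgGraph -Scopes $requiredScope -NoWelcome

# Check that the token really carries the scope. If consent was declined,
# fail here with a clear message rather than on the first Graph request.
$context = Get-MgContext
if (-not $context -or $context.Scopes -notcontains $requiredScope) {
    throw "Scope '$requiredScope' was not granted. Granted scopes: $($context.Scopes -join ', ')"
}

# Let Graph do the filtering and the paging: -Filter keeps compliant devices
# off the wire, -Property limits the columns returned, and -All follows
# @odata.nextLink so the whole tenant is covered.
$nonCompliant = Get-MgDeviceManagementManagedDevice `
    -Filter "complianceState eq 'noncompliant'" `
    -Property deviceName,complianceState,operatingSystem,osVersion,userPrincipalName,lastSyncDateTime `
    -All

$cutoff = [DateTime]::UtcNow.AddDays(-$staleAfterDays)

$report = foreach ($d in $nonCompliant) {
    [PSCustomObject]@{
        DeviceName        = $d.DeviceName
        ComplianceState   = $d.ComplianceState
        OperatingSystem   = $d.OperatingSystem
        OSVersion         = $d.OsVersion
        UserPrincipalName = $d.UserPrincipalName
        LastSyncDateTime  = $d.LastSyncDateTime
        # A non-compliant device that has also stopped syncing (lost, wiped,
        # or blocked) needs different follow-up than one still checking in,
        # which may remediate itself on its next compliance evaluation.
        StaleCheckIn      = ($null -eq $d.LastSyncDateTime) -or ($d.LastSyncDateTime -lt $cutoff)
    }
}

# Stale devices first, then the full report to CSV and a per-platform summary
$report | Sort-Object StaleCheckIn -Descending | Format-Table -AutoSize
$report | Export-Csv -Path $csvPath -NoTypeInformation
$report | Group-Object OperatingSystem | Select-Object Name, Count
```

The scope check matters because Connect-MgGraph succeeds even when a user declines part of the consent prompt; the call that needs the missing scope then fails later with a 403. Checking Get-MgContext up front turns that into an immediate, readable error.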
Click the green play button in the PowerShell ISE window to execute the script. The script identifies the Microsoft Intune-managed devices in your organization that are non-compliant. The output is a collection of PSCustomObject entries, which PowerShell renders in a tabular structure for clarity.
Export PowerShell output to CSV format
Let's see how to export the PowerShell output to CSV (Comma-Separated Values) format. The variable $nonCompliantDeviceDetails holds the entire script output in tabular form, so a single Export-Csv cmdlet does the job:
$nonCompliantDeviceDetails | Export-Csv -Path C:\temp\IntuneNonCompliantDevices.csv -NoTypeInformation
- Be sure to include the -NoTypeInformation parameter on Windows PowerShell 5.1: it suppresses the "#TYPE" header line that Export-Csv otherwise writes as the first row of the file. In PowerShell 7 this is already the default behaviour.
I trust that this article will benefit you and your organization. Thank you for your patience in reading this post; I look forward to seeing you in the next one. Keep supporting the HTMD Community.
Author
About the Author: Sujin Nelladath, a Microsoft Graph MVP with over 10 years of experience in SCCM device management and automation solutions, writes and shares his experiences with Microsoft device management technologies, Azure, DevOps, and PowerShell automation.