This guide shows how to automate the Microsoft Intune Device Non-Compliance Report using a PowerShell script, that is, how to retrieve the non-compliant devices from Microsoft Intune with a script. The method is limited to devices enrolled in Microsoft Intune. Let’s learn together!
You have likely automated numerous day-to-day Intune tasks using PowerShell and the Microsoft Graph API. If you have not yet begun automating tasks within Intune, this may serve as an excellent starting point.
Microsoft Graph, a RESTful web API, facilitates access to Microsoft Cloud service resources. It lets you access data, intelligence, and insights from Microsoft 365 and other Microsoft Cloud services through a single endpoint, including data from Microsoft 365, Windows, and Enterprise Mobility + Security.
Many readers will already have used Graph Explorer for Microsoft Graph API calls. Graph Explorer is a handy browser-based tool for running your Graph calls; it doesn’t need any module or set-up file to be installed on your local machine. However, installing the Microsoft Graph PowerShell SDK is necessary to automate Microsoft Graph tasks using PowerShell.
Before you get started
Before you begin, make sure to install the Microsoft Graph PowerShell modules. Microsoft has published the Microsoft Graph PowerShell SDK on the PowerShell Gallery. The SDK includes two modules, Microsoft.Graph and Microsoft.Graph.Beta, which call the Microsoft Graph REST API v1.0 and the Microsoft Graph REST API beta respectively.
To install the Microsoft Graph PowerShell SDK, your PowerShell version should be at least 5.1 or later. However, Microsoft recommends having PowerShell 7 or later. As per Microsoft, no additional prerequisites are required to use the SDK with PowerShell 7 or later.
Read More: Best Guide to Install Microsoft Graph PowerShell Modules
You should have .NET Framework 4.7.2 or later installed on your machine before installing the Microsoft Graph PowerShell modules. Microsoft suggests updating PowerShellGet to the latest version using the command `Install-Module PowerShellGet`. Also, the PowerShell script execution policy must be set to RemoteSigned or less restrictive.
Automate Microsoft Intune Device Non-Compliance Report using PowerShell Script
Well, we have discussed enough; let’s start coding! Let’s write the PowerShell script to get the Microsoft Intune non-compliant devices. I have already installed the Microsoft Graph PowerShell SDK on my local machine.
You must sign in using the Connect-MgGraph command each time you want to automate your daily tasks:
- Open PowerShell as an Administrator.
- Type `Connect-MgGraph` and hit Enter. PowerShell prompts you to enter the credentials to authenticate to Microsoft Graph.
NOTE! To grant more permissions, you can repeat the Connect-MgGraph command with the new permission scopes added.
In this example, we need the below permissions to get Microsoft Intune Non-Compliance Devices using the PowerShell script.
| Name | Description |
|---|---|
| DeviceManagementManagedDevices.Read.All | Read Intune managed devices |
| DeviceManagementManagedDevices.ReadWrite.All | Read and write Intune managed devices |
Kindly repeat the Connect-MgGraph cmdlet with the new permission scopes added, using the command below.

```powershell
Connect-MgGraph -Scopes DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All
```
PowerShell Script
I have successfully connected to MgGraph with the necessary permissions. In this instance, I am utilizing the following script to assess all devices managed by Intune. The objective is to identify and display only those devices that are considered non-compliant.
```powershell
###########################################################################
# Get-IntuneManagedNonComplianceDevices.ps1
# Scope    : This script will retrieve Microsoft Intune Non-Compliance Devices
# Author   : Sujin Nelladath
# LinkedIn : https://www.linkedin.com/in/sujin-nelladath-8911968a/
############################################################################
# Connect to Microsoft Graph API with the required permission scopes
Connect-MgGraph -Scopes DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All

# Define the API endpoint for Intune managed devices
$endpoint = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'

# Get all managed devices. Graph returns the collection in pages, so follow
# @odata.nextLink until no further page is returned; otherwise only the
# first page of devices would be reported.
$devices = @()
$uri = $endpoint
do {
    $response = Invoke-MgGraphRequest -Uri $uri -Method GET
    $devices += $response.value
    $uri = $response.'@odata.nextLink'
} while ($uri)

# Filter non-compliant devices
$nonCompliantDevices = $devices | Where-Object { $_.complianceState -eq 'noncompliant' }

# List of Non-Compliant Devices: one PSCustomObject per device. Building the
# objects directly avoids the single-device case where indexing a lone
# deviceName string would return its characters instead of the name.
$nonCompliantDeviceDetails = @(
    foreach ($device in $nonCompliantDevices) {
        [PSCustomObject]@{
            DeviceName      = $device.deviceName
            ComplianceState = $device.complianceState
        }
    }
)

# Display the Non-Compliant Devices
$nonCompliantDeviceDetails
```
Please click the green play button in the PowerShell ISE window to execute the script. This code is designed to identify Microsoft Intune-managed devices that are non-compliant within your organization. The output will be presented in PSCustomObject format and organized in a tabular structure for clarity.
Export PowerShell output to CSV format
Let’s see how to export the PowerShell output to CSV (Comma-Separated Values) format easily. The variable `$nonCompliantDeviceDetails` contains the entire script output in tabular form, so the export is a single call to the Export-Csv cmdlet.

```powershell
$nonCompliantDeviceDetails | Export-Csv -Path C:\temp\IntuneNonComplaintDevices.csv -NoTypeInformation
```

- Be sure to include the `-NoTypeInformation` parameter, as it removes the `#TYPE` information header line from the output (in PowerShell 7 and later that header is already omitted by default).
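The following script is an added example, not the original script above or code from the author; it shows a read-only variant of the same report that asks Graph to do the filtering, pages through every result and writes a timestamped CSV. It assumes that the `managedDevices` endpoint accepts `$filter` on `complianceState` and `$select` for the listed properties, and the output folder, file name pattern and extra columns are the example’s own choices.

```powershell
# Added example: read-only non-compliance report with server-side filtering,
# paging and a timestamped CSV export. Not part of the original post.

# A report only needs read access, so request the read scope alone.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

# Confirm the signed-in session actually carries the scope before querying,
# so a silently reduced consent does not surface as a confusing 403 later.
$context = Get-MgContext
if ($context.Scopes -notcontains 'DeviceManagementManagedDevices.Read.All') {
    throw 'Session is missing DeviceManagementManagedDevices.Read.All; re-run Connect-MgGraph with that scope.'
}

# Let Graph filter and trim the payload ($filter / $select are assumed to be
# supported for these properties), then follow @odata.nextLink to the end.
$select = 'id,deviceName,userPrincipalName,operatingSystem,osVersion,complianceState,lastSyncDateTime'
$filter = [System.Uri]::EscapeDataString("complianceState eq 'noncompliant'")
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=$filter&`$select=$select"

$nonCompliant = [System.Collections.Generic.List[object]]::new()
do {
    $page = Invoke-MgGraphRequest -Uri $uri -Method GET -OutputType PSObject
    foreach ($d in $page.value) {
        # Days since the device last checked in helps triage stale devices
        # from devices that are genuinely failing a compliance policy.
        $daysSinceSync = $null
        if ($d.lastSyncDateTime) {
            $daysSinceSync = [int]((Get-Date).ToUniversalTime() - [datetime]$d.lastSyncDateTime).TotalDays
        }
        $nonCompliant.Add([PSCustomObject]@{
            DeviceName        = $d.deviceName
            User              = $d.userPrincipalName
            OS                = "$($d.operatingSystem) $($d.osVersion)"
            ComplianceState   = $d.complianceState
            LastSync          = $d.lastSyncDateTime
            DaysSinceLastSync = $daysSinceSync
        })
    }
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Write to a timestamped file (folder and name pattern are the example's
# assumptions) so successive runs keep a history instead of overwriting.
$outDir = 'C:\temp\IntuneReports'
if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }
$outFile = Join-Path $outDir ('IntuneNonCompliantDevices_{0:yyyyMMdd_HHmm}.csv' -f (Get-Date))
$nonCompliant | Sort-Object DaysSinceLastSync -Descending | Export-Csv -Path $outFile -NoTypeInformation

'{0} non-compliant device(s) written to {1}' -f $nonCompliant.Count, $outFile
```

Requesting only the read scope keeps the token used by a scheduled report from carrying write rights it never needs, and checking `Get-MgContext` up front makes a missing consent fail loudly at the start of the run rather than halfway through. Sorting by `DaysSinceLastSync` puts devices that have not checked in for a long time at the top, which are usually the first ones worth chasing.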
I trust that this article will greatly benefit you and your organization. Thank you for your patience in reading this post. I look forward to seeing you in the next post. Keep supporting the HTMD Community.
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
About the Author: Sujin Nelladath, a Microsoft Graph MVP with over 10 years of experience in SCCM device management and Automation solutions, writes and shares his experiences with Microsoft device management technologies, Azure, DevOps and PowerShell automation.