Intune stores a fair amount of information about the devices it manages, but sooner or later you will need data it does not collect by default. With a few extra steps you can gather a custom inventory from the devices and read it back out of Intune.
In this post we are going to fetch the Windows 11 readiness of all managed devices. This takes three steps:
- Prepare the Script
- Deploy the Script
- Fetch the results
Prepare the Script
The first thing we need is a PowerShell script that returns its result as JSON. This is crucial, because later on we have to parse whatever the script returns, and JSON makes that straightforward. For this use case we take the Hardware Readiness script directly from Microsoft: https://aka.ms/HWReadinessScript
If we run the script on our local machine with Administrative privileges, we get the following data:
{
"returnCode": 0,
"returnReason": "",
"logging": "Storage: OSDiskSize=476GB. PASS; Memory: System_Memory=16GB. PASS; TPM: TPMVersion=2.0, 0, 1.38. PASS; Processor: {AddressWidth=64; MaxClockSpeed=2419; NumberOfLogicalCores=8; Manufacturer=GenuineIntel; Caption=Intel64 Family 6 Model 140 Stepping 1; }. PASS; SecureBoot: Capable. PASS; ",
"returnResult": "CAPABLE"
}
This already looks good and returns JSON. But to tell the devices apart in the results we add the following lines at the end of the script, after $outObject has been populated, so the hostname and serial number become part of the same JSON document (the script must emit that JSON exactly once):
# Hostname of the device; $env:COMPUTERNAME is also set in the SYSTEM context the script will run in
$outObject.Hostname = $env:COMPUTERNAME
# Serial number from the BIOS/SMBIOS; Get-CimInstance works on Windows PowerShell 5.1 and PowerShell 7 alike
$outObject.SerialNumber = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
# Emit the whole object as one compact JSON document; this is the only output the script should produce
$outObject | ConvertTo-Json -Compress
This returns the following output. Now we can identify each device and see whether it is capable or not.
{
"returnCode": 0,
"returnReason": "",
"logging": "Storage: OSDiskSize=476GB. PASS; Memory: System_Memory=16GB. PASS; TPM: TPMVersion=2.0, 0, 1.38. PASS; Processor: {AddressWidth=64; MaxClockSpeed=2419; NumberOfLogicalCores=8; Manufacturer=GenuineIntel; Caption=Intel64 Family 6 Model 140 Stepping 1; }. PASS; SecureBoot: Capable. PASS; ",
"returnResult": "CAPABLE",
"Hostname": "DGMT-64915",
"SerialNumber":"CNDABCDEFG"
}
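The same pattern as a stand-alone custom inventory script, as an added example that is not part of the original post and not Microsoft's readiness script: every probe is guarded so that the script always emits exactly one compact JSON document, which is what the later parsing of the results relies on. The field names, the set of probes and the Secure Boot registry location are this example's own assumptions.

```powershell
# Added example, not Microsoft's readiness script: a minimal custom inventory
# script following the same pattern (one compact JSON document as the only output).
# Deployed as an Intune platform script with "Run this script using the logged on
# credentials" = No it runs as SYSTEM, which the TPM query needs. Field names are
# this example's own choice.

$inventory = [ordered]@{
    returnCode   = 0
    returnReason = ""
    Hostname     = $env:COMPUTERNAME
    SerialNumber = ""
    OSVersion    = ""
    MemoryGB     = 0
    TpmSpec      = ""
    SecureBoot   = ""
}

try {
    # Device identity: the BIOS/SMBIOS serial number, the same source the readiness script uses
    $inventory.SerialNumber = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

    # OS version string, e.g. 10.0.19045 (Windows 10) or 10.0.22631 (Windows 11)
    $inventory.OSVersion = (Get-CimInstance -ClassName Win32_OperatingSystem).Version

    # Installed physical memory in whole GB
    $bytes = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
    $inventory.MemoryGB = [int][math]::Round($bytes / 1GB)

    # TPM spec version ("2.0, 0, 1.38" style) from the TPM WMI provider; no instance means no TPM.
    # Errors are suppressed so a missing provider does not abort the remaining probes.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $inventory.TpmSpec = if ($tpm) { $tpm.SpecVersion } else { "none" }

    # Secure Boot state as Windows records it (registry location assumed for this example;
    # the key does not exist on legacy BIOS machines, hence the Test-Path guard)
    $sbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
    if (Test-Path $sbKey) {
        $enabled = (Get-ItemProperty -Path $sbKey).UEFISecureBootEnabled -eq 1
        $inventory.SecureBoot = if ($enabled) { "Enabled" } else { "Disabled" }
    } else {
        $inventory.SecureBoot = "Unsupported"
    }
}
catch {
    # Never let an exception replace the JSON: record it inside the document so the
    # collector can still parse the result and see which device needs attention
    $inventory.returnCode   = 1
    $inventory.returnReason = $_.Exception.Message
}

# The only output of the script; -Compress keeps the stored result small
$inventory | ConvertTo-Json -Compress
```

The try/catch is the important part: if a probe throws and the error text ends up as the script output, Intune still records a successful run, but the result is no longer JSON and the collector has to treat that device as unknown.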
Deploy the Script
Now we need to deploy the script to the clients. A simple platform script does the job; no app or remediation is required. So we create a new script, give it a sensible name, upload the script and make sure that "Run this script using the logged on credentials" is set to No, because the script needs administrative privileges; with that setting it runs in the SYSTEM context. Keep in mind that anyone allowed to create or edit platform scripts can run arbitrary code as SYSTEM on every targeted device, so that Intune role should be granted sparingly.

We can deploy the script either to all devices or just to a group of devices. In this case it makes sense to create a group of Windows 10 devices, since we are not interested in the readiness of devices that already run Windows 11. The following membership rule creates a dynamic group of Windows 10 devices; it works because Windows 10 reports version numbers of the form 10.0.1xxxx (for example 10.0.19045) while Windows 11 starts at 10.0.22000:
(device.deviceOSVersion -startsWith "10.0.1")
After deploying the script, we wait. The Intune Management Extension only picks up new scripts at its next check-in, which can take quite a while; usually it is best to wait for the devices' next reboot.
Fetch the results
Once the script has executed on the devices we can look at the results. This can be done in several ways, and we start with the simplest, the manual one.
In the Intune portal we open the platform script, go to User status and select a user. The Results column shows the JSON that was returned for that user.

But we do not want to check every user manually; we want to automate this and get a list of all devices. First we need the ID of the script, which can be found in the URL:

So let's make a quick detour to the Microsoft Graph Explorer to see what data we can get via the API. To run the query we need the DeviceManagementConfiguration.Read.All permission (the read-only scope is sufficient; there is no need to consent to the ReadWrite variant for this).
Now we can send a GET request to the following URL (replace {ScriptID} with the ID copied in the step above; in Graph Explorer the $expand query option is written without the PowerShell backtick escape):
https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/{ScriptID}/deviceRunStates?$expand=managedDevice
As you can see, the number of results is in the @odata.count node and the results themselves in the value -> resultMessage nodes. If the collection does not fit into one page, the response also contains an @odata.nextLink pointing to the next page.

So let's put together a small PowerShell script that fetches that data and consolidates it into one object.
As with the request above, we need the script ID, then we connect to Graph and send the same request, following any further pages.
After that we only need to filter for successful runs of the script, parse the data and, in this case, display it on screen with Out-GridView.
# Requires the Microsoft.Graph.Authentication module (Install-Module Microsoft.Graph.Authentication)
$ScriptID = "b0b6d415-2d29-4890-bc90-b0023dd6aa44"
# Read-only scopes; the managed-device read scope is requested too in case the managedDevice expansion needs it
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All", "DeviceManagementManagedDevices.Read.All"
$uri = "beta/deviceManagement/deviceManagementScripts/$($ScriptID)/deviceRunStates?`$expand=managedDevice"
$runStates = @()
do {
    $result = Invoke-MgGraphRequest -Method GET -Uri $uri
    $runStates += $result.value
    $uri = $result.'@odata.nextLink'   # Graph pages large collections; keep fetching while a next page exists
} while ($uri)
$success = $runStates | Where-Object -Property errorCode -EQ 0
$objectResultMessage = $success.resultMessage | ConvertFrom-Json
$objectResultMessage | Out-GridView
And the results look as follows:

Of course, you can also create a CSV file that you can use in other applications such as Excel for further processing. -NoTypeInformation suppresses the #TYPE header line that Windows PowerShell 5.1 would otherwise write as the first line of the file:
$objectResultMessage | Export-Csv -Delimiter "," -Encoding UTF8 -NoTypeInformation -Path "Windows11Readiness.csv"
With the following result.

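The one-liner above breaks as soon as a single device returns something other than the expected JSON, and it silently drops devices whose script run failed. The following function, an added example that is not part of the original post, turns the raw deviceRunStates collection into a clean inventory list and keeps those cases visible. ConvertFrom-DeviceRunStates is a name chosen for this example; it takes the hashtables that Invoke-MgGraphRequest returns, and the sample data below is constructed in the shape of the beta deviceManagementScriptDeviceState resource (runState, errorCode, errorDescription, resultMessage, lastStateUpdateDateTime, managedDevice), not real tenant data.

```powershell
# Added example (not from the original post): turn the raw deviceRunStates
# collection into a clean inventory list, robust against runs that failed or
# returned something other than the expected JSON. The function name and the
# output columns are this example's own choice.

function ConvertFrom-DeviceRunStates {
    param(
        [Parameter(Mandatory)] [object[]] $RunStates
    )
    foreach ($run in $RunStates) {
        $device = $run.managedDevice
        $row = [ordered]@{
            DeviceName   = $device.deviceName
            DeviceId     = $device.id
            LastRun      = $run.lastStateUpdateDateTime
            RunState     = $run.runState
            ErrorCode    = $run.errorCode
            Result       = $null
            Hostname     = $null
            SerialNumber = $null
            Status       = ''
        }
        if ($run.errorCode -ne 0) {
            # The script did not complete; keep the device so the gap shows up in the report
            $row.Status = "script failed: $($run.errorDescription)"
        }
        else {
            try {
                $data = $run.resultMessage | ConvertFrom-Json -ErrorAction Stop
                $row.Result       = $data.returnResult
                $row.Hostname     = $data.Hostname
                $row.SerialNumber = $data.SerialNumber
                # The hostname the script reported should match the Intune device record;
                # a mismatch means the output cannot be attributed with confidence
                if ($data.Hostname -and $device.deviceName -and ($data.Hostname -ne $device.deviceName)) {
                    $row.Status = 'hostname mismatch'
                } else {
                    $row.Status = 'ok'
                }
            }
            catch {
                # Truncated or non-JSON output, e.g. an error message the script wrote instead
                $row.Status = 'unparseable output'
            }
        }
        [pscustomobject]$row
    }
}

# Constructed sample in the shape of the Graph response (not real tenant data)
$sample = @(
    @{ errorCode = 0; runState = 'success'; lastStateUpdateDateTime = '2024-01-10T08:00:00Z'
       resultMessage = '{"returnCode":0,"returnReason":"","returnResult":"CAPABLE","Hostname":"PC-001","SerialNumber":"SN001"}'
       managedDevice = @{ id = 'd1'; deviceName = 'PC-001' } },
    @{ errorCode = 0; runState = 'success'; lastStateUpdateDateTime = '2024-01-10T08:05:00Z'
       resultMessage = '{"returnCode":1,"returnReason":"TPM","returnResult":"NOT CAPABLE","Hostname":"PC-002","SerialNumber":"SN002"}'
       managedDevice = @{ id = 'd2'; deviceName = 'PC-002' } },
    @{ errorCode = 0; runState = 'success'; lastStateUpdateDateTime = '2024-01-10T08:07:00Z'
       resultMessage = 'Get-WmiObject : Access denied'
       managedDevice = @{ id = 'd3'; deviceName = 'PC-003' } },
    @{ errorCode = -1; runState = 'fail'; errorDescription = 'Timed out'; lastStateUpdateDateTime = '2024-01-10T08:09:00Z'
       resultMessage = ''
       managedDevice = @{ id = 'd4'; deviceName = 'PC-004' } }
)

$rows = ConvertFrom-DeviceRunStates -RunStates $sample
$rows | Format-Table DeviceName, Result, Hostname, SerialNumber, Status
# Everything whose Status is not 'ok' deserves a look before the report is trusted
$rows | Where-Object Status -ne 'ok'
```

With real data, pass the collected run states instead of the sample ($rows = ConvertFrom-DeviceRunStates -RunStates $runStates) and export $rows with Export-Csv as shown above. Keeping failed and unparseable runs in the list is deliberate: a readiness report that quietly omits the devices it could not assess is worse than one that flags them.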
Conclusion
Even though this solution is not exactly native to Intune, it is easy to use and flexible, and it does not require any additional service such as a file share to store the data, because the results are fetched from Intune itself. There are many more use cases, for example collecting the device hashes for Autopilot when you need to enroll a number of devices in a new tenant.