Automation, automation, automation!
Why should you manually set up dozens of groups, policies and other settings when it could be automated?
To automate our Intune setup, Microsoft Graph API is the answer.
And since most of us aren't developers, we stick to PowerShell as our scripting language of choice.
You could write your own functions and do REST calls against the Graph API, as I wrote about and shared my functions for in an earlier post.
But the easiest way is by using the Microsoft.Graph.Intune PowerShell Module. At the moment it contains over 900 commands, ready for use.
You authenticate and get the needed auth token by running the simple command: Connect-MSGraph
In this post I will show you how to automate some of the tasks in Intune.
Connecting and authenticating
We start by making sure the Microsoft.Graph.Intune module is installed, then connect and authenticate to the Microsoft Graph API.
The first time you run Connect-MSGraph you are asked to consent to the permissions requested by the module's app registration (Microsoft Intune PowerShell). These are broad delegated read/write permissions on Intune and directory objects, so grant them deliberately: the module can do everything the signed-in account is allowed to do, and nothing more. A Global Administrator can grant the consent for the whole tenant with Connect-MSGraph -AdminConsent. After consent the application shows up under Enterprise Applications in Azure AD, which is also where you review or remove the granted permissions.
# Check that the Microsoft.Graph.Intune module is installed
$IntuneModule = Get-Module -Name "Microsoft.Graph.Intune" -ListAvailable
if ($null -eq $IntuneModule) {
    Write-Host
    Write-Host "The module Microsoft.Graph.Intune was not found..." -ForegroundColor Red
    Write-Host "Install it by running 'Install-Module Microsoft.Graph.Intune' from an elevated PowerShell prompt" -ForegroundColor Yellow
    Write-Host "The script can not continue..." -ForegroundColor Red
    Write-Host
    exit 1
}

# Connect to the Microsoft Graph API and get an auth token (interactive sign-in; asks for consent the first time)
Connect-MSGraph
Set Intune as MDM Authority
Before we can start to use Intune we have to choose it as our MDM Authority. This is a tenant-wide setting, so the snippet below reads the current value first and only makes the change when Intune is not already the authority. Possible values of mobileDeviceManagementAuthority are unknown, intune, sccm and office365.
# Look up the tenant (organization) id first; it is needed for both calls below
$OrgId = (Invoke-MSGraphRequest -Url "https://graph.microsoft.com/v1.0/organization" -HttpMethod Get -ErrorAction Stop).value.id

# Check whether Intune already is the MDM Authority (the property is exposed on the beta endpoint)
$mdmAuth = (Invoke-MSGraphRequest -Url "https://graph.microsoft.com/beta/organization('$OrgId')?`$select=mobileDeviceManagementAuthority" -HttpMethod Get -ErrorAction Stop).mobileDeviceManagementAuthority

# If not already set, set Intune as MDM Authority
if ($mdmAuth -ne "intune") {
    Invoke-MSGraphRequest -Url "https://graph.microsoft.com/v1.0/organization/$OrgId/setMobileDeviceManagementAuthority" -HttpMethod Post -ErrorAction Stop
}
Adding groups
We use the New-AADGroup command to add groups. Notice that the -mailNickname argument is required, even when the group isn't mail enabled.
If you plan to assign policies to the group later in your script, capture the group's id in a variable.
$Group1 = (New-AADGroup -description "This is a group" -displayName "Group1" -mailEnabled $false -mailNickname "group1" -securityEnabled $true).id
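The one-liner above creates a new group every time the script runs. The following is an added example (not code from the original post) that looks the group up by display name first and only creates it when it is missing, so the script can be re-run without leaving duplicate groups behind. It uses Get-AADGroup with an OData -Filter; the group names and descriptions are illustrative.

```powershell
# Added example, not part of the original post. Creates a security group only if no group
# with that display name exists yet, and returns the id either way.
function Get-OrCreateSecurityGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickname,
        [string]$Description
    )

    # OData string literals are single-quoted; double any quote in the name so the filter stays valid
    $escapedName = $DisplayName -replace "'", "''"
    $existing = @(Get-AADGroup -Filter "displayName eq '$escapedName'")

    if ($existing.Count -gt 1) {
        throw "Found $($existing.Count) groups named '$DisplayName'; refusing to pick one at random."
    }
    if ($existing.Count -eq 1) {
        Write-Host "Group '$DisplayName' already exists with id $($existing[0].id)"
        return $existing[0].id
    }

    # Build the parameters as a hashtable (splatting) so optional values are only sent when given
    $params = @{
        displayName     = $DisplayName
        mailNickname    = $MailNickname   # required by the API even for groups that are not mail enabled
        mailEnabled     = $false
        securityEnabled = $true
    }
    if ($Description) { $params.description = $Description }

    $created = New-AADGroup @params
    Write-Host "Created group '$DisplayName' with id $($created.id)"
    return $created.id
}

# Usage: the returned ids are what the assignment cmdlets later in the script need
$Group1 = Get-OrCreateSecurityGroup -DisplayName "Group1" -MailNickname "group1" -Description "This is a group"
$Group2 = Get-OrCreateSecurityGroup -DisplayName "Intune - Pilot devices" -MailNickname "intunepilot"
```

The duplicate check matters because assignments are made by group id: if a re-run silently creates a second "Group1", later policies end up targeting an empty group while the original one keeps the old assignments.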
Windows Hello for Business settings
The easiest way to figure out the parameters for a policy cmdlet is the Command Add-on in PowerShell ISE (sorry, VS Code): choose the Microsoft.Graph.Intune module, pick the cmdlet for creating or updating the policy, fill in the fields, and paste the complete command into your script.
This is an example of how you edit the default Windows Hello for Business settings. Note that the values below keep a 4-digit numeric PIN with no complexity requirements; raise -pinMinimumLength and the character usage settings to match your own baseline.
# The default Windows Hello for Business configuration is found by its fixed description text
$id = (Get-IntuneDeviceEnrollmentConfiguration -Filter "description eq 'This is the default Windows Hello for Business configuration applied with the lowest priority to all users regardless of group membership.'").id
# Update the default configuration in place
Update-IntuneDeviceEnrollmentConfiguration -deviceEnrollmentConfigurationId $id -deviceEnrollmentWindowsHelloForBusinessConfiguration -enhancedBiometricsState notConfigured -pinExpirationInDays 0 -pinLowercaseCharactersUsage disallowed -pinMaximumLength 127 -pinMinimumLength 4 -pinPreviousBlockCount 0 -pinSpecialCharactersUsage disallowed -pinUppercaseCharactersUsage disallowed -remotePassportEnabled $true -securityDeviceRequired $false -state enabled -unlockWithBiometricsEnabled $true
Adding notifications for Compliance Policies
Let us add a notification we can use as an action when devices are non-compliant. A template holds the branding; you can attach multiple localized messages to it.
# Create the template and keep its id for the localized message and for compliance policy actions
$id = (New-IntuneNotificationMessageTemplate -brandingOptions includeCompanyLogo -displayName "Notification").id
New-IntuneLocalizedNotificationMessage -notificationMessageTemplateId $id -locale en-us -subject "Non compliance notification" -messageTemplate "One of your devices is not in compliance"
Adding and assigning Compliance Policies
Again I suggest using the Command Add-on in PowerShell ISE to get this correct.
I haven't figured out a way to add a notification as an action together with the default non-compliant action. If anyone knows how to add multiple actions at once, please leave a comment.
# Android compliance policy with a single scheduled action: mark non-compliant and block after a 72 hour grace period
$Comp_Android = (New-IntuneDeviceCompliancePolicy -androidCompliancePolicy -displayName Android -passwordMinimumLength 4 -passwordMinutesOfInactivityBeforeLock 15 -passwordRequired $true -passwordRequiredType numeric -storageRequireEncryption $true -scheduledActionsForRule (New-DeviceComplianceScheduledActionForRuleObject -ruleName "Mark device noncompliant" -scheduledActionConfigurations (New-DeviceComplianceActionItemObject -actionType block -gracePeriodHours 72))).id
# Assign the policy to the group created earlier
Invoke-IntuneDeviceCompliancePolicyAssign -deviceCompliancePolicyId $Comp_Android -assignments (New-DeviceCompliancePolicyAssignmentObject -target (New-DeviceAndAppManagementAssignmentTargetObject -groupAssignmentTarget -groupId $Group1))
Adding and assigning Windows Updates settings and Configurations policies
The same applies here: use the Command Add-on to find the attributes you need. Properties that are polymorphic in Graph (such as installationSchedule and the assignment target) are passed as objects carrying the @odata.type of the concrete type.
# Windows Update for Business ring: install automatically outside active hours (07:00 to 20:00), no deferrals, no pauses
$DevConf_Update = (New-IntuneDeviceConfigurationPolicy -windowsUpdateForBusinessConfiguration -automaticUpdateMode autoInstallAtMaintenanceTime -businessReadyUpdatesOnly all -deliveryOptimizationMode httpWithPeeringNat -displayName "Windows 10 update rings" -driversExcluded $false -featureUpdatesDeferralPeriodInDays 0 -featureUpdatesPaused $false -featureUpdatesPauseExpiryDateTime "0001-01-01T00:00:00Z" -installationSchedule (New-Object PSObject -Property ([Ordered]@{'@odata.type'='#microsoft.graph.windowsUpdateActiveHoursInstall'; activeHoursStart='07:00:00.0000000'; activeHoursEnd='20:00:00.0000000' })) -microsoftUpdateServiceAllowed $true -prereleaseFeatures userDefined -qualityUpdatesDeferralPeriodInDays 0 -qualityUpdatesPaused $false -qualityUpdatesPauseExpiryDateTime "0001-01-01T00:00:00Z").id
# Assign the update ring to the group
New-IntuneDeviceConfigurationPolicyAssignment -deviceConfigurationId $DevConf_Update -target (New-Object PSObject -Property ([Ordered]@{'@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $Group1 }))
$DevConf_Android = (New-IntuneDeviceConfigurationPolicy -androidGeneralDeviceConfiguration -displayName "Device restriction - Android" -passwordBlockFingerprintUnlock $false -passwordBlockTrustAgents $false -passwordMinimumLength 4 -passwordMinutesOfInactivityBeforeScreenTimeout 15 -passwordRequired $true -passwordRequiredType numeric -passwordSignInFailureCountBeforeFactoryReset 11 -storageRequireDeviceEncryption $true).id
New-IntuneDeviceConfigurationPolicyAssignment -deviceConfigurationId $DevConf_Android -target (New-Object PSObject -Property ([Ordered]@{'@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group1 }))
Hi Jens, great tutorial!
You can set the scheduled actions like this:
# $notificationMobileResult is assumed to hold the template returned by New-IntuneNotificationMessageTemplate
$defaultScheduledActionsMobile = (New-DeviceComplianceScheduledActionForRuleObject `
    -ruleName PasswordRequired `
    -scheduledActionConfigurations `
    ((New-DeviceComplianceActionItemObject `
        -gracePeriodHours 0 `
        -actionType block `
        -notificationTemplateId "" `
    ),(New-DeviceComplianceActionItemObject `
        -gracePeriodHours 24 `
        -actionType notification `
        -notificationTemplateId $($notificationMobileResult.id) `
    ))
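The question raised in the post about combining a notification with the block action, and the approach shown in the comment above, both come down to passing more than one action item to the scheduled action rule. The following is an added example (not code from the original post or from the commenter) that builds the whole chain end to end: template, localized message, a compliance policy whose rule notifies after 24 hours and blocks after 72 hours, the group assignment, and a read-back of the stored actions. Display names, message texts, the rule name and $Group1 (a group id from the earlier step) are assumptions; the read-back uses the beta endpoint, as the MDM authority check in the post does.

```powershell
# Added example, not part of the original post. One compliance policy carrying two scheduled
# actions for the same rule, assigned to a group and verified afterwards.

# 1. Notification template with an English message
$template = New-IntuneNotificationMessageTemplate -displayName "Device not compliant - warning" -brandingOptions includeCompanyLogo
New-IntuneLocalizedNotificationMessage -notificationMessageTemplateId $template.id -locale "en-us" `
    -subject "Your device is not compliant" `
    -messageTemplate "Your device does not meet company requirements. Please fix it within 72 hours to keep access to company resources."

# 2. Scheduled actions. Grace periods are in hours and counted from the moment the device is
#    marked non-compliant, so with these values the user is warned two days before being blocked.
$actions = @(
    (New-DeviceComplianceActionItemObject -actionType notification -gracePeriodHours 24 -notificationTemplateId $template.id),
    (New-DeviceComplianceActionItemObject -actionType block -gracePeriodHours 72)
)
# Rule name as used in the comment above; it is an assumption that any name is accepted
$rule = New-DeviceComplianceScheduledActionForRuleObject -ruleName "PasswordRequired" -scheduledActionConfigurations $actions

# 3. Compliance policy. Uses a longer PIN than the post's example; adjust to your own baseline.
$policy = New-IntuneDeviceCompliancePolicy -androidCompliancePolicy -displayName "Android - baseline" `
    -passwordRequired $true -passwordRequiredType numeric -passwordMinimumLength 6 `
    -passwordMinutesOfInactivityBeforeLock 15 -storageRequireEncryption $true `
    -scheduledActionsForRule @($rule)

# 4. Assign the policy to the group created earlier ($Group1 holds a group id)
$assignment = New-DeviceCompliancePolicyAssignmentObject -target (New-DeviceAndAppManagementAssignmentTargetObject -groupAssignmentTarget -groupId $Group1)
Invoke-IntuneDeviceCompliancePolicyAssign -deviceCompliancePolicyId $policy.id -assignments @($assignment)

# 5. Read the rule back and list its actions, to confirm both items were stored
$url = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($policy.id)/scheduledActionsForRule?`$expand=scheduledActionConfigurations"
$storedRules = (Invoke-MSGraphRequest -Url $url -HttpMethod Get -ErrorAction Stop).value
$storedRules.scheduledActionConfigurations | Select-Object actionType, gracePeriodHours, notificationTemplateId
```

The read-back at the end is the check worth keeping in a provisioning script: a policy that was created but silently lost one of its actions still shows up as "deployed" in the portal, and the only way to notice from the script is to compare what Graph stored with what you intended to send.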