Essential Commands And Tasks
Introduction
Now that we’ve covered the basics of connecting to Microsoft Intune with PowerShell, it’s time to dive into managing Intune resources. In this post, I’ll introduce essential PowerShell commands for managing devices, configurations, and policies. By the end, you’ll have a toolkit of commands to simplify your day-to-day Intune administration tasks.
Why Manage Intune with PowerShell?
While the Intune admin portal offers a robust UI, PowerShell allows you to automate repetitive tasks and handle complex scenarios efficiently. Whether you’re managing hundreds or thousands of devices, automating with PowerShell helps you keep the environment consistent, secure, and up-to-date.
Step 1: Understanding Key Intune Resources
Microsoft Intune groups resources into several categories, with the most commonly managed ones being:
- Devices: All Intune-managed devices, such as desktops, laptops, and mobile devices.
- Users: Individual accounts and associated policies or applications.
- Device Configurations: Policies that manage device settings, such as security, compliance, and restrictions.
- Applications: Software deployed and managed through Intune, including required and available apps.
Each category has its own set of PowerShell commands, accessible via the Microsoft Graph SDK.
Step 2: Managing Devices
Let’s start with some core commands to manage devices in Intune. Here’s how to list, retrieve, and perform basic actions on devices.
Retrieve All Devices:
To get a list of all managed devices:
1 2
$devices = Get-MgDeviceManagementManagedDevice $devices | ForEach-Object { Write-Host $_.DeviceName }
This command retrieves all devices and displays each device’s name. You can adjust this output to show other properties like
DeviceType,OperatingSystem, orComplianceState.Retrieve a Specific Device:
To get details about a single device, specify its unique identifier (Device ID):
1 2 3 4
$deviceId = "<YourDeviceID>" $device = Get-MgDeviceManagementManagedDevice -ManagedDeviceId $deviceId Write-Host "Device Name: $($device.DeviceName)" Write-Host "Compliance State: $($device.ComplianceState)"
Remote Actions on Devices:
Using PowerShell, you can initiate remote actions on devices, like wiping or restarting them.
Restart a Device:
1 2
Invoke-MgDeviceManagementManagedDeviceRestart -ManagedDeviceId $deviceId Write-Host "Restart command sent to device $($device.DeviceName)"
Wipe a Device:
1 2
Invoke-MgDeviceManagementManagedDeviceWipe -ManagedDeviceId $deviceId Write-Host "Wipe command sent to device $($device.DeviceName)"
These commands help enforce security and troubleshooting remotely across your device fleet.
Step 3: Managing Device Configurations
Device configurations in Intune allow you to enforce settings on managed devices. Here’s how to view and manage them.
List All Device Configurations:
To see all configurations applied within Intune:
1 2
$configs = Get-MgDeviceManagementDeviceConfiguration $configs | ForEach-Object { Write-Host $_.DisplayName }
Retrieve a Specific Configuration:
To view details of a specific configuration, specify the configuration’s ID:
1 2 3 4
$configId = "<YourConfigID>" $config = Get-MgDeviceManagementDeviceConfiguration -DeviceConfigurationId $configId Write-Host "Configuration Name: $($config.DisplayName)" Write-Host "Description: $($config.Description)"
Assign a Configuration to a Group:
To assign a device configuration to a specific Azure AD group, use this command:
1 2 3 4 5 6 7 8
$assignment = @{ "@odata.type" = "#microsoft.graph.deviceConfigurationAssignment" "target" = @{ "groupId" = "<YourGroupID>" } } New-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $configId -BodyParameter $assignment Write-Host "Configuration assigned to group."
This command links a configuration policy to a group of users or devices, ensuring that policies are enforced according to your organizational requirements.
Step 4: Managing Applications in Intune
Applications can also be managed directly through PowerShell, including adding, updating, and assigning apps.
List All Applications:
1 2
$apps = Get-MgDeviceAppManagementMobileApps $apps | ForEach-Object { Write-Host $_.DisplayName }
This command retrieves a list of all apps currently managed by Intune, allowing you to check what’s available or assigned.
Add a New Application:
Here’s an example of adding a Windows Line-of-Business (LOB) app. You’ll need the app package file path.
1 2 3 4 5 6 7 8 9 10 11 12 13
$app = @{ "displayName" = "YourAppName" "isFeatured" = $false "largeIcon" = @{ "@odata.type" = "microsoft.graph.mimeContent" "type" = "image/png" "value" = "Base64EncodedIcon" } "publisher" = "YourPublisher" "isRequired" = $true } New-MgDeviceAppManagementMobileApps -BodyParameter $app Write-Host "Application added."
Assign an App to a Group:
To assign an app to an Azure AD group, specify the app and group IDs:
1 2 3 4 5 6 7 8
$appId = "<YourAppID>" $groupId = "<YourGroupID>" New-MgDeviceAppManagementMobileAppAssignment -MobileAppId $appId -BodyParameter @{ "target" = @{ "groupId" = $groupId } } Write-Host "App assigned to group."
Summary of Common Intune Management Commands
Here’s a quick reference for commands covered:
- Devices:
Get-MgDeviceManagementManagedDevice,Invoke-MgDeviceManagementManagedDeviceRestart,Invoke-MgDeviceManagementManagedDeviceWipe - Configurations:
Get-MgDeviceManagementDeviceConfiguration,New-MgDeviceManagementDeviceConfigurationAssignment - Applications:
Get-MgDeviceAppManagementMobileApps,New-MgDeviceAppManagementMobileAppAssignment
Conclusion
With these foundational commands, you’re now equipped to automate and manage essential tasks in Intune. PowerShell’s flexibility gives you more control over your Intune environment, whether you’re managing devices, enforcing configurations, or deploying applications.
This concludes the foundational series. In future posts, I’ll dive deeper into advanced Intune automation, troubleshooting, and other specialized tasks. Thanks for following along—happy scripting!