Forum Discussion

JeremyTBradshaw's avatar
JeremyTBradshaw
Steel Contributor
Jan 21, 2021

Get-IntuneDeviceConfigurationPolicy returns only some of my policies

FYI: I also opened an issue on the GitHub repo for the module

 

When I run Get-IntuneDeviceConfigurationPolicy, I'm getting 5 device configuration policies back, but I actually have 10:

>Get-IntuneDeviceConfigurationPolicy |select displayName

displayName
-----------
Android Enterprise - Work profile
Bitlocker
Broad
Essential Settings
Wi-Fi - Android Enterprise - Work profile

Device Configuration Profiles (GUI)

It's the same behavior when I use MS Graph directly without the Microsoft.Graph.Intune module:

>New-MSGraphRequest -AccessToken $NT -Request /deviceManagement/deviceConfigurations |select -ExpandProperty Value |select displayName                                                           
displayName
-----------
Android Enterprise - Work profile
Bitlocker
Broad
Essential Settings
Wi-Fi - Android Enterprise - Work profile

All 10 device configuration policies are assigned, and have settings configured etc. (obviously I suppose), so I can't seem to figure out what's up with this.

 

I get no results back for many of the cmdlets, for example there is no sign of my App Configuration policies for Managed Devices; only policies for Managed Apps come back. So it feels like I'm missing something big here, but it's not jumping out at me.  Is there any kind of known issue that makes MS Graph unable to see certain items in Intune?

 

I am using the same account to login to endpoint.microsoft.com as I am when obtaining the access token in PowerShell (i.e. Connect-MSGraph, when using the module).

 

Thanks in advance.

  • Rudy_Ooms_MVP's avatar
    Rudy_Ooms_MVP
    Jun 30, 2021

    What happens when you run this script? It shows me the stuff the other command didn't showed me

    #oauth token
    $clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
    $redirectUri = "urn:ietf:wg:oauth:2.0:oob"
    $resourceURI = "https://graph.microsoft.com/"
    $authority = "https://login.microsoftonline.com/common"
    $AadModule = Import-Module -Name AzureAD -ErrorAction Stop -PassThru
    $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
    $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
    [System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
    [System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
    $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Always"
    $authResult = $authContext.AcquireTokenAsync($resourceURI, $ClientID, $RedirectUri, $platformParameters)
    $accessToken = $authResult.result.AccessToken

    $apiUrl = 'https://graph.microsoft.com/beta/deviceManagement/deviceconfigurations'

    $Data = Invoke-RestMethod -Headers @{Authorization = "Bearer $($authResult.result.AccessToken)"} -Uri $apiUrl -Method get
    $data.value

     

    THe script I posted is connecting to the beta and shows it all, but the msgraph is connecting to the v1.0 

     

     

    So if you want the get-intunedeviceconfiguraitonpolicy to connect to the beta:

     

    Update-MSGraphEnvironment -SchemaVersion beta

    connect-msgraph

     

     

  • dkovarik's avatar
    dkovarik
    Copper Contributor
    Actually, what helped me after all tries to get ALL configuration policies is this:
    1) use Beta version of Graph API
    2) get data from all these API points:
    - deviceManagement/deviceConfigurations
    - deviceManagement/configurationPolicies
    - deviceManagement/grouppolicyconfigurations

    With the 3 API points above, you will get the list with record IDs, on which you can use further API calls like:
    - deviceManagement/deviceConfigurations/{RECORD ID}/deviceStatusOverview
    - deviceManagement/deviceConfigurations/{RECORD ID}/deviceStatuses
    • MrMattiPants's avatar
      MrMattiPants
      Copper Contributor

      dkovarik 
      If you have any Hardware Configurations, you may also want to include the "hardwareConfigurations" Resource Type, as well.

    • JeremyTBradshaw's avatar
      JeremyTBradshaw
      Steel Contributor

      Jan Bakker  Thanks for the idea, and I just checked/confirmed that indeed it's the same behavior in Graph Explorer.  This is logged into Graph Explorer as the same user described in the first post, and having added the permission DeviceManagementConfiguration.Read.All (and DeviceManagementConfiguration.ReadWrite.All which got added automatically, so I consented to it too, just as a hail-mary).  Still just getting the usual 5 policies back in the results:

       

       

      {
          "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#deviceManagement/deviceConfigurations(displayName)",
          "value": [
              {
                  "@odata.type": "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration",
                  "displayName": "Android Enterprise - Work profile"
              },
              {
                  "@odata.type": "#microsoft.graph.windows10EndpointProtectionConfiguration",
                  "displayName": "Bitlocker"
              },
              {
                  "@odata.type": "#microsoft.graph.windowsUpdateForBusinessConfiguration",
                  "displayName": "Broad"
              },
              {
                  "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
                  "displayName": "Essential Settings"
              },
              {
                  "@odata.type": "#microsoft.graph.androidWorkProfileCustomConfiguration",
                  "displayName": "Wi-Fi - Android Enterprise - Work profile"
              }
          ]
      }

       

       So strange.  There's nothing consistent about these 5 policies which do return either.  Some are old, some relatively new, they're of different types, and of the types they are, I have other policies of the same type which do not return.  But these 5 are consistently the only ones returned.

  • JeremyTBradshaw 

     

    It depends on what you want to know... If you are launching this command:
    Get-IntuneDeviceConfigurationPolicy |select displayName

     

    You will get back your

    https://graph.microsoft.com/beta/deviceManagement/deviceconfigurations... and of course its missing the administrative templates

     

     

    When you want to get them back you should query the

    https://graph.microsoft.com/beta/deviceManagement/grouppolicyconfigurations

     

     

     

    The same with the settings catalog that would be 

    https://graph.microsoft.com/beta/deviceManagement/configurationPolicies

     

    But I must agree it's missing some other stuff 🙂  Like identity protection device configuration profiles... I am going to take a good look why they are not  showing

     

     

    • Rudy_Ooms_MVP's avatar
      Rudy_Ooms_MVP
      MVP

      What happens when you run this script? It shows me the stuff the other command didn't showed me

      #oauth token
      $clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
      $redirectUri = "urn:ietf:wg:oauth:2.0:oob"
      $resourceURI = "https://graph.microsoft.com/"
      $authority = "https://login.microsoftonline.com/common"
      $AadModule = Import-Module -Name AzureAD -ErrorAction Stop -PassThru
      $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
      $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
      [System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
      [System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
      $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
      $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Always"
      $authResult = $authContext.AcquireTokenAsync($resourceURI, $ClientID, $RedirectUri, $platformParameters)
      $accessToken = $authResult.result.AccessToken

      $apiUrl = 'https://graph.microsoft.com/beta/deviceManagement/deviceconfigurations'

      $Data = Invoke-RestMethod -Headers @{Authorization = "Bearer $($authResult.result.AccessToken)"} -Uri $apiUrl -Method get
      $data.value

       

      THe script I posted is connecting to the beta and shows it all, but the msgraph is connecting to the v1.0 

       

       

      So if you want the get-intunedeviceconfiguraitonpolicy to connect to the beta:

       

      Update-MSGraphEnvironment -SchemaVersion beta

      connect-msgraph

       

       

      • JeremyTBradshaw's avatar
        JeremyTBradshaw
        Steel Contributor

        Rudy_Ooms_MVP Good catch - when I target the Beta endpoint, I get all 16 device configuration profiles back.  I didn't use your script but instead used my New-MSGraphRequest and add -Endpoint Beta to it:

         

        > $devConfigs = New-MSGraphRequest -AccessToken $RT -Request devicemanagement/deviceConfigurations -Endpoint beta
        
        > $devConfigs.value.Count
        16

         

        All 16, which as an FYI are of many different types, but are all showing in Devices > Device Configuration Profiles in MEM, so I assumed they should all come back when requesting to /devicemanagement/deviceConfiguration.  When I was reading your first bit, I was thinking you were onto something with having to send separate requests for each of the different types' resources (e.g., .../deviceConfigurations, .../groupPolicyConfigurations, etc.).  But since all types come back from just .../deviceConfigurations when using the Beta endpoint, I guess I'm back to assuming that it should (eventually at least) work on v1.0 too.

         

        Here are all 16 of my profiles as returned from Beta (see all the different types):

        > $devConfigs.value |select displayName, '@odata.type'
        
        displayName                                      @odata.type
        -----------                                      -----------
        10 Pacer Ave                                     #microsoft.graph.androidDeviceOwnerWiFiConfiguration
        Android Enterprise - Work profile                #microsoft.graph.androidWorkProfileGeneralDeviceConfiguration
        Android Enterprise (Corporate)                   #microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration
        Autopilot Domain Join                            #microsoft.graph.windowsDomainJoinConfiguration
        Bitlocker                                        #microsoft.graph.windows10EndpointProtectionConfiguration
        Broad                                            #microsoft.graph.windowsUpdateForBusinessConfiguration
        DU - Windows 10 - VPN (Cisco AnyConnect)         #microsoft.graph.windows10VpnConfiguration
        DU - Windows 10 Delivery Optimization            #microsoft.graph.windowsDeliveryOptimizationConfiguration
        DU - Windows 10 Device Restrictions              #microsoft.graph.windows10GeneralConfiguration
        Essential Settings                               #microsoft.graph.windows10CustomConfiguration
        Intune data collection policy                    #microsoft.graph.windowsHealthMonitoringConfiguration
        Local Administrators (Windows 10 20H2 and newer) #microsoft.graph.windows10CustomConfiguration
        Wi-Fi - Android Enterprise - Work profile        #microsoft.graph.androidWorkProfileCustomConfiguration
        Wi-Fi - Windows 10                               #microsoft.graph.windowsWifiConfiguration
        Windows 10 Home > Education                      #microsoft.graph.editionUpgradeConfiguration
        Windows Hello for Business                       #microsoft.graph.windowsIdentityProtectionConfiguration

         Thanks for pointing us to the Beta endpoint!

Resources