Forum Discussion
Get-IntuneDeviceConfigurationPolicy returns only some of my policies
FYI: I also opened an issue on the GitHub repo for the module
When I run Get-IntuneDeviceConfigurationPolicy, I'm getting 5 device configuration policies back, but I actually have 10:
>Get-IntuneDeviceConfigurationPolicy |select displayName
displayName
-----------
Android Enterprise - Work profile
Bitlocker
Broad
Essential Settings
Wi-Fi - Android Enterprise - Work profile
It's the same behavior when I use MS Graph directly without the Microsoft.Graph.Intune module:
>New-MSGraphRequest -AccessToken $NT -Request /deviceManagement/deviceConfigurations |select -ExpandProperty Value |select displayName
displayName
-----------
Android Enterprise - Work profile
Bitlocker
Broad
Essential Settings
Wi-Fi - Android Enterprise - Work profile
All 10 device configuration policies are assigned, and have settings configured etc. (obviously I suppose), so I can't seem to figure out what's up with this.
I get no results back for many of the cmdlets, for example there is no sign of my App Configuration policies for Managed Devices; only policies for Managed Apps come back. So it feels like I'm missing something big here, but it's not jumping out at me. Is there any kind of known issue that makes MS Graph unable to see certain items in Intune?
I am using the same account to login to endpoint.microsoft.com as I am when obtaining the access token in PowerShell (i.e. Connect-MSGraph, when using the module).
Thanks in advance.
What happens when you run this script? It shows me the stuff the other command didn't showed me
#oauth token
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceURI = "https://graph.microsoft.com/"
$authority = "https://login.microsoftonline.com/common"
$AadModule = Import-Module -Name AzureAD -ErrorAction Stop -PassThru
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Always"
$authResult = $authContext.AcquireTokenAsync($resourceURI, $ClientID, $RedirectUri, $platformParameters)
$accessToken = $authResult.result.AccessToken
$apiUrl = 'https://graph.microsoft.com/beta/deviceManagement/deviceconfigurations'
$Data = Invoke-RestMethod -Headers @{Authorization = "Bearer $($authResult.result.AccessToken)"} -Uri $apiUrl -Method get
$data.valueTHe script I posted is connecting to the beta and shows it all, but the msgraph is connecting to the v1.0
So if you want the get-intunedeviceconfiguraitonpolicy to connect to the beta:
Update-MSGraphEnvironment -SchemaVersion beta
connect-msgraph
- dkovarikCopper ContributorActually, what helped me after all tries to get ALL configuration policies is this:
1) use Beta version of Graph API
2) get data from all these API points:
- deviceManagement/deviceConfigurations
- deviceManagement/configurationPolicies
- deviceManagement/grouppolicyconfigurations
With the 3 API points above, you will get the list with record IDs, on which you can use further API calls like:
- deviceManagement/deviceConfigurations/{RECORD ID}/deviceStatusOverview
- deviceManagement/deviceConfigurations/{RECORD ID}/deviceStatuses- MrMattiPantsCopper Contributor
dkovarik
If you have any Hardware Configurations, you may also want to include the "hardwareConfigurations" Resource Type, as well.
- Jan BakkerIron Contributor
JeremyTBradshaw Do you get the same result if you run it from Graph Explorer (aka.ms/ge)
GET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations?$select=Displayname
- JeremyTBradshawSteel Contributor
Jan Bakker Thanks for the idea, and I just checked/confirmed that indeed it's the same behavior in Graph Explorer. This is logged into Graph Explorer as the same user described in the first post, and having added the permission DeviceManagementConfiguration.Read.All (and DeviceManagementConfiguration.ReadWrite.All which got added automatically, so I consented to it too, just as a hail-mary). Still just getting the usual 5 policies back in the results:
{ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#deviceManagement/deviceConfigurations(displayName)", "value": [ { "@odata.type": "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration", "displayName": "Android Enterprise - Work profile" }, { "@odata.type": "#microsoft.graph.windows10EndpointProtectionConfiguration", "displayName": "Bitlocker" }, { "@odata.type": "#microsoft.graph.windowsUpdateForBusinessConfiguration", "displayName": "Broad" }, { "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "displayName": "Essential Settings" }, { "@odata.type": "#microsoft.graph.androidWorkProfileCustomConfiguration", "displayName": "Wi-Fi - Android Enterprise - Work profile" } ] }
So strange. There's nothing consistent about these 5 policies which do return either. Some are old, some relatively new, they're of different types, and of the types they are, I have other policies of the same type which do not return. But these 5 are consistently the only ones returned.
- jhl_2012Copper Contributor
JeremyTBradshaw did you ever find a solution to this? I am having the same issue.
It depends on what you want to know... If you are launching this command:
Get-IntuneDeviceConfigurationPolicy |select displayNameYou will get back your
https://graph.microsoft.com/beta/deviceManagement/deviceconfigurations... and of course its missing the administrative templates
When you want to get them back you should query the
https://graph.microsoft.com/beta/deviceManagement/grouppolicyconfigurations
The same with the settings catalog that would be
https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
But I must agree it's missing some other stuff 🙂 Like identity protection device configuration profiles... I am going to take a good look why they are not showing
What happens when you run this script? It shows me the stuff the other command didn't showed me
#oauth token
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceURI = "https://graph.microsoft.com/"
$authority = "https://login.microsoftonline.com/common"
$AadModule = Import-Module -Name AzureAD -ErrorAction Stop -PassThru
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Always"
$authResult = $authContext.AcquireTokenAsync($resourceURI, $ClientID, $RedirectUri, $platformParameters)
$accessToken = $authResult.result.AccessToken
$apiUrl = 'https://graph.microsoft.com/beta/deviceManagement/deviceconfigurations'
$Data = Invoke-RestMethod -Headers @{Authorization = "Bearer $($authResult.result.AccessToken)"} -Uri $apiUrl -Method get
$data.valueTHe script I posted is connecting to the beta and shows it all, but the msgraph is connecting to the v1.0
So if you want the get-intunedeviceconfiguraitonpolicy to connect to the beta:
Update-MSGraphEnvironment -SchemaVersion beta
connect-msgraph
- JeremyTBradshawSteel Contributor
Rudy_Ooms_MVP Good catch - when I target the Beta endpoint, I get all 16 device configuration profiles back. I didn't use your script but instead used my New-MSGraphRequest and add -Endpoint Beta to it:
> $devConfigs = New-MSGraphRequest -AccessToken $RT -Request devicemanagement/deviceConfigurations -Endpoint beta > $devConfigs.value.Count 16
All 16, which as an FYI are of many different types, but are all showing in Devices > Device Configuration Profiles in MEM, so I assumed they should all come back when requesting to /devicemanagement/deviceConfiguration. When I was reading your first bit, I was thinking you were onto something with having to send separate requests for each of the different types' resources (e.g., .../deviceConfigurations, .../groupPolicyConfigurations, etc.). But since all types come back from just .../deviceConfigurations when using the Beta endpoint, I guess I'm back to assuming that it should (eventually at least) work on v1.0 too.
Here are all 16 of my profiles as returned from Beta (see all the different types):
> $devConfigs.value |select displayName, '@odata.type' displayName @odata.type ----------- ----------- 10 Pacer Ave #microsoft.graph.androidDeviceOwnerWiFiConfiguration Android Enterprise - Work profile #microsoft.graph.androidWorkProfileGeneralDeviceConfiguration Android Enterprise (Corporate) #microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration Autopilot Domain Join #microsoft.graph.windowsDomainJoinConfiguration Bitlocker #microsoft.graph.windows10EndpointProtectionConfiguration Broad #microsoft.graph.windowsUpdateForBusinessConfiguration DU - Windows 10 - VPN (Cisco AnyConnect) #microsoft.graph.windows10VpnConfiguration DU - Windows 10 Delivery Optimization #microsoft.graph.windowsDeliveryOptimizationConfiguration DU - Windows 10 Device Restrictions #microsoft.graph.windows10GeneralConfiguration Essential Settings #microsoft.graph.windows10CustomConfiguration Intune data collection policy #microsoft.graph.windowsHealthMonitoringConfiguration Local Administrators (Windows 10 20H2 and newer) #microsoft.graph.windows10CustomConfiguration Wi-Fi - Android Enterprise - Work profile #microsoft.graph.androidWorkProfileCustomConfiguration Wi-Fi - Windows 10 #microsoft.graph.windowsWifiConfiguration Windows 10 Home > Education #microsoft.graph.editionUpgradeConfiguration Windows Hello for Business #microsoft.graph.windowsIdentityProtectionConfiguration
Thanks for pointing us to the Beta endpoint!