Get-IntuneDeviceConfigurationPolicy returns only some of my policies


FYI: I also opened an issue on the GitHub repo for the module (https://github.com/microsoft/Intune-PowerShell-SDK/issues/99)

When I run Get-IntuneDeviceConfigurationPolicy, I'm getting 5 device configuration policies back, but I actually have 10:

>Get-IntuneDeviceConfigurationPolicy |select displayName

displayName
-----------
Android Enterprise - Work profile
Bitlocker
Broad
Essential Settings
Wi-Fi - Android Enterprise - Work profile

[Screenshot: Device Configuration Profiles (GUI)]

It's the same behavior when I use MS Graph directly without the Microsoft.Graph.Intune module:

>New-MSGraphRequest -AccessToken $NT -Request /deviceManagement/deviceConfigurations |select -ExpandProperty Value |select displayName

displayName
-----------
Android Enterprise - Work profile
Bitlocker
Broad
Essential Settings
Wi-Fi - Android Enterprise - Work profile

All 10 device configuration policies are assigned, and have settings configured etc. (obviously I suppose), so I can't seem to figure out what's up with this.

I get no results back for many of the cmdlets, for example there is no sign of my App Configuration policies for Managed Devices; only policies for Managed Apps come back. So it feels like I'm missing something big here, but it's not jumping out at me. Is there any kind of known issue that makes MS Graph unable to see certain items in Intune?

I am using the same account to log in to endpoint.microsoft.com as I am when obtaining the access token in PowerShell (i.e. Connect-MSGraph, when using the module).

Thanks in advance.

2 Replies

@Jan Bakker Thanks for the idea, and I just checked/confirmed that indeed it's the same behavior in Graph Explorer. This is logged into Graph Explorer as the same user described in the first post, and having added the permission DeviceManagementConfiguration.Read.All (and DeviceManagementConfiguration.ReadWrite.All which got added automatically, so I consented to it too, just as a hail-mary). Still just getting the usual 5 policies back in the results:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#deviceManagement/deviceConfigurations(displayName)",
    "value": [
        {
            "@odata.type": "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration",
            "displayName": "Android Enterprise - Work profile"
        },
        {
            "@odata.type": "#microsoft.graph.windows10EndpointProtectionConfiguration",
            "displayName": "Bitlocker"
        },
        {
            "@odata.type": "#microsoft.graph.windowsUpdateForBusinessConfiguration",
            "displayName": "Broad"
        },
        {
            "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
            "displayName": "Essential Settings"
        },
        {
            "@odata.type": "#microsoft.graph.androidWorkProfileCustomConfiguration",
            "displayName": "Wi-Fi - Android Enterprise - Work profile"
        }
    ]
}

So strange. There's nothing consistent about these 5 policies which do return either. Some are old, some relatively new, they're of different types, and of the types they are, I have other policies of the same type which do not return. But these 5 are consistently the only ones returned.