PowerShell: extract TPM and Encryption Readiness information from Intune

Hi,

I'm trying to automate a report on Bitlocker coverage on Intune managed devices. I'm using Graph API to extract device information from Intune, querying this URL: 

The result has a property named "isEncrypted" which is true or false. But I also need the information that exists on the Encryption report, about the TPM Version and Encryption readiness. Basically I need what is shown here:
[Image: dmarquesgn_0-1714892839193.png]

How can I extract this information with PowerShell?


Thanks

9 Replies

Hi @dmarquesgn, have you tried the excellent solution called Graph X-Ray (merill.net)? It will help you find which Powershell commands to use when using the Intune portal. 

 The answer I got from the addon was the following:

Import-Module Microsoft.Graph.Beta.DeviceManagement.Actions

$params = @{
	select = @(
		"DeviceId"
		"DeviceName"
		"DeviceType"
		"OSVersion"
		"TpmSpecificationVersion"
		"EncryptionReadinessState"
		"EncryptionStatus"
		"UPN"
	)
	filter = ""
	skip = 0
	search = ""
	top = 50
}

Get-MgBetaDeviceManagementReportEncryptionReportForDevice -BodyParameter $params

@tobiassandberg Thanks for the tip, I didn't know it.

About the cmdlet "Get-MgBetaDeviceManagementReportEncryptionReportForDevice", is outputting to a file the only way of extracting the data? This way we then need to import it.

One other question: I'm exporting the results and importing them into a variable with "Get-Content". When I look at the content, it seems to be JSON, so I convert it using "ConvertFrom-Json" and then I get a PSCustomObject variable. But the format seems odd, as I can't access its individual values like in an array.

Is there any option to import this directly as an array so I can parse it easily?

 

Thanks

Thanks @dmarquesgn!

With the recent changes to Intune’s reporting mechanism by Microsoft, the method you’re using is the only one I’m aware of to retrieve such information. Regrettably, this process generates a file rather than a direct output, necessitating the need to save it for subsequent processing. Docs are describing it here: Use Graph APIs to export Intune Reports | Microsoft Learn

Regarding your second question, try this and see if it helps you:

# Assume that $jsonFilePath contains the path to your JSON file
$jsonFilePath = "path_to_your_json_file.json"

# Read the JSON file and convert it to a PowerShell object
$json = Get-Content -Path $jsonFilePath -Raw | ConvertFrom-Json

# Now $json is a PowerShell object that represents the JSON data
# You can access its properties like this:
$columns = $json.columns
$values = $json.values

# Now $columns is an array of column names and $values is an array of rows
# You can access individual items in these arrays like this:
$firstColumnName = $columns[0]
$firstRow = $values[0]

# Now $firstColumnName is the first column name and $firstRow is the first row
# $firstRow is a PSCustomObject that represents a row, you can access its properties like this:
$firstDeviceName = $firstRow.DeviceName

 

@tobiassandberg Thanks for the inputs, they are quite useful. 

I've been playing with that code you've sent, and it's not quite that, but I've found how to access each element. So now I would like to circle each element and add the values into an array, so I can then do the usual searching and sorting. But I'm not yet too familiar with arrays. So how can I build an array just like a csv file with properties or headers, which are:

DeviceId, DeviceName, DeviceType, etc, etc, and then add the values into each property?

 

Thanks

@dmarquesgn maybe this will work better for you? It's two different ways of handling the array.

 

# Assume that $jsonFilePath contains the path to your JSON file
$jsonFilePath = "path_to_your_json_file.json"

# Read the JSON file and convert it to a PowerShell object
$json = Get-Content -Path $jsonFilePath -Raw | ConvertFrom-Json

# Now $json is a PowerShell object that represents the JSON data
# You can access its properties like this:
$columns = $json.columns
$values = $json.values

# Array
$values

# We can loop through the array and get specific values
foreach($value in $values){
    $DeviceName = $value.DeviceName
    $ManagedBy = $value.ManagedBy
    $Ownership = $value.Ownership
    $CompliantState = $value.CompliantState
    $OS = $value.OS
    $OSVersion = $value.OSVersion
    $LastContact = $value.LastContact
    $UPN = $value.UPN
    $DeviceId = $value.DeviceId
}

# Initialize an empty array to hold the row objects
$rows = @()

# Loop through each element in your data
foreach ($element in $values) {
    # Create a new object to represent the row
    $row = New-Object PSObject

    # Add properties to the row object
    $row | Add-Member -MemberType NoteProperty -Name "DeviceId" -Value $element.DeviceId
    $row | Add-Member -MemberType NoteProperty -Name "DeviceName" -Value $element.DeviceName
    $row | Add-Member -MemberType NoteProperty -Name "DeviceType" -Value $element.DeviceType
    # Add more properties as needed...

    # Add the row object to the rows array
    $rows += $row
}

# Array formatted differently
$rows

# Now $rows is an array of objects, each representing a row from your data
# You can access individual rows and their properties like this:
$firstRow = $rows[0]
$firstDeviceId = $firstRow.DeviceId

 

@tobiassandberg Thanks for the tip. Meanwhile I was searching around a bit and found a way to do it, probably with less code than yours 🙂

 

$jsonFilePath = "C:\Temp\Intune-Encryption.json"
$json = Get-Content -Path $jsonFilePath -Raw | ConvertFrom-Json
# Each entry in .values is one device row, stored as a plain array of column values
$values = $json.values
$DevicesEncryptionStatus = @()

foreach ($value in $values)
{
    # Map the positional values to named properties
    $row = new-object PSObject -Property @{
        DeviceId = $value[0];
        DeviceName = $value[1];
        DeviceType = $value[2];
        DeviceType_loc = $value[3];
        EncryptionReadinessState = $value[4];
        EncryptionReadinessState_loc = $value[5];
        EncryptionStatus = $value[6];
        EncryptionStatus_loc = $value[7];
        OSVersion = $value[8];
        TpmSpecificationVersion = $value[9];
        UPN = $value[10]
    }
    $DevicesEncryptionStatus += $row
}

Now I want to start using this data, so I removed the row "top = 50" from your $params variable. Then I ran Get-MgBetaDeviceManagementReportEncryptionReportForDevice, but I always get 50 results. I even changed it to "top = 100" and other values, but the results are always the same, always 50 results. Do you have any idea why this is?

 

Thanks

 

@dmarquesgn I have tried but I cannot get it to work. I would recommend a Microsoft support case for this one.

@tobiassandberg Thanks for trying. I'll open a case and let you know something here if I find out the solution for it.

@tobiassandberg Hi, after all it was not needed to open a case, as I figured it out. You have to increment the skip in order to move to the next page.

Here's my full code to get it working and now I've got all the devices just like I want.

 

$skip = 0
$DevicesEncryptionStatus = @()
do {
    # Request one page of 50 rows, starting at offset $skip
    $params = @{
        select = @(
            "DeviceId"
            "DeviceName"
            "DeviceType"
            "OSVersion"
            "TpmSpecificationVersion"
            "EncryptionReadinessState"
            "EncryptionStatus"
            "UPN"
        )
        filter = ""
        skip = $skip
        search = ""
        top = 50
    }

    Get-MgBetaDeviceManagementReportEncryptionReportForDevice -BodyParameter $params -OutFile "C:\Temp\Intune-Encryption.json"

    # Assume that $jsonFilePath contains the path to your JSON file
    $jsonFilePath = "C:\Temp\Intune-Encryption.json"
    # Read the JSON file and convert it to a PowerShell object
    $json = Get-Content -Path $jsonFilePath -Raw | ConvertFrom-Json
    $totalrows = $json.TotalRowCount
    $values = $json.values

    foreach ($value in $values)
    {
        # Map the positional values of each row to named properties
        $row = new-object PSObject -Property @{
            DeviceId = $value[0];
            DeviceName = $value[1];
            DeviceType = $value[2];
            DeviceType_loc = $value[3];
            EncryptionReadinessState = $value[4];
            EncryptionReadinessState_loc = $value[5];
            EncryptionStatus = $value[6];
            EncryptionStatus_loc = $value[7];
            OSVersion = $value[8];
            TpmSpecificationVersion = $value[9];
            UPN = $value[10]
        }
        $DevicesEncryptionStatus += $row
    }
    # Move to the next page
    $skip += 50
} while ($skip -lt $totalrows)   # -lt avoids one extra, empty request when the total is a multiple of 50

Hope it might help anyone in the future.
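
Added example (not part of any post in this thread): mapping report rows to objects by the column names the response carries, instead of by fixed index, so a changed select list cannot shift values into the wrong property, followed by a small BitLocker coverage summary. It assumes the exported JSON has a Schema array of { Column, PropertyType } entries next to Values and TotalRowCount; ConvertFrom-IntuneReportJson is a hypothetical helper name and the sample rows are constructed.

```powershell
# Added example, not code from the thread.
# Assumed report shape: { TotalRowCount, Schema: [ { Column, PropertyType } ], Values: [ [ ... ] ] }
function ConvertFrom-IntuneReportJson {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Json)

    $report = $Json | ConvertFrom-Json
    if (-not $report.Schema) { throw "Report has no Schema, cannot name the columns." }
    $columns = @($report.Schema | ForEach-Object { $_.Column })

    foreach ($row in $report.Values) {
        # A row that does not match the schema would put values under the wrong property name.
        if ($row.Count -ne $columns.Count) {
            throw "Row has $($row.Count) values but Schema lists $($columns.Count) columns."
        }
        $device = [ordered]@{}
        for ($i = 0; $i -lt $columns.Count; $i++) { $device[$columns[$i]] = $row[$i] }
        [pscustomobject]$device
    }
}

# Constructed sample data: device names and state strings are made up for illustration.
$sampleJson = @'
{
  "TotalRowCount": 3,
  "Schema": [
    { "Column": "DeviceName",                   "PropertyType": "String" },
    { "Column": "EncryptionReadinessState_loc", "PropertyType": "String" },
    { "Column": "EncryptionStatus_loc",         "PropertyType": "String" },
    { "Column": "TpmSpecificationVersion",      "PropertyType": "String" }
  ],
  "Values": [
    [ "PC-001", "Ready",     "Encrypted",     "2.0" ],
    [ "PC-002", "Ready",     "Not encrypted", "2.0" ],
    [ "PC-003", "Not ready", "Not encrypted", "1.2" ]
  ]
}
'@

$devices = @(ConvertFrom-IntuneReportJson -Json $sampleJson)

# Coverage summary: device count per encryption status / readiness combination.
$devices | Group-Object EncryptionStatus_loc, EncryptionReadinessState_loc |
    Select-Object Count, Name | Sort-Object Count -Descending

# Devices that still need attention, with the TPM version next to the readiness state.
$devices | Where-Object { $_.EncryptionStatus_loc -ne 'Encrypted' } |
    Sort-Object DeviceName |
    Select-Object DeviceName, EncryptionReadinessState_loc, TpmSpecificationVersion
```

Inside the paging loop from the last post, the same function can be fed `Get-Content -Path $jsonFilePath -Raw` for each page.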