PS Oneliner to get local device compliance state

Getting local Azure AD / Intune device compliance state with a PowerShell Oneliner

The Graph API and Intune portal(s) give insight into device compliance status, but what about a local equivalent? How can we locally detect from e.g. a script on a Windows 10 laptop if the device is compliant or not?

I couldn’t find any documentation, WMI properties or registry keys, but I did find that the Company Portal shows the compliance status and caches this in a file. So, although it isn’t pretty, I’ve settled for this method for now and created a UserVoice item requesting a local W10 API/regkey/WMI property to query Intune compliance status of the device.

((get-content -Path (Get-Childitem –Path (Join-Path $env:LOCALAPPDATA `
-ChildPath "Packages\Microsoft.CompanyPortal_8wekyb3d8bbwe\TempState\ApplicationCache") `
-Include *.tmp* -File -Recurse | sort-object -Descending -Property lastWritetime)[0] | convertfrom-json).data | convertfrom-json).ComplianceState

Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Voted
Newest Oldest
Inline Feedbacks
View all comments
4 months ago

Hi! Building a remediation script that helps users getting their devices compliant after enrollment, and needed a way of checking that the device is not compliant (locally). I’ve searched and searched, and yet I only find this 3 year old post, nothing new seems to have come from Microsoft. Your solution works, most of the time, but I do have a few issues: Like the other comment from Sjors, I also have multiple temp files in my folder, and they all write different things. Some contain the json with the information we’re after, but some contain just seemingly random numbers.… Read more »

3 years ago

Hi Jos! Thanks for this message. Are you sure this script is working correctly? When I run it locally, it mentions my device is non-compliant, but when checking the company portal and intune portal, my device is compliant. In reality, the device is fully compliant with the policies that I set, but this script mentions otherwise :/