Getting local Azure AD / Intune device compliance state with a PowerShell Oneliner
The Graph API and the Intune portal(s) give insight into device compliance status, but what about a local equivalent? How can we detect locally, e.g. from a script running on a Windows 10 laptop, whether the device is compliant or not?
I couldn’t find any documentation, WMI properties or registry keys, but I did find that the Company Portal shows the compliance status and caches it in a file. So, although it isn’t pretty, I’ve settled for this method for now and created a UserVoice item requesting a local W10 API/regkey/WMI property to query the Intune compliance status of the device.
# Newest *.tmp* file in the Company Portal application cache holds the last compliance check as JSON;
# its "data" property is itself a JSON string that carries ComplianceState. -Raw keeps the file as one string.
((Get-Content -Raw -Path (Get-ChildItem -Path (Join-Path $env:LOCALAPPDATA `
-ChildPath "Packages\Microsoft.CompanyPortal_8wekyb3d8bbwe\TempState\ApplicationCache") `
-Include *.tmp* -File -Recurse | Sort-Object -Descending -Property LastWriteTime | Select-Object -First 1) `
| ConvertFrom-Json).data | ConvertFrom-Json).ComplianceState
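The one-liner assumes the cache directory exists and that the newest file parses cleanly. The function below is an added example (not code from the post) that wraps the same lookup and also handles the two cases a script will hit in practice: no Company Portal cache at all (app not installed, or the user never signed in) and a newest file that is not yet valid JSON. It assumes the file layout the one-liner reads (an outer JSON object whose "data" property is a JSON string containing ComplianceState); the 24-hour staleness threshold is an assumption. Two caveats worth keeping in mind: the value is only as fresh as the last time the Company Portal checked in, and because it lives under the user’s own LOCALAPPDATA it is writable by that user, so treat it as a hint for scripts, not as something to enforce access on.

```powershell
# Added example, not the post's own code. Reads the Company Portal cache the one-liner uses,
# but handles a missing cache, skips unparsable entries and reports how old the result is.
function Get-LocalIntuneComplianceState {
    [CmdletBinding()]
    param(
        # Results older than this are flagged as stale (threshold is an assumption, tune to taste)
        [int]$MaxAgeHours = 24
    )

    $cacheDir = Join-Path $env:LOCALAPPDATA `
        'Packages\Microsoft.CompanyPortal_8wekyb3d8bbwe\TempState\ApplicationCache'

    if (-not (Test-Path -LiteralPath $cacheDir)) {
        # Company Portal not installed, or the user never signed in to it: nothing cached to read
        Write-Warning "Company Portal cache not found at $cacheDir"
        return $null
    }

    # Newest file first; fall through to older ones if the newest is not (yet) valid JSON
    $files = Get-ChildItem -Path $cacheDir -Include '*.tmp*' -File -Recurse |
        Sort-Object -Property LastWriteTime -Descending

    foreach ($file in $files) {
        try {
            # Outer document, then the nested JSON string in its "data" property
            $outer = Get-Content -LiteralPath $file.FullName -Raw | ConvertFrom-Json
            if ($null -eq $outer.data) { continue }
            $inner = $outer.data | ConvertFrom-Json
            if ($null -eq $inner.ComplianceState) { continue }

            $age = (Get-Date) - $file.LastWriteTime
            return [pscustomobject]@{
                ComplianceState = $inner.ComplianceState
                CachedAt        = $file.LastWriteTime
                AgeHours        = [math]::Round($age.TotalHours, 1)
                IsStale         = $age.TotalHours -gt $MaxAgeHours
                Source          = $file.FullName
            }
        } catch {
            # Partially written or unrelated cache entry; try the next one
            continue
        }
    }

    Write-Warning 'No cache entry with a ComplianceState found'
    return $null
}

# Usage: branch on the state, but treat a missing or stale result as "unknown" rather than compliant
$state = Get-LocalIntuneComplianceState
if ($null -eq $state -or $state.IsStale) {
    Write-Output 'Compliance state unknown (no cache, or cache is stale)'
} else {
    Write-Output "Device compliance state: $($state.ComplianceState) (cached $($state.AgeHours)h ago)"
}
```

Returning an object with the cache timestamp rather than just the string lets the calling script decide for itself how old a result it is willing to act on.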
The good old Group Policy “Computer Configuration\Policies\Administrative Templates\System\User Profiles\Delete user profiles older than a specified number of days on system restart” isn’t available in Intune yet. If you use shared devices in your environment, you can use the script below to set the number of days after which an inactive user profile is cleaned up on Windows 10 devices managed through MDM / Intune. It has to run under the SYSTEM context, or it won’t be allowed to write the policy key under HKLM.
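As an added example (not the post’s own script), this is how such a script can set the policy value and, because Intune runs device scripts as SYSTEM unless “Run this script using the logged on credentials” is enabled, refuse to continue when it is not running as SYSTEM instead of failing halfway with an access-denied error. The key and value name are the ones UserProfiles.admx defines for this policy (HKLM\SOFTWARE\Policies\Microsoft\Windows\System, DWORD CleanupProfiles); the 30-day default is an assumption for the example.

```powershell
# Added example, not the post's own script. Writes the registry value behind
# "Delete user profiles older than a specified number of days on system restart"
# (key/value as defined in UserProfiles.admx), after checking it runs as SYSTEM.
param(
    # Days of inactivity before a profile is removed at restart; 30 is an assumption
    [int]$Days = 30
)

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.IsSystem) {
    # A standard user cannot write under HKLM\SOFTWARE\Policies; fail early and visibly
    throw "Must run as SYSTEM, currently running as $($identity.Name)"
}

if ($Days -lt 1) { throw 'Days must be a positive number' }

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$valueName = 'CleanupProfiles'

if (-not (Test-Path -LiteralPath $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# DWORD: number of days of inactivity after which a profile is removed on system restart
Set-ItemProperty -LiteralPath $policyKey -Name $valueName -Value $Days -Type DWord

# Verify the write instead of assuming it worked; Intune keeps the script output for troubleshooting
$applied = (Get-ItemProperty -LiteralPath $policyKey -Name $valueName).$valueName
if ($applied -ne $Days) {
    throw "Expected $valueName=$Days, found $applied"
}
Write-Output "$valueName set to $Days days (takes effect at the next restart)"
```

Keep the script assigned to the device (not the user) so it runs in the SYSTEM context, and note that the cleanup itself only happens at a restart, so the value you set is not visible in profile removal until the device reboots.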
Intune does not have a native solution for logon scripts. The community has designed some interesting solutions to this problem using the Intune Management Extension, such as Nicola’s Azure storage based method, Michael Mardahl’s IME reset method and my own hidden VBScript scheduled task method.
The problem with all of these solutions is that they rely on scheduled tasks. This is not the most reliable method, as the user can easily influence a task, and it usually does not support uninstalling or unassigning the script unless you write a specific removal script for that, assign it to the user, and so on.
This solution can run at logon, at set intervals, or both, and supports ANY script you write in Intune.
invoke-asIntuneLogonScript on Git
Upload it to Intune as usual, set the properties as follows, and assign it to your users:
Edit: it doesn’t happen often that people create the same thing on the same day, but Michael wrote almost exactly the same thing, so he’s not using scheduled tasks anymore either 🙂
Version 3.09 of OneDriveMapper has been released!
Just a minor fix to address a change in the post-login redirect by Microsoft.
Get the new version