It appears to be an accepted norm that credentials are passed in a parameter named Credential (of type PSCredential) Examples off the top of my head: ActiveDirectory Module, Web cmdlets, New-PSDrive, MSOnline, AzureAD.

A proposed "fix" would be to change the parameter to be named Credential, and add an alias for PSCredential to ensure backwards compatibility with any existing code using PSCredential

The powershell script that I developed will add iOS Apps that I want and assigned security group using either required or Available for enrolled device.

I performed a test iPhone enrollment and noticed that the iOS App that is configured as required didn't download. I also notice that the Logo for iOS Apps were missing.

For verification, I removed one of the iOS Apps and manually re-add with same configuration (required). The required App started to download and installed.

I am using below code to add iOS Outlook app and assigned security group as required.
`#Outlook App (required)
$msOutlookApp = New-DeviceAppManagement_MobileApps -iosStoreApp -displayName 'Microsoft Outlook' -publisher 'Microsoft Corporation' -bundleId 'com.microsoft.Office.Outlook' -appStoreUrl ' https://itunes.apple.com/us/app/microsoft-outlook/id951937596?mt=8&uo=4' -applicableDeviceType (New-IosDeviceTypeObject -iPad $true -iPhoneAndIPod $true) -minimumSupportedOperatingSystem (New-IosMinimumOperatingSystemObject -v8_0 $true)

$mAppId = $msOutlookApp | ForEach-Object {
$_.id
}
Invoke-DeviceAppManagement_MobileApps_Assign -mobileAppId $mAppId -mobileAppAssignments $grpReqIds`

I believe that the issue may tie into how Intune register with App store on the backend that my script didn't do.

Any advice is appreciated.

Thanks

Danny

Hello. Running this cmdlet Get-IntuneTroubleshootingEvent created the following error message:

Intune-PowerShell-SDK\6.1902.00745.0001-release-97194499-netstandard2.0\drop\outputs\build\Release\netstandard2.0> Get-IntuneTroubleshootingEvent
Get-IntuneTroubleshootingEvent : 503 Service Unavailable
{
  "error": {
    "code": "CancelledOnServiceTimeout",
    "message": "{\r\n  \"_version\": 3,\r\n  \"Message\": \"ScenarioTimeout=15000ms, RequestTimeout=15000ms,Elaspsed=28387ms, CancelOnTimeout for #6374, Elapsed=28374ms,Timeout=15000ms,Checkpoint=EndExecuteAction - Operation ID (for customer support):
00000000-0000-0000-0000-000000000000 - Activity ID: 48dcc2a9-3982-4a52-851f-43fe0b58c237 - Url: https://fef.msua04.manage.microsoft.com/StatelessCustomerDataMTService/deviceManagement/troubleshootingEvents?api-version=2017-11-14 - CustomApiErrorPhrase:
CancelOnTimeout4EndExecuteAction\",\r\n  \"CustomApiErrorPhrase\": \"CancelOnTimeout4EndExecuteAction\",\r\n  \"RetryAfter\": null,\r\n  \"ErrorSourceService\": \"StatelessCustomerDataMTService\",\r\n  \"HttpHeaders\": \"{}\"\r\n}",
    "innerError": {
      "request-id": "48dcc2a9-3982-4a52-851f-43fe0b58c237",
      "date": "2019-01-25T16:35:32"
    }
  }
}
At line:1 char:1
+ Get-IntuneTroubleshootingEvent
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ConnectionError: (@{Request=; Response=}:PSObject) [Get-IntuneTroubleshootingEvent], HttpRequestException
    + FullyQualifiedErrorId : PowerShellGraphSDK_HttpRequestError,Microsoft.Intune.PowerShellGraphSDK.PowerShellCmdlets.Get_IntuneTroubleshootingEvent

It looks like a service issue, however, does this work for others using this module?

Able to get 384 (less than one default page size) of device configurations back when I hit the following API:
https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations

Unable to get any results back using just the cmdlet: Get-DeviceManagement_DeviceConfigurations.

One of the parameters for Invoke-IntuneManagedDeviceWipeDevice is not applicable to Android or Win devices but still requires a macOsUnlockCode.

See ManagedDevices.cs
[Parameter(Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = @"The "macOsUnlockCode" action parameter of type "Edm.String".")]
public System.String macOsUnlockCode { get; set; }

Is there a technical reason for only accepting a PSCredential object within Windows PowerShell? As pwsh is able to use PSCredential objects, it would stand to reason this should be used there too...

According to this page: https://docs.microsoft.com/en-us/graph/auth-cloudsolutionprovider a CSP should have access to Intune data for tenants. As far as I can see, there is no way to do this with this SDK, e.g. using a -TenantId

I'm attempting to update some wonky compliance policies that should be coming up compliant on our devices and setting them manually to Compliant via this command.

Using this: Update-IntuneManagedDeviceDeviceCompliancePolicyState -managedDeviceId 9f475a3a-147c-4386-8528-8fe5afa3d659 -deviceCompliancePolicyStateId 4f47066a-d2c8-40e3-8a8e-4f1a54ed5d10

Update-IntuneManagedDeviceDeviceCompliancePolicyState : 400 Bad Request
{
  "error": {
    "code": "No method match route template",
    "message": "No OData route exists that match template ~/singleton/navigation/key/navigation/key with http verb PATCH for request 
/StatelessDeviceConfigurationFEService/deviceManagement/managedDevices('9f475a3a-147c-4386-8528-8fe5afa3d659')/deviceCompliancePolicyStates('4f47066a-d2c8-40e3-8a8e-4f1a54ed5d10').",
    "innerError": {
      "request-id": "148ae4b2-2654-4f9d-b3bf-71df46245b62",
      "date": "2019-02-01T18:30:23"
    }
  }
}
At line:7 char:1
+ Update-IntuneManagedDeviceDeviceCompliancePolicyState -managedDeviceI ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ConnectionError: (@{Request=; Response=}:PSObject) [Update-IntuneMa...ancePolicyState], HttpRequestException
    + FullyQualifiedErrorId : PowerShellGraphSDK_HttpRequestError,Microsoft.Intune.PowerShellGraphSDK.PowerShellCmdlets.Update_IntuneManagedDeviceDeviceCompliancePolicyState

Any ideas?

edit: Seems to happen on the Get function as well. Only happens when I include the deviceCompliancePolicyStateId.

Hi,

I'm trying to update an OMA custom profile (local groups) via the SDK using Update-IntuneDeviceConfigurationPolicy. I've used New-DeviceConfigurationObject to create a copy of an existing policy:

$DConfigObject = New-DeviceConfigurationObject -displayName "Windows - Device - Development local groups" -omaSettings $devgroup.omaSettings -windows10CustomConfiguration

($devgroup is the result of Get-IntuneDeviceConfigurationPolicy for the same policy)

I then call Update-IntuneDeviceConfigurationPolicy:

Update-IntuneDeviceConfigurationPolicy -deviceConfigurationId aa160f87-a9c5-478e-9bf5-c0f1956993f4 -windows10CustomConfiguration -omaSettings $DConfigObject

I get this failure back:

Update-IntuneDeviceConfigurationPolicy : 400 Bad Request
{
"error": {
"code": "ModelValidationFailure",
"message": "Incompatible type kinds were found. The type 'microsoft.management.services.api.windows10CustomConfiguration' was found to be of kind 'Entity' instead of the expected kind 'Complex'.",
"innerError": {
"message": "Incompatible type kinds were found. The type 'microsoft.management.services.api.windows10CustomConfiguration' was found to be of kind 'Entity' instead of the expected kind 'Complex'.",
"request-id": "2bcfacf4-4880-45b9-8a43-8490cf3162d8",
"date": "2019-05-24T12:16:20"
}
}
}

Rather struggling with where to go next with this, any suggestions / worked examples would be much appreciated!

Rob

Hi guys,

Not sure if this is right place to complain about below, but still..
In graph 1.0 there is missing possibility to get\post to deviceManagement/deviceManagementScripts - no cmdlets and "400 Bad Request" for 'deviceManagementScripts' via Invoke-MSGraphRequest which is expected in this case..
Browser debug:

v1:

Beta:

After switching to beta, I can get\post via http call\Invoke-MSGraphRequest, but this is no bueno. :(
Maybe this resource is called differently in v1.0 or...
Please advise ?

Thanks.
/Maksim

I am trying to run the New-DeviceAppManagement_MobileApps to add Android Applications.
I have had it working with the following command:

New-DeviceAppManagement_MobileApps -androidStoreApp -displayName $Application.Name -appStoreUrl $application.URL -publisher $application.Publisher `
            -Description $application.Description -minimumSupportedOperatingSystem $androidVersion

But when I try to add an icon, I keep getting a 400 ERROR code back.
I tried to create the same application using the GRAPH API with the icon, and that works

I noticed the icon parameter requires a MimeContent Object
So first I created one.
The Value of the Mimecontent should be a byte, that is why I ran this code:

$encoding = [system.Text.Encoding]::UTF8
 $iconResponse = Invoke-WebRequest $application.Icon
 $iconExt = ([System.IO.Path]::GetExtension("$application.Icon")).replace(".","")
 $iconType = "image/$iconExt"
 $data = $encoding.GetBytes($iconResponse.Content) 

If I then run the following, it creates the object
$icon = New-MimeContentObject -type $iconType -value $data

But using that object in the New-DeviceAppManagement_MobileApps function gives a 404 error
400 Bad Request { "error": { "code": "BadRequest", "message": "{\r\n \"_version\": 3,\r\n \"Message\": \"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: bcded7cb-75bc-4658-bc16-f333fd06f6c7 - Url: https://fef.amsub0102.manage.microsoft.com/StatelessAppMetadataFEService/deviceAppManagement/mobileApps?api-version=2018-03-22\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}", "innerError": { "request-id": "bcded7cb-75bc-4658-bc16-f333fd06f6c7", "date": "2018-10-15T19:08:08" } } }

This is the command I use:
New-DeviceAppManagement_MobileApps -androidStoreApp -displayName $Application.Name -appStoreUrl $application.URL -publisher $application.Publisher
-Description $application.Description -minimumSupportedOperatingSystem $androidVersion -largeIcon $icon`

I also tried:
New-DeviceAppManagement_MobileApps -androidStoreApp -displayName $Application.Name -appStoreUrl $application.URL -publisher $application.Publisher
-Description $application.Description -minimumSupportedOperatingSystem $androidVersion -largeIcon (New-MimeContentObject -type $iconType -value $data)`
But that doesn't work aswell.
Running the same code without the largeicon URL fixes the problem

Is it possible to create (and upload) Win10 apps using the module? Uploading is the problem, and the example given is only for iOS apps.

Hi guys,

Intune-PS is not returning Office Suite Apps.
Example:

$graphApiVersion = "Beta"
$Resource = "deviceAppManagement/mobileApps"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
(Invoke-RestMethod -Uri $uri –Headers $authToken –Method Get).Value | ? { (!($_.'@odata.type').Contains("managed")) } | select "@odata.type"

@odata.type
-----------
#microsoft.graph.windowsMobileMSI
#microsoft.graph.windowsMobileMSI
#microsoft.graph.windowsMobileMSI
#microsoft.graph.officeSuiteApp
#microsoft.graph.windowsMobileMSI

Calling with PS module:

Get-DeviceAppManagement_MobileApps | ? { (!($_.'@odata.type').Contains("managed")) } | s
elect "@odata.type"

@odata.type
-----------
#microsoft.graph.windowsMobileMSI
#microsoft.graph.windowsMobileMSI
#microsoft.graph.windowsMobileMSI
#microsoft.graph.windowsMobileMSI

However calling with precise AppID, it returns app as it should:

Get-DeviceAppManagement_MobileApps -mobileAppId '67248be8-2f1a-4992-bdea-7cd205174687'

@odata.context        : https://graph.microsoft.com/v1.0/$metadata#deviceAppManagement/mobileApps/$entity
id                    : 67248be8-2f1a-4992-bdea-7cd205174687
displayName           : Office 365 ProPlus
description           : 
publisher             : Microsoft
createdDateTime       : 8/9/2018 12:24:15 PM
lastModifiedDateTime  : 8/9/2018 12:24:15 PM
isFeatured            : False
privacyInformationUrl :
informationUrl        :
owner                 : Microsoft
developer             : Microsoft
notes                 :
publishingState       : published
largeIcon             : @{type=image/png; value=iVBORw0KGgoAAAANSUhEUgAAAF0AAAAeCAMAAAEOZNKlAAAAAXNSR0IArs4c6QAAAARnQU1
                        BAACxjwv8YQUAAAJhUExURf////7z7/i9qfF1S/KCW/i+qv3q5P/9/PrQwfOMae1RG+s8AOxGDfBtQPWhhPvUx/759/zg1v
                        Wgg+9fLu5WIvKFX/rSxP728/nCr/FyR+tBBvOMaO1UH+1RHOs+AvSScP3u6f/+/v3s5vzg1+xFDO9kNPOOa/i7pvzj2/vWy
                        es9Af76+Pzh2PrTxf/6+ 
etc...

Also multiple properties are missing when calling directly via AppID-
Native APIs:

InPS:

Thanks

/Maksim

PS C:\scripts\net471> import-module .\Microsoft.Graph.Intune.psd1
import-module : Could not load file or assembly 'file:///C:\scripts\net471\Microsoft.Intune.PowerShellGraphSDK.dll' or one of its
dependencies. Operation is not supported. (Exception from HRESULT: 0x80131515)
At line:1 char:1

• import-module .\Microsoft.Graph.Intune.psd1

•   + CategoryInfo          : NotSpecified: (:) [Import-Module], FileLoadException
    + FullyQualifiedErrorId : System.IO.FileLoadException,Microsoft.PowerShell.Commands.ImportModuleCommand
  
  

The extract seems fine and the file is present... I'm trying to setup the module here for the first time.

Kevin

Hello Guys,

Is anyone else facing too much timeout errors in MS Graph API?

below follow code I am using, do you know if there is any way to avoid it? or is this an endpoint issue?

$URL = "deviceManagement/importedDeviceIdentities"
$ImportedIdentifier = Invoke-MSGraphRequest -HttpMethod GET -Url $URL -Verbose | Get-MSGraphAllPages

Why, is that possible to have more information on how to upload the files (.msi and .intunewin) via this module if supported?? we're trying to automate all creation and deployment via graph API but its hard to find documentation around it.

Trying to create a test iOS App protection policy using New-DeviceAppManagement_IosManagedAppProtections but keep on receiving Bad Request 400 after connecting to MSGraph. I am using a demo tenant for this testing.

I use the below command and its parameters:
New-DeviceAppManagement_IosManagedAppProtections -ODataType microsoft.graph.iosManagedAppProtection -displayName TestIosAppPolicy -periodOfflineBeforeAccessCheck 00:12:00 -periodOnlineBeforeAccessCheck 00:00:30 -allowedInboundDataTransferSources allApps -allowedOutboundDataTransferDestinations managedApps -organizationalCredentialsRequired $false -allowedOutboundClipboardSharingLevel managedAppsWithPasteIn -dataBackupBlocked $true -deviceComplianceRequired $true -managedBrowserToOpenLinksRequired $true -saveAsBlocked $true -periodOfflineBeforeWipeIsEnforced 90:00:00 -pinRequired $true -maximumPinRetries 5 -simplePinBlocked $false -minimumPinLength 4 -pinCharacterSet alphanumericAndSymbol -periodBeforePinReset 00:00:00 -allowedDataStorageLocations oneDriveForBusiness,sharePoint,localStorage -contactSyncBlocked $false -printBlocked $true -fingerprintBlocked $false -disableAppPinIfDevicePinIsSet $false -appDataEncryptionType whenDeviceLocked -faceIdBlocked $false

Not sure what I am missing. Appreciate your help with this.

Thanks
Danny

Hey,

i tried to use this module on macOS and successfully imported module, connected to Graph, but after it's failing with following error:

 PS /Users/vanyuale> Get-DeviceAppManagement_MobileApps
Get-DeviceAppManagement_MobileApps : Could not load file or assembly 'Newtonsoft.Json, Version=11.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed'. Could not find or load a specific
file. (Exception from HRESULT: 0x80131621)
At line:1 char:1
+ Get-DeviceAppManagement_MobileApps
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-DeviceAppManagement_MobileApps], FileLoadException
    + FullyQualifiedErrorId : System.IO.FileLoadException,Microsoft.Intune.PowerShellGraphSDK.PowerShellCmdlets.Get_DeviceAppManagement_MobileApps

I tried to install package (Install-Package Newtonsoft.Json), but that didn't help. Is there anything i'm missing or that is not suppose to work.

Thank you.

Hello-hello,

Using API operatingSystemLanguage is under hardware information property:

$Resource = "deviceManagement/manageddevices('"+$id+"')?`$select=hardwareInformation"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
(Invoke-RestMethod -Uri $uri –Headers $authToken –Method get).hardwareinformation

serialNumber                                                   : 6242-1968-7072-4957-4783-9852-85
totalStorageSpace                                              : 53684994048
freeStorageSpace                                               : 9166786560
imei                                                           :
meid                                                           :
manufacturer                                                   : Microsoft Corporation
model                                                          : Virtual Machine
phoneNumber                                                    :
subscriberCarrier                                              :
cellularTechnology                                             :
wifiMac                                                        :
operatingSystemLanguage                                        : en-US
isSupervised                                                   : False
isEncrypted                                                    : False
isSharedDevice                                                 : False
tpmSpecificationVersion                                        :
operatingSystemEdition                                         : 4
deviceFullQualifiedDomainName                                  :
deviceGuardVirtualizationBasedSecurityHardwareRequirementState : meetHardwareRequirements
deviceGuardVirtualizationBasedSecurityState                    : notConfigured
deviceGuardLocalSystemAuthorityCredentialGuardState            : virtualizationBasedSecurityNotRunning
sharedDeviceCachedUsers                                        : {}

Using InPS there is no hardwareInformation property to select or operatingSystemLanguage property itself:

Thanks.
/Maksim

Hello. README.md references extract the "netstandard2.0" folder as a step however that folder is noted as being missing in the current Preview 3 release. Possible to update the README.md to reflect this reality?

Steps to reproduce

(Note: exact same results with up-to-date pwsh-preview.)

09:52:41 evil@P950ER ~/Downloads» pwsh
PowerShell 6.2.2
Copyright (c) Microsoft Corporation. All rights reserved.

https://aka.ms/pscore6-docs
Type 'help' to get help.

PS /data/Downloads> install-module Microsoft.Graph.Intune
PS /data/Downloads> Import-Module Microsoft.Graph.Intune
PS /data/Downloads> Connect-MSGraph

Expected behavior

I expected to be prompted for credentials and connect to the graph API.

Actual behavior

Connect-MSGraph : Could not load type 'System.Security.Cryptography.SHA256Cng' from assembly 'System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.
At line:1 char:1
+ Connect-MSGraph
+ ~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [Connect-MSGraph], TypeLoadException
+ FullyQualifiedErrorId : System.TypeLoadException,Microsoft.Intune.PowerShellGraphSDK.PowerShellCmdlets.Connect

Environment data

----                           -----
PSVersion                      6.2.2
PSEdition                      Core
GitCommitId                    6.2.2
OS                             Linux 5.2.0-8-generic #9-Ubuntu SMP Mon Jul 8 13:07:27 UTC 2019
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

This was tested with core 6 as well as the current pwsh-preview (PowerShell 7) github build from source (as of 8/6/2019) as well as current pwsh & pwsh-preview snaps on Ubuntu 18.04 and Ubuntu 19.10 (Eoan Ermine). See https://github.com/PowerShell/PowerShell/issues/10291.

I also reported this bug in the PowerShellModuleCoverage repo, PowerShell/PowerShellModuleCoverage#9 (comment), but they closed it and suggested I open it here. I'm not sure if it's because SHA256Cng is deprecated or if there's other reasoning.

All VPN profiles are not retrieved with Get-IntuneDeviceConfigurationPolicy

I am getting following error running cmdlet under GA account - Remove-DeviceAppManagement_MobileApps. In Intune Portal (portal.azure.com) i can remove app without any issues.

Remove-DeviceAppManagement_MobileApps : 403 Forbidden
{
"error": {
"code": "Forbidden",
"message": "{\r\n "_version": 3,\r\n "Message": "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID:
15b23f11-1eef-4818-9589-ef69e3d5cfed - Url:
https://.manage.microsoft.com/StatelessAppMetadataFEService/deviceAppManagement/mobileApps%28%27eedc0aeb-ec3f-4d32-aa7e-7036265c2007%27%29?api-version=2018-03-22",\r\n
"CustomApiErrorPhrase": "",\r\n "RetryAfter": null,\r\n "ErrorSourceService": "",\r\n "HttpHeaders": "{}"\r\n}",
"innerError": {
"request-id": "15b23f11-1eef-4818-9589-ef69e3d5cfed",
"date": "2018-12-04T12:15:17"
}
}
}
At line:1 char:1

• Remove-DeviceAppManagement_MobileApps -mobileAppId "eedc0aeb-ec3f-4d3 ...

•   + CategoryInfo          : ConnectionError: (@{Request=; Response=}:PSObject) [Remove-DeviceAppManagement_MobileApps], HttpRequestException
    + FullyQualifiedErrorId : PowerShellGraphSDK_HttpRequestError,Microsoft.Intune.PowerShellGraphSDK.PowerShellCmdlets.Remove_DeviceAppManagement_MobileApps
  

I was trying to use Get-IntuneManagedDevice to get the activationLockBypassCode for a number of devices, but it was consistently leaving this property blank or empty on all devices, including ones I specifically checked via portal.azure.com, to ensure that this property wasn't actually blank.

I ended up chasing this issue a bit on my own, and it seems that it might be a problem with the Graph API itself, as this same value is also blank for all device objects when doing a direct call to the API such as

$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get

I did end up making a successful call for this information, eventually, by using a query in my URI, but this only worked when requesting information for one device. In other words this does successfully return this string:

$uriNew = "$uri/00000000-0000-0000-0000-000000000000?`$select=activationLockBypassCode"
Invoke-RestMethod -Uri $uriNew -Headers $authToken -Method Get

But this does not work for getting the activationLockBypassCode:

$uriNew = "$uri`?`$select=activationLockBypassCode"
Invoke-RestMethod -Uri $uriNew -Headers $authToken -Method Get

Perhaps, until this underlying issue is resolved in Graph, it might be a good idea to patch the SDK to retrieve this data separately and fill it in on these objects?

Hello the cmdlet Get-IntuneManagedDevice do not bing all device data, userPrincipalName and EmailAddress properties come blank, but on intune console this information exist.

is that the expected behavior?

below follow the command line
Get-IntuneManagedDevice -managedDeviceId "850c085b-deb0-46f8-a9c3-ac05f8f9bc26"

This is the only module I've ever seen where the "parent" module has puctuations (".") in the main name. This is confusing, and breaks the naming standard used by most (all?) other modules, also from Microsoft.

• Why is that? Is there a good reason?
• Any hope of a name change to comply with probably 99% of the other modules available from PowerShellGallery?

Running the command:
Get-IntuneManagedDevice -Filter "userPrincipalName eq '[email protected]'"

Retrieves non-exact matches, i.e., it will return devices for these UPN's:

[email protected]
[email protected]
[email protected]
[email protected]

This looks like it's finding all matches of a pattern rather than exact matching (i.e., what you expect "equals" to mean).

Hello,

I am trying to use this module in a Azure automation account with a runbook to automate some daily tasks, but the same fails to import, i have a premier support tickets openned, but for now i had no lucky, do you know if this should works there? if not the reason why it is not compatible?

Also if fails to work the only possible solution is using the intune powershell samples? that are basically REST API calls?

Thank you

Querying ICCID data is not available via Get-IntuneManagedDevice for SIM card auditing.

Firstly let me say I know it is not a field reported in Graph Explorer or something that is configured to be queried against in Intune GUI. But since the data is there I do not see why we should not be able to access it (which kind of makes it more of a "wish" rather than an "issue").

Secondly, why is the ICCID important? The switch -phoneNumber for Get-IntuneManagedDevice is the closest in functionality but nowadays the providers do not program the MSIN in the SIM card due to the portability of the numbers and phone number assignment on activation rather than pre-assigning phone numbers (business customers). Modern phones also lack the capability to write to the SIM card, to configure own number. With the lack of reported phone number, the ICCID is the only other SIM card identifier available.

In the documentation ManagedDevices un the Method "Update_DeviceManagement_ManagedDevices" it has System.Object deviceCategory as a parameter. As this is the only reference I could find that might be able to assign a Device category to a device.
I'm getting an error when trying to update this field for a device Using this command:
Update-DeviceManagement_ManagedDevices -managedDeviceId $id -deviceCategory $category

I also notice that deviceCategory wasn't specified in the Microsoft Graph REST API V1.0 or Beta documentation for Update managedDevice

Am I just missing something for the method call or it this a bug?

Thanks,

Johnathan

Output below. I can retrieve other settings without issue.

Get-DeviceManagement_ConditionalAccessSettings
Get-DeviceManagement_ConditionalAccessSettings : 400 Bad Request
{
"error": {
"code": "BadRequest",
"message": "{\r\n "_version": 3,\r\n "Message": "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 9c3f35ca-e255-4a1e-aa55-6b33f64af339 - Url:
https://fef.msua05.manage.microsoft.com/StatelessOnboardingService/deviceManagement/conditionalAccessSettings?api-version=2018-01-11\",\r\n "CustomApiErrorPhrase": "",\r\n "RetryAfter": null,\r\n "ErrorSourceService": "",\r\n
"HttpHeaders": "{}"\r\n}",
"innerError": {
"request-id": "**************************",
"date": "2018-10-23T14:11:16"
}
}
}
At line:1 char:1

• Get-DeviceManagement_ConditionalAccessSettings

•   + CategoryInfo          : ConnectionError: (@{Request=; Response=}:PSObject) [Get-DeviceManag...lAccessSettings], HttpRequestException
    + FullyQualifiedErrorId : PowerShellGraphSDK_HttpRequestError,Microsoft.Intune.PowerShellGraphSDK.PowerShellCmdlets.Get_DeviceManagement_ConditionalAccessSettings
  

Hey,

Its my understanding that Content will accept, Hash, Object, or a String.

The command i am using is:
Invoke-MSGraphRequest -Url $URL -HttpMethod PATCH -Content $IOSF -Debug -Verbose

If i pass a HASH i get this(Not Complete)
{"contentFilterSettings":{"CliXml":"<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04\">\r\n <Obj RefId="0">\r\n <TN RefId="0">\r\n
System.Management.Automation.PSCustomObject\r\n

If I pass an object, the body is empty
$IOSF = $IOSF | ConvertTo-Json | ConvertFrom-Json ##Convert hash to object

If i pass a string(Not Complete)
$IOSF = $IOSF | ConvertTo-Json
"{\r\n "contentFilterSettings": {\r\n "@odata.type": "#microsoft.graph.iosWebContentFilterAutoFilter",\r\n
"allowedUrls": [\r\n\r\n ],\r\n "blockedUrls": [\r\n
"https://facebook.com",\r\n "http://facebook.com",\r\n
"https://instagram.com",\r\n "http://instagram.com",\r\n
"https://mail.google.com",\r\n "http://mail.google.com",\r\n
"https://twitter.com",\r\n

How i was able to get it to work
$($($IOSF | ConvertTo-Json) -replace "rn","" -replace " ","")

PS Version: 5.1.17763.503
Module Version: 6.1902.1.10

defenderUntrustedUSBProcessType and defenderUntrustedUSBProcess aren't settable even though they are available in Get-IntuneDeviceConfigurationPolicy

 Get-IntuneDeviceConfigurationPolicy -deviceConfigurationId XXXXX
@odata.context                                                               : https://graph.microsoft.com/beta/$metadata#devic
                                                                               eManagement/deviceConfigurations/$entity
@odata.type                                                                  : #microsoft.graph.windows10EndpointProtectionConf
                                                                               iguration
..
defenderUntrustedUSBProcessType                                              : userDefined
defenderUntrustedUSBProcess                                                  : userDefined
...

$AuditUSBProcesses = New-IntuneDeviceConfigurationPolicy `
    -windows10EndpointProtectionConfiguration `
    -displayName "Audit untrusted USB processes" `
    -description "Use Windows Defender ASR to audit untrusted USB processes" `
    -defenderUntrustedUSBProcessType auditMode `
    -defenderUntrustedUSBProcess auditMode
New-IntuneDeviceConfigurationPolicy : A parameter cannot be found that matches parameter name 
'defenderUntrustedUSBProcessType'.
At line:5 char:5

I'm trying to use the New-IntuneDeviceConfigurationPolicy. It works for most settings with the exception of defenderScheduledScanTime, defenderScheduledQuickScanTime where I get the following error:

What format do I need to enter the time in? I've tried quite a few and have been unsuccessful.

The format that produced that error was:
$hash = @{
windows10GeneralConfiguration = $true
passwordPreviousPasswordBlockCount = 10
defenderSystemScanSchedule = "sunday"
defenderScheduledScanTime = "02:00:00.0000000"
passwordMinimumCharacterSetCount = 4
defenderScanMaxCpu = 50
passwordExpirationDays = 90
description = "Windows 10 Configuration"
passwordRequiredType = "alphanumeric"
passwordMinimumLength = 10
passwordMinutesOfInactivityBeforeScreenTimeout = 15
defenderSignatureUpdateIntervalInHours = 24
defenderMonitorFileActivity = "monitorAllFiles"
displayName = "Windows 10 Configuration"
defenderScheduledQuickScanTime = "05:00:00.0000000"
defenderScanType = "full"
defenderDaysBeforeDeletingQuarantinedMalware = 7
}

New-IntuneDeviceConfigurationPolicy @hash

This did not work either:
$hash.defenderScheduledScanTime = New-Timespan -Start "00:00:00.0000000" -end "02:00:00.0000000"
$hash.defenderScheduledQuickScanTime = New-Timespan -Start "00:00:00.0000000" -end "05:00:00.0000000"

or

$hash.defenderScheduledScanTime = New-Timespan -Hours 2
$hash.defenderScheduledQuickScanTime = New-Timespan -Hours 5

Same error.

I want to create an iosCustomConfiguration in version 6.1902.1.10 by doing the following. The "payload" parameter of New-IntuneDeviceConfigurationPolicy expects System.Byte[], but proceeds to try to convert this into System.Object[] which fails.

Am I doing something wrong?

$encoding = [System.Text.UTF8Encoding]::new()
$configXmlPayload = $encoding.GetBytes($configXml.OuterXml)
$configXmlPayload.GetType()

New-IntuneDeviceConfigurationPolicy `
    -ODataType "#microsoft.graph.iosCustomConfiguration" `
    -displayName "Test" `
    -description "Some text" `
    -payloadName "Test_Payload" `
    -payloadFileName "testpayload.xml" `
    -payload $configXmlPayload

This results in:

IsPublic IsSerial Name                                     BaseType                                                                                                                                     
-------- -------- ----                                     --------                                                                                                                                     
True     True     Byte[]                                   System.Array                                                                                                                                 


Message        : Unable to cast object of type 'System.Byte[]' to type 'System.Object[]'.
Data           : {}
InnerException : 
TargetSite     : System.String ToODataString(System.Object, System.String, Boolean, Boolean)
StackTrace     :    at Microsoft.Intune.PowerShellGraphSDK.ODataTypeUtils.ToODataString(Object value, String oDataTypeFullName, Boolean isArray, Boolean isUrlValue)
                    at Microsoft.Intune.PowerShellGraphSDK.PowerShellCmdlets.ODataCmdletBase.WriteJsonFromProperties(IEnumerable`1 properties, String oDataType)
                    at Microsoft.Intune.PowerShellGraphSDK.PowerShellCmdlets.ODataCmdletBase.Run()
                    at System.Management.Automation.CommandProcessor.ProcessRecord()
HelpLink       : 
Source         : Microsoft.Intune.PowerShellGraphSDK
HResult        : -2147467262

I'm trying to call the cmdlet Get-IntuneManagedDevice and my environment has more than 1000 devices so only the first 1000 are retrieved.

I'm trying to understand how to use the data and the @odata.nextLink parameter to loop through all devices. In my reading, there's a Get-MSGraphAllPages. What's not clear to me is why is there a 'NextLink' parameter when the cmdlet name implies it retrieves "all" data.

I'm trying to install the module in my Win 10 client and not in Cloud Shell.

A search for Intune at the PowerShell Gallery doesn't return a module named Intune: http://www.powershellgallery.com/items?q=Intune&x=0&y=0

I would hate to compile and install locally...

Results of attempt below:

PS C:\WINDOWS\system32> install-module Intune
PackageManagement\Install-Package : No match was found for the specified search criteria and module name 'Intune'. Try
Get-PSRepository to see all available registered module repositories.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1809 char:21
+ ...          $null = PackageManagement\Install-Package @PSBoundParameters
+                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Ex
   ception
    + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage

PS C:\WINDOWS\system32> Get-PSRepository

Name                      InstallationPolicy   SourceLocation
----                      ------------------   --------------
PSGallery                 Untrusted            https://www.powershellgallery.com/api/v2/

Issue

When using the Get-IntuneDeviceConfigurationPolicy cmdlet, data recieved for the microsoft.graph.windows10NetworkBoundaryConfiguration odata type is invalid. When attempting to re-upload the content the content fails to upload due to invalid format.

Futher investigation

Export / and reimport attempts using the API directly are successful.

Examples

CMDLET output:
"@{ipAddressOrFQDN=portal.office.com; proxy=}"

Examples of API output:
"{
"ipAddressOrFQDN": "portal.office.com",
"proxy": null
}"

I don't see a functional way to add devices to an AAD Group. I can use the script from the Intune PowerShell repository, but then I have to authenticate separately just to run those commands because the authtoken is not stored in the same place as is used by those scripts. Since AAD Groups are used to targeting policies/configs/apps, this seems a bit of an omission.

Experiencing the similar experience issue #2 when attempting to load the module Import-Module ./Microsoft.Graph.Intune.psd1

Results in an error:

Intune-PowerShell-SDK\6.1902.00745.0001-release-97194499-net471\drop\outputs\build\Release\net471\Microsoft.Intune.PowerShellGraphSDK.dll' or one of its dependencies. Operation is not supported. (Exception
from HRESULT: 0x80131515)
At line:1 char:1
+ Import-Module ./Microsoft.Graph.Intune.psd1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Import-Module], FileLoadException
    + FullyQualifiedErrorId : System.IO.FileLoadException,Microsoft.PowerShell.Commands.ImportModuleCommand

with Release Preview 3, however, unblocking the net471\Microsoft.Intune.PowerShellGraphSDK.dll file is not yet resolving this error. Tried with elevated privileges. Working with Windows 10 Version 1803 with .NET framework version 4.7.2 (release 461808). Other suggestions to resolve?

Hello,
i've installed the module in https://shell.azure.com with install-module -name microsoft.graph.intune.

PS Azure:> get-module -name microsoft.graph.intune -ListAvailable
ModuleType Version Name PSEdition ExportedCommands

Binary 6.1907.1.0 Microsoft.Graph.Intune Desk {Set-MSGraphAlias, ......

It installs the desk version, and not the core version.
Running a cmdlet throws the error:
Could not load file or assembly 'Microsoft.IdentityModel.Clients.ActiveDirectory, Version=5.0.5.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. Could not find or load a specific file. (Exception from HRESULT: 0x80131621)

How do I install the module in the Cloud Shell?

Regards from Germany
Frank

When running, the version property is always empty.

Running Invoke-IntuneManagedDeviceWipeDevice fails although working in Graph explorer.

Steps to repro:
Connect-MSGraph
$devices = Get-IntuneManagedDevice

Invoke-IntuneManagedDeviceWipeDevice -managedDeviceId $devices[].id -keepEnrollmentData $false -keepUserData $false -macOsUnlockCode "111111"

Failure:
Invoke-IntuneManagedDeviceWipeDevice : 400 Bad Request
{
"error": {
"code": "BadRequest",
"message": "{\r\n "_version": 3,\r\n "Message": "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 13b1d9ee-b9d2-49c4-bff7-d7afd9dff0cb - Url:
https://fef.amsua0502.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/managedDevices%28%27b0fe8aa9-7d00-43f1-9ffb-1e2e5c2f66f3%27%29/microsoft.management.services.api.wipe?api-version=2018-05-24\",\r\n "CustomApiErrorPhrase":
"",\r\n "RetryAfter": null,\r\n "ErrorSourceService": "",\r\n "HttpHeaders": "{}"\r\n}",
"innerError": {
"request-id": "13b1d9ee-b9d2-49c4-bff7-d7afd9dff0cb",
"date": "2019-07-02T19:36:21"
}
}
}

Fiddler trace shows post going to same path as Graph Explorer which works.

Difference appears to be parameters sent are passed with Powershell SDK version and the authentication / authorization header is different with Powershell SDK

{
"keepEnrollmentData": false,
"keepUserData": false,
"macOsUnlockCode": "11111"
}

I'm getting an error similar to another reported issue #23 but with this cmdlet:

$schedAction = Get-IntuneDeviceCompliancePolicyScheduledActionsForRule -deviceCompliancePolicyId $iOSCompliancePolicy.deviceCompliancePolicyId

Error:

Get-IntuneDeviceCompliancePolicyScheduledActionsForRule : 400 Bad Request
{
"error": {
"code": "No method match route template",
"message": "No OData route exists that match template ~/singleton/navigation/key/navigation with http verb GET for request
/StatelessDeviceConfigurationFEService/deviceManagement/deviceCompliancePolicies('6f33b117-9d38-4894-88ff-7ba6bdc8d6a7')/scheduledActionsForRule.",
"innerError": {
"request-id": "2fe38179-9f6b-4d67-8e5e-783dd35561a8",
"date": "2019-04-03T13:38:51"
}
}
}

I did try adding this to before calling the cmdlet (as suggested in the other issue) but got the same error:
Update-MSGraphEnvironment -Schema beta
Connect-MSGraph

Hi how do I publish the Office 365 suite for Windows in Intune? I can see that you can see the info from Get-IntuneMobileApp:

But the New-IntuneMobileApp does not allow me to upload with similar parameters. Am I using the wrong cmdlet?

I'm trying to look up an objectID of a selected group and get a BadRequest error.

$groupObjectID = (Get-AADGroup -Search "Intune-Personal-Device-User").ObjectID #fails

#"code": "BadRequest",
#"message": "Syntax error: character '-' is not valid at position 6 in 'Intune-Personal-Device-User'.",

I tried looking up a group without hyphens and got this error:

$groupObjectID = (Get-AADGroup -Search "Testing").ObjectID

Get-AADGroup : 400 Bad Request
{
"error": {
"code": "Request_UnsupportedQuery",
"message": "This query is not supported.",
"innerError": {
"request-id": "f7408771-2167-46f3-9cc1-4d8057d7503a",
"date": "2019-04-10T18:29:35"
}
}
}

Looking up those same groups using the AzureAD module works.

$groupObjectID = (Get-AzureADGroup -SearchString "Intune-Personal-Device-User").ObjectID $testgroupID = (Get-AzureADGroup -SearchString "Testing").ObjectID

When viewing devices in Intune, there is a "Device Action" column. When I call Get-IntuneManagedDevice, I see no object properties showing me that data for the devices. For example, I have a single Android device registered in different modes (Android and Android Work Profile). One has a Device Action status showing in the console as "Retire Pending". However, I don't see that value in any of the object properties.

Is it not being populated? Is it supposed to be in the deviceActionResults property? I'd like to be able to query on that data and filter those devices out.

Hey,

If i try to import the module, then remove it from memory, then import it again i get "An item with the same key has already been added"

Removing the module:

PS C:\> Remove-Module Microsoft.Graph.Intune -Force -Verbose
VERBOSE: Performing the operation "Remove-Module" on target "UtilCmdlets (Path:
'C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.Graph.Intune\CustomModules\UtilCmdlets.psm1')".
VERBOSE: Performing the operation "Remove-Module" on target "AliasCmdlets (Path:
'C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.Graph.Intune\CustomModules\AliasCmdlets.psm1')".
VERBOSE: Performing the operation "Remove-Module" on target "Microsoft.Graph.Intune (Path:
'C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.Graph.Intune\Microsoft.Intune.PowerShellGraphSDK.dll')".
VERBOSE: Removing the imported "Get-MSGraphAllPages" function.
VERBOSE: Removing the imported "Get-MSGraphDebugInfo" function.
VERBOSE: Removing the imported "Set-MSGraphAlias" function.

Importing the module again

PS C:\> Import-Module Microsoft.Graph.Intune -Force
Import-Module : An item with the same key has already been added.
At line:1 char:1
+ Import-Module Microsoft.Graph.Intune -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Import-Module], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.ImportModuleCommand

Any ideas why and how to solve it?

It does successfully get all others just not the Win32 Windows app Types

When i get a managed device (in this case the ipad is supervised and corporate so a rename of the device is possible in Intune and Graph) and update the object with the new name , the name is not stored in Intune nor do i get an error.

This is the code i execute.
$device = Get-IntuneManagedDevice -managedDeviceId "e3dca79c-07d6-4447-a76b-20a2516f309e"
$device.deviceName = "Ipad_Kiosk"
$device | Update-IntuneManagedDevice

for reference i added a blogpost on how to do it with graph , but i would like to do it with the sdk
https://wolfgangontheroad.wordpress.com/2018/07/23/296-intune-rename-managed-ios-device-with-graph/