Intune: Grouping based on Hardware Inventory data

It’s been a couple of years since I last blogged. In the meantime, I moved to the Intune Product Group as a Product Manager, and I’m now a member of the Grouping and Targeting team. One of the top blockers in the grouping and targeting space is the inability to group managed devices based on the hardware information collected as part of device management. While we are working on improving the experience, I thought I would share a possible workaround that can unblock customers in certain scenarios.

Here are the high-level steps that will let you build a solution to fit your requirements.

  1. Connect with Microsoft Graph Beta
  2. Get the list of managed devices, filtered by platform (Windows, Android, iOS, etc.)
  3. Iterate over each device to get its hardware information and pick the specific property of interest.
  4. Patch the corresponding Entra device object’s extension attribute with the property value.
  5. Use the extension attribute in an Entra dynamic device group.

There are several ways to build the solution: PowerShell, a Power Automate flow, etc. While I will discuss how to accomplish this using PowerShell scripting, I recommend a Power Automate flow, which provides consistency and concurrency (useful especially in large environments) and can also run on a defined schedule. (We will discuss this in a separate post, based on need.)

Connecting with Microsoft Graph Beta:

With the Microsoft Graph PowerShell modules, connecting to Graph and retrieving data is simplified. Since the hardware information of managed devices is available only in the beta version of the API, I recommend installing both the Microsoft.Graph and Microsoft.Graph.Beta modules. Also, I encountered some issues with PowerShell 5.1 and hence strongly recommend installing PowerShell 7. Use the MSI method if you are installing on jump servers.

Once you have installed and imported the required modules, use the Connect-MgGraph command to initiate the connection to the tenant. Since we access the managed device information as the signed-in user, we need at minimum the DeviceManagementManagedDevices.Read.All delegated permission. We also need to update the extension attribute(s) of the Entra device, which requires the Directory.AccessAsUser.All delegated permission.

Run the command below to connect to the tenant. You will be prompted to sign in on a browser page and to provide consent. Use an account that has no more than the permissions mentioned above, and close the browser once authentication and consent are complete.

Connect-MgGraph -Scopes DeviceManagementManagedDevices.Read.All,Directory.AccessAsUser.All

Get list of managed devices:

Once you are connected to the Intune tenant, you can use $Devices = Get-MgbetaDeviceManagementManagedDevice -All to get all managed devices. The -All switch takes care of pagination so that every device is returned. You can use a where clause to limit the devices by a broader condition such as platform. In this example I will use Android devices.

$ManagedDevices = Get-MgbetaDeviceManagementManagedDevice -All | where {$_.OperatingSystem -eq "Android"}

Iterate the list and get specific property:

Now that you have a list of devices, let’s choose a property and populate its value into the corresponding Entra device object’s extension attribute. In this example, I will show how to get the Operating System build number of Android devices and update extensionAttribute1 of the corresponding Entra device object. The Operating System build number of an Android device is different from the OS version, as you can see in the screenshot below from my mobile. The OS build number is based on the monthly security patch, and you can find more details here.

To get the hardware information, you must iterate over each managed device object and request it explicitly with the -Property switch.

Foreach ($ManagedDevice in $ManagedDevices){
    $DeviceHWInfo = $Null
    # HardwareInformation is only returned when requested explicitly via -Property
    $DeviceHWInfo = (Get-MgbetaDeviceManagementManagedDevice -ManagedDeviceId $ManagedDevice.id -Property HardwareInformation).HardwareInformation
}

Below are screenshots of the Hardware Inventory information for an Android device from the Intune portal and from PowerShell. As you can see, not all property values are available in the PowerShell output.

Screenshot of Hardware Inventory information for an Android device from PowerShell

Patch the corresponding Entra device object’s extension attribute with the property value:

Now that you have the hardware information, you can either compare the values against a desired value within the script and patch the extension attribute with yes/no, true/false or any other value of interest, or simply map the property’s value to an extension attribute and do the comparison in the Entra dynamic device group query.

$Parameters = @{
    extensionAttributes = @{
        extensionAttribute1 = $DeviceHWInfo.OSBuildNumber
    }
}
# Get the Entra device object by its deviceId with a server-side filter. Piping a plain
# Get-MgDevice (without -All) into where only searches the first page of results and
# misses devices in larger tenants.
$EntraDevice = Get-MgDevice -Filter "deviceId eq '$($ManagedDevice.AzureADDeviceId)'"
# Add extensionAttribute1 to the device
Update-MgDevice -DeviceId $EntraDevice.Id -BodyParameter $Parameters

Entra Device Object before updating Extension Attribute:

Entra Device Object after updating Extension Attribute:

Entra Dynamic Device Group:

Here is a screenshot of the group’s dynamic device query.

Save the query and, after waiting a few minutes, voilà! The dynamic group membership is evaluated and the device is populated.

Exploration:

This solution works with the data that is already available in Hardware Inventory. I understand that this may not always be sufficient, especially with Windows devices, but now that you know how to update extension attributes and use them in dynamic device group population, this opens up a sea of possibilities. One such possibility is to run scripts on your managed Windows devices as part of proactive remediation and update the extension attribute based on files or registry keys. But that needs application permissions, as it will run unattended, and the script needs to be tweaked accordingly.

Script:

Here is a sample script putting all the pieces together. Schedule it using Task Scheduler based on how frequently the data can change. Once you understand the framework, you can build your own scripts to solve your specific needs.

<#
DISCLAIMER STARTS
THIS SAMPLE CODE IS PROVIDED FOR THE PURPOSE OF ILLUSTRATION ONLY AND IS NOT INTENDED TO BE USED IN A PRODUCTION ENVIRONMENT. THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED IS "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE."
DISCLAIMER ENDS
#>


# Connect to Microsoft Graph using delegated permissions
Connect-MgGraph -Scopes DeviceManagementManagedDevices.Read.All,Directory.AccessAsUser.All

# Get the list of managed devices. Here the platform is scoped to Android.
$ManagedDevices = Get-MgbetaDeviceManagementManagedDevice -All | Where-Object {$_.OperatingSystem -eq "Android"}

# Iterate over each managed device and map OSBuildNumber to extensionAttribute1
Foreach ($ManagedDevice in $ManagedDevices){
    $DeviceHWInfo = $Null
    # Get device hardware information (only returned when requested explicitly)
    $DeviceHWInfo = (Get-MgbetaDeviceManagementManagedDevice -ManagedDeviceId $ManagedDevice.id -Property HardwareInformation).HardwareInformation
    # Map OSBuildNumber to extensionAttribute1
    If ($Null -ne $DeviceHWInfo){
        $Parameters = @{
            extensionAttributes = @{
                extensionAttribute1 = $DeviceHWInfo.OSBuildNumber
            }
        }
        # Get the Entra device object by its deviceId with a server-side filter. A plain
        # Get-MgDevice without -All only returns the first page and would miss devices.
        $EntraDevice = Get-MgDevice -Filter "deviceId eq '$($ManagedDevice.AzureADDeviceId)'"
        If ($Null -eq $EntraDevice){
            Write-Warning "No Entra device object found for $($ManagedDevice.DeviceName); skipping"
            continue
        }
        # Add extensionAttribute1 to the device
        Update-MgDevice -DeviceId $EntraDevice.Id -BodyParameter $Parameters
    }
}
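As an added example (not part of the original post), here is the unattended variant that the Exploration and Script sections point to: the same OSBuildNumber-to-extensionAttribute1 mapping run from a scheduled task with app-only, certificate-based authentication, writing to Entra only when the value has actually changed. The tenant ID, client ID, certificate thumbprint and the application permissions DeviceManagementManagedDevices.Read.All and Device.ReadWrite.All are assumptions about an app registration you create yourself; the Graph cmdlets are the standard ones from the Microsoft.Graph and Microsoft.Graph.Beta modules.

```powershell
# Added example, not part of the original post. Unattended run for a scheduled task:
# app-only auth with a certificate, and an idempotent write of extensionAttribute1.
# Assumed: an app registration granted the *application* permissions
# DeviceManagementManagedDevices.Read.All and Device.ReadWrite.All, and its certificate
# in the store of the account that runs the task. The three values below are placeholders.
$TenantId   = '<TENANT-ID>'
$ClientId   = '<APP-CLIENT-ID>'
$Thumbprint = '<CERT-THUMBPRINT>'
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $Thumbprint -NoWelcome

function Sync-DeviceExtensionAttribute {
    # Maps one managed device's hardware OSBuildNumber to extensionAttribute1 on its Entra object
    # and reports what happened. A value that is already current is never rewritten, so the
    # directory audit log only records real changes.
    param([Parameter(Mandatory)] $ManagedDevice)

    $hw = (Get-MgBetaDeviceManagementManagedDevice -ManagedDeviceId $ManagedDevice.Id `
            -Property HardwareInformation).HardwareInformation
    if (-not $hw -or [string]::IsNullOrEmpty($hw.OSBuildNumber)) {
        return [pscustomobject]@{ Device = $ManagedDevice.DeviceName; Action = 'SkippedNoInventory'; Value = $null }
    }
    # Look the Entra object up by deviceId with a server-side filter instead of enumerating the directory
    $entra = Get-MgDevice -Filter "deviceId eq '$($ManagedDevice.AzureADDeviceId)'" -Property Id,ExtensionAttributes
    if (-not $entra) {
        return [pscustomobject]@{ Device = $ManagedDevice.DeviceName; Action = 'SkippedNoEntraObject'; Value = $null }
    }
    $current = $entra.ExtensionAttributes.ExtensionAttribute1
    if ($current -eq $hw.OSBuildNumber) {
        return [pscustomobject]@{ Device = $ManagedDevice.DeviceName; Action = 'Unchanged'; Value = $current }
    }
    $body = @{ extensionAttributes = @{ extensionAttribute1 = $hw.OSBuildNumber } }
    Update-MgDevice -DeviceId $entra.Id -BodyParameter $body
    return [pscustomobject]@{ Device = $ManagedDevice.DeviceName; Action = 'Updated'; Value = $hw.OSBuildNumber }
}

$results = Get-MgBetaDeviceManagementManagedDevice -All |
    Where-Object { $_.OperatingSystem -eq 'Android' } |
    ForEach-Object { Sync-DeviceExtensionAttribute -ManagedDevice $_ }

# Per-run summary for the task's log: how many devices were skipped, unchanged or written
$results | Group-Object Action | Select-Object Name, Count
$results | Where-Object Action -eq 'Updated' | Format-Table Device, Value -AutoSize
Disconnect-MgGraph
```

Because the function returns a result object per device rather than printing, the summary at the end tells you after every scheduled run exactly how many directory writes happened and which devices had no inventory or no matching Entra object.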
