Device compliance is an area which is getting increasingly important and having your devices reporting a “Compliant” status is crucial for Conditional Access to work in a user-friendly way.
But sometimes you end up with a bunch of devices reporting error on a specific compliance setting. The Intune reporting on Compliance leaves you hanging with either a report on just all your “non-compliant” devices or the count on how many devices have a specific error. Figuring out which devices has a specific error is not an easy task.
After digging around a bit I stumbled upon this post INTUNE: REPORT ALL DEVICES THAT ARE NON-COMPLIANT BECAUSE THEY ARE INACTIVE – Microsoft Tech Community which explained how to get this data using Graph API. You get a lot of information from this query.
Since I wasn’t really interested in inactive devices, I needed to tweak the GET query a bit ending up with the following query, since I was looking for devices with a firewall issue.
https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicySettingStateSummaries/Windows10CompliancePolicy.ActiveFirewallRequired/deviceComplianceSettingStates?$filter=state eq 'nonCompliant'
If we break down the string a bit you can actually filter this based on the specific compliance setting you want to find.
- “https://graph.microsoft.com/v1.0/deviceManagement/” – This is the Graph connection string
- “deviceCompliancePolicySettingStateSummaries/” – this defines that we want to look at compliance policy setting state
- “Windows10CompliancePolicy” – this is the name of my compliance policy, so this will depend on your naming
- “.ActiveFirewallRequired/” – this defines which setting we are looking at
- “deviceComplianceSettingStates?$filter=state eq ‘nonCompliant'” – this filters out which state we are looking for. You can change this to “Compliant” to find compliant devices instead
So, if you want to look at another setting than the firewall as in this example, you simply replace that part in the string with the name of what setting you are looking for. Easiest way to find all the setting names in your tenant is to simply run:
https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicySettingStateSummaries
This will list all settings and setting names in your tenant.
When you have built your own GET string you will be able to pull the data you need and get information about what devices in a simpler way.
I’m still trying to figure out how to export this in a good way other than the classic copy paste (I’m really bad with PowerShell). Once I figure that out, I’ll post a part two of this! Or if you have a good solution for this, feel free to reuse this or post a link to your solution in the comments!
