Automate Device Syncing in Intune Using PowerShell

Bulk Syncing Devices in Intune

During enrollment, a device should sync with Intune so that it picks up the latest policies and settings from the management service. After enrollment, a policy change made without a forced sync can take around eight hours to reach a device, in line with the default policy refresh interval. When adding devices in bulk or rolling out tenant-wide policy changes, it is better to use a short PowerShell script that targets a subset of devices based on their reported operating system.

Tools used for bulk syncing devices

The Microsoft Graph PowerShell SDK is essentially a set of wrappers around the Microsoft Graph API, exposing Graph calls as PowerShell cmdlets. It ships as two module families: Microsoft.Graph, which calls the stable v1.0 endpoints, and Microsoft.Graph.Beta, which calls the beta endpoints where preview features live. With these cmdlets you can manage users, groups, devices and other resources while following familiar PowerShell conventions. Connect-MgGraph requests delegated permissions (scopes) on behalf of the signed-in user: scopes that only touch that user's own data can be consented by the user, while scopes that read or act on other users' or devices' data, including the two used by this script, require an administrator to consent, and the signed-in account also needs an Intune role that allows remote device actions. Every Graph call checks the permissions carried by the token, so the session must hold the scopes for each action the script performs.

Permissions Needed

The delegated permissions needed by the script, kept to least privilege (read managed devices, plus the single privileged operation that the sync action requires), are:

  • DeviceManagementManagedDevices.Read.All
  • DeviceManagementManagedDevices.PrivilegedOperations.All
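A session opened earlier in the same PowerShell window may already exist but lack one of these scopes, in which case Get-MgContext reports a connection and yet the sync action is refused. The following helper, added here as an example and not part of the original script, compares the scopes the current session holds (the Scopes property of Get-MgContext) with the ones the script needs and reconnects only when something is missing. The function name Get-MissingMgScope and the constructed scope list passed with -Granted are assumptions made for the example.

```powershell
# Returns the required delegated scopes that the session does not hold.
# Added example helper (hypothetical name), not from the original script.
function Get-MissingMgScope {
    param(
        [Parameter(Mandatory)] [string[]] $Required,
        # Defaults to the live session; pass -Granted explicitly to test without connecting.
        # Get-MgContext returns $null when not connected, so $Granted is then empty
        # and every required scope is reported as missing.
        [string[]] $Granted = (Get-MgContext).Scopes
    )
    foreach ($scope in $Required) {
        if ($Granted -notcontains $scope) { $scope }
    }
}

$required = @(
    'DeviceManagementManagedDevices.Read.All'
    'DeviceManagementManagedDevices.PrivilegedOperations.All'
)

# Constructed example: a session that was opened earlier with a narrower scope set
# (not a real tenant session). Only the PrivilegedOperations scope is reported back.
$missing = Get-MissingMgScope -Required $required -Granted @(
    'User.Read'
    'DeviceManagementManagedDevices.Read.All'
)
$missing | ForEach-Object { Write-Output "Missing scope: $_" }

# Live check against the current session: reconnect only when a scope is absent.
if (Get-MissingMgScope -Required $required) {
    Connect-MgGraph -Scopes $required -NoWelcome
}
```

With the constructed -Granted list the function returns only DeviceManagementManagedDevices.PrivilegedOperations.All, which is the scope whose absence makes Sync-MgBetaDeviceManagementManagedDevice fail with a permission error. The comparison is a plain string match, so a session signed in with app-only (client credential) authentication, whose permissions are application roles rather than delegated scopes, will also be reported as missing them.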

Script Explained

This PowerShell script uses Microsoft Graph to sync devices managed by Intune. It accepts a parameter that filters devices by operating system (iOS, Android or Windows), defaulting to Windows. It then reuses an existing Microsoft Graph session if one is present and otherwise signs in with the two scopes listed above. Once authenticated, it queries all managed devices matching the chosen OS and requests a sync for each one through the Graph sync action. An error raised for an individual device is caught and written to the console so the loop continues with the remaining devices.

Full Script

param (
    [Parameter()]
    [ValidateSet('iOS', 'Android', 'Windows')]
    [Alias('OperatingSystem')]
    [String] $OS = 'Windows'
)

Import-Module "Microsoft.Graph.Beta.DeviceManagement"
Import-Module "Microsoft.Graph.Beta.DeviceManagement.Actions"

# Required delegated scopes, passed to Connect-MgGraph as an array.
$scopes = @(
    'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementManagedDevices.PrivilegedOperations.All'
)

# Get-MgContext returns $null when there is no session rather than throwing.
$ctx = Get-MgContext -ErrorAction SilentlyContinue
if ($null -eq $ctx) {
    Write-Output "Please login to Microsoft Graph"
    Connect-MgGraph -Scopes $scopes -UseDeviceCode -NoWelcome
    $ctx = Get-MgContext
}
Write-Output ("{0} is authenticated to Graph." -f $ctx.Account)

# $mobileDevices = Get-MgBetaDeviceManagementManagedDevice -Filter "operatingSystem eq 'iOS' or operatingSystem eq 'Android'" -All
# -All follows the paging links; without it only the first page of devices is returned.
$devices = Get-MgBetaDeviceManagementManagedDevice -Filter "operatingSystem eq '$OS'" -All

foreach ($device in $devices) {
    try {
        Write-Output "Syncing $($device.DeviceName) - Device ID: $($device.Id)"
        # -ErrorAction Stop makes a failed sync a terminating error so the catch block sees it.
        Sync-MgBetaDeviceManagementManagedDevice -ManagedDeviceId $device.Id -ErrorAction Stop
    } catch {
        Write-Output $_.Exception.Message
    }
}
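The sync action only queues a check-in request; it returns as soon as Intune accepts it, and a device that is offline will not report back until it next connects. The only evidence that a device actually checked in is its LastSyncDateTime moving forward. The following functions, added here as an example and not part of the original script, use that property to target only devices that have not checked in within the policy refresh window and to record the outcome of each sync request in an object rather than only in console output; running the same stale-device query again some minutes after the sync shows which devices did not respond. The function names Get-StaleManagedDevice and Invoke-ManagedDeviceSync and the sample device objects are assumptions made for the example; the Graph cmdlet calls are the same ones the script above uses.

```powershell
Import-Module "Microsoft.Graph.Beta.DeviceManagement"
Import-Module "Microsoft.Graph.Beta.DeviceManagement.Actions"

# Returns the devices whose last Intune check-in is older than $MaxAgeHours.
# Added example helper (hypothetical name), not from the original script.
function Get-StaleManagedDevice {
    param(
        [Parameter(Mandatory)] [object[]] $Device,
        [int] $MaxAgeHours = 8
    )
    $cutoff = (Get-Date).ToUniversalTime().AddHours(-$MaxAgeHours)
    foreach ($d in $Device) {
        # A device that has never checked in has no LastSyncDateTime; treat it as stale.
        if ($null -eq $d.LastSyncDateTime -or $d.LastSyncDateTime.ToUniversalTime() -lt $cutoff) {
            [pscustomobject]@{
                DeviceName       = $d.DeviceName
                Id               = $d.Id
                LastSyncDateTime = $d.LastSyncDateTime
            }
        }
    }
}

# Requests a sync for each device on the pipeline and returns one result object per device.
# SupportsShouldProcess gives the caller -WhatIf for a dry run before a bulk action.
# Added example helper (hypothetical name), not from the original script.
function Invoke-ManagedDeviceSync {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Device
    )
    process {
        $result = [pscustomobject]@{
            DeviceName = $Device.DeviceName
            Id         = $Device.Id
            Status     = 'Skipped'
            Error      = $null
        }
        if ($PSCmdlet.ShouldProcess($Device.DeviceName, 'Request Intune sync')) {
            try {
                # -ErrorAction Stop turns the cmdlet's non-terminating error into one the catch sees.
                Sync-MgBetaDeviceManagementManagedDevice -ManagedDeviceId $Device.Id -ErrorAction Stop
                $result.Status = 'Requested'
            } catch {
                $result.Status = 'Failed'
                $result.Error  = $_.Exception.Message
            }
        }
        $result
    }
}

# Constructed sample objects standing in for Get-MgBetaDeviceManagementManagedDevice output
# (not real devices); only the properties the helpers read are present.
$sample = @(
    [pscustomobject]@{ DeviceName = 'LAPTOP-01'; Id = '00000000-0000-0000-0000-000000000001'; LastSyncDateTime = (Get-Date).AddMinutes(-30) }
    [pscustomobject]@{ DeviceName = 'LAPTOP-02'; Id = '00000000-0000-0000-0000-000000000002'; LastSyncDateTime = (Get-Date).AddHours(-26) }
    [pscustomobject]@{ DeviceName = 'LAPTOP-03'; Id = '00000000-0000-0000-0000-000000000003'; LastSyncDateTime = $null }
)
Get-StaleManagedDevice -Device $sample -MaxAgeHours 8 | Format-Table

# Against a tenant (requires the two delegated permissions listed above):
# $devices = Get-MgBetaDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" -All
# $stale   = Get-StaleManagedDevice -Device $devices -MaxAgeHours 8
# $results = $stale | Invoke-ManagedDeviceSync -WhatIf    # drop -WhatIf to send the requests
# $results | Where-Object Status -ne 'Requested' | Format-Table
```

On the constructed sample, Get-StaleManagedDevice reports LAPTOP-02 (last check-in 26 hours ago) and LAPTOP-03 (never checked in) and leaves LAPTOP-01 alone, so a run scoped this way does not spend a privileged action on devices that have just synced. Keeping the per-device result objects makes it easy to export the failures with Export-Csv for follow-up, and the -WhatIf dry run is worth using once before a large run to confirm the filter selected the devices you expected.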

Conclusion

In conclusion, this PowerShell script provides a straightforward way to automate device synchronization with Intune through Microsoft Graph. Filtering by operating system limits the run to the devices that matter, and the per-device error handling lets a bulk run continue past individual failures. Keep in mind that the sync action only asks a device to check in; a device that is offline will not report back until it next connects. Overall, it is a simple but effective tool for making sure policy changes reach devices without waiting for the normal refresh interval.
