Introduction:
As organizations continue to embrace mobility and cloud computing, the need for robust endpoint management solutions has become increasingly important. One such solution is Microsoft Intune, which provides a unified endpoint management (UEM) platform that enables IT pros to manage and secure devices across their organization. In this blog post, we’ll explore how you can use PowerShell to automate a report on BitLocker coverage for Intune managed devices.
Background:
BitLocker is a built-in encryption feature in Windows operating systems that provides protection against unauthorized access to data stored on the device. When enabled, BitLocker encrypts all data on the device, including the operating system, apps, and user files. This provides an additional layer of security for organizations that require sensitive data to be protected.
Intune is a cloud-based UEM platform that provides centralized management and security for mobile devices, Windows computers, and other endpoints. Intune integrates with BitLocker to provide encryption for devices and protect against unauthorized access. By automating a report on BitLocker coverage for Intune managed devices, IT pros can easily identify which devices are encrypted and which ones are not.
Extracting Device Information Using Graph API:
To extract device information from Intune using PowerShell, you’ll need to use the Microsoft Graph API. Microsoft Graph exposes a set of REST endpoints that give you access to data in Microsoft services such as Azure Active Directory (AAD), Office 365, and Intune. You can use the Graph API to query for device information, including BitLocker status, using the following URL:
```
https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=operatingSystem eq 'Windows'&$select=id,deviceName,isEncrypted,lastSyncDateTime
```
This request returns the Intune-managed devices running Windows; the isEncrypted property carries the BitLocker state each device last reported to Intune, so it is only as current as the device's last sync. You can modify the $filter clause to retrieve devices based on other criteria, such as device type or compliance state.
Extracting BitLocker Coverage Information:
To extract BitLocker coverage information for Intune managed devices using PowerShell, you’ll need to iterate through the list of devices returned by the Graph API and check if BitLocker is enabled for each device. You can use the following code to achieve this:
```powershell
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.DeviceManagement module)
# and an account granted the DeviceManagementManagedDevices.Read.All permission.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# -All follows @odata.nextLink, so tenants with more than one page of devices are fully enumerated.
$devices = Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" -All

foreach ($device in $devices) {
    # IsEncrypted is the encryption state the device last reported, not a live query of the disk.
    if ($device.IsEncrypted) {
        Write-Host "Device $($device.DeviceName) has BitLocker enabled."
    } else {
        Write-Host "Device $($device.DeviceName) does not have BitLocker enabled."
    }
}
```
This code retrieves the list of devices from Intune using the Graph API, and then iterates through each device to check if BitLocker is enabled. If BitLocker is enabled, the code prints a message indicating that the device has BitLocker enabled. If BitLocker is not enabled, the code prints a message indicating that the device does not have BitLocker enabled.
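The loop above turned into a report, as an added example that is not part of the original post: it pages through every Intune-managed Windows device, flags devices that have not synced recently (their reported encryption state may be out of date either way), writes a CSV, and prints a coverage summary. It assumes the Microsoft.Graph PowerShell SDK and the DeviceManagementManagedDevices.Read.All permission; the output path and the 30-day staleness window are placeholders.

```powershell
param(
    [string]$OutputPath = "C:\Reports\BitLockerCoverage.csv",  # placeholder path
    [int]$StaleDays = 30                                       # placeholder threshold
)

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# Request only the properties the report needs. isEncrypted is the state the device
# last reported to Intune, so it is only as current as the device's last sync.
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
       "?`$filter=operatingSystem eq 'Windows'" +
       "&`$select=id,deviceName,userPrincipalName,isEncrypted,lastSyncDateTime,complianceState"

# Follow @odata.nextLink so tenants with more than one page of devices are fully counted.
$devices = [System.Collections.Generic.List[object]]::new()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    foreach ($d in $page.value) { $devices.Add($d) }
    $uri = $page.'@odata.nextLink'   # $null on the last page
} while ($uri)

# A device that has not synced within the window is reported as stale: its encryption
# state (encrypted or not) cannot be trusted and it should be followed up separately.
$staleBefore = (Get-Date).AddDays(-$StaleDays)
$report = foreach ($d in $devices) {
    [pscustomobject]@{
        DeviceName      = $d.deviceName
        User            = $d.userPrincipalName
        BitLocker       = $(if ($d.isEncrypted) { 'Enabled' } else { 'Not enabled' })
        Stale           = ([datetime]$d.lastSyncDateTime -lt $staleBefore)
        ComplianceState = $d.complianceState
        LastSync        = $d.lastSyncDateTime
    }
}

$report | Export-Csv -Path $OutputPath -NoTypeInformation

$total      = @($report).Count
$encrypted  = @($report | Where-Object BitLocker -eq 'Enabled').Count
$actionable = @($report | Where-Object { $_.BitLocker -eq 'Not enabled' -and -not $_.Stale }).Count
$coverage   = if ($total -gt 0) { $encrypted / $total } else { 0 }
"{0} Windows devices: {1} encrypted ({2:P1}); {3} unencrypted and active in the last {4} days" -f $total, $encrypted, $coverage, $actionable, $StaleDays
```

The actionable count separates devices that genuinely need remediation from stale records that need an enrollment or check-in follow-up instead.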
Automating the Report:
To automate the report on BitLocker coverage for Intune managed devices, you can use Windows Task Scheduler, via PowerShell’s ScheduledTasks cmdlets, to run the script at a specific time or interval. You can use the following code to schedule the script to run every day at 12:07 AM:
```powershell
# An unattended run cannot complete an interactive Connect-MgGraph sign-in, so the
# scheduled script must authenticate non-interactively (for example, certificate-based app-only auth).
$action  = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -File C:\Path\To\YourScript.ps1"
$trigger = New-ScheduledTaskTrigger -Daily -At "12:07AM"
Register-ScheduledTask -TaskName "BitLocker Coverage Report" -Action $action -Trigger $trigger
```
This code registers a scheduled task that runs the script every day at 12:07 AM. You can modify the trigger to schedule the report to run at a different time or interval.
Conclusion:
In this blog post, we explored how you can use PowerShell to automate a report on BitLocker coverage for Intune managed devices. We demonstrated how to extract device information using the Microsoft Graph API and how to check if BitLocker is enabled for each device. By automating the report, IT pros can easily identify which devices are encrypted and which ones are not, and take appropriate action to ensure all devices are protected with BitLocker encryption.