Who should continue reading? Anyone who is using AAD, Intune or SCCM and wants to know, for example: which clients aren't synchronized to AAD, aren't co-managed, don't have the SCCM client installed, haven't contacted AAD/Intune or SCCM for a long time, and much, much more.
If you are in a similar situation, you probably know that it can be very difficult to get a meaningful overall status of your environment, i.e. whether all your clients are synchronized to Azure and properly managed by SCCM and Intune, etc. It is hard because, for example, Intune can say that client XYZ is co-managed while SCCM tells you otherwise. The problem is that the information from Intune can be obsolete (and vice versa), so you also have to take into account the date when the client last contacted each service. Another problem can be duplicate records in Azure/Intune.
I was in such a situation too, so I decided to create a PowerShell function Get-MDMClientData to gather and merge information from all (or a subset) of these services, to be able to easily detect problematic clients, and a function Get-ClientStatusReport to get a report of the problematic clients.
For SCCM data retrieval:
- working SCCM Administration Service API (should be by default)
- account with proper permissions to read device data (SCCM admin or follow this tutorial)
For Intune & Azure data retrieval:
- Azure App registration ID & secret with permissions to read device data (follow this tutorial)
For AD data retrieval:
- AD PowerShell module
- domain user
I am using an Azure App registration for authentication instead of user credentials because it can then be used in an unattended way.
- Meet prerequisites for services you want to get data from
- Download Get-MDMClientData.ps1 script
- Search for "FIXME" in downloaded script and do what they say and save the file
- Dot source downloaded script in PowerShell console
- Run function Get-MDMClientData (with appropriate parameters)
- Download Get-ClientStatusReport, dot source it (in the same console where you dot sourced Get-MDMClientData) and call Get-ClientStatusReport
Table of contents
- How function Get-MDMClientData works
- Getting problematic clients report
How function Get-MDMClientData works
The purpose of the function Get-MDMClientData (Get-MDMClientData.ps1) is to get client "health" data from one (or a subset) of the services (Active Directory, Azure Active Directory, SCCM, Intune) into one place (object), so that problems can be easily detected and diagnosed. It uses the Graph API for reading client data from Intune and AzureAD, and the SCCM Administration Service API for getting SCCM client data. For each service, it gathers only chosen (important) properties and adds them to the resulting object.
! Beware that before first use, it has to be manually edited ! Search for "FIXME" inside the function text and do what the comments say, i.e. hardcode your SCCM server name and your Azure tenant name.
The function internally uses a lot of other custom functions. I've added them to the function body to make the usage as simple as possible.
How the result can look
As you can see, the resulting object contains all the necessary data from all services to understand the current situation of the client and to easily compare data between services.
In the last chapter of this post, I will show you an example of the report that can be generated from this data.
Getting problematic clients report
How function Get-ClientStatusReport works
Function Get-ClientStatusReport leverages function Get-MDMClientData for getting all the necessary client data. Then, using several thresholds (which can be modified via function parameters) and some internal logic, it decides which clients are problematic. The result is returned as colored plaintext, so nothing fancy; feel free to modify it to suit your needs.
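As an added example (not the author's script), here is the merge-then-threshold idea that the two sections above describe, run over constructed sample records standing in for what the real functions pull from each service; the per-service field names, the default thresholds and the function names Merge-ClientData and Get-ProblemClients are assumptions made for this illustration.

```powershell
# Constructed sample records (hypothetical); in the real script these come from AD, Graph API and the SCCM Admin Service
$ad     = @{ 'PC01' = @{ Enabled = $true }; 'PC02' = @{ Enabled = $true }; 'PC03' = @{ Enabled = $true } }
$aad    = @{ 'PC01' = @{ LastSync = (Get-Date).AddDays(-2); Records = 1 }; 'PC03' = @{ LastSync = (Get-Date).AddDays(-70); Records = 2 } }
$sccm   = @{ 'PC01' = @{ LastActive = (Get-Date).AddDays(-1); CoManaged = $false }; 'PC02' = @{ LastActive = (Get-Date).AddDays(-100); CoManaged = $false } }
$intune = @{ 'PC01' = @{ LastSync = (Get-Date).AddDays(-1); CoManaged = $true } }

function Merge-ClientData {
    # Build one object per hostname with one property per service ($null when that service has no record)
    param([hashtable]$AD, [hashtable]$AAD, [hashtable]$SCCM, [hashtable]$Intune)
    $names = @($AD.Keys) + @($AAD.Keys) + @($SCCM.Keys) + @($Intune.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        [pscustomobject]@{ Name = $n; AD = $AD[$n]; AAD = $AAD[$n]; SCCM = $SCCM[$n]; Intune = $Intune[$n] }
    }
}

function Get-ProblemClients {
    # Apply staleness thresholds (in days) and cross-service consistency checks; emit Name + Reason for problematic clients only
    param([object[]]$Clients, [int]$AADStaleDays = 60, [int]$SCCMStaleDays = 90)
    $now = Get-Date
    foreach ($c in $Clients) {
        $reasons = [System.Collections.Generic.List[string]]::new()
        if ($c.AD -and -not $c.AAD) { $reasons.Add('in AD but not synchronized to AAD') }
        if ($c.AAD -and $c.AAD.Records -gt 1) { $reasons.Add("duplicate AAD records ($($c.AAD.Records))") }
        if ($c.AAD -and ($now - $c.AAD.LastSync).Days -gt $AADStaleDays) { $reasons.Add("no AAD contact for $(($now - $c.AAD.LastSync).Days) days") }
        if ($c.AD -and -not $c.SCCM) { $reasons.Add('SCCM client not installed') }
        if ($c.SCCM -and ($now - $c.SCCM.LastActive).Days -gt $SCCMStaleDays) { $reasons.Add("no SCCM contact for $(($now - $c.SCCM.LastActive).Days) days") }
        # Intune and SCCM disagree on co-management: report it and say which service was contacted more recently
        if ($c.Intune -and $c.SCCM -and $c.Intune.CoManaged -ne $c.SCCM.CoManaged) {
            $fresh = if ($c.Intune.LastSync -gt $c.SCCM.LastActive) { 'Intune' } else { 'SCCM' }
            $reasons.Add("co-management mismatch (Intune=$($c.Intune.CoManaged), SCCM=$($c.SCCM.CoManaged); $fresh data is newer)")
        }
        if ($reasons.Count) { [pscustomobject]@{ Name = $c.Name; Reason = $reasons -join '; ' } }
    }
}

$merged = Merge-ClientData -AD $ad -AAD $aad -SCCM $sccm -Intune $intune
Get-ProblemClients -Clients $merged | Format-Table -AutoSize
```

With the sample data, PC01 is flagged for the Intune/SCCM co-management mismatch, PC02 for missing AAD sync and a stale SCCM record, and PC03 for duplicate AAD records, a stale AAD sync and a missing SCCM client.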
How the result can look
As you can see, the report gives you a list of problematic clients per service, plus additional data (where available) that can help you solve the problems.