Intune has many great reporting features, but sometimes we want a quick way to determine if a series of machines have all the necessary applications installed. This very question was asked of us by a large international manufacturer. How can we as an organization quickly determine if our machines meet certain application requirements once they are in the hands of users? One answer is Custom Compliance Policies.
Within Intune compliance, we can create custom elements of the policy for determining application installation states, application versioning, or any number of other items. The following Microsoft documentation details how to build these custom elements and the use of PowerShell to perform the query.
Using that as a base, this post provides an example JSON file and PowerShell script, along with how these are integrated into Intune.
Let's start with the JSON file. The JSON file tells Intune the items we want to evaluate the machines' compliance against. These elements can be Boolean, String, or several other item types. Further details about the item types we can use for comparison are found in the following article:
Here is an example element (one rule) from the JSON file:
```json
{
  "SettingName": "Google Chrome",
  "Operator": "IsEquals",
  "DataType": "Boolean",
  "Operand": true,
  "MoreInfoUrl": "https://www.google.com",
  "RemediationStrings": [
    {
      "Language": "en_US",
      "Title": "Google Chrome",
      "Description": "Google Chrome must be installed."
    }
  ]
}
```
SettingName - The name of the custom setting. In this case Google Chrome is the application name we are using for our compliance check. The script must return a key with exactly this name.
Operator - The comparison operation we are using. Here we are evaluating whether the returned value is equal to the value we specify.
DataType - The type of data used to build the compliance rule. In this example, we want to evaluate a true or false value.
Operand - Represents the value that the operator compares against. If Google Chrome is installed, the script should return true for this setting.
MoreInfoUrl - Website that can provide additional information to the user.
RemediationStrings - Information that gets displayed in the Company Portal when the device is noncompliant.
We can have any number of elements within the JSON, with the only restriction being the JSON file size must be smaller than 1MB.
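As an added example (not the JSON file from the original post), here is a complete rules file with two elements: the Boolean check for Google Chrome from above, plus a Version check that requires Chrome to be at least a certain version. The top-level "Rules" array is the structure Intune expects for custom compliance JSON; the minimum version "100.0" and the second SettingName are values assumed for this example, and the script must return a key for each SettingName in this order. The {ActualValue} token in the Title is replaced by Intune with the value the script discovered.

```json
{
  "Rules": [
    {
      "SettingName": "Google Chrome",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://www.google.com",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "Google Chrome",
          "Description": "Google Chrome must be installed."
        }
      ]
    },
    {
      "SettingName": "Google Chrome Version",
      "Operator": "GreaterEquals",
      "DataType": "Version",
      "Operand": "100.0",
      "MoreInfoUrl": "https://www.google.com",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "Google Chrome is out of date (version found: {ActualValue}).",
          "Description": "Google Chrome must be at least version 100.0. Please update it."
        }
      ]
    }
  ]
}
```

Note that a Version operand is written as a string in the JSON, and the discovery script must return the installed version as a string in dotted form so that Intune can compare it as a version rather than as text.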
Once we have our JSON complete, we need to create a script that will run the compliance check on the machine itself.
Microsoft provides an example using the following link:
Here is an example taken from a script we are currently using:
```powershell
# Hash table that will hold one entry per application: name => installed (true/false)
$hash = @{}
# Enumerate installed MSI packages. Note: Win32_Product is slow and triggers an
# MSI consistency check of every installed package each time it is queried.
$AppsList = (Get-WmiObject -Class Win32_Product)
# Applications to look for in the Win32_Product list (add more names to this array)
$SoftwareList = @("Google Chrome")
foreach ($AppName in $SoftwareList)
{
    # Select-String matches the application name against the string form of each product entry
    if ($AppsList | Select-String -Pattern "$AppName")
    {
        $hash.Add($AppName, $true)
    }
    else
    {
        $hash.Add($AppName, $false)
    }
}
# Return the results as compact JSON; Intune compares these keys against the JSON rules file
return $hash | ConvertTo-Json -Compress
```
With this script, we create a hash table to store the information collected from the machine, and then return that data as a JSON string that Intune will evaluate. The script searches the Win32 Product list on the machine for each application named in the SoftwareList variable, then adds the application name and a true or false value to the hash table.
We can search for other elements of Windows, not just the Win32 Products list. For example, we can search for registry entries, file and folder names, etc. The main criterion is that whatever we search for must return a value of a type recognized by the JSON file above: Boolean, Int64, Double, String, DateTime, or Version.
The script does have the following limitations placed on it: both the script and its output must be less than 1MB in size, and the script can take no longer than five minutes to complete on Linux systems, or ten minutes on Windows systems.
As an additional note, I have found that sometimes the order of elements in the JSON and the order of the searched items the script returns need to be the same. In some cases, the compliance of a machine was returned as a false value due to this inconsistency in the order. So in our policy, we explicitly set the items to be searched in the hash table to be in the exact same order as the JSON file.
Once we have the script and the JSON file complete, we add these elements to a custom policy within Intune.
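The two points above, searching something other than Win32_Product and keeping the output keys in the same order as the JSON rules, are shown together in this added example. It is not the script from the original post: it reads the standard Uninstall registry keys instead of Win32_Product (which avoids the slow MSI consistency check), returns both a Boolean and a Version value, and uses an [ordered] hash table so the keys are emitted in a fixed sequence. It assumes a JSON file whose rules are "Google Chrome" (Boolean) and "Google Chrome Version" (Version), in that order, and that the application's DisplayName in the registry is exactly "Google Chrome"; the "0.0" fallback version is a value chosen for this example.

```powershell
# Added example: registry-based discovery script for an Intune custom compliance policy.
# Assumed rules file order: 1) "Google Chrome" (Boolean)  2) "Google Chrome Version" (Version)

# Standard uninstall locations: 64-bit machine-wide, 32-bit machine-wide, and per-user.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Read every uninstall entry once. Missing hives (e.g. no HKCU entries) are ignored.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion

function Get-InstalledApp {
    param([string]$DisplayName)
    # Exact, case-insensitive match. -like with no wildcard characters avoids treating
    # the application name as a regular expression (unlike Select-String -Pattern).
    $installed | Where-Object { $_.DisplayName -like $DisplayName } | Select-Object -First 1
}

$chrome = Get-InstalledApp -DisplayName 'Google Chrome'

# Version must be returned as a dotted string so Intune can compare it as a Version.
# When the application is absent, return an assumed "0.0" so the Version rule fails cleanly
# instead of producing a missing key.
$chromeVersion = '0.0'
if ($chrome -and $chrome.DisplayVersion) { $chromeVersion = [string]$chrome.DisplayVersion }

# [ordered] preserves insertion order, so the JSON keys come out in the same sequence
# as the rules in the compliance JSON file.
$result = [ordered]@{
    'Google Chrome'         = [bool]$chrome
    'Google Chrome Version' = $chromeVersion
}

return $result | ConvertTo-Json -Compress
```

Running this on a machine where Chrome is installed produces a single-line JSON object whose first key is the Boolean result and whose second key is the version string; each key name matches a SettingName in the rules file exactly, which is what Intune requires when it evaluates the policy.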
From the Intune Devices overview, select Compliance Policies from the left navigation pane:
Compliance Policies Main Page
From here, we first need to upload the PowerShell Script we created above:
Select Scripts, and then Add from the Top Navigation Pane
Select the operating system:
And Fill in the Details
Copy the contents of your PowerShell Script in the window below
The options at the bottom will determine how the script is run on the machine. I recommend leaving the default option for credentials selected as the user may not have the ability to run PowerShell scripts. I also recommend running the script in the 64-bit host if possible.
Select Next and review the script and options and select Create.
Once completed we are now presented with the following information:
Once the script has been uploaded, we can now create the compliance policy.
From the Policy overview, select Create Policy from the top navigation panel:
Select the appropriate platform from the popout:
And select Create
Fill in the details about the policy:
On the Compliance Settings screen, we can choose which items to validate against. For our example, we need to select Custom Compliance:
Select the down arrow:
Change Custom Compliance to Required
We now need to select the script we want to use for validation. Click on Select Url and the below popout appears:
Select the script we uploaded earlier and then hit Select at the bottom.
Now we need to upload the JSON file. Select the folder link next to the Select a file option and browse to the JSON file we created.
Intune will validate the JSON file for syntax accuracy. At this point, we can also add other Intune standard compliance items if necessary; otherwise select Next.
Set the action for Noncompliance:
The Scope Tags:
And finally, the Assignments:
Review, then create the compliance policy:
Now we just need to wait for Intune to run the script and process the information for validation. Generally speaking, custom compliance elements need the following two items to happen before Intune will properly report the information: 12 hours to run and evaluate compliance, and the machine needs to be rebooted. Even if the twelve hours have passed, Intune generally will not correctly report compliance status until after the machine has been rebooted as custom elements are not checked until then.
With the use of custom elements, we can quickly glance at a machine's compliance status and determine if the machine is end-user ready and meeting the deployment needs of the organization.