Intune
Collecting Custom Inventory with Intune: A Step-by-Step Guide
Jannik ReinhardTopics: Intune
Intune has significantly expanded its capabilities in recent years, emerging as a robust tool for managing major client operating systems with ease. A key element in managing this effectively is the custom inventory feature. This blog will cover how custom inventory works, and then demonstrate how to effectively collect custom inventory with Intune and integrate it using Azure resources.
Understanding Custom Inventory
Custom Inventory is a feature that allows administrators to define and track additional, specific information about their devices beyond the standard data typically collected. This can be highly beneficial for managing a diverse or specialized set of devices.
Some examples include connected hardware, versions of 3rd party agents, or anything else that can be read from the client.
Creating a Custom Inventory for Intune
To collect custom inventory, you need three components:
- Remediation Script: Added in Intune, this script is pushed to the device to collect inventory data and unique information, ensuring the inventory originates from the correct client.
- Azure Functions: These validate and authenticate the client and push the results to the log analytics workspace to save the data and provide it to the admin.
- Log Analytics: Provides a powerful interface to query the data via KQL.
Deploying Your Custom Inventory Solution in Intune
First, deploy a log analytics workspace to your subscription in a resource group. For this you open the Azure Portal and search in the search bar for “log analytics workspace.” Click + Create and select the subscription, resource group, and enter a name and a region.
When this is done you have to open the workspace and copy and save the Workspace ID and the Primary key from the Agent menu.
The next service you need is an Azure Function. The process is the same. Search in the search bar for Function App. Click + Create. Here you also have to fill out the information. It is important to select PowerShell Core as Runtime stack, Windows as Operating system, and select consumption plan. Click next and configure the other option.
Now you have to activate the managed Identity of the function. For this, open the Function and select Identity and set this to On. Now you have to add permissions to this Identity for Device.Read.All and Organization.Read.All. You have to do this via a PowerShell script. You can find the script in this repository.
In the App files menu, you have to select the requirements.psd1 file. In this file you have to copy the following content:
@{
‘Az’ = ’10.*’
‘Microsoft.Graph’ = ‘2.*’
}
After this, you then create a new function app in the Overview menu. Click + Create and then copy/paste the following script and click save.
Hint: You can also use Visual Studio Code with the Azure Functions extension to deploy the app.
When this is done, the infrastructure is then ready. The final step is to add the remediation script to Intune. I have already created an example script which collects some information like CPU and Ram utilization from the clients. You can adapt this script and everything that you want to collect. To add this script to Intune, open the Intune Portal and navigate to Remediations and click + Create script package. Here you have to enter a name for the remediation and insert the script as a detection script. For the first run, assign it to a group with test devices and verify that everything works as expected. Once this is tested, you can assign it to more devices.
Conclusion: Collecting Custom Inventory with Intune
Now you can find your data in the log workspace. Here you can also create multiple tables for the different inventory categories and query the data with the powerful KQL language.
When you combine Intune with Azure, you can more-or-less handle every challenge. You also have a very powerful environment to build custom solutions for automation and analytics.
If you have questions or if you want to learn more about Intune and Azure, contact me via my blog jannikreinhard.com.
