Custom Hardware Inventory with Intune

Asher Jebbink
Mar 28, 2024

Those coming from SCCM to Intune will discover that yet another feature Intune is missing is decent hardware inventory. There are various solutions online that try to address this and below I present my own version. My solution differs from others in that it is:

  1. Not limited by the 2048-character return limit of Remediation scripts.
  2. Not dependent on any additional resources beyond those already included with E3 or E5 licensing. Most other solutions rely on additional Azure storage and uploading to Log Analytics. In highly politically managed organisations it can be near impossible to have these additional resources created.

Requirements:

  1. Microsoft Defender, with your devices onboarded to it and sending data to it.

Solution Overview

  1. A PowerShell Remediation script is deployed to all devices and runs on a fixed schedule.
  2. The PowerShell script collects your desired custom inventory data and “echo”s this on the command line in JSON format.
  3. Microsoft Defender automatically captures this echo command.
  4. Using Microsoft Defender’s Advanced Hunting, we search for all of these events and extract the JSON. The data can then be used in Microsoft Defender to do additional querying/analysis or exported to other tools.

The Script

My sample PowerShell script can be found here: https://gist.github.com/auash/a8b2b570f390538429fba5252c599dc9

Take note of line 3, $ScriptVersion = "02", and the second-to-last line:

Start-Process -FilePath cmd.exe -ArgumentList "/c HardwareInventory$ScriptVersion $CompressedJSON" -NoNewWindow

The command runs with a string (i.e. HardwareInventory02). This is the “magic string” that you will use later to uniquely identify these events in Microsoft Defender. You can change this string if you need to. The version number lets you change the JSON data schema in future while still being able to use data from older versions.

Deploy this as a Remediation script on whatever schedule suits.

Viewing captured inventory data

Open Microsoft Defender’s Advanced Hunting and enter the following KQL query:

DeviceProcessEvents
| where ProcessCommandLine contains "HardwareInventory02" and FileName contains "cmd"
| summarize arg_max(Timestamp, *) by DeviceName
| extend d=parse_json(substring(ProcessCommandLine, 33))
| evaluate bag_unpack(d)

Note the following:

  • where ProcessCommandLine contains "HardwareInventory02" — identifying events via the magic string discussed earlier
  • summarize arg_max(Timestamp, *) by DeviceName — select only the most recent event per device
  • extend d=parse_json(substring(ProcessCommandLine, 33)) — extract the JSON created by the PowerShell script
  • evaluate bag_unpack(d) — convert all the JSON properties into table columns within the output in Microsoft Defender
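
A variant of the query above that locates the JSON relative to the magic string instead of the fixed offset 33, and drops events whose payload did not parse as a JSON object. This is an added example, not the author's query; the 30-day lookback and the Inv_ column prefix are assumptions.

```kusto
// Added example, not part of the original article.
// Marker = the article's magic string plus the space that precedes the JSON.
let Marker = "HardwareInventory02 ";
DeviceProcessEvents
| where Timestamp > ago(30d)              // assumption: adjust to your script schedule
| where FileName =~ "cmd.exe" and ProcessCommandLine contains_cs Marker
// Find the payload by searching for the marker, so a quoted or fully
// qualified path in front of cmd.exe does not shift the offset.
| extend MarkerPos = indexof(ProcessCommandLine, Marker)
| extend Raw = substring(ProcessCommandLine, MarkerPos + strlen(Marker))
| extend d = parse_json(Raw)
// parse_json returns a plain string when the text is not valid JSON
// (for example a cut-off command line); keep only real property bags.
| where gettype(d) == "dictionary"
// Most recent valid inventory event per device.
| summarize arg_max(Timestamp, DeviceName, d) by DeviceId
// Prefix the unpacked columns so a JSON property cannot collide with
// an existing column such as DeviceName.
| evaluate bag_unpack(d, "Inv_")
```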

Don’t forget to increase the time period that the search covers (default is 7 days) if your script runs on a long interval.

Example output:
