If you manage Intune at scale, PowerShell with Microsoft Graph is your most important tool. These 10 commands are the foundation every IT admin, EUC engineer, and Modern Workplace engineer needs before moving to advanced automation. Master these and you can handle device inventory, compliance reporting, remote actions, and cleanup — all from the terminal.
Prerequisites
Install the Microsoft Graph PowerShell SDK if you have not already. Run this once in an elevated PowerShell session:
# Install the Microsoft Graph module (run once, elevated)
Install-Module Microsoft.Graph -Scope CurrentUser
# Import for the current session
Import-Module Microsoft.Graph
Requires PowerShell 5.1 or PowerShell 7+. The module works in Windows PowerShell, PowerShell Core, and the VS Code terminal. Official docs: Microsoft Graph PowerShell SDK overview.
1. Connect to Microsoft Graph
Every Intune automation script starts here. This authenticates your session and defines which Graph API permissions you are requesting.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All", "Directory.Read.All"
This opens a browser window for interactive sign-in. For unattended automation (scheduled tasks, Azure Automation), use a service principal with app-only permissions instead. Without a successful connection, all downstream commands will fail with an authentication error. See: Connect-MgGraph authentication.
2. Get All Managed Devices
Returns every device enrolled in Intune. Use this as the starting point for any inventory, reporting, or bulk operation.
# -All pages through every record; without it only the first page of results is returned
Get-MgDeviceManagementManagedDevice -All
Returns objects with properties including DeviceName, UserPrincipalName, ComplianceState, OperatingSystem, LastSyncDateTime, and more. Pipe to Select-Object or Where-Object to filter. Reference: Get-MgDeviceManagementManagedDevice.
3. Get a Specific Device
Filter by device name for targeted troubleshooting or support work.
Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.DeviceName -eq "LAPTOP-001" }
For large tenants, retrieving all devices before filtering is slow. Use the -Filter parameter to push filtering to the Graph API instead:
Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'LAPTOP-001'"
4. Export Devices to CSV
Build audit-ready reports or feed data into Excel, Power BI, or a ticketing system.
Get-MgDeviceManagementManagedDevice -All |
    Select-Object DeviceName, UserPrincipalName, ComplianceState, OperatingSystem, LastSyncDateTime |
    Export-Csv "C:\Temp\IntuneDevices.csv" -NoTypeInformation
Add -Encoding UTF8 if you are sharing the CSV with teams on different locales to avoid character encoding issues.
5. Get Non-Compliant Devices
The most important command for security operations. Returns every device that is currently failing compliance policy.
Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.ComplianceState -ne "compliant" } |
    Select-Object DeviceName, UserPrincipalName, ComplianceState, LastSyncDateTime |
    Export-Csv "C:\Temp\NonCompliant.csv" -NoTypeInformation
ComplianceState values include compliant, noncompliant, unknown, conflict, and error. Filtering for anything other than compliant catches all risk states. See: Monitor Intune device compliance policies.
6. Force Sync a Device
When a policy change is not reaching a device, or a user reports Intune settings are not applying, force a sync without waiting for the next scheduled check-in.
# Get the device ID first
$device = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'LAPTOP-001'"
# Trigger sync
Invoke-MgDeviceManagementManagedDeviceSyncDevice -ManagedDeviceId $device.Id
The sync request is queued and delivered when the device next communicates with Intune — it is not instant if the device is offline. Reference: Sync devices with Intune.
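Because the sync is only delivered at the device's next check-in, a script cannot treat the cmdlet returning as proof that the device synced. The following added example (not from the original article) queues the sync, guards against zero or duplicate name matches before using .Id, and then polls LastSyncDateTime until it advances or a timeout expires; it assumes an existing session with DeviceManagementManagedDevices.ReadWrite.All.

```powershell
# Added example: trigger an Intune sync and confirm the device actually checked in.
# Assumes Connect-MgGraph has already been run with DeviceManagementManagedDevices.ReadWrite.All.
function Sync-IntuneDeviceAndWait {
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [int]$TimeoutMinutes = 10
    )
    # Server-side filter; check the match count before trusting .Id
    $found = @(Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'")
    if ($found.Count -ne 1) {
        throw "Expected exactly one device named '$DeviceName', found $($found.Count)"
    }
    $device = $found[0]
    $before = $device.LastSyncDateTime

    Invoke-MgDeviceManagementManagedDeviceSyncDevice -ManagedDeviceId $device.Id
    Write-Host "Sync queued for $DeviceName (last sync: $before)"

    # The request is delivered only when the device next talks to Intune, so poll for progress
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 30
        $now = (Get-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id).LastSyncDateTime
        if ($now -gt $before) {
            Write-Host "Device checked in at $now"
            return $true
        }
    }
    # Offline or unreachable devices never advance LastSyncDateTime; report it instead of assuming success
    Write-Warning "$DeviceName did not check in within $TimeoutMinutes minutes; it may be offline"
    return $false
}

Sync-IntuneDeviceAndWait -DeviceName 'LAPTOP-001'
```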
7. Restart a Device Remotely
Remote reboot without RDP. Useful after policy changes that require a restart, or during troubleshooting when the user is unavailable.
$device = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'LAPTOP-001'"
Invoke-MgDeviceManagementManagedDeviceRebootNow -ManagedDeviceId $device.Id
The device must be online and able to receive the command from Intune. The user will see a notification before the reboot occurs. Reference: Remotely restart devices with Intune.
8. Wipe a Device Remotely
Factory reset a device over the air — the most critical remote action for lost, stolen, or employee exit scenarios.
$device = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'LAPTOP-001'"
Invoke-MgDeviceManagementManagedDeviceWipe -ManagedDeviceId $device.Id `
    -KeepEnrollmentData:$false `
    -KeepUserData:$false
Warning: this is irreversible. Set -KeepEnrollmentData:$true if you want the device to automatically re-enrol into Autopilot after the wipe. Set -KeepUserData:$true for a selective wipe that removes corporate data only (for BYOD). Reference: Remove devices by using wipe, retire, or manually unenrolling the device.
9. Delete a Stale Device Record
Removes the device object from Intune. Use this for devices that are already decommissioned, reset, or no longer exist — not as a substitute for wipe on active devices.
$device = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'LAPTOP-OLD'"
Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id
For bulk cleanup of devices inactive for 90+ days, combine with a LastSyncDateTime filter:
$cutoff = (Get-Date).AddDays(-90)
# -All is required here: without it only the first page of devices is examined
# Add -WhatIf to Remove-MgDeviceManagementManagedDevice for a dry run before the real pass
Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.LastSyncDateTime -lt $cutoff } |
    ForEach-Object {
        Write-Host "Removing: $($_.DeviceName) — last sync $($_.LastSyncDateTime)"
        Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $_.Id
    }
10. Get Device Last Sync Time
Identify devices that have gone dark — not communicating with Intune. Essential for identifying stale records, offline devices, and potential security gaps.
Get-MgDeviceManagementManagedDevice -All |
    Select-Object DeviceName, UserPrincipalName, LastSyncDateTime |
    Sort-Object LastSyncDateTime |
    Export-Csv "C:\Temp\LastSync.csv" -NoTypeInformation
Sorting ascending puts the most outdated devices at the top, making it easy to spot devices that have not synced in weeks or months.
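Sections 9 and 10 are two halves of one workflow: find the devices that have gone dark, record them, then delete. The added example below (not part of the original article) combines them into a single function that writes the audit CSV with names and IDs before anything is removed, skips records that have never synced, and supports -WhatIf and -Confirm so the destructive step can be rehearsed first; the report path and day threshold are assumed defaults.

```powershell
# Added example: audit-first cleanup of stale Intune device records.
# Assumes an existing session with DeviceManagementManagedDevices.ReadWrite.All.
function Invoke-StaleDeviceReview {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Days = 90,
        [string]$ReportPath = "C:\Temp\StaleDevices.csv"   # assumed default location
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    # -All pages through every record; records with no LastSyncDateTime are excluded, not deleted
    $stale = @(Get-MgDeviceManagementManagedDevice -All |
        Where-Object { $_.LastSyncDateTime -and $_.LastSyncDateTime -lt $cutoff } |
        Select-Object DeviceName, UserPrincipalName, Id, ComplianceState, LastSyncDateTime,
            @{ Name = 'DaysSinceSync'; Expression = { [int]((Get-Date) - $_.LastSyncDateTime).TotalDays } })

    if ($stale.Count -eq 0) {
        Write-Host "No devices have been silent for more than $Days days"
        return $stale
    }

    # Write the audit trail (names and IDs) BEFORE any destructive action
    $stale | Sort-Object LastSyncDateTime |
        Export-Csv $ReportPath -NoTypeInformation -Encoding UTF8
    Write-Host "$($stale.Count) devices have not synced in $Days days; report: $ReportPath"

    foreach ($d in $stale) {
        # -WhatIf only prints this step; -Confirm prompts once per device
        if ($PSCmdlet.ShouldProcess("$($d.DeviceName) ($($d.Id))", "Remove stale Intune record")) {
            Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $d.Id
        }
    }
    return $stale
}

# Dry run first; review the CSV, then run again with -Confirm for the real deletion
Invoke-StaleDeviceReview -Days 90 -WhatIf
# Invoke-StaleDeviceReview -Days 90 -Confirm
```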
Bonus: Bulk Wipe Script
This pattern iterates all managed devices and wipes each one. Only use this in decommission or emergency scenarios — it is irreversible across your entire fleet.
# CAUTION: wipes every device in the array — test in a lab first
$devices = Get-MgDeviceManagementManagedDevice -All   # -All: otherwise only the first page is wiped
foreach ($device in $devices) {
    Invoke-MgDeviceManagementManagedDeviceWipe `
        -ManagedDeviceId $device.Id `
        -KeepEnrollmentData:$false `
        -KeepUserData:$false
Write-Host "Wipe initiated for $($device.DeviceName)" -ForegroundColor Green
}
Best Practices
- Least privilege: request only the Graph scopes your script needs — not DeviceManagementManagedDevices.ReadWrite.All when read-only is sufficient
- Service principal for automation: use app-only authentication for scheduled tasks; never embed user credentials in a script
- Secure credentials: store secrets in Azure Key Vault or use managed identity — never hardcode tokens
- Log everything: capture device names and IDs before any destructive action so you have an audit trail
- Test in a lab group: run wipe, delete, and bulk operations against a test device group before touching production
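The app-only sign-in recommended in section 1 and the least-privilege and service-principal points above fit together in one helper. This added example (not from the original article) connects with a certificate from the local store rather than a user credential, then inspects Get-MgContext to confirm the session is app-only and to warn when the token carries permissions the script does not need; the tenant ID, client ID and thumbprint are placeholders, and the warning on surplus permissions is this example's own check, not SDK behaviour.

```powershell
# Added example: app-only connection with a least-privilege sanity check.
# Assumes an app registration already granted DeviceManagementManagedDevices.Read.All
# (application permission) and its certificate installed in the current user's store.
function Connect-IntuneReadOnly {
    param(
        [Parameter(Mandatory)][string]$TenantId,               # placeholder: your tenant GUID
        [Parameter(Mandatory)][string]$ClientId,               # placeholder: app registration (client) ID
        [Parameter(Mandatory)][string]$CertificateThumbprint,  # placeholder: cert in Cert:\CurrentUser\My
        [string[]]$RequiredScopes = @('DeviceManagementManagedDevices.Read.All')
    )
    # Certificate-based app-only sign-in: no browser prompt, no user credential in the script
    Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
        -CertificateThumbprint $CertificateThumbprint -NoWelcome

    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly') {
        throw "Expected app-only authentication, got $($ctx.AuthType)"
    }
    # Surface over-privileged app registrations early (example's own check, not SDK behaviour)
    $extra = $ctx.Scopes | Where-Object { $_ -notin $RequiredScopes }
    if ($extra) {
        Write-Warning "Token carries permissions this script does not need: $($extra -join ', ')"
    }
    return $ctx
}

# Interactive alternative for a read-only inventory run: request only what the task needs
# Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

$ctx = Connect-IntuneReadOnly -TenantId '<tenant-id>' -ClientId '<app-client-id>' `
    -CertificateThumbprint '<thumbprint>'
"Connected to tenant $($ctx.TenantId) as $($ctx.AppName) with: $($ctx.Scopes -join ', ')"
```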
Official Resources
- Microsoft Graph PowerShell SDK overview
- Microsoft.Graph.DeviceManagement module reference
- Intune remote device actions overview
- Monitor Intune device compliance
- Microsoft Graph Explorer — test API calls interactively before scripting