Deploy power settings automated in Microsoft Intune

Climate change is the talk of the day. Every little step to help the world is great. Power consumption is a big topic in those discussions. In this blog post, I show how to deploy power management settings the automated way in Microsoft Intune. This is to save battery on hardware devices. I also show how to assign the policy to a part of the devices with a filter.

Together with Mattias Melkersen, we decided to write a blog about how to configure power settings in Microsoft Intune. Mattias has written a blog about how to configure power settings in the portal. Based on that post, I’m writing a post about how to configure power settings the automated way.

Authentication

To deploy settings in Microsoft Intune we need to authenticate. During deployment, I use the Graph API. To authenticate against the Graph API we need API permissions. The API permissions are set at an application registration. The application registration needs the following permissions:

  • DeviceManagementConfiguration.ReadWrite.All
    (Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user.)

To authenticate against the Graph API I used the PowerShell code below:

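# Placeholder values. Do not hard-code the client secret in a script; read it from a secret store at run time.
$appId = "077d124e"
$appSecret = "0UF7Q"
$tenantId = "dag7"

# OAuth 2.0 client credentials request (parameter names in lowercase, as the token endpoint defines them)
$body = @{
    grant_type    = "client_credentials"
    scope         = "https://graph.microsoft.com/.default"
    client_id     = $appId
    client_secret = $appSecret
}
$connectParams = @{
    uri    = "https://login.microsoftonline.com/{0}/oauth2/v2.0/token" -f $tenantId
    method = "POST"
    body   = $body
}
$connect = Invoke-RestMethod @connectParams
# Header that is reused for every Graph API request in this post
$authHeader = @{
    'Content-Type' = 'application/json'
    Authorization  = 'Bearer ' + $connect.access_token
}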

If you are not that familiar with REST API authentication, it is also possible to use the PowerShell command Get-AzAccessToken. To use that command, you need to connect to Azure first with Connect-AzAccount. I also connect with the application. If you use these commands, install the Az.Accounts PowerShell module.

# Sign in as the application (service principal) with the same app ID and secret
$passwd = ConvertTo-SecureString $appSecret -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential($appId, $passwd)
Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant $tenantId
$token = Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com'
# Recent Az.Accounts versions return Token as a SecureString; convert it to plain text before building the header
$authHeader = @{
    'Content-Type' = 'application/json'
    Authorization  = 'Bearer ' + $token.Token
}
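
An added example, not part of the original post: before calling the Graph API, decode the access token and confirm that the application carries only the permission listed above. The function names and the claim names read from the token (roles, aud, appid, exp) are assumptions; the sample token is constructed and unsigned, and the signature is not verified.

```powershell
# Decode the payload segment of a JWT (inspection only, no signature verification).
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWT: expected 3 segments, got $($parts.Count)" }
    # base64url -> base64, then restore the stripped padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } 1 { throw 'Invalid base64url length' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# Compare the token's application roles with the permission the deployment needs.
function Test-GraphTokenScope {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string[]]$ExpectedRoles = @('DeviceManagementConfiguration.ReadWrite.All')
    )
    $claims  = ConvertFrom-JwtPayload -Token $Token
    $roles   = @($claims.roles | Where-Object { $_ })
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    [pscustomobject]@{
        AppId        = $claims.appid
        Audience     = $claims.aud
        MissingRoles = @($ExpectedRoles | Where-Object { $_ -notin $roles })
        ExtraRoles   = @($roles | Where-Object { $_ -notin $ExpectedRoles })
        Expired      = $expires -le [DateTimeOffset]::UtcNow
    }
}

# Constructed, unsigned sample token (not a real credential) that carries one extra role.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = @{
    aud   = 'https://graph.microsoft.com'
    appid = '00000000-0000-0000-0000-000000000000'
    roles = @('DeviceManagementConfiguration.ReadWrite.All', 'Directory.ReadWrite.All')
    exp   = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress
$sample = '{0}.{1}.{2}' -f (ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url $payload), 'sig'

$check = Test-GraphTokenScope -Token $sample
$check
if ($check.ExtraRoles -or $check.MissingRoles -or $check.Expired) {
    Write-Warning 'Token does not match the expected least-privilege profile; stop before deploying.'
}
# With a real token: Test-GraphTokenScope -Token $connect.access_token
```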

Deploy power settings policy automated

In this chapter, we configure a configuration policy named Windows – Power management settings. The policy is created with the Graph API. In the first part, I discuss the settings and how they are formatted. In the second part, I show how to bring all parts together and send the request to the Graph API.

Power management settings

A configuration policy consists of settings. Within this policy, I configure the following settings based on the settings catalog.

The settings are based on Mattias Melkersen's blog post and Kenneth Van Surksum's blog post (scroll down to the Power Settings chapter) about power management. I also added some extra settings which I think also help.

| Category | Setting Location | Setting | Value |
|---|---|---|---|
| General | Administrative Templates > System > Power Management | Select an active power plan | Enabled |
| General | Administrative Templates > System > Power Management | Active Power Plan: (Device) | Automatic |
| Power | Administrative Templates > System > Power Management > Hard Disk Settings | Turn Off the hard disk (plugged in) | Disabled |
| Power | Administrative Templates > System > Power Management > Hard Disk Settings | Turn Off the Hard Disk (seconds) (Device) | 0 |
| Power | Administrative Templates > System > Power Management > Notification Settings | Low battery notification action | Enabled |
| Power | Administrative Templates > System > Power Management > Notification Settings | Low Battery Notification Action (Device) | Sleep |
| Power | Administrative Templates > System > Power Management > Notification Settings | Low battery notification level | Enabled |
| Power | Administrative Templates > System > Power Management > Notification Settings | Low Battery Notification Level (Device) (in percent) | 5 |
| Power | Administrative Templates > System > Power Management > Sleep Settings | Require a password when a computer wakes (plugged in) | Enabled |
| Power | Administrative Templates > System > Power Management > Sleep Settings | Specify the system sleep timeout (plugged in) | Enabled |
| Power | Administrative Templates > System > Power Management > Sleep Settings | System Sleep Timeout (seconds) | 1200 |
| Power | System > Power Management > Video and Display Settings | Turn off the display (plugged in) | Enabled |
| Power | System > Power Management > Video and Display Settings | When plugged in, turn display off after (seconds) | 300 |
| Power | Power | Select Lid Close Action Plugged In | Sleep |
| Power | Power | Select Power Button Action Plugged In | System |

Power plugged in settings

| Category | Setting Location | Setting | Value |
|---|---|---|---|
| General | Administrative Templates > System > Power Management | Select an active power plan | Enabled |
| General | Administrative Templates > System > Power Management | Active Power Plan: (Device) | Automatic |
| Battery | Administrative Templates > System > Power Management > Hard Disk Settings | Turn Off the hard disk (on battery) | Enabled |
| Battery | Administrative Templates > System > Power Management > Hard Disk Settings | Turn Off the Hard Disk (seconds) (Device) | 1 |
| Battery | Administrative Templates > System > Power Management > Sleep Settings | Require a password when a computer wakes (battery) | Enabled |
| Battery | Administrative Templates > System > Power Management > Sleep Settings | Specify the system sleep timeout (plugged in) | Enabled |
| Battery | Administrative Templates > System > Power Management > Sleep Settings | System Sleep Timeout (seconds) | 600 |
| Battery | System > Power Management > Video and Display Settings | Turn off the display (battery) | Enabled |
| Battery | System > Power Management > Video and Display Settings | When plugged in, turn display off after (seconds) | 60 |
| Power | Power | Select Lid Close Action Plugged In | Sleep |
| Power | Power | Select Power Button Action Plugged In | System |
| General | Power | Energy Saver Battery Threshold On Battery | 10 |

Battery settings

Settings body

Because it makes life much easier, I converted all the settings into a JSON file. The idea is to read the content and add the content to the request body. The file with the power configuration policy settings is stored in my GitHub repository. Part of the file content looks like this:

{
    "id": "1",
    "settingInstance": {
        "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
        "settingDefinitionId": "device_vendor_msft_policy_config_admx_power_diskacpowerdowntimeout_2",
        "settingInstanceTemplateReference": null,
        "choiceSettingValue": {
            "settingValueTemplateReference": null,
            "value": "device_vendor_msft_policy_config_admx_power_diskacpowerdowntimeout_2_0",
            "children": []
        }
    }
}

Deploy configuration policy automated

In the post body below I set up the name and description. The platforms and technologies objects are Microsoft predefined settings. The settings object is filled with the content of the JSON file. I convert the content back to a PowerShell object first. This is to create a request body with PowerShell objects only. In the end, I convert the whole body into a JSON object.
If you convert JSON content twice, the JSON text ends up in the body as an escaped string, which the REST API does not accept.

For more information about the request body, check the URL: https://docs.microsoft.com/en-us/graph/api/intune-deviceconfigv2-devicemanagementconfigurationpolicy-create?view=graph-rest-beta#request-body

$policyBody = @{
    "@odata.type"  = "#microsoft.graph.deviceManagementConfigurationPolicy"
    "name"         = "Windows - Power management Settings"
    "description"  = "Settings for Windows power management"
    "platforms"    = "windows10"
    "technologies" = "mdm"
    "settings"     = @( 
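        # Read the whole file as one string and convert it to objects; the body is serialized once, later on
        Get-Content ./power-management-settings.json -Raw | ConvertFrom-Json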
    )
}

After the body is done, I put all the parts together into a PowerShell object: the URL, method, headers (from the first chapter), and the body with the settings. I use the PowerShell splatting technique to execute the command with all the parameters.

$policyUrl = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies"
$policyParams = @{
    URI     = $policyUrl 
    Method  = "POST"
    Headers = $authHeader
    Body    = $policyBody | ConvertTo-Json -Depth 99
}
$policy = Invoke-RestMethod @policyParams
$policy
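
An added example, not part of the original post: a pre-flight check that shows the double-conversion mistake next to the correct body and validates the settings before the request is sent. Test-PolicyBodyJson is a hypothetical helper, the sample file content is constructed from the entry shown earlier, and the rule that a choice value starts with its settingDefinitionId is an assumption taken from that entry.

```powershell
# Constructed sample: the settings entry from this post, wrapped in an array as file content.
$settingsJson = @'
[{
  "id": "1",
  "settingInstance": {
    "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
    "settingDefinitionId": "device_vendor_msft_policy_config_admx_power_diskacpowerdowntimeout_2",
    "choiceSettingValue": {
      "value": "device_vendor_msft_policy_config_admx_power_diskacpowerdowntimeout_2_0",
      "children": []
    }
  }
}]
'@

# Hypothetical helper: list the problems found in the final JSON request body.
function Test-PolicyBodyJson {
    param([Parameter(Mandatory)][string]$Json)
    $problems = @()
    $body = $Json | ConvertFrom-Json
    foreach ($s in @($body.settings)) {
        if ($s -is [string]) { $problems += 'settings entry is a JSON string (double-encoded)'; continue }
        $inst = $s.settingInstance
        if (-not $inst.settingDefinitionId) { $problems += "setting $($s.id): no settingDefinitionId"; continue }
        # Assumption taken from the sample entry: a choice value id starts with its definition id.
        $choice = $inst.choiceSettingValue
        if ($choice -and -not "$($choice.value)".StartsWith("$($inst.settingDefinitionId)_")) {
            $problems += "setting $($s.id): choice value does not match $($inst.settingDefinitionId)"
        }
    }
    $problems
}

# Wrong: the JSON text itself goes into the body and is serialized a second time.
$double = @{ name = 'demo'; settings = @($settingsJson) } | ConvertTo-Json -Depth 99
# Right: convert the file content to objects first, then serialize the whole body once.
$settings = $settingsJson | ConvertFrom-Json
$single = @{ name = 'demo'; settings = @($settings) } | ConvertTo-Json -Depth 99

# Run the check on both bodies; only send a body for which no problems are listed.
Test-PolicyBodyJson -Json $double
Test-PolicyBodyJson -Json $single
```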

The result

[Screenshot: mem-policy-settings]

Power settings assignment with filters

In the last part, we assign the policy to all devices that are not virtual machines. This is because virtual machines don’t have a battery, so the policy is not applicable to those machines. To create a ‘NOT’ group I use filters. Based on the device’s model, I created a filter where the model is not equal to virtual machines.

For more information about filters, check the URL: https://docs.microsoft.com/en-us/mem/intune/fundamentals/filters

Creating filters the automated way is out of scope for this blog post.

I searched for the created filter with the code below and used the ID in the assignment body.

$filterUrl = "https://graph.microsoft.com/beta/deviceManagement/assignmentFilters"
$filterParams = @{
    URI     = $filterUrl 
    Method  = "GET"
    Headers = $authHeader
}
$filters = Invoke-RestMethod @filterParams
# Keep only the filter that is needed; $filters.value holds every filter in the tenant
$filter = $filters.value | Where-Object {$_.displayName -eq 'No virtual machines'}
$filter

To assign policies automated with PowerShell I used the code below. First is the request body. I create a new GUID and provide the $filter.id value as the filter ID, so that only the ID of the 'No virtual machines' filter is sent, even when the tenant has more filters. At last, I convert the body into JSON format.

$assignBody = @{
    "assignments" = @(
        @{
            id     = $(New-Guid).Guid
            target = @{
                "@odata.type"                              = "#microsoft.graph.allDevicesAssignmentTarget"
                deviceAndAppManagementAssignmentFilterType = "include"
                deviceAndAppManagementAssignmentFilterId   = $filter.id
            }
        }
    )
}
$assignBody = $assignBody | ConvertTo-Json -Depth 4

In the request, I provide the $assignBody and the $policy.Id from the steps above.

$assignmentUrl = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/{0}/assign" -f $policy.id
$policyParams = @{
    URI     = $assignmentUrl 
    Method  = "POST"
    Headers = $authHeader
    Body    = $assignBody
}
$assignment = Invoke-RestMethod @policyParams
$assignment

Summary

In this post, I showed how to configure power management settings in Microsoft Intune the automated way. I showed how to create a configuration policy and how to assign the policy to all devices. A part of the assignment is the use of filters.

Thank you for reading this blog about how to enroll power management settings automated in Microsoft Intune.

I hope you got a bit inspired. Enjoy your day and happy automating 👋