Intune Graph API – Complete Management

by Mattia Cirillo · v1.0.1

A comprehensive skill enabling OpenClaw agents to fully manage Microsoft Intune via the Graph API. Covers devices, apps, policies, compliance, users, groups, reporting, Autopilot, scripts, and remote actions.

Scanned
Risk: Critical
Status: warning
Findings: 80
Last Scanned: 2/21/2026

Scan Report

Duration: 168.8s
Rules checked: 147
Scanned at: 2/21/2026, 6:33:09 PM

Scanners: 4/5 ran

clawguard-rules
80 findings, 6ms
PERM-007 Skill explicitly requests credential access (/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:22)
PI-041 Possible base64-encoded payload, 79 matches in /tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md at lines:
133, 138, 141, 144, 147, 151, 159, 167, 170, 173, 176, 179, 183, 202, 205, 222, 225, 228, 231, 234, 241, 246, 249, 252, 256, 264, 267, 270, 273, 278, 281, 334, 352, 415, 418, 430, 448, 451, 473, 476, 479, 482, 485, 488, 491, 494, 495, 503, 506, 509, 518, 530, 533, 536, 541, 574, 579, 584, 589, 611, 614, 618, 625, 628, 631, 634, 636, 639, 642, 644, 652, 657, 660, 663, 666, 673, 678, 681, 685
clawguard-rules log (6ms)
1[2026-02-21T18:30:21.147Z] Running @yourclaw/clawguard-rules pattern matcher
2Scanning: /tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md
3Content length: 29004 chars
4Patterns matched: 80
5 [high] PERM-007: Skill explicitly requests credential access
6 [low] PI-041: Possible base64-encoded payload
7 [low] PI-041: Possible base64-encoded payload
8 [low] PI-041: Possible base64-encoded payload
9 [low] PI-041: Possible base64-encoded payload
10 [low] PI-041: Possible base64-encoded payload
11 [low] PI-041: Possible base64-encoded payload
12 [low] PI-041: Possible base64-encoded payload
13 [low] PI-041: Possible base64-encoded payload
14 [low] PI-041: Possible base64-encoded payload
15 [low] PI-041: Possible base64-encoded payload
16 [low] PI-041: Possible base64-encoded payload
17 [low] PI-041: Possible base64-encoded payload
18 [low] PI-041: Possible base64-encoded payload
19 [low] PI-041: Possible base64-encoded payload
20 [low] PI-041: Possible base64-encoded payload
21 [low] PI-041: Possible base64-encoded payload
22 [low] PI-041: Possible base64-encoded payload
23 [low] PI-041: Possible base64-encoded payload
24 [low] PI-041: Possible base64-encoded payload
25 [low] PI-041: Possible base64-encoded payload
26 [low] PI-041: Possible base64-encoded payload
27 [low] PI-041: Possible base64-encoded payload
28 [low] PI-041: Possible base64-encoded payload
29 [low] PI-041: Possible base64-encoded payload
30 [low] PI-041: Possible base64-encoded payload
31 [low] PI-041: Possible base64-encoded payload
32 [low] PI-041: Possible base64-encoded payload
33 [low] PI-041: Possible base64-encoded payload
34 [low] PI-041: Possible base64-encoded payload
35 [low] PI-041: Possible base64-encoded payload
36 [low] PI-041: Possible base64-encoded payload
37 [low] PI-041: Possible base64-encoded payload
38 [low] PI-041: Possible base64-encoded payload
39 [low] PI-041: Possible base64-encoded payload
40 [low] PI-041: Possible base64-encoded payload
41 [low] PI-041: Possible base64-encoded payload
42 [low] PI-041: Possible base64-encoded payload
43 [low] PI-041: Possible base64-encoded payload
44 [low] PI-041: Possible base64-encoded payload
45 [low] PI-041: Possible base64-encoded payload
46 [low] PI-041: Possible base64-encoded payload
47 [low] PI-041: Possible base64-encoded payload
48 [low] PI-041: Possible base64-encoded payload
49 [low] PI-041: Possible base64-encoded payload
50 [low] PI-041: Possible base64-encoded payload
51 [low] PI-041: Possible base64-encoded payload
52 [low] PI-041: Possible base64-encoded payload
53 [low] PI-041: Possible base64-encoded payload
54 [low] PI-041: Possible base64-encoded payload
55 [low] PI-041: Possible base64-encoded payload
56 [low] PI-041: Possible base64-encoded payload
57 [low] PI-041: Possible base64-encoded payload
58 [low] PI-041: Possible base64-encoded payload
59 [low] PI-041: Possible base64-encoded payload
60 [low] PI-041: Possible base64-encoded payload
61 [low] PI-041: Possible base64-encoded payload
62 [low] PI-041: Possible base64-encoded payload
63 [low] PI-041: Possible base64-encoded payload
64 [low] PI-041: Possible base64-encoded payload
65 [low] PI-041: Possible base64-encoded payload
66 [low] PI-041: Possible base64-encoded payload
67 [low] PI-041: Possible base64-encoded payload
68 [low] PI-041: Possible base64-encoded payload
69 [low] PI-041: Possible base64-encoded payload
70 [low] PI-041: Possible base64-encoded payload
71 [low] PI-041: Possible base64-encoded payload
72 [low] PI-041: Possible base64-encoded payload
73 [low] PI-041: Possible base64-encoded payload
74 [low] PI-041: Possible base64-encoded payload
75 [low] PI-041: Possible base64-encoded payload
76 [low] PI-041: Possible base64-encoded payload
77 [low] PI-041: Possible base64-encoded payload
78 [low] PI-041: Possible base64-encoded payload
79 [low] PI-041: Possible base64-encoded payload
80 [low] PI-041: Possible base64-encoded payload
81 [low] PI-041: Possible base64-encoded payload
82 [low] PI-041: Possible base64-encoded payload
83 [low] PI-041: Possible base64-encoded payload
84 [low] PI-041: Possible base64-encoded payload
85✓ Completed in 6ms
gitleaks
0 findings, 120203ms
No findings — all checks passed.
gitleaks log (120203ms)
1[2026-02-21T18:32:21.350Z] $ gitleaks detect --source /tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill --report-format json --report-path /dev/stdout --no-git
2
3⚠ stderr output:
4
5 │╲
6 │ ○
7 ○ ░
8 ░ gitleaks
9
10 6:32PM FTL Report path is not writable: /dev/stdout error="open /dev/stdout: no such device or address"
11
12Process exited with code 1
13✓ Completed in 120203ms
semgrep
0 findings, 168830ms
No findings — all checks passed.
semgrep log (168830ms)
1[2026-02-21T18:33:09.981Z] $ semgrep scan --json --quiet --config auto /tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill
2{"version":"1.152.0","results":[],"errors":[],"paths":{"scanned":["/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/README.md","/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md","/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/_meta.json"]},"time":{"rules":[],"rules_parse_time":11.646710872650146,"profiling_times":{"config_time":14.616976976394653,"core_time":16.54252028465271,"ignores_time":0.025228261947631836,"total_time":31.276248693466187},"parsing_time":{"total_time":0.0,"per_file_time":{"mean":0.0,"std_dev":0.0},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_files":[]},"scanning_time":{"total_time":0.6838130950927734,"per_file_time":{"mean":0.09768758501325335,"std_dev":0.018380624155186674},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_files":[]},"matching_time":{"total_time":0.0,"per_file_and_rule_time":{"mean":0.0,"std_dev":0.0},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_rules_on_files":[]},"tainting_time":{"total_time":0.0,"per_def_and_rule_time":{"mean":0.0,"std_dev":0.0},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_rules_on_defs":[]},"fixpoint_timeouts":[],"prefiltering":{"project_level_time":0.0,"file_level_time":0.0,"rules_with_project_prefilters_ratio":0.0,"rules_with_file_prefilters_ratio":0.9797297297297297,"rules_selected_ratio":0.02702702702702703,"rules_matched_ratio":0.02702702702702703},"targets":[],"total_bytes":0,"max_memory_bytes":1170957312},"engine_requested":"OSS","skipped_rules":[],"profiling_results":[]}
3
4Process exited with code 0
5✓ Completed in 168830ms
mcp-scan
0 findings, 130838ms
No findings — all checks passed.
mcp-scan log (130838ms)
1[2026-02-21T18:32:31.991Z] $ mcp-scan --skills /tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill --json
2{
3 "/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo": {
4 "client": "not-available",
5 "path": "/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo",
6 "servers": [
7 {
8 "name": "openclaw-intune-skill",
9 "server": {
10 "path": "/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill",
11 "type": "skill"
12 },
13 "signature": {
14 "metadata": {
15 "meta": null,
16 "protocolVersion": "built-in",
17 "capabilities": {
18 "experimental": null,
19 "logging": null,
20 "prompts": null,
21 "resources": null,
22 "tools": {
23 "listChanged": false
24 },
25 "completions": null,
26 "tasks": null
27 },
28 "serverInfo": {
29 "name": "Intune Graph API \u2013 Complete Management",
30 "title": null,
31 "version": "skills",
32 "websiteUrl": null,
33 "icons": null
34 },
35 "instructions": "A comprehensive skill enabling OpenClaw agents to fully manage Microsoft Intune via the Graph API. Covers devices, apps, policies, compliance, users, groups, reporting, Autopilot, scripts, and remote actions.",
36 "prompts": {
37 "listChanged": false
38 },
39 "resources": {
40 "subscribe": null,
41 "listChanged": false
42 }
43 },
44 "prompts": [
45 {
46 "name": "SKILL.md",
47 "title": null,
48 "description": "\n\n# Microsoft Intune \u2013 Complete Management Skill\n\nThis skill gives the agent **full control over Microsoft Intune** via the Microsoft Graph API. It covers device management, application deployment, compliance & configuration policies, user & group management, Autopilot, PowerShell scripts, reporting, and all remote device actions.\n\n---\n\n## \ud83d\udd11 Authentication\n\nBefore ANY Intune operation, the agent MUST obtain an OAuth 2.0 access token.\n\nThe following environment variables must be configured:\n- `INTUNE_TENANT_ID` \u2013 Microsoft 365 Tenant ID\n- `INTUNE_CLIENT_ID` \u2013 Entra ID App Registration Client ID\n- `INTUNE_CLIENT_SECRET` \u2013 Entra ID App Registration Secret\n\n### Token Request\n**POST** `https://login.microsoftonline.com/{INTUNE_TENANT_ID}/oauth2/v2.0/token`\n\n**Body (x-www-form-urlencoded):**\n```\nclient_id={INTUNE_CLIENT_ID}\n&scope=https://graph.microsoft.com/.default\n&client_secret={INTUNE_CLIENT_SECRET}\n&grant_type=client_credentials\n```\n\nExtract `access_token` from the JSON response. Use it as:\n```\nAuthorization: Bearer <access_token>\n```\n\n### Required API Permissions (App Registration)\nThe Entra ID App Registration needs the following Microsoft Graph **Application** permissions:\n- `DeviceManagementManagedDevices.ReadWrite.All`\n- `DeviceManagementConfiguration.ReadWrite.All`\n- `DeviceManagementApps.ReadWrite.All`\n- `DeviceManagementServiceConfig.ReadWrite.All`\n- `DeviceManagementRBAC.ReadWrite.All`\n- `Directory.Read.All`\n- `User.Read.All`\n- `Group.ReadWrite.All`\n- `GroupMember.ReadWrite.All`\n\n---\n\n## \ud83d\udee1\ufe0f Safety Rules (CRITICAL)\n\n1. **Read operations (GET):** Always safe. Execute without confirmation.\n2. **Sync/Restart operations:** Ask for confirmation: *\"Soll ich Ger\u00e4t X wirklich syncen/neustarten?\"*\n3. **Destructive operations (Wipe, Retire, Delete):** ALWAYS require explicit confirmation. 
Say: *\"\u26a0\ufe0f Achtung: Das l\u00f6scht alle Daten auf dem Ger\u00e4t. Bist du sicher?\"*\n4. **Policy creation/modification:** Confirm before applying: *\"Soll ich diese Policy wirklich erstellen/\u00e4ndern?\"*\n5. **Never dump raw JSON** to the user. Always format output as readable Markdown tables or summaries.\n6. **Error handling:** If an API call returns an error, explain the error in simple German and suggest a fix.\n\n---\n\n## \ud83d\udcf1 1. Device Management\n\n### 1.1 List All Managed Devices\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices`\n\nUse `$select` to limit fields: `?$select=deviceName,operatingSystem,complianceState,lastSyncDateTime,userPrincipalName`\n\nPresent results as a table: | Ger\u00e4tename | OS | Compliance | Letzter Sync | Benutzer |\n\n### 1.2 Search for a Specific Device\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=deviceName eq '{deviceName}'`\n\nAlternative search by user: `?$filter=userPrincipalName eq '{user@domain.com}'`\n\n### 1.3 Get Device Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}`\n\nShow: Device name, Serial number, OS version, Compliance state, Encryption status, Last sync, Enrolled date, Primary user.\n\n### 1.4 Remote Actions on a Device\n\n#### Sync Device\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/syncDevice`\n\n#### Reboot Device\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/rebootNow`\n\n#### Lock Device (Remote Lock)\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/remoteLock`\n\n#### Reset Passcode\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/resetPasscode`\n\n#### Locate Device (Lost Mode \u2013 iOS/Android)\n**POST** 
`https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/locateDevice`\n\n#### Retire Device (Remove Company Data Only)\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/retire`\n\u26a0\ufe0f SAFETY: Requires explicit user confirmation!\n\n#### Wipe Device (Factory Reset)\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/wipe`\n\u26a0\ufe0f SAFETY: ALWAYS ask twice! This deletes ALL data!\n\n#### Delete Device from Intune\n**DELETE** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}`\n\u26a0\ufe0f SAFETY: Requires explicit user confirmation!\n\n#### Rename Device\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/setDeviceName`\nBody: `{\"deviceName\": \"NEW-NAME\"}`\n\n#### Enable/Disable Lost Mode (iOS supervised)\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/enableLostMode`\nBody: `{\"message\": \"Dieses Ger\u00e4t wurde als verloren gemeldet.\", \"phoneNumber\": \"+49...\", \"footer\": \"Kaffee & Code IT\"}`\n\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/disableLostMode`\n\n---\n\n## \ud83d\udccb 2. 
Compliance Policies\n\n### 2.1 List All Compliance Policies\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies`\n\nPresent as: | Policy Name | Platform | Created | Last Modified |\n\n### 2.2 Get Compliance Policy Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}`\n\n### 2.3 Get Compliance Policy Assignments\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}/assignments`\n\n### 2.4 Get Device Compliance Status per Policy\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}/deviceStatuses`\n\n### 2.5 Create a Compliance Policy\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies`\n\u26a0\ufe0f SAFETY: Confirm before creating.\n\n### 2.6 Delete a Compliance Policy\n**DELETE** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}`\n\u26a0\ufe0f SAFETY: Requires explicit user confirmation!\n\n---\n\n## \u2699\ufe0f 3. 
Configuration Policies & Profiles\n\n### 3.1 List Configuration Policies (Recommended API)\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies`\n\nThis is the modern, recommended endpoint covering Endpoint Security, Administrative Templates, and Settings Catalog.\n\n### 3.2 List Legacy Device Configuration Profiles\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations`\n\n### 3.3 Get Configuration Policy Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}`\n\n### 3.4 Get Policy Settings\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}/settings`\n\n### 3.5 Get Policy Assignments\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}/assignments`\n\n### 3.6 Get Device Status per Config Profile\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{configId}/deviceStatuses`\n\n### 3.7 Create Configuration Policy\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies`\n\u26a0\ufe0f SAFETY: Confirm before creating.\n\n### 3.8 Delete Configuration Policy\n**DELETE** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}`\n\u26a0\ufe0f SAFETY: Requires explicit user confirmation!\n\n---\n\n## \ud83d\udce6 4. 
App Management\n\n### 4.1 List All Apps\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps`\n\nPresent as: | App Name | Type | Publisher | Created |\n\n### 4.2 Get App Details\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/{appId}`\n\n### 4.3 Get App Assignments (Who gets the app?)\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/{appId}/assignments`\n\n### 4.4 List App Configuration Policies\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppPolicies`\n\n### 4.5 List App Protection Policies (MAM)\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppRegistrations`\n\n### 4.6 Assign App to a Group\n**POST** `https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/{appId}/assignments`\n\u26a0\ufe0f SAFETY: Confirm before assigning.\n\n### 4.7 List Detected Apps on Devices\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/detectedApps`\n\n### 4.8 Get Devices with a Specific Detected App\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/detectedApps/{detectedAppId}/managedDevices`\n\n---\n\n## \ud83d\udd12 5. 
Endpoint Security\n\n### 5.1 List Security Baselines\n**GET** `https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'baseline'`\n\n### 5.2 List Disk Encryption Policies (BitLocker/FileVault)\n**GET** `https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityDiskEncryption'`\n\n### 5.3 List Firewall Policies\n**GET** `https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityFirewall'`\n\n### 5.4 List Antivirus Policies (Defender)\n**GET** `https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityAntivirus'`\n\n### 5.5 List Attack Surface Reduction Rules\n**GET** `https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityAttackSurfaceReduction'`\n\n---\n\n## \ud83d\ude80 6. Windows Autopilot\n\n### 6.1 List Autopilot Devices\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities`\n\nPresent as: | Serial Number | Model | Group Tag | Enrollment State | Last Seen |\n\n### 6.2 Get Autopilot Device Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/{id}`\n\n### 6.3 List Autopilot Deployment Profiles\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeploymentProfiles`\n\n### 6.4 Assign Autopilot Profile\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/{id}/assignUserToDevice`\nBody: `{\"userPrincipalName\": \"user@domain.com\"}`\n\n### 6.5 Delete Autopilot Device\n**DELETE** `https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/{id}`\n\u26a0\ufe0f SAFETY: Requires explicit user confirmation!\n\n---\n\n## \ud83d\udcdc 7. 
PowerShell Scripts & Remediation\n\n### 7.1 List Device Management Scripts\n**GET** `https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts`\n\n### 7.2 Get Script Details\n**GET** `https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/{scriptId}`\n\n### 7.3 Get Script Execution Status per Device\n**GET** `https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/{scriptId}/deviceRunStates`\n\n### 7.4 Create/Upload a PowerShell Script\n**POST** `https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts`\nBody must include `scriptContent` as Base64-encoded string.\n\u26a0\ufe0f SAFETY: Confirm before uploading. Show the script content to the user first.\n\n### 7.5 List Proactive Remediations (Health Scripts)\n**GET** `https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts`\n\n### 7.6 Get Remediation Script Execution Results\n**GET** `https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts/{scriptId}/deviceRunStates`\n\n---\n\n## \ud83d\udc65 8. 
Users & Groups\n\n### 8.1 List Users\n**GET** `https://graph.microsoft.com/v1.0/users?$select=displayName,userPrincipalName,accountEnabled,jobTitle`\n\n### 8.2 Search User\n**GET** `https://graph.microsoft.com/v1.0/users?$filter=startsWith(displayName,'{name}')`\n\n### 8.3 Get User Details\n**GET** `https://graph.microsoft.com/v1.0/users/{userId}`\n\n### 8.4 List Groups\n**GET** `https://graph.microsoft.com/v1.0/groups?$select=displayName,description,groupTypes,membershipRule`\n\n### 8.5 Get Group Members\n**GET** `https://graph.microsoft.com/v1.0/groups/{groupId}/members`\n\n### 8.6 Add User to Group\n**POST** `https://graph.microsoft.com/v1.0/groups/{groupId}/members/$ref`\nBody: `{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/{userId}\"}`\n\u26a0\ufe0f SAFETY: Confirm before adding.\n\n### 8.7 Remove User from Group\n**DELETE** `https://graph.microsoft.com/v1.0/groups/{groupId}/members/{userId}/$ref`\n\u26a0\ufe0f SAFETY: Confirm before removing.\n\n### 8.8 List Devices for a User\n**GET** `https://graph.microsoft.com/v1.0/users/{userId}/managedDevices`\n\n---\n\n## \ud83d\udcca 9. 
Reporting & Dashboards\n\n### 9.1 Device Compliance Summary\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=complianceState`\nAgent should calculate: X compliant, Y non-compliant, Z in-grace-period, and present as summary + table.\n\n### 9.2 OS Distribution Summary\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=operatingSystem`\nAgent should group by OS and present: \"42 Windows, 15 iOS, 8 Android, 3 macOS\"\n\n### 9.3 Stale Devices (Not synced recently)\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=lastSyncDateTime lt {30_days_ago}&$select=deviceName,lastSyncDateTime,userPrincipalName`\nAgent should calculate the date for 30 days ago automatically.\n\n### 9.4 Non-Compliant Devices Report\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=complianceState eq 'noncompliant'&$select=deviceName,complianceState,userPrincipalName,operatingSystem`\n\n### 9.5 Export Report Job\n**POST** `https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs`\nBody: `{\"reportName\": \"Devices\", \"filter\": \"\", \"select\": [\"DeviceName\",\"OS\",\"ComplianceState\"]}`\n\n---\n\n## \ud83c\udff7\ufe0f 10. Device Categories & Enrollment\n\n### 10.1 List Device Categories\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories`\n\n### 10.2 Create Device Category\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories`\nBody: `{\"displayName\": \"Kategoriename\", \"description\": \"Beschreibung\"}`\n\n### 10.3 Set Device Category on a Device\n**PUT** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{deviceId}/deviceCategory/$ref`\n\n### 10.4 List Enrollment Restrictions\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations`\n\n---\n\n## \ud83d\udd04 11. 
RBAC (Role-Based Access Control)\n\n### 11.1 List Intune Roles\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions`\n\n### 11.2 List Role Assignments\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/roleAssignments`\n\n### 11.3 Get Role Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions/{roleId}`\n\n---\n\n## \ud83d\udca1 Agent Response Guidelines\n\nWhen the user asks a question, follow this logic:\n1. **\"Zeig mir alle Ger\u00e4te\"** \u2192 Use 1.1, format as table.\n2. **\"Ist Ger\u00e4t X compliant?\"** \u2192 Use 1.2 to find it, then check `complianceState`.\n3. **\"Sync Laptop von Max\"** \u2192 Use 1.2 to find `managedDeviceId`, then use 1.4 Sync.\n4. **\"Wie viele Ger\u00e4te hab ich?\"** \u2192 Use 9.2, give OS distribution + total count.\n5. **\"Welche Ger\u00e4te haben sich lange nicht gemeldet?\"** \u2192 Use 9.3.\n6. **\"Erstell mir eine Compliance Policy f\u00fcr Windows\"** \u2192 Use 2.5, ask for requirements first.\n7. **\"Welche Apps sind deployed?\"** \u2192 Use 4.1.\n8. **\"F\u00fcg User Max zur Gruppe IT-Ger\u00e4te hinzu\"** \u2192 Use 8.2 to find user, 8.4 to find group, then 8.6.\n9. **\"Zeig mir den Status vom PowerShell Script XY\"** \u2192 Use 7.3.\n10. **\"Gib mir einen Compliance Report\"** \u2192 Use 9.1 + 9.4.\n11. **\"Zeig mir die Conditional Access Policies\"** \u2192 Use 12.1.\n12. **\"Welche WLAN-Profile sind deployed?\"** \u2192 Use 13.1.\n13. **\"Wie sind meine Windows Update Ringe konfiguriert?\"** \u2192 Use 14.1.\n14. **\"Wer hat letzte Woche was in Intune ge\u00e4ndert?\"** \u2192 Use 17.1.\n15. **\"Kann Intune die Einstellung XY konfigurieren?\"** \u2192 Use 18.1 Settings Catalog search.\n16. **\"Zeig mir alle Autopilot-Ger\u00e4te ohne zugewiesenes Profil\"** \u2192 Use 6.1 + filter.\n\n---\n\n## \ud83d\udee1\ufe0f 12. 
Conditional Access (Bedingter Zugriff)\n\n### 12.1 List Conditional Access Policies\n**GET** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`\n\nPresent as: | Policy Name | State (enabled/disabled/report) | Conditions | Grant Controls |\n\n### 12.2 Get Conditional Access Policy Details\n**GET** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyId}`\n\n### 12.3 Create Conditional Access Policy\n**POST** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`\n\u26a0\ufe0f SAFETY: Always confirm before creating. Show the user a summary of what the policy will do first.\n\ud83d\udca1 TIP: Recommend creating in \"reportOnly\" state first for testing.\n\n### 12.4 Update Conditional Access Policy\n**PATCH** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyId}`\n\u26a0\ufe0f SAFETY: Confirm before modifying. Explain what will change.\n\n### 12.5 Delete Conditional Access Policy\n**DELETE** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyId}`\n\u26a0\ufe0f SAFETY: Requires explicit user confirmation!\n\n### 12.6 List Named Locations (Trusted IPs / Countries)\n**GET** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations`\n\n### 12.7 Create Named Location\n**POST** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations`\nExample IP-based:\n```json\n{\n \"@odata.type\": \"#microsoft.graph.ipNamedLocation\",\n \"displayName\": \"B\u00fcro-Netzwerk\",\n \"isTrusted\": true,\n \"ipRanges\": [{\"@odata.type\": \"#microsoft.graph.iPv4CidrRange\", \"cidrAddress\": \"192.168.1.0/24\"}]\n}\n```\n\n### 12.8 List Authentication Strengths\n**GET** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationStrength/policies`\n\n---\n\n## \ud83d\udcf6 13. 
WLAN, VPN & Zertifikate\n\n### 13.1 List WLAN Profiles\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations?$filter=isof('microsoft.graph.windowsWifiConfiguration') or isof('microsoft.graph.iosWiFiConfiguration') or isof('microsoft.graph.androidWorkProfileWiFiConfiguration')`\n\nAlternative (all configs, then filter by odata.type for Wi-Fi):\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations`\nAgent should filter results where `@odata.type` contains `WiFi` or `wifi`.\n\n### 13.2 List VPN Profiles\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations`\nAgent should filter results where `@odata.type` contains `Vpn` or `vpn`.\n\n### 13.3 Get WLAN/VPN Profile Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{configId}`\n\n### 13.4 Get WLAN/VPN Profile Assignment\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{configId}/assignments`\n\n### 13.5 List SCEP Certificate Profiles\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations`\nAgent should filter results where `@odata.type` contains `Scep` or `Certificate`.\n\n### 13.6 List PKCS Certificate Profiles\nSame endpoint, filter for `Pkcs` in `@odata.type`.\n\n### 13.7 List Trusted Root Certificate Profiles\nSame endpoint, filter for `TrustedRootCertificate` in `@odata.type`.\n\n---\n\n## \ud83d\udd04 14. 
Windows Update Management\n\n### 14.1 List Windows Update Rings\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations?$filter=isof('microsoft.graph.windowsUpdateForBusinessConfiguration')`\n\nPresent as: | Ring Name | Deferral (Days) | Quality Updates | Feature Updates | Assigned To |\n\n### 14.2 Get Update Ring Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{ringId}`\n\n### 14.3 List Feature Update Profiles\n**GET** `https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles`\n\n### 14.4 Get Feature Update Profile Details\n**GET** `https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/{profileId}`\n\n### 14.5 Get Feature Update Deployment State per Device\n**GET** `https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/{profileId}/deviceUpdateStates`\n\n### 14.6 List Driver Update Profiles\n**GET** `https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles`\n\n### 14.7 Get Driver Update Profile Details\n**GET** `https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles/{profileId}`\n\n### 14.8 List Quality Update Profiles (Expedited Updates)\n**GET** `https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdateProfiles`\n\n### 14.9 Pause/Resume an Update Ring\n**POST** `https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{ringId}/windowsUpdateForBusinessConfiguration/pause`\n**POST** `https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{ringId}/windowsUpdateForBusinessConfiguration/resume`\n\u26a0\ufe0f SAFETY: Confirm before pausing/resuming.\n\n---\n\n## \ud83c\udf4e 15. 
Apple Device Management\n\n### 15.1 List Apple DEP/ADE Enrollment Profiles\n**GET** `https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings`\n\n### 15.2 List Apple DEP Tokens\n**GET** `https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings/{depId}/enrollmentProfiles`\n\n### 15.3 List Apple Push Notification Certificate Info\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate`\n\nShows: Expiration date, Subject, Certificate serial number.\n\ud83d\udca1 Agent should proactively warn if certificate expires within 30 days!\n\n### 15.4 List VPP Tokens (Volume Purchase Program)\n**GET** `https://graph.microsoft.com/beta/deviceManagement/vppTokens`\n\n### 15.5 List iOS/macOS Managed App Configurations\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppPolicies`\nFilter for iOS/macOS types.\n\n### 15.6 Activation Lock Bypass (iOS Supervised)\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/bypassActivationLock`\n\u26a0\ufe0f SAFETY: Requires explicit user confirmation!\n\n---\n\n## \ud83e\udd16 16. Android Enterprise Management\n\n### 16.1 List Android Managed Store Apps\n**GET** `https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings`\n\n### 16.2 List Android Enrollment Profiles\n**GET** `https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles`\n\n### 16.3 Get Android Enterprise Binding Status\n**GET** `https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings`\n\nShows if Android Enterprise (Work Profile / Fully Managed / Dedicated) is connected.\n\n### 16.4 List Android App Protection Policies\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections`\n\n---\n\n## \ud83d\udcdd 17. 
Audit Logs & Activity\n\n### 17.1 List Intune Audit Events\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/auditEvents`\n\nPresent as: | Date | Activity | Actor (who) | Target | Result |\n\n### 17.2 Filter Audit Events by Date Range\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/auditEvents?$filter=activityDateTime gt {startDate} and activityDateTime lt {endDate}`\n\nAgent should calculate the date range based on user request (e.g., \"letzte Woche\" \u2192 last 7 days).\n\n### 17.3 Filter Audit Events by User\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/auditEvents?$filter=actor/userPrincipalName eq '{user@domain.com}'`\n\n### 17.4 Get Audit Event Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/auditEvents/{auditEventId}`\n\n### 17.5 List Directory Audit Logs (Entra ID level)\n**GET** `https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=category eq 'Device'`\n\n### 17.6 List Sign-In Logs\n**GET** `https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=appDisplayName eq 'Microsoft Intune'`\n\n---\n\n## \ud83c\udfd7\ufe0f 18. 
Settings Catalog & GPO Analytics\n\n### 18.1 Search Settings Catalog\n**GET** `https://graph.microsoft.com/beta/deviceManagement/configurationSettings?$search=\"{searchTerm}\"`\n\nThis is extremely useful when the user asks: \"Can Intune configure setting X?\" or \"Hat Intune eine Einstellung f\u00fcr Bildschirmschoner?\"\n\n### 18.2 List Group Policy Migration Reports\n**GET** `https://graph.microsoft.com/beta/deviceManagement/groupPolicyMigrationReports`\n\nUse this when the user asks about migrating from on-premises GPO to Intune.\n\n### 18.3 Get Migration Report Details\n**GET** `https://graph.microsoft.com/beta/deviceManagement/groupPolicyMigrationReports/{reportId}`\n\nShows: Which GPO settings are supported in Intune, which are not, and recommended alternatives.\n\n### 18.4 List Group Policy Uploaded Definition Files\n**GET** `https://graph.microsoft.com/beta/deviceManagement/groupPolicyUploadedDefinitionFiles`\n\n---\n\n## \ud83d\udcc4 19. Terms & Conditions and Notifications\n\n### 19.1 List Terms & Conditions\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions`\n\n### 19.2 Get Terms & Conditions Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions/{termsId}`\n\n### 19.3 Get Terms Acceptance Status\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions/{termsId}/acceptanceStatuses`\n\nShows which users have accepted which version.\n\n### 19.4 Create Terms & Conditions\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions`\n\u26a0\ufe0f SAFETY: Confirm before creating.\n\n### 19.5 List Notification Message Templates\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/notificationMessageTemplates`\n\n### 19.6 Create Notification Template (Non-Compliance Email)\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/notificationMessageTemplates`\n\u26a0\ufe0f SAFETY: Confirm before creating.\n\n### 19.7 Send Test Notification\n**POST** 
`https://graph.microsoft.com/v1.0/deviceManagement/notificationMessageTemplates/{templateId}/sendTestMessage`\n\n---\n\n## \ud83d\udd10 20. App Protection Policies (MAM)\n\n### 20.1 List iOS App Protection Policies\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections`\n\n### 20.2 List Android App Protection Policies\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections`\n\n### 20.3 List Windows Information Protection Policies\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/windowsInformationProtectionPolicies`\n\n### 20.4 Get App Protection Policy Details\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/{policyId}`\nor\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections/{policyId}`\n\n### 20.5 Get App Protection Status per User\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppRegistrations?$filter=userId eq '{userId}'`\n\n### 20.6 Create App Protection Policy\n**POST** `https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections`\nor\n**POST** `https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections`\n\u26a0\ufe0f SAFETY: Confirm before creating. Show policy summary first.\n\n---\n\n## \ud83d\udcf1 21. 
Enrollment Configuration\n\n### 21.1 List All Enrollment Configurations\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations`\n\nIncludes: Device Limit Restrictions, Platform Restrictions, Enrollment Status Page (ESP), Windows Hello for Business.\n\n### 21.2 Get Enrollment Configuration Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations/{configId}`\n\n### 21.3 Get Enrollment Configuration Assignments\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations/{configId}/assignments`\n\n### 21.4 List Enrollment Status Page (ESP) Profiles\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations?$filter=isof('microsoft.graph.windows10EnrollmentCompletionPageConfiguration')`\n\n### 21.5 List Windows Hello for Business Configurations\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations?$filter=isof('microsoft.graph.deviceEnrollmentWindowsHelloForBusinessConfiguration')`\n\n---\n\n## \ud83e\uddee 22. Filters & Scope Tags\n\n### 22.1 List Assignment Filters\n**GET** `https://graph.microsoft.com/beta/deviceManagement/assignmentFilters`\n\nPresent as: | Filter Name | Platform | Rule | Created |\n\n### 22.2 Get Filter Details\n**GET** `https://graph.microsoft.com/beta/deviceManagement/assignmentFilters/{filterId}`\n\n### 22.3 Create Assignment Filter\n**POST** `https://graph.microsoft.com/beta/deviceManagement/assignmentFilters`\n\u26a0\ufe0f SAFETY: Confirm before creating.\n\n### 22.4 Test/Preview Filter Results\n**POST** `https://graph.microsoft.com/beta/deviceManagement/assignmentFilters/{filterId}/getState`\n\n### 22.5 List Scope Tags\n**GET** `https://graph.microsoft.com/beta/deviceManagement/roleScopeTags`\n\n### 22.6 Create Scope Tag\n**POST** `https://graph.microsoft.com/beta/deviceManagement/roleScopeTags`\n\u26a0\ufe0f SAFETY: Confirm before creating.\n",
49 "arguments": [],
50 "icons": null,
51 "meta": null
52 },
53 {
54 "name": "README.md",
55 "title": null,
56 "description": "# \ud83d\udd27 OpenClaw Intune Skill \u2013 Complete Microsoft Intune Management\n\n> **Author:** Mattia Cirillo\n> **Website:** [kaffeeundcode.com](https://kaffeeundcode.com)\n> **License:** MIT\n> **Platform:** [OpenClaw](https://github.com/openclaw/openclaw)\n\n---\n\n## \ud83c\udf10 About This Project\n\nThis skill was built by **Mattia Cirillo**, an IT administrator and automation enthusiast from Germany. It is part of the **[Kaffee & Code](https://kaffeeundcode.com)** project \u2013 a platform dedicated to sharing real-world PowerShell scripts, n8n automation workflows, and Microsoft Intune knowledge with the IT community.\n\n### What is this Skill?\n\nThe **OpenClaw Intune Skill** is a comprehensive AI skill file that teaches any [OpenClaw](https://github.com/openclaw/openclaw)-compatible AI agent how to **fully manage Microsoft Intune** through the Microsoft Graph API. Instead of manually navigating the Intune admin portal or writing custom scripts for every task, you can simply talk to your AI agent in natural language \u2013 and it handles the rest.\n\n### What does it actually do?\n\nOnce installed, your AI agent gains the ability to:\n\n- **Query your entire device fleet** \u2013 list all managed devices, search by name or user, check compliance status, and generate reports\n- **Execute remote actions** \u2013 sync, reboot, lock, wipe, retire, rename, or locate any managed device with built-in safety confirmations\n- **Manage compliance & configuration policies** \u2013 list, create, modify, or delete compliance policies and configuration profiles (including the modern Settings Catalog)\n- **Handle app deployment** \u2013 view all deployed apps, check assignments, inspect detected apps across your fleet, and assign apps to groups\n- **Control endpoint security** \u2013 manage security baselines, BitLocker/FileVault encryption, Windows Firewall, Microsoft Defender Antivirus, and Attack Surface Reduction (ASR) rules\n- **Automate 
Windows Autopilot** \u2013 list Autopilot devices, manage deployment profiles, assign users, and clean up old device entries\n- **Deploy PowerShell scripts** \u2013 upload, manage, and monitor the execution of PowerShell scripts and Proactive Remediations (Health Scripts) across your fleet\n- **Manage users & groups** \u2013 search users, list group memberships, add/remove users from groups, and view all devices per user\n- **Generate reports & dashboards** \u2013 compliance summaries, OS distribution, stale device reports, non-compliance lists, and export jobs\n- **Configure Conditional Access** \u2013 list, create, and modify Conditional Access policies, named locations, and authentication strengths\n- **Manage network profiles** \u2013 WLAN (Wi-Fi), VPN, and certificate profiles (SCEP, PKCS, Trusted Root)\n- **Control Windows Updates** \u2013 manage update rings, feature updates, quality updates, driver updates, and pause/resume deployments\n- **Administer Apple devices** \u2013 DEP/ADE enrollment, APNS certificate monitoring, VPP token management, and Activation Lock bypass\n- **Manage Android Enterprise** \u2013 Managed Google Play, enrollment profiles, binding status, and app protection policies\n- **Audit everything** \u2013 query Intune audit logs, directory audit events, and sign-in logs to track who changed what and when\n- **Search the Settings Catalog** \u2013 find out if Intune supports a specific setting and explore GPO migration reports\n- **And much more** \u2013 Terms & Conditions, notification templates, enrollment restrictions, ESP, Windows Hello for Business, assignment filters, scope tags, and RBAC roles\n\n### Who is this for?\n\nThis skill is perfect for:\n\n- **IT administrators** who manage Intune environments and want to speed up their daily workflows with AI\n- **MSPs (Managed Service Providers)** who manage multiple tenants and need a fast, conversational interface to Intune\n- **DevOps / automation engineers** who want to integrate 
Intune management into their AI-powered workflows\n- **Anyone learning Intune** who wants an intelligent assistant that knows every Graph API endpoint\n\n### Why use this instead of the Intune portal?\n\n| Task | Intune Portal | With this Skill |\n|---|---|---|\n| Check compliance for 1 device | 5+ clicks, navigate menus | *\"Ist MAX-LAPTOP compliant?\"* \u2192 instant answer |\n| Sync 10 devices | Click each one individually | *\"Sync alle Ger\u00e4te von Team Marketing\"* \u2192 done |\n| Find stale devices | Export report, filter in Excel | *\"Welche Ger\u00e4te haben sich seit 30 Tagen nicht gemeldet?\"* \u2192 table |\n| Create a compliance policy | Navigate wizard, 10+ steps | *\"Erstell eine Compliance Policy f\u00fcr Windows mit BitLocker-Pflicht\"* \u2192 draft + confirm |\n| Check who changed a policy | Dig through audit logs | *\"Wer hat letzte Woche Policies ge\u00e4ndert?\"* \u2192 formatted list |\n\n### Built-in Safety\n\nThis skill was designed with **enterprise safety** in mind. Every destructive operation (wipe, retire, delete) requires **explicit double confirmation** from the user before execution. Read-only operations (listing devices, checking compliance) execute instantly without prompts. The agent never dumps raw JSON \u2013 it always formats output as readable Markdown.\n\n> \ud83d\udca1 **More scripts, tutorials, and automation workflows:**\n> Visit **[kaffeeundcode.com](https://kaffeeundcode.com)** for 150+ PowerShell scripts, n8n workflows, weekly Intune updates, and more.\n\n---\n\n## \ud83d\ude80 What Can It Do? 
(22 Categories, 110+ Endpoints)\n\n| # | Category | Capabilities |\n|---|---|---|\n| 1 | \ud83d\udcf1 **Device Management** | List, search, sync, reboot, lock, wipe, retire, rename, locate devices |\n| 2 | \ud83d\udccb **Compliance Policies** | List/create/delete compliance policies, check device status |\n| 3 | \u2699\ufe0f **Configuration Profiles** | Config profiles, Settings Catalog, assignments |\n| 4 | \ud83d\udce6 **App Management** | List apps, assignments, detected apps, app configs |\n| 5 | \ud83d\udd12 **Endpoint Security** | Baselines, BitLocker, Firewall, Defender, ASR rules |\n| 6 | \ud83d\ude80 **Windows Autopilot** | Devices, profiles, assign users, delete |\n| 7 | \ud83d\udcdc **PowerShell Scripts** | Upload, manage, execution status, proactive remediations |\n| 8 | \ud83d\udc65 **Users & Groups** | Search users, manage group memberships, list devices per user |\n| 9 | \ud83d\udcca **Reporting** | Compliance summary, OS distribution, stale devices, exports |\n| 10 | \ud83c\udff7\ufe0f **Device Categories** | Categories, enrollment restrictions |\n| 11 | \ud83d\udd04 **RBAC** | Roles and role assignments |\n| 12 | \ud83d\udee1\ufe0f **Conditional Access** | Policies, named locations, authentication strengths |\n| 13 | \ud83d\udcf6 **WLAN, VPN & Certificates** | Wi-Fi profiles, VPN, SCEP, PKCS, trusted root certs |\n| 14 | \ud83d\udd04 **Windows Updates** | Update rings, feature/quality/driver updates, pause/resume |\n| 15 | \ud83c\udf4e **Apple Management** | DEP/ADE, APNS certificate, VPP tokens, activation lock bypass |\n| 16 | \ud83e\udd16 **Android Enterprise** | Managed Store, enrollment profiles, binding status |\n| 17 | \ud83d\udcdd **Audit Logs** | Intune audit events, directory audits, sign-in logs |\n| 18 | \ud83c\udfd7\ufe0f **Settings Catalog & GPO** | Search settings, GPO migration reports, definition files |\n| 19 | \ud83d\udcc4 **Terms & Notifications** | Terms & conditions, notification templates, test messages |\n| 20 | \ud83d\udd10 
**App Protection (MAM)** | iOS/Android/Windows protection policies, per-user status |\n| 21 | \ud83d\udcf1 **Enrollment Config** | Platform restrictions, ESP, Windows Hello for Business |\n| 22 | \ud83e\uddee **Filters & Scope Tags** | Assignment filters, scope tags, filter preview |\n\n## \ud83d\udce6 Installation\n\n```bash\n# Copy into your OpenClaw workspace\nmkdir -p ~/.openclaw/workspace/skills/intune-graph\ncp SKILL.md ~/.openclaw/workspace/skills/intune-graph/\n```\n\n## \ud83d\udd11 Setup\n\n1. Create an **App Registration** in Microsoft Entra ID (Azure AD)\n2. Grant the required Microsoft Graph API permissions (see SKILL.md)\n3. Set environment variables:\n```bash\nexport INTUNE_TENANT_ID=\"your-tenant-id\"\nexport INTUNE_CLIENT_ID=\"your-client-id\"\nexport INTUNE_CLIENT_SECRET=\"your-client-secret\"\n```\n\n## \ud83d\udcac Example Usage\n\n> **You:** \"Zeig mir alle Ger\u00e4te die nicht compliant sind\"\n> **Agent:** \"5 Ger\u00e4te nicht compliant. 3 Windows (fehlende Updates), 2 iOS (kein Passcode). Soll ich die syncen?\"\n\n> **You:** \"Sync den Laptop von Max M\u00fcller\"\n> **Agent:** \"Done \u2705 Sync-Befehl an MAX-LAPTOP gesendet.\"\n\n> **You:** \"Wie viele Ger\u00e4te haben wir insgesamt?\"\n> **Agent:** \"127 Ger\u00e4te: 89 Windows, 22 iOS, 12 Android, 4 macOS.\"\n\n## \ud83d\udee1\ufe0f Safety\n\n- Read operations execute without confirmation\n- Sync/Reboot requires simple confirmation\n- **Wipe/Retire/Delete** always requires explicit double confirmation\n- The agent never dumps raw JSON \u2013 always formatted Markdown\n\n## \ud83d\udd17 Links\n\n- \ud83c\udf10 [Kaffee & Code](https://kaffeeundcode.com) \u2013 Blog, Skripte & Automatisierung\n- \ud83e\udd9e [OpenClaw](https://github.com/openclaw/openclaw)\n- \ud83d\udcd6 [Microsoft Graph API Docs](https://learn.microsoft.com/en-us/graph/api/resources/intune-graph-overview)\n\n---\nMade with \u2615 by [Mattia Cirillo](https://kaffeeundcode.com)\n",
57 "arguments": null,
58 "icons": null,
59 "meta": null
60 }
61 ],
62 "resources": [
63 {
64 "name": "_meta.json",
65 "title": null,
66 "uri": "skill://_meta.json",
67 "description": "{\n \"owner\": \"mattiacirillo\",\n \"slug\": \"openclaw-intune-skill\",\n \"displayName\": \"Openclaw Intune Skill\",\n \"latest\": {\n \"version\": \"1.0.1\",\n \"publishedAt\": 1771685328992,\n \"commit\": \"https://github.com/openclaw/skills/commit/3447db7cdfdcdc935384abfdc842205b11197c9a\"\n },\n \"history\": []\n}\n",
68 "mimeType": null,
69 "size": null,
70 "icons": null,
71 "annotations": null,
72 "meta": null
73 }
74 ],
75 "resource_templates": [],
76 "tools": []
77 },
78 "error": null
79 }
80 ],
81 "issues": [],
82 "labels": [
83 [
84 {
85 "is_public_sink": 0.07,
86 "destructive": 0.08,
87 "untrusted_content": 0.04,
88 "private_data": 0.23
89 },
90 {
91 "is_public_sink": 0.12,
92 "destructive": 0.1,
93 "untrusted_content": 0.16,
94 "private_data": 0.07
95 },
96 {
97 "is_public_sink": 0.01,
98 "destructive": 0.15,
99 "untrusted_content": 0.14,
100 "private_data": 0.19
101 }
102 ]
103 ],
104 "error": null
105 }
106 }
107
108 Process exited with code 0
109 ✓ Completed in 130838ms
npm-audit
No package.json found — skipping npm audit
npm-audit 0ms
1 No package.json found at /tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/package.json
2 Skipping npm audit.

Files analyzed

SKILL.md

Rules coverage: 147 patterns

58 prompt injection
15 secrets
53 malware
21 permissions

Security Findings

High · PERM-007 · clawguard-rules · permissions

Skill explicitly requests credential access

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:22

Evidence: access token

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:133

Evidence: 0/deviceManagement/deviceCompliancePolicies

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:138

Evidence: 0/deviceManagement/deviceCompliancePolicies/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:141

Evidence: 0/deviceManagement/deviceCompliancePolicies/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:144

Evidence: 0/deviceManagement/deviceCompliancePolicies/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:147

Evidence: 0/deviceManagement/deviceCompliancePolicies

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:151

Evidence: 0/deviceManagement/deviceCompliancePolicies/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:159

Evidence: 0/deviceManagement/configurationPolicies

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:167

Evidence: 0/deviceManagement/configurationPolicies/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:170

Evidence: 0/deviceManagement/configurationPolicies/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:173

Evidence: 0/deviceManagement/configurationPolicies/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:176

Evidence: 0/deviceManagement/deviceConfigurations/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:179

Evidence: 0/deviceManagement/configurationPolicies

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:183

Evidence: 0/deviceManagement/configurationPolicies/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:202

Evidence: 0/deviceAppManagement/managedAppPolicies

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:205

Evidence: 0/deviceAppManagement/managedAppRegistrations

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:222

Evidence: com/beta/deviceManagement/configurationPolicies

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:225

Evidence: com/beta/deviceManagement/configurationPolicies

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:228

Evidence: com/beta/deviceManagement/configurationPolicies

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:231

Evidence: com/beta/deviceManagement/configurationPolicies

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:234

Evidence: com/beta/deviceManagement/configurationPolicies

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:241

Evidence: 0/deviceManagement/windowsAutopilotDeviceIdentities

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:246

Evidence: 0/deviceManagement/windowsAutopilotDeviceIdentities/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:249

Evidence: 0/deviceManagement/windowsAutopilotDeploymentProfiles

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:252

Evidence: 0/deviceManagement/windowsAutopilotDeviceIdentities/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:256

Evidence: 0/deviceManagement/windowsAutopilotDeviceIdentities/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:264

Evidence: com/beta/deviceManagement/deviceManagementScripts

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:267

Evidence: com/beta/deviceManagement/deviceManagementScripts/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:270

Evidence: com/beta/deviceManagement/deviceManagementScripts/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:273

Evidence: com/beta/deviceManagement/deviceManagementScripts

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:278

Evidence: com/beta/deviceManagement/deviceHealthScripts

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:281

Evidence: com/beta/deviceManagement/deviceHealthScripts/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:334

Evidence: com/beta/deviceManagement/reports/exportJobs

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:352

Evidence: 0/deviceManagement/deviceEnrollmentConfigurations

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:415

Evidence: 0/identity/conditionalAccess/namedLocations

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:418

Evidence: 0/identity/conditionalAccess/namedLocations

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:430

Evidence: 0/identity/conditionalAccess/authenticationStrength/policies

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:448

Evidence: 0/deviceManagement/deviceConfigurations/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:451

Evidence: 0/deviceManagement/deviceConfigurations/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:473

Evidence: 0/deviceManagement/deviceConfigurations/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:476

Evidence: com/beta/deviceManagement/windowsFeatureUpdateProfiles

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:479

Evidence: com/beta/deviceManagement/windowsFeatureUpdateProfiles/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:482

Evidence: com/beta/deviceManagement/windowsFeatureUpdateProfiles/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:485

Evidence: com/beta/deviceManagement/windowsDriverUpdateProfiles

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:488

Evidence: com/beta/deviceManagement/windowsDriverUpdateProfiles/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:491

Evidence: com/beta/deviceManagement/windowsQualityUpdateProfiles

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:494

Evidence: com/beta/deviceManagement/deviceConfigurations/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:495

Evidence: com/beta/deviceManagement/deviceConfigurations/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:503

Evidence: com/beta/deviceManagement/depOnboardingSettings

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:506

Evidence: com/beta/deviceManagement/depOnboardingSettings/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:509

Evidence: 0/deviceManagement/applePushNotificationCertificate

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:518

Evidence: 0/deviceAppManagement/managedAppPolicies

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:530

Evidence: com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:533

Evidence: com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:536

Evidence: com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:541

Evidence: 0/deviceAppManagement/androidManagedAppProtections

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:574

Evidence: com/beta/deviceManagement/configurationSettings

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:579

Evidence: com/beta/deviceManagement/groupPolicyMigrationReports

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:584

Evidence: com/beta/deviceManagement/groupPolicyMigrationReports/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:589

Evidence: com/beta/deviceManagement/groupPolicyUploadedDefinitionFiles

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:611

Evidence: 0/deviceManagement/notificationMessageTemplates

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:614

Evidence: 0/deviceManagement/notificationMessageTemplates

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:618

Evidence: 0/deviceManagement/notificationMessageTemplates/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:625

Evidence: 0/deviceAppManagement/iosManagedAppProtections

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:628

Evidence: 0/deviceAppManagement/androidManagedAppProtections

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:631

Evidence: 0/deviceAppManagement/windowsInformationProtectionPolicies

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:634

Evidence: 0/deviceAppManagement/iosManagedAppProtections/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:636

Evidence: 0/deviceAppManagement/androidManagedAppProtections/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:639

Evidence: 0/deviceAppManagement/managedAppRegistrations

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:642

Evidence: 0/deviceAppManagement/iosManagedAppProtections

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:644

Evidence: 0/deviceAppManagement/androidManagedAppProtections

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:652

Evidence: 0/deviceManagement/deviceEnrollmentConfigurations

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:657

Evidence: 0/deviceManagement/deviceEnrollmentConfigurations/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:660

Evidence: 0/deviceManagement/deviceEnrollmentConfigurations/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:663

Evidence: 0/deviceManagement/deviceEnrollmentConfigurations

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:666

Evidence: 0/deviceManagement/deviceEnrollmentConfigurations

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:673

Evidence: com/beta/deviceManagement/assignmentFilters

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:678

Evidence: com/beta/deviceManagement/assignmentFilters/

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:681

Evidence: com/beta/deviceManagement/assignmentFilters

Low · PI-041 · clawguard-rules · prompt-injection

Possible base64-encoded payload

/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md:685

Evidence: com/beta/deviceManagement/assignmentFilters/

Scan History: 1 scan

Warning · v1.0.1
80 findings: 0 critical, 1 high, 0 medium, 79 low, 0 info

Scanners: 4/5 ran

clawguard-rules
80 findings · 6ms
clawguard-rules · 6ms
1[2026-02-21T18:30:21.147Z] Running @yourclaw/clawguard-rules pattern matcher
2Scanning: /tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md
3Content length: 29004 chars
4Patterns matched: 80
5 [high] PERM-007: Skill explicitly requests credential access
6 [low] PI-041: Possible base64-encoded payload
85✓ Completed in 6ms
gitleaks
0 findings · 120203ms
No findings — all checks passed.
gitleaks · 120203ms
1[2026-02-21T18:32:21.350Z] $ gitleaks detect --source /tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill --report-format json --report-path /dev/stdout --no-git
2
3⚠ stderr output:
4
5 │╲
6 │ ○
7 ○ ░
8 ░ gitleaks
9
106:32PM FTL Report path is not writable: /dev/stdout error="open /dev/stdout: no such device or address"
11
12Process exited with code 1
13✓ Completed in 120203ms
semgrep
0 findings · 168830ms
No findings — all checks passed.
semgrep · 168830ms
1[2026-02-21T18:33:09.981Z] $ semgrep scan --json --quiet --config auto /tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill
2{"version":"1.152.0","results":[],"errors":[],"paths":{"scanned":["/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/README.md","/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/SKILL.md","/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/_meta.json"]},"time":{"rules":[],"rules_parse_time":11.646710872650146,"profiling_times":{"config_time":14.616976976394653,"core_time":16.54252028465271,"ignores_time":0.025228261947631836,"total_time":31.276248693466187},"parsing_time":{"total_time":0.0,"per_file_time":{"mean":0.0,"std_dev":0.0},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_files":[]},"scanning_time":{"total_time":0.6838130950927734,"per_file_time":{"mean":0.09768758501325335,"std_dev":0.018380624155186674},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_files":[]},"matching_time":{"total_time":0.0,"per_file_and_rule_time":{"mean":0.0,"std_dev":0.0},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_rules_on_files":[]},"tainting_time":{"total_time":0.0,"per_def_and_rule_time":{"mean":0.0,"std_dev":0.0},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_rules_on_defs":[]},"fixpoint_timeouts":[],"prefiltering":{"project_level_time":0.0,"file_level_time":0.0,"rules_with_project_prefilters_ratio":0.0,"rules_with_file_prefilters_ratio":0.9797297297297297,"rules_selected_ratio":0.02702702702702703,"rules_matched_ratio":0.02702702702702703},"targets":[],"total_bytes":0,"max_memory_bytes":1170957312},"engine_requested":"OSS","skipped_rules":[],"profiling_results":[]}
3
4Process exited with code 0
5✓ Completed in 168830ms
mcp-scan
0 findings · 130838ms
No findings — all checks passed.
mcp-scan · 130838ms
1[2026-02-21T18:32:31.991Z] $ mcp-scan --skills /tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill --json
2{
3 "/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo": {
4 "client": "not-available",
5 "path": "/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo",
6 "servers": [
7 {
8 "name": "openclaw-intune-skill",
9 "server": {
10 "path": "/tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill",
11 "type": "skill"
12 },
13 "signature": {
14 "metadata": {
15 "meta": null,
16 "protocolVersion": "built-in",
17 "capabilities": {
18 "experimental": null,
19 "logging": null,
20 "prompts": null,
21 "resources": null,
22 "tools": {
23 "listChanged": false
24 },
25 "completions": null,
26 "tasks": null
27 },
28 "serverInfo": {
29 "name": "Intune Graph API \u2013 Complete Management",
30 "title": null,
31 "version": "skills",
32 "websiteUrl": null,
33 "icons": null
34 },
35 "instructions": "A comprehensive skill enabling OpenClaw agents to fully manage Microsoft Intune via the Graph API. Covers devices, apps, policies, compliance, users, groups, reporting, Autopilot, scripts, and remote actions.",
36 "prompts": {
37 "listChanged": false
38 },
39 "resources": {
40 "subscribe": null,
41 "listChanged": false
42 }
43 },
44 "prompts": [
45 {
46 "name": "SKILL.md",
47 "title": null,
48 "description": "\n\n# Microsoft Intune \u2013 Complete Management Skill\n\nThis skill gives the agent **full control over Microsoft Intune** via the Microsoft Graph API. It covers device management, application deployment, compliance & configuration policies, user & group management, Autopilot, PowerShell scripts, reporting, and all remote device actions.\n\n---\n\n## \ud83d\udd11 Authentication\n\nBefore ANY Intune operation, the agent MUST obtain an OAuth 2.0 access token.\n\nThe following environment variables must be configured:\n- `INTUNE_TENANT_ID` \u2013 Microsoft 365 Tenant ID\n- `INTUNE_CLIENT_ID` \u2013 Entra ID App Registration Client ID\n- `INTUNE_CLIENT_SECRET` \u2013 Entra ID App Registration Secret\n\n### Token Request\n**POST** `https://login.microsoftonline.com/{INTUNE_TENANT_ID}/oauth2/v2.0/token`\n\n**Body (x-www-form-urlencoded):**\n```\nclient_id={INTUNE_CLIENT_ID}\n&scope=https://graph.microsoft.com/.default\n&client_secret={INTUNE_CLIENT_SECRET}\n&grant_type=client_credentials\n```\n\nExtract `access_token` from the JSON response. Use it as:\n```\nAuthorization: Bearer <access_token>\n```\n\n### Required API Permissions (App Registration)\nThe Entra ID App Registration needs the following Microsoft Graph **Application** permissions:\n- `DeviceManagementManagedDevices.ReadWrite.All`\n- `DeviceManagementConfiguration.ReadWrite.All`\n- `DeviceManagementApps.ReadWrite.All`\n- `DeviceManagementServiceConfig.ReadWrite.All`\n- `DeviceManagementRBAC.ReadWrite.All`\n- `Directory.Read.All`\n- `User.Read.All`\n- `Group.ReadWrite.All`\n- `GroupMember.ReadWrite.All`\n\n---\n\n## \ud83d\udee1\ufe0f Safety Rules (CRITICAL)\n\n1. **Read operations (GET):** Always safe. Execute without confirmation.\n2. **Sync/Restart operations:** Ask for confirmation: *\"Soll ich Ger\u00e4t X wirklich syncen/neustarten?\"*\n3. **Destructive operations (Wipe, Retire, Delete):** ALWAYS require explicit confirmation. 
Say: *\"\u26a0\ufe0f Achtung: Das l\u00f6scht alle Daten auf dem Ger\u00e4t. Bist du sicher?\"*\n4. **Policy creation/modification:** Confirm before applying: *\"Soll ich diese Policy wirklich erstellen/\u00e4ndern?\"*\n5. **Never dump raw JSON** to the user. Always format output as readable Markdown tables or summaries.\n6. **Error handling:** If an API call returns an error, explain the error in simple German and suggest a fix.\n\n---\n\n## \ud83d\udcf1 1. Device Management\n\n### 1.1 List All Managed Devices\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices`\n\nUse `$select` to limit fields: `?$select=deviceName,operatingSystem,complianceState,lastSyncDateTime,userPrincipalName`\n\nPresent results as a table: | Ger\u00e4tename | OS | Compliance | Letzter Sync | Benutzer |\n\n### 1.2 Search for a Specific Device\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=deviceName eq '{deviceName}'`\n\nAlternative search by user: `?$filter=userPrincipalName eq '{user@domain.com}'`\n\n### 1.3 Get Device Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}`\n\nShow: Device name, Serial number, OS version, Compliance state, Encryption status, Last sync, Enrolled date, Primary user.\n\n### 1.4 Remote Actions on a Device\n\n#### Sync Device\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/syncDevice`\n\n#### Reboot Device\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/rebootNow`\n\n#### Lock Device (Remote Lock)\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/remoteLock`\n\n#### Reset Passcode\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/resetPasscode`\n\n#### Locate Device (Lost Mode \u2013 iOS/Android)\n**POST** 
`https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/locateDevice`\n\n#### Retire Device (Remove Company Data Only)\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/retire`\n\u26a0\ufe0f SAFETY: Requires explicit user confirmation!\n\n#### Wipe Device (Factory Reset)\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/wipe`\n\u26a0\ufe0f SAFETY: ALWAYS ask twice! This deletes ALL data!\n\n#### Delete Device from Intune\n**DELETE** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}`\n\u26a0\ufe0f SAFETY: Requires explicit user confirmation!\n\n#### Rename Device\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/setDeviceName`\nBody: `{\"deviceName\": \"NEW-NAME\"}`\n\n#### Enable/Disable Lost Mode (iOS supervised)\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/enableLostMode`\nBody: `{\"message\": \"Dieses Ger\u00e4t wurde als verloren gemeldet.\", \"phoneNumber\": \"+49...\", \"footer\": \"Kaffee & Code IT\"}`\n\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/disableLostMode`\n\n---\n\n## \ud83d\udccb 2. 
Compliance Policies\n\n### 2.1 List All Compliance Policies\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies`\n\nPresent as: | Policy Name | Platform | Created | Last Modified |\n\n### 2.2 Get Compliance Policy Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}`\n\n### 2.3 Get Compliance Policy Assignments\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}/assignments`\n\n### 2.4 Get Device Compliance Status per Policy\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}/deviceStatuses`\n\n### 2.5 Create a Compliance Policy\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies`\n\u26a0\ufe0f SAFETY: Confirm before creating.\n\n### 2.6 Delete a Compliance Policy\n**DELETE** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}`\n\u26a0\ufe0f SAFETY: Requires explicit user confirmation!\n\n---\n\n## \u2699\ufe0f 3. 
Configuration Policies & Profiles\n\n### 3.1 List Configuration Policies (Recommended API)\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies`\n\nThis is the modern, recommended endpoint covering Endpoint Security, Administrative Templates, and Settings Catalog.\n\n### 3.2 List Legacy Device Configuration Profiles\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations`\n\n### 3.3 Get Configuration Policy Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}`\n\n### 3.4 Get Policy Settings\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}/settings`\n\n### 3.5 Get Policy Assignments\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}/assignments`\n\n### 3.6 Get Device Status per Config Profile\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{configId}/deviceStatuses`\n\n### 3.7 Create Configuration Policy\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies`\n\u26a0\ufe0f SAFETY: Confirm before creating.\n\n### 3.8 Delete Configuration Policy\n**DELETE** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}`\n\u26a0\ufe0f SAFETY: Requires explicit user confirmation!\n\n---\n\n## \ud83d\udce6 4. 
App Management\n\n### 4.1 List All Apps\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps`\n\nPresent as: | App Name | Type | Publisher | Created |\n\n### 4.2 Get App Details\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/{appId}`\n\n### 4.3 Get App Assignments (Who gets the app?)\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/{appId}/assignments`\n\n### 4.4 List App Configuration Policies\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppPolicies`\n\n### 4.5 List App Protection Policies (MAM)\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppRegistrations`\n\n### 4.6 Assign App to a Group\n**POST** `https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/{appId}/assignments`\n\u26a0\ufe0f SAFETY: Confirm before assigning.\n\n### 4.7 List Detected Apps on Devices\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/detectedApps`\n\n### 4.8 Get Devices with a Specific Detected App\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/detectedApps/{detectedAppId}/managedDevices`\n\n---\n\n## \ud83d\udd12 5. 
Endpoint Security\n\n### 5.1 List Security Baselines\n**GET** `https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'baseline'`\n\n### 5.2 List Disk Encryption Policies (BitLocker/FileVault)\n**GET** `https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityDiskEncryption'`\n\n### 5.3 List Firewall Policies\n**GET** `https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityFirewall'`\n\n### 5.4 List Antivirus Policies (Defender)\n**GET** `https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityAntivirus'`\n\n### 5.5 List Attack Surface Reduction Rules\n**GET** `https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=templateReference/templateFamily eq 'endpointSecurityAttackSurfaceReduction'`\n\n---\n\n## \ud83d\ude80 6. Windows Autopilot\n\n### 6.1 List Autopilot Devices\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities`\n\nPresent as: | Serial Number | Model | Group Tag | Enrollment State | Last Seen |\n\n### 6.2 Get Autopilot Device Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/{id}`\n\n### 6.3 List Autopilot Deployment Profiles\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeploymentProfiles`\n\n### 6.4 Assign Autopilot Profile\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/{id}/assignUserToDevice`\nBody: `{\"userPrincipalName\": \"user@domain.com\"}`\n\n### 6.5 Delete Autopilot Device\n**DELETE** `https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities/{id}`\n\u26a0\ufe0f SAFETY: Requires explicit user confirmation!\n\n---\n\n## \ud83d\udcdc 7. 
PowerShell Scripts & Remediation\n\n### 7.1 List Device Management Scripts\n**GET** `https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts`\n\n### 7.2 Get Script Details\n**GET** `https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/{scriptId}`\n\n### 7.3 Get Script Execution Status per Device\n**GET** `https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/{scriptId}/deviceRunStates`\n\n### 7.4 Create/Upload a PowerShell Script\n**POST** `https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts`\nBody must include `scriptContent` as Base64-encoded string.\n\u26a0\ufe0f SAFETY: Confirm before uploading. Show the script content to the user first.\n\n### 7.5 List Proactive Remediations (Health Scripts)\n**GET** `https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts`\n\n### 7.6 Get Remediation Script Execution Results\n**GET** `https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts/{scriptId}/deviceRunStates`\n\n---\n\n## \ud83d\udc65 8. 
Users & Groups\n\n### 8.1 List Users\n**GET** `https://graph.microsoft.com/v1.0/users?$select=displayName,userPrincipalName,accountEnabled,jobTitle`\n\n### 8.2 Search User\n**GET** `https://graph.microsoft.com/v1.0/users?$filter=startsWith(displayName,'{name}')`\n\n### 8.3 Get User Details\n**GET** `https://graph.microsoft.com/v1.0/users/{userId}`\n\n### 8.4 List Groups\n**GET** `https://graph.microsoft.com/v1.0/groups?$select=displayName,description,groupTypes,membershipRule`\n\n### 8.5 Get Group Members\n**GET** `https://graph.microsoft.com/v1.0/groups/{groupId}/members`\n\n### 8.6 Add User to Group\n**POST** `https://graph.microsoft.com/v1.0/groups/{groupId}/members/$ref`\nBody: `{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/{userId}\"}`\n\u26a0\ufe0f SAFETY: Confirm before adding.\n\n### 8.7 Remove User from Group\n**DELETE** `https://graph.microsoft.com/v1.0/groups/{groupId}/members/{userId}/$ref`\n\u26a0\ufe0f SAFETY: Confirm before removing.\n\n### 8.8 List Devices for a User\n**GET** `https://graph.microsoft.com/v1.0/users/{userId}/managedDevices`\n\n---\n\n## \ud83d\udcca 9. 
Reporting & Dashboards\n\n### 9.1 Device Compliance Summary\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=complianceState`\nAgent should calculate: X compliant, Y non-compliant, Z in-grace-period, and present as summary + table.\n\n### 9.2 OS Distribution Summary\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=operatingSystem`\nAgent should group by OS and present: \"42 Windows, 15 iOS, 8 Android, 3 macOS\"\n\n### 9.3 Stale Devices (Not synced recently)\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=lastSyncDateTime lt {30_days_ago}&$select=deviceName,lastSyncDateTime,userPrincipalName`\nAgent should calculate the date for 30 days ago automatically.\n\n### 9.4 Non-Compliant Devices Report\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=complianceState eq 'noncompliant'&$select=deviceName,complianceState,userPrincipalName,operatingSystem`\n\n### 9.5 Export Report Job\n**POST** `https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs`\nBody: `{\"reportName\": \"Devices\", \"filter\": \"\", \"select\": [\"DeviceName\",\"OS\",\"ComplianceState\"]}`\n\n---\n\n## \ud83c\udff7\ufe0f 10. Device Categories & Enrollment\n\n### 10.1 List Device Categories\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories`\n\n### 10.2 Create Device Category\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories`\nBody: `{\"displayName\": \"Kategoriename\", \"description\": \"Beschreibung\"}`\n\n### 10.3 Set Device Category on a Device\n**PUT** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{deviceId}/deviceCategory/$ref`\n\n### 10.4 List Enrollment Restrictions\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations`\n\n---\n\n## \ud83d\udd04 11. 
RBAC (Role-Based Access Control)\n\n### 11.1 List Intune Roles\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions`\n\n### 11.2 List Role Assignments\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/roleAssignments`\n\n### 11.3 Get Role Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions/{roleId}`\n\n---\n\n## \ud83d\udca1 Agent Response Guidelines\n\nWhen the user asks a question, follow this logic:\n1. **\"Zeig mir alle Ger\u00e4te\"** \u2192 Use 1.1, format as table.\n2. **\"Ist Ger\u00e4t X compliant?\"** \u2192 Use 1.2 to find it, then check `complianceState`.\n3. **\"Sync Laptop von Max\"** \u2192 Use 1.2 to find `managedDeviceId`, then use 1.4 Sync.\n4. **\"Wie viele Ger\u00e4te hab ich?\"** \u2192 Use 9.2, give OS distribution + total count.\n5. **\"Welche Ger\u00e4te haben sich lange nicht gemeldet?\"** \u2192 Use 9.3.\n6. **\"Erstell mir eine Compliance Policy f\u00fcr Windows\"** \u2192 Use 2.5, ask for requirements first.\n7. **\"Welche Apps sind deployed?\"** \u2192 Use 4.1.\n8. **\"F\u00fcg User Max zur Gruppe IT-Ger\u00e4te hinzu\"** \u2192 Use 8.2 to find user, 8.4 to find group, then 8.6.\n9. **\"Zeig mir den Status vom PowerShell Script XY\"** \u2192 Use 7.3.\n10. **\"Gib mir einen Compliance Report\"** \u2192 Use 9.1 + 9.4.\n11. **\"Zeig mir die Conditional Access Policies\"** \u2192 Use 12.1.\n12. **\"Welche WLAN-Profile sind deployed?\"** \u2192 Use 13.1.\n13. **\"Wie sind meine Windows Update Ringe konfiguriert?\"** \u2192 Use 14.1.\n14. **\"Wer hat letzte Woche was in Intune ge\u00e4ndert?\"** \u2192 Use 17.1.\n15. **\"Kann Intune die Einstellung XY konfigurieren?\"** \u2192 Use 18.1 Settings Catalog search.\n16. **\"Zeig mir alle Autopilot-Ger\u00e4te ohne zugewiesenes Profil\"** \u2192 Use 6.1 + filter.\n\n---\n\n## \ud83d\udee1\ufe0f 12. 
Conditional Access (Bedingter Zugriff)\n\n### 12.1 List Conditional Access Policies\n**GET** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`\n\nPresent as: | Policy Name | State (enabled/disabled/report) | Conditions | Grant Controls |\n\n### 12.2 Get Conditional Access Policy Details\n**GET** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyId}`\n\n### 12.3 Create Conditional Access Policy\n**POST** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`\n\u26a0\ufe0f SAFETY: Always confirm before creating. Show the user a summary of what the policy will do first.\n\ud83d\udca1 TIP: Recommend creating in \"reportOnly\" state first for testing.\n\n### 12.4 Update Conditional Access Policy\n**PATCH** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyId}`\n\u26a0\ufe0f SAFETY: Confirm before modifying. Explain what will change.\n\n### 12.5 Delete Conditional Access Policy\n**DELETE** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{policyId}`\n\u26a0\ufe0f SAFETY: Requires explicit user confirmation!\n\n### 12.6 List Named Locations (Trusted IPs / Countries)\n**GET** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations`\n\n### 12.7 Create Named Location\n**POST** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations`\nExample IP-based:\n```json\n{\n \"@odata.type\": \"#microsoft.graph.ipNamedLocation\",\n \"displayName\": \"B\u00fcro-Netzwerk\",\n \"isTrusted\": true,\n \"ipRanges\": [{\"@odata.type\": \"#microsoft.graph.iPv4CidrRange\", \"cidrAddress\": \"192.168.1.0/24\"}]\n}\n```\n\n### 12.8 List Authentication Strengths\n**GET** `https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationStrength/policies`\n\n---\n\n## \ud83d\udcf6 13. 
WLAN, VPN & Zertifikate\n\n### 13.1 List WLAN Profiles\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations?$filter=isof('microsoft.graph.windowsWifiConfiguration') or isof('microsoft.graph.iosWiFiConfiguration') or isof('microsoft.graph.androidWorkProfileWiFiConfiguration')`\n\nAlternative (all configs, then filter by odata.type for Wi-Fi):\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations`\nAgent should filter results where `@odata.type` contains `WiFi` or `wifi`.\n\n### 13.2 List VPN Profiles\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations`\nAgent should filter results where `@odata.type` contains `Vpn` or `vpn`.\n\n### 13.3 Get WLAN/VPN Profile Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{configId}`\n\n### 13.4 Get WLAN/VPN Profile Assignment\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{configId}/assignments`\n\n### 13.5 List SCEP Certificate Profiles\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations`\nAgent should filter results where `@odata.type` contains `Scep` or `Certificate`.\n\n### 13.6 List PKCS Certificate Profiles\nSame endpoint, filter for `Pkcs` in `@odata.type`.\n\n### 13.7 List Trusted Root Certificate Profiles\nSame endpoint, filter for `TrustedRootCertificate` in `@odata.type`.\n\n---\n\n## \ud83d\udd04 14. 
Windows Update Management\n\n### 14.1 List Windows Update Rings\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations?$filter=isof('microsoft.graph.windowsUpdateForBusinessConfiguration')`\n\nPresent as: | Ring Name | Deferral (Days) | Quality Updates | Feature Updates | Assigned To |\n\n### 14.2 Get Update Ring Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{ringId}`\n\n### 14.3 List Feature Update Profiles\n**GET** `https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles`\n\n### 14.4 Get Feature Update Profile Details\n**GET** `https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/{profileId}`\n\n### 14.5 Get Feature Update Deployment State per Device\n**GET** `https://graph.microsoft.com/beta/deviceManagement/windowsFeatureUpdateProfiles/{profileId}/deviceUpdateStates`\n\n### 14.6 List Driver Update Profiles\n**GET** `https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles`\n\n### 14.7 Get Driver Update Profile Details\n**GET** `https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles/{profileId}`\n\n### 14.8 List Quality Update Profiles (Expedited Updates)\n**GET** `https://graph.microsoft.com/beta/deviceManagement/windowsQualityUpdateProfiles`\n\n### 14.9 Pause/Resume an Update Ring\n**POST** `https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{ringId}/windowsUpdateForBusinessConfiguration/pause`\n**POST** `https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{ringId}/windowsUpdateForBusinessConfiguration/resume`\n\u26a0\ufe0f SAFETY: Confirm before pausing/resuming.\n\n---\n\n## \ud83c\udf4e 15. 
Apple Device Management\n\n### 15.1 List Apple DEP/ADE Enrollment Profiles\n**GET** `https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings`\n\n### 15.2 List Apple DEP Tokens\n**GET** `https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings/{depId}/enrollmentProfiles`\n\n### 15.3 List Apple Push Notification Certificate Info\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate`\n\nShows: Expiration date, Subject, Certificate serial number.\n\ud83d\udca1 Agent should proactively warn if certificate expires within 30 days!\n\n### 15.4 List VPP Tokens (Volume Purchase Program)\n**GET** `https://graph.microsoft.com/beta/deviceManagement/vppTokens`\n\n### 15.5 List iOS/macOS Managed App Configurations\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppPolicies`\nFilter for iOS/macOS types.\n\n### 15.6 Activation Lock Bypass (iOS Supervised)\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/bypassActivationLock`\n\u26a0\ufe0f SAFETY: Requires explicit user confirmation!\n\n---\n\n## \ud83e\udd16 16. Android Enterprise Management\n\n### 16.1 List Android Managed Store Apps\n**GET** `https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings`\n\n### 16.2 List Android Enrollment Profiles\n**GET** `https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles`\n\n### 16.3 Get Android Enterprise Binding Status\n**GET** `https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings`\n\nShows if Android Enterprise (Work Profile / Fully Managed / Dedicated) is connected.\n\n### 16.4 List Android App Protection Policies\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections`\n\n---\n\n## \ud83d\udcdd 17. 
Audit Logs & Activity\n\n### 17.1 List Intune Audit Events\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/auditEvents`\n\nPresent as: | Date | Activity | Actor (who) | Target | Result |\n\n### 17.2 Filter Audit Events by Date Range\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/auditEvents?$filter=activityDateTime gt {startDate} and activityDateTime lt {endDate}`\n\nAgent should calculate the date range based on user request (e.g., \"letzte Woche\" \u2192 last 7 days).\n\n### 17.3 Filter Audit Events by User\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/auditEvents?$filter=actor/userPrincipalName eq '{user@domain.com}'`\n\n### 17.4 Get Audit Event Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/auditEvents/{auditEventId}`\n\n### 17.5 List Directory Audit Logs (Entra ID level)\n**GET** `https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=category eq 'Device'`\n\n### 17.6 List Sign-In Logs\n**GET** `https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=appDisplayName eq 'Microsoft Intune'`\n\n---\n\n## \ud83c\udfd7\ufe0f 18. 
Settings Catalog & GPO Analytics\n\n### 18.1 Search Settings Catalog\n**GET** `https://graph.microsoft.com/beta/deviceManagement/configurationSettings?$search=\"{searchTerm}\"`\n\nThis is extremely useful when the user asks: \"Can Intune configure setting X?\" or \"Hat Intune eine Einstellung f\u00fcr Bildschirmschoner?\"\n\n### 18.2 List Group Policy Migration Reports\n**GET** `https://graph.microsoft.com/beta/deviceManagement/groupPolicyMigrationReports`\n\nUse this when the user asks about migrating from on-premises GPO to Intune.\n\n### 18.3 Get Migration Report Details\n**GET** `https://graph.microsoft.com/beta/deviceManagement/groupPolicyMigrationReports/{reportId}`\n\nShows: Which GPO settings are supported in Intune, which are not, and recommended alternatives.\n\n### 18.4 List Group Policy Uploaded Definition Files\n**GET** `https://graph.microsoft.com/beta/deviceManagement/groupPolicyUploadedDefinitionFiles`\n\n---\n\n## \ud83d\udcc4 19. Terms & Conditions and Notifications\n\n### 19.1 List Terms & Conditions\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions`\n\n### 19.2 Get Terms & Conditions Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions/{termsId}`\n\n### 19.3 Get Terms Acceptance Status\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions/{termsId}/acceptanceStatuses`\n\nShows which users have accepted which version.\n\n### 19.4 Create Terms & Conditions\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions`\n\u26a0\ufe0f SAFETY: Confirm before creating.\n\n### 19.5 List Notification Message Templates\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/notificationMessageTemplates`\n\n### 19.6 Create Notification Template (Non-Compliance Email)\n**POST** `https://graph.microsoft.com/v1.0/deviceManagement/notificationMessageTemplates`\n\u26a0\ufe0f SAFETY: Confirm before creating.\n\n### 19.7 Send Test Notification\n**POST** 
`https://graph.microsoft.com/v1.0/deviceManagement/notificationMessageTemplates/{templateId}/sendTestMessage`\n\n---\n\n## \ud83d\udd10 20. App Protection Policies (MAM)\n\n### 20.1 List iOS App Protection Policies\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections`\n\n### 20.2 List Android App Protection Policies\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections`\n\n### 20.3 List Windows Information Protection Policies\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/windowsInformationProtectionPolicies`\n\n### 20.4 Get App Protection Policy Details\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/{policyId}`\nor\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections/{policyId}`\n\n### 20.5 Get App Protection Status per User\n**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppRegistrations?$filter=userId eq '{userId}'`\n\n### 20.6 Create App Protection Policy\n**POST** `https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections`\nor\n**POST** `https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections`\n\u26a0\ufe0f SAFETY: Confirm before creating. Show policy summary first.\n\n---\n\n## \ud83d\udcf1 21. 
Enrollment Configuration\n\n### 21.1 List All Enrollment Configurations\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations`\n\nIncludes: Device Limit Restrictions, Platform Restrictions, Enrollment Status Page (ESP), Windows Hello for Business.\n\n### 21.2 Get Enrollment Configuration Details\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations/{configId}`\n\n### 21.3 Get Enrollment Configuration Assignments\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations/{configId}/assignments`\n\n### 21.4 List Enrollment Status Page (ESP) Profiles\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations?$filter=isof('microsoft.graph.windows10EnrollmentCompletionPageConfiguration')`\n\n### 21.5 List Windows Hello for Business Configurations\n**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations?$filter=isof('microsoft.graph.deviceEnrollmentWindowsHelloForBusinessConfiguration')`\n\n---\n\n## \ud83e\uddee 22. Filters & Scope Tags\n\n### 22.1 List Assignment Filters\n**GET** `https://graph.microsoft.com/beta/deviceManagement/assignmentFilters`\n\nPresent as: | Filter Name | Platform | Rule | Created |\n\n### 22.2 Get Filter Details\n**GET** `https://graph.microsoft.com/beta/deviceManagement/assignmentFilters/{filterId}`\n\n### 22.3 Create Assignment Filter\n**POST** `https://graph.microsoft.com/beta/deviceManagement/assignmentFilters`\n\u26a0\ufe0f SAFETY: Confirm before creating.\n\n### 22.4 Test/Preview Filter Results\n**POST** `https://graph.microsoft.com/beta/deviceManagement/assignmentFilters/{filterId}/getState`\n\n### 22.5 List Scope Tags\n**GET** `https://graph.microsoft.com/beta/deviceManagement/roleScopeTags`\n\n### 22.6 Create Scope Tag\n**POST** `https://graph.microsoft.com/beta/deviceManagement/roleScopeTags`\n\u26a0\ufe0f SAFETY: Confirm before creating.\n",
"arguments": [],
"icons": null,
"meta": null
},
{
"name": "README.md",
"title": null,
"description": "# \ud83d\udd27 OpenClaw Intune Skill \u2013 Complete Microsoft Intune Management\n\n> **Author:** Mattia Cirillo\n> **Website:** [kaffeeundcode.com](https://kaffeeundcode.com)\n> **License:** MIT\n> **Platform:** [OpenClaw](https://github.com/openclaw/openclaw)\n\n---\n\n## \ud83c\udf10 About This Project\n\nThis skill was built by **Mattia Cirillo**, an IT administrator and automation enthusiast from Germany. It is part of the **[Kaffee & Code](https://kaffeeundcode.com)** project \u2013 a platform dedicated to sharing real-world PowerShell scripts, n8n automation workflows, and Microsoft Intune knowledge with the IT community.\n\n### What is this Skill?\n\nThe **OpenClaw Intune Skill** is a comprehensive AI skill file that teaches any [OpenClaw](https://github.com/openclaw/openclaw)-compatible AI agent how to **fully manage Microsoft Intune** through the Microsoft Graph API. Instead of manually navigating the Intune admin portal or writing custom scripts for every task, you can simply talk to your AI agent in natural language \u2013 and it handles the rest.\n\n### What does it actually do?\n\nOnce installed, your AI agent gains the ability to:\n\n- **Query your entire device fleet** \u2013 list all managed devices, search by name or user, check compliance status, and generate reports\n- **Execute remote actions** \u2013 sync, reboot, lock, wipe, retire, rename, or locate any managed device with built-in safety confirmations\n- **Manage compliance & configuration policies** \u2013 list, create, modify, or delete compliance policies and configuration profiles (including the modern Settings Catalog)\n- **Handle app deployment** \u2013 view all deployed apps, check assignments, inspect detected apps across your fleet, and assign apps to groups\n- **Control endpoint security** \u2013 manage security baselines, BitLocker/FileVault encryption, Windows Firewall, Microsoft Defender Antivirus, and Attack Surface Reduction (ASR) rules\n- **Automate 
Windows Autopilot** \u2013 list Autopilot devices, manage deployment profiles, assign users, and clean up old device entries\n- **Deploy PowerShell scripts** \u2013 upload, manage, and monitor the execution of PowerShell scripts and Proactive Remediations (Health Scripts) across your fleet\n- **Manage users & groups** \u2013 search users, list group memberships, add/remove users from groups, and view all devices per user\n- **Generate reports & dashboards** \u2013 compliance summaries, OS distribution, stale device reports, non-compliance lists, and export jobs\n- **Configure Conditional Access** \u2013 list, create, and modify Conditional Access policies, named locations, and authentication strengths\n- **Manage network profiles** \u2013 WLAN (Wi-Fi), VPN, and certificate profiles (SCEP, PKCS, Trusted Root)\n- **Control Windows Updates** \u2013 manage update rings, feature updates, quality updates, driver updates, and pause/resume deployments\n- **Administer Apple devices** \u2013 DEP/ADE enrollment, APNS certificate monitoring, VPP token management, and Activation Lock bypass\n- **Manage Android Enterprise** \u2013 Managed Google Play, enrollment profiles, binding status, and app protection policies\n- **Audit everything** \u2013 query Intune audit logs, directory audit events, and sign-in logs to track who changed what and when\n- **Search the Settings Catalog** \u2013 find out if Intune supports a specific setting and explore GPO migration reports\n- **And much more** \u2013 Terms & Conditions, notification templates, enrollment restrictions, ESP, Windows Hello for Business, assignment filters, scope tags, and RBAC roles\n\n### Who is this for?\n\nThis skill is perfect for:\n\n- **IT administrators** who manage Intune environments and want to speed up their daily workflows with AI\n- **MSPs (Managed Service Providers)** who manage multiple tenants and need a fast, conversational interface to Intune\n- **DevOps / automation engineers** who want to integrate 
Intune management into their AI-powered workflows\n- **Anyone learning Intune** who wants an intelligent assistant that knows every Graph API endpoint\n\n### Why use this instead of the Intune portal?\n\n| Task | Intune Portal | With this Skill |\n|---|---|---|\n| Check compliance for 1 device | 5+ clicks, navigate menus | *\"Ist MAX-LAPTOP compliant?\"* \u2192 instant answer |\n| Sync 10 devices | Click each one individually | *\"Sync alle Ger\u00e4te von Team Marketing\"* \u2192 done |\n| Find stale devices | Export report, filter in Excel | *\"Welche Ger\u00e4te haben sich seit 30 Tagen nicht gemeldet?\"* \u2192 table |\n| Create a compliance policy | Navigate wizard, 10+ steps | *\"Erstell eine Compliance Policy f\u00fcr Windows mit BitLocker-Pflicht\"* \u2192 draft + confirm |\n| Check who changed a policy | Dig through audit logs | *\"Wer hat letzte Woche Policies ge\u00e4ndert?\"* \u2192 formatted list |\n\n### Built-in Safety\n\nThis skill was designed with **enterprise safety** in mind. Every destructive operation (wipe, retire, delete) requires **explicit double confirmation** from the user before execution. Read-only operations (listing devices, checking compliance) execute instantly without prompts. The agent never dumps raw JSON \u2013 it always formats output as readable Markdown.\n\n> \ud83d\udca1 **More scripts, tutorials, and automation workflows:**\n> Visit **[kaffeeundcode.com](https://kaffeeundcode.com)** for 150+ PowerShell scripts, n8n workflows, weekly Intune updates, and more.\n\n---\n\n## \ud83d\ude80 What Can It Do? 
(22 Categories, 110+ Endpoints)\n\n| # | Category | Capabilities |\n|---|---|---|\n| 1 | \ud83d\udcf1 **Device Management** | List, search, sync, reboot, lock, wipe, retire, rename, locate devices |\n| 2 | \ud83d\udccb **Compliance Policies** | List/create/delete compliance policies, check device status |\n| 3 | \u2699\ufe0f **Configuration Profiles** | Config profiles, Settings Catalog, assignments |\n| 4 | \ud83d\udce6 **App Management** | List apps, assignments, detected apps, app configs |\n| 5 | \ud83d\udd12 **Endpoint Security** | Baselines, BitLocker, Firewall, Defender, ASR rules |\n| 6 | \ud83d\ude80 **Windows Autopilot** | Devices, profiles, assign users, delete |\n| 7 | \ud83d\udcdc **PowerShell Scripts** | Upload, manage, execution status, proactive remediations |\n| 8 | \ud83d\udc65 **Users & Groups** | Search users, manage group memberships, list devices per user |\n| 9 | \ud83d\udcca **Reporting** | Compliance summary, OS distribution, stale devices, exports |\n| 10 | \ud83c\udff7\ufe0f **Device Categories** | Categories, enrollment restrictions |\n| 11 | \ud83d\udd04 **RBAC** | Roles and role assignments |\n| 12 | \ud83d\udee1\ufe0f **Conditional Access** | Policies, named locations, authentication strengths |\n| 13 | \ud83d\udcf6 **WLAN, VPN & Certificates** | Wi-Fi profiles, VPN, SCEP, PKCS, trusted root certs |\n| 14 | \ud83d\udd04 **Windows Updates** | Update rings, feature/quality/driver updates, pause/resume |\n| 15 | \ud83c\udf4e **Apple Management** | DEP/ADE, APNS certificate, VPP tokens, activation lock bypass |\n| 16 | \ud83e\udd16 **Android Enterprise** | Managed Store, enrollment profiles, binding status |\n| 17 | \ud83d\udcdd **Audit Logs** | Intune audit events, directory audits, sign-in logs |\n| 18 | \ud83c\udfd7\ufe0f **Settings Catalog & GPO** | Search settings, GPO migration reports, definition files |\n| 19 | \ud83d\udcc4 **Terms & Notifications** | Terms & conditions, notification templates, test messages |\n| 20 | \ud83d\udd10 
**App Protection (MAM)** | iOS/Android/Windows protection policies, per-user status |\n| 21 | \ud83d\udcf1 **Enrollment Config** | Platform restrictions, ESP, Windows Hello for Business |\n| 22 | \ud83e\uddee **Filters & Scope Tags** | Assignment filters, scope tags, filter preview |\n\n## \ud83d\udce6 Installation\n\n```bash\n# Copy into your OpenClaw workspace\nmkdir -p ~/.openclaw/workspace/skills/intune-graph\ncp SKILL.md ~/.openclaw/workspace/skills/intune-graph/\n```\n\n## \ud83d\udd11 Setup\n\n1. Create an **App Registration** in Microsoft Entra ID (Azure AD)\n2. Grant the required Microsoft Graph API permissions (see SKILL.md)\n3. Set environment variables:\n```bash\nexport INTUNE_TENANT_ID=\"your-tenant-id\"\nexport INTUNE_CLIENT_ID=\"your-client-id\"\nexport INTUNE_CLIENT_SECRET=\"your-client-secret\"\n```\n\n## \ud83d\udcac Example Usage\n\n> **You:** \"Zeig mir alle Ger\u00e4te die nicht compliant sind\"\n> **Agent:** \"5 Ger\u00e4te nicht compliant. 3 Windows (fehlende Updates), 2 iOS (kein Passcode). Soll ich die syncen?\"\n\n> **You:** \"Sync den Laptop von Max M\u00fcller\"\n> **Agent:** \"Done \u2705 Sync-Befehl an MAX-LAPTOP gesendet.\"\n\n> **You:** \"Wie viele Ger\u00e4te haben wir insgesamt?\"\n> **Agent:** \"127 Ger\u00e4te: 89 Windows, 22 iOS, 12 Android, 4 macOS.\"\n\n## \ud83d\udee1\ufe0f Safety\n\n- Read operations execute without confirmation\n- Sync/Reboot requires simple confirmation\n- **Wipe/Retire/Delete** always requires explicit double confirmation\n- The agent never dumps raw JSON \u2013 always formatted Markdown\n\n## \ud83d\udd17 Links\n\n- \ud83c\udf10 [Kaffee & Code](https://kaffeeundcode.com) \u2013 Blog, Skripte & Automatisierung\n- \ud83e\udd9e [OpenClaw](https://github.com/openclaw/openclaw)\n- \ud83d\udcd6 [Microsoft Graph API Docs](https://learn.microsoft.com/en-us/graph/api/resources/intune-graph-overview)\n\n---\nMade with \u2615 by [Mattia Cirillo](https://kaffeeundcode.com)\n",
57 "arguments": null,
58 "icons": null,
59 "meta": null
60 }
61 ],
62 "resources": [
63 {
64 "name": "_meta.json",
65 "title": null,
66 "uri": "skill://_meta.json",
67 "description": "{\n \"owner\": \"mattiacirillo\",\n \"slug\": \"openclaw-intune-skill\",\n \"displayName\": \"Openclaw Intune Skill\",\n \"latest\": {\n \"version\": \"1.0.1\",\n \"publishedAt\": 1771685328992,\n \"commit\": \"https://github.com/openclaw/skills/commit/3447db7cdfdcdc935384abfdc842205b11197c9a\"\n },\n \"history\": []\n}\n",
68 "mimeType": null,
69 "size": null,
70 "icons": null,
71 "annotations": null,
72 "meta": null
73 }
74 ],
75 "resource_templates": [],
76 "tools": []
77 },
78 "error": null
79 }
80 ],
81 "issues": [],
82 "labels": [
83 [
84 {
85 "is_public_sink": 0.07,
86 "destructive": 0.08,
87 "untrusted_content": 0.04,
88 "private_data": 0.23
89 },
90 {
91 "is_public_sink": 0.12,
92 "destructive": 0.1,
93 "untrusted_content": 0.16,
94 "private_data": 0.07
95 },
96 {
97 "is_public_sink": 0.01,
98 "destructive": 0.15,
99 "untrusted_content": 0.14,
100 "private_data": 0.19
101 }
102 ]
103 ],
104 "error": null
105 }
106}
107
108 Process exited with code 0
109 ✓ Completed in 130838ms
npm-audit
No package.json found — skipping npm audit
npm-audit 0ms
No package.json found at /tmp/clawguard-scan-ZfyVfO/repo/skills/mattiacirillo/openclaw-intune-skill/package.json
Skipping npm audit.

Scanned: 2/21/2026, 6:33:13 PM