70 lines
2.9 KiB
PowerShell
70 lines
2.9 KiB
PowerShell
using namespace System.Management.Automation.Host
|
|
|
|
Connect-MgGraph -ContextScope Process -Scopes "BitLockerKey.Read.All"
|
|
|
|
# First, disable the devices.
|
|
$DisableDays = 180
|
|
$DisableDate = (Get-Date).AddDays(-$DisableDays)
|
|
$Params = @{
|
|
accountEnabled = $false
|
|
}
|
|
|
|
$DevicesToSetDisabled = Get-MgDevice -All | Where {($_.ApproximateLastSignInDateTime -le $DisableDate) -and ($_.AccountEnabled -eq $true)}
|
|
$Count = $DevicesToSetDisabled.Count
|
|
|
|
$Title = "Disable inactive devices?"
|
|
$Question= "Would you like to disable $Count enabled devices that have been inactive for approximately $DisableDays days?"
|
|
$Choices = @(
|
|
[System.Management.Automation.Host.ChoiceDescription]::new("&Yes", "Inactive devices will be disabled.")
|
|
[System.Management.Automation.Host.ChoiceDescription]::new("&No", "Inactive devices will NOT be disabled.")
|
|
)
|
|
$Answer = $Host.UI.PromptForChoice($Title, $Question, $Choices, 1)
|
|
|
|
If($Answer -eq 0) {
|
|
Write-Host "Disabling devices..."
|
|
foreach ($Device in $DevicesToSetDisabled) {
|
|
Write-Host "Disabling device $($Device.DisplayName) (last active on $($Device.ApproximateLastSignInDateTime))."
|
|
Update-MgDevice -DeviceId $Device.Id -BodyParameter $params
|
|
}
|
|
}
|
|
|
|
# Then, delete devices that are disabled and have remained inactive for another month.
|
|
|
|
$DeleteDays = $DisableDays + 30
|
|
$DeleteDate = (Get-Date).AddDays(-$DeleteDays)
|
|
|
|
$DevicesToDelete = Get-MgDevice -All | Where {($_.ApproximateLastSignInDateTime -le $DeleteDate) -and ($_.AccountEnabled -eq $false)}
|
|
$Count = $DevicesToDelete.Count
|
|
|
|
$Title = "Delete inactive devices?"
|
|
$Question= "Would you like to delete $Count disabled devices that have been inactive for approximately $DeleteDays days?"
|
|
$Choices = @(
|
|
[System.Management.Automation.Host.ChoiceDescription]::new("&Yes", "Inactive devices will be deleted.")
|
|
[System.Management.Automation.Host.ChoiceDescription]::new("&No", "Inactive devices will NOT be deleted.")
|
|
)
|
|
$Answer = $Host.UI.PromptForChoice($Title, $Question, $Choices, 1)
|
|
|
|
If($Answer -eq 0) {
|
|
|
|
$ExportKeys = @()
|
|
$KeyList = Get-MgInformationProtectionBitlockerRecoveryKey -All
|
|
|
|
Write-Host "Deleting devices..."
|
|
foreach ($Device in $DevicesToDelete) {
|
|
# First save the bitlocker key.
|
|
Write-Host "Exporting Bitlocker keys for $($Device.DisplayName)."
|
|
$DeviceKeys = $KeyList | Where-Object {$_.DeviceID -eq $Device.DeviceId}
|
|
ForEach($Key in $DeviceKeys) {
|
|
$ExportKeys += Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $Key.Id -Property key
|
|
}
|
|
# Then delete the device.
|
|
Write-Host "Deleting device $($Device.DisplayName) (last active on $($Device.ApproximateLastSignInDateTime))."
|
|
Remove-MgDevice -DeviceId $Device.Id
|
|
}
|
|
Write-Host "Exporting Bitlocker keys to CSV file."
|
|
$ExportDate = Get-Date -Format "yyyy-MM-dd-HH-mm"
|
|
$ExportKeys | Export-Csv -Path "ExportedBitlockerKeys-$ExportDate.csv"
|
|
}
|
|
|
|
Disconnect-MgGraph
|