manage_intune_windows_compliance

Assess and manage Windows device compliance in Intune by checking BitLocker encryption, antivirus status, and security configurations. Use to get compliance status, update policies, or force evaluations.

Instructions

Assess Windows device compliance status including BitLocker encryption, antivirus status, and security configurations.

Input Schema

| Name | Required | Description | Default |
|---|---|---|---|
| action | Yes | Intune Windows compliance action | |
| deviceId | No | Device ID for compliance assessment | |
| complianceType | No | Type of compliance check | |
| policies | No | Specific policy IDs to assess | |
| complianceData | No | Compliance assessment data | |

Implementation Reference

  • The core handler function implementing the tool logic for managing Intune Windows device compliance. Handles actions: get_status, get_details (including BitLocker), update_policy, force_evaluation, get_bitlocker_keys. Uses Microsoft Graph API endpoints for compliance states, policy states, BitLocker recovery keys, and device sync.
    // Intune Windows Compliance Management Handler
    export async function handleIntuneWindowsCompliance(
      graphClient: Client,
      args: IntuneWindowsComplianceArgs
    ): Promise<{ content: { type: string; text: string }[] }> {
      let apiPath = '';
      let result: any;

      switch (args.action) {
        case 'get_status':
          if (args.deviceId) {
            apiPath = `/deviceManagement/managedDevices/${args.deviceId}/deviceCompliancePolicyStates`;
          } else {
            apiPath = '/deviceManagement/deviceCompliancePolicyDeviceStateSummary';
          }
          result = await graphClient.api(apiPath).get();
          break;

        case 'get_details':
          if (!args.deviceId) {
            throw new McpError(ErrorCode.InvalidParams, 'deviceId is required for get_details action');
          }
          if (args.complianceType === 'bitlocker') {
            apiPath = `/informationProtection/bitlocker/recoveryKeys`;
            const filter = `$filter=deviceId eq '${args.deviceId}'`;
            result = await graphClient.api(`${apiPath}?${filter}`).get();
          } else {
            apiPath = `/deviceManagement/managedDevices/${args.deviceId}/deviceConfigurationStates`;
            if (args.policies && args.policies.length > 0) {
              const policyFilter = args.policies.map(p => `id eq '${p}'`).join(' or ');
              apiPath += `?$filter=${policyFilter}`;
            }
            result = await graphClient.api(apiPath).get();
          }
          break;

        case 'update_policy':
          if (!args.policies || args.policies.length === 0) {
            throw new McpError(ErrorCode.InvalidParams, 'policies array is required for update_policy action');
          }
          const updateResults = [];
          for (const policyId of args.policies) {
            try {
              apiPath = `/deviceManagement/deviceCompliancePolicies/${policyId}`;
              const policy = await graphClient.api(apiPath).get();

              // Force policy refresh
              const refreshPath = `/deviceManagement/deviceCompliancePolicies/${policyId}/scheduleActionsForRules`;
              await graphClient.api(refreshPath).post({ deviceCompliancePolicyId: policyId });

              updateResults.push({ policyId: policyId, status: 'updated', name: policy.displayName });
            } catch (error) {
              updateResults.push({
                policyId: policyId,
                status: 'failed',
                error: error instanceof Error ? error.message : 'Unknown error'
              });
            }
          }
          result = { updatedPolicies: updateResults };
          break;

        case 'force_evaluation':
          if (!args.deviceId) {
            throw new McpError(ErrorCode.InvalidParams, 'deviceId is required for force_evaluation action');
          }
          // Trigger compliance evaluation
          apiPath = `/deviceManagement/managedDevices/${args.deviceId}/syncDevice`;
          await graphClient.api(apiPath).post({});

          // Also trigger policy refresh
          const refreshPath = `/deviceManagement/managedDevices/${args.deviceId}/refreshDeviceComplianceReportSummarization`;
          result = await graphClient.api(refreshPath).post({});
          break;

        case 'get_bitlocker_keys':
          if (!args.deviceId) {
            throw new McpError(ErrorCode.InvalidParams, 'deviceId is required for get_bitlocker_keys action');
          }
          apiPath = `/informationProtection/bitlocker/recoveryKeys`;
          const filter = `$filter=deviceId eq '${args.deviceId}'`;
          result = await graphClient.api(`${apiPath}?${filter}`).get();
          break;

        default:
          throw new McpError(ErrorCode.InvalidParams, `Unknown action: ${args.action}`);
      }

      return {
        content: [
          {
            type: 'text',
            text: `Windows Compliance Management Result:\n${JSON.stringify(result, null, 2)}`
          }
        ]
      };
    }
  • Zod schema definition for the tool input parameters used in MCP tool registration.
    export const intuneWindowsComplianceSchema = z.object({
      action: z.enum(['get_status', 'get_details', 'update_policy', 'force_evaluation', 'get_bitlocker_keys'])
        .describe('Intune Windows compliance action'),
      deviceId: z.string().optional().describe('Device ID for compliance assessment'),
      complianceType: z.enum(['security', 'configuration', 'update', 'bitlocker']).optional()
        .describe('Type of compliance check'),
      policies: z.array(z.string()).optional().describe('Specific policy IDs to assess'),
      complianceData: z.object({
        passwordCompliant: z.boolean().optional().describe('Password compliance status'),
        encryptionCompliant: z.boolean().optional().describe('Encryption compliance status'),
        osVersionCompliant: z.boolean().optional().describe('OS version compliance status'),
        threatProtectionCompliant: z.boolean().optional().describe('Threat protection compliance status'),
        bitlockerCompliant: z.boolean().optional().describe('BitLocker compliance status'),
        firewallCompliant: z.boolean().optional().describe('Firewall compliance status'),
        antivirusCompliant: z.boolean().optional().describe('Antivirus compliance status'),
      }).optional().describe('Compliance assessment data'),
    });
  • src/server.ts:876-895 (registration)
    MCP server tool registration mapping 'manage_intune_windows_compliance' name to the handleIntuneWindowsCompliance handler function with schema and annotations.
    this.server.tool(
      "manage_intune_windows_compliance",
      "Assess Windows device compliance status including BitLocker encryption, antivirus status, and security configurations.",
      intuneWindowsComplianceSchema.shape,
      {"readOnlyHint":true,"destructiveHint":false,"idempotentHint":true},
      wrapToolHandler(async (args: IntuneWindowsComplianceArgs) => {
        this.validateCredentials();
        try {
          return await handleIntuneWindowsCompliance(this.getGraphClient(), args);
        } catch (error) {
          if (error instanceof McpError) {
            throw error;
          }
          throw new McpError(
            ErrorCode.InternalError,
            `Error executing tool: ${error instanceof Error ? error.message : 'Unknown error'}`
          );
        }
      })
    );
  • TypeScript interface defining the input arguments for the compliance handler, used to type-check the handler function parameters.
    export interface IntuneWindowsComplianceArgs {
      action: 'get_status' | 'get_details' | 'update_policy' | 'force_evaluation' | 'get_bitlocker_keys';
      deviceId?: string;
      complianceType?: 'security' | 'configuration' | 'update' | 'bitlocker';
      policies?: string[];
      complianceData?: {
        passwordCompliant?: boolean;
        encryptionCompliant?: boolean;
        osVersionCompliant?: boolean;
        threatProtectionCompliant?: boolean;
        bitlockerCompliant?: boolean;
        firewallCompliant?: boolean;
        antivirusCompliant?: boolean;
      };
    }
  • Tool metadata providing description, title, and annotations for UI/tool selection hints.
    manage_intune_windows_compliance: {
      description: "Assess Windows device compliance status including BitLocker encryption, antivirus status, and security configurations.",
      title: "Intune Windows Compliance Checker",
      annotations: {
        title: "Intune Windows Compliance Checker",
        readOnlyHint: true,
        destructiveHint: false,
        idempotentHint: true,
        openWorldHint: true
      }
    }
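
The handler above places `deviceId` and policy IDs directly into Graph paths and `$filter` strings, and the registration sets `readOnlyHint: true` although `update_policy` and `force_evaluation` issue POST requests. The TypeScript below is an added example, not code from the project: `requireGuid`, `bitlockerKeysQuery`, `compliancePolicyPath`, `riskOf` and `readOnlyHintIsAccurate` are hypothetical helpers, and it assumes Intune device and compliance policy IDs are GUIDs.

```typescript
// Added example, not project code. Assumes Intune device and policy IDs are GUIDs.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

type Action = 'get_status' | 'get_details' | 'update_policy'
  | 'force_evaluation' | 'get_bitlocker_keys';
type Risk = 'read' | 'write' | 'secret';

// Reject anything that is not a GUID before it is placed in a path or $filter.
function requireGuid(name: string, value: string): string {
  if (!GUID_RE.test(value)) {
    throw new Error(`${name} must be a GUID`);
  }
  return value.toLowerCase();
}

// Same endpoint as the handler's BitLocker branches, built from a validated ID.
// The filter is returned separately so it can be passed to the Graph client's
// .filter() method instead of being concatenated into the URL.
function bitlockerKeysQuery(deviceId: string): { path: string; filter: string } {
  const id = requireGuid('deviceId', deviceId);
  return {
    path: '/informationProtection/bitlocker/recoveryKeys',
    filter: `deviceId eq '${id}'`,
  };
}

// Same endpoint as the handler's update_policy branch, built from a validated ID.
function compliancePolicyPath(policyId: string): string {
  return `/deviceManagement/deviceCompliancePolicies/${requireGuid('policyId', policyId)}`;
}

// What each action does in the handler: GET only, POST, or recovery key records.
function riskOf(action: Action, complianceType?: string): Risk {
  if (action === 'update_policy' || action === 'force_evaluation') return 'write';
  if (action === 'get_bitlocker_keys') return 'secret';
  if (action === 'get_details' && complianceType === 'bitlocker') return 'secret';
  return 'read';
}

// A readOnlyHint of true is accurate only if no exposed action is 'write'.
function readOnlyHintIsAccurate(actions: Action[]): boolean {
  return actions.every(a => riskOf(a) !== 'write');
}
```

With all five actions of this tool, `readOnlyHintIsAccurate` returns `false`, which is the signal to split the write and recovery-key actions into separately annotated tools or to gate them behind explicit approval.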

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/DynamicEndpoints/m365-core-mcp'