activationLockBypassCode always returns null value?

p0shkar 26 Reputation points
2021-08-02T12:06:23.26+00:00

I'm looking to back up the Activation Lock Bypass Code for iPads, since the bypass code is lost if the device is removed from Intune. However, whenever I try to fetch the value using the PowerShell Intune SDK module, it is returned as $null.

Connect-MSGraph
$Devices = Get-IntuneManagedDevice -Filter "contains(operatingsystem, 'iOS')" | Get-MSGraphAllPages
$Devices | Select serialNumber, activationLockBypassCode

However, if I loop through the devices one by one the result isn't $null, so this works:

Connect-MSGraph
$Devices = Get-IntuneManagedDevice -Filter "contains(operatingsystem, 'iOS')" | Get-MSGraphAllPages

$Output = foreach ($Device in $Devices | select -first 30) {
    Get-IntuneManagedDevice -managedDeviceId $Device.id -select id, serialNumber, deviceName, userDisplayName, userPrincipalName, emailAddress, deviceCategoryDisplayName, activationLockBypassCode, managedDeviceOwnerType, managementAgent, isSupervised, model, enrolledDateTime, lastSyncDateTime
}
$Output | select id, serialNumber, deviceName, userDisplayName, userPrincipalName, emailAddress, deviceCategoryDisplayName, activationLockBypassCode, managedDeviceOwnerType, managementAgent, isSupervised, model, enrolledDateTime, lastSyncDateTime

As seen in this post as well.

The Intune module is written in .NET, in which I'm not proficient, so I don't know why this method would work but not the first. I thought this to be an Intune module bug, but when trying to use the Graph API Explorer I only get a $null value as well.

GET /deviceManagement/managedDevices/{managedDeviceId}

The above workaround works when I manually run it as a global admin, but I'm currently learning Azure Automation and would like to schedule this. However, when I run it with the RunAsAccount the value is returned $null, using both methods, while all other properties return a value as expected.

Is this a bug I should report somewhere or am I missing something? Does the activationLockBypassCode property require additional permissions or to be called in a specific manner?


3 answers

  1. Lu Dai-MSFT 28,366 Reputation points
    2021-08-03T02:18:24.57+00:00

    @OskarNorn-0676 Thanks for posting in our Q&A.

    Please understand that for such a strange situation, the resources I have are limited and not enough to confirm whether it is a known issue. Given this situation, it is better to create an online support ticket to double-check and find out if there is any method to fix it. Here is the online support link:
    https://learn.microsoft.com/en-us/mem/intune/fundamentals/get-support

    Hope this issue will be solved as soon as possible.




  2. p0shkar 26 Reputation points
    2021-08-09T08:21:39.56+00:00

    Here's the reply from the Support request:

    This is by design. In the code, we limit the backend to query device hardware information only when querying all devices. This is to reduce cost. Only a specific query for device hardware will return the information included for activation bypass:

    ~/managedDevices(id)?$select=hardwareinformation,userId&$expand=detectedApps request.
    StatelessManagedDeviceController.cs - Repos (visualstudio.com)

    This returns null when there is no specific "select"

    So the only workaround is to loop through each device to retrieve this information unfortunately.

    However when specifically using select to retrieve the bypass code, running

    Get-IntuneManagedDevice -managedDeviceId $id -select id, activationLockBypassCode

    works when I'm running it "locally", but if I run it using Azure Automation only the id (or any other property I select) is returned, but not the bypass code. Don't know if this would be the right forum but do you have any idea why this would happen in AA?
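
The per-device workaround from the support reply above, wrapped for a scheduled backup, as an added example that is not part of the original thread: it merges each run into the previous backup so that a run returning $null (the Azure Automation symptom described above) never overwrites a code that was already saved. `Merge-BypassCodeBackup`, `-Previous`, `-Fetch` and all sample values are hypothetical or constructed; the default fetch assumes the Intune PowerShell SDK module and an existing `Connect-MSGraph` session.

```powershell
# Added example, not code from the thread. Merge-BypassCodeBackup, -Previous and
# -Fetch are hypothetical names introduced here.
function Merge-BypassCodeBackup {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,  # objects with an .id (list call output)
        [hashtable] $Previous = @{},                 # serialNumber -> code from earlier runs
        # Default fetch: the per-device call with -select shown in the thread.
        [scriptblock] $Fetch = {
            param($Id)
            Get-IntuneManagedDevice -managedDeviceId $Id -select id, serialNumber, activationLockBypassCode
        }
    )
    $merged = $Previous.Clone()
    $fresh = 0
    $empty = 0
    foreach ($device in $Devices) {
        $r = & $Fetch $device.id
        # A $null code (or no usable key) must never replace a stored code.
        if (-not $r -or [string]::IsNullOrEmpty($r.activationLockBypassCode) -or
            [string]::IsNullOrEmpty($r.serialNumber)) {
            $empty++
            continue
        }
        $merged[$r.serialNumber] = $r.activationLockBypassCode
        $fresh++
    }
    [pscustomobject]@{
        Codes    = $merged
        Fresh    = $fresh
        Empty    = $empty
        AllEmpty = ($Devices.Count -gt 0 -and $fresh -eq 0)
    }
}

# Constructed sample data so the logic runs without a Graph connection: the stub
# returns a code for one device and $null for the other.
$sampleDevices = @([pscustomobject]@{ id = 'dev-1' }, [pscustomobject]@{ id = 'dev-2' })
$stub = {
    param($Id)
    $code = if ($Id -eq 'dev-1') { 'CONSTRUCTED-CODE-1' } else { $null }
    [pscustomobject]@{ id = $Id; serialNumber = "SN-$Id"; activationLockBypassCode = $code }
}
$previous = @{ 'SN-dev-2' = 'CONSTRUCTED-OLD-CODE' }

$result = Merge-BypassCodeBackup -Devices $sampleDevices -Previous $previous -Fetch $stub
$result.Codes
# Fail the job loudly instead of saving an all-empty run over a good backup.
if ($result.AllEmpty) { throw 'Every device returned $null; previous backup left unchanged.' }
```

The bypass codes in `Codes` are secrets, so whatever the job writes them to should be access-controlled rather than a plain file on the worker.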


  3. Sascha Reichhardt 36 Reputation points
    2021-09-01T16:44:45.253+00:00

    Facing the same issue. Opened a MS Support ticket as well. If I have any updates I will let you know.