activationLockBypassCode always return null value?

p0shkar 26 Reputation points
2021-08-02T12:06:23.26+00:00

I'm looking to backup the Activation Lock Bypass Code for iPads since the bypass code is lost if the device is removed from Intune. However, whenever I try to fetch the value using the PowerShell Intune SDK module it is returned $null.

Connect-MSGraph
$Devices = Get-IntuneManagedDevice -Filter "contains(operatingsystem, 'iOS')" | Get-MSGraphAllPages
$Devices | Select serialNumber, activationLockBypassCode

However, if I loop through the devices one by one the result isn't $null, so this works:

Connect-MSGraph
$Devices = Get-IntuneManagedDevice -Filter "contains(operatingsystem, 'iOS')" | Get-MSGraphAllPages

$Output = foreach ($Device in $Devices | select -first 30) {
    Get-IntuneManagedDevice -managedDeviceId $Device.id -select id, serialNumber, deviceName, userDisplayName, userPrincipalName, emailAddress, deviceCategoryDisplayName, activationLockBypassCode, managedDeviceOwnerType, managementAgent, isSupervised, model, enrolledDateTime, lastSyncDateTime
}
$Output | select id, serialNumber, deviceName, userDisplayName, userPrincipalName, emailAddress, deviceCategoryDisplayName, activationLockBypassCode, managedDeviceOwnerType, managementAgent, isSupervised, model, enrolledDateTime, lastSyncDateTime

As seen in this post as well.

The Intune module is written in .NET in which I'm not proficient, so I don't know why this method would work but not the first. I thought this to be a Intune module bug, but when trying to use the Graph API Explorer I only get a $null value as well.

GET /deviceManagement/managedDevices/{managedDeviceId}

The above workaround works when I manually run it as a global admin, but I'm currently learning Azure Automation and would like to schedule this. However, when I run it with the RunAsAccount the value is returned
$null, using both methods, while all other properties return a value as expected.

Is this a bug I should report somewhere or am I missing something? Does the activationLockBypassCode property require additional permissions or to be called in a specific manner?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,840 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,480 questions
{count} vote

3 answers

Sort by: Most helpful
  1. Lu Dai-MSFT 28,356 Reputation points
    2021-08-03T02:18:24.57+00:00

    @OskarNorn-0676 Thanks for posting in our Q&A.

    Please understand for such strange situation, the resource that I have is limited and not enough to make sure if it is a known issue. Given this situation, it is better to create an online support ticket to double confirm and find if there is any method to fix it. Here is the online support link:
    https://learn.microsoft.com/en-us/mem/intune/fundamentals/get-support

    Hope this issue will be solved as soon as possible.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. p0shkar 26 Reputation points
    2021-08-09T08:21:39.56+00:00

    Here's the reply from the Support request:

    This is by design. In the code, we limit the backend to query device hardware information only when querying all devices. This is to reduce cost. Only a specific query for device hardware will return the information included for activation bypass:

    ~/managedDevices(id)?$select=hardwareinformation,userId&$expand=detectedApps request.
    StatelessManagedDeviceController.cs - Repos (visualstudio.com)

    This returns null when there is no specific "select"

    So the only workaround is to loop through each device to retrieve this information unfortunately.

    However when specifically using select to retrieve the bypass code, running

    Get-IntuneManagedDevice -managedDeviceId $id -select id, activationLockBypassCode

    works when I'm running it "locally", but if I run it using Azure Automation only the id (or any other property I select) is returned, but not the bypass code. Don't know if this would be the right forum but do you have any idea why this would happen in AA?


  3. Sascha Reichhardt 36 Reputation points
    2021-09-01T16:44:45.253+00:00

    Faceing the same issue. Opened a MS Support ticket as well. If I have any updates I will let you know.