Let’s learn how to export Intune Platform Windows PowerShell scripts using PowerShell Script and Graph API. This article presents a streamlined and dependable method for retrieving PowerShell scripts from Microsoft Intune using the Graph API. Designed for efficiency and ease of execution, this approach simplifies script management across Windows devices.
Driven by a passion for automation, I was keen to dive into the possibilities of managing Microsoft Intune using PowerShell. This approach unlocks a powerful way to streamline workflows, enforce consistency, and reduce manual overhead. Have you explored this space yet, or considered integrating it into your own automation toolkit?
Microsoft Graph is an API (Application programming interface) that provides a single endpoint for accessing data, intelligence, and insights from Microsoft 365 and other Microsoft Cloud services. It provides a single endpoint, https://graph.microsoft.com that enables access to various data and insights in the Microsoft cloud, including Microsoft 365, Windows, and Enterprise Mobility + Security.
By using Microsoft Graph, developers can build intelligent applications that leverage the power of Microsoft 365 and other Microsoft services to enhance productivity and collaboration. In view of my enthusiasm towards automation, I have always found it intriguing to explore the Microsoft Graph API and PowerShell.
Table of Contents
Understanding Platform Scripts
Platform scripts offer a powerful way to execute single-use or infrequent actions on managed devices, especially when built-in Intune settings fall short. They’re ideal for initial configuration, applying custom fixes, or deploying lightweight changes that don’t require persistent enforcement.
On Windows, Intune allows you to upload PowerShell scripts and define the execution context , whether the script runs in the user or system scope, and whether it requires elevated permissions. Platform scripts are also supported on macOS and Linux, where you can deploy shell scripts tailored to those environments. For this guide, we’ll focus specifically on Windows.
- Best way to Deploy Shell Scripts using Intune
- Run Remediation Script on-demand for Windows Devices using Intune
- PowerShell Script to Create a Local Admin Account using Intune
These scripts are designed to run once per device. After execution, they do not automatically rerun, even if the original issue reappears or the desired state changes. This makes them perfect for point-in-time tasks like installing a specific application, modifying a registry setting, or applying a one-time configuration tweak.
NOTE! Once a platform script is deployed via Intune, it becomes invisible within the portal, you cannot view or edit its contents afterward. The only way to retrieve the script is by exporting it using the Microsoft Graph API.
Install Microsoft Graph PowerShell Modules
This automation requires Microsoft Graph PowerShell modules. The SDK includes two modules, Microsoft. Graph and Microsoft.Graph.Beta, are respectively called the Microsoft Graph REST API v1.0 and Microsoft Graph REST API beta.
Install-Module Microsoft.Graph -Scope CurrentUser -forceThe above one-line command will install the SDK’s v1 module in PowerShell Core or Windows PowerShell within minutes of running the code. As module installation can exceed 15 minutes, it’s highly recommended to perform this step beforehand to ensure smoother script execution.
Read more : Best Guide to Install Microsoft Graph PowerShell Modules- Best way to Deploy Shell Scripts using Intune
- Run Remediation Script on-demand for Windows Devices using Intune
- PowerShell Script to Create a Local Admin Account using Intune
Permissions Required to Run the Script
You should already have the Microsoft Graph PowerShell modules installed. Now, it’s time to understand the permissions required to export Intune platform PowerShell scripts via the Graph API. Below are the permissions you’ll need to run the automation successfully.
| Permissions |
|---|
| DeviceManagementConfiguration.Read.All |
| DeviceManagementScripts.Read.All |
- How to deploy Microsoft Defender for macOS using Intune
- Learn How to Configure macOS Antivirus Policy Using Intune
Export the Intune Platform PowerShell Scripts via Graph API
We’re all set to automate the process of exporting Intune platform PowerShell scripts via the Graph API. Open PowerShell ISE as an administrator and copy-paste the code below. The variable $FolderPath, will prompt you to specify the folder location where you’d like the scripts to be exported.
<#
.SYNOPSIS
Export Intune PowerShell scripts to local storage.
.DESCRIPTION
Retrieves all or specific PowerShell scripts from Microsoft Intune via Graph API and saves them locally.
Designed for automation workflows, script auditing, and compliance tracking.
.AUTHOR
Sujin Nelladath — Microsoft Graph MVP
.PARAMETER FolderPath
Destination folder for exported scripts.
.PARAMETER FileName
Optional: Specific script filename to export.
.EXAMPLE
Export all scripts:
.\Export-IntuneScripts.ps1 -FolderPath "C:\Intune\Scripts"
.EXAMPLE
Export a single script:
.\Export-IntuneScripts.ps1 -FolderPath "C:\Intune\Scripts" -FileName "IntuneScript.ps1"
#>
Param(
[Parameter(Mandatory)] [string]$FolderPath,
[Parameter()] [string]$FileName
)
#Connect to Microsoft Graph
Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Cyan
try
{
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All","DeviceManagementScripts.Read.All"
Write-Host "Connected successfully." -ForegroundColor Green
}
catch
{
Write-Error "Connection failed: $_"
exit
}
#Check Destination Folder
if (!(Test-Path $FolderPath))
{
New-Item -Path $FolderPath -ItemType Directory -Force | Out-Null
Write-Host "Created folder: $FolderPath" -ForegroundColor Yellow
}
#Export Function
function Export-IntuneScript
{
param (
[Parameter(Mandatory)] $ScriptObject,
[Parameter(Mandatory)] $DestinationFolder
)
$apiVersion = "beta"
$baseUri = "https://graph.microsoft.com/$apiVersion"
$scriptDetails = Invoke-MgGraphRequest -Uri "$baseUri/deviceManagement/deviceManagementScripts/$($ScriptObject.id)" -Method GET
$decodedContent = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($scriptDetails.scriptContent))
$outputPath = Join-Path $DestinationFolder $ScriptObject.fileName
$decodedContent | Out-File -Encoding ASCII -FilePath $outputPath
Add-Content -Path $outputPath -Value "`n# Exported by Sujin Nelladath — Microsoft Graph MVP"
}
#Retrieve and Export Scripts
$graphApiVersion = "beta"
$baseUri = "https://graph.microsoft.com/$graphApiVersion"
$scriptList = (Invoke-MgGraphRequest -Uri "$baseUri/deviceManagement/deviceManagementScripts" -Method GET).value
$totalScripts = $scriptList.Count
Write-Host "Found $totalScripts scripts." -ForegroundColor Cyan
$counter = 1
foreach ($script in $scriptList)
{
$progress = ($counter * 100 / $totalScripts)
Write-Progress -Activity "Exporting $($script.fileName)" -Status "$counter of $totalScripts" -PercentComplete $progress
if ($FileName)
{
if ($script.fileName -eq $FileName)
{
Export-IntuneScript -ScriptObject $script -DestinationFolder $FolderPath
}
}
else
{
Export-IntuneScript -ScriptObject $script -DestinationFolder $FolderPath
}
$counter++
}
Write-Host "Export complete." -ForegroundColor Green
#endThe $FolderPath variable is mandatory, the script cannot be executed without specifying a folder path. However, $FileName is optional and can be used only if you want to export any specific script. Let’s run the code now.
- PowerShell Script to Track Upcoming Microsoft Entra App Secret Expirations
- How to Restore Deleted Microsoft 365 Group using Microsoft Graph API and PowerShell
- How to Manage Outlook Out of Office Settings using Microsoft Graph API and PowerShell- A Complete Automation Guide
The script output will be generated within a few seconds. The exported PowerShell scripts will be saved to the following location: E:\Intune Training\Export. You can reuse the code for future automation or reference.
Download the script : Export-IntuneScripts.ps1I trust that this article will significantly benefit you and your organization. I appreciate your patience in reading this post. I look forward to seeing you in the next post. Keep supporting the HTMD Community.
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
About the Author: Sujin Nelladath, a Microsoft Graph MVP with over 12 years of experience in SCCM device management and Automation solutions, writes and shares his experiences with Microsoft device management technologies, Azure, DevOps and PowerShell automation.