Bulk Export Intune Settings and Configuration Profiles Using Sample PowerShell Script

Let’s discuss Bulk Export Intune Settings and Configuration Profiles Using Sample PowerShell Script. This post will help you export Microsoft Intune Device settings, configuration profiles, policies, etc., present in the Intune tenant using PowerShell Scripts and Microsoft Graph API. These settings are the core configurations for device management from the Intune tenant.

As we know, Intune Settings and Configurations can be exported directly from the Intune portal. But in this post, you will learn how to export all settings or configurations in bulk at once. Using different Intune Sample PowerShell scripts, we can export the desired types of configurations from the Intune tenant.

You may have exported Intune settings, policies, and profiles as JSON or ADMX files manually, one by one, from the Intune portal. Today, we will learn how to leverage the Microsoft Graph API and PowerShell scripts to export all required configurations from the Intune tenant simultaneously.

This can be helpful when replicating settings and configuration from one Intune tenant to another, backing up the tenant settings/profiles, or sharing the configuration settings.

Bulk Export Intune Settings and Configuration Profiles Using Sample PowerShell Script – Fig. 01

Before You Get Started

Before you begin, ensure you have configured a Microsoft Entra App registration for Microsoft Graph identity and authentication. We will use this app registration to authenticate to the tenant in order to export the desired settings and profiles.

Let’s look at the Pre-requirements you need to consider.

Pre Requirements For Exporting Intune Configurations
  • Microsoft Entra App registration is needed for authentication and identity.
  • Microsoft sample PowerShell scripts from the GitHub repository.
  • Update the sample scripts with the MSAL authentication method and Entra App ID.
  • PowerShell v5.0 is required to use these Graph API Intune PowerShell samples.
  • Install the AzureAD PowerShell module by running 'Install-Module AzureAD' from elevated PowerShell.
  • An Entra account with Intune administrator permissions.
  • A Global Administrator of the tenant must accept the application's permissions the first time these scripts are run.
Bulk Export Intune Settings and Configuration Profiles Using Sample PowerShell Script – Table. 01

Using Microsoft Graph API Sample Scripts to Export Intune settings

Microsoft Graph is a RESTful API that allows access to Microsoft Cloud services. MS Graph can be used to build applications, analyze data, fetch data from external sources into Microsoft Graph, and manage user and device identity, compliance, access, and security. Vincent Biret has this great GitHub repository which contains Microsoft Graph API Intune PowerShell sample scripts. Thanks Vincent for the scripts..!

Note! Some of these MS PowerShell script samples retrieve information from your Intune tenant, and a few can create, update, or delete data for your tenant. Understand the impact of the sample script before running it; testing should be done in a non-production or test tenant account.

Let’s understand how we can use these sample PowerShell scripts with Graph API to export Intune configurations.

  • Download the required scripts from GitHub repository.
  • Extract the files to a local folder (e.g. C:\IntuneGraphSamples)
  • Open PowerShell x64 as administrator.
  • Browse to the directory (e.g. cd C:\IntuneGraphSamples)
  • Update the downloaded PowerShell script with required authentication method as described in next section.
Bulk Export Intune Settings and Configuration Profiles Using Sample PowerShell Script – Fig. 02

We can use any sample script per the requirement; we must update the script with our Entra registered application ID and tenant ID.

Update Sample PowerShell Script to Make It Working With Intune Tenant

Due to an update in the authentication method in the Graph SDK PowerShell module, Microsoft Intune PowerShell application ID-based authentication is no longer used. Hence, we will have to update the sample scripts with our Microsoft Entra ID registered application ID and change the Authentication method to make the script work. This authentication method has yet to be updated in the Sample scripts on GitHub.

This is a screenshot of the Sample PowerShell script SettingCatalog_export.ps1, downloaded from GitHub before any changes.

Bulk Export Intune Settings and Configuration Profiles Using Sample PowerShell Script – Fig. 03

Let’s Update the Sample script using the PowerShell code below for MSAL authentication so that it can work with our App registration.

Remove the “Authentication” part of the Sample script downloaded from Github. This part goes from line 12 to line 151 in the downloaded script. Delete the code until “Function Get-SettingsCatalogPolicy” and place the below code as a new authentication function on top of the script.

Replace ***** in $clientid and $tenantid with your Entra Application ID (client ID) and tenant ID (Object ID)

#######################

function Get-AuthToken {
    # Make sure the MSAL.PS module is available; install it for the current user if not.
    Write-Host "Checking for MSAL module..."
    $MsalModule = Get-Module -Name "MSAL.PS" -ListAvailable

    if ($null -eq $MsalModule) {
        Write-Host "MSAL.PS PowerShell module not found, installing..."
        Install-Module -Name "MSAL.PS" -Scope CurrentUser -Force -AllowClobber
    }

    # Replace the asterisks with your Entra application (client) ID and tenant ID.
    $clientId = "***************************"
    $tenantId = "**************************"

    $authority = "https://login.microsoftonline.com/$tenantId"
    $scopes = "https://graph.microsoft.com/.default"

    try {
        # Interactive sign-in; returns an access token for Microsoft Graph.
        $authResult = Get-MsalToken -ClientId $clientId -TenantId $tenantId -Authority $authority -Scopes $scopes -Interactive

        if ($authResult.AccessToken) {
            # Header used by the rest of the sample script for Graph requests.
            $authHeader = @{
                'Content-Type'  = 'application/json'
                'Authorization' = "Bearer " + $authResult.AccessToken
                'ExpiresOn'     = $authResult.ExpiresOn
            }

            return $authHeader
        } else {
            Write-Host
            Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
            Write-Host
        }
    }
    catch {
        Write-Host $_.Exception.Message -ForegroundColor Red
        Write-Host $_.Exception.ItemName -ForegroundColor Red
        Write-Host
    }
}
#########################

After updating the script, it will look like below. Now, the PowerShell script is ready to work with our registered App. We can run the updated script from elevated PowerShell to export the Settings catalogue from the Intune tenant. Similarly, we can download and update other sample scripts to export desired policies from Intune.

Bulk Export Intune Settings and Configuration Profiles Using Sample PowerShell Script – Fig. 04
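
The authentication function above requests the ".default" scope, so the token carries every delegated permission consented for the app registration, and some sample scripts can create, update, or delete tenant data. The following added example (not part of the original post or of the Microsoft samples) decodes the token payload to list its scopes before a script is run. The function names, the reliance on the "scp", "aud" and "exp" claims being readable, and the constructed sample token are assumptions for illustration.

```powershell
# Added example: report the scopes carried by the header that Get-AuthToken returns.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments use the URL-safe alphabet and drop '=' padding; restore both.
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-TokenScopeReport {
    param([Parameter(Mandatory)][hashtable]$AuthHeader)
    $jwt = $AuthHeader['Authorization'] -replace '^Bearer\s+', ''
    $parts = $jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Access token is not a three-part JWT; cannot inspect scopes.' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # Delegated tokens list their permissions space-separated in the "scp" claim.
    $scopes = @("$($claims.scp)" -split '\s+' | Where-Object { $_ })
    $epoch = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    [pscustomobject]@{
        Audience    = $claims.aud
        Scopes      = $scopes
        WriteScopes = @($scopes | Where-Object { $_ -match 'ReadWrite' })
        ExpiresUtc  = $epoch.AddSeconds($claims.exp)
    }
}

# Constructed sample token (unsigned, illustrative values) so the example runs offline.
function ConvertTo-Base64Url([string]$Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = '{"aud":"https://graph.microsoft.com","scp":"DeviceManagementConfiguration.ReadWrite.All User.Read","exp":1900000000}'
$sampleJwt = (ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url $payload), 'constructed-signature' -join '.'

$report = Get-TokenScopeReport -AuthHeader @{ 'Authorization' = "Bearer $sampleJwt" }
if ($report.WriteScopes) {
    Write-Warning "Token can modify tenant data: $($report.WriteScopes -join ', ')"
}
$report
```

In a real session, pass the hashtable returned by Get-AuthToken instead of the constructed header. An export-only app registration that is granted just read permissions produces an empty WriteScopes list.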

How to Use PowerShell Sample Script to Export Settings Catalog from Intune Tenant

This will export all settings catalogues in JSON and CSV format to the output folder location. These JSON and CSV files contain all the configurations and settings code.

  • Launch PowerShell as an administrator.
  • Launch the updated Microsoft Graph API PowerShell script for Settingscatalog_export.
  • PowerShell will prompt you to enter the credentials to authenticate Microsoft Graph (Use Intune Administrator Credentials only)
  • Specify the output folder to save the exported settings catalogue files.
PS C:\IntuneGraphSamples\SettingsCatalog> .\SettingsCatalog_Export_Updated.ps1
Please specify a path to export the policy data to, e.g. C:\IntuneOutput: c:\temp\ExportSettingsCatalog
Path ‘c:\temp\ ExportSettingsCatalog doesn’t exist. Do you want to create this directory? Y or N? y
AllowTemporaryEnterpriseFeatureContro
Export Path: c:\temp\ ExportSettingsCatalog
JSON created in c:\temp\ ExportSettingsCatalog \AllowTemporaryEnterpriseFeatureContro_09-10-2024-20-37-30.json…
SEC-WIN-BITLOCKER-1.0
Found template reference
Export Path: c:\temp\testexport
JSON created in c:\temp\ ExportSettingsCatalog \SEC-WIN-BITLOCKER-1.0_09-10-2024-20-37-31.json…
Bulk Export Intune Settings and Configuration Profiles Using Sample PowerShell Script – Fig. 05

Outcome – Exported Configuration Items

The settings catalog, or any other policy, is exported as a JSON (JavaScript Object Notation) file, a format used in development to transfer data between a server and an application. This JSON file contains the values and strings, such as policy name, description, and settings, that are required to create a specific policy or profile in Intune using the Graph API.

Bulk Export Intune Settings and Configuration Profiles Using Sample PowerShell Script – Fig. 06
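
When the exported JSON files are kept as a backup or handed to another tenant, it helps to record what was exported and to be able to confirm later that no file was altered. The following added example (not part of the original post or of the Microsoft samples) writes a SHA-256 manifest for an export folder and re-checks it. The function names, the manifest file name, the "name", "platforms" and "settings" property names, and the constructed sample files are assumptions for illustration.

```powershell
# Added example: build and verify a hash manifest for a folder of exported policy JSON.
function New-IntuneExportManifest {
    param([Parameter(Mandatory)][string]$ExportPath,
          [string]$ManifestName = 'export-manifest.csv')
    $rows = foreach ($file in Get-ChildItem -Path $ExportPath -Filter '*.json' -File) {
        try {
            $policy = Get-Content -LiteralPath $file.FullName -Raw | ConvertFrom-Json -ErrorAction Stop
        } catch {
            Write-Warning "Skipping $($file.Name): not valid JSON"
            continue
        }
        [pscustomobject]@{
            File         = $file.Name
            PolicyName   = $policy.name
            Platforms    = $policy.platforms
            SettingCount = @($policy.settings | Where-Object { $_ }).Count
            Sha256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }
    }
    $rows | Export-Csv -Path (Join-Path $ExportPath $ManifestName) -NoTypeInformation
    $rows
}

function Test-IntuneExportManifest {
    param([Parameter(Mandatory)][string]$ExportPath,
          [string]$ManifestName = 'export-manifest.csv')
    foreach ($row in Import-Csv -Path (Join-Path $ExportPath $ManifestName)) {
        $path = Join-Path $ExportPath $row.File
        # A file is intact only if it still exists and its hash matches the manifest.
        $intact = (Test-Path -LiteralPath $path) -and
                  ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -eq $row.Sha256)
        [pscustomobject]@{ File = $row.File; PolicyName = $row.PolicyName; Intact = $intact }
    }
}

# Constructed sample export folder so the example runs offline.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'ExportSettingsCatalogDemo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$good = Join-Path $demo 'SEC-WIN-BITLOCKER-1.0_sample.json'
'{"name":"SEC-WIN-BITLOCKER-1.0","platforms":"windows10","settings":[{"id":"0"},{"id":"1"}]}' |
    Set-Content -Path $good
'{ truncated' | Set-Content -Path (Join-Path $demo 'broken_sample.json')

New-IntuneExportManifest -ExportPath $demo | Format-Table -AutoSize
Add-Content -Path $good -Value ' '   # simulate a change made after the export
Test-IntuneExportManifest -ExportPath $demo | Format-Table -AutoSize
```

Keep a copy of the manifest somewhere other than the export folder, since anyone who can edit the JSON files there can also edit a manifest stored beside them.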

I hope this post was beneficial for you. I appreciate your patience in reading this post. Keep supporting the HTMD Community.


Author

Sachin Chauhan is a Microsoft certified professional and Modern device management consultant with over 10 years of experience in Microsoft technologies like MECM, Intune, Windows, Autopilot, Operating system deployments and management, Azure, and PowerShell Automation.
