Let’s learn how to retrieve PowerShell scripts that have been added to the Intune portal using Microsoft Graph. This article explores the most straightforward approach to retrieving PowerShell scripts from Intune via Microsoft Graph. The method is efficient, reliable, and easy to execute.
Automation is a crucial consideration for businesses. It can reduce costs, increase efficiency, and save time. By automating repetitive tasks, companies can free their employees to focus on more significant work, such as developing new products or enhancing customer service.
Have you ever used Intune to run scripts for automation or remediation? If yes, have you ever tried to access those scripts again? Unfortunately, the Intune platform does not currently offer the ability to retrieve or download scripts once they have been uploaded to the portal. As a result, users may be unable to obtain copies of scripts they have previously generated or executed using the platform.
By following the instructions outlined in this article, you can successfully retrieve PowerShell scripts from Intune using Microsoft Graph. We encourage you to carefully read and follow each step to ensure that you achieve the desired outcome.
Overview of Microsoft Graph
Microsoft Graph is an API (application programming interface) that provides a single endpoint, https://graph.microsoft.com, for accessing data, intelligence, and insights in the Microsoft cloud, including Microsoft 365, Windows, and Enterprise Mobility + Security.
By using Microsoft Graph, developers can build intelligent applications that leverage the power of Microsoft 365 and other Microsoft services to enhance productivity and collaboration.
Microsoft Graph can be leveraged to create personalized experiences catering to individual users’ unique contexts, thereby increasing their productivity. It offers a robust suite of services for managing user and device identity, access, compliance, security and data access on the following Microsoft cloud services
Deploy a PowerShell Script using Intune
As many of my readers may be new to Intune and may not have deployed any script before, I will provide a comprehensive overview of the process from the ground up. The objective is to create a straightforward script, which will be explained in detail below. If you’re comfortable with deploying scripts using Intune, feel free to scroll down past this section.
I have a PowerShell script that is capable of producing a new folder on the test device. The script can be executed with ease and will automatically create a folder with the specified name in the desired location.
New-Item -Path 'C:\temp\HTMD Test Folder' -ItemType Directory
- Sign in to the Microsoft Intune Admin portal.
- Navigate to Devices > Scripts > Add and select Windows 10 and later. Click Next to go further.
Navigate to the Basics tab and input the Name and Description for the script.
In Script Settings, enter the information below according to the requirement.
|Setting|Description|
|---|---|
|Script location|Browse to the PowerShell script where you placed it; the script must be less than 200 KB.|
|Run the script using the logged-on credentials|Select Yes to run the script with the user's credentials. Otherwise, select No (default); it will run in the system context. The administrator must decide on this setting according to the requirements.|
|Enforce script signature check|Select Yes if the script is signed by a trusted publisher; otherwise, select No if there is no requirement.|
|Run the script in a 64-bit PowerShell host|Select Yes to run the script in a 64-bit PowerShell host on a 64-bit client. Otherwise, select No (default) to run the script in a 32-bit PowerShell host.|

Click Next to continue.
Click Next to display the Scope tags page. Add the Scope tags if you wish and click Next to assign the policy to computers. I will deploy it to the HTMD – Test Computers Group. Also, you can select multiple groups.
On the Review + Add page, carefully review all your defined settings. Once you have confirmed that everything is correct, select Add to implement the changes. You can see the script which you just created in the Devices > Scripts section.
As I mentioned above, the Intune platform does not currently offer the ability to retrieve or download scripts once they have been uploaded to the Intune portal. If you’re interested in learning how to manage Intune tasks using PowerShell, follow my guide below.
Explore the Microsoft Graph and Scripts Detail
Here, I will use Graph Explorer, a handy browser-based tool for running Graph calls. It executes one request at a time and does not support batch commands. The API calls in this article are made with Graph Explorer.
NOTE: You may need to log in to Graph Explorer using your credentials if it's your first time.
You will receive the API output response below once you click the Run query button.
The API call above retrieves all device management script details. However, to obtain more granular information about a specific script, it is imperative to utilize its unique identifier, also known as the ID. The ID serves as a key reference point for accessing additional data pertaining to a particular script. You can locate the ID directly in the web console URL.
The Graph Explorer can also be used to locate the same ID by searching for the script name or deployment. In this example, 4edea87d-c1ff-40ff-a38d-738732c73ba5 is the ID.
Retrieve PowerShell Scripts using Microsoft Graph
We now have sufficient information to retrieve the PowerShell script by using Microsoft Graph. We will use the API GET call below to retrieve the script you deployed above. The ID received from the previous API call will be used to obtain more specific information. Please ensure that you replace the ID with your own.
You will receive the API output response below once you click the Run query button. You can see a scriptContent field in the Response Preview panel.
Awesome! We’re all set to bring back the PowerShell script. The scriptContent is a Base64-encoded value. Let’s decode the scriptContent value by pasting it into an online decoder. You can also use Visual Studio Code to decode a Base64-encoded value. Let’s try it now!
When you click the Decode button, the online decoder provides you with your invisible PowerShell script!
Decode a Base-64 string through PowerShell
It is worth noting that access to the online decoder, being an external website, may be restricted by several organizations. This limitation can potentially hinder the effectiveness of the decoder, making it inaccessible to users who are under such restrictions.
I have developed a PowerShell script to address this issue. The script has been designed to resolve the problem at hand and print the output effectively.
```powershell
# Script: Decodebase64.ps1
# Scope: The code will decode a Base64 Encoded String and print output
# Author: Sujin Nelladath
# $encodedString contains the Base64 encoded string value
$encodedString = "Your Base64 Encoded String"
# Decode the Base64 string
$decodedValue = [System.Convert]::FromBase64String($encodedString)
# Convert the decoded value to a string using UTF8 encoding
$decodedString = [System.Text.Encoding]::UTF8.GetString($decodedValue)
# Print the decoded string
Write-Output $decodedString
```
Please ensure that you replace the $encodedString value with your own. The script first converts the Base64-encoded string into a byte array and then decodes it into a string using the UTF8 encoding scheme.
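The fetch-by-ID and decode steps above can be combined into one local routine, so the script content (which may embed credentials or internal paths) never has to be pasted into an external site. This is an added example, not the author's code: the function name `Export-IntuneScriptContent`, the sample `displayName` and `fileName`, and the output folder are assumptions, and the endpoint shown in the comments is the Graph beta `deviceManagementScripts` resource.

```powershell
# Added example (not the author's code). Decodes scriptContent locally, writes
# the original bytes to disk and reports a SHA-256 hash for auditing.
function Export-IntuneScriptContent {
    param(
        [Parameter(Mandatory)] $ScriptObject,          # deviceManagementScript object from Graph
        [Parameter(Mandatory)] [string] $OutputFolder
    )
    if ([string]::IsNullOrEmpty($ScriptObject.scriptContent)) {
        Write-Warning "scriptContent is empty for $($ScriptObject.id); request the script by its ID."
        return
    }
    # Keep only the leaf name so an unexpected fileName cannot leave $OutputFolder
    $leaf = [System.IO.Path]::GetFileName([string]($ScriptObject.fileName))
    if ([string]::IsNullOrWhiteSpace($leaf)) { $leaf = "$($ScriptObject.id).ps1" }
    $folder = (New-Item -Path $OutputFolder -ItemType Directory -Force).FullName
    $target = Join-Path $folder $leaf
    # Writing raw bytes keeps the BOM, encoding and any signature block intact,
    # which a UTF8 string round-trip would not guarantee
    $bytes = [System.Convert]::FromBase64String($ScriptObject.scriptContent)
    [System.IO.File]::WriteAllBytes($target, $bytes)
    [pscustomobject]@{
        Id          = $ScriptObject.id
        DisplayName = $ScriptObject.displayName
        Path        = $target
        SHA256      = (Get-FileHash -Path $target -Algorithm SHA256).Hash
    }
}

# Constructed sample shaped like the response of
# GET https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/{id}
$sampleText = "New-Item -Path 'C:\temp\HTMD Test Folder' -ItemType Directory"
$sample = [pscustomobject]@{
    id            = '4edea87d-c1ff-40ff-a38d-738732c73ba5'   # ID used in the article
    displayName   = 'HTMD Test Folder script'                # constructed
    fileName      = 'New-HTMDTestFolder.ps1'                 # constructed
    scriptContent = [System.Convert]::ToBase64String(
                        [System.Text.Encoding]::UTF8.GetBytes($sampleText))
}
Export-IntuneScriptContent -ScriptObject $sample -OutputFolder (Join-Path $env:TEMP 'IntuneScripts')

# Live use (assumes the Microsoft.Graph.Authentication module is installed):
# Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All'
# $id = '<your script ID>'
# $s  = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/$id"
# Export-IntuneScriptContent -ScriptObject $s -OutputFolder .\IntuneScripts
```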
Thank you for your patience in reading this post. See you in the next post. Keep supporting the HTMD Community.
About Author – Sujin Nelladath has over ten years of experience in SCCM device management and Automation solutions. He writes and shares his experiences with Microsoft device management technologies, Azure, and PowerShell automation.