VIEW AND EXPORT YOUR INTUNE DEVICE MANAGEMENT SCRIPTS USING THE MICROSOFT GRAPH POWERSHELL SDK

INTRODUCTION.. If you’re familiar with Intune, you’re likely aware of its capability to deploy platform or PowerShell scripts to your endpoint devices. Unfortunately, once you upload your script to the portal, there is (at the time of writing this) no easy way to view the script content or download it.

RESOLUTION

To quickly and easily get Intune scripts, I created a function that allows me to export all the scripts from a tenant en masse and view them in the shell or terminal. Sometimes, I am auditing a new tenant and have no need to download the scripts to my local machine; I need to audit the code behind it to get an idea of what is being performed. Additionally, I added some other quality-of-life features that I did not find in other scripts online.

FEATURES

PLATFORM AGNOSTIC

The function will work on PowerShell Core (pwsh) and Windows PowerShell. Allowing you to run this on MacOS, Linux, and Windows without issues.

PAGINATION

There are a lot of other scripts that have very similar functionality out there. One thing I noticed with most of them is that they have no logic to account for pagination. I believe that there are two possible reasons for this:

1. By default, a single request may return a maximum of 100 items. So, if you have over 100 scripts in your Intune tenant, you must perform multiple API calls to gather them all. Many companies may never see 100 scripts in their tenant, so there is no reason to build in pagination logic.

2. Other SDK cmdlets perform pagination for you automatically, so there is no reason to think about it. Get-MgUser and Get-MgGroup has the parameter, “All” which gets all results for you automatically.

However, the SDK does not have a built-in cmdlet to get Device Configuration scripts, so we must use Invoke-MGGraphRequest which does not handle pagination on its own.

DIRECTORY VERIFICATION

Another feature I wanted to add was ensuring the directory where you specified to have the scripts exported was present. If it weren’t, it would create it automatically instead of just throwing an error.

QUICK VIEW

The last feature was the ability to view the scripts within the shell quickly. Sometimes, I do not need to export the script to my local machine but may need to view its contents quickly to understand what it is doing. In the picture below, you can see that I first view a table of all my Intune scripts, then select the last script and view its contents.

Even if the script spans multiple lines, you can still view it all in the shell.

FOLDER EXPORT

You can also choose to export all of the scripts to a specified directory. Doing so will create a subfolder with the name matching the script within the Intune portal.

HOW TO RUN IT

Note: The function requires you to have Microsoft.Graph.Authentication module, which you can install by running Install-Module -Name Microsoft.Graph.Authentication. The function will check for this module beforehand and attempt to install it if it’s not present.

1. The first step is to download the code from GitHub.

2. Next, copy and paste it into your terminal, dot-slash the script, add it to your PowerShell Profile, or run it in VSCode. For my example, I will just run it in VSCode.

3. Once I have run it so the function is in memory, I can call the function by typing: Get-IntuneDeviceConfigurationScripts

4. Next, I will be asked to authenticate and provide admin consent; you must be signed into the tenant with an account with the appropriate permissions, such as a Global Administrator. The function requires a single permission scope of DeviceManagementConfiguration.Read.All

PARAMETERS

The function has three parameters, two of which contain default values:

1. Uri: Default value is the API endpoint to get device management scripts: https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts

2. Scope: The permission needed to get device management scripts; the default value is DeviceConfiguration.Read.All

The following code will show you your scripts within the console:

3. exportDirectory (optional): The directory path to output the device management scripts

The following code will export all of your scripts to a specific directory. If the directory is not present, it will automatically create it for you as long as it has permission:

AUTHENTICATION ADDITIONAL INFORMATION

Since we are using the PowerShell SDK to access the Mircosoft Graph API, we do not need to make our own service principal, but you may be wondering how we authenticate.

The PowerShell SDK uses the Microsoft Graph Command Line Tools service principal with an AppID of 14d82eec-204b-4c2f-b7e8-296a70dab67e. You can view it in the Azure Portal by going to Entra ID > Enterprise Applications

    You can view all permissions assigned to the service principal in the Permissions section.

      Contact

      Etecnest as your trusted IT and Cloud Service Provider. We are dedicated to delivering innovative solutions that propel your business into the digital future. Whether you are seeking robust IT services, comprehensive cloud solutions, or a tailored combination of both, we are here to meet your unique needs.

      Our Address

      J P Nagar 509 Area Pune 411032

      Email Us

      info@etecnest.com

      Call Us

      +91 7875092767

      Loading
      Your message has been sent. Thank you!