Export Intune Platform (Windows PowerShell) Scripts

Platform scripts provide the ability to run scripts that configure devices in ways that cannot be accomplished using the built-in configuration settings in Intune. On the Windows platform, PowerShell scripts are executed once per logged-in user, or retried three times if the script fails to execute. However, if the script is updated, it is run again on the targeted devices. More details on PowerShell scripts for Windows are documented here.

While creating a new PowerShell script policy in Intune, the admin uploads the script, configures the run-time settings and assigns it to a user or device group. In a tenant, over a period of time, multiple admins will have created many such PowerShell scripts and deployed them to specific users or devices as required. Without version control in Intune, and with no way for an admin to export the scripts from the admin portal, it is challenging to understand what is configured and what gets executed when new devices are provisioned.

This blog discusses the details of a PowerShell script that leverages the deviceManagementScripts Graph API to download the previously uploaded scripts. Review the minimum permissions required here.

This script can be used to export all PowerShell scripts uploaded in the Intune portal, or a specific one. It takes -FolderPath as a mandatory parameter: the folder to which the scripts are exported. The folder is created if it does not exist on the computer where the script is executed. The script also takes -FileName as an optional parameter, for exporting a particular PowerShell script.

Note: In all my sample scripts, I use delegated permissions. If you want to run the script unattended in an automation tool, modify the script to use a client app registration along with a client secret; see Connect To Microsoft Graph PowerShell With a Client Secret (ourcloudnetwork.com) for details on how to do this.

The script requires the Microsoft Graph PowerShell modules. You can install these using the command below. While the script can check for and install the modules as required, this may take 20 minutes, so I strongly recommend doing it before invoking the script. Refer to the Install the Microsoft Graph PowerShell SDK documentation for more info.

For this script, the Microsoft.Graph.Beta module is not required.

Install-Module Microsoft.Graph

<#
.SYNOPSIS
Get all or individual Intune PowerShell scripts and save them in specified folder.

.DESCRIPTION
The Get-DeviceManagementScripts.ps1 script downloads all or individual PowerShell scripts from Intune to a specified folder.
The script is provided "AS IS" with no warranties.

.PARAMETER FolderPath
The folder where the script(s) are saved.

.PARAMETER FileName
An optional parameter to specify an explicit PowerShell script to download.

.EXAMPLE
Download all Intune PowerShell scripts to the specified folder
.\Get-DeviceManagementScripts.ps1 -FolderPath C:\Temp\IntuneScripts 

.EXAMPLE
Download an individual PowerShell script to the specified folder
.\Get-DeviceManagementScripts.ps1 -FolderPath C:\Temp\IntuneScripts -FileName myScript.ps1

#>

[CmdletBinding()]
Param(
	[Parameter(Mandatory=$true)][String] $FolderPath,
	[Parameter(Mandatory=$false)][String] $FileName
)

#region Download and Import Modules

$mGraph = Get-Module -Name Microsoft.Graph -ListAvailable
if (-not $mGraph)
{
	Write-Host "Installing Module Microsoft.Graph"
	Install-Module Microsoft.Graph
}

<#
$mGraphBeta = Get-Module -Name Microsoft.Graph.Beta -ListAvailable
if (-not $mGraphBeta)
{
	Write-Host "Installing Module Microsoft.Graph.Beta"
	#Install-Module Microsoft.Graph.Beta
}
#>

Write-Host "Importing Modules"
If ($PSVersionTable.PSVersion.Major -ne 7) {
	$MaximumFunctionCount = 16384
}
Import-Module Microsoft.Graph -ErrorAction SilentlyContinue
#Import-Module Microsoft.Graph.Beta -ErrorAction SilentlyContinue

#endregion

#region Connect MgGraph
Write-Host "Connecting to Microsoft Graph"
Connect-MgGraph -Scopes DeviceManagementConfiguration.Read.All

#endregion

#region Get-DeviceManagementScripts

If (!(Test-Path $FolderPath)){
	New-Item -Path $FolderPath -ItemType "Directory" -Force
}
# Resolve to a full file-system path so the .NET file API below writes to the intended folder
$FolderPath = (Resolve-Path -LiteralPath $FolderPath).ProviderPath

$graphApiVersion = "beta"
$graphUri = "https://graph.microsoft.com/$graphApiVersion"

# Collect every page of results; Graph returns @odata.nextLink when more pages remain
$Scripts = @()
$nextUri = "$graphUri/deviceManagement/deviceManagementScripts"
while ($nextUri) {
	$page = Invoke-MgGraphRequest -Uri $nextUri -Method GET
	$Scripts += $page.value
	$nextUri = $page.'@odata.nextLink'
}
$Count = $Scripts.count
write-host "Found $Count scripts"
$n = 1
foreach ($script in $scripts){
	$percentage = ($n*100/$count)
	Write-Progress -Activity "Processing $($script.fileName)" -Status "$n out of $count" -PercentComplete $percentage
	# Export every script, or only the one whose file name matches -FileName
	if (-not $FileName -or $script.fileName -eq $FileName){
		# Fetch the full object, including the Base64-encoded scriptContent
		$result = Invoke-MgGraphRequest -Uri "$graphUri/deviceManagement/deviceManagementScripts/$($script.id)" -Method GET
		$ScriptContent = $result.scriptContent
		# Keep only the leaf name so a stored file name cannot place the export outside $FolderPath
		$FilePath = Join-Path $FolderPath ([System.IO.Path]::GetFileName($script.fileName))
		# Write the decoded bytes unchanged; decoding as ASCII would replace non-ASCII characters with '?'
		[System.IO.File]::WriteAllBytes($FilePath, [System.Convert]::FromBase64String($ScriptContent))
	}
	$n++
}
write-host "Export Complete"

#endregion
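
To help answer the question raised earlier (what is configured and what gets executed, with no version control in Intune), the following added example, which is not part of the original script, turns the objects returned by the per-script GET into a reviewable inventory with a SHA-256 content hash. Get-ScriptInventory and the sample object are constructed for illustration; runAsAccount, enforceSignatureCheck and lastModifiedDateTime are properties of the deviceManagementScript resource.

```powershell
# Added example: summarise Intune platform scripts for review and change tracking.
# Get-ScriptInventory is a hypothetical helper name, not part of the original script.
function Get-ScriptInventory {
    [CmdletBinding()]
    param(
        # One object per script, as returned by GET .../deviceManagementScripts/{id}
        [Parameter(Mandatory, ValueFromPipeline)] $InputObject
    )
    begin { $sha256 = [System.Security.Cryptography.SHA256]::Create() }
    process {
        # Hash the decoded bytes, i.e. the script exactly as it was uploaded
        $bytes = [System.Convert]::FromBase64String($InputObject.scriptContent)
        $hash  = [System.BitConverter]::ToString($sha256.ComputeHash($bytes)) -replace '-', ''
        $unsignedSystem = ($InputObject.runAsAccount -eq 'system') -and
                          (-not $InputObject.enforceSignatureCheck)
        [pscustomobject]@{
            DisplayName    = $InputObject.displayName
            FileName       = $InputObject.fileName
            RunAsAccount   = $InputObject.runAsAccount
            SignatureCheck = [bool]$InputObject.enforceSignatureCheck
            LastModified   = $InputObject.lastModifiedDateTime
            Sha256         = $hash
            # Unsigned code running in the SYSTEM context deserves the closest review
            ReviewFirst    = $unsignedSystem
        }
    }
    end { $sha256.Dispose() }
}

# Constructed sample object (not real tenant data)
$sample = @{
    displayName           = 'Sample - configure setting'
    fileName              = 'Set-Sample.ps1'
    runAsAccount          = 'system'
    enforceSignatureCheck = $false
    lastModifiedDateTime  = '2024-01-15T10:00:00Z'
    scriptContent         = [Convert]::ToBase64String(
        [Text.Encoding]::UTF8.GetBytes("Write-Output 'hello'"))
}
$sample | Get-ScriptInventory | Format-List

# With live data, pipe each per-script GET result through the function, for example:
#   $Scripts | ForEach-Object {
#       Invoke-MgGraphRequest -Uri "$graphUri/deviceManagement/deviceManagementScripts/$($_.id)" -Method GET
#   } | Get-ScriptInventory | Export-Csv -Path inventory.csv -NoTypeInformation
```

Committing the resulting CSV alongside the exported scripts gives a history in which a changed Sha256 or LastModified value marks a script that was updated and will therefore run again on the targeted devices.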
