Intune: Export Policies for Comparison

Hey everyone, Theron (aka T-) here, Senior Consultant with Microsoft Consulting Services (MCS), deeply involved in a current project to configure Intune for a customer’s use.

As with many of your customers, mine found themselves in a situation where they needed to get a secure ‘remote’ working solution in place quickly due to the COVID-19 pandemic. This customer is a large US federal agency and typically didn’t support a true telework scenario in the past, but with the closure of their offices, they needed something to allow continuity of business, to some extent.

One of the things we’re working on is using Intune as the MDM for disconnected laptops, and as such Intune policies are in play. However, we ran into issues where several policies were being created, which was causing an issue with managing which settings were in which policies. Typically you can use the Intune portal to discover ‘conflicting’ policies, but that wasn’t sufficient for what we were trying to do…a comparison of policies.

To resolve the issue for the team as quickly as possible, I wrote a PowerShell script that uses the Intune PowerShell SDK to export all of the policies and create CSV files from them.

The script will get all of your policies in Intune and create CSV files based on the ‘Policy Type’, allowing you to quickly see which setting is configured in which policy.

Disclaimer: the output CSV isn’t pretty. The settings are identified by their property names in Azure, not the user-friendly setting names you’d see in the console. For example, the exported ‘edgeBlockPrinting’ Device Restriction policy setting from the spreadsheet relates to the ‘Allow printing’ setting under ‘Microsoft Edge Browser’ in the console.

You’re probably saying “What? No big deal, that setting makes sense and is easy to correlate to the console.” and you’d be right, for that particular setting. It does make sense and is easy to figure out, but if you export and use the CSVs, you’ll find that isn’t the case for everything. So, be patient.
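
To show the kind of per-policy-type comparison described above, here is an added example (not the script linked from this post) that writes one CSV per policy type with a row per setting, a column per policy, and a flag where the policies disagree. The function name, output layout and sample policies are constructed for illustration, and it assumes policy display names are unique within a type.

```powershell
# Added example, not the author's script. Export-PolicyComparison, the CSV
# layout and the sample policies below are constructed for illustration.
function Export-PolicyComparison {
    param(
        [Parameter(Mandatory)] [object[]] $Policy,
        [Parameter(Mandatory)] [string]   $OutDir
    )
    # Metadata properties that are not settings and would only add noise.
    $skip = 'id','displayName','description','version','createdDateTime',
            'lastModifiedDateTime','@odata.type','roleScopeTagIds'
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    foreach ($group in ($Policy | Group-Object -Property { $_.'@odata.type' })) {
        # Union of setting names across every policy of this type.
        $settings = $group.Group |
            ForEach-Object { $_.PSObject.Properties.Name } |
            Where-Object { $_ -notin $skip } | Sort-Object -Unique

        $rows = foreach ($name in $settings) {
            $row = [ordered]@{ Setting = $name }
            $values = foreach ($p in $group.Group) {
                $v = $p.$name
                # Flatten arrays and nested objects so they fit in one CSV cell.
                if ($null -ne $v -and $v -isnot [string] -and $v -isnot [ValueType]) {
                    $v = $v | ConvertTo-Json -Compress -Depth 5
                }
                $row[$p.displayName] = $v   # assumes unique display names
                "$v"
            }
            # Differs = the policies of this type do not agree on this setting.
            $row['Differs'] = @($values | Sort-Object -Unique).Count -gt 1
            [pscustomobject]$row
        }
        $file = ($group.Name -replace '^#microsoft\.graph\.', '') + '.csv'
        $rows | Export-Csv -Path (Join-Path $OutDir $file) -NoTypeInformation
    }
}

# Constructed sample input so the example runs offline; with a live tenant,
# pass the output of Get-IntuneDeviceConfigurationPolicy instead.
$sample = @(
    [pscustomobject]@{ '@odata.type' = '#microsoft.graph.windows10GeneralConfiguration'
        displayName = 'Baseline-A'; edgeBlockPrinting = $true;  passwordRequired = $true }
    [pscustomobject]@{ '@odata.type' = '#microsoft.graph.windows10GeneralConfiguration'
        displayName = 'Baseline-B'; edgeBlockPrinting = $false; passwordRequired = $true }
)
Export-PolicyComparison -Policy $sample -OutDir (Join-Path $PWD 'IntuneExport')
```

Filtering the resulting CSV on the Differs column lists the settings where two policies of the same type assign different values, which is where a device targeted by both would see a conflict.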

As with any scripts I write, they’re generally done to fulfill a need I had at the time and may not be the ‘best’ way of doing something, but worked for me and the situation. Feedback is encouraged and always appreciated.

You can get the script here.

Final note, this is configured to use Azure Gov. If you want to use it in your commercial tenant, change the first command to use:

Update-MSGraphEnvironment -AuthUrl 'https://login.microsoftonline.com/common' -GraphBaseUrl 'https://graph.microsoft.com' -GraphResourceId 'https://graph.microsoft.com' -SchemaVersion 'beta'

Stay safe and Roll Tide!

T-