copy-intune-policy.ps1
[System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '', Scope='Function', Target='Get-MSGraphAllPages')] <#PSScriptInfo .VERSION 2.0.1 .GUID 0238c6f7-5628-4e82-be48-381741b79a75 .AUTHOR AndrewTaylor .DESCRIPTION Copies any Intune Policy via Microsoft Graph to "Copy of (policy name)". Displays list of policies using GridView to select which to copy .COMPANYNAME .COPYRIGHT GPL .TAGS intune endpoint MEM environment .LICENSEURI https://github.com/andrew-s-taylor/public/blob/main/LICENSE .PROJECTURI https://github.com/andrew-s-taylor/public .ICONURI .EXTERNALMODULEDEPENDENCIES .REQUIREDSCRIPTS .EXTERNALSCRIPTDEPENDENCIES .RELEASENOTES #> <# .SYNOPSIS Copies an Intune Policy .DESCRIPTION Copies any Intune Policy via Microsoft Graph to "Copy of (policy name)". Displays list of policies using GridView to select which to copy .INPUTS None .OUTPUTS Creates a log file in %Temp% .NOTES Version: 2.0.1 Author: Andrew Taylor Twitter: @AndrewTaylor_2 WWW: andrewstaylor.com Creation Date: 03/03/2022 Modified Date: 31/10/2022 Purpose/Change: Initial script development Update: Added support for Admin Templates Update: Changed to Microsoft Graph API from AAD .EXAMPLE N/A #> $version = "2.0.0" $ErrorActionPreference = "Continue" ##Start Logging to %TEMP%\intune.log $date = get-date -format ddMMyyyy Start-Transcript -Path $env:TEMP\intune-$date.log Write-Host "Installing Microsoft Graph modules if required (current user scope)" #Install MS Graph if not available if (Get-Module -ListAvailable -Name Microsoft.Graph) { Write-Host "Microsoft Graph Already Installed" } else { try { Install-Module -Name Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force } catch [Exception] { $_.message exit } } # Load the Graph module Import-Module microsoft.graph.authentication Function Connect-ToGraph { <# .SYNOPSIS Authenticates to the Graph API via the Microsoft.Graph.Authentication module. .DESCRIPTION The Connect-ToGraph cmdlet is a wrapper cmdlet that helps authenticate to the Intune Graph API using the Microsoft.Graph.Authentication module. It leverages an Azure AD app ID and app secret for authentication or user-based auth. .PARAMETER Tenant Specifies the tenant (e.g. contoso.onmicrosoft.com) to which to authenticate. .PARAMETER AppId Specifies the Azure AD app ID (GUID) for the application that will be used to authenticate. .PARAMETER AppSecret Specifies the Azure AD app secret corresponding to the app ID that will be used to authenticate. .PARAMETER Scopes Specifies the user scopes for interactive authentication. .EXAMPLE Connect-ToGraph -TenantId $tenantID -AppId $app -AppSecret $secret -#> [cmdletbinding()] param ( [Parameter(Mandatory = $false)] [string]$Tenant, [Parameter(Mandatory = $false)] [string]$AppId, [Parameter(Mandatory = $false)] [string]$AppSecret, [Parameter(Mandatory = $false)] [string]$scopes ) Process { Import-Module Microsoft.Graph.Authentication $version = (get-module microsoft.graph.authentication | Select-Object -expandproperty Version).major if ($AppId -ne "") { $body = @{ grant_type = "client_credentials"; client_id = $AppId; client_secret = $AppSecret; scope = "https://graph.microsoft.com/.default"; } $response = Invoke-RestMethod -Method Post -Uri https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token -Body $body $accessToken = $response.access_token $accessToken if ($version -eq 2) { write-host "Version 2 module detected" $accesstokenfinal = ConvertTo-SecureString -String $accessToken -AsPlainText -Force } else { write-host "Version 1 Module Detected" Select-MgProfile -Name Beta $accesstokenfinal = $accessToken } $graph = Connect-MgGraph -AccessToken $accesstokenfinal Write-Host "Connected to Intune tenant $TenantId using app-based authentication (Azure AD authentication not supported)" } else { if ($version -eq 2) { write-host "Version 2 module detected" } else { write-host "Version 1 Module Detected" Select-MgProfile -Name Beta } $graph = Connect-MgGraph -scopes $scopes Write-Host "Connected to Intune tenant $($graph.TenantId)" } } } #Connect to Graph Connect-ToGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory, Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All, Policy.ReadWrite.ConditionalAccess, DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, openid, profile, email, offline_access" ############################################################################################################### ###### Add Functions ###### ############################################################################################################### Function Get-ScriptVersion(){ <# .SYNOPSIS This function is used to check if the running script is the latest version .DESCRIPTION This function checks GitHub and compares the 'live' version with the one running .EXAMPLE Get-ScriptVersion Returns a warning and URL if outdated .NOTES NAME: Get-ScriptVersion #> [cmdletbinding()] param ( $liveuri ) $contentheaderraw = (Invoke-WebRequest -Uri $liveuri -Method Get) $contentheader = $contentheaderraw.Content.Split([Environment]::NewLine) $liveversion = (($contentheader | Select-String 'Version:') -replace '[^0-9.]','') | Select-Object -First 1 $currentversion = ((Get-Content -Path $PSCommandPath | Select-String -Pattern "Version: *") -replace '[^0-9.]','') | Select-Object -First 1 if ($liveversion -ne $currentversion) { write-host "Script has been updated, please download the latest version from $liveuri" -ForegroundColor Red } } Get-ScriptVersion -liveuri "https://raw.githubusercontent.com/andrew-s-taylor/public/main/Powershell%20Scripts/Intune/copy-intune-policy.ps1" ############################################################################################################### function Get-MSGraphAllPages { [CmdletBinding( ConfirmImpact = 'Medium', DefaultParameterSetName = 'SearchResult' )] param ( [Parameter(Mandatory = $true, ParameterSetName = 'NextLink', ValueFromPipelineByPropertyName = $true)] [ValidateNotNullOrEmpty()] [Alias('@odata.nextLink')] [string]$NextLink, [Parameter(Mandatory = $true, ParameterSetName = 'SearchResult', ValueFromPipeline = $true)] [ValidateNotNull()] [PSObject]$SearchResult ) begin {} process { if ($PSCmdlet.ParameterSetName -eq 'SearchResult') { # Set the current page to the search result provided $page = $SearchResult # Extract the NextLink $currentNextLink = $page.'@odata.nextLink' # We know this is a wrapper object if it has an "@odata.context" property if (Get-Member -InputObject $page -Name '@odata.context' -Membertype Properties) { $values = $page.value } else { $values = $page } # Output the values if ($values) { $values | Write-Output } } while (-Not ([string]::IsNullOrWhiteSpace($currentNextLink))) { # Make the call to get the next page try { $page = Get-MSGraphNextPage -NextLink $currentNextLink } catch { throw } # Extract the NextLink $currentNextLink = $page.'@odata.nextLink' # Output the items in the page $values = $page.value if ($values) { $values | Write-Output } } } end {} } ############################################################################################################# Function Get-DeviceConfigurationPolicy(){ <# .SYNOPSIS This function is used to get device configuration policies from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any device configuration policies .EXAMPLE Get-DeviceConfigurationPolicy Returns any device configuration policies configured in Intune .NOTES NAME: Get-DeviceConfigurationPolicy #> [cmdletbinding()] param ( $id ) $graphApiVersion = "beta" $DCP_resource = "deviceManagement/deviceConfigurations" try { if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)?`$filter=id eq '$id'" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).value } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host } } ########################################################################################## Function Get-DeviceConfigurationPolicyGP(){ <# .SYNOPSIS This function is used to get device configuration policies from the Graph API REST interface - Group Policies .DESCRIPTION The function connects to the Graph API Interface and gets any device configuration policies .EXAMPLE Get-DeviceConfigurationPolicy Returns any device configuration policies configured in Intune .NOTES NAME: Get-DeviceConfigurationPolicyGP #> [cmdletbinding()] param ( $id ) $graphApiVersion = "beta" $DCP_resource = "deviceManagement/groupPolicyConfigurations" try { if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)?`$filter=id eq '$id'" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).value } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host } } #################################################### Function Get-GroupPolicyConfigurationsDefinitionValues() { <# .SYNOPSIS This function is used to get device configuration policies from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any device configuration policies .EXAMPLE Get-DeviceConfigurationPolicy Returns any device configuration policies configured in Intune .NOTES NAME: Get-GroupPolicyConfigurations #> [cmdletbinding()] Param ( [Parameter(Mandatory = $true)] [string]$GroupPolicyConfigurationID ) $graphApiVersion = "Beta" #$DCP_resource = "deviceManagement/groupPolicyConfigurations/$GroupPolicyConfigurationID/definitionValues?`$filter=enabled eq true" $DCP_resource = "deviceManagement/groupPolicyConfigurations/$GroupPolicyConfigurationID/definitionValues" try { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host break } } #################################################### Function Get-GroupPolicyConfigurationsDefinitionValuesPresentationValues() { <# .SYNOPSIS This function is used to get device configuration policies from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any device configuration policies .EXAMPLE Get-DeviceConfigurationPolicy Returns any device configuration policies configured in Intune .NOTES NAME: Get-GroupPolicyConfigurations #> [cmdletbinding()] Param ( [Parameter(Mandatory = $true)] [string]$GroupPolicyConfigurationID, [string]$GroupPolicyConfigurationsDefinitionValueID ) $graphApiVersion = "Beta" $DCP_resource = "deviceManagement/groupPolicyConfigurations/$GroupPolicyConfigurationID/definitionValues/$GroupPolicyConfigurationsDefinitionValueID/presentationValues" try { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host break } } Function Get-GroupPolicyConfigurationsDefinitionValuesdefinition () { <# .SYNOPSIS This function is used to get device configuration policies from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any device configuration policies .EXAMPLE Get-DeviceConfigurationPolicy Returns any device configuration policies configured in Intune .NOTES NAME: Get-GroupPolicyConfigurations #> [cmdletbinding()] Param ( [Parameter(Mandatory = $true)] [string]$GroupPolicyConfigurationID, [Parameter(Mandatory = $true)] [string]$GroupPolicyConfigurationsDefinitionValueID ) $graphApiVersion = "Beta" $DCP_resource = "deviceManagement/groupPolicyConfigurations/$GroupPolicyConfigurationID/definitionValues/$GroupPolicyConfigurationsDefinitionValueID/definition" try { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" $responseBody = Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host break } $responseBody } Function Get-GroupPolicyDefinitionsPresentations () { <# .SYNOPSIS This function is used to get device configuration policies from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any device configuration policies .EXAMPLE Get-DeviceConfigurationPolicy Returns any device configuration policies configured in Intune .NOTES NAME: Get-GroupPolicyConfigurations #> [cmdletbinding()] Param ( [Parameter(Mandatory = $true)] [string]$groupPolicyDefinitionsID, [Parameter(Mandatory = $true)] [string]$GroupPolicyConfigurationsDefinitionValueID ) $graphApiVersion = "Beta" $DCP_resource = "deviceManagement/groupPolicyConfigurations/$groupPolicyDefinitionsID/definitionValues/$GroupPolicyConfigurationsDefinitionValueID/presentationValues?`$expand=presentation" try { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value.presentation } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host break } } #################################################### ########################################################################################## Function Get-DeviceConfigurationPolicySC(){ <# .SYNOPSIS This function is used to get device configuration policies from the Graph API REST interface - SETTINGS CATALOG .DESCRIPTION The function connects to the Graph API Interface and gets any device configuration policies .EXAMPLE Get-DeviceConfigurationPolicySC Returns any device configuration policies configured in Intune .NOTES NAME: Get-DeviceConfigurationPolicySC #> [cmdletbinding()] param ( $id ) $graphApiVersion = "beta" $DCP_resource = "deviceManagement/configurationPolicies" try { if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)?`$filter=id eq '$id'" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).value } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host } } ################################################################################################ Function Get-DeviceCompliancePolicy(){ <# .SYNOPSIS This function is used to get device compliance policies from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any device compliance policies .EXAMPLE Get-DeviceCompliancepolicy Returns any device compliance policies configured in Intune .NOTES NAME: Get-devicecompliancepolicy #> [cmdletbinding()] param ( $id ) $graphApiVersion = "beta" $DCP_resource = "deviceManagement/deviceCompliancePolicies" try { if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)?`$filter=id eq '$id'" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).value } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host } } ################################################################################################# Function Get-DeviceSecurityPolicy(){ <# .SYNOPSIS This function is used to get device security policies from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any device security policies .EXAMPLE Get-DeviceSecurityPolicy Returns any device compliance policies configured in Intune .NOTES NAME: Get-DeviceSecurityPolicy #> [cmdletbinding()] param ( $id ) $graphApiVersion = "beta" $DCP_resource = "deviceManagement/intents" try { if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)?`$filter=id eq '$id'" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).value } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host } } ################################################################################################# Function Get-ManagedAppProtectionAndroid(){ <# .SYNOPSIS This function is used to get managed app protection configuration from the Graph API REST interface Android .DESCRIPTION The function connects to the Graph API Interface and gets any managed app protection policy Android .EXAMPLE Get-ManagedAppProtectionAndroid .NOTES NAME: Get-ManagedAppProtectionAndroid #> param ( $id ) $graphApiVersion = "Beta" try { $Resource = "deviceAppManagement/androidManagedAppProtections" if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$Resource('$id')" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject) } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$Resource" Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject } } catch { } } ################################################################################################# Function Get-ManagedAppProtectionIOS(){ <# .SYNOPSIS This function is used to get managed app protection configuration from the Graph API REST interface IOS .DESCRIPTION The function connects to the Graph API Interface and gets any managed app protection policy IOS .EXAMPLE Get-ManagedAppProtectionIOS .NOTES NAME: Get-ManagedAppProtectionIOS #> param ( $id ) $graphApiVersion = "Beta" try { $Resource = "deviceAppManagement/iOSManagedAppProtections" if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$Resource('$id')" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject) } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$Resource" Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject } } catch { } } #################################################### Function Get-AutoPilotProfile(){ <# .SYNOPSIS This function is used to get autopilot profiles from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any autopilot profiles .EXAMPLE Get-AutoPilotProfile Returns any autopilot profiles configured in Intune .NOTES NAME: Get-AutoPilotProfile #> [cmdletbinding()] param ( $id ) $graphApiVersion = "beta" $DCP_resource = "deviceManagement/windowsAutopilotDeploymentProfiles" try { if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)?`$filter=id eq '$id'" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).value } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host } } ################################################################################################# Function Get-AutoPilotESP(){ <# .SYNOPSIS This function is used to get autopilot ESP from the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and gets any autopilot ESP .EXAMPLE Get-AutoPilotESP Returns any autopilot ESPs configured in Intune .NOTES NAME: Get-AutoPilotESP #> [cmdletbinding()] param ( $id ) $graphApiVersion = "beta" $DCP_resource = "deviceManagement/deviceEnrollmentConfigurations" try { if($id){ $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)?`$filter=id eq '$id'" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).value } else { $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" (Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value } } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host } } ################################################################################################# Function Get-DecryptedDeviceConfigurationPolicy(){ <# .SYNOPSIS This function is used to decrypt device configuration policies from an json array with the use of the Graph API REST interface .DESCRIPTION The function connects to the Graph API Interface and decrypt Windows custom device configuration policies that is encrypted .EXAMPLE Decrypt-DeviceConfigurationPolicy -dcps $DCPs Returns any device configuration policies configured in Intune in clear text without encryption .NOTES NAME: Decrypt-DeviceConfigurationPolicy #> [cmdletbinding()] param ( $dcpid ) $graphApiVersion = "Beta" $DCP_resource = "deviceManagement/deviceConfigurations" $dcp = Get-DeviceConfigurationPolicy -id $dcpid if ($dcp.'@odata.type' -eq "#microsoft.graph.windows10CustomConfiguration") { # Convert policy of type windows10CustomConfiguration foreach ($omaSetting in $dcp.omaSettings) { try { if ($omaSetting.isEncrypted -eq $true) { $DCP_resource_function = "$($DCP_resource)/$($dcp.id)/getOmaSettingPlainTextValue(secretReferenceValueId='$($omaSetting.secretReferenceValueId)')" $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource_function)" $value = ((Invoke-MgGraphRequest -Uri $uri -Method Get -OutputType PSObject).Value) #Remove any unnecessary properties $omaSetting.PsObject.Properties.Remove("isEncrypted") $omaSetting.PsObject.Properties.Remove("secretReferenceValueId") $omaSetting.value = $value } } catch { $ex = $_.Exception $errorResponse = $ex.Response.GetResponseStream() $reader = New-Object System.IO.StreamReader($errorResponse) $reader.BaseStream.Position = 0 $reader.DiscardBufferedData() $responseBody = $reader.ReadToEnd(); Write-Host "Response content:`n$responseBody" -f Red Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" write-host break } } } $dcp } ################################################################################################# function addpolicy() { <# .SYNOPSIS This function is used to add a new device policy by copying an existing policy, manipulating the JSON and then adding via Graph .DESCRIPTION The function grabs an existing policy, decrypts if requires, renames, removes any GUIDs and then re-adds with the new name .EXAMPLE addpolicy -policy $policy -name $name .NOTES NAME: Get-AddPolicy #> param ( $resource, $policyid ) write-host $resource $graphApiVersion = "beta" switch ($resource) { "deviceManagement/deviceConfigurations" { $uri = "https://graph.microsoft.com/$graphApiVersion/$Resource" $policy = Get-DecryptedDeviceConfigurationPolicy -dcpid $id $oldname = $policy.displayName $newname = "Copy Of " + $oldname $policy.displayName = $newname # Set SupportsScopeTags to $false, because $true currently returns an HTTP Status 400 Bad Request error. if ($policy.supportsScopeTags) { $policy.supportsScopeTags = $false } $policy.PSObject.Properties | Foreach-Object { if ($null -ne $_.Value) { if ($_.Value.GetType().Name -eq "DateTime") { $_.Value = (Get-Date -Date $_.Value -Format s) + "Z" } } } } "deviceManagement/groupPolicyConfigurations" { $uri = "https://graph.microsoft.com/$graphApiVersion/$Resource" $policy = Get-DeviceConfigurationPolicyGP -id $id $oldname = $policy.DisplayName $newname = "Copy Of " + $oldname $policy.displayName = $newname # Set SupportsScopeTags to $false, because $true currently returns an HTTP Status 400 Bad Request error. if ($policy.supportsScopeTags) { $policy.supportsScopeTags = $false } $policy.PSObject.Properties | Foreach-Object { if ($null -ne $_.Value) { if ($_.Value.GetType().Name -eq "DateTime") { $_.Value = (Get-Date -Date $_.Value -Format s) + "Z" } } } } "deviceManagement/configurationPolicies" { $uri = "https://graph.microsoft.com/$graphApiVersion/$Resource" $policy = Get-DeviceConfigurationPolicysc -id $id $policy | Add-Member -MemberType NoteProperty -Name 'settings' -Value @() -Force $settings = Invoke-MSGraphRequest -HttpMethod GET -Url "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$id/settings" | Get-MSGraphAllPages if ($settings -isnot [System.Array]) { $policy.Settings = @($settings) } else { $policy.Settings = $settings } # $oldname = $policy.Name $newname = "Copy Of " + $oldname $policy.Name = $newname } "deviceManagement/deviceCompliancePolicies" { $uri = "https://graph.microsoft.com/$graphApiVersion/$Resource" $policy = Get-DeviceCompliancePolicy -id $id $oldname = $policy.DisplayName $newname = "Copy Of " + $oldname $policy.DisplayName = $newname $scheduledActionsForRule = @( @{ ruleName = "PasswordRequired" scheduledActionConfigurations = @( @{ actionType = "block" gracePeriodHours = 0 notificationTemplateId = "" } ) } ) $policy | Add-Member -NotePropertyName scheduledActionsForRule -NotePropertyValue $scheduledActionsForRule } "deviceManagement/intents" { $policy = Get-DeviceSecurityPolicy -id $id $templateid = $policy.templateID $uri = "https://graph.microsoft.com/beta/deviceManagement/templates/$templateId/createInstance" $template = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/deviceManagement/templates/$templateid" -Method Get -OutputType PSObject $templateCategory = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/deviceManagement/templates/$templateid/categories" -Method Get -OutputType PSObject | Get-MSGraphAllPages $intentSettingsDelta = (Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/deviceManagement/intents/$id/categories/$($templateCategory.id)/settings" -Method Get -OutputType PSObject).value $oldname = $policy.displayName $newname = "Copy Of " + $oldname $policy = @{ "displayName" = $newname "description" = $policy.description "settingsDelta" = $intentSettingsDelta "roleScopeTagIds" = $policy.roleScopeTagIds } $policy | Add-Member -NotePropertyName displayName -NotePropertyValue $newname } "deviceManagement/windowsAutopilotDeploymentProfiles" { $uri = "https://graph.microsoft.com/$graphApiVersion/$Resource" $policy = Get-AutoPilotProfile -id $id $oldname = $policy.displayName $newname = "Copy Of " + $oldname $policy.displayName = $newname } "deviceManagement/deviceEnrollmentConfigurations" { $uri = "https://graph.microsoft.com/$graphApiVersion/$Resource" $policy = Get-AutoPilotESP -id $id $oldname = $policy.displayName $newname = "Copy Of " + $oldname $policy.displayName = $newname } "deviceAppManagement/managedAppPoliciesandroid" { $uri = "https://graph.microsoft.com/$graphApiVersion/deviceAppManagement/managedAppPolicies" $policy = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/$graphApiVersion/deviceAppManagement/managedAppPolicies('$id')" -Method Get -OutputType PSObject $oldname = $policy.displayName $newname = "Copy Of " + $oldname $policy.displayName = $newname # Set SupportsScopeTags to $false, because $true currently returns an HTTP Status 400 Bad Request error. if ($policy.supportsScopeTags) { $policy.supportsScopeTags = $false } $policy.PSObject.Properties | Foreach-Object { if ($null -ne $_.Value) { if ($_.Value.GetType().Name -eq "DateTime") { $_.Value = (Get-Date -Date $_.Value -Format s) + "Z" } } } } "deviceAppManagement/managedAppPoliciesios" { $uri = "https://graph.microsoft.com/$graphApiVersion/deviceAppManagement/managedAppPolicies" $policy = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/$graphApiVersion/deviceAppManagement/managedAppPolicies('$id')" -Method Get -OutputType PSObject $oldname = $policy.displayName $newname = "Copy Of " + $oldname $policy.displayName = $newname # Set SupportsScopeTags to $false, because $true currently returns an HTTP Status 400 Bad Request error. if ($policy.supportsScopeTags) { $policy.supportsScopeTags = $false } $policy.PSObject.Properties | Foreach-Object { if ($null -ne $_.Value) { if ($_.Value.GetType().Name -eq "DateTime") { $_.Value = (Get-Date -Date $_.Value -Format s) + "Z" } } } } } # Remove any GUIDs or dates/times to allow Intune to regenerate $policy = $policy | Select-Object * -ExcludeProperty id, createdDateTime, LastmodifieddateTime, version, creationSource | ConvertTo-Json -Depth 100 try { # Add the policy $body = ([System.Text.Encoding]::UTF8.GetBytes($policy.tostring())) Invoke-MgGraphRequest -Uri $uri -Method Post -Body $body -ContentType "application/json; charset=utf-8" #invoke-MSGraphRequest -Url $uri -HttpMethod POST -Content $body } catch { Write-Error $_.Exception } } ############################################################################################################### ###### Grab the Profiles ###### ############################################################################################################### ##Get Config Policies $configuration = Get-DeviceConfigurationPolicy | Select-Object ID, DisplayName, Description ##Get Admin Template Policies $configuration += Get-DeviceConfigurationPolicyGP | Select-Object ID, DisplayName, Description ##Get Settings Catalog Policies $configuration += Get-DeviceConfigurationPolicySC | Select-Object ID, @{N='DisplayName';E={$_.Name}}, Description ##Get Compliance Policies $configuration += Get-DeviceCompliancePolicy | Select-Object ID, DisplayName, Description ##Get Security Policies $configuration += Get-DeviceSecurityPolicy | Select-Object ID, DisplayName, Description ##Get Autopilot Profiles $configuration += Get-AutoPilotProfile | Select-Object ID, DisplayName, Description ##Get Autopilot ESP $configuration += Get-AutoPilotESP | Select-Object ID, DisplayName, Description ##Get App Protection Policies #Android $androidapp = Get-ManagedAppProtectionAndroid | Select-Object -expandproperty Value $configuration += $androidapp | Select-Object ID, DisplayName, Description #IOS $iosapp = Get-ManagedAppProtectionios | Select-Object -expandproperty Value $configuration += $iosapp | Select-Object ID, DisplayName, Description $configuration | Out-GridView -PassThru | ForEach-Object { ##Find out what it is $id = $_.ID write-host $id $policy = Get-DeviceConfigurationPolicy -id $id $gp = Get-DeviceConfigurationPolicyGP -id $id $catalog = Get-DeviceConfigurationPolicysc -id $id $compliance = Get-DeviceCompliancePolicy -id $id $security = Get-DeviceSecurityPolicy -id $id $autopilot = Get-AutoPilotProfile -id $id $esp = Get-AutoPilotESP -id $id $android = Get-ManagedAppProtectionAndroid -id $id $ios = Get-ManagedAppProtectionios -id $id # Copy it if ($null -ne $policy) { # Standard Device Configuratio Policy write-host "It's a policy" $id = $policy.id $Resource = "deviceManagement/deviceConfigurations" $copypolicy = addpolicy -resource $Resource -policyid $id } if ($null -ne $gp) { # Standard Device Configuratio Policy write-host "It's an Admin Template" $id = $gp.id $Resource = "deviceManagement/groupPolicyConfigurations" $copypolicy = addpolicy -resource $Resource -policyid $id ##Now grab the JSON $GroupPolicyConfigurationsDefinitionValues = Get-GroupPolicyConfigurationsDefinitionValues -GroupPolicyConfigurationID $id $OutDefjson = @() foreach ($GroupPolicyConfigurationsDefinitionValue in $GroupPolicyConfigurationsDefinitionValues) { $GroupPolicyConfigurationsDefinitionValue $DefinitionValuedefinition = Get-GroupPolicyConfigurationsDefinitionValuesdefinition -GroupPolicyConfigurationID $id -GroupPolicyConfigurationsDefinitionValueID $GroupPolicyConfigurationsDefinitionValue.id $DefinitionValuedefinitionID = $DefinitionValuedefinition.id $DefinitionValuedefinitionDisplayName = $DefinitionValuedefinition.displayName $GroupPolicyDefinitionsPresentations = Get-GroupPolicyDefinitionsPresentations -groupPolicyDefinitionsID $id -GroupPolicyConfigurationsDefinitionValueID $GroupPolicyConfigurationsDefinitionValue.id $DefinitionValuePresentationValues = Get-GroupPolicyConfigurationsDefinitionValuesPresentationValues -GroupPolicyConfigurationID $id -GroupPolicyConfigurationsDefinitionValueID $GroupPolicyConfigurationsDefinitionValue.id $OutDef = New-Object -TypeName PSCustomObject $OutDef | Add-Member -MemberType NoteProperty -Name "definition@odata.bind" -Value "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('$definitionValuedefinitionID')" $OutDef | Add-Member -MemberType NoteProperty -Name "enabled" -value $($GroupPolicyConfigurationsDefinitionValue.enabled.tostring().tolower()) if ($DefinitionValuePresentationValues) { $i = 0 $PresValues = @() foreach ($Pres in $DefinitionValuePresentationValues) { $P = $pres | Select-Object -Property * -ExcludeProperty id, createdDateTime, lastModifiedDateTime, version $GPDPID = $groupPolicyDefinitionsPresentations[$i].id $P | Add-Member -MemberType NoteProperty -Name "presentation@odata.bind" -Value "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('$definitionValuedefinitionID')/presentations('$GPDPID')" $PresValues += $P $i++ } $OutDef | Add-Member -MemberType NoteProperty -Name "presentationValues" -Value $PresValues } $OutDefjson += ($OutDef | ConvertTo-Json -Depth 10).replace("\u0027","'") foreach ($json in $OutDefjson) { $graphApiVersion = "beta" $policyid = $copypolicy.id $DCP_resource = "deviceManagement/groupPolicyConfigurations/$($policyid)/definitionValues" $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" $ProgressPreference = 'SilentlyContinue' $apply = Invoke-MgGraphRequest -Uri $uri -Method Post -Body $json -ContentType "application/json" $ProgressPreference = 'Continue' } } } if ($null -ne $catalog) { # Settings Catalog Policy write-host "It's a Settings Catalog" $id = $catalog.id $Resource = "deviceManagement/configurationPolicies" $copypolicy = addpolicy -resource $Resource -policyid $id } if ($null -ne $compliance) { # Compliance Policy write-host "It's a Compliance Policy" $id = $compliance.id $Resource = "deviceManagement/deviceCompliancePolicies" $copypolicy = addpolicy -resource $Resource -policyid $id } if ($null -ne $security) { # Security Policy write-host "It's a Security Policy" $id = $security.id $Resource = "deviceManagement/intents" $copypolicy = addpolicy -resource $Resource -policyid $id } if ($null -ne $autopilot) { # Autopilot Profile write-host "It's an Autopilot Profile" $id = $autopilot.id $Resource = "deviceManagement/windowsAutopilotDeploymentProfiles" $copypolicy = addpolicy -resource $Resource -policyid $id } if ($null -ne $esp) { # Autopilot ESP write-host "It's an AutoPilot ESP" $id = $esp.id $Resource = "deviceManagement/deviceEnrollmentConfigurations" $copypolicy = addpolicy -resource $Resource -policyid $id } if ($null -ne $android) { # Android App Protection write-host "It's an Android App Protection Policy" $id = $android.id $Resource = "deviceAppManagement/managedAppPoliciesandroid" $copypolicy = addpolicy -resource $Resource -policyid $id } if ($null -ne $ios) { # iOS App Protection write-host "It's an iOS App Protection Policy" $id = $ios.id $Resource = "deviceAppManagement/managedAppPoliciesios" $copypolicy = addpolicy -resource $Resource -policyid $id } } Stop-Transcript |