Intune ADMX templates are now in public preview; for the details, please read Maurice Daly’s post "Configure ADMX settings with Microsoft Intune Administrative Templates". I have tested 151 settings in my test tenant and want to import them into another tenant. But wait... there is no export or import button (at this moment). So I thought of using the Graph API and PowerShell.
I don’t cover the basics of Intune Graph in this post. If this is your first time using the Intune Graph API, please take a look at Dave Falkus’s PowerShell Intune Samples and the Intune PowerShell SDK.
Many thanks to Ben Reader (@powers_hell) and Steven Hosking (@OnPremCloudGuy), who contributed to making these scripts work on complex policies.
TL;DR
If you don’t want to read this long post and just want to run the export and import scripts, you can find them in my GitHub: https://github.com/sandytsang/MSIntune/tree/master/Intune-PowerShell/DeviceConfiguration
How to use these scripts
1. Important: Please check that you don’t have any ADMX template profiles with the same name; if there are, please rename them.
2. Run DeviceConfigurationADMX_Export.ps1
3. Enter your Azure AD credentials for tenant A
4. Enter the export folder name
5. (Optional) Delete the profile folders you don’t wish to import, and rename a folder if you want to change the ADMX template profile name
6. Open another PowerShell command window
7. Run DeviceConfigurationADMX_Import_FromJSON.ps1
8. Enter your Azure AD credentials for tenant B
9. Enter the same folder as the export folder in step 4
You should be able to see that those ADMX template profiles have been created in your tenant.
Now here is the long version of the story
Properties
To start, I needed to find out how to get the ADMX template information. I used the network monitor in my browser’s developer tools (F12) to find the REST URI and request headers used when configuring ADMX template settings, then I tested those requests in Graph Explorer: https://developer.microsoft.com/en-us/graph/graph-explorer
I am using the profile "ADMX – TEST01" as an example, and I have configured two settings in this profile:
- Access data sources across domains is configured as Enabled.
- Allow cut, copy or paste operation from the clipboard via script is configured as Disabled.
When we import an ADMX template profile, we need two or three properties, depending on whether a setting is configured as Disabled or Enabled:
- Each ADMX policy setting has its own definition id.
- If the setting is configured as Enabled and has more options to choose from, we need the presentation id; it represents the text box "*Access data sources across domains".
- We need the presentation value property to define which option we use for Enabled, for example Prompt, Enable or Disable, or anything else.
Export settings
We will use Graph Explorer to find all the properties that we need.
- List all configured ADMX template profiles
GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/
- Let’s take the profile "ADMX – TEST01" as an example. The id of this profile in the response is 5133abf8-1026-48e7-a59c-0704fb2a9d04, so let’s get the details of this profile only
GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04
- List which ADMX policy settings are configured
GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04/definitionValues
- Now that we have the policy configuration id, we can list how the setting has been configured; from this we get the Value property
GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04/definitionValues/ce9ec73d-6031-4cde-bcbe-900b2b5ca8b4/presentationValues
If the setting has been configured as Enabled, you will get a response with value results.
We only need the @odata.type and value properties; we don’t need lastModifiedDateTime, createdDateTime and id. If the setting is configured as Disabled, the presentation values response is empty.
NOTE: The presentation value can also be empty for settings that have only Disabled or Enabled options, for example "Allow printers to be published".
- If the presentation value is not empty, we continue and get the presentation id of this setting
GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04/definitionValues/ce9ec73d-6031-4cde-bcbe-900b2b5ca8b4/presentationValues?$expand=presentation
- Now we also need the definition id of this ADMX setting, and we also get the displayName of the setting
GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04/definitionValues/ce9ec73d-6031-4cde-bcbe-900b2b5ca8b4/definition
Now that we have everything we need, this is the exported JSON file produced by my PowerShell script.
{
  "enabled": true,
  "presentationValues": [
    {
      "@odata.type": "#microsoft.graph.groupPolicyPresentationValueText",
      "value": "1",
      "presentation@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('128b67df-30bf-4f5f-80c4-83c60163db05')/presentations('2ec9cd40-8ac8-4c6d-a547-7fda619491b8')"
    }
  ],
  "definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('128b67df-30bf-4f5f-80c4-83c60163db05')"
}
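The export walk described above, chained together as an added example (this is not the author's DeviceConfigurationADMX_Export.ps1). It assumes a Graph bearer token for tenant A is already in the hypothetical environment variable `GRAPH_TOKEN`; the folder name, the helper `Get-GraphCollection` and the choice to drop read-only fields rather than pick `value` by name are also assumptions of this example.

```powershell
# Added example. Assumptions: $env:GRAPH_TOKEN holds a Graph bearer token for tenant A
# (hypothetical variable; acquiring the token is out of scope); $ExportRoot is your choice.
$ExportRoot = '.\ADMXExport'
$Base       = 'https://graph.microsoft.com/beta/deviceManagement'
$Headers    = @{ Authorization = "Bearer $env:GRAPH_TOKEN" }
$BadChars   = '[\\/:*?"<>|]'    # characters not allowed in Windows file names

function Get-GraphCollection([string]$Uri) {
    # Follow @odata.nextLink so a profile with many settings is not silently truncated
    while ($Uri) {
        $page = Invoke-RestMethod -Uri $Uri -Headers $Headers -Method Get
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

foreach ($config in Get-GraphCollection "$Base/groupPolicyConfigurations") {
    $folder = Join-Path $ExportRoot ($config.displayName -replace $BadChars, '_')
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    $dvUri = "$Base/groupPolicyConfigurations/$($config.id)/definitionValues"

    foreach ($dv in Get-GraphCollection $dvUri) {
        $def     = Invoke-RestMethod -Uri "$dvUri/$($dv.id)/definition" -Headers $Headers
        $defBind = "$Base/groupPolicyDefinitions('$($def.id)')"
        $body    = [ordered]@{ enabled = $dv.enabled }

        # Empty for Disabled settings and for settings that only have Enabled/Disabled
        $pvs = @(Get-GraphCollection "$dvUri/$($dv.id)/presentationValues?`$expand=presentation")
        if ($pvs.Count -gt 0) {
            $body['presentationValues'] = @(foreach ($pv in $pvs) {
                # Keep @odata.type and the value; drop the read-only id and timestamps
                $item = $pv | Select-Object -Property * -ExcludeProperty `
                    id, createdDateTime, lastModifiedDateTime, 'presentation*'
                $item | Add-Member -NotePropertyName 'presentation@odata.bind' `
                    -NotePropertyValue "$defBind/presentations('$($pv.presentation.id)')"
                $item
            })
        }
        $body['definition@odata.bind'] = $defBind

        $name = "$($def.displayName)_$($dv.id).json" -replace $BadChars, '_'
        $body | ConvertTo-Json -Depth 10 | Set-Content -Path (Join-Path $folder $name) -Encoding UTF8
    }
}
```

The exported files describe your policy baseline, and the token grants device-management access, so keep both out of shared folders and source control.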
Import settings
- Create new ADMX profile policy
POST https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations
Request body:
{
  "description": "",
  "displayName": "ADMX - Test02"
}
- Now we have the id of the new policy configuration we just created
- Create/Import the settings
POST https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations/2fd791ad-af52-44ba-9da6-de122c8cda8b/definitionValues
For the request body, we copy the contents of the JSON file we exported earlier.
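The two import calls above, as an added example (this is not the author's DeviceConfigurationADMX_Import_FromJSON.ps1). It assumes a Graph bearer token for tenant B in the hypothetical environment variable `GRAPH_TOKEN` and an export folder with one sub-folder per profile and one JSON request body per setting; the duplicate-name check, the bind-URL check and the helper `Send-GraphJson` are additions of this example.

```powershell
# Added example. Assumptions: $env:GRAPH_TOKEN holds a Graph bearer token for tenant B
# (hypothetical variable); $ExportRoot has one sub-folder per profile, one JSON file per setting.
$ExportRoot = '.\ADMXExport'
$Base       = 'https://graph.microsoft.com/beta/deviceManagement'
$Headers    = @{ Authorization = "Bearer $env:GRAPH_TOKEN" }

function Send-GraphJson([string]$Uri, [string]$Json) {
    # Send UTF-8 bytes so non-ASCII profile names survive on Windows PowerShell 5.1
    Invoke-RestMethod -Method Post -Uri $Uri -Headers $Headers `
        -ContentType 'application/json; charset=utf-8' `
        -Body ([System.Text.Encoding]::UTF8.GetBytes($Json))
}

# Profile names must be unique in the target tenant (first page of results only;
# follow @odata.nextLink in a tenant with many profiles)
$existing = (Invoke-RestMethod -Uri "$Base/groupPolicyConfigurations" -Headers $Headers).value.displayName

foreach ($folder in Get-ChildItem -Path $ExportRoot -Directory) {
    if ($existing -contains $folder.Name) {
        Write-Warning "Profile '$($folder.Name)' already exists in this tenant, skipping"
        continue
    }
    # Parse and check every file before creating anything, so a damaged or edited
    # file cannot leave a half-imported profile behind
    $bodies = @(foreach ($file in Get-ChildItem -Path $folder.FullName -Filter *.json) {
        $json = Get-Content -Path $file.FullName -Raw -Encoding UTF8
        $obj  = $json | ConvertFrom-Json
        if ($obj.'definition@odata.bind' -notlike "$Base/groupPolicyDefinitions('*')") {
            throw "$($file.Name): unexpected definition@odata.bind value"
        }
        $json
    })

    # Step 1: create the empty profile and keep its id
    $new = Send-GraphJson "$Base/groupPolicyConfigurations" `
        (@{ displayName = $folder.Name; description = '' } | ConvertTo-Json)

    # Step 2: post each exported setting to the new profile's definitionValues
    foreach ($json in $bodies) {
        Send-GraphJson "$Base/groupPolicyConfigurations/$($new.id)/definitionValues" $json | Out-Null
    }
}
```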
Enjoy testing! If you find settings that don’t work with my script, please leave a comment and describe which setting and what configuration. Thanks!
Thank you Sandy, after hours of searching your solution fixed my problem! Thank you so much.
Really helpful Sandy, thank you very much
I needed to duplicate all the profiles in the tenant, so was easy to export all, rename the folder then import again, job done.
Looking forward to more nice work from you.
Mahmoud
Thank you Mahmoud for your kind words. Regards, Sandy
This is extremely useful, thank you! However, the import does not take into account Scope Tags. That would be easy to resolve by adding "roleScopeTagIds":["$ScopeId"] to the $jsonCode block, provided $ScopeId is determined somewhere else in the script. When testing, I did not have access to https://graph.microsoft.com/beta/deviceManagement/roleAssignments. DeviceManagementRBAC.Read.All, DeviceManagementRBAC.ReadWrite.All are required for that. As such, I just input the ID I know it to be for the environment I expect.
Thanks for your input!
Thanks, just what I needed!
Thanks for the great blog and script! Think many will benefit.
Thanks, I have updated the script today, found a bug myself. 🙂