MSEndpointMgr
Home » Microsoft Endpoint Manager » Intune » Intune Graph API » Use Intune Graph API export and import Intune ADMX templates

Use Intune Graph API export and import Intune ADMX templates

Intune ADMX template is now in public preview, please read about the details from Maurice Daly’s post Configure ADMX settings with Microsoft Intune Administrative Templates ,  I have tested 151 settings in my test tenant and want import them to another tenant. But wait.. there is no export or import button? (in this moment). So I think of use Graph API and PowerShell.

I don’t cover the basic of Intune Graph in this post, if this is first time you use Intune Graph API, please take a look Dave Falkus’s PowerShell Intune Samples and Intune PowerShell SDK

And very much thanks for Ben Reader (@powers_hell) and Steven Hosking (@OnPremCloudGuy) who contributed make these scripts work on complex policies.

TL;DR

If you don’t want read this long post and just want to run export and import script, you can find them in my GitHub: https://github.com/sandytsang/MSIntune/tree/master/Intune-PowerShell/DeviceConfiguration

How to use these scripts

  1. Important: Please check you don’t have any ADMX template profiles have same name, if there is please change them.
  2. Run DeviceConfigurationADMX_Export.ps1
  3. Input your Azure AD credentials of tenant A
  4. Input export folder name, you should get results like this

  5. (Optional) Delete those profile folders if you don’t wish to import them, and change folder name if want to change ADMX template profile name
  6. Open another PowerShell command window
  7. Run DeviceConfigurationADMX_Import_FromJSON.ps1
  8. Input your Azure AD credential of tenant B
  9. Input the same folder as export folder in step 4

    You should able to see those ADMX template profiles are created in your tenant.

Now here is a long version of the story

Properties

For start, I need to find out how to get those ADMX templates information, I use my browser developer tool (F12) network monitor to find out what is REST URI and request header when configure ADMX template settings, then I test those commands in Graph Explorer https://developer.microsoft.com/en-us/graph/graph-explorer

I am using this ADMX – TEST01 as example, and I have configured two settings in this profile:

  • Access data sources across domains is configured as Enabled.
  • Allow cut, copy or paste operation from the clipboard via script is configured as Disabled

When we import ADMX template profile, we need two or three properties, depends if configured as Disable or Enabled

  1. Each single ADMX policy setting has it’s own definition id.
  2. If configured as Enabled and has more options to choose, we will need presentation ID, it presents text box ” *Access data sources across domains”
  3. We need presentation Value property to define which settings we use for Enabled, example Prompt or Enable or Disable, or anything else.

     

Export settings

We will use Graph Explorer to find all those properties that we will need.

  • List all configured ADMX Templates profiles
    GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/

  • Let’s take this profile “ADMX – TEST01” for example, response of this profile id is 5133abf8-1026-48e7-a59c-0704fb2a9d04 , let’s get only details of this profile
    GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04

  • List what ADMX policy settings are configured
    GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04/definitionValues
  • Now that we have policy configuration id, we can list what setting has configured, from this we get the Value property
    GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04/definitionValues/ce9ec73d-6031-4cde-bcbe-900b2b5ca8b4/presentationValues
    If setting has configured as Enabled , you will get response with value results.
    We only need @odata.type and value properties, we don’t need lastModifiedDataTime, createdDateTime and id.

     

    If this setting is configured as disabled, presentation Values response result is empty.

NOTE: Presentation Value can be also empty for those settings that have only disable or enable options, example “Allow printers to be published”

  • If Presentation Value is not empty, we continue get presentation id of this setting
    GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04/definitionValues/ce9ec73d-6031-4cde-bcbe-900b2b5ca8b4/presentationValues?$expand=presentation
  • Now we also need this ADMX setting definition id, and we also get displayName of the setting
    GET https://graph.microsoft.com/Beta/deviceManagement/groupPolicyConfigurations/5133abf8-1026-48e7-a59c-0704fb2a9d04/definitionValues/ce9ec73d-6031-4cde-bcbe-900b2b5ca8b4//definition

    Now that we have everything we need, this is exported json file when using my PowerShell script.

    {
       "enabled":true,
       "presentationValues":[  
          {  
             
        "@odata.type":  "#microsoft.graph.groupPolicyPresentationValueText",
        "value":  "1"
    ,
             "[email protected]":"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('128b67df-30bf-4f5f-80c4-83c60163db05')/presentations('2ec9cd40-8ac8-4c6d-a547-7fda619491b8')"
          }
       ],
       "[email protected]":"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('128b67df-30bf-4f5f-80c4-83c60163db05')"
    }
    

Import settings

  • Create new ADMX profile policy
    POST https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations
    Request body:

    {
      "description": "",
      "displayName": "ADMX - Test02"
    }

  • Now we got the id of the new policy configuration we just created
  • Create/Import the settings
    POST https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations/2fd791ad-af52-44ba-9da6-de122c8cda8b/definitionValues
    Request body, here we copy contents of the json file we exported earlier.

Enjoy testing, if you find some settings doesn’t work with my script, please give comments and describe which setting and what configuration. Thanks!

(3194)

Zeng (Sandy) Yinghua

Sandy is an Enterprise Mobility MVP since 2018. She has been working in the IT industry since 2009, primarily dealing with device management solution planning and implementation. Sandy has worked with SCCM, MDT, Group Policy, software packaging, problem solving. Sandy currently works for a large Finnish company with several thousand endpoints as system architect. In 2016, Sandy founded the https://thesccm.com blog and is now a blogger on SCConfigMgr.

5 comments

Sponsors

Subscribe

Do you want to be notified of new posts on our site?

Please enter your email address below:

Categories

MSEndpointMgr.com use cookies to ensure that we give you the best experience on our website.