Automate (one example) a Microsoft Endpoint Manager (Intune) backup!

MVP

 

Dear Microsoft Intune Friends,

 

Before we start preparing, it is important for you to know that you have read the following article. In this article I explain how an Intune backup works. These preparations are important because this article builds on them.

 

Note: How to create a backup of your Microsoft Endpoint Manager (Intune) infrastructure!
https://techcommunity.microsoft.com/t5/microsoft-intune/how-to-create-a-backup-of-your-microsoft-end...

 

I use an existing management system (Windows) as the platform for the following configuration example. I want to emphasize it again here, it is important that you have made the preparations (which are in the article above). For example, the Consent for the Intune management account is executed and also the PowerShell modules are installed. If all this is in place...Let us now start together.

 

I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments):

 

We need login information in the script. But we don't want to store this login information in plain text in the script. For this reason I create a file and put it in the directory C:\.

 

# Let's create the credential file
$credential = Get-Credential
$credential.Password | ConvertFrom-SecureString | Set-Content c:\encrypted_password.txt

 

Please create a PowerShell script file (for example: IntuneBackup.ps1) with the following content (between the equal signs). Save it on the C:\ drive. For the variable, replace the username with your Intune management account (which made the Consent).

=========================================================
$User = "yourname@yourdomain.com"

$encrypted = Get-Content c:\encrypted_password.txt | ConvertTo-SecureString
$credential = New-Object System.Management.Automation.PsCredential($User, $encrypted)

#Populate Variables
$FilePath = "C:\Backup"

#Create New Folder According to date
$BackupFolder = New-Item -ItemType Directory -Path "C:\Backup\$((Get-Date).ToString('yyyy-MM-dd'))"

#Connect to Graph API to Backup Intune
Connect-MSGraph -credential $Credential

#Start Intune Backup
Start-IntuneBackup -Path $BackupFolder

#Clean Up Old Intune Backups
Get-ChildItem -Path $FilePath | where-object {$_.LastWriteTime -lt (get-date).AddDays(-90)} |Remove-Item -Force
=========================================================

Now we create a basic task in the task scheduler, select daily execution and include our script.

_MEM_0.PNG_MEM_1.PNG_MEM_2.PNG_MEM_3.PNG_MEM_4.PNG_MEM_5.PNG_MEM_6.PNG_MEM_7.PNG

 

The result will be (after a few days) that the backups will be listed in your specified path.

_MEM_8.PNG_MEM_9.PNG

 

After 90 days, the oldest backups are deleted by the script. You can customize the days for your needs.

 

If you ever need to compare or restore from a backup, please check out this article:
https://techcommunity.microsoft.com/t5/microsoft-intune/compare-and-restore-a-microsoft-endpoint-man...

 

Of course, the whole thing can be extended, for example, with an automated notification. But this step I leave to you ;-).

 

I hope this article has given you a good foundation on how to automate your Intune Backup. Thank you for taking the time to read this article.

 

Kind regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

5 Replies

Hi Tom,

Just curious why you use a password in the script and not connecting to the graph api with azure app registration and an app secret?

Kind regards,

René

It depends I guess. When using application permissions you could sometimes end up with some weird errors.. Not saying that delegated permissions are better but :) until know i only have seen this API errors only with application permissions.. so that could be a good reason i guess ;) ?

https://call4cloud.nl/2021/09/the-isencrypted-with-steve-zissou/
Hi René, the customer wanted a local solution (everything on the management server). I had also thought of a "cloud solution". I will probably write another article about this ;-). What I want to mention is that the password is not directly in the script, that's what the intermediate step is for.
Greetings, Tom

Did any manage to run this in Cloud. I am trying to run in Azure Automation and copy to Blog storage. But having issues

May be a dumb question.. one of the SME challenge us why we need to back up Intune, AAD configurations, etc.. the point that was brought in "its SaaS app, there is an audit log, limited admin access and there is a change management process".. :) How do we address this query and educate the need for backup