Dear Microsoft Intune Friends,
In this article I will explain how you can compare two Microsoft Endpoint Manager (Intune) backups. Of course, we will also look at a restore of a backup together.
Note: I explain how to create a backup of your Microsoft Endpoint Manager (Intune) configuration in this article:
https://techcommunity.microsoft.com/t5/microsoft-intune/how-to-create-a-backup-of-your-microsoft-end...
Let us now start together.
I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments):
#The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE
Set-Location
Clear-Host
#Create a folder
New-Item -ItemType Directory -Path C:\Backup\IntuneBackup1
#Switch to the folder (it is optinal)
Set-Location C:\Backup\IntuneBackup1
We have created a first backup. Now let us make a change to a profile in the MEM portal. After that we create another backup.
#Create a new Full-Backup
Start-IntuneBackup -Path 'C:\Backup\IntuneBackup1'
#We need the path to the .json file
$Ref = "C:\Backup\IntuneBackup\Device Configurations\Microsoft Defender AntiiVirus.json"
$Diff = "C:\Backup\IntuneBackup1\Device Configurations\Microsoft Defender AntiiVirus.json"
#Compare two Backup Files for changes
Compare-IntuneBackupFile -ReferenceFilePath $Ref -DifferenceFilePath $Diff
Now we can see what changes have been made.
But what if you don't know where a change was made? Then you can also compare two complete backups. This works as follows:
#Compare all files in two Backup Directories for changes
Compare-IntuneBackupDirectories -ReferenceDirectory 'C:\Backup\IntuneBackup' -DifferenceDirectory 'C:\Backup\IntuneBackup1'
So how does the recovery work? A first variant would be the complete recovery. For this you use two CMDLET's. With the first CMDLET "Start-IntuneRestoreConfig" the configuration is restored and with the second CMDLET "Start-IntuneRestoreAssignments" the assignment is restored.
#Restore Intune configuration
Start-IntuneRestoreConfig -Path 'C:\Backup\IntuneBackup1'
#If you wish to restore the assignments for Intune configurations
Start-IntuneRestoreAssignments -Path 'C:\Backup\IntuneBackup1'
IMPORTANT: Restoring configurations will not overwrite existing configurations, but creates new ones. Restoring assignments may overwrite existing assignments.
You can also restore individual policies (The policy must not exist in the MEM portal). But beware, first create a copy (new folder) of your fullbackup. Navigate the new folder and remove everything you don't want to restore.
In the Intune Portal, I remove the Configuration Profile "Microsoft Defender AntiiVirus" (and yes I noticed earlier that I misspelled the name).
#Now we will first restore the configuration.
Invoke-IntuneRestoreDeviceConfiguration -Path 'C:\Backup\IntuneBackup2'
The configuration is restored, but did you notice, the assignment is not restored. This is where the second CMDLET comes in.
#Now the assignment is restored.
Invoke-IntuneRestoreDeviceConfigurationAssignment -Path 'C:\Backup\IntuneBackup2'
You can also restore the Administrative Templates, App Protection Policies, Client Apps, etc. with additional CMDLET's. For example:
Invoke-IntuneRestoreDeviceCompliancePolicy
Invoke-IntuneRestoreDeviceCompliancePolicyAssignment
Invoke-IntuneRestoreClientAppAssignment
Invoke-IntuneRestoreAppProtectionPolicy
Invoke-IntuneRestoreAppProtectionPolicyAssignment
With exactly the same preparations as shown in the example above.
I hope this article has given you a good foundation on how to compare and restore your Intune configuration. Thank you for taking the time to read this article.
Kind regards, Tom Wechsler
P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler
