How to create a backup of your Microsoft Endpoint Manager (Intune) infrastructure!


 

Dear Microsoft Intune Friends,

 

Imagine the following situation. You have invested several hours to build your Microsoft Endpoint Manager (Intune) infrastructure. After the final tests, everything is now working exactly as you imagined. Now the question arises: how can I back up all these settings and configurations? I will answer this question in this article.

 

Note: I will describe how to compare and restore the backup in the next article.

https://techcommunity.microsoft.com/t5/microsoft-intune/compare-and-restore-a-microsoft-endpoint-man...

 

What we can do in the Microsoft Endpoint Manager portal is export configuration settings to a CSV file. However, this is not exactly what I wanted.


 

To create a complete backup of our tenant, we need the power of PowerShell (power of PowerShell - funny :smile:).

 

I used the PowerShell ISE for this configuration, but you are very welcome to use Visual Studio Code if you prefer. Please start with the following steps to begin the deployment (lines that begin with # are comments):

 

#The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE
Set-Location
Clear-Host

 

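#Customize the ExecutionPolicy (absolutely OK for this demo)
#Without -Scope this changes the policy for the whole machine (LocalMachine) and needs an elevated session
Set-ExecutionPolicy -ExecutionPolicy Unrestricted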

 

#Install the Microsoft.Graph.Intune module
Install-Module -Name Microsoft.Graph.Intune -Verbose -Force -AllowClobber

#Install the MSGraphFunctions module
Install-Module -Name MSGraphFunctions -Verbose -Force -AllowClobber

#Import the MSGraphFunctions module
Import-Module -Name MSGraphFunctions

#Install the AzureAD module
Install-Module -Name AzureAD -Verbose -Force -AllowClobber

 

#Install IntuneBackupAndRestore from the PowerShell Gallery
Install-Module -Name IntuneBackupAndRestore -Verbose -Force -AllowClobber

 

#Update the Module
Update-Module -Name IntuneBackupAndRestore -Verbose

 

#Import the Module
Import-Module IntuneBackupAndRestore

 

#Connect to Microsoft Graph
Connect-MSGraph

 

Here you must agree to the extended permissions.


 

#Create a folder
New-Item -ItemType Directory -Path C:\Backup\IntuneBackup

 

#Switch to the folder
Set-Location C:\Backup\IntuneBackup

 

#Create the Full-Backup
Start-IntuneBackup -Path 'C:\Backup\IntuneBackup'

 

It starts with the creation of the backup.


 

#Let's look at the content
Get-ChildItem -Path 'C:\Backup\IntuneBackup'

 

Let's start Windows Explorer and navigate to our backup folder. Bingo... we have a complete backup!
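
A check to run on the backup folder afterwards, as an added example (not part of the original article or of the IntuneBackupAndRestore module): it confirms that every exported JSON file parses, counts the exported files per top-level folder, and writes a SHA-256 manifest that can be re-checked before a restore. The function names and the manifest file name are assumptions.

```powershell
# Added example (not from the article or the module). Function names and the
# manifest file name are hypothetical; the path is the backup folder used above.
function New-BackupManifest {
    param([Parameter(Mandatory)] [string] $Path,
          [string] $ManifestName = 'backup-manifest.csv')
    $root  = (Resolve-Path -LiteralPath $Path).Path
    $files = Get-ChildItem -LiteralPath $root -Recurse -File |
        Where-Object { $_.Name -ne $ManifestName }
    $entries = foreach ($file in $files) {
        $json = 'n/a'
        if ($file.Extension -eq '.json') {
            # An export that is empty or does not parse cannot be restored
            try {
                if ($file.Length -eq 0) { throw 'empty file' }
                $null = Get-Content -LiteralPath $file.FullName -Raw |
                    ConvertFrom-Json -ErrorAction Stop
                $json = 'ok'
            } catch { $json = 'invalid' }
        }
        [pscustomobject]@{
            RelativePath = $file.FullName.Substring($root.Length).TrimStart('\', '/')
            Sha256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            Json         = $json
        }
    }
    $entries | Export-Csv -LiteralPath (Join-Path $root $ManifestName) -NoTypeInformation -Encoding UTF8
    # Files per top-level folder: a configuration type that was not exported has no row
    $entries | Group-Object { ($_.RelativePath -split '[\\/]')[0] } |
        Select-Object Name, Count,
            @{ Name = 'InvalidJson'; Expression = { @($_.Group | Where-Object Json -eq 'invalid').Count } }
}

function Test-BackupManifest {
    param([Parameter(Mandatory)] [string] $Path,
          [string] $ManifestName = 'backup-manifest.csv')
    $root = (Resolve-Path -LiteralPath $Path).Path
    foreach ($entry in Import-Csv -LiteralPath (Join-Path $root $ManifestName) -Encoding UTF8) {
        $file = Join-Path $root $entry.RelativePath
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ RelativePath = $entry.RelativePath; Status = 'Missing' }
        }
        elseif ((Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $entry.Sha256) {
            [pscustomobject]@{ RelativePath = $entry.RelativePath; Status = 'Modified' }
        }
    }
}

New-BackupManifest  -Path 'C:\Backup\IntuneBackup'   # run right after Start-IntuneBackup
Test-BackupManifest -Path 'C:\Backup\IntuneBackup'   # run before a restore; no output means unchanged
```

Keep a copy of the manifest outside the backup folder; a manifest stored next to the files it describes can be changed together with them.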


 

I know that was nothing spectacular, but I still wanted to share my experience with you.

Thank you for taking the time to read this article.

 

Kind regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler

13 Replies

@TomWechsler 

 

How can we automate this process via Azure Automation? I would like to schedule Intune Backup.

 

Best Regards

Rashad Bakirov

@rashadbakirov Maybe use a storage account and file share and schedule the script to run.

@rashadbakirov 

 

Here's a method (using a different module though) for backup and documentation of your tenant using Azure DevOps or GitHub:

https://stealthpuppy.com/automate-intune-documentation-azure/
https://stealthpuppy.com/automate-intune-documentation-github/

This is great but it seems to overlook the Endpoint Security profiles. Like security baselines and any other security profiles. Is there a way to grab those configurations?

@TomWechsler 

 

Hi! This is a great article, not only for me but also for every modern Windows management engineer!

 

I would like to ask about one thing that is going wrong. With this script, it seems that I can get a full backup from my Intune.

But looking more closely, there is no backup of "Setting Catalog", which is a profile type of Device Configuration Profile.

 

With this script, is the "Setting Catalog" type not available for backup from Device Configuration Profile?

 

 

 

Sorry for my misunderstanding....

Setting Catalog is also available with this PS script.
There is a different folder named "Setting Catalog", and it is placed there.

@Ytk_OD 

Is there a way to copy the data, user profile, security profile and applications off a customer's asset prior to imaging the new replacement asset to ensure that the new refreshed asset can be quickly swapped out to allow the customer to return back to work quickly with no interruptions beyond swapping out the old asset with the new and booting up?

@TomWechsler 

 

Hi Tom 

 

Thanks for the backup script. I tried it out today and the full Intune configuration and catalogs got backed up. A little tinkering was required on the permissions part and it did work 100%!!

 

I will be trying out the steps you have mentioned for backup restoration. 

 

Thanks a ton !!!

 

Best regards 

Manoj

@TomWechsler 
The script no longer works.
Microsoft deleted the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547), which is used by default in Connect-MsGraph.
Resolution:
Create an Azure AD application in the tenant with the same permissions as the Enterprise Application Microsoft Intune PowerShell, then, before the Connect-MsGraph cmdlet,
use Update-MSGraphEnvironment -AppId yournewappid -AuthUrl "https://login.microsoftonline.com/yourTenantID"

This worked for me:

 

Created a new app reg with the same permissions as the "Microsoft Intune PowerShell" application. Added an authentication platform of type Mobile and desktop application with a Reply URL of urn:ietf:wg:oauth:2.0:oob.

Run:

Update-MSGraphEnvironment -AppId <new app ID> -AuthUrl https://login.microsoftonline.com/<tenantID>

 

Then Connect-MSGraph -ForceInteractive and use your Intune admin account.