Manage and deploy Intune scripts with Azure DevOps

Working with Intune scripts can be challenging when you need to know where the source file is located, determine the latest version, who worked on it and what was changed over time. That’s why I created a solution that gives you the possibility to manage and deploy Intune device and remediation scripts with Azure DevOps.
It will give the following benefits:
- Central location for all device and remediation scripts used in Intune.
- Version history so all changes made over time can be viewed.
- Always know what the latest version is and who worked on it.
- Controlled environment where people can review and approve changes made on scripts.
- No Intune role assignment needed for users to add, update or remove scripts.
What we need to implement this:
- Azure service connection in Azure DevOps with the tenant you want to manage and deploy Intune scripts on.
- An app registration with the Microsoft Graph Group.Read.All and DeviceManagementConfiguration.ReadWrite.All application permissions.
- Export the current Intune device and remediation scripts from the tenant you want to manage.
- Create a repository (or use existing one), upload the exported Intune scripts and create pipelines in Azure DevOps.
All scripts can be found on my GitHub. Be careful: check the variables and test everything first before implementing it in production.
Azure service connection
Check if your organization already has a service connection between Azure DevOps and the tenant you want to use. In Azure DevOps, go to your project settings and select Service connections.
When a service connection is present, write down the connection name, as we need it later in the vars.yml. Otherwise, create an app registration in Microsoft Entra ID and add it under Service connections.
Create app registration with Microsoft Graph permissions on Intune
Go to Microsoft Entra ID and create a new app registration. Add the following Microsoft Graph application permissions to the app registration you want to use for Intune: Group.Read.All and DeviceManagementConfiguration.ReadWrite.All.
Security-wise it’s better to work with two app registrations (also known as service principals): one for the Azure DevOps service connection and another for making Microsoft Graph requests to Intune.
I did these specific steps in the following order:
- Create an app registration that we can use for the communication with Intune.
- Assign the Microsoft Graph application permissions mentioned earlier.
- Generate the client secret for this new app registration.
- Create or use an existing Azure key vault and give the app registration used for the service connection in Azure DevOps read permissions on secrets.
- Add the application Id and client secret of the app registration used for Intune to the Azure key vault.
The PowerShell functions that are used in the Azure DevOps pipelines retrieve the application Id and client secret of the Intune app registration from the Azure key vault. With those we build an authentication header that is used to apply changes to Intune device and remediation scripts.
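The following is an added example, not the author's pipeline code, of how such a function can look: it reads the application Id and client secret from Key Vault with the identity of the Azure DevOps service connection (which only needs Get on secrets) and exchanges them for a Graph token with the client credentials flow. The vault name and secret names are assumptions; the Az.KeyVault module is assumed to be present, as it is inside an AzurePowerShell task.

```powershell
# Added example (not part of the author's solution): build a Microsoft Graph
# authentication header for the Intune app registration whose application Id
# and client secret live in Azure Key Vault.
function Get-IntuneGraphAuthHeader {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$VaultName,
        [string]$AppIdSecretName  = 'intune-app-id',        # assumed secret name
        [string]$ClientSecretName = 'intune-client-secret'  # assumed secret name
    )

    # The service connection identity only needs the Get permission on secrets.
    # -AsPlainText requires Az.KeyVault 2.0 or later.
    $appId  = Get-AzKeyVaultSecret -VaultName $VaultName -Name $AppIdSecretName  -AsPlainText
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $ClientSecretName -AsPlainText

    # Client credentials flow against the v2.0 token endpoint. The .default scope
    # yields the application permissions that were granted to the app registration
    # (Group.Read.All and DeviceManagementConfiguration.ReadWrite.All).
    $body = @{
        client_id     = $appId
        client_secret = $secret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $token = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' `
        -Body $body

    # Drop the secret as soon as the token has been obtained.
    $secret = $null

    return @{
        'Authorization' = "Bearer $($token.access_token)"
        'Content-Type'  = 'application/json'
    }
}

# Usage inside an AzurePowerShell task (already signed in through the service connection).
# The tenant id and vault name are placeholders.
# $headers = Get-IntuneGraphAuthHeader -TenantId $env:TENANT_ID -VaultName 'kv-intune-scripts'
# Invoke-RestMethod -Method Get -Headers $headers `
#     -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts'
```

Keeping the two identities apart as the text recommends means the pipeline identity never holds Intune permissions itself; it can only read the two secrets, and the Intune app registration is never used outside the pipeline run.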
Export current Intune device and remediation scripts
Start by exporting all Intune device and remediation scripts used within your Intune environment. You can use the scripts from Oliver Kieselbach for this. I added them to my own repository in the export folder to have all necessary files in one place.
Export device scripts: https://github.com/iuenk/Blogs/blob/main/ManageIntuneScripts/export/Get-DeviceHealthScripts.ps1
Export remediation scripts: https://github.com/iuenk/Blogs/blob/main/ManageIntuneScripts/export/Get-DeviceHealthScripts.ps1
Azure DevOps repository
Create an Azure DevOps repository or use an existing one and upload all folders and files from https://github.com/iuenk/Blogs/tree/main/ManageIntuneScripts. The export folder can be skipped, as it is only used to export the current Intune scripts and is not part of the solution.
Check the remediation and scripts folders and upload the scripts you exported previously. Add an environment folder for every script.
The different environments can be used to deploy scripts to other tenants. Every environment folder has its own vars.txt. This file contains all parameters needed to successfully deploy an Intune device or remediation script.
The nDisplayName in the vars.txt can be used if you want to change the displayName. Below is an example for a device script.
The big difference for a remediation script is the assignedGroups parameter, because it needs to have a schedule. Groups are separated with a comma and the options for each group are separated with a semicolon. In this way you can add multiple assigned groups with different schedules and filters.
IMPORTANT: use the correct order [groupname];[scheduletype];[interval];[time];[date];[filtertype];[filtername]
Based on the scheduletype some parameters are mandatory:
[once];[interval];[time];[date]
[hourly];[interval]
[daily];[interval];[time]
Below is an example of three assigned groups with different scheduletypes and filters.
The solution checks whether parameters like the detect and remediate scripts, groups, scope tags, filters and schedule combinations are valid. When one of them is not found in the specified tenant, the pipeline fails.
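As an added example, not code from the author's repository, the function below parses the assignedGroups value in the field order given above and enforces the mandatory fields per scheduletype (once: interval, time, date; hourly: interval; daily: interval, time) before anything is sent to Intune. The sample value is constructed; the HH:mm time check is an assumed convention and should be adjusted to the format used in your own vars.txt. Resolving the group, filter and scope tag names against the tenant, which the solution also does, is out of scope here.

```powershell
# Added example (not part of the author's solution): parse and validate the
# assignedGroups parameter from vars.txt.
# Field order: [groupname];[scheduletype];[interval];[time];[date];[filtertype];[filtername]
function ConvertFrom-AssignedGroups {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$AssignedGroups)

    # Which fields each scheduletype must have filled in.
    $required = @{
        once   = @('interval', 'time', 'date')
        hourly = @('interval')
        daily  = @('interval', 'time')
    }
    $fields = @('groupName', 'scheduleType', 'interval', 'time', 'date', 'filterType', 'filterName')

    foreach ($entry in $AssignedGroups.Split(',')) {
        $parts = $entry.Trim().Split(';')
        if ($parts.Count -ne $fields.Count) {
            throw "Entry '$entry' has $($parts.Count) fields, expected $($fields.Count): $($fields -join ';')"
        }

        $group = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $group[$fields[$i]] = $parts[$i].Trim() }

        $type = $group.scheduleType.ToLower()
        if (-not $required.ContainsKey($type)) {
            throw "Entry '$entry': scheduletype '$($group.scheduleType)' must be once, hourly or daily"
        }
        foreach ($name in $required[$type]) {
            if ([string]::IsNullOrWhiteSpace($group[$name])) {
                throw "Entry '$entry': '$name' is mandatory for scheduletype '$type'"
            }
        }
        if ($group.interval -notmatch '^[1-9]\d*$') {
            throw "Entry '$entry': interval must be a positive integer"
        }
        # Assumed convention: time written as HH:mm.
        if ($group.time -and $group.time -notmatch '^\d{1,2}:\d{2}$') {
            throw "Entry '$entry': time must be written as HH:mm"
        }
        # A filter type without a filter name (or the reverse) is a configuration mistake.
        if ([string]::IsNullOrWhiteSpace($group.filterType) -ne [string]::IsNullOrWhiteSpace($group.filterName)) {
            throw "Entry '$entry': filtertype and filtername must be set together"
        }
        [pscustomobject]$group
    }
}

# Constructed sample: three groups with different scheduletypes and filters.
# Group and filter names are placeholders, empty fields are left empty on purpose.
$sample = 'GRP-Win-Pilot;once;1;09:00;01-01-2025;include;FLT-Win11,' +
          'GRP-Win-All;hourly;4;;;;,' +
          'GRP-Win-Kiosk;daily;1;22:00;;exclude;FLT-Kiosk'
ConvertFrom-AssignedGroups -AssignedGroups $sample | Format-Table

# A malformed entry fails before any Graph request is made:
try { ConvertFrom-AssignedGroups -AssignedGroups 'GRP-Win-All;daily;1;;;;' } catch { Write-Warning $_ }
```

Failing fast on a malformed vars.txt is what keeps the pipeline from creating a remediation script with only part of its assignments applied; the function returns one object per group, which the create or update step can then pass on to the Graph calls.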
Create Azure DevOps pipelines
Create pipelines and connect them to the corresponding files we uploaded previously: set-device-script.yml and set-remediation-script.yml. In my case I named the pipelines set-device-script and set-remediation-script, but when you have multiple environments you can add DEV, ACC or PRD to the name.
It’s necessary to create a separate pipeline for each environment when you want to push to different tenants. That’s because the pipeline refers to the vars.yml stored in the vars folder. This file contains all static variables that we address within our pipelines.
The pipeline also has dynamic variables, meaning they can be different every time you run one of the pipelines manually. You can create the action and scriptFolder variables by editing the pipeline and selecting Variables.
In the example below a new remediation script will be deployed with a detection and/or remediation script found in the specified scriptFolder.
action: must be one of create, update or remove (will be checked in the PowerShell functions).
scriptFolder: the folder where the device or remediation script is situated in your repository.
When done, select Run and the action will be applied in Intune for the specified device or remediation script. In the example below we are creating a remediation script based on the vars.txt data found in VirtualizationBasedProtection\prd\vars.txt. The pipeline output in blue lists all steps done during the process.
The remediation script is created in Intune when the pipeline has finished successfully.
Verify that the Interval, Date and time, Filter and Filter mode are configured correctly for each included group, based on the parameters specified in the vars.txt.