Efficiency Unleashed: Create Intune Configuration Profiles with PowerShell

Looking to automate the creation of configuration profiles? You came to the right place.

Imagine having a multitude of configuration profiles to generate and wanting to simplify the process with PowerShell. Additionally, you aim to efficiently assign these profiles to various groups and include a scope tag for each of them.

If you’re as enthusiastic about Intune’s user interface as I am, you’ll appreciate the idea that behind the scenes, everything operates with JSON.

Why not leverage the power of automation to make the entire process smoother and more efficient?

Tools used

  • Graph Explorer
  • PowerShell (we’ll use the MG-Graph module here. I love it and you should too ^^)
  • A registered app with « Device Configuration » ReadWrite permissions in application mode
  • Intune console
  • Coffee (beer accepted)

Here are the steps we’re going to follow:

  • Create a profile manually as an example
  • Get information from Graph Explorer
  • Build your script
  • Assign the profile
  • Automate
  • Run, you clever boy!

Create a profile manually

Let’s create a profile to disable Bluetooth and remove gaming services from the Windows menu.

Now the scope tag and assignments:

Get information from Graph Explorer

My configuration profile name is: Admin0 – DisableBluetoothandGaming

Let’s connect to Graph Explorer using an account with sufficient privileges to read the newly created conf profile. Then search for your conf profile by filtering on the name:

Here is the URI: https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations?$filter=displayName eq 'Admin0 – DisableBluetoothandGaming'&$expand=assignments

Here $filter selects the configuration by its name, and $expand adds the group assignments at the end of the results.

Notice the response from your GET call? We’ll use that in our PowerShell script later on.

Notice also the Bluetooth and gaming values:

Build your PowerShell script

To connect to Graph, I suggest you first create a registered application with sufficient permissions to create configuration profiles. Use the Connect-MgGraph command as below with your client ID and the method used to secure the app (secret or certificate):

Back to Graph Explorer: we are not interested in every piece of information in the response to the GET call. Basically, everything under « value » is what we’re looking for!

Store the response you got from Graph Explorer in a variable named JSON. The Bluetooth and gaming payloads are configured in it:

The most important values are the displayName, the odata type and of course the settings values.

Then pick the URI to create a configuration profile: https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations

And finally, make the call to create the profile with the POST action.

Regarding the scope tag, if you don’t name it during the creation, it will use the « Default » scope tag.

To use one of your custom scope tags, get the role scope tag ID from Graph Explorer using the URI: https://graph.microsoft.com/beta/deviceManagement/roleScopeTags

Easy: I want to use my Admin0 scope tag, so the ID is « 1 ».

Once you have the scope tag ID, go back to your PowerShell script and insert the scope tag as below in the JSON content:
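The connection, scope tag lookup and creation call described in this section, as an added example that is not the author's own script. It assumes certificate-based app sign-in, placeholder IDs you replace with your own, an app that is also allowed to read scope tags, and that the two settings of the manually created profile map to the `bluetoothBlocked` and `settingsBlockGamingPage` properties of `windows10GeneralConfiguration`; the display name is a constructed sample.

```powershell
# Added example: replace the placeholders with your own values.
$tenantId   = '<tenant-id>'
$clientId   = '<app-client-id>'
$thumbprint = '<certificate-thumbprint>'   # certificate installed in the local certificate store

# App-only sign-in with a certificate, so no client secret is stored in the script.
Connect-MgGraph -TenantId $tenantId -ClientId $clientId -CertificateThumbprint $thumbprint

$base = 'https://graph.microsoft.com/beta/deviceManagement'

# Resolve the scope tag ID from its name instead of hard-coding "1".
$tagName = 'Admin0'
$tags    = (Invoke-MgGraphRequest -Method GET -Uri "$base/roleScopeTags").value
$tag     = $tags | Where-Object { $_.displayName -eq $tagName } | Select-Object -First 1
if (-not $tag) { throw "Scope tag '$tagName' not found; refusing to fall back to Default." }

# Profile body. The settings property names are assumptions (see the lead-in);
# compare them with the "value" block returned by Graph Explorer for your profile.
$confBody = @{
    '@odata.type'           = '#microsoft.graph.windows10GeneralConfiguration'
    displayName             = 'Admin0 - DisableBluetoothandGaming (script)'   # sample name
    description             = 'Created with PowerShell'
    bluetoothBlocked        = $true
    settingsBlockGamingPage = $true
    roleScopeTagIds         = @("$($tag.id)")   # omit this key and Intune uses "Default"
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$base/deviceConfigurations" `
    -ContentType 'application/json' -Body ($confBody | ConvertTo-Json -Depth 5)

# Read back what the service stored rather than trusting the request.
"Created $($created.id) with scope tags: $($created.roleScopeTagIds -join ', ')"
```

Stopping when the scope tag is missing matters: a profile created without `roleScopeTagIds` lands in the Default scope, where it may be visible to more administrators than intended.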

Let’s do a first run to confirm the profile is correctly created.

Created! And the values are correct!

We’ll take care of the automation later on. We have validated the creation process!

Assign the profile

OK, you created the profile but noticed there is no assignment yet.

Here are the steps to follow: get the ID of the conf you created, get the ID of your group, and finally assign.

Which gives, in terms of PowerShell scripting:

We get the IDs of your conf and your group so that one can be assigned to the other.

I get the ID with a GET call on the API, but you can of course use another loop with a CSV or your favorite method! Group IDs are easy to get with an export.

Finally, assign the conf with the POST action.

Confirm in the UI:

Nice!

Automate creation

You did the biggest part.

Now you want to parse a list of your countries / entities / departments.

For each country, create the configuration with the country name on it, and assign it to the country devices group.

To do that, create a foreach loop at the beginning of your script that parses the countries.

Notice that I don’t create the group in the script. But you can imagine the following steps:

For each country:

  • Does the group exist? If not, create the group (basically an if with a try and catch).
  • Create the conf
  • Assign the conf
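The assignment steps from « Assign the profile » and the per-country loop above, combined in one added example that is not the author's own script. It assumes Connect-MgGraph has already been run, that the app may also read and create groups, and the same two settings property names as before; the country list, naming patterns and the helper functions `Get-FirstByName` and `Send-GraphPost` are hypothetical.

```powershell
# Added example. Assumes Connect-MgGraph already ran and the app may read/create groups.
# Country names and naming patterns are constructed samples.
$graph     = 'https://graph.microsoft.com/beta'
$countries = 'France', 'Belgium', 'Spain'

function Get-FirstByName ([string]$Collection, [string]$Name) {
    # OData escapes a single quote inside a string literal by doubling it.
    $safe   = $Name -replace "'", "''"
    $filter = [uri]::EscapeDataString("displayName eq '$safe'")
    (Invoke-MgGraphRequest -Method GET -Uri "$graph/$Collection`?`$filter=$filter").value |
        Select-Object -First 1
}
function Send-GraphPost ([string]$Path, [hashtable]$Body) {
    Invoke-MgGraphRequest -Method POST -Uri "$graph/$Path" -ContentType 'application/json' `
        -Body ($Body | ConvertTo-Json -Depth 5)
}

foreach ($country in $countries) {
    $confName  = "Admin0 - $country - DisableBluetoothandGaming"
    $groupName = "Devices - $country"

    # Does the group exist? If not, create it as a security group.
    $group = Get-FirstByName 'groups' $groupName
    if (-not $group) {
        $group = Send-GraphPost 'groups' @{
            displayName     = $groupName
            mailNickname    = $groupName -replace '[^A-Za-z0-9]', ''
            mailEnabled     = $false
            securityEnabled = $true
        }
    }
    # Create the conf only if an earlier run did not, so reruns add no duplicates.
    $conf = Get-FirstByName 'deviceManagement/deviceConfigurations' $confName
    if (-not $conf) {
        $conf = Send-GraphPost 'deviceManagement/deviceConfigurations' @{
            '@odata.type'           = '#microsoft.graph.windows10GeneralConfiguration'
            displayName             = $confName
            bluetoothBlocked        = $true
            settingsBlockGamingPage = $true
        }
    }
    # Assign the conf. The assign action replaces the profile's whole assignment list.
    $target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.id }
    Send-GraphPost "deviceManagement/deviceConfigurations/$($conf.id)/assign" @{
        assignments = @(@{ target = $target })
    } | Out-Null
    "$country : $confName -> $groupName"
}
```

Because the lookups run before every create, the script can be rerun after a partial failure; since assign overwrites existing assignments, include every intended target group in the `assignments` array.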

Conclusion

You can imagine multiple use cases here:

  • Parse groups directly from Entra.
  • Create different kinds of configuration profiles.
  • Look into application creation.
  • Run the script as soon as a country is onboarded.
  • Add devices to groups.

Explore these possibilities to optimize your IT operations and become an efficiency champion in your organization.

Looking for more API content? You’ll love Andrew’s blog for sure 🙂
