// Pillar guide
Intune scripts: the complete library.
120+ open-source PowerShell scripts that automate Microsoft Intune device management, compliance reporting, proactive remediation, and Azure Automation runbooks. Categories, deployment paths, and the canonical scripts library — one page.
What are Intune scripts?
Intune scripts are PowerShell scripts that automate Microsoft Intune through the Microsoft Graph API. They cover the work that the Intune admin center either does not expose at all or only exposes one device at a time: bulk policy assignment, tenant-wide compliance audits, exporting device inventories, Conditional Access reporting, BitLocker key recovery, Autopilot diagnostics, and proactive remediation pairs that detect and fix issues on managed endpoints.
An Intune script and an Intune platform script are not the same thing. A platform script is a specific Intune feature that pushes a PowerShell file to Windows devices and runs it under SYSTEM or the signed-in user. An Intune script in the broader sense is any script that automates Intune via Graph — run by an administrator at the terminal, scheduled in Azure Automation as a runbook, executed in CI, or deployed through the platform-scripts feature. The library on this site covers the broader category; platform scripts are one of several deployment targets.
Every script in the IntuneAutomation library is open source under the MIT license, validated by PSScriptAnalyzer in CI, and documents its required Microsoft Graph scopes in a comment-based help header. Scripts depend only on the Microsoft.Graph.Authentication module — no resource-specific Graph SDK modules are required, which keeps installs lean and Azure Automation cold starts fast.
Categories of Intune scripts
The library is organised by the surface of Intune the script touches. Each category below links to a filtered view of the catalog so you can drill into the scripts relevant to your workload.
Device management scripts
PowerShell scripts that enumerate, query, wipe, retire, sync, or report on Intune-managed devices via the Microsoft Graph deviceManagement endpoint.
Compliance scripts
Scripts that report device compliance state, surface non-compliant devices by policy, and audit compliance posture across the tenant.
Proactive remediation scripts
Detection-and-remediation script pairs for Intune Endpoint Analytics that find issues and fix them before users open a ticket.
Reporting scripts
Scripts that export Intune data — devices, applications, policies, assignments — to CSV, JSON, or HTML for stakeholder reports and audits.
Application scripts
Win32, LOB, and store app management scripts: deployment status, assignment audits, install-failure summaries, and package automation.
Security scripts
BitLocker key escrow, Conditional Access auditing, security baseline reporting, and antivirus posture scripts for Intune-managed endpoints.
Configuration scripts
Configuration profile creation, assignment, comparison, and bulk editing scripts for Windows, macOS, iOS, and Android device configuration policies.
Monitoring scripts
Scheduled scripts that watch for state changes — enrollment failures, sync delays, policy drift — and emit alerts via Teams, email, or webhook.
Diagnostics scripts
Scripts that collect logs, registry state, MDM diagnostics, and Autopilot information from managed endpoints for troubleshooting.
Operational scripts
Day-to-day operational scripts: bulk assignments, group membership management, license auditing, and tenant-wide maintenance tasks.
Notification scripts
Scheduled scripts that send Teams, email, or webhook notifications when something happens in the tenant — new enrollments, failed deployments, expiring certificates.
Three ways to run an Intune script
The same Intune script can run in three different places depending on whether you are testing, scheduling, or deploying. Scripts in this library detect the environment automatically and pick the right authentication path.
1. Local execution
Run the script from PowerShell ISE, VS Code, or a terminal on your admin workstation. Authentication uses interactive sign-in through Connect-MgGraph with the scopes the script declares. Best for development, one-off reports, and bulk operations you want to watch finish.
2. Azure Automation runbooks
Click the Deploy to Azure button on any script page and the Azure Portal will load a pre-configured ARM template that creates the runbook in your Automation account. Enable a system-assigned Managed Identity, grant it the Microsoft Graph permissions the script declares, and schedule the runbook. The script recognises the Automation environment and switches from interactive sign-in to Managed Identity automatically. Best for production, recurring jobs, and anything that must run without a human present.
3. Intune platform scripts (Windows)
For scripts that need to run on the managed endpoint itself — collecting client-side state, running detection logic, applying user-context settings — upload the script as an Intune platform script or package the detection/remediation pair as a proactive remediation in Endpoint Analytics. This path is for scripts that act on the device, not scripts that act on the tenant.
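An added example (not a script from the IntuneAutomation library) of the environment detection described above, combined with the least-privilege scope check the FAQ below recommends. The Azure Automation markers it tests, $PSPrivateMetadata.JobId and $env:AUTOMATION_ASSET_ACCOUNTID, are assumptions to confirm in your own Automation account; everything else is standard Microsoft.Graph.Authentication.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example, not a script from the IntuneAutomation library.
# Picks Managed Identity inside an Azure Automation runbook and interactive
# sign-in everywhere else, then verifies the token carries every declared scope.

function Connect-IntuneGraph {
    [CmdletBinding()]
    param(
        # The Graph scopes the calling script declares in its help header
        [Parameter(Mandatory)][string[]] $RequiredScopes
    )

    # Assumption: these two markers are present in the Automation sandbox and
    # absent on an admin workstation. Verify in your own Automation account.
    $inAutomation = ($null -ne $PSPrivateMetadata.JobId) -or
                    (-not [string]::IsNullOrEmpty($env:AUTOMATION_ASSET_ACCOUNTID))

    if ($inAutomation) {
        # Runbook: system-assigned Managed Identity, no credential stored in the job
        Connect-MgGraph -Identity -NoWelcome -ErrorAction Stop
        $principal = 'Managed Identity of the Automation account'
        $mode      = 'ManagedIdentity'
    }
    else {
        # Admin workstation: interactive sign-in, consenting only to the declared scopes
        Connect-MgGraph -Scopes $RequiredScopes -NoWelcome -ErrorAction Stop
        $principal = 'signed-in account'
        $mode      = 'Interactive'
    }

    # Least-privilege check: fail now with a clear message instead of later with
    # an obscure 403. For a Managed Identity the scopes are the granted app roles.
    $context = Get-MgContext
    $missing = $RequiredScopes | Where-Object { $_ -notin $context.Scopes }
    if ($missing) {
        throw "Missing Graph permission(s): $($missing -join ', '). Grant them to the $principal and re-run."
    }

    [pscustomobject]@{
        Mode    = $mode
        Account = $context.Account
        Scopes  = $context.Scopes
    }
}

# Usage: the same call works at the terminal and inside a runbook
Connect-IntuneGraph -RequiredScopes 'DeviceManagementManagedDevices.Read.All'
```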
Why Invoke-MgGraphRequest instead of the full Graph SDK?
Scripts in this library call Microsoft Graph through Invoke-MgGraphRequest rather than the resource-specific Graph PowerShell modules. The trade-off is deliberate: you give up auto-completion and typed cmdlets in exchange for direct REST access, a single small dependency, and one-to-one parity with the Graph documentation.
Three practical wins come from this choice. First, the F12 developer tools in the Intune Portal show you the exact Graph calls Microsoft itself makes — you can copy-paste the URL and body straight into a script. Second, only the Microsoft.Graph.Authentication module is required, instead of dozens of resource modules that bloat install size and Azure Automation cold starts. Third, when something breaks, the request and response match the Graph reference docs exactly — no SDK abstraction layer to debug through.
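An added example, not code from the library itself, of the pattern just described: a complete Intune compliance query that uses only Invoke-MgGraphRequest, following @odata.nextLink paging and using $select so the property names match the managedDevice reference exactly. The paging helper is generic to any Graph collection, not only managedDevices; the example assumes Connect-MgGraph has already run with DeviceManagementManagedDevices.Read.All and that the CSV path is writable.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example, not a script from the IntuneAutomation library.
# Assumes Connect-MgGraph has already run with DeviceManagementManagedDevices.Read.All.

function Get-GraphCollection {
    # Follows @odata.nextLink until the collection is exhausted. Graph returns an
    # absolute URL for the next page, so this works for any collection endpoint.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string] $Uri)

    $items = [System.Collections.Generic.List[object]]::new()
    $next  = $Uri
    while ($next) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $next -OutputType PSObject -ErrorAction Stop
        if ($page.value) { $items.AddRange([object[]]$page.value) }
        $next = $page.'@odata.nextLink'   # $null on the last page
    }
    return $items.ToArray()
}

function Get-ComplianceSummary {
    # $select keeps each page small; the names are exactly the managedDevice
    # properties in the Graph reference, which is the parity argument above.
    [CmdletBinding()]
    param([int] $StaleDays = 30, [string] $CsvPath = '.\stale-noncompliant.csv')

    $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
           '?$select=id,deviceName,operatingSystem,complianceState,lastSyncDateTime'
    $devices = Get-GraphCollection -Uri $uri

    # Non-compliant devices that have also stopped checking in are the ones to chase first
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)
    $devices |
        Where-Object { $_.complianceState -eq 'noncompliant' -and [datetime]$_.lastSyncDateTime -lt $cutoff } |
        Select-Object deviceName, operatingSystem, lastSyncDateTime |
        Export-Csv -Path $CsvPath -NoTypeInformation

    # Per-state counts for the summary section of a report
    $devices | Group-Object complianceState |
        ForEach-Object { [pscustomobject]@{ ComplianceState = $_.Name; Devices = $_.Count } } |
        Sort-Object Devices -Descending
}

Get-ComplianceSummary | Format-Table -AutoSize
```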
Most-used Intune scripts right now
Ranked by views across the community over the past quarter. Each script ships with the comment-based help header, declared Microsoft Graph permissions, and a Deploy to Azure button for Azure Automation.
- Device Compliance Report
This script connects to Microsoft Graph, retrieves managed devices and their compliance status, and generates a detailed report in both CSV and HTML formats. The report includes device details, compliance status, and summary statistics.
- Application Inventory Report
This script connects to Microsoft Graph, retrieves all managed devices and their installed applications, and generates detailed reports in both CSV and HTML formats. The report includes application details, installation status, version information, and summary statistics across the entire device fleet.
- Cleanup Orphaned Autopilot Devices
This script connects to Microsoft Graph and identifies Windows Autopilot devices that are registered in the Autopilot service but are no longer present as managed devices in Intune. These orphaned devices can accumulate over time when devices are retired, reimaged, or replaced without proper cleanup of the Autopilot registration. The script provides options to preview orphaned devices before removal and supports batch operations with confirmation prompts for safety. It helps maintain a clean Autopilot device inventory and prevents potential enrollment issues.
- Get Stale Intune Devices
This script connects to Microsoft Graph and retrieves all managed devices from Intune, then identifies devices that are considered "stale" based on their last check-in date. The script supports all device platforms (Windows, iOS, Android, macOS) and provides comprehensive reporting with options to export results to CSV format. Stale devices may indicate hardware that is no longer in use, devices that have been reimaged without proper cleanup, or devices experiencing connectivity issues.
- BitLocker Key Storage Checker
This script connects to Microsoft Graph API, retrieves all Windows devices from Intune, and checks if each device has BitLocker recovery keys stored in Entra ID. The script provides detailed reporting on compliance status, identifies devices without stored keys, and exports comprehensive results to CSV format for further analysis. This helps ensure proper BitLocker key escrow for data recovery scenarios.
- Sync Devices
This script connects to Microsoft Graph and triggers synchronization operations on targeted devices. You can target devices by specific names, device IDs, or by Entra ID group membership. The script provides real-time feedback on sync operations and handles errors gracefully.
- Policy Changes Monitor
This script connects to Microsoft Graph and retrieves recent changes to Policies configured in Intune. It checks audit logs for policy modifications, creations, deletions, and assignments within a specified time period. The script generates detailed reports in CSV format, highlighting policy changes with details about who made the changes, when they occurred, and what was modified. This helps administrators track configuration drift and maintain governance over device configuration policies.
- Create App-Based Entra ID Groups
This script queries Intune-managed devices to identify which applications are installed, then creates or updates Entra ID groups containing devices with specific applications. It supports multiple detection methods including detected apps and deployment status, handles all app types (Win32, Store, LOB, Web apps), and provides flexible group creation options. Perfect for dynamic device targeting based on installed software.
- Wipe Devices
This script connects to Microsoft Graph and triggers remote wipe operations on targeted devices. You can target devices by specific names, device IDs, or by Entra ID group membership. The script provides options for selective wipe (remove company data) or full wipe (factory reset). All operations include confirmation prompts to prevent accidental data loss.
- Multi-Admin Approval Pending Requests Monitor
This script is designed to run as a scheduled Azure Automation runbook that monitors Multi-Admin Approval requests in Microsoft Intune and identifies pending approval requests. It tracks new requests, monitors request age, identifies approvers, and sends email notifications to administrators with detailed request information and direct links to the Intune portal. The script helps maintain security compliance by ensuring timely review of administrative changes and provides visibility into the MAA approval workflow.
  Key features:
  - Monitors all MAA pending requests across protected resources
  - Tracks request age and highlights urgent requests
  - Identifies and notifies appropriate approvers
  - Provides direct links to the Intune portal for quick action
  - Tracks previously notified requests to avoid spam
  - Sends escalation alerts for aging requests
  - Supports both Azure Automation runbook and local execution
  - HTML-formatted email reports with actionable insights
  - Uses the Microsoft Graph Mail API exclusively
- Application Installation Status Report
This script connects to Microsoft Graph, retrieves all managed applications and their installation status across all devices, and generates detailed reports in both CSV and HTML formats. The report includes installation state (installed, pending, failed, not applicable), error codes, device details, and summary statistics to help identify and troubleshoot application deployment issues.
- Apple Token Validity Checker
This script connects to Microsoft Graph and retrieves all Apple Device Enrollment Program (DEP) tokens and Apple Push Notification Certificates configured in Intune. It checks their validity status, expiration dates, and sync status to help administrators proactively manage Apple Business Manager integrations. The script generates detailed reports in CSV format, highlighting tokens and certificates that are expired, expiring soon, or have sync issues.
Frequently asked questions
- What are Intune scripts?
- Intune scripts are PowerShell scripts that automate Microsoft Intune device management tasks by calling the Microsoft Graph API. They cover everything from one-off reporting and bulk policy assignment to scheduled compliance audits and proactive remediations. Scripts can run locally with interactive authentication, in Azure Automation as runbooks with Managed Identity, or be deployed to managed devices through the Intune platform-scripts feature.
- Where can I find a library of free Intune PowerShell scripts?
- IntuneAutomation maintains an open-source library of 120+ Intune PowerShell scripts at intuneautomation.com/scripts. Every script is MIT-licensed, validated by PSScriptAnalyzer in CI, documents its required Microsoft Graph permissions, and ships with a one-click Deploy to Azure button for Azure Automation runbooks. The full source lives on GitHub at github.com/ugurkocde/IntuneAutomation.
- What is the difference between an Intune script and an Intune platform script?
- An Intune script in the general sense is any PowerShell script that automates Intune via the Microsoft Graph API — run by an administrator, scheduled in Azure Automation, or executed in CI. An Intune platform script is a specific Intune feature that deploys a PowerShell script to managed Windows devices and runs it under SYSTEM or the logged-on user. The library on this site covers the first category; the platform-scripts feature is one of several deployment targets for that work.
- How do I run an Intune script in Azure Automation?
- Open the script page, click Deploy to Azure, and Azure Portal will load a pre-configured ARM template that creates the runbook in your Automation account. After deployment, enable a system-assigned Managed Identity on the Automation account and grant it the Microsoft Graph permissions the script declares. The script automatically detects the Azure Automation environment and uses Managed Identity authentication instead of interactive sign-in.
- What Microsoft Graph permissions do Intune scripts need?
- Each script lists the exact Microsoft Graph scopes it requires in its comment-based help header. Read-only scripts typically need DeviceManagementManagedDevices.Read.All, DeviceManagementConfiguration.Read.All, or DeviceManagementApps.Read.All. Scripts that modify state require the corresponding ReadWrite scopes. Apply least privilege: grant only the scopes the script actually needs, and audit Managed Identity permissions periodically.
- Are Intune PowerShell scripts safe to use in production?
- Yes, with the same precautions as any production change. Every script in the IntuneAutomation library is open source on GitHub, validated by PSScriptAnalyzer in CI, and documents its behavior and required permissions. Read the script before running it, test in a non-production tenant or pilot group, prefer Azure Automation runbooks with Managed Identity over long-lived credentials, and back up policies before bulk changes.
- Do these scripts work with PowerShell 5.1 and PowerShell 7?
- Yes. All scripts are written to run on Windows PowerShell 5.1 and PowerShell 7+ on Windows, macOS, and Linux. They depend only on the Microsoft.Graph.Authentication module — no resource-specific Graph SDK modules are required, which keeps installs fast and the cold-start time low for Azure Automation runbooks.
- Can I generate a new Intune script with AI?
- Yes. The IntuneAutomation Script Generator at intuneautomation.com/generator produces production-shaped Intune scripts from a natural-language description. It is purpose-built for Intune and Microsoft Graph, runs a PSScriptAnalyzer-style lint pass on every result, redacts secrets before sending the prompt, and outputs scripts that follow the same comment-based help conventions as the curated library.
Build your own with the Script Generator
Need a script the library does not have? The IntuneAutomation Script Generator produces production-shaped Intune scripts from a natural-language description — purpose-built for Intune and Microsoft Graph, with a PSScriptAnalyzer-style lint pass on every result.