Hello everyone, I was working on a scenario where a customer wanted to take backups of their Intune configuration at regular intervals. You may ask why anyone would need that. In this case, someone had gained access to the Intune admin account and caused every possible kind of damage. Of course, the first action item is to ensure that the Intune admin account is secured. However, if we have a backup, it is easy to restore the configuration. These settings can also be exported and replicated in another environment if needed.

For those who are not aware of Intune, Microsoft Intune is a cool service that lets you manage and secure your mobile devices, apps, and data. But what if you want to save and restore your Intune settings? You need to use a tool called Microsoft 365 Desired State Configuration (M365DSC).

M365DSC is an open-source PowerShell module that helps you export, import, and compare the settings of different Microsoft 365 services, including Intune. With M365DSC, you can create a script that tells Intune how you want it to be configured, and then apply it to another account or environment.

In this article, we will show you how to back up Intune using M365DSC's Export-M365DSCConfiguration command.

Prerequisites

Before you start, make sure you have these things:

  • A device that runs Windows 10 and has PowerShell 5.1 or higher installed.
  • The latest version of the Microsoft365DSC module. You can install it from the PowerShell Gallery with this command:
    Install-Module -Name Microsoft365DSC -Force
  • A global administrator account in Azure AD for the tenant that you want to back up or restore.
  • A device enrollment manager account in Intune, if you want to back up or restore device enrollment settings.
  • A certificate to encrypt and decrypt the sensitive settings in the script file. You can use either a self-signed certificate or a certificate from a trusted authority. You can also use the same certificate or different certificates for encryption and decryption.

Steps to back up Intune

If you want to back up Intune using M365DSC, you need to do the following:

  • Launch PowerShell as an administrator and execute this command:
    Connect-M365DSCServiceAdminAccount
  • You will be prompted to sign in with your Azure AD global administrator account and grant permission to the M365DSC app.
  • Execute these commands. The first stores the global administrator credentials in $creds, which the export command uses:
    $creds = Get-Credential
    Export-M365DSCConfiguration `
        -ComponentsToExtract @("MSFT_IntuneDeviceConfigurationPolicy","MSFT_IntuneDeviceEnrollmentLimitRestriction","MSFT_IntuneDeviceEnrollmentPlatformRestriction","MSFT_IntuneDeviceCompliancePolicy","MSFT_IntuneDeviceCategory","MSFT_IntuneManagedAppProtection") `
        -GlobalAdminAccount $creds `
        -Path "C:\Backup\IntuneBackup.ps1" `
        -CertificateThumbprint "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  • This will create a PowerShell script file named IntuneBackup.ps1 in the C:\Backup folder that contains the settings of the Intune components that you selected. You can modify the components and the path as you wish. For a complete list of Intune components, refer to the M365DSC documentation. The -CertificateThumbprint parameter indicates the thumbprint of the certificate that you want to use to encrypt the sensitive settings in the script file. You can obtain the thumbprint of your certificate by executing this command:
    Get-ChildItem Cert:\CurrentUser\My | Select-Object Subject, Thumbprint
  • Verify the script file and ensure it has the settings that you want to back up. You can also edit the script file to add or remove any settings as you want. The sensitive settings will be encrypted with the certificate that you specified.
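
To cover the "regular intervals" requirement and make unwanted changes visible, the script below archives each export under a timestamped name, records its SHA-256 hash, and diffs it against the previous snapshot. It is an added example, not code from the original post or from the Microsoft365DSC project; the function name Save-IntuneBackupSnapshot, the C:\Backup\Archive folder and the hashes.csv file are hypothetical, and it assumes the export step above has already written C:\Backup\IntuneBackup.ps1.

```powershell
# Added example: not part of the original post or of Microsoft365DSC.
# Assumption: the export step has already produced $ExportFile.
function Save-IntuneBackupSnapshot {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ExportFile,
        [Parameter(Mandatory)] [string] $ArchiveFolder
    )
    if (-not (Test-Path -LiteralPath $ExportFile -PathType Leaf)) {
        throw "Export file not found: $ExportFile"
    }
    New-Item -ItemType Directory -Path $ArchiveFolder -Force | Out-Null

    # Latest earlier snapshot, if any (timestamped names sort chronologically).
    $previous = Get-ChildItem -LiteralPath $ArchiveFolder -Filter 'IntuneBackup_*.ps1' |
        Sort-Object Name | Select-Object -Last 1

    $stamp    = Get-Date -Format 'yyyyMMdd_HHmmss'
    $snapshot = Join-Path $ArchiveFolder "IntuneBackup_$stamp.ps1"
    Copy-Item -LiteralPath $ExportFile -Destination $snapshot

    # Record the hash so a later edit of an archived snapshot is detectable.
    $hash = (Get-FileHash -LiteralPath $snapshot -Algorithm SHA256).Hash
    Add-Content -LiteralPath (Join-Path $ArchiveFolder 'hashes.csv') -Value "$stamp,$hash"

    $changes = @()
    if ($previous) {
        # Comment lines are skipped (assumption: they hold no settings).
        # The leading '' keeps both arrays non-empty, which Compare-Object requires.
        $old = @('') + @(Get-Content -LiteralPath $previous.FullName | Where-Object { $_ -notmatch '^\s*#' })
        $new = @('') + @(Get-Content -LiteralPath $snapshot | Where-Object { $_ -notmatch '^\s*#' })
        $changes = @(Compare-Object -ReferenceObject $old -DifferenceObject $new)
    }
    [pscustomobject]@{
        Snapshot     = $snapshot
        Sha256       = $hash
        ComparedWith = $previous.FullName   # $null on the first run
        ChangedLines = $changes.Count
        Changes      = $changes             # '=>' new in this export, '<=' gone since last one
    }
}

$result = Save-IntuneBackupSnapshot -ExportFile 'C:\Backup\IntuneBackup.ps1' -ArchiveFolder 'C:\Backup\Archive'
if ($result.ChangedLines -gt 0) {
    Write-Warning "$($result.ChangedLines) line(s) differ from $($result.ComparedWith)"
    $result.Changes | Format-Table SideIndicator, InputObject -AutoSize
}
```

Run it from a scheduled task right after the export, and keep the archive folder somewhere the Intune admin account cannot write to.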

Hope this helps.

I’m Bindusar

Welcome to BINLABS, my cozy corner of the internet dedicated to IT admins and their daily encounters. Here, I invite you to join me for the daily challenges admins face, with solutions using scripts. Let’s script together!