Introduction

Does this sound familiar? You created a PowerShell script in the past, uploaded it to Endpoint Manager, and now you want to change or re-use it, but you didn’t save it. No worries, we’ve both dealt with this situation. Microsoft doesn’t offer a download “script” button, so we have to use a PowerShell script that calls Graph to export these scripts. Follow the steps below to export a PowerShell script from Endpoint Manager.

Install the below modules

  1. MSAL.PS (this module is required to obtain a token from Azure AD). It can be installed from PowerShell 7 with the command below.

Install-Module -Name MSAL.PS

  2. PowerShell 7

Make sure that you install PowerShell 7 rather than the previous version.

Receive the PowerShell scripts

Save the below PowerShell script to a location on your client.

[CmdletBinding()]
Param (
    [Parameter(Mandatory = $true)][String]$TenantName
)

# Request a token from Azure AD with MSAL.PS
$authParams = @{
    ClientId    = '53405005-160e-44e4-a86a-8feb23429cf6' # well-known Intune / Graph application
    TenantId    = $TenantName
    Interactive = $true
    DeviceCode  = $true
}
$token = Get-MsalToken @authParams

$graphApiVersion = "beta"
$resource = "deviceManagement/deviceManagementScripts"
$headers = @{
    "Authorization" = "Bearer $($token.AccessToken)"
    "Content-Type"  = "application/json"
}

#region Get all device management scripts
$Scripts = Invoke-RestMethod -Uri "https://graph.microsoft.com/$graphApiVersion/$resource" -Method Get -Headers $headers -UseBasicParsing
"Found $($Scripts.value.Count) script(s)"
#endregion

# Let the user pick one or more scripts; every selected ID is requested separately
$ContentIDs = ($Scripts.value | Select-Object DisplayName, Id | Out-GridView -PassThru).Id
foreach ($ContentID in $ContentIDs) {
    $Content = Invoke-RestMethod -Uri "https://graph.microsoft.com/$graphApiVersion/$resource/$ContentID" -Method Get -Headers $headers -UseBasicParsing

    # Decode the Base64 content (Base64 is an encoding, not encryption) and export it
    $DecodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Content.scriptContent))
    # One file per selected script, so a multi-selection does not overwrite itself
    $OutFile = Join-Path $env:TEMP "PowerShell-script-$ContentID.ps1"
    $DecodedText | Out-File $OutFile -Force

    notepad.exe $OutFile
}

This script was developed by Tristan and can also be downloaded from GitHub.

Connect with the Azure AD Tenant

Now that we have installed the two prerequisites and saved the PowerShell script above, we need to run it.

.\<name of the powershellscript>.ps1 -Tenantname <your tenant name>.onmicrosoft.com

Give consent to the IntuneGraph application

The script will now ask you to browse to https://microsoft.com/devicelogin and enter the code shown in the PowerShell window. The next step is to authenticate through the browser and give consent. Don’t consent on behalf of your organization. After we have given consent, we can see that scripts were found. In my case, 11 in total.


Now that you have authenticated, it will ask you which PowerShell scripts you want to export. You can select more than one and then click OK in the bottom-right corner to download the PowerShell script. It will open in a new Notepad window.
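The decode-and-save step, as an added example that is not part of the original script from this post: it writes the decoded bytes unchanged so the saved file keeps the encoding of the uploaded file, names the file from the script ID and the leaf of `fileName`, and returns the run context, signature setting and a SHA-256 hash for review. The function name `Export-IntuneScriptContent`, the output folder and the sample object are assumptions constructed for illustration.

```powershell
# Added example (not from the original post). Export-IntuneScriptContent is a
# hypothetical helper; input objects are assumed to have the shape of the
# per-ID Graph response that the script above stores in $Content.
function Export-IntuneScriptContent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $InputScript,
        [Parameter(Mandatory)] [string] $OutDir
    )
    begin {
        # Resolve to a full path: .NET file APIs ignore the PowerShell location
        $dir = (New-Item -ItemType Directory -Path $OutDir -Force).FullName
        $sha256 = [System.Security.Cryptography.SHA256]::Create()
    }
    process {
        if ([string]::IsNullOrEmpty($InputScript.scriptContent)) {
            Write-Warning "No scriptContent for '$($InputScript.displayName)'; skipped."
            return
        }
        # Write the decoded bytes unchanged so the original encoding/BOM survives
        $bytes = [Convert]::FromBase64String($InputScript.scriptContent)
        # Keep only the leaf of fileName so the name cannot point outside $dir
        $leaf = [IO.Path]::GetFileName([string]$InputScript.fileName)
        if (-not $leaf) { $leaf = 'script.ps1' }
        $path = Join-Path $dir "$($InputScript.id)_$leaf"
        [IO.File]::WriteAllBytes($path, $bytes)
        [pscustomobject]@{
            DisplayName           = $InputScript.displayName
            RunAsAccount          = $InputScript.runAsAccount
            EnforceSignatureCheck = $InputScript.enforceSignatureCheck
            Sha256                = [BitConverter]::ToString($sha256.ComputeHash($bytes)).Replace('-', '')
            Path                  = $path
        }
    }
    end { $sha256.Dispose() }
}

# Constructed sample object so the function can be tried without a tenant
$sample = [pscustomobject]@{
    id                    = '00000000-0000-0000-0000-000000000001'
    displayName           = 'Sample script (constructed)'
    fileName              = 'Set-Example.ps1'
    runAsAccount          = 'system'
    enforceSignatureCheck = $false
    scriptContent         = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("Write-Output 'hello'"))
}
$sample | Export-IntuneScriptContent -OutDir (Join-Path ([IO.Path]::GetTempPath()) 'IntuneScriptExport')
```

With the script from this post, `$Content` can be piped into the function in place of the `Out-File` line.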


It’s very common to need to change or re-use a PowerShell script. I hope this blog helped you.
