Best Automation Tools for Microsoft Intune

A PowerShell application with WPF GUI for managing Microsoft Intune and Azure policies. Features export, import, copy, delete, document, and compare operations across 30+ object types with cross-tenant migration, ADMX import, bulk operations, and automated documentation.

A powerful Python package for backup and continuous delivery of Microsoft Intune configurations. Backs up configurations to Git repositories, detects changes automatically, propagates updates between environments, and integrates with Azure DevOps and GitHub Actions pipelines.

A PowerShell-based GUI solution for managing Microsoft Intune policies. Features Microsoft Graph authentication, multi-platform policy and app management, assignment operations, backup/restore in JSON format, CSV/Markdown export, and comprehensive activity logging.

Toast Notification Script is a Windows 10/11 tool designed for Intune Remediations to deliver native toast notifications to the logged-on user. It supports weekly reminders, reboot prompts, and general announcements with configurable scheduling, branding, languages, and snooze/dismiss actions. Includes a detection script, configuration validation, and robust logging to support reliable remote remediation.

A PowerShell-based GUI application for streamlined device lifecycle management across Microsoft cloud services. Enables bulk device offboarding from Intune, Autopilot, and Entra ID from a single interface. Features real-time dashboard analytics, stale device tracking, automatic BitLocker and FileVault key retrieval, CSV/TXT import for bulk operations, and pre-built playbooks for automated workflows.

A web-based tool that generates PowerShell scripts for network drive mapping on Intune-managed Windows 10 devices. Converts existing Group Policy drive exports to Intune-compatible scripts, supports security group filtering with nested groups, and enables recurring execution.

A web-based tool that converts Windows Registry files to PowerShell scripts for Intune remediations. Generates detection scripts to validate registry states and remediation scripts to apply changes. Also available as CLI tool (Reg2CI) for SCCM configuration items.

Win32 App Migration Tool inventories ConfigMgr applications and deployment types, builds .intunewin files, and creates Win32 apps in Intune. It automates exporting application details, deployment type data, and icons, prepares the Intune JSON payloads, and handles content upload to Intune. The tool supports end-to-end migration from ConfigMgr to Intune (Preview status) with configurable prerequisites and detailed logging.

A PowerShell module that automates Microsoft Intune tenant setup by deploying 70+ security baselines, 43 dynamic groups, 24 device filters, compliance policies, app protection policies, and Conditional Access policies in a single command. Integrates OpenIntuneBaseline and supports multi-cloud environments.

A collection of community-tested PowerShell scripts for automating Microsoft Intune management tasks. Features device lifecycle management, compliance reporting, application deployment automation, and threat detection workflows. Scripts support both local execution and Azure Automation Runbook deployment with automatic environment detection for authentication. Uses direct Graph API access for minimal dependencies and easier troubleshooting.

A set of AutoPkg processors for uploading apps to Microsoft Intune. Automates downloading, packaging, and uploading applications including LOB apps, app icons, scripts, and supports Teams/Slack notifications for deployment workflows.

Intune App Factory is a set of PowerShell scripts run in an Azure DevOps Pipeline that automatically detects, downloads, packages, and publishes onboarded applications as Win32 apps to Microsoft Intune, ensuring up-to-date deployments. It supports onboarding via manifests, integrates the PowerShell App Deployment Toolkit, and automates version checks from Winget, Evergreen, or Storage Account sources to streamline packaging and publishing.

Intuneomator is a macOS enterprise tool that automates Microsoft Intune app lifecycle management, leveraging Installomator’s 900+ label database for multi-arch apps. It enables end-to-end workflows (download, package, upload, deploy), group targeting, metadata and script automation, plus Teams-based status and CVE alerts. Built with a secure XPC architecture, keychain-backed credentials, and dual authentication for enterprise-grade security.

Autopilot Management is a Windows-based Intune utility that simplifies Autopilot device administration. It supports searching by serial number or device name, bulk updates to Group Tags, bulk or single deletions, and uploading hardware hashes. It can load and verify devices from CSV, backup data, and query with an optional cache for large environments. Authentication uses Azure Graph tools (MFA supported) for secure admin access.

TenuVault is a safe backup and restore solution for Microsoft Intune configurations. It backs up Intune policies to JSON files, detects configuration drift, and restores by creating new policies with a [Restored] prefix - never overwriting existing ones. It supports multiple export formats (JSON, CSV, HTML), full audit logs, and a read-only backup model with preview mode to ensure non-destructive changes.

AutopilotGroupTagger is a PowerShell-based utility for bulk updating and managing Windows Autopilot Device Group Tags, with optional unblocking of devices. It supports updating tags by group, manufacturer, model, purchase order, and interactive selection, plus exporting data and creating dynamic Entra ID groups. The tool runs with Microsoft Graph authentication and supports PowerShell 7 on Windows/macOS, including a whatIf simulation mode and Community Tool status.

Entra ID Device Trust enables binding Function Apps to Entra ID joined devices by validating requests originate from trusted devices via the device certificate enrolled during device registration. It combines client-side data gathering (signature hash, device CN, public key, thumbprint) with server-side validation, and can be embedded as a module in your Function App or installed as a dependency. The solution supports embedding EntraIDDeviceTrust.Client on clients and EntraIDDeviceTrust.FunctionApp in Function Apps for seamless, enhanced request security.

A PowerShell-based GUI tool that streamlines Windows Autopilot device enrollment during the Out-of-Box Experience (OOBE). Automates hardware hash collection and submission to Autopilot with Group Tag selection support and automatic system reboot after profile assignment. Includes network connectivity diagnostics to troubleshoot configuration issues. Built on Michael Niehaus's Get-WindowsAutoPilotInfo script.

A command-line tool for managing the removal of macOS applications and their associated files. Features multiple matching modes, dry-run previews, JSON manifest generation, catalog synchronization, and Homebrew integration with pre/post-flight command hooks.

A PowerShell module with UI for extending Microsoft Intune device management. Adds custom properties to Intune devices, enables bulk operations including device sync and BitLocker key rotation, with both PowerShell module and standalone UI interfaces.

IntuneComplianceMaintainer is a PowerShell automation script that keeps Microsoft Intune compliance and app-protection policies up to date with the latest supported OS minimums across iOS, iPadOS, macOS, Android, and Windows. It uses endoflife.date and the Graph Windows Update Catalog to drive cadence-based updates, with flexible authentication (Managed Identity, App Registration with certificate or secret, plus Key Vault integration) and safety features like dry-run and downgrade protection. It provides comprehensive logging and built-in retry logic for resilience.

IntuneAppAssigner is a PowerShell tool that enables bulk assignment of mobile apps in Microsoft Intune. It provides an interactive interface to select apps, choose assignment mode (replace, add, or review), set installation intent (Required, Available, Uninstall), and pick target groups (All users, All devices, or Entra ID groups). It also supports assignment filters and, for Android/iOS, App Config profiles (COPE/BYOD). Public Preview status is noted.

A Windows GUI tool for device enrollment and Intune management. Features modules for authentication, system info, Win32 app wrapping, device management, device sync, Autopilot hash generation, and BitLocker configuration through a tabbed interface.

EasyDefenderMacOS is a collection of importable Intune policies that streamline onboarding and offboarding macOS devices to Defender for Business/Endpoint. It supports personal work-profile and corporate-owned devices, integrates Defender with Intune, and uses an onboarding package with an optional offboarding package to automate policy deployment and Defender app configuration. The solution covers setup steps from Defender portal to Intune admin center and test enrollment on macOS.

AutopilotProfileFunctions is a PowerShell toolkit for Microsoft Intune that automates the creation and management of Windows Autopilot deployment profiles via the Graph API. It enables bulk profile generation (including language, deployment mode, join type, and device type), assigns profiles to regional dynamic groups, and supports CSV-based mass provisioning with customizable device naming templates. The result is scalable, repeatable Autopilot setup across global populations with minimal manual effort.

A utility for creating and deploying desktop shortcuts through Microsoft Intune as Win32 applications. Generates .intunewin files, detection scripts, and deployment instructions automatically. Supports URL, file path, and Microsoft Store app shortcuts with custom icons.

A PowerShell script that enrolls devices into Windows Autopilot using Azure App Registration credentials. Works without hybrid Azure AD join or SCCM, enabling unattended deployment via RMM tools. Uses community hardware hash collection module for reliable device registration.

Autopilot Assistant is a modern WPF-based PowerShell tool that streamlines Windows Autopilot onboarding and device provisioning via a secure Microsoft Graph workflow. It collects hardware hash, prevents duplicates, and supports uploading to Intune Autopilot with optional group tagging and assigned user/computer name. The app offers a structured results view, a real-time log center, and local data storage for offline preparation and auditing.

Comprehensive tool designed to streamline the management of Microsoft Intune devices. This extension allows administrators to efficiently check application and configuration assignments, manage device groups, download platform scripts, and perform various other administrative tasks.

Converts Administrative Template policies to Settings Catalog — reads your existing policies and creates the equivalent Settings Catalog profiles with the same settings and values.

Reset your tenant.

OIB Deployer automates the deployment of OpenIntuneBaseline configurations within Microsoft Intune, enabling rapid, repeatable rollouts of baseline security policies and device configurations. It supports policy templating, script deployment, and integration with community-provided baseline content, with built-in logging and error reporting for auditability. Ideal for IT admins seeking consistent, scalable endpoint security across devices.

A comprehensive PowerShell module for operating system deployment with 400+ functions for WinPE and Windows. Includes OSDCloud for cloud-based deployment, disk management, Windows image operations, driver management for Dell, HP, Lenovo, and Microsoft, BIOS/firmware updates, BitLocker management, and WinPE customization.