Best Configuration Tools for Microsoft Intune

A PowerShell-based customization tool packaged as an Intune Win32 app for configuring Windows 10/11 devices during Autopilot deployment. Customizes start menu layout, background/theme, time zone, removes built-in apps, installs OneDrive, configures language packs, and manages Windows features.

A lightweight user environment manager for Intune-managed devices. Manages drive mappings, printer mappings, registry settings, file actions, application launcher, Start Menu and desktop shortcuts, with on-demand refresh and centralized JSON-based configuration.

Intune Baselines provides curated JSON Intune profiles that implement CIS, compliance, and security baselines across Windows, macOS, iOS/iPadOS, Android, and enterprise apps. Built from best practices, Zero Trust concepts, and official CIS benchmarks, these profiles are designed for rapid import into Intune (via Micke-K's IntuneManagement tool). Regularly updated, they support scalable Modern Workplace deployments and testing in diverse environments.

FixMyADMX is a script-based tool that automatically repairs ADMX/ADML templates for Intune administrative templates. It replaces unsupported controls (comboBox) with textBox, injects explainText attributes for policies, and attempts to remove or report on Windows.admx references to improve import reliability. It builds on the approach used in Citrix ADMX cleanup and aims to streamline ADMX ingestion for Intune deployments.

Feature Update Controller is a remediation package for Microsoft Intune that centralizes Windows feature upgrades with configurable setup, scripts, and custom actions. It generates and manages SetupConfig.ini, prestages Script Modules, and configures Custom Actions to tailor upgrade behavior, including post-install and rollback steps. The solution downloads and applies a manifest.json, stages scripts and actions, and supports updating or removing configurations on devices for a consistent upgrade experience.

IntuneFirewallMigration is a public-preview tool that migrates Group Policy and local firewall rules into Intune as Settings Catalog policies. It supports selecting specific firewall profiles (Domain, Private, Public) and importing only inbound or outbound rules, using Microsoft.Graph.Authentication with Invoke-MgGraphRequest. The script disables telemetry, requires Graph permissions (DeviceManagementConfiguration.ReadWrite.All), and works with PowerShell 5 or 7 to modernize firewall management in Intune.

WinPEAP is a WinPE-based workflow to transition devices to Entra Joined and auto-enroll them into Intune via Windows Autopilot. It uses OSDCloud to build a customized WinPE ISO, injects the 4kAutopilotHashUpload.ps1 script and oa3tool-based hardware hash capture, and uploads the Autopilot hash to Intune during WinPE. Automation spans OS deployment, driver injection, hash registration, and enrollment, with support for user-driven Autopilot profiles and VM testing considerations.

A PowerShell utility for capturing, comparing, and exporting Windows Defender firewall rules for Microsoft Intune deployment. Captures baseline rules, compares post-install changes, and exports to JSON for Intune or CSV formats with interactive menu and CLI modes.

InToolz is a management tool for Microsoft Intune designed to simplify cross-tenant migrations and bulk configuration tasks. It enables tenant-to-tenant copy of Intune content, bulk assignment deployment and removal between groups, profiles, and applications, and mass updates to description fields. Note that the project is a work in progress, with several features planned for future releases.

PowerShell ADMX Wizard creates custom ADMX/ADML templates from a CSV of registry keys, enabling Windows policies via Intune. It generates GUID-based templates, adds registry entries (STRING, DWORD, BINARY), and logs progress. After creation, upload the ADM/ADML to Intune as Imported ADMX to apply through a configuration profile.

Professional-grade PowerShell script that automates deploying Windows 365 Cloud PC environments in Azure and Microsoft Entra ID. It creates or reuses security groups, applies user/admin settings policies, and provisions Cloud PCs regionally with intelligent Enterprise assignment preservation. It uses a lightweight Microsoft Graph authentication module and includes robust error handling, scalable naming conventions, and license-driven provisioning.

A Microsoft Intune wrapper that enables deploying a custom wallpaper to Microsoft Teams Rooms devices via a PowerShell installer. It packages a wallpaper into an .INTUNEWIN package, supports install and uninstall commands, and uses registry-based detection to verify the deployed version. It also generates logs under the Intune Management Extension folder for troubleshooting, with a configurable company name for branding.

A comprehensive web tool for browsing and exploring Apple device management policies across iOS, macOS, tvOS, watchOS, and visionOS. Provides detailed documentation for MDM and DDM (Declarative Device Management) policies.

A web-based tool for creating and managing Windows AppLocker policies. Create application control rules through an intuitive interface and export them as valid AppLocker XML files for use with Windows Group Policy or Microsoft Intune.

Edge Favorites Builder is a web-based tool that creates and manages Microsoft Edge bookmarks configurations for enterprise deployment. It offers a visual drag-and-drop interface, supports nested folders, and provides real-time previews. It exports to Windows Intune JSON and macOS mobileconfig for deployment via Intune or other MDMs; it runs offline with zero dependencies and requires no backend, and it can import existing configurations for quick updates.

An AI-powered tool for IT administrators that generates exact Microsoft Intune configuration profiles from plain English descriptions.

Intune Registry Builder is a browser-based tool to create, validate, and export Intune-ready PowerShell scripts for Windows registry changes. It supports Proactive Remediations and Win32 apps, allows direct deployment to Intune, and processes everything locally in the browser. No data or credentials are stored or sent to any server.

This is a faster way to see what's in the Intune settings catalog, with an additional page to track changes made by Microsoft.

A powerful, free tool for comparing Microsoft Intune policies and analyzing configuration differences. Features real-time policy access via Microsoft Graph API, JSON import for offline comparison, device comparison against security baselines, settings search, and full Settings Catalog support.

A web-based tool for building Windows kiosk deployments by generating Assigned Access XML configurations. Supports Single-App, Multi-App, and Restricted User modes with customizable Start menu, taskbar, auto-launch, idle timeout, and breakout keys. Exports for Intune OMA-URI, PowerShell, or provisioning packages.

NameTune is a purpose-built Intune companion that helps teams design, apply, and document consistent naming standards across real-world Microsoft Intune environments.

PPPC Builder for macOS is a lightweight web-based tool that generates macOS PPPC (.mobileconfig) profiles tailored for Microsoft Intune deployments. You can select an app (or upload its Info.plist), choose required privacy permissions (Screen Recording, Full Disk Access, Camera, Microphone, Accessibility), and download a ready-to-deploy .mobileconfig for Intune. No Jamf dependency; simple, fast, Intune-focused.

Windows Media Creation CLI is a PowerShell-based tool that automates building Windows installation media on a USB drive. It supports Windows 11 (22H2-25H2) and Windows 10, with customizable architecture, language, region and edition, enabling fully automated media creation. It also supports OEM driver injection via AUTOUNATTEND or DISM, single or multi-driver packs, and can generate an installwimdrivers.csv catalog to track installed drivers.

Windows Recovery Partition Editor resizes the local Windows Recovery Partition to 984MB and injects CAB files to enable optional features and language support. It deploys via a PowerShell script, placing architecture-specific CABs under tools\amd64 or tools\arm64cpu and matching language packs, with an optional backup of OEM images. Detection uses the registry key HKLM:\SOFTWARE\YourCompanyNameHere\Client-Recovery with value 1.0.0.