PowerShell Module, Migration

Intune Device Migration

Intune Device Migration off-boards devices from one tenant and automatically joins them to a destination tenant, preserving user data during the transition. Built with PowerShell, Microsoft Graph, and Windows provisioning packages, it enables near-zero downtime cross-tenant migrations, with detailed logging, registry updates, and post-install validation to ensure provisioning packages are applied correctly.

Security Analysis

4 of 6
2 Issues Found

5 files scanned on Apr 22, 2026

Issues Detected
No Malicious Patterns
No known malware techniques
decryptDrive invokes Disable-BitLocker on the system drive (C:), potentially leaving data unencrypted and exposed. While intended for migration, this is a powerful operation that could be misused. Recommendation: strictly gate this behind explicit admin consent and logging, and ensure encryption is re-enabled if required.
No Hardcoded Secrets
No API keys or credentials in code
Hardcoded credential in StartMigrate.ps1 ([line 546](https://github.com/stevecapacity/intunemigration-v9/blob/main/StartMigrate.ps1#L546))
Passed Checks
No Obfuscated Code
No Remote Execution
No Credential Theft
No Data Exfiltration
AI Analysis

The Intune Device Migration tooling primarily uses the Microsoft Graph API for device and user management, which is appropriate for Intune/Entra workflows. However, key security concerns exist: plaintext credentials in config.json for Graph authentication, a high-risk BitLocker decryption capability, and potential cleanup patterns that could obscure audit trails. Recommendations: move secrets to a secure vault or managed identity, avoid or strictly control BitLocker decryption usage, enhance auditing around task/user cleanup, and consider avoiding Beta Graph endpoints in production or implementing strict versioning and fallback plans. Overall, this is legitimate admin tooling, but these security considerations should be addressed to reduce risk.

You might also like

Other

JUMP-IN

JUMP-IN is an all-in-one macOS application that simplifies migrating between MDM solutions, enabling migration to Microsoft Intune or between Intune tenants without data loss. It performs system compatibility checks, automatic MDM detection, backups, profile removal, Company Portal installation, tenant enrollment, and FileVault key rotation to maintain security; typical migration runs in about 15-20 minutes per device.

Somesh Pathak
PowerShell Module

Intune-App-Sandbox

Intune-App-Sandbox is a testing utility for PowerShell-based installers packaged with the Win32 Content Prep Tool for Intune deployments. It creates a sandbox workspace (C:\SandboxEnvironment) and adds context-menu options to pack with IntunewinUtil or run tests in a safe sandbox. It also supports a detection-based test flow and a reusable template script to accelerate building and validating packaging for Win32 apps in Intune.

Maciej Horbacz
PowerShell Module

IntuneWinAppUtil GUI

IntuneWinAppUtil GUI is a PowerShell-based WPF wrapper for Microsoft's IntuneWinAppUtil.exe. It streamlines packaging Win32 apps for Intune with auto-download of the latest tool, input validation, path-length checks, and configuration persistence across launches. It also detects PSAppDeployToolkit usage to suggest names and sanitizes invalid filename characters.

Giovanni Solone
PowerShell Module

WinGet-PSADT-GUI-Tool

WinGet-PSADT-GUI-Tool is a Windows PowerShell WPF GUI that streamlines Win32 app packaging and Intune deployment. It integrates WinGet search, installer download, PSADT scaffolding, and GUI-driven configuration of install/uninstall/repair logic, enabling generation of .intunewin packages and direct upload to Intune via Microsoft Graph. It outputs standard PSADT/Intune artifacts and provides live monitoring of packaging and upload steps.

Dhiraj Dhote