A comprehensive backup and restore solution for Microsoft Intune configurations. TenuVault ensures your Intune policies are safely backed up and can be restored when needed, without ever modifying or deleting your existing configurations.

Available on PowerShell Gallery: Install with a single command Install-Script -Name TenuVault

• Overview
• Key Features
• Safety First
• Requirements
• Installation
• Quick Start
• Usage Guide
• Supported Intune Components
• Command Line Options
• Configuration
• Best Practices
• Troubleshooting
• Contributing
• License

TenuVault is a PowerShell-based tool designed to backup and restore Microsoft Intune configurations. Whether you're managing a production environment, setting up a test tenant, or need to maintain configuration history, TenuVault provides a safe and reliable way to preserve your Intune policies.

• Backs up your Intune configurations to local JSON files
• Restores configurations by creating new policies (never overwrites existing ones)
• Compares backups to detect configuration drift
• Exports configurations in multiple formats (JSON, CSV, HTML)
• Maintains a complete audit trail with comprehensive logging

• Never modifies existing policies in your tenant
• Never deletes any policies
• Never overwrites your current configuration
• Never makes unauthorized changes to your Intune environment

• Automated backup of all Intune configuration types
• Timestamped backups for version control
• Metadata tracking for easy backup management

• Creates new policies with "[Restored]" prefix
• Skip existing policies automatically
• Preview mode for dry-run testing
• No risk of overwriting production configurations

• Compare current tenant state with backups
• Identify removed or modified policies
• Selective restoration of specific policies

• JSON for data portability
• CSV for spreadsheet analysis
• HTML for visual reporting

• Detailed operation logs
• Configurable log levels
• Automatic log rotation

TenuVault is designed with safety as the primary concern:

1. Read-Only Backups: The backup operation only reads from your Intune tenant. It never modifies anything.

2. Non-Destructive Restores: Restore operations create NEW policies with a "[Restored]" prefix. Your existing policies remain untouched.

3. Preview Mode: Test any restore operation without making actual changes.

4. Explicit Confirmations: All potentially impactful operations require explicit user confirmation.

• Windows PowerShell 5.1 or PowerShell Core 7.x
• Microsoft.Graph.Authentication module (automatically installed with TenuVault)
• Administrator access to your Microsoft Intune tenant

The following Microsoft Graph permissions are required:

Delegated Permissions:

• DeviceManagementConfiguration.ReadWrite.All
• DeviceManagementApps.ReadWrite.All
• DeviceManagementServiceConfig.ReadWrite.All

Note: ReadWrite permissions are required for both backup and restore operations. The script uses read-only API calls for backup, but the Graph API requires ReadWrite scope.

# Install TenuVault from PowerShell Gallery
Install-Script -Name TenuVault

# Run TenuVault
TenuVault

On first run, TenuVault will:

1. Check for the Microsoft.Graph.Authentication module
2. Install it automatically if not present
3. Connect to Microsoft Graph with required permissions
4. Begin the interactive session

To update to the latest version from PowerShell Gallery:

# Update TenuVault to the latest version
Update-Script -Name TenuVault

# Verify the installed version
Get-InstalledScript -Name TenuVault

1. Install and launch TenuVault:

# Install from PowerShell Gallery (first time only)
Install-Script -Name TenuVault

# Run TenuVault
TenuVault

2. Select option [1] to create a backup
3. Enter a descriptive name for your backup (optional)
4. Select components to backup or choose "All"
5. Wait for the backup to complete

1. Launch TenuVault with TenuVault command
2. Select option [3] for Preview Mode (dry run)
3. Choose a backup to preview
4. Review what would be created
5. If satisfied, use option [2] to perform actual restore

Backups are stored in timestamped folders containing:

• Individual JSON files for each policy
• Metadata file with backup information
• Organized by policy type in subfolders

Example backup structure:

IntuneBackups/
├── backup-Production-2024-01-15-143022/
│   ├── metadata.json
│   ├── DeviceConfigurations/
│   │   ├── Windows_BitLocker_Policy.json
│   │   └── iOS_Email_Configuration.json
│   ├── CompliancePolicies/
│   │   └── Windows_Compliance_Baseline.json
│   └── ConfigurationPolicies/
│       └── Edge_Security_Settings.json

When you restore policies:

1. Each policy gets a "[Restored]" prefix added to its name
2. If a policy with that name already exists, it's skipped
3. No existing policies are modified or deleted
4. You receive a summary of successful and skipped restorations

Always use Preview Mode first to understand what will happen:

• Shows which policies would be created
• Identifies policies that already exist
• No actual changes are made

Drift detection helps you understand how your current Intune configuration differs from a backup:

1. Removed Policies: Exist in backup but not in current tenant
2. Modified Policies: Exist in both but with differences
3. Unchanged Policies: Identical in backup and current tenant

You can selectively restore removed or modified policies.

TenuVault supports backing up and restoring the following Intune policy types:

• Device Configuration Policies - Traditional device configuration profiles for all platforms
• Compliance Policies - Device compliance rules for Windows, iOS, Android, and macOS
• Settings Catalog Policies - Modern configuration profiles using the Settings Catalog
• Administrative Templates - Group Policy settings for Windows devices
• App Protection Policies - MAM policies for iOS and Android apps
• PowerShell Scripts - Device management scripts for Windows devices

# Run in interactive mode (default)
TenuVault

# Create a backup directly
TenuVault -Backup

# Export latest backup to JSON
TenuVault -Export -ExportFormat JSON

# Import configuration from file
TenuVault -Import -ImportFile "C:\exports\config.json"

# Specify custom backup location
TenuVault -BackupLocation "D:\IntuneBackups"

# Enable verbose logging
TenuVault -Verbose -LogLevel Verbose

• Backups: .\IntuneBackups\
• Logs: .\Logs\
• Exports: .\IntuneBackups\exports\
• Reports: .\IntuneBackups\reports\

You can modify default settings at the top of the TenuVault.ps1 script:

# Backup Settings
$script:BackupLocation = ".\IntuneBackups"
$script:MaxBackupAge = 90  # Days to retain backups

# Logging Settings
$script:LoggingEnabled = $true
$script:LogLocation = ".\Logs"
$script:CurrentLogLevel = "Info"

# Component Selection
$script:Components = @(
    "DeviceConfigurations",
    "CompliancePolicies",
    "ConfigurationPolicies",
    "AppProtectionPolicies",
    "Scripts",
    "AdminTemplates"
)

• Schedule daily backups for production environments
• Create backups before major changes
• Use descriptive names for important backups

• Always use Preview Mode first
• Test restores in a development tenant
• Verify restored policies before assigning to production groups

• Regularly clean up old backups (option 10)
• Export important backups to long-term storage
• Document significant backups in your change management system

• Store backups in a secure location
• Restrict access to backup files
• Regularly audit backup access logs

• Document your backup naming convention
• Maintain a restoration runbook
• Keep track of backup retention policies

Error: Insufficient permissions to access Intune

Solution: Ensure your account has the required Graph API permissions listed in the Requirements section.

Error: Microsoft.Graph.Authentication module not found

Solution: Install the required module:

Install-Module Microsoft.Graph.Authentication -Scope CurrentUser

Or reinstall TenuVault from PowerShell Gallery:

Install-Script -Name TenuVault -Force

Error: Failed to connect to Microsoft Graph

Solution:

1. Check your internet connection
2. Verify your credentials
3. Ensure MFA requirements are met
4. Try disconnecting and reconnecting:

Disconnect-MgGraph
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

Error: No backups found in location

Solution:

1. Verify the backup location path
2. Check if backups exist in the specified directory
3. Use option 11 to change backup location if needed

1. Check Logs: Review log files in the .\Logs directory
2. Enable Verbose Mode: Run with -Verbose parameter for detailed output
3. Preview First: Always use Preview Mode to understand operations
4. GitHub Issues: Report issues at https://github.com/yourusername/tenuvault/issues

We welcome contributions! Please see our Contributing Guidelines for details.

1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Test thoroughly
5. Submit a pull request

TenuVault is licensed under the MIT License. See LICENSE file for details.

Note: TenuVault is a community tool and is not officially supported by Microsoft. Always test in a development environment before using in production.