A dark-themed WPF GUI tool for searching, auditing, and navigating Microsoft Intune policies in your M365 tenant. Connects to the Microsoft Graph API with read-only delegated scopes, caches all policy types locally as JSON, then lets you full-text search across everything — including decoded PowerShell script content and base64 images — in milliseconds.
| Overview | Group Search | Settings Search |
|---|---|---|
| (screenshot) | (screenshot) | (screenshot) |
| Feature | Detail |
|---|---|
| Policy Types Covered | Settings Catalog, Device Configurations, Compliance Policies, Endpoint Security, Admin Templates (ADMX), Scripts, Health/Remediation Scripts, App Configurations, App Protection (MAM), Windows Update Rings, Enrollment Configurations, Autopilot Profiles |
| Group Assignment Search | Find every policy assigned to an Azure AD group by partial name, including assignment filters and remediation run schedules |
| Deep Links | Clickable links from each result that open the matching policy directly in the Intune portal |
| Script Preview | Decodes base64-encoded PowerShell script bodies and surfaces the lines surrounding your search term |
| Image Preview | Inline renders base64-encoded images (e.g. wallpapers, lock screens) embedded in Settings Catalog policies |
| Read-Only | All Graph calls are strictly read-only — no writes, no modifications, no deletes |
- Windows only. The UI is built with WPF (Windows Presentation Foundation), which is not available on Linux or macOS.
- PowerShell 7.0 or later (`pwsh`) is required. The script detects PowerShell 5.1 and relaunches itself under `pwsh`, but `pwsh` must already be installed. Install it via winget, or download it from the official releases page:

```powershell
winget install --id Microsoft.Powershell --source winget
```
- `Microsoft.Graph.Authentication` is installed automatically on first run (current-user scope, no admin required). If the auto-install fails, install it manually:

```powershell
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser -Force
```
- The script must be allowed to run. If your execution policy blocks it, relax it for your user account (or launch with the bypass flag, see Execution below):

```powershell
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned
```
- A user account with at least read access to Intune in your tenant.
- The following delegated Graph scopes are requested during sign-in (MFA-compatible):

| Scope | Used For |
|---|---|
| DeviceManagementConfiguration.Read.All | Settings Catalog, Scripts, Health Scripts |
| DeviceManagementServiceConfig.Read.All | Enrollment, Autopilot, Update Rings |
| DeviceManagementApps.Read.All | App Configurations, App Protection |
| DeviceManagementManagedDevices.Read.All | Device Compliance, Device Configurations |
| Group.Read.All | Resolving group names for assignment search |

Whether a consent prompt succeeds depends on your tenant's consent settings. Read-only does not by itself exempt a permission from admin consent: in the Microsoft Graph permissions reference, Group.Read.All and the DeviceManagement*.Read.All delegated permissions are listed as requiring admin consent, so in many tenants an administrator must first grant consent to the Microsoft Graph Command Line Tools app (the default client used by Connect-MgGraph) before the sign-in completes. Tenants that have already consented to those permissions for that app will sign in without a prompt.
This script is designed to work out of the box with no mandatory changes. There are two optional configuration points noted with # [ACTION REQUIRED] comments in the script:
```powershell
# [ACTION REQUIRED] -- Change this path if you want the cache stored
# somewhere other than %APPDATA%\IntuneExplorer (e.g. a network share).
$global:exportPath = "$env:APPDATA\IntuneExplorer"
```

Default: `C:\Users\<you>\AppData\Roaming\IntuneExplorer\`

Change this if you want the JSON cache on a network share (so a team can share a single sync) or on a specific local path. The cache stores decoded script bodies and group assignment data as plain JSON, so if you move it to a share, restrict the share and NTFS permissions to the people who need to read it.
```powershell
# [ACTION REQUIRED] -- If you need unattended/app-only auth (e.g. for
# automation or a service account), replace the delegated Connect-MgGraph
# call below with certificate or client-secret authentication.
# For interactive use, this line is ready to run as-is.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All", ...
```

The default is interactive delegated auth: a browser pop-up appears on first run and again whenever the cached token expires. For unattended scenarios, replace this with app-only authentication using `Connect-MgGraph -ClientId ... -TenantId ... -CertificateThumbprint ...`. Note that app-only auth does not use the delegated scopes above; the app registration must instead be granted the corresponding application permissions (the `.Read.All` variants, admin-consented). Prefer a certificate over a client secret, since a secret would otherwise have to live in the script or alongside it.
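The following is an added example, not the project's own code. It wraps the two connection modes described above (interactive delegated by default, certificate-based app-only when a thumbprint is supplied) and then refuses to continue if the resulting Graph context carries any write-capable scope, which protects the tool's read-only promise against a pre-existing broader consent or an over-permissioned app registration. It assumes Microsoft.Graph.Authentication 2.x (for `-NoWelcome`); `$ClientId`, `$TenantId` and `$CertificateThumbprint` are placeholders for your own app registration.

```powershell
# Added example (not the project's code). Connects with the README's delegated read-only
# scopes, or app-only with a certificate, then fails closed on any write-capable scope.
function Connect-IntuneExplorerGraph {
    [CmdletBinding()]
    param(
        [string]$ClientId,                 # placeholder: your app registration (app-only only)
        [string]$TenantId,                 # placeholder: your tenant id (app-only only)
        [string]$CertificateThumbprint     # placeholder: cert in the user/machine store
    )

    # Delegated scopes from the scope table above; every one is *.Read.All.
    $scopes = @(
        'DeviceManagementConfiguration.Read.All'
        'DeviceManagementServiceConfig.Read.All'
        'DeviceManagementApps.Read.All'
        'DeviceManagementManagedDevices.Read.All'
        'Group.Read.All'
    )

    if ($CertificateThumbprint) {
        if (-not ($ClientId -and $TenantId)) {
            throw 'App-only auth needs -ClientId and -TenantId as well as -CertificateThumbprint.'
        }
        # App-only: effective permissions are the application permissions granted (and
        # admin-consented) on the app registration; -Scopes does not apply on this path.
        Connect-MgGraph -ClientId $ClientId -TenantId $TenantId `
            -CertificateThumbprint $CertificateThumbprint -NoWelcome
    }
    else {
        # Interactive delegated sign-in: browser pop-up, MFA-compatible.
        Connect-MgGraph -Scopes $scopes -NoWelcome
    }

    $ctx = Get-MgContext
    if (-not $ctx) { throw 'Connect-MgGraph returned no context.' }

    # Fail closed. A Graph token carries every permission already consented for the
    # client app, so an earlier ReadWrite consent (or a ReadWrite application permission
    # on the app registration) would silently give this "read-only" tool write access.
    $writeScopes = @($ctx.Scopes | Where-Object { $_ -match 'Write' })
    if ($writeScopes.Count -gt 0) {
        Disconnect-MgGraph | Out-Null
        throw "Refusing to run with write-capable scopes in the token: $($writeScopes -join ', ')"
    }

    [pscustomobject]@{
        AuthType = $ctx.AuthType      # Delegated or AppOnly
        Account  = $ctx.Account
        TenantId = $ctx.TenantId
        Scopes   = $ctx.Scopes
    }
}

# Interactive (default):
#   Connect-IntuneExplorerGraph
# Unattended, certificate-based:
#   Connect-IntuneExplorerGraph -ClientId '<app-id>' -TenantId '<tenant-id>' -CertificateThumbprint '<thumbprint>'
```

The write-scope check is deliberately strict: if your account has previously consented to a ReadWrite Intune permission for the Graph command-line app, the helper will refuse to run until that consent is reviewed, rather than quietly operating with more access than the tool needs.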
```powershell
pwsh -NoProfile -ExecutionPolicy Bypass -File ".\Intune-PolicyExplorer.ps1"
```

Or simply:

```powershell
.\Intune-PolicyExplorer.ps1
```

The script detects PowerShell 5.1 and silently relaunches itself under `pwsh`.
Right-click Intune-PolicyExplorer.ps1 → Run with PowerShell. If your execution policy blocks it, use the command line method above.
On first run, click Sync Data (or Sync ALL). A Microsoft sign-in window will appear.
| Button | Description |
|---|---|
| Sync Data | Syncs the policy types selected in the dropdown |
| Sync ALL | Syncs everything including assignments — recommended for first sync |
Sync levels (dropdown):
| Option | What Gets Synced |
|---|---|
| Policies Only | Device Configs, Compliance, Settings Catalog, Endpoint Security, Admin Templates |
| + Assignments | Adds group assignment data (required for group search) |
| + Scripts & Remediations | Adds PowerShell Scripts and Health/Remediation Scripts |
| + App Configs & MAM | Adds App Configurations and App Protection Policies |
| + Updates & Enrollment | Adds Windows Update Rings, Enrollment Configs, Autopilot Profiles |
Synced data is saved to %APPDATA%\IntuneExplorer\ as numbered JSON files. On subsequent launches the tool loads these immediately — no re-sync required unless policies have changed.
Type any search term into the Search Policies & Settings box and press Enter or click Search.
- Searches all synced JSON files simultaneously.
- Matches by setting name, GUID, value, OData type, or any other field.
- Whitespace and hyphens are normalized (`BitLocker` finds `Bit Locker`).
- Results include ±2 lines of JSON context, decoded script snippets, and clickable links.
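As an added example (not the project's code), the search behaviour described above can be reproduced with a small function: whitespace and hyphens are stripped from both the term and each cached line before a case-insensitive comparison, and every hit is returned with two lines of JSON context on either side. Because hyphens are removed, a GUID also matches whether or not it is typed with its dashes. The sample cache file written below is constructed for the example; the `3_SettingsCatalog.json` file name and the `$env:APPDATA\IntuneExplorer` location are the ones the README documents.

```powershell
# Added example (not the project's code): normalised full-text search over the JSON cache
# with ±N lines of context per hit.
function Search-PolicyCache {
    param(
        [Parameter(Mandatory)] [string]$Term,
        [Parameter(Mandatory)] [string]$CachePath,   # e.g. "$env:APPDATA\IntuneExplorer"
        [int]$Context = 2
    )

    # Normalise: drop spaces, tabs and hyphens, compare case-insensitively.
    $normTerm = ($Term -replace '[\s\-]', '').ToLowerInvariant()
    if (-not $normTerm) { throw 'Search term is empty after normalisation.' }

    foreach ($file in Get-ChildItem -LiteralPath $CachePath -Filter '*.json' -File) {
        $lines = @(Get-Content -LiteralPath $file.FullName)
        for ($i = 0; $i -lt $lines.Count; $i++) {
            $normLine = ($lines[$i] -replace '[\s\-]', '').ToLowerInvariant()
            if ($normLine.Contains($normTerm)) {
                $start = [Math]::Max(0, $i - $Context)
                $end   = [Math]::Min($lines.Count - 1, $i + $Context)
                [pscustomobject]@{
                    File    = $file.Name
                    Line    = $i + 1
                    Match   = $lines[$i].Trim()
                    Context = ($lines[$start..$end] -join [Environment]::NewLine)
                }
            }
        }
    }
}

# --- Constructed sample cache so the function runs offline ---
$sampleCache = Join-Path ([IO.Path]::GetTempPath()) 'IntuneExplorerSample'
New-Item -ItemType Directory -Path $sampleCache -Force | Out-Null
@'
[
  {
    "id": "11111111-2222-3333-4444-555555555555",
    "name": "Bit Locker - Fixed drives",
    "settings": [
      { "definitionId": "device_vendor_msft_bitlocker_fixeddrivesrequireencryption", "value": "enabled" }
    ]
  }
]
'@ | Set-Content -LiteralPath (Join-Path $sampleCache '3_SettingsCatalog.json') -Encoding utf8

# "BitLocker" hits both the policy name ("Bit Locker") and the setting definition id.
Search-PolicyCache -Term 'BitLocker' -CachePath $sampleCache | Format-List

# With hyphens removed, the GUID matches typed either way.
Search-PolicyCache -Term '11111111222233334444555555555555' -CachePath $sampleCache | Format-List
```

Line-oriented matching is what makes the context window cheap to produce; the trade-off is that a value split across lines by pretty-printing will not match, which is the reason to cache with one setting per line.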
Type a partial group name into the Search by Group Assignment box.
- Requires at least one sync with + Assignments enabled.
- Returns every policy assigned to matching groups, grouped by policy type.
- Shows assignment intent (Required/Available), filters, and schedule (for remediations).
- App Protection Policies (MAM) are excluded from assignment search, because the `managedAppPolicies` endpoint does not provide the standard assignment resolution used by this tool.
| File | Contents |
|---|---|
| 1_DeviceConfigurations.json | Classic device configuration profiles |
| 2_DeviceCompliance.json | Compliance policies |
| 3_SettingsCatalog.json | Settings Catalog policies (with settings expanded) |
| 4_EndpointSecurity.json | Endpoint Security intents |
| 5_Assignments.json | Resolved group assignments (all policy types) |
| 6_AdminTemplates.json | ADMX / Group Policy configurations |
| 7_Scripts.json | PowerShell scripts (with decoded scriptContent) |
| 8_HealthScripts.json | Health/Remediation scripts (detection + remediation content) |
| 9_AppConfigs.json | Mobile app configurations |
| 10_AppProtection.json | Managed app (MAM) protection policies |
| 11_UpdateRings.json | Windows Update for Business rings |
| 12_Enrollment.json | Device enrollment configurations |
| 13_Autopilot.json | Windows Autopilot deployment profiles |
| decoded scripts\ | Per-policy decoded .ps1 exports generated from script and remediation content during sync |
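The decoded `.ps1` exports listed above come from base64 fields that Graph returns on script objects: `scriptContent` on a deviceManagementScript, and `detectionScriptContent` / `remediationScriptContent` on a deviceHealthScript. The following is an added example, not the project's code, showing the decode-and-export step with a constructed sample shaped like those objects. The Graph property names are real; the output file naming is assumed. Because `displayName` is tenant-controlled text, it is sanitised before being used as a file name so that a policy name containing path separators cannot write outside the export folder.

```powershell
# Added example (not the project's code): decode base64 script bodies from cached
# script/remediation policy objects and export each one as a .ps1 file.
function Export-DecodedScripts {
    param(
        [Parameter(Mandatory)] [object[]]$Policies,   # objects shaped like 7_Scripts.json / 8_HealthScripts.json entries
        [Parameter(Mandatory)] [string]$OutputDir     # e.g. "$env:APPDATA\IntuneExplorer\decoded scripts"
    )
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

    # Base64 properties to decode, mapped to a suffix for the output file name (assumed layout).
    $fields = [ordered]@{
        scriptContent            = ''
        detectionScriptContent   = '.detection'
        remediationScriptContent = '.remediation'
    }

    foreach ($p in $Policies) {
        # displayName is untrusted input from the tenant: keep only word characters, hyphen,
        # dot and space so "..\evil" cannot escape $OutputDir.
        $safeName = ($p.displayName -replace '[^\w\-. ]', '_').Trim()
        if (-not $safeName) { $safeName = $p.id }

        foreach ($field in $fields.Keys) {
            $prop = $p.PSObject.Properties[$field]
            if (-not $prop -or [string]::IsNullOrWhiteSpace($prop.Value)) { continue }
            try {
                $text = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($prop.Value))
            }
            catch [FormatException] {
                Write-Warning "$($p.displayName): $field is not valid base64, skipped"
                continue
            }
            $out = Join-Path $OutputDir "$safeName$($fields[$field]).ps1"
            Set-Content -LiteralPath $out -Value $text -Encoding utf8
            [pscustomobject]@{
                Policy = $p.displayName
                Field  = $field
                Path   = $out
                Lines  = ($text -split "`n").Count
            }
        }
    }
}

# --- Constructed sample: one PowerShell script and one remediation, base64-encoded the way
#     Graph returns them. The second displayName deliberately contains a path separator. ---
function ConvertTo-Base64Utf8([string]$s) { [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)) }
$sample = @(
    [pscustomobject]@{
        id            = 'a1b2c3d4-0000-0000-0000-000000000001'
        displayName   = 'Set Wallpaper'
        scriptContent = ConvertTo-Base64Utf8 "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper -Value 'C:\Wallpaper.jpg'`n"
    },
    [pscustomobject]@{
        id                       = 'a1b2c3d4-0000-0000-0000-000000000002'
        displayName              = '..\Check BitLocker'
        detectionScriptContent   = ConvertTo-Base64Utf8 "if ((Get-BitLockerVolume -MountPoint C:).ProtectionStatus -eq 'On') { exit 0 } else { exit 1 }`n"
        remediationScriptContent = ConvertTo-Base64Utf8 "Enable-BitLocker -MountPoint C: -TpmProtector`n"
    }
)
$outDir = Join-Path ([IO.Path]::GetTempPath()) 'IntuneExplorerDecoded'
Export-DecodedScripts -Policies $sample -OutputDir $outDir | Format-Table -AutoSize
```

Decoded script bodies frequently contain whatever an administrator pasted into them, including hard-coded credentials or API keys, which is one more reason to treat the cache directory with the same care as the scripts themselves.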
To force a full re-sync, delete all JSON files and the decoded scripts folder in %APPDATA%\IntuneExplorer\, then run Sync ALL again.
Microsoft Graph beta endpoint disclaimer
This tool relies on Microsoft Graph beta endpoints for several Intune policy types (including Settings Catalog). Microsoft may change beta schemas without notice, which can temporarily break sync behavior until the script is updated.
Win32 error 1816 / WPF rendering failure
Occurs in constrained sessions (heavy RDP, low desktop heap). The script forces software rendering by default, which mitigates this. If it still occurs, close other graphics-intensive applications and retry.
Module install fails
Install the module manually from a PowerShell session (an elevated session is fine, but note that `-Scope CurrentUser` installs into the profile of the account running the session, so elevate as the same user who will run the tool):

```powershell
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser -Force
```
"No data found" on search
You haven't synced yet, or the cache was deleted. Click Sync ALL.
Group search returns no results
Assignments are only cached when you sync with + Assignments enabled. Re-run sync with that option.
Settings Catalog sync is slow
This is normal for large tenants. The tool fetches settings for each policy in parallel (10 threads), but a tenant with hundreds of policies will still take several minutes. Status updates are shown live in the sidebar.
Deep links open the wrong blade / 404 in Intune portal
The Intune portal SPA routes can change between service updates. If a link stops working, check the `# DEEP-LINK URL CONSTRUCTION` comment block in the script; the URL patterns for each policy type may need updating.