- Export-SettingsReport.py: add Platform column for Settings Catalog
(platforms field) and legacy policies (platform/platformType or
@odata.type inference)
- MSGraph.psm1: store GraphMetaData.xml in cross-platform data folder
(Get-CloudApiDataFolder) instead of literal %LOCALAPPDATA% path
- MSALAuthentication.psm1: skip TokenCacheHelperEx on non-Windows with
an info log instead of failing on missing ProtectedData.dll
- .gitignore: remove literal %LOCALAPPDATA% patterns
- AGENTS.md, CHANGELOG: document reporting and cross-platform fixes
- Restructure launchers: Start-IntuneToolkit.ps1 moves to repo root;
Start-HeadlessIntune.ps1 moves to Scripts/; TUI helper moves to Scripts/Private/
- Add AGENTS.md with project architecture, entry points, and security notes
- Add CIS M365 baseline assets (CISM365-v7, M365-CIS-Rapid) and reporting scripts
- Add Python reporting utilities (Export-SettingsReport, Export-AssignmentReport,
Export-ObjectInventoryReport) and CA wizard helpers
- Update Deploy-IntuneBaseline.ps1 with Merge conflict resolution, ReportPath,
and optimized group loading
- Update Initialize-IntuneAuth.ps1 with -RotateSecret and configurable secret expiry
- Update Extensions for Settings Catalog definition auto-export
- Update README with v4.1.0, new entry points and script catalog
- Bump VERSION to 4.1.0
- Harden .gitignore against .DS_Store, __pycache__, .venv-pdf/, local exports,
Settings.json and IntuneManagement.log
- Menu entry 13 re-queries Graph /organization for every saved tenant
- Updates cached TenantName values in Settings.json
- Refreshes the active tenant display in the menu header
- Start-IntuneToolkit.ps1 now shows a tenant picker as the first step
when -TenantId is not provided.
- Lists saved tenants from Settings.json, attempting to display cached
tenant names alongside GUIDs.
- Offers '[+ Onboard new tenant]' option for entering new tenants.
- Automatically resolves unknown tenant names via Graph /organization
and caches them back to Settings.json for future use.
Settings Catalog and other Graph endpoints occasionally return 500
InternalServerError on PATCH. Retry up to 3 times with a 2s delay
to improve reliability for bulk rename operations.
Settings Catalog and other bulk-assign types do not support DELETE on
individual assignments. Removal now reloads existing assignments,
filters out selected targets, sanitizes remaining payloads, and
re-POSTs to <API>/<id>/assign. This mirrors the add flow and works
universally across all supported object types.
Replaces default 100-item page limits and =999 workarounds
with -AllPages on group queries across assignment and baseline scripts.
Enables full fzf inline search/filter for group selection.
Core enhancements:
- Expanded default export/import scope to ~45 object types including DeviceManagementIntents
- Added -AllPages pagination support across Graph queries for large tenants
- Invoke-GraphRequest now throws on 4xx/5xx instead of silently returning null
- Added macOS Keychain fallback for secret retrieval in headless auth flow
- Added NameSearchPattern/NameReplacePattern mutation support through export/import forms
New toolkit scripts:
- Bulk-AppAssignment.ps1: bulk-assign apps to groups/All Users/All Devices
- Bulk-AssignmentManager.ps1: add/remove assignments for any policy type with correct @odata.type
- Backup-Restore-Assignments.ps1: JSON backup with cross-tenant group resolution
- Export-AssignmentsToCsv.ps1: CSV/Markdown documentation output
- Bulk-RenamePolicies.ps1: regex search/replace and prefix mutations
- Bulk-DeviceOperations.ps1: delete/retire/wipe/lock/sync with -WhatIf safeguards
- Start-IntuneManagementTui.ps1: interactive terminal UI for headless operations
- Create-IntuneManagementApp.ps1: helper for app registration setup
Updated existing scripts:
- Export-Policies.ps1 / Import-Policies.ps1: wired mutation params through
- Start-HeadlessIntune.ps1: integrated TUI and new parameter forwarding
- Add Deploy-IntuneBaseline.ps1 for YAML-driven policy + assignment deployment
- Add ConvertTo-IntuneBaseline.ps1 to convert export folders to baseline manifests
- Add example OpenIntuneBaseline YAML in Baselines/
- Supports mutations, group auto-creation, idempotency, and WhatIf mode
- Unified required Microsoft Graph app roles in Initialize-IntuneAuth.ps1
- Added permission patching for existing app registrations
- Logs the change and operations for audit
Fixed issue with ADMX import and different enum format
Fixed issue with skipping Not Configured for Compliance Policies
Added support for documenting Compliance Policy V2 (Linux)
Device settings does not return next page so get top 500
Found a rare issue where Settings Catalog could return next page after all items were returned. This caused the app to crash when scrolling the list.
tomas.kracmar
Mikael Karlsson
Frank
Robert Kooistra
MrR0b3rt