Automate your Microsoft Intune tenant configuration with best-practice defaults
Installation • Quick Start • Configuration • Safety Features • Troubleshooting
The Intune Hydration Kit is a PowerShell module that bootstraps Microsoft Intune tenants with practical baseline configurations. It includes vetted OpenIntuneBaseline policies, bundled CIS benchmark-derived policies from IntuneBaselines, compliance policies, dynamic groups, and more, turning hours of manual setup into a single command.
Note: This kit uses a maintained fork of the original OpenIntuneBaseline repository. OpenIntuneBaseline and CIS baseline content from IntuneBaselines are bundled with the module and periodically refreshed only after validation and testing, which prevents unplanned upstream changes from affecting your deployments.
These counts reflect the bundled template set at the time of the latest validated release and may change as templates are added or revised.
| Category | Count | Description |
|---|---|---|
| Dynamic Groups | 50 | Device and user targeting groups (OS, manufacturer, Autopilot, ownership, VMs, license-based) |
| Static Groups | 5 | Update ring groups (Pilot, UAT) and Autopilot device preparation group |
| Device Filters | 24 | Platform, manufacturer, and VM-based filters (Windows, macOS, iOS, Android) |
| OpenIntuneBaseline | 99 | OpenIntuneBaseline policies (Windows, macOS, iOS, Android) - bundled, no download required |
| CIS Baselines | 728 | Bundled IntuneBaselines CIS benchmark-derived policies across Windows, macOS, iOS, Android, Edge, Chrome, and related administrative template workloads |
| Compliance Policies | 10 | Multi-platform compliance (Windows, macOS, iOS, Android, Linux) |
| App Protection | 8 | MAM policies following Microsoft's App Protection Framework (Level 1-3 for iOS and Android) |
| Mobile Apps | 8 | Bundled legacy mobile app templates (macOS Edge, macOS M365 Apps, Windows M365 Apps, plus Windows Store templates for Adobe Acrobat Reader DC, Company Portal, PowerShell, Spotify, and WhatsApp) |
| WinGet Win32 Apps | 28 | Bundled Windows WinGet app catalog packaged as Intune Win32 apps |
| Notification Templates | 1 | Notification message templates for compliance and enrollment |
| Enrollment Profiles | 4 | Autopilot deployment profiles, Enrollment Status Page, and Autopilot device preparation |
| Conditional Access | 21 | Starter pack policy templates (created disabled) |
⚠️ READ BEFORE USE

This tool:

- Creates objects in your Intune tenant (policies, groups, filters)
- Can delete objects when run with delete mode enabled
- Modifies Conditional Access policies (though always created disabled)

Before running it:

- Test in a non-production tenant first - Use a dev/test tenant before running against production
- Always preview changes first - Use `-WhatIf` in parameter or settings mode
- Review enabled targets - Start with specific import switches before using `-All`
- Have a rollback plan - Know how to remove configurations if needed
When using delete mode (`-Delete` parameter or `"delete": true` in settings), the kit will only delete objects that it created:

- Objects are identified by the `"Imported by Intune Hydration Kit"` marker; some resource types also use the `[IHD]` name prefix
- Conditional Access policies must also be in `disabled` state to be deleted
- Manually created objects with the same names will NOT be deleted
- [IHD] Name Markers - Most imported objects are prefixed with `[IHD]`; mobile apps and WinGet apps append ` - [IHD]` and also rely on hydration markers for ownership
- Batch API Operations - Groups, policies, filters, and apps use batched Graph API calls (up to 10 per batch) for ~61% faster execution
- Retry-After Throttle Handling - Automatic retry with `Retry-After` header support on 429/503 Graph API responses
- Bundled Baselines - OpenIntuneBaseline and CIS baseline templates are included in the module (no external download required)
- Idempotent - Safe to run multiple times; skips existing configurations
- Dry-Run Mode - Preview changes with PowerShell `-WhatIf` before applying
- Safe Deletion - Only removes objects created by this kit (identified by the hydration marker, with prefixes used where applicable)
- Multi-Platform - Supports Windows, macOS, iOS, Android, and Linux
- Platform Filtering - Import resources for specific platforms only (e.g., `-Platform Windows,macOS`)
- Detailed Logging - Full audit trail of all operations
- Elapsed Time Tracking - Final summary output and reports include total hydration time
- Summary Reports - Markdown and JSON reports of all changes
- WinGet Win32 Apps - Windows app hydration backed by bundled WinGet templates and packaged into Intune Win32 apps without requiring `IntuneWinAppUtil.exe`
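The throttle handling listed above (retry on 429/503, honouring `Retry-After`) is easy to get subtly wrong, so here is an added example of the pattern. It is not the kit's own code: `Invoke-WithRetryAfter` and `New-GraphAttempt` are names chosen for this example, and live use assumes Microsoft.Graph.Authentication 2.x, where `Invoke-MgGraphRequest` supports `-OutputType HttpResponseMessage` and `-SkipHttpErrorCheck`, and that `Connect-MgGraph` has already been run. The demo at the bottom uses a constructed responder and never contacts Graph.

```powershell
# Added example, not part of the IntuneHydrationKit module.
function Invoke-WithRetryAfter {
    [CmdletBinding()]
    param(
        # One attempt; must return an object with StatusCode, RetryAfterSeconds and Content.
        [Parameter(Mandatory)] [scriptblock] $Attempt,
        [int] $MaxAttempts = 5,
        [int] $BaseDelaySeconds = 2
    )
    for ($i = 1; $i -le $MaxAttempts; $i++) {
        $resp = & $Attempt
        if ($resp.StatusCode -notin 429, 503) { return $resp }
        if ($i -eq $MaxAttempts) {
            throw "Still throttled after $MaxAttempts attempts (last status $($resp.StatusCode))"
        }
        # Prefer the service's own Retry-After; fall back to exponential backoff when it is absent.
        $delay = if ($resp.RetryAfterSeconds) { $resp.RetryAfterSeconds }
                 else { $BaseDelaySeconds * [math]::Pow(2, $i - 1) }
        Write-Verbose "Attempt $i returned $($resp.StatusCode); sleeping $delay s"
        Start-Sleep -Seconds $delay
    }
}

function New-GraphAttempt {
    # Builds the per-attempt script block for a live Graph call (assumption: SDK 2.x parameters).
    param([string] $Method, [string] $Uri, [string] $Body)
    {
        $params = @{ Method = $Method; Uri = $Uri; OutputType = 'HttpResponseMessage'; SkipHttpErrorCheck = $true }
        if ($Body) { $params.Body = $Body; $params.ContentType = 'application/json' }
        $r  = Invoke-MgGraphRequest @params
        $ra = $r.Headers.RetryAfter   # System.Net.Http.Headers.RetryConditionHeaderValue or null
        [pscustomobject]@{
            StatusCode        = [int]$r.StatusCode
            RetryAfterSeconds = if ($ra -and $ra.Delta) { [int][math]::Ceiling($ra.Delta.TotalSeconds) } else { $null }
            Content           = $r.Content.ReadAsStringAsync().GetAwaiter().GetResult()
        }
    }.GetNewClosure()
}

# Constructed offline demo: throttled twice with Retry-After: 1, then a 200.
$script:calls = 0
$fakeAttempt = {
    $script:calls++
    if ($script:calls -lt 3) { [pscustomobject]@{ StatusCode = 429; RetryAfterSeconds = 1; Content = '' } }
    else { [pscustomobject]@{ StatusCode = 200; RetryAfterSeconds = $null; Content = '{"value":[]}' } }
}
$result = Invoke-WithRetryAfter -Attempt $fakeAttempt -Verbose
"Status $($result.StatusCode) after $script:calls attempt(s)"

# Live equivalent (uncomment after Connect-MgGraph):
# $live = Invoke-WithRetryAfter -Attempt (New-GraphAttempt -Method GET `
#     -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies')
# $live.Content | ConvertFrom-Json
```

One caveat that matters for the batched calls the feature list also mentions: a `$batch` envelope can come back as HTTP 200 while individual sub-responses inside it carry 429 with their own `Retry-After`, so a batching client has to inspect each sub-response status rather than only the outer one.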
- PowerShell 7.0 or later
- Microsoft.Graph.Authentication module:

```powershell
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser
```

Note: This module uses `Invoke-MgGraphRequest` for all Graph API calls, so only the Authentication module is required.
For interactive runs, use a Global Administrator account. Intune Graph APIs can reject PIM-elevated or non-Global Administrator accounts even when Graph consent is present.
Why: Microsoft documents that Intune Graph access requires both Graph permission scopes and user role permissions. Microsoft also documents that after PIM activates a role, downstream application access can lag or remain cached depending on the application architecture. In practice, Intune's Graph backend can return 401/403 for PIM-elevated Global Administrator sessions while a permanently assigned Global Administrator works.
The authenticated user/app also needs these Microsoft Graph permissions:

- `DeviceManagementConfiguration.ReadWrite.All`
- `DeviceManagementServiceConfig.ReadWrite.All`
- `DeviceManagementManagedDevices.ReadWrite.All`
- `DeviceManagementScripts.ReadWrite.All`
- `DeviceManagementApps.ReadWrite.All`
- `Group.ReadWrite.All`
- `Policy.Read.All`
- `Policy.ReadWrite.ConditionalAccess`
- `Application.Read.All`
- `Directory.ReadWrite.All`
- `LicenseAssignment.Read.All`
- `Organization.Read.All`
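A missing consent usually surfaces only as a 403 partway through a run, so it is worth confirming the session actually holds every scope above before starting. The following is an added example, not code from the kit: `Test-RequiredGraphScopes` is a name chosen here, it assumes the Microsoft.Graph.Authentication module (`Connect-MgGraph`, `Get-MgContext`) and a delegated interactive sign-in, and `<your-tenant-id>` is a placeholder.

```powershell
# Added example, not part of the IntuneHydrationKit module.
$RequiredScopes = @(
    'DeviceManagementConfiguration.ReadWrite.All'
    'DeviceManagementServiceConfig.ReadWrite.All'
    'DeviceManagementManagedDevices.ReadWrite.All'
    'DeviceManagementScripts.ReadWrite.All'
    'DeviceManagementApps.ReadWrite.All'
    'Group.ReadWrite.All'
    'Policy.Read.All'
    'Policy.ReadWrite.ConditionalAccess'
    'Application.Read.All'
    'Directory.ReadWrite.All'
    'LicenseAssignment.Read.All'
    'Organization.Read.All'
)

function Test-RequiredGraphScopes {
    # Compares the scopes in the current Graph session against a required list.
    param([Parameter(Mandatory)] [string[]] $Required)
    $ctx = Get-MgContext
    if (-not $ctx) { throw 'No Graph session; run Connect-MgGraph first.' }
    # Compare case-insensitively; scope names are not case-sensitive in the token.
    $granted = @($ctx.Scopes | ForEach-Object { $_.ToLowerInvariant() })
    $missing = @($Required | Where-Object { $_.ToLowerInvariant() -notin $granted })
    [pscustomobject]@{
        Account  = $ctx.Account
        TenantId = $ctx.TenantId
        AuthType = $ctx.AuthType
        Missing  = $missing
        Ok       = ($missing.Count -eq 0)
    }
}

# Request exactly the scopes the kit needs, then verify what was actually granted.
Connect-MgGraph -TenantId '<your-tenant-id>' -Scopes $RequiredScopes -NoWelcome
$check = Test-RequiredGraphScopes -Required $RequiredScopes
if ($check.Ok) {
    "Connected as $($check.Account) to tenant $($check.TenantId) with all required scopes"
} else {
    Write-Warning "Consent missing for: $($check.Missing -join ', '); Intune imports will fail with 403"
}
```

The check is meaningful for delegated sessions, where the consent prompt may have been declined by an admin policy. For app-only (client credential) sign-in, compare the app registration's granted application permissions in the Entra admin center instead, since the interactive consent flow does not apply there.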
Install directly from the PowerShell Gallery:

```powershell
Install-Module -Name IntuneHydrationKit -Scope CurrentUser
```

To update to the latest version:

```powershell
Update-Module -Name IntuneHydrationKit
```

For development or to use the latest unreleased changes:

```powershell
git clone https://github.com/jorgeasaurus/IntuneHydrationKit.git
cd IntuneHydrationKit
Import-Module ./IntuneHydrationKit.psd1
```

Start with the module and parameters first. Use settings files only when you want reusable configuration. The full command patterns live in docs/Invocation-Examples.md.

```powershell
Invoke-IntuneHydration -TenantId "your-tenant-id" -Interactive -Create -All -WhatIf
```

Use PowerShell help for the complete, always-current parameter list:
```powershell
Get-Help Invoke-IntuneHydration -Detailed
```

| Parameter | Purpose |
|---|---|
| `-TenantId` | Target tenant ID |
| `-TenantName` | Optional tenant name for display |
| `-Interactive` | Use interactive browser-based authentication |
| `-ClientId` | Service principal application ID |
| `-ClientSecret` | Service principal client secret |
| `-Environment` | Cloud environment (Global, USGov, USGovDoD, Germany, China) |
| `-Create` | Create configurations |
| `-Delete` | Delete kit-created configurations |
| `-Force` | Skip delete confirmation prompts |
| `-OpenIntuneBaseline` | Process OpenIntuneBaseline policies |
| `-CISBaselines` | Process bundled CIS baseline policies |
| `-ComplianceTemplates` | Process compliance templates |
| `-AppProtection` | Process app protection policies |
| `-NotificationTemplates` | Process notification templates |
| `-EnrollmentProfiles` | Process enrollment profiles |
| `-DynamicGroups` | Process dynamic groups |
| `-StaticGroups` | Process static groups |
| `-DeviceFilters` | Process device filters |
| `-ConditionalAccess` | Process Conditional Access starter pack |
| `-MobileApps` | Process mobile apps |
| `-All` | Enable all targets |
| `-Platform` | Filter supported resource types by platform |
| `-ReportOutputPath` | Write reports to a custom folder |
| `-ReportFormats` | Select report formats (markdown, json) |
| `-SettingsPath` | Use settings-file mode |
| `-WhatIf` | Preview changes without applying them |
| `-Verbose` | Emit verbose diagnostics |
Use a settings file only when you want reusable configuration. The full settings-file structure and examples live in docs/Invocation-Examples.md.
Enable only the categories you need. See docs/Invocation-Examples.md for the JSON example.
Windows mobile app hydration imports the full bundled Windows catalog by default. See docs/Invocation-Examples.md for the JSON example.
- `templateIds` narrows WinGet-backed imports to specific bundled templates.
- `remediation.enabled` defaults to `true` and creates/updates WinGet app update remediation scripts when supported.
- Generated remediations are unassigned by design; assign after review.
- Generated scripts are saved to a temp folder and listed in the summary report.
- To add another app, open a request issue or submit a PR that adds a bundled template.
WinGet-backed Windows app hydration has a few additional prerequisites beyond Graph access:

- App Installer / `winget.exe` on managed devices - The generated install and uninstall wrappers call `winget.exe`. Devices need Microsoft App Installer installed so `winget.exe` can be resolved at runtime.
- Outbound access to app sources - WinGet installs pull vendor installers defined in the WinGet manifest. Make sure devices can reach the package download locations required by your selected templates.
- No external packaging utility required - The kit builds `.intunewin` content with the repo-owned cross-platform packager, so the operator machine does not need `IntuneWinAppUtil.exe`.
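Because the install wrappers depend on `winget.exe` being resolvable at runtime, a practitioner will want a way to confirm that on a device before assigning the WinGet-backed apps. The following is an added detection script, not part of the kit: `Resolve-WingetPath` is a name chosen here, and it assumes the x64 App Installer package (adjust the architecture suffix for ARM64 devices). It is written for the SYSTEM context Intune uses for Win32 installs, where `winget.exe` is not on `PATH` and has to be located under the App Installer package folder.

```powershell
# Added example, not part of the IntuneHydrationKit module.
function Resolve-WingetPath {
    # Interactive user sessions usually have winget on PATH.
    $onPath = Get-Command winget.exe -ErrorAction SilentlyContinue
    if ($onPath) { return $onPath.Source }

    # SYSTEM sessions do not; look inside the App Installer package folder instead.
    # Assumption: x64 package; sorting by name descending picks the highest version folder.
    $candidates = Get-ChildItem -Path "$env:ProgramFiles\WindowsApps" `
        -Filter 'Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe' -Directory -ErrorAction SilentlyContinue |
        Sort-Object -Property Name -Descending
    foreach ($dir in $candidates) {
        $exe = Join-Path $dir.FullName 'winget.exe'
        if (Test-Path $exe) { return $exe }
    }
    return $null
}

# Intune detection semantics: exit 0 with output means "detected", anything else means "not detected".
$winget = Resolve-WingetPath
if (-not $winget) {
    Write-Output 'winget.exe not found; App Installer is missing or not available in this context'
    exit 1
}
# Record the version too, so an outdated App Installer is visible in the device report.
$version = & $winget --version 2>$null
Write-Output "winget found at $winget ($version)"
exit 0
```

Used as a detection script (or as a requirement rule) on the WinGet-backed Win32 apps, this turns a silent wrapper failure into a clear "not applicable" state in Intune, which is much easier to triage than a generic install error.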
| Display name | Publisher | Package identifier |
|---|---|---|
| 7-Zip | Igor Pavlov | 7zip.7zip |
| Cursor | Anysphere | Anysphere.Cursor |
| Claude | Anthropic, PBC | Anthropic.Claude |
| Claude Code | Anthropic PBC | Anthropic.ClaudeCode |
| Docker Desktop | Docker Inc. | Docker.DockerDesktop |
| Everything | voidtools | voidtools.Everything |
| Foxit PDF Reader | Foxit Software Inc. | Foxit.FoxitReader |
| Git for Windows | The Git Development Community | Git.Git |
| GitHub Desktop | GitHub, Inc. | GitHub.GitHubDesktop |
| Google Chrome | Google LLC | Google.Chrome |
| Greenshot | Greenshot | Greenshot.Greenshot |
| Microsoft Edge | Microsoft Corporation | Microsoft.Edge |
| PowerToys | Microsoft Corporation | Microsoft.PowerToys |
| Microsoft Teams | Microsoft Corporation | Microsoft.Teams |
| Mozilla Firefox | Mozilla | Mozilla.Firefox |
| Notepad++ | Don Ho | Notepad++.Notepad++ |
| Notion | Notion Labs Inc. | Notion.Notion |
| Power BI Desktop | Microsoft Corporation | Microsoft.PowerBI |
| PuTTY | Simon Tatham | PuTTY.PuTTY |
| ShareX | ShareX Team | ShareX.ShareX |
| Slack | Slack Technologies Inc. | SlackTechnologies.Slack |
| TreeSize Free | JAM Software | JAMSoftware.TreeSize.Free |
| Visual Studio Code | Microsoft Corporation | Microsoft.VisualStudioCode |
| VLC media player | VideoLAN | VideoLAN.VLC |
| Windows App | Microsoft Corp. | Microsoft.WindowsApp |
| Windows Terminal | Microsoft Corporation | Microsoft.WindowsTerminal |
| WinSCP | Martin Prikryl | WinSCP.WinSCP |
| Zoom Workplace | Zoom Communications, Inc. | Zoom.Zoom |
Filter imports by platform to only import resources for specific operating systems:
See docs/Invocation-Examples.md for the JSON examples and the list of affected resources.
Most objects created by this kit are identified by two markers:

- Name prefix: `[IHD]` prepended to the display name (e.g., `[IHD] Windows - Default Compliance`)
- Description marker: `Imported by Intune Hydration Kit`
Mobile apps and WinGet apps are the notable exceptions to prefixing: they append - [IHD] to their template display names and rely on the hydration marker (plus WinGet ownership metadata for WinGet apps) for safe cleanup.
These markers are used to:
- Identify objects created by this tool at a glance
- Prevent deletion of manually-created objects
- Enable safe cleanup operations
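The marker rules above, and the delete-mode rules earlier in this README (only kit-created objects, Conditional Access only when disabled, hand-made look-alikes untouched), can be turned into a preview you run before any cleanup. The following is an added example and not the kit's own deletion logic: `Test-IhdOwned` and `Get-IhdCleanupPreview` are names chosen here, the sample objects are constructed, and live use assumes `Connect-MgGraph` has been run with `DeviceManagementConfiguration.ReadWrite.All`.

```powershell
# Added example, not part of the IntuneHydrationKit module.
$HydrationMarker = 'Imported by Intune Hydration Kit'

function Test-IhdOwned {
    # True only when the object carries the description marker AND the naming convention for
    # its kind: a "[IHD]" prefix, or a " - [IHD]" suffix for mobile/WinGet apps.
    param(
        [Parameter(Mandatory)] [psobject] $Object,
        [switch] $IsApp
    )
    $name = [string]$Object.displayName
    $desc = [string]$Object.description
    $hasMarker = $desc -like "*$HydrationMarker*"
    $hasName   = if ($IsApp) { $name.EndsWith(' - [IHD]') } else { $name.StartsWith('[IHD]') }
    return ($hasMarker -and $hasName)
}

function Get-IhdCleanupPreview {
    # Splits a set of objects into what a marker-based delete would remove and what it would keep.
    # Conditional Access policies are only removable while their state is 'disabled'.
    param(
        [Parameter(Mandatory)] [psobject[]] $Objects,
        [switch] $IsApp,
        [switch] $IsConditionalAccess
    )
    $remove = [System.Collections.Generic.List[psobject]]::new()
    $keep   = [System.Collections.Generic.List[psobject]]::new()
    foreach ($o in $Objects) {
        $owned = Test-IhdOwned -Object $o -IsApp:$IsApp
        if ($owned -and $IsConditionalAccess -and $o.state -ne 'disabled') { $owned = $false }
        if ($owned) { $remove.Add($o) } else { $keep.Add($o) }
    }
    [pscustomobject]@{ Remove = $remove; Keep = $keep }
}

# Live query for one resource type (uncomment after Connect-MgGraph):
# $policies = (Invoke-MgGraphRequest -Method GET `
#     -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies').value
# Get-IhdCleanupPreview -Objects $policies

# Constructed sample: one kit-created policy, one hand-made look-alike with the same name,
# and one unrelated policy whose description happens to contain the marker.
$sample = @(
    [pscustomobject]@{ displayName = '[IHD] Windows - Default Compliance'; description = $HydrationMarker }
    [pscustomobject]@{ displayName = '[IHD] Windows - Default Compliance'; description = 'Created by hand' }
    [pscustomobject]@{ displayName = 'Corporate Compliance';               description = $HydrationMarker }
)
$preview = Get-IhdCleanupPreview -Objects $sample
"Compliance policies: would remove {0}, would keep {1}" -f $preview.Remove.Count, $preview.Keep.Count

# Constructed CA sample: both are kit-marked, but only the disabled one is eligible for deletion.
$caSample = @(
    [pscustomobject]@{ displayName = '[IHD] Example CA policy A'; description = $HydrationMarker; state = 'enabled' }
    [pscustomobject]@{ displayName = '[IHD] Example CA policy B'; description = $HydrationMarker; state = 'disabled' }
)
$caPreview = Get-IhdCleanupPreview -Objects $caSample -IsConditionalAccess
"Conditional Access: eligible for deletion -> " + ($caPreview.Remove.displayName -join ', ')
```

Requiring both the description marker and the name convention is what protects the hand-made look-alike in the sample: a matching name alone, or a copied description alone, is not treated as kit ownership.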
Conditional Access policies receive additional protection:
- Always created in `disabled` state - Never automatically enabled
- Deletion requires disabled state - Cannot delete enabled CA policies
- Manual review required - You must manually enable policies after review
All operations support PowerShell `-WhatIf` preview mode in both parameter and settings modes:

```powershell
# Parameter mode
./Invoke-IntuneHydration.ps1 -TenantId "guid" -Interactive -Create -All -WhatIf

# Settings file mode
./Invoke-IntuneHydration.ps1 -SettingsPath ./settings.json -WhatIf
```

The run shows real-time status (Created, Skipped, Deleted, warnings) and ends with an elapsed-time summary.

```
---------------- Summary ----------------
Created: 12 | Updated: 3 | Deleted: 0 | Skipped: 8 | Failed: 0
Elapsed: 00:04:27
Reports: /tmp/IntuneHydrationKit/Reports/Hydration-Summary.md
JSON: /tmp/IntuneHydrationKit/Reports/Hydration-Summary.json
----------------------------------------
```
Detailed logs are written to an OS-appropriate temp directory:
| OS | Log Path |
|---|---|
| Windows | $env:TEMP\IntuneHydrationKit\Logs\ |
| macOS | /var/folders/.../IntuneHydrationKit/Logs/ |
| Linux | /tmp/IntuneHydrationKit/Logs/ |
Log files are named with a run timestamp, for example `hydration-20241127-143052.log`.
After each run, reports are generated in the OS temp directory (same location as logs):
| OS | Reports Path |
|---|---|
| Windows | $env:TEMP\IntuneHydrationKit\Reports\ |
| macOS | /var/folders/.../IntuneHydrationKit/Reports/ |
| Linux | /tmp/IntuneHydrationKit/Reports/ |
- `Hydration-Summary.md` - Human-readable report
- `Hydration-Summary.json` - Machine-readable report
You can specify a custom output path using the -ReportOutputPath parameter or reporting.outputPath in settings.
If the Microsoft.Graph.Authentication module is missing, install it:

```powershell
# Install required modules
Install-Module Microsoft.Graph.Authentication -Force
```

Authentication and permission problems:

- Use a Global Administrator account for Intune imports; PIM-elevated or non-Global Administrator accounts can be rejected by Intune Graph APIs
- Check that all required Graph permissions are consented

Licensing problems:

- Verify Intune licenses are assigned in the tenant
- Check for INTUNE_A, INTUNE_EDU, or EMS license

Objects not deleted in delete mode:

- Verify the object has the `"Imported by Intune Hydration Kit"` marker; many resource types also use the `[IHD]` name prefix, while mobile apps and WinGet apps append ` - [IHD]`
- For CA policies, ensure the policy is in `disabled` state
```
├── Public/            # 19 exported functions
├── Private/           # Internal helpers
├── Templates/         # Bundled import templates
│   ├── CISBaselines/
│   ├── OpenIntuneBaseline/
│   ├── ConditionalAccess/
│   ├── DynamicGroups/
│   ├── Filters/
│   ├── StaticGroups/
│   ├── MobileApps/
│   └── Notifications/
├── Tests/             # 67 Pester test files
├── docs/              # MkDocs and PlatyPS reference docs
└── scripts/           # Maintenance and assignment helpers
```
See CHANGELOG.md for a detailed history of changes.
- OpenIntuneBaseline by SkipToTheEndpoint - Original community-driven Intune security baselines (this kit uses a maintained fork for stability)
- IntuneBaselines by jorgeasaurus - Source repository for the bundled CIS benchmark-derived policy content included with this kit
- Microsoft Graph PowerShell SDK team
This tool is provided "as-is" without warranty of any kind. Always test in a non-production environment first. The authors are not responsible for any unintended changes to your Intune tenant. Review all configurations before enabling in production.

