Intune Commander supports all device configuration policy types available in Microsoft Intune, including traditional configuration profiles, modern settings catalog policies, administrative templates, and endpoint security configurations.

Device Configuration Profiles

Overview

Traditional device configuration profiles provide platform-specific settings for managing devices.

Graph Endpoint: /deviceManagement/deviceConfigurations
Service: ConfigurationProfileService
Permission: DeviceManagementConfiguration.ReadWrite.All

Supported Operations

| Operation | Method | Description |
|---|---|---|
| List | ListAsync() | Retrieve all device configuration profiles |
| Get | GetAsync(id) | Retrieve a specific profile by ID |
| Create | CreateAsync(profile) | Create a new configuration profile |
| Update | UpdateAsync(id, profile) | Update an existing profile |
| Delete | DeleteAsync(id) | Delete a configuration profile |
| Get Assignments | GetAssignmentsAsync(id) | Retrieve assignment information |

Profile Types

Device configurations support multiple profile types across platforms:

Windows

  • Device restrictions
  • Endpoint protection
  • Identity protection
  • Kiosk
  • Email
  • VPN
  • Wi-Fi
  • Certificate (SCEP, PKCS, trusted certificate)
  • Custom (OMA-URI)
  • Edition upgrade
  • Delivery optimization
  • Network boundary
  • Shared multi-user device

macOS

  • Device restrictions
  • Endpoint protection
  • Extensions
  • Preference file
  • Email
  • VPN
  • Wi-Fi
  • Certificate (SCEP, PKCS, trusted certificate)
  • Custom

iOS/iPadOS

  • Device restrictions
  • Email
  • VPN
  • Wi-Fi
  • Certificate (SCEP, PKCS, trusted certificate)
  • Custom
  • Device features

Android

  • Device restrictions (device administrator)
  • Email (Samsung Knox only)
  • VPN
  • Wi-Fi
  • Certificate (SCEP, PKCS, trusted certificate)
  • Custom (OMA-URI)

Graph API Details

GET https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
GET https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{id}
POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
PATCH https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{id}
DELETE https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{id}
GET https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{id}/assignments

Export/Import

Device configurations export to:
ExportFolder/
└── DeviceConfigurations/
    ├── Windows_DeviceRestrictions.json
    ├── macOS_Email_Profile.json
    └── iOS_WiFi_Corporate.json

Settings Catalog

Overview

The settings catalog provides a modern, unified interface for managing thousands of settings across Windows, macOS, and iOS/iPadOS.

Graph Endpoint: /deviceManagement/configurationPolicies
Service: SettingsCatalogService
Permission: DeviceManagementConfiguration.ReadWrite.All

Supported Operations

| Operation | Method | Description |
|---|---|---|
| List | ListAsync() | Retrieve all settings catalog policies |
| Get | GetAsync(id) | Retrieve a specific policy by ID |
| Get Assignments | GetAssignmentsAsync(id) | Retrieve assignment information |

The Settings Catalog service uses a $top=100 page size limit due to Cosmos DB cursor stability requirements in the Graph API backend.

Platform Support

  • Windows 10/11 - 3000+ settings across all Windows subsystems
  • macOS - Device management and security settings
  • iOS/iPadOS - Device and app management settings

Graph API Details

GET https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$top=100
GET https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/{id}
GET https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/{id}/assignments

Export/Import

Settings catalog policies export to:
ExportFolder/
└── ConfigurationPolicies/
    ├── Win11_SecurityBaseline.json
    └── macOS_SystemExtensions.json

Administrative Templates

Overview

Administrative templates provide Windows group policy (ADMX-backed) settings for domain-joined, hybrid-joined, and cloud-only devices.

Graph Endpoint: /deviceManagement/groupPolicyConfigurations
Service: AdministrativeTemplateService
Permission: DeviceManagementConfiguration.ReadWrite.All

Supported Operations

| Operation | Method | Description |
|---|---|---|
| List | ListAsync() | Retrieve all administrative template policies |
| Get | GetAsync(id) | Retrieve a specific policy by ID |
| Create | CreateAsync(config) | Create a new administrative template |
| Update | UpdateAsync(id, config) | Update an existing policy |
| Delete | DeleteAsync(id) | Delete a policy |
| Get Assignments | GetAssignmentsAsync(id) | Retrieve assignment information |
| Assign | AssignAsync(id, assignments) | Assign policy to groups |

ADMX File Support

Intune Commander supports custom ADMX files uploaded to the tenant.

Graph Endpoint: /deviceManagement/groupPolicyUploadedDefinitionFiles
Service: AdmxFileService
Permission: DeviceManagementConfiguration.ReadWrite.All

| Operation | Method |
|---|---|
| List | ListAsync() |
| Get | GetAsync(id) |
| Create | CreateAsync(file) |
| Delete | DeleteAsync(id) |

Graph API Details

GET https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations
GET https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations/{id}
POST https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations
PATCH https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations/{id}
DELETE https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations/{id}
GET https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations/{id}/assignments
POST https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations/{id}/assign

Export/Import

Administrative templates export to:
ExportFolder/
└── GroupPolicyConfigurations/
    ├── EdgeBrowser_Settings.json
    └── Office365_Configuration.json

Endpoint Security

Overview

Endpoint security policies provide focused security configurations organized by security area.

Graph Endpoint: /deviceManagement/intents
Service: EndpointSecurityService
Permission: DeviceManagementConfiguration.ReadWrite.All

Supported Operations

| Operation | Method | Description |
|---|---|---|
| List | ListAsync() | Retrieve all endpoint security policies |
| Get | GetAsync(id) | Retrieve a specific policy by ID |
| Create | CreateAsync(intent) | Create a new endpoint security policy |
| Update | UpdateAsync(id, intent) | Update an existing policy |
| Delete | DeleteAsync(id) | Delete a policy |
| Get Assignments | GetAssignmentsAsync(id) | Retrieve assignment information |
| Assign | AssignAsync(id, assignments) | Assign policy to groups |

Policy Types

Antivirus

  • Microsoft Defender Antivirus settings
  • Exclusions and overrides
  • Real-time protection
  • Cloud-delivered protection

Disk Encryption

  • BitLocker policies (Windows)
  • FileVault policies (macOS)
  • Encryption requirements and recovery

Firewall

  • Microsoft Defender Firewall rules
  • Domain, private, and public profiles
  • Connection security rules

Endpoint Detection and Response

  • Microsoft Defender for Endpoint onboarding
  • EDR policies
  • Attack surface reduction

Attack Surface Reduction

  • ASR rules
  • Controlled folder access
  • Network protection
  • Exploit protection

Account Protection

  • Windows Hello for Business
  • Credential Guard
  • Local admin password solution (LAPS)

Graph API Details

GET https://graph.microsoft.com/beta/deviceManagement/intents
GET https://graph.microsoft.com/beta/deviceManagement/intents/{id}
POST https://graph.microsoft.com/beta/deviceManagement/intents
PATCH https://graph.microsoft.com/beta/deviceManagement/intents/{id}
DELETE https://graph.microsoft.com/beta/deviceManagement/intents/{id}
GET https://graph.microsoft.com/beta/deviceManagement/intents/{id}/assignments
POST https://graph.microsoft.com/beta/deviceManagement/intents/{id}/assign

Export/Import

Endpoint security policies export to:
ExportFolder/
└── EndpointSecurity/
    ├── Antivirus_Policy.json
    ├── BitLocker_Encryption.json
    └── ASR_Rules.json

Reusable Policy Settings

Overview

Reusable settings groups allow you to define settings once and reference them across multiple endpoint security policies.

Graph Endpoint: /deviceManagement/reusablePolicySettings
Service: ReusablePolicySettingService
Permission: DeviceManagementConfiguration.ReadWrite.All

Use Cases

  • Certificate profiles referenced by multiple VPN/Wi-Fi policies
  • Common security baselines
  • Shared network configurations
  • Standard firewall rule sets

Multi-Cloud Support

All device configuration types are supported across all four cloud environments:

| Cloud | Graph Base URL | Notes |
|---|---|---|
| Commercial | https://graph.microsoft.com/beta | Default endpoint |
| GCC | https://graph.microsoft.com/beta | Same endpoint as Commercial |
| GCC-High | https://graph.microsoft.us/beta | Government cloud endpoint |
| DoD | https://dod-graph.microsoft.us/beta | DoD-specific endpoint |

See the cloud configuration pages for details on setting up app registrations for each environment.
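
The $top=100 paging of the settings catalog and the per-cloud base URLs combine in one place: the paging loop. The following is an added example, not Intune Commander's own code; it follows Graph's standard `@odata.nextLink` property only while the link stays on the selected cloud's host, so a bearer token is never sent elsewhere. `fetch` and `make_fake_graph` are hypothetical names, and the sample pages in the usage are constructed.

```python
from urllib.parse import urlsplit

# Graph base URLs per cloud, copied from the table above.
GRAPH_BASE = {
    "Commercial": "https://graph.microsoft.com/beta",
    "GCC": "https://graph.microsoft.com/beta",
    "GCC-High": "https://graph.microsoft.us/beta",
    "DoD": "https://dod-graph.microsoft.us/beta",
}
PAGE_SIZE = 100  # $top limit the page gives for configurationPolicies


def same_origin(url, base):
    """True only if url is HTTPS on exactly the host[:port] of base."""
    u, b = urlsplit(url), urlsplit(base)
    # Comparing netloc (not hostname) also rejects "user@host" tricks.
    return u.scheme == "https" and u.netloc.lower() == b.netloc.lower()


def list_settings_catalog(cloud, fetch, max_pages=1000):
    """Collect all policies, following @odata.nextLink within one cloud only.

    fetch(url) -> dict is a hypothetical caller-supplied function that does
    the authenticated GET and returns the decoded JSON body.
    """
    base = GRAPH_BASE[cloud]
    url = f"{base}/deviceManagement/configurationPolicies?$top={PAGE_SIZE}"
    policies, seen = [], set()
    while url:
        # Checked before every request, including the first one.
        if not same_origin(url, base):
            raise ValueError(f"refusing to send token to {urlsplit(url).netloc!r}")
        if url in seen or len(seen) >= max_pages:
            raise RuntimeError("paging loop or page limit reached")
        seen.add(url)
        body = fetch(url)
        policies.extend(body.get("value", []))
        url = body.get("@odata.nextLink")  # absent on the last page
    return policies


def make_fake_graph(pages):
    """Constructed stand-in for Graph: maps request URL -> response body."""
    def fetch(url):
        return pages[url]
    return fetch
```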

Caching

Device configuration data is cached locally for 24 hours by default using an AES-encrypted LiteDB database. Cache keys are scoped by tenant ID and data type, allowing multiple tenant profiles to share the same cache database.

Cache Location:
  • Windows: %LocalAppData%\Intune.Commander\cache.db
  • Linux: ~/.config/Intune.Commander/cache.db
  • macOS: ~/Library/Application Support/Intune.Commander/cache.db
