Get Back or Retrieve Intune PowerShell Scripts

Intune Platform scripts (Devices > Scripts and remediations > Platform scripts) are commonly used to configure settings that are not available in the Settings Catalog, to copy files, create registry keys, or run one-time configuration tasks on Windows devices. Microsoft Intune does not provide a “download script” button in the Intune admin center UI after a script is uploaded, which can be an issue if the original script source is lost.

The good news is that if the platform script object still exists in Intune, you can retrieve the script content reliably by exporting it from Microsoft Graph. As a fallback, you can also recover the script from a managed device while it is being executed by the Intune Management Extension (IME).

When You Might Need Script Retrieval

You may need to retrieve an Intune script when:

  • You are auditing an inherited tenant and need to review what a platform script actually does.
  • The script was uploaded by someone else, and the original file is missing.
  • The script exists in Intune but is not stored anywhere in your organization’s source control.

Method 1: Retrieve PowerShell Scripts Directly from Intune using Microsoft Graph

Intune stores platform scripts as deviceManagementScript objects, with the script content saved as Base64 in the scriptContent property. When using Microsoft Graph to retrieve PowerShell scripts from Intune, you have two options.

The first option (Option A) is to use Microsoft Graph Explorer, which is ideal for downloading one or two scripts individually by specifying the deviceManagementScriptId. The second option (Option B) uses Microsoft Graph PowerShell to download all PowerShell scripts from Intune in a single operation. Both methods can be used to download script files. Use option A if you only need to retrieve a few scripts, and option B if you want to download all uploaded PowerShell scripts from Intune at once. Let’s walk through the steps for both options.

Option A: Download PowerShell Scripts using Microsoft Graph Explorer

To download PowerShell scripts using Microsoft Graph Explorer, follow the steps below.

  • Open Microsoft Graph Explorer and sign in with an account that has the required Intune Graph permissions or can provide admin consent for the required permissions (DeviceManagementScripts.Read.All).
  • Use the query below to list information about all platform scripts uploaded to Intune:

List Platform scripts

https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts

If you do not have the required permissions to run the graph query, the command will fail. Go to the Modify permissions tab, click Open the permissions panel, and search for the DeviceManagementScripts.Read.All permission. Click Consent, sign in with an administrator account that can grant consent, such as a Global Administrator, and then click Accept. After providing consent, rerun the query.

  • The screenshot below shows the execution of the Graph query https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts, which returns information about all PowerShell scripts uploaded in Intune. To retrieve the content of a specific PowerShell script, you will need the script ID. Copy the script ID for the script you want to download, as it will be used in the next command to retrieve the script contents.
  • Now use the Graph query below to retrieve the scriptContent. Replace the {deviceManagementScriptId} value with the script ID of the PowerShell script you want to download. After you run the query, it will output the scriptContent value. Copy the value of scriptContent (Base64 string) and paste it into Notepad, as it will be required to extract the actual PowerShell script content.

Retrieve scriptContent value

https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/{deviceManagementScriptId}

Example

https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/36cb59e0-5af5-436b-b744-286b59516c66
  • Decode the Base64 string to recover the PowerShell script (.ps1) content. You can decode it locally using the PowerShell code below:

Decode Base64 string

# Paste the Base64 value from scriptContent
$b64 = "<scriptContent from Graph>"
[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) |
    Out-File -FilePath "C:\Temp\Recovered-IntuneScript.ps1" -Encoding utf8

  • The screenshot below demonstrates decoding the Base64 string to recover the PowerShell script content.
  • Based on the command, the recovered PowerShell file is created in the C:\Temp folder with the name Recovered-IntuneScript.ps1. Repeat the process to recover the contents of other PowerShell scripts uploaded in Intune. In the next steps, I will show Option B, which uses Microsoft Graph PowerShell to download all PowerShell scripts from Intune in one go.

Option B: Export All Platform Scripts using Microsoft Graph

Microsoft Graph Explorer is ideal when you want to download one or two scripts. However, it becomes tedious when you need to download hundreds of platform scripts from Intune. In such cases, you can use Microsoft Graph PowerShell to export or download all PowerShell scripts quickly by running a single script. Let’s review the steps:

  • Install the Microsoft Graph PowerShell module on your device. Use the command below to install the module. If you encounter any issues during installation or are looking for alternative installation methods, refer to the guide, How to Install Microsoft Graph PowerShell Module.
Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force
Connect-MgGraph -Scopes "DeviceManagementScripts.Read.All"
  • Once the script is executed successfully, it will create a folder called IntunePlatformScripts under C:\temp with all your platform scripts downloaded from Intune.
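
One way to perform the bulk export described in Option B, as an added example that is not the original article's script. It assumes Connect-MgGraph has already run with DeviceManagementScripts.Read.All; the manifest.csv file and the ID-prefixed file names are choices made for this example so that each recovered script can be audited by SHA-256 hash.

```powershell
# Added example: export every Intune platform script and record a hash manifest.
# Assumes: Connect-MgGraph -Scopes "DeviceManagementScripts.Read.All" has already run.
$outDir = 'C:\Temp\IntunePlatformScripts'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$base     = 'https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts'
$uri      = $base
$manifest = @()

while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($item in $page.value) {
        # Fetch each script by ID (same query as Option A) to get scriptContent.
        $script = Invoke-MgGraphRequest -Method GET -Uri "$base/$($item.id)"
        if ([string]::IsNullOrEmpty($script.scriptContent)) {
            Write-Warning "No scriptContent returned for $($item.displayName) ($($item.id))"
            continue
        }
        $bytes = [Convert]::FromBase64String($script.scriptContent)

        # fileName comes from the tenant: replace path separators and other
        # invalid characters so the file can only land inside $outDir.
        $leaf = [string]$script.fileName
        foreach ($c in [IO.Path]::GetInvalidFileNameChars()) { $leaf = $leaf.Replace([string]$c, '_') }
        if (-not $leaf) { $leaf = 'script.ps1' }
        # Prefix with the script ID so identical file names do not overwrite each other.
        $path = Join-Path $outDir "$($script.id)_$leaf"

        # Write raw bytes so the original encoding (and any BOM) is preserved.
        [IO.File]::WriteAllBytes($path, $bytes)

        $manifest += [pscustomobject]@{
            Id          = $script.id
            DisplayName = $script.displayName
            FileName    = $script.fileName
            RunAs       = $script.runAsAccount
            SavedTo     = $path
            SHA256      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
    $uri = $page.'@odata.nextLink'   # follow paging until no next link is returned
}
$manifest | Export-Csv -Path (Join-Path $outDir 'manifest.csv') -NoTypeInformation -Encoding UTF8
```

Review the exported files as text before running any of them, and check them into source control together with the manifest.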

Method 2: Retrieve Scripts from Device before IME Deletes It

You can also get back or retrieve your uploaded PowerShell scripts from Intune by assigning the script to a test device and retrieving it from the device. When you assign a PowerShell script to a device using Intune admin center > Devices > Scripts and remediations > Platform scripts, the script is downloaded and cached on the device before execution. IME caches the PowerShell scripts at the location below:

C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts

To ensure successful recovery of the PowerShell script, follow the steps below:

  • Assign the Intune deployment of the PowerShell script to a test device.
  • On the test device, sign in with local admin rights and open the C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts location.
  • Wait for the script to download; to speed it up, force a manual Intune sync.
  • As soon as the script file is there, copy it to a safe location (for example, C:\Temp\RecoveredScripts\) because IME may remove the file shortly after the script completes.
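
The copy step above can be automated on the test device; the loop below is an added example, not part of the original article. The 30-minute limit and the half-second polling interval are assumptions, and C:\Temp\RecoveredScripts is the example destination named in the step.

```powershell
# Added example: copy files out of the IME script cache as soon as they appear.
# Run in an elevated PowerShell session on the test device; stop early with Ctrl+C.
$cache = 'C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts'
$dest  = 'C:\Temp\RecoveredScripts'
New-Item -ItemType Directory -Path $dest -Force | Out-Null

$seen     = @{}
$deadline = (Get-Date).AddMinutes(30)   # assumption: give up after 30 minutes

while ((Get-Date) -lt $deadline) {
    # The folder may not exist until IME is installed, so errors are suppressed here.
    $files = Get-ChildItem -Path $cache -File -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        # Track name, size and write time so a rewritten file is copied again.
        $key = "$($f.Name)|$($f.Length)|$($f.LastWriteTimeUtc.Ticks)"
        if ($seen.ContainsKey($key)) { continue }
        try {
            $target = Join-Path $dest $f.Name
            Copy-Item -LiteralPath $f.FullName -Destination $target -Force -ErrorAction Stop
            $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
            Write-Host "Copied $($f.Name)  SHA256=$hash"
            $seen[$key] = $true
        } catch {
            # The file may still be locked or already removed by IME; retry on the next pass.
            Write-Warning "Could not copy $($f.Name): $($_.Exception.Message)"
        }
    }
    Start-Sleep -Milliseconds 500
}
```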

If nothing appears in the Scripts folder, use the logs to verify whether the script actually targeted the device and executed successfully. Also note that if you are trying to recover a script from a device where it was already assigned and executed, this process may not work. Intune might not download the script again to the same device unless there are changes to the script. For this reason, use a fresh test device where the script has never been assigned.

Method 3: Recover Script Content from IME Logs

If you miss the cache window, you can try again, or the next best option is to use Intune Management Extension (IME) logs to reconstruct what was executed. This is not the best way to recover scripts, but if none of the previous methods are available, it is another option you can use. Let’s review the steps:

  • Go to the C:\ProgramData\Microsoft\IntuneManagementExtension\Logs folder.
  • Open the IntuneManagementExtension.log file. For best readability of log files, use the CMTrace tool.
  • Search for the script name, policy ID, or execution entries.
  • If the log includes the script body or sufficient fragments, reconstruct and save it as a .ps1.

Troubleshooting

I hope that by using one of the methods above, you can retrieve your PowerShell scripts uploaded to Intune. If you encounter any issues, follow the troubleshooting guidance below:

  • IME folders or logs are missing: IME installs automatically only when qualifying workloads are assigned (PowerShell scripts, Win32 apps, etc.) and can be removed when no longer required.
  • Script does not run when you reassign it: Platform scripts have specific run and retry behavior, including retry limits after failures, and they do not run at every sign-in by default.
  • 32-bit vs. 64-bit PowerShell confusion: Intune’s “Run script in 64-bit PowerShell host” behavior differs for new vs. existing scripts and depends on client architecture. Confirm this setting if the script relies on 64-bit paths or modules.

Best Practices (So You Never Need Recovery Again)

  • Store all scripts in source control (Git/Azure DevOps) and treat Intune as a deployment channel.
  • Add a header block in every script (version, author, Git commit, change log).
  • Write operational logs to a known path (for example, C:\ProgramData\<Org>\Logs) so auditing is easier.
