Intune Hydration Kit
Automate best-practice configurations with a single command
```powershell
Install-Module -Name IntuneHydrationKit -Scope CurrentUser
Import-Module IntuneHydrationKit
Invoke-IntuneHydration -TenantId "your-tenant-id" -Interactive -Create -All
```
- 91 Security Baselines
- 50 Dynamic Groups
- 24 Device Filters
- 21 CA Policies
- 8 App Protection
- 17 Mobile Apps
Features
- OpenIntuneBaseline Integration: Auto-downloads latest community security baselines
- Multi-Platform Support: Windows, macOS, iOS, Android, Linux
- Idempotent Operations: Safe to run multiple times without side effects
- WhatIf Preview: Dry-run before making any changes to your tenant
- Safe Deletion: Only removes kit-created objects with -Delete flag
- Detailed Reporting: Markdown and JSON output for documentation
- Multi-Cloud Support: Global, GCC High, DoD, and sovereign clouds
- App Protection Framework: MAM policies implementing Microsoft's L1-L3 framework
What Gets Created
| Category | Count | Description |
|---|---|---|
| Dynamic Groups | 50 | Device and user targeting groups (OS, manufacturer, Autopilot, ownership, VMs, license-based) |
| Static Groups | 5 | Update ring groups (Pilot, UAT, Broad) and assignment groups |
| Device Filters | 24 | Platform, manufacturer, and VM-based filters (Windows, macOS, iOS, Android) |
| Security Baselines | 91 | OpenIntuneBaseline policies (Windows, macOS) |
| Compliance Policies | 10 | Multi-platform compliance (Windows, macOS, iOS, Android, Linux) |
| App Protection | 8 | MAM policies following Microsoft's App Protection Framework (Level 1-3 for iOS and Android) |
| Mobile Apps | 17 | Microsoft Store apps (Company Portal, Teams, Slack, Spotify, etc.) |
| Enrollment Profiles | 4 | Autopilot deployment profiles + Enrollment Status Page |
| Conditional Access | 21 | Starter pack policy templates (created disabled) |
Prerequisites
- PowerShell 7+: Cross-platform PowerShell for modern scripting
- Microsoft.Graph.Authentication: PowerShell module for Graph API authentication
Required Graph API Permissions
- DeviceManagementConfiguration.ReadWrite.All
- DeviceManagementServiceConfig.ReadWrite.All
- DeviceManagementManagedDevices.ReadWrite.All
- DeviceManagementScripts.ReadWrite.All
- DeviceManagementApps.ReadWrite.All
- Group.ReadWrite.All
- Policy.Read.All
- Policy.ReadWrite.ConditionalAccess
- Application.Read.All
- Directory.ReadWrite.All
- LicenseAssignment.Read.All
- Organization.Read.All
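
A preflight check for the prerequisites above, as an added example that is not part of the kit or of this page: it confirms the Graph session is in the intended tenant and holds the listed scopes before a `-Create` run, and reports any scopes granted beyond that list. `Test-HydrationSession` is a hypothetical helper name, the tenant ID and sample scopes are constructed placeholders, and a delegated sign-in is assumed.

```powershell
# Added example (not part of IntuneHydrationKit): preflight check of the Graph session.
# Scopes copied from the "Required Graph API Permissions" list on this page.
$RequiredScopes = @(
    'DeviceManagementConfiguration.ReadWrite.All'
    'DeviceManagementServiceConfig.ReadWrite.All'
    'DeviceManagementManagedDevices.ReadWrite.All'
    'DeviceManagementScripts.ReadWrite.All'
    'DeviceManagementApps.ReadWrite.All'
    'Group.ReadWrite.All'
    'Policy.Read.All'
    'Policy.ReadWrite.ConditionalAccess'
    'Application.Read.All'
    'Directory.ReadWrite.All'
    'LicenseAssignment.Read.All'
    'Organization.Read.All'
)

# Test-HydrationSession is a hypothetical helper name, not a cmdlet from the kit.
function Test-HydrationSession {
    param(
        [Parameter(Mandatory)][string]$ExpectedTenantId,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$GrantedScopes
    )
    # OpenID Connect sign-in scopes; not counted as extra.
    $oidc = 'openid', 'profile', 'email', 'offline_access'
    # -notin compares case-insensitively.
    $missing = @($RequiredScopes | Where-Object { $_ -notin $GrantedScopes })
    $extra   = @($GrantedScopes | Where-Object { $_ -notin $RequiredScopes -and $_ -notin $oidc })
    [pscustomobject]@{
        TenantMatches = ($TenantId -eq $ExpectedTenantId)
        Missing       = $missing   # required scopes the session lacks
        Extra         = $extra     # scopes held beyond what the page lists
        Ready         = ($TenantId -eq $ExpectedTenantId) -and ($missing.Count -eq 0)
    }
}

# Use the live session if one exists (Get-MgContext is from Microsoft.Graph.Authentication);
# otherwise fall back to constructed sample values so the check can be read offline.
$ctx = if (Get-Command Get-MgContext -ErrorAction SilentlyContinue) { Get-MgContext }
$tenant  = if ($ctx) { $ctx.TenantId } else { '00000000-0000-0000-0000-000000000000' }
$granted = if ($ctx) { [string[]]@($ctx.Scopes | Where-Object { $_ }) } else { @('openid', 'Group.ReadWrite.All', 'User.Read') }

$result = Test-HydrationSession -ExpectedTenantId 'your-tenant-id' -TenantId $tenant -GrantedScopes $granted
$result | Format-List
if (-not $result.Ready) { Write-Warning 'Session does not match; do not run Invoke-IntuneHydration -Create yet.' }
```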