AI Intune PowerShell Script Generator

Describe what you need. We'll write the PowerShell.

The IntuneAutomation Script Generator is a free, browser-based AI tool that turns plain-English requests into production-ready PowerShell scripts for Microsoft Intune and Microsoft Graph. No sign-in and no installation required. Your prompt is sent to Anthropic for processing and is never stored on our servers.

Don't paste secrets, credentials, or tenant IDs.
We scrub obvious patterns (GUIDs, tokens, keys, emails) before sending — but you're the first line of defense.

Powered by Claude Haiku 4.5. Free for everyone — please use responsibly so it stays free.

What it does

Built specifically for Microsoft Intune

Unlike general-purpose AI chat tools, the IntuneAutomation Script Generator is purpose-built for Microsoft Intune and Microsoft Graph. It enforces an Intune-focused system prompt, runs a PSScriptAnalyzer-style lint pass on every result with one-click fix-ups, redacts secrets before sending the prompt, and produces scripts that follow the same comment-based help conventions used by the 120+ open-source scripts in the IntuneAutomation library.

  • Plain-English prompt to PowerShell script
  • Streaming output
  • Built-in PSScriptAnalyzer-style lint pass
  • One-click Fix issues
  • Inline refinement loop
  • Automatic secret redaction (GUIDs, tokens, keys, emails)
  • No sign-in required
  • Free with daily quota
  • Powered by Claude Haiku 4.5

Quick facts

Generator at a glance

Key facts about the IntuneAutomation Script Generator

  • Price: Free
  • Sign-in required: No
  • Daily limit: 20 generations per IP
  • AI model: Claude Haiku 4.5 (Anthropic)
  • Output format: PowerShell (.ps1)
  • Prompt storage: None — not stored on our servers
  • Secret redaction: Automatic for GUIDs, tokens, API keys, and emails
  • Targets: Microsoft Intune, Microsoft Graph, Windows, macOS
  • Lint pass: Built-in, with one-click Fix issues

How it works

Three steps from prompt to .ps1

  1. Describe the task in plain English

    Type what you want the script to do — for example, list all stale Intune devices that haven't checked in for 90 days and export to CSV.

  2. Generate the script

    The generator streams a production-ready PowerShell script that uses the Microsoft Graph PowerShell SDK and includes comment-based help and the required Graph permission scopes.

  3. Review, refine, and run

    Read the script, optionally use the inline Refine box to ask for changes (for example, switch to Managed Identity authentication), then copy or download the .ps1 file and run it locally with Connect-MgGraph or deploy it to Azure Automation.

Quality checks

What we verify in every script

Every generated script runs through six independent checks. The inspector panel on the right of the output streams these in real time during generation. Any warning or failure triggers an automatic fix pass at no quota cost.

  • Metadata

    The comment-based help block at the top of every script must be complete and tagged correctly.

    • All 12 required fields present: .TITLE, .SYNOPSIS, .DESCRIPTION, .TAGS, .PLATFORM, .PERMISSIONS, .AUTHOR, .VERSION, .CHANGELOG, .LASTUPDATE, .EXAMPLE, .NOTES
    • .AUTHOR is tagged AI Generated (IntuneAutomation.com) — never an impersonated person
    • .LASTUPDATE is set to today's date in YYYY-MM-DD format
  • Permissions

    Every Microsoft Graph permission scope declared in .PERMISSIONS must be a real scope, not invented.

    • Each scope is matched against the official Microsoft Graph permission list (~700 scopes refreshed weekly from merill/msgraph)
    • Unknown or misspelled scopes are flagged — common cause of Connect-MgGraph failures at runtime
  • Security

    Detects code-injection and credential-leak risks in the script body.

    • No Invoke-Expression or iex on user-controlled input
    • No hardcoded passwords, API keys, tokens, or connection strings
    • No -ExecutionPolicy Bypass without a reason
    • No hardcoded non-Microsoft external URLs (webhook URLs must be parameters)
  • Correctness

    Catches logic bugs that pass syntax check but fail at runtime against a real Graph tenant.

    • Null-unsafe [DateTime]::Parse on Graph date fields like lastSyncDateTime — Parse throws on null, a post-assignment null check is dead code
    • Cmdlet confusions: Get-SecureBootUEFI used as a boolean, Get-Tpm used for BitLocker status
    • Connect-MgGraph -Identity used without an Azure Automation detection branch (interactive runs fail)
    • Every https://graph.microsoft.com/... URI is matched against the published Graph endpoint catalog (6,300+ endpoints)
    • All Graph URIs must use the /beta path, never /v1.0 — the beta surface exposes the full Intune device-management API
  • Safety

    Guards on destructive bulk operations. Different from Security — Safety is about protecting the tenant from accidental mass changes, not about code-level vulnerabilities.

    • Any call to /retire, /wipe, /delete, /reset must run inside a script declared with [CmdletBinding(SupportsShouldProcess=$true)]
    • SupportsShouldProcess gives the admin -WhatIf for safe-preview and -Confirm for explicit approval
    • Without it, a single fat-finger run can wipe hundreds of devices with no undo
  • Graph endpoints

    Each Microsoft Graph URI literal in the script is checked against the full published endpoint catalog in real time as the script streams in.

    • Unknown endpoints are flagged with up to 3 closest known matches as candidate replacements
    • Catches model hallucinations — invented paths that look plausible but don't exist
    • Skipped when the URI contains PowerShell variable interpolation in the path (final URI not knowable statically)
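
A script shape that would satisfy the Correctness and Safety checks listed above, shown as an added example (it is not output from the generator and not code from the IntuneAutomation library). The function name and the sample devices are hypothetical and constructed for illustration; `Invoke-MgGraphRequest` is the request cmdlet from the Microsoft Graph PowerShell SDK.

```powershell
function Invoke-StaleDeviceRetire {
    # SupportsShouldProcess adds -WhatIf / -Confirm; ConfirmImpact 'High' prompts by default.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Objects shaped like Graph managedDevice resources (id, deviceName, lastSyncDateTime).
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Device,

        [ValidateRange(1, 3650)]
        [int]$StaleDays = 90
    )
    begin { $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays) }
    process {
        # Null check BEFORE parsing: [DateTime]::Parse throws on a null value,
        # so a check placed after the assignment would never be reached.
        if ([string]::IsNullOrWhiteSpace($Device.lastSyncDateTime)) {
            Write-Warning "$($Device.deviceName): no lastSyncDateTime, skipped"
            return
        }
        $lastSync = [DateTime]::Parse($Device.lastSyncDateTime,
            [Globalization.CultureInfo]::InvariantCulture,
            [Globalization.DateTimeStyles]::AdjustToUniversal)
        if ($lastSync -ge $cutoff) { return }   # synced recently, leave it alone

        $uri    = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($Device.id)/retire"
        $action = 'Retire (last sync {0:yyyy-MM-dd})' -f $lastSync
        # ShouldProcess returns $false under -WhatIf, so the POST is never sent in a preview run.
        if ($PSCmdlet.ShouldProcess($Device.deviceName, $action)) {
            $null = Invoke-MgGraphRequest -Method POST -Uri $uri
            [pscustomobject]@{ DeviceName = $Device.deviceName; LastSync = $lastSync; Action = 'Retired' }
        }
    }
}

# Constructed sample objects (placeholder ids). -WhatIf only previews the action,
# so this runs without a Graph connection.
$sample = @(
    [pscustomobject]@{ id = '<device-id-1>'; deviceName = 'LAB-PC-01'; lastSyncDateTime = '2020-01-15T08:30:00Z' }
    [pscustomobject]@{ id = '<device-id-2>'; deviceName = 'LAB-PC-02'; lastSyncDateTime = $null }
    [pscustomobject]@{ id = '<device-id-3>'; deviceName = 'LAB-PC-03'; lastSyncDateTime = (Get-Date).ToUniversalTime().ToString('o') }
)
$sample | Invoke-StaleDeviceRetire -StaleDays 90 -WhatIf
```

Because the retire URI is built with variable interpolation, the endpoint-catalog check described above would skip it, so the path still needs a manual read before a live run.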

Examples

What people generate

Real-world Intune automation prompts the generator handles well. Use one as a starting point or paste your own.

  • List all stale Intune devices that haven't checked in for 90 days and export to CSV
  • Detection script: check if BitLocker is enabled on the system drive
  • Report all Conditional Access policies with their assignments and conditions
  • Find apps with deployment failures in the last 7 days and email a summary
  • Audit Intune compliance policy assignments and flag devices out of compliance
  • Export all Autopilot device registrations with their group tag and assigned user
  • Generate a remediation script that re-enrolls a Windows device when MDM sync fails
  • List all macOS devices missing a required configuration profile

FAQ

Frequently asked questions

What is the IntuneAutomation Script Generator?

The IntuneAutomation Script Generator is a free, browser-based AI tool that turns plain-English requests into production-ready PowerShell scripts for Microsoft Intune and Microsoft Graph. It runs entirely in your browser, requires no sign-in or installation, and is designed specifically for endpoint administrators who want to automate Intune tasks without writing the boilerplate by hand.

Is the Intune script generator free?

Yes. The generator is free for everyone, with no sign-in required. To keep the service sustainable for the community, generation is rate-limited to 20 generations per IP per day. Refinements and lint-fix passes count toward the same daily quota.

Which AI model powers the script generator?

The generator is powered by Anthropic's Claude Haiku 4.5. Haiku 4.5 is fast, code-aware, and tuned for structured output, which makes it well-suited for generating PowerShell that follows IntuneAutomation conventions including comment-based help, parameter validation, and explicit Microsoft Graph permission scopes.

Are my prompts stored or used to train AI models?

No. Prompts are sent to Anthropic for processing and are not stored on our servers. Anthropic does not use API inputs or outputs to train its models by default. Before your prompt leaves the browser the generator scrubs obvious sensitive patterns including GUIDs, tokens, API keys, and email addresses, but you should still avoid pasting real credentials, tenant IDs, or production data.

What kinds of Intune tasks can it generate scripts for?

The generator targets Microsoft Intune, Microsoft Graph, and Windows or macOS device management. Common use cases include device inventory and stale-device reports, compliance and configuration policy reporting, app deployment and failure summaries, Conditional Access auditing, BitLocker and security baseline detection scripts, Autopilot diagnostics, and remediation scripts for Intune Endpoint Analytics. Requests outside this scope are rejected.

How does this compare to writing Intune scripts with general-purpose ChatGPT?

Unlike a general-purpose chat tool, the IntuneAutomation Script Generator is purpose-built for Microsoft Intune. It enforces a system prompt focused on Intune and Microsoft Graph, runs a PSScriptAnalyzer-style lint pass on every result with one-click fix-ups, redacts secrets before sending the prompt, and outputs scripts that follow the same comment-based help conventions used by the 120+ open-source scripts in the IntuneAutomation library.

Can I refine the generated script?

Yes. After generation, use the inline Refine box to ask for changes — for example, switch to Managed Identity authentication, add CSV export, or adjust the Graph permissions. Each refinement counts as one generation against your daily quota. You can also click Fix issues to auto-resolve any lint warnings the generator detects.

Related

Looking for pre-built scripts?

The IntuneAutomation library includes 120+ open-source PowerShell scripts maintained by the community, each with one-click deployment to Azure Automation as a scheduled runbook. Browse the catalog or read the blog for guides and best practices.