Intune: Bulk Rename and Re-describe Every Profile in Minutes

G’day!

If you’ve ever inherited an Intune tenant, you’ll know the feeling. You open Configuration profiles, and there it is ‘Win10 – Bitlocker v2’, ‘BitLocker Policy (NEW)’, ‘Copy of Copy of Defender’, a SCEP profile someone named after themselves in 2021, and forty others with no description between them. It’s a mess, and it makes everything harder: reporting, handovers, audits, finding the right policy at 4 pm on a Friday.

So you go to fix it. And that’s when you hit the wall: Intune has no bulk rename. You’re renaming one policy at a time. In the portal, click by click by click. Change the name, save, wait for the blade to reload, back out, next one. Do that across compliance policies, scripts, filters, app protection, update rings… and an afternoon disappears.

I got a little fed up with it, so I built a little tool to do the whole lot in one go. It’s free, open source, and it’s called the Intune Profile Bulk Renamer Tool. This post walks through what it does and how to use it.

The problem (and why the portal can’t help)

Renaming in Intune is a per-object, manual job. There’s no multi-select, no find and replace, no “apply this naming convention to everything”. The Graph API can do it, but rolling your own script brings its own headaches:

  • Every content type sits at a different Graph endpoint with different property names. Settings Catalog uses ‘name’, almost everything else uses ‘displayName’.
  • The legacy template profiles (VPN, Wi-Fi, certificates and so on) need the right derived ‘@odata.type’ in the PATCH body or it falls over.
  • A lot of the good stuff only shows up on the beta endpoint, so a v1.0 script quietly misses your certificate and health monitoring profiles.
  • And you really don’t want a typo in a loop blasting every policy in your tenant with the wrong name.

I wanted something safer and quicker than scripting it each time. A proper GUI where I can see everything, edit it like a spreadsheet, export, edit and import the changes, preview the changes, and only then commit. So that’s what this is.

What it is

A self-contained PowerShell 7 and Windows Forms desktop tool that connects to Microsoft Graph and bulk-edits the display name and description of Intune objects.

The golden rule: it only ever touches the name and description. It doesn’t change settings, assignments, scope tags, platforms, or anything else about a policy. If a name or description hasn’t changed, the tool won’t even send a request for it.

It covers around twenty content types (all via Graph beta, so every derived template shows up):

  • Settings Catalog and Device Configuration (every template, so device restrictions, domain join, Wi-Fi, VPN, SCEP/PKCS/trusted certs, health monitoring, kiosk, custom OMA-URI and the rest)
  • Administrative Templates, and Templates/security baselines (intents)
  • Compliance policies
  • App protection (iOS and Android) and app configuration (managed apps and managed devices)
  • PowerShell, remediation and macOS shell scripts
  • Assignment filters, Autopilot profiles and device categories
  • Driver, feature and quality update profiles, and quality update policies
  • Entra ID groups (opt-in, more on that below)

The Intune Profile Bulk Renamer Tool main window, showing Intune policies loaded in an editable grid with Current Name, New Name, Current Description and New Description columns.

Where it really earns its keep: naming conventions

Here’s the bit I actually built it for. If you run a proper naming convention, where everything is prefixed or postfixed to show its environment or purpose (think ‘PROD -‘, ‘DEV -‘, ‘UAT -‘, or a trailing version like ‘v1.0, V.1.1’), keeping that tidy by hand is a slog. Someone forgets the prefix. A policy gets cloned and keeps the wrong one. The version bumps and nobody updates the name. Over time the convention drifts and stops being useful.

This tool turns that into a two-minute job and gives you a bit of change control over your naming, which is something Intune just doesn’t offer out of the box. A few examples I use it for:

  • Promoting a batch of test policies from ‘DEV -‘ to ‘PROD -‘ as they go live. Find and replace, done.
  • Pulling a load of inconsistent names back onto the convention. Export to CSV, fix them in Excel, import back.
  • Stripping old version numbers off the end before re-tagging. There’s a preset for that (more below).

If your naming is your source of truth for what a policy is and where it applies, this keeps it honest.

Getting it

It’s published to the PowerShell Gallery, so install is a one-liner. You only need the Graph authentication module as a prerequisite:

# Prerequisite (one-off)
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser

# Install the tool
Install-Script -Name Invoke-IntuneProfileManager -Scope CurrentUser

# Run it (PowerShell 7)
Invoke-IntuneProfileManager.ps1
PowerShell

Source, docs and issues are on GitHub:

How it works

The workflow is straightforward. Connect, choose what you want, pull it in, edit, preview, apply.

1. Connect

Click Connect to Intune and sign in. It uses delegated sign-in and asks for the scopes it needs across all the content types. An Intune Administrator role does the job nicely, so you don’t need Global Admin.

If you only consent to some of those scopes, that’s fine. The content types you can’t touch are simply skipped and logged, rather than the whole thing falling over.

2. Pick your content types

This is the bit I use most. Click Content Types and you get a checklist of everything the tool understands, with a Select all toggle. Tick what you care about, maybe just Settings Catalog and Compliance today, and leave the rest out.

The Content Types picker in the tool, a checklist of Intune content types (Settings Catalog, Device Configuration, Compliance, scripts, filters, Autopilot and more) with a Select all option, used to choose what to pull.

3. Pull

Hit Pull and it loads everything you selected into an editable grid. For Device Configuration profiles, the Type column even tells you the specific template kind in brackets, like ‘Device Configuration (VPN)’, ‘(SCEP certificate)’ or ‘(Domain join)’, so you’re not left guessing what’s what.

4. Edit, three ways

You’ve got options here:

Inline. Type straight into the *New Name* and *New Description* columns. Changed cells light up amber so you can see exactly what you’ve touched.

Excel. Click Export to drop the lot into a CSV, edit it in Excel (filter, fill-down, the usual), then Import it back in.

Export:

Open in Excel, make your changes:

Then import and apply (maybe do a dry run first to see what impact it’ll have):

Find and Replace. The quickest way to apply a convention across the board.

5. Find and Replace

This is where the time really gets saved. It’s a proper find and replace across the New Name and New Description columns, literal or regex, case-sensitive or not, all rows or just the ones you’ve selected. Leave the replace box empty to delete the matched text entirely.

My favourite use is stripping those trailing version numbers. You know the ones, ‘Defender Config v1.0’, ‘Wi-Fi Corp 1.1’, ‘BitLocker-2.8’. There’s a one-click Strip trailing version preset that fills in the regex for you:

[\s_\-]*[vV]?\d+(\.\d+)+\s*$
Plaintext

Click it, hit Preview to see how many it’ll change, and the version suffixes are gone. Want ‘PROD’ swapped for ‘DEV’ across everything? A couple of seconds.

The Find and Replace dialog in the tool, with options for regular expressions, case sensitivity, target columns, row scope, and a one-click Strip trailing version preset.

6. Preview, then apply

Before you commit anything, tick Dry run and hit Apply. It logs exactly what would change without sending a single request to Graph. Happy with it? Untick Dry run and Apply for real. Only the rows where the name or description actually changed get PATCHed, and every result, success or failure, lands in the activity log (and a daily log file next to the script).

Safety, because it writes to your live tenant

I built this to be careful, because it is editing production.

  • Automatic backup. Before every real apply, it writes a JSON snapshot of the current names and descriptions to a Backups folder. If you change your mind, Restore reads that snapshot and puts everything back.
  • Manual backup. There’s a Backup button too, for taking a snapshot whenever you like.
  • Dry run. Preview everything first.
  • It never blanks a name. Rows with an empty New Name are skipped.

A note on permissions

It requests these delegated Graph scopes at sign-in:

An admin consents to these once. Partial consent is fine, anything you haven’t granted just gets skipped.

Wrapping up

That’s the tool. It scratched a real itch for me, and hopefully it saves you an afternoon too. It’s free and open source, so grab it from the PowerShell Gallery, have a poke around the code on GitHub, and feel free to adapt it for your environment.

If you hit a bug or there’s a content type you’d like added, raise an issue on the GitHub repo. The type catalogue is data-driven, so adding a new one is usually a one-liner.

Provided without warranty of any kind. It edits live data in your tenant, so use it at your own risk and test first.

Happy renaming!

Leave a Reply...

Scroll to Top