Is Intune Hydration Kit free?

Yes, Intune Hydration Kit is completely free to use. It is an open-source tool available to the Intune community.

PowerShell ModuleAutomation

Intune Hydration Kit

A PowerShell module that automates Microsoft Intune tenant setup by deploying 70+ security baselines, 43 dynamic groups, 24 device filters, compliance policies, app protection policies, and Conditional Access policies in a single command. Integrates OpenIntuneBaseline and supports multi-cloud environments.

Works with

WindowsGraph APISecurity BaselinesConfig ProfilesComplianceConditional AccessDevice FiltersApp Protection

Created by

Jorge Suarez

View on GitHubGitHub Download Visit Website

Security Analysis

6of 6

All Checks Passed

45 files scanned on Jan 8, 2026

No Obfuscated Code

No Remote Execution

No Credential Theft

No Data Exfiltration

No Malicious Patterns

No Hardcoded Secrets

AI Analysis

High risk: remote repository download without verification; potential RCE risk if the downloaded baseline is malicious. Moderate risk: bypass of WhatIf for destructive actions could cause data loss. Moderate risk: logging of sensitive Data to logs if misused. No embedded hardcoded secrets or obvious credential harvesting. The tool appears to be legitimate administrative tooling for Intune hydration, but must enforce code-signing, artifact verification, and safer logging.

Screenshots

PS Script

IntuneComplianceMaintainer

IntuneComplianceMaintainer is a PowerShell automation script that keeps Microsoft Intune compliance and app-protection policies up to date with the latest supported OS minimums across iOS, iPadOS, macOS, Android, and Windows. It uses endoflife.date and the Graph Windows Update Catalog to drive cadence-based updates, with flexible authentication (Managed Identity, App Registration with certificate or secret, plus Key Vault integration) and safety features like dry-run and downgrade protection. It provides comprehensive logging and built-in retry logic for resilience.

James Robinson

Web App

OIB Deployer

OIB Deployer automates the deployment of OpenIntuneBaseline configurations within Microsoft Intune, enabling rapid, repeatable rollouts of baseline security policies and device configurations. It supports policy templating, script deployment, and integration with community-provided baseline content, with built-in logging and error reporting for auditability. Ideal for IT admins seeking consistent, scalable endpoint security across devices.

James Robinson

Web App

TenuVault

TenuVault is a safe backup and restore solution for Microsoft Intune configurations. It backs up Intune policies to JSON files, detects configuration drift, and restores by creating new policies with a [Restored] prefix - never overwriting existing ones. It supports multiple export formats (JSON, CSV, HTML), full audit logs, and a read-only backup model with preview mode to ensure non-destructive changes.

Ugur Koc

PowerShell Module

Entra ID Device Trust

Entra ID Device Trust enables binding Function Apps to Entra ID joined devices by validating requests originate from trusted devices via the device certificate enrolled during device registration. It combines client-side data gathering (signature hash, device CN, public key, thumbprint) with server-side validation, and can be embedded as a module in your Function App or installed as a dependency. The solution supports embedding EntraIDDeviceTrust.Client on clients and EntraIDDeviceTrust.FunctionApp in Function Apps for seamless, enhanced request security.

Nickolaj Andersen