
Group Policy analytics: Use PowerShell and Graph to import on-prem GPO reports to Intune and find the appropriate policy


In this post I will show you how to use PowerShell and the Graph API to analyse your on-prem GPOs from Intune in order to get the appropriate CSP for the GPO.


In my previous post I explained how to analyse (from the Intune portal) your on-prem GPOs in order to get the appropriate CSP for the GPO.

Now let's do it with PowerShell.

I will soon share a function that will allow you to:

- Export on-prem GPO from AD

- Import them on your tenant


Then I will go further and try to import the appropriate CSP directly into Intune by importing the on-prem GPO report.


Export on-prem GPO

First of all, we have to export our GPOs from our on-prem environment.

To do this, we will use the module GroupPolicy which is installed by default on your AD server.

See below the command to export a specific GPO using its name:

See below the command to export all GPOs from your domain:

Now that we know how to export GPOs, let's import them into Intune.


PowerShell and Graph module

In order to import a GPO report into Intune, we have to use the Graph Intune module.

You can find a previous post I did about it.

We will proceed as below:

1. Install the module 

2. Connect to your tenant using the below command

3. Type your credentials and connect

OR

Connect with secure credentials:

As there is no Group Policy cmdlet in the module for now, we will use the cmdlet Invoke-MSGraphRequest.

Now let's see how to manage GPO reports from Intune.


List GPO main report

What do we want?

We want to access the data from the below page:


To do this we will use the following resource: groupPolicyMigrationReport

See here for more information about it.

To get the GPO report data we will use the GET method.

The full resource path is the below one:

https://graph.microsoft.com/beta/deviceManagement/groupPolicyMigrationReports


See below the full command to get GPO main report:

Now if you want to get this just for one GPO and not all, just filter on the GPO name.

In the below example, we want to get the report for this WinRM GPO:


Delete a GPO report

What do we want?

We want to delete a previously imported XML GPO report.

To do this two resources are available: 

- groupPolicyMigrationReport 

- groupPolicyObjectFiles


The method to use is: DELETE

The resource path to use is the below one:

https://graph.microsoft.com/beta/deviceManagement/groupPolicyMigrationReports


To this path you have to add the ID of the GPO report.

Let's get it using the below command:

See below the full command to delete this GPO report:


Get GPO details

What do we want?

We want to access the data from the below page:


To do this we will use the following resource: groupPolicyObjectFiles 

See below the full command to get GPO details:

See below the result:


Now let's get details for only the WinRM GPO:

See below the result. The GPO details are located in the Content property.


However, as you may have noticed, it's not formatted as we want: it's in Base64 format.

Now let's decode it from Base64.

We will add the content in a specific variable, as below:

To decode the Base64 content, use the below code:

See below the result:



Upload a GPO XML to Intune

What do we want?

We have exported the on-prem GPOs to XML format.

We want to import those XML files into Intune.


Encode GPO XML report

The first step is to encode the report to Base64.

See below the code to do this:


Upload GPO XML to Intune

Now that we have encoded the XML report as Base64 content, we can upload it.

The resource to use is: createMigrationReport

The full resource path is the below one:

https://graph.microsoft.com/beta/deviceManagement/groupPolicyMigrationReports/createMigrationReport


The method to use is: POST

We will first create a JSON as below:

Then we will upload the JSON using the below command:
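
The encode and decode steps described above (Base64-decoding the Content property, and Base64-encoding an exported XML report for createMigrationReport), shown as an added example that is not code from the original post. The helper names, the sample report and the OU are constructed, and the JSON property names (groupPolicyObjectFile, ouDistinguishedName, content) are an assumption based on the Graph beta schema.

```powershell
# Added example. Function names and sample values are hypothetical/constructed.
function ConvertTo-GpoReportBody {
    param(
        [Parameter(Mandatory)][string]$ReportPath,           # XML report exported from AD
        [Parameter(Mandatory)][string]$OuDistinguishedName
    )
    $full = (Resolve-Path -LiteralPath $ReportPath).Path
    # Reject anything that is not well-formed XML before it leaves the machine.
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($full)
    if ($xml.DocumentElement.LocalName -ne 'GPO') { throw "Not a single-GPO report: $full" }
    # Encode the raw bytes, so the file's own encoding and BOM are preserved.
    $bytes = [System.IO.File]::ReadAllBytes($full)
    @{
        groupPolicyObjectFile = @{                            # assumed body shape (Graph beta)
            ouDistinguishedName = $OuDistinguishedName
            content             = [System.Convert]::ToBase64String($bytes)
        }
    } | ConvertTo-Json -Depth 3
}

function ConvertFrom-GpoReportContent {
    param([Parameter(Mandatory)][string]$Content)            # Content property from Graph
    $bytes  = [System.Convert]::FromBase64String($Content)
    $stream = [System.IO.MemoryStream]::new($bytes)
    # Honour a byte-order mark if present; fall back to UTF-8 otherwise.
    $reader = [System.IO.StreamReader]::new($stream, [System.Text.Encoding]::UTF8, $true)
    try { $reader.ReadToEnd() } finally { $reader.Dispose() }
}

# Constructed sample report (not a real export), saved as UTF-16 with a BOM.
$sample  = Join-Path ([System.IO.Path]::GetTempPath()) 'Sample-WinRM.xml'
$xmlText = '<?xml version="1.0" encoding="utf-16"?>' +
           '<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings"><Name>WinRM</Name></GPO>'
[System.IO.File]::WriteAllText($sample, $xmlText, [System.Text.Encoding]::Unicode)

$body = ConvertTo-GpoReportBody -ReportPath $sample -OuDistinguishedName 'OU=Sample,DC=example,DC=com'
$back = ConvertFrom-GpoReportContent -Content ($body | ConvertFrom-Json).groupPolicyObjectFile.content
if ($back -cne $xmlText) { throw 'Round trip changed the report' }
'Round trip OK, {0} characters of JSON ready to POST' -f $body.Length

# With a Connect-MSGraph session, the upload uses the cmdlet and path from the post:
# Invoke-MSGraphRequest -HttpMethod POST -Content $body -Url `
#   'https://graph.microsoft.com/beta/deviceManagement/groupPolicyMigrationReports/createMigrationReport'
```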
