Group Policy analytics (preview) made a bit easier with PowerShell
31-05-2023 8:52 PM
Disclaimer: All information and content in this blog post is provided without any warranty whatsoever. The entire risk of using this information or executing the provided content remains with you. Under no circumstances should mentioned persons or vendors, the author, or anyone else involved in creating these blog posts be held liable for any damage or data loss.
Group Policy analytics (preview) – Export linked and enabled GPOs.
It has almost been a year since I wrote our original blog post about Group Policy analytics (preview) in Microsoft Endpoint Manager. Since then, several improvements have been added to the tool, but there are still a few areas lagging some attention, in my opinion! So, at our Modern Endpoint Management Summit 2022, I presented a live demo about how to export linked and enabled GPOs on-prem and perform a cleanup (bulk deletion) of the imported GPOs in Group Policy analytics after you have completed the analysis and transition to Intune. Note. The Group Policy analytics migration to device configuration profile feature was not generally available at our Modern Endpoint Management Summit, so I could unfortunately not demo that feature. Instead, I will be writing a blog post about that feature soon. Read about the prerequisites and requirements for Group Policy analytics (preview) and how to use the tool in our original blog post here – Analyze on-premises GPOs with MEM Group Policy analytics (preview).
Let’s dive right into it. But first, you’ll need to download the PowerShell script from my GitHub repository. Download the GPO export script from the GitHub repository here Next, connect to your domain controller and copy the GPO export script to a folder (For example, C:Temp) From the Start Menu, search for PowerShell ISE and select it in the list.
Open the GPO export script and fill in the following variables:
- OURoot – Specify an Active Directory path.
- OUName – Specify a specific OU or add * for all OUs.
- GPOName – Optional – Use this variable to export GPOs containing a particular keyword.
- ExportPath – Specify a path where to save the exported GPOs.
Hit F5 or click on the Run Script button.
Go to your export folder, and you should see that all the GPOs linked and enabled on a specific OU or all OUs were exported and ready for import to Group Policy analytics in Intune.
I have created this small GIF to show you the entire export process.
Once we have completed the GPO to Intune transition, we would probably like to clean up at some point in time. And as for now, the only option within Microsoft Endpoint Manager web portal is to delete each imported GPO manually. So, I’ve gathered some inspiration from our amazing community (Thank you, Damien Van Robaeys) and came up with a few small scripts samples that will perform a bulk deletion based on a keyword or just delete everything. Download the cleanup script from the GitHub repository here First, let’s go to https://intune.microsoft.com Click Devices | Group Policy analytics (preview) Okay, we have completed the GPO to Intune transition and now want to clean up in Microsoft Endpoint Manager. But as you can see from the below screenshot, we can only delete each imported GPO manually! That’s not a big deal if it’s only a few GPOs, but what if you have imported several hundred policies? Then it would turn out to be a much more cumbersome task to complete, Right?
Save the cleanup script somewhere on your local device (For example, C:Temp) Open the script in an elevated PowerShell ISE session. If this is your first time working with Microsoft Graph, you need to install and import the module before connecting to Microsoft Graph. – Read more about Microsoft Graph at What is Microsoft Graph. Mark the first three lines of the script and hit F8 or click on the Run Selection button.
You will be prompt for authentication.
If the authentication is a success, you should see your UPN and Tenant ID, and we are ready to run our samples.
Mark a sample in the script. – I chose the sample that deletes every imported GPO in Group Policy analytics. Hit F8 or click on the Run Selection button. You can see from the PowerShell output that all three GPOs are listed.
Let’s switch back to Microsoft Endpoint Manager and see if the imported GPOs have been deleted. – Success, they are all gone!
I have created this small GIF to show you the cleanup process.
In this article, you learned how to export GPOs from Group Policy management on-prem using PowerShell and do a proper cleanup with Microsoft Graph after you have completed your GPO to Intune transition. – That’s it, folks. Happy testing! If you have any questions regarding this topic, please feel free to reach out to us.