Table of Contents
Overview
In the ever-evolving landscape of Microsoft Graph PowerShell Modules, it can be difficult to decide on what tool to use when bulk managing or configuring objects in Intune. In hybrid environments, it’s common for technologists to use Group Policy Objects and Configuration profiles concurrently. Although profiles are making signifcicant progress with ADMX templates and the settings catalog, GPOs still allow for more granular configurations and preferences. That’s why it’s important to analyze a GPOs compatibility using Intune’s Group Policy Analytics feature.
Heading Toward the Cloud with Intune Configuration Profiles
Configuration profiles enable you to add, configure settings, and subsequently push these configurations to devices within your organization as long as they are managed in Intune. Like group policies that have been around for decades, this is a cloud-based solution to configure and manage your devices.
Intune Group Policy Analytics
The Group Policy Analytics feature allows you to generate a GPO report and upload the Group Policy Object XML File. This Microsoft Article discusses in-depth how to import an XML file and generate a report that tells you if the GPO can be converted to a configuration profile.
PowerShell Script to Import All GPOs into Group Policy Analytics
I was tasked with this issue and referenced a great blog post written by Damien Van Robaeys. I decided to add to the code and generate reports for my domain forest and use the formatted JSON and graph endpoint to complete my task. Let’s take a look at the script.
Import Required Modules and Connect to MSGraph
Import-module GroupPolicy
Import-Module ActiveDirectory
Import-module Microsoft.Graph.Intune
try{
Get-IntuneManagedDevice -Top 1 | out-null
}catch{
write-host "Please connect to Microsoft Graph Intune" -ForegroundColor Yellow
Connect-MSGraph
}
We import the modules and use Connect-MSGraph to interact with Intune.
Generate GPO XML Reports
function Add-Xmlreports{
param(
[string] $path
)
if( -not (test-path $path)){
New-Item -ItemType Directory -Path $path
}
foreach($gpo in (get-gpo -Domain (Get-ADDomain).DNSRoot -All)){
Get-GPOReport -Name $gpo.DisplayName -ReportType Xml | Out-File (join-path $path "$($gpo.DisplayName -replace " ","-").xml") -Force
}
}I created a function to loop through the domain and generate XML reports using the Get-GPOReport Cmdlet and place all the XML files in a directory.
Using Graph to Create the Migration Report
$reportsDir = "xmlReports"
$uri = "https://graph.microsoft.com/beta/deviceManagement/groupPolicyMigrationReports/createMigrationReport"
if( -not (test-path $reportsDir)){
Add-Xmlreports -path $reportsDir
}
foreach($reportName in (Get-ChildItem $reportsDir -Name)) {
$base64ReportContent = [convert]::ToBase64String((Get-Content (Join-Path $reportsDir $reportName) -Encoding byte))
Write-Output $reportName
$json = @"
{
"groupPolicyObjectFile": {
"ouDistinguishedName": "$reportName",
"content": "$base64ReportContent"
}
}
"@
Invoke-MSGraphRequest -Url $uri -HttpMethod POST -Content $json -ErrorAction Stop
}We need to make a POST request to the Graph API Endpoint “https://graph.microsoft.com/beta/deviceManagement/groupPolicyMigrationReports/createMigrationReport” I wouldn’t have found it if it weren’t for the blog post from Syst and Deploy. We define the URL and path we want to store our xml reports from the Add-XMLReports function. We then loop through the directory we created containing the XML files, converting the contents of the XML file as a byte array to a base64 string for the Graph API to use. We then create a JSON object containing the base64 string and the report name using a Here-String. Just a note, you can also create a hash table and then pipe it to ConvertTo-JSON. Finally, we use the Invoke-MSGraphRequest with the URL and Json content, make a POST request to create new analytics reports.
Completed Script
Import-module GroupPolicy
Import-Module ActiveDirectory
Import-module Microsoft.Graph.Intune
try{
Get-IntuneManagedDevice -Top 1 | out-null
}catch{
write-host "Please connect to Microsoft Graph Intune" -ForegroundColor Yellow
Connect-MSGraph
}
function Add-Xmlreports{
param(
[string] $path
)
if( -not (test-path $path)){
New-Item -ItemType Directory -Path $path
}
foreach($gpo in (get-gpo -Domain (Get-ADDomain).DNSRoot -All)){
Get-GPOReport -Name $gpo.DisplayName -ReportType Xml | Out-File (join-path $path "$($gpo.DisplayName -replace " ","-").xml") -Force
}
}
$reportsDir = "xmlReports"
$uri = "https://graph.microsoft.com/beta/deviceManagement/groupPolicyMigrationReports/createMigrationReport"
if( -not (test-path $reportsDir)){
Add-Xmlreports -path $reportsDir
}
foreach($reportName in (Get-ChildItem $reportsDir -Name)) {
$base64ReportContent = [convert]::ToBase64String((Get-Content (Join-Path $reportsDir $reportName) -Encoding byte))
Write-Output $reportName
$json = @"
{
"groupPolicyObjectFile": {
"ouDistinguishedName": "$reportName",
"content": "$base64ReportContent"
}
}
"@
Invoke-MSGraphRequest -Url $uri -HttpMethod POST -Content $json -ErrorAction Stop
}Conclusion
As I dive deeper into my PowerShell journey, using Graph will be critical to operations and efficiency. There are new tools coming out daily, including added support for the Microsoft.Graph.Beta Modules that can achieve this. I hope you learned a few new tools that can assist you in your SysOps journey. If you have any questions or advice, please drop a comment below or Contact me.
Now loading...