Group Policy analytics (preview) – Export linked and enabled GPOs.
Introduction
It has almost been a year since I wrote our original blog post about Group Policy analytics (preview) in Microsoft Endpoint Manager. Since then, several improvements have been added to the tool, but there are still a few areas lacking some attention, in my opinion! So, at our Modern Endpoint Management Summit 2022, I presented a live demo about how to export linked and enabled GPOs on-prem and perform a cleanup (bulk deletion) of the imported GPOs in Group Policy analytics after you have completed the analysis and transition to Intune.
Note. The Group Policy analytics migration to device configuration profile feature was not generally available at our Modern Endpoint Management Summit, so I could unfortunately not demo that feature. Instead, I will be writing a blog post about that feature soon.
Read about the prerequisites and requirements for Group Policy analytics (preview) and how to use the tool in our original blog post here – Analyze on-premises GPOs with MEM Group Policy analytics (preview).
Prerequisites and Requirements
- Access to Microsoft Graph
- PowerShell scripts (download)
Export linked and enabled GPOs as XML files
Let’s dive right into it. But first, you’ll need to download the PowerShell script from my GitHub repository.
Download the GPO export script from the GitHub repository here
Next, connect to your domain controller and copy the GPO export script to a folder (for example, C:\Temp).
From the Start Menu, search for PowerShell ISE and select it in the list.
Open the GPO export script and fill in the following variables:
- OURoot – Specify an Active Directory path.
- OUName – Specify a specific OU or add * for all OUs.
- GPOName – Optional – Use this variable to export GPOs containing a particular keyword.
- ExportPath – Specify a path where to save the exported GPOs.
Hit F5 or click on the Run Script button.
Go to your export folder, and you should see that all the GPOs linked and enabled on a specific OU or all OUs were exported and ready for import to Group Policy analytics in Intune.
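The export steps above can be sketched as follows. This is an added example, not the script from the GitHub repository: it reuses the four variable names from the list above with placeholder values, and assumes the RSAT ActiveDirectory and GroupPolicy modules are available on the machine.

```powershell
# Added example (not the author's script): export every GPO that is linked
# AND has its link enabled on the selected OUs, one XML report per GPO.
Import-Module ActiveDirectory, GroupPolicy

# Variable names follow the post; the values are placeholders.
$OURoot     = 'OU=Workstations,DC=example,DC=com'   # AD path to search under
$OUName     = '*'                                   # specific OU name, or * for all OUs
$GPOName    = ''                                    # optional keyword; empty = no filter
$ExportPath = 'C:\Temp\GPOExport'                   # where the XML files are written

New-Item -Path $ExportPath -ItemType Directory -Force | Out-Null

$ous = Get-ADOrganizationalUnit -SearchBase $OURoot -SearchScope Subtree `
                                -Filter "Name -like '$OUName'"

$exported = @{}   # GPO GUID -> file path, so a GPO linked to several OUs is exported once
foreach ($ou in $ous) {
    # GpoLinks holds only the links set directly on this OU (not inherited ones).
    $links = (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks |
             Where-Object { $_.Enabled }

    foreach ($link in $links) {
        if ($GPOName -and $link.DisplayName -notlike "*$GPOName*") { continue }
        if ($exported.ContainsKey($link.GpoId)) { continue }

        $gpo = Get-GPO -Guid $link.GpoId
        # A link can be enabled while the GPO itself has all settings disabled.
        if ($gpo.GpoStatus -eq 'AllSettingsDisabled') { continue }

        # Strip characters that are not valid in Windows file names.
        $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
        $file     = Join-Path $ExportPath "$safeName.xml"

        Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $file
        $exported[$link.GpoId] = $file
    }
}

# List what was written so the result can be checked before importing to Intune.
$exported.Values | Sort-Object
```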
I have created this small GIF to show you the entire export process.
Perform a cleanup (bulk deletion) with Microsoft Graph
Once we have completed the GPO to Intune transition, we would probably like to clean up at some point in time. For now, the only option within the Microsoft Endpoint Manager web portal is to delete each imported GPO manually. So, I’ve gathered some inspiration from our amazing community (Thank you, Damien Van Robaeys) and came up with a few small script samples that will perform a bulk deletion based on a keyword or just delete everything.
Download the cleanup script from the GitHub repository here
First, let’s go to https://endpoint.microsoft.com
Click Devices | Group Policy analytics (preview)
Okay, we have completed the GPO to Intune transition and now want to clean up in Microsoft Endpoint Manager. But as you can see from the below screenshot, we can only delete each imported GPO manually! That’s not a big deal if it’s only a few GPOs, but what if you have imported several hundred policies? Then it would turn out to be a much more cumbersome task to complete, right?
Save the cleanup script somewhere on your local device (for example, C:\Temp).
Open the script in an elevated PowerShell ISE session.
If this is your first time working with Microsoft Graph, you need to install and import the module before connecting to Microsoft Graph. – Read more about Microsoft Graph at What is Microsoft Graph.
Mark the first three lines of the script and hit F8 or click on the Run Selection button.
You will be prompted for authentication.
If the authentication is a success, you should see your UPN and Tenant ID, and we are ready to run our samples.
Mark a sample in the script. – I chose the sample that deletes every imported GPO in Group Policy analytics.
Hit F8 or click on the Run Selection button.
You can see from the PowerShell output that all three GPOs are listed.
Let’s switch back to Microsoft Endpoint Manager and see if the imported GPOs have been deleted. – Success, they are all gone!
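A keyword-based bulk deletion with a dry run first could look like this. It is an added example, not the cleanup script from the GitHub repository: it assumes the Microsoft.Graph.Authentication module, the beta Graph endpoint deviceManagement/groupPolicyMigrationReports, and an account allowed to consent to DeviceManagementConfiguration.ReadWrite.All; the $Keyword and $Confirmed variables are hypothetical.

```powershell
# Added example (not the author's script): list imported GPO reports in
# Group Policy analytics, then delete the matching ones only after review.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$Keyword   = 'Legacy'   # hypothetical keyword; use '' to match every imported GPO
$Confirmed = $false     # leave $false for a dry run; set $true after checking the list
$baseUri   = 'https://graph.microsoft.com/beta/deviceManagement/groupPolicyMigrationReports'

# Collect all reports, following @odata.nextLink in case the result is paged.
$reports = @()
$uri = $baseUri
while ($uri) {
    $page     = Invoke-MgGraphRequest -Method GET -Uri $uri
    $reports += $page.value
    $uri      = $page.'@odata.nextLink'
}

$targets = @($reports | Where-Object { $_.displayName -like "*$Keyword*" })

# Always print what would be removed, so the selection can be verified first.
"Matched $($targets.Count) of $($reports.Count) imported GPOs:"
$targets | ForEach-Object { '  {0}  {1}' -f $_.id, $_.displayName }

if ($Confirmed) {
    foreach ($report in $targets) {
        # Escape the id in case it contains characters that are unsafe in a URL path.
        $id = [uri]::EscapeDataString($report.id)
        Invoke-MgGraphRequest -Method DELETE -Uri "$baseUri/$id"
        "Deleted: $($report.displayName)"
    }
} else {
    'Dry run only. Set $Confirmed = $true to delete the GPOs listed above.'
}

Disconnect-MgGraph | Out-Null
```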
I have created this small GIF to show you the cleanup process.
Summary
In this article, you learned how to export GPOs from Group Policy management on-prem using PowerShell and do a proper cleanup with Microsoft Graph after you have completed your GPO to Intune transition. – That’s it, folks. Happy testing!
If you have any questions regarding this topic, please feel free to reach out to us.
Sune Thomsen is based in Denmark, and he is a dedicated IT Consultant at Mindcore with over 19 years of experience in the IT industry. He has spent at least a decade specializing in client management via Microsoft Configuration Manager and Intune.
His key areas:
- Microsoft Intune (i.e., Autopilot, Windows 365, Endpoint Security, etc.)
- Client Management in general
- Application Management
- Cloud transitioning and building solutions toward the cloud
He's a Windows 365 and Windows MVP, an Official Contributor in a LinkedIn group with 41.500 members, and a Microsoft 365 Enterprise Administrator Expert.
Sune is passionate about community work and enjoys sharing his knowledge and experience and inspiring others via our blog. Besides blogging, he also writes newsletters on behalf of the Windows 365 community, does technical reviews for book publishers, and speaks at tech events.
Official Contributor here "Modern Endpoint Management":
https://www.linkedin.com/groups/8761296/