Introduction:
Microsoft Intune provides an efficient way to deploy configuration settings across device fleets, and it reports a succeeded, failed, or not applicable status for each configuration profile. However, understanding which settings are applied to a given device, and which configuration profile governs each of them, can be challenging.
To see the configuration profiles assigned to a device, you can open Intune, search for the device, and view the list of device configurations with their status. That view does not show the settings inside each profile, and it has no search capability. This makes things very complicated when you need to find out which configuration profile a specific setting belongs to, unless you have documented every setting and its profile name somewhere for troubleshooting purposes.
You can also use the advanced diagnostic report (generated from the work or school account section of Windows Settings), but it is still limited and does not cover this scenario.
Unlike the traditional Group Policy Objects (GPO) landscape, Intune lacks built-in tools like gpresult or RSoP for easily extracting these details for troubleshooting purposes.
RSoP (Resultant Set of Policy) and gpresult are tools used in Windows environments to show which Group Policy settings are applied to a specific user or computer. They help administrators troubleshoot and verify Group Policy settings.
As organizations transition from GPO to modern device management with Intune, the absence of a replacement tool for gpresult or rsop becomes apparent.
This gap poses a challenge, especially when security considerations require obtaining a comprehensive list of settings deployed via configuration profiles, including custom CSPs.
This blog post explores a solution using PowerShell and Microsoft Graph to extract detailed information about configuration settings and their corresponding profiles for given devices.
PowerShell Script Overview:
This PowerShell script is designed to retrieve and analyze Microsoft Intune policies for a given set of devices. The focus is on device configuration policies, endpoint security policies, and Windows Update for Business (WUfB) update rings.
Let's break down the requirements, workflow, and summary.
Requirements: The script relies on specific PowerShell modules (Microsoft.Graph.DeviceManagement, Microsoft.Graph, and Microsoft.Graph.Authentication) and on access to Microsoft Graph through the enterprise app "Microsoft Graph PowerShell" with specific scopes.
- Dependencies: The script relies on the following PowerShell modules. If they are not installed, the script installs them with the Install-Module cmdlet:
  - Microsoft.Graph.DeviceManagement
  - Microsoft.Graph
  - Microsoft.Graph.Authentication
- Access: The script requires a connection to Microsoft Graph, and it calls Connect-MgGraph with the following scopes for the enterprise app "Microsoft Graph PowerShell":
  - DeviceManagementConfiguration.Read.All
  - DeviceManagementManagedDevices.Read.All
  Both are read-only scopes. The workflow below only reads device and policy data and writes CSV files locally, so no ReadWrite scope should be requested or consented to.
- Input: The script prompts the user to input either a device name or a filename containing multiple device names.
- Output: The script generates CSV reports for each device in a folder named based on the execution date.
Workflow:
- Connect to Microsoft Graph: Utilizing the ConnectToGraph function, the script checks and installs the necessary modules and connects to Microsoft Graph with the required scopes.
- Get Device Policies: The Get-devicepolicies function retrieves device policies for a specified device ID using the Invoke-MgGraphRequest cmdlet.
- Export Policy Details: The Export-policyDetail function processes policy data for reporting, including policy ID, type, name, and status.
- Get Policy Settings: The Get-PolicySettingsReport function retrieves detailed settings for a specific policy, device, and user.
- Export Policy Setting Details: The Export-policySettingDetail function formats and exports policy setting details, including name, path, status, etc.
- Main Execution Loop: The script iterates through each device, retrieves and processes policies and settings, and generates CSV reports.
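The following is an added example of the same workflow written from scratch for this page; it is not the blog's Publish-RSOP-Settings-Intune script and does not use its functions. It connects with the two read-only scopes named above, resolves a device name to its Intune managed-device ID, lists the configuration profiles Intune reports for that device, expands each profile's setting states, and writes one CSV per device into a date-named folder. Assumptions: Microsoft Graph PowerShell SDK v2 is installed (for Connect-MgGraph -NoWelcome), the beta managedDevices/deviceConfigurationStates endpoint returns a populated settingStates collection as documented, and the device name exists in the tenant. Paging via @odata.nextLink is handled so devices or profiles beyond the first page are not silently dropped.

```powershell
# Added example, not the blog's script. Lists the profiles and per-setting states
# Intune reports for one device, using only read scopes.
# Assumptions: Graph PowerShell SDK v2; beta deviceConfigurationStates returns settingStates.
param(
    [Parameter(Mandatory = $true)][string]$DeviceName,
    [string]$OutDir = (Join-Path $PWD ('IntuneRSOP-' + (Get-Date -Format 'yyyyMMdd')))
)

# Read-only scopes are sufficient: nothing here writes to Intune.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementConfiguration.Read.All' -NoWelcome

# Follow @odata.nextLink so results beyond the first page are included.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    do {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}

# Resolve the friendly device name to the Intune managed-device id.
# Single quotes are doubled so a quote in the name cannot break the OData filter.
$escapedName = $DeviceName -replace "'", "''"
$devices = @(Get-GraphCollection "https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$filter=deviceName eq '$escapedName'")
if ($devices.Count -eq 0) { throw "No managed device named '$DeviceName' was found." }
if ($devices.Count -gt 1) { Write-Warning "Multiple devices named '$DeviceName'; using the first ($($devices[0].id))." }
$deviceId = $devices[0].id

# One entry per configuration profile Intune has evaluated for this device,
# each carrying the profile-level state and (assumed) a settingStates collection.
$profiles = @(Get-GraphCollection "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$deviceId/deviceConfigurationStates")

# Flatten to one row per setting: this is the gpresult-style view the post is after.
$rows = foreach ($p in $profiles) {
    foreach ($s in @($p.settingStates)) {
        [pscustomobject]@{
            Device            = $DeviceName
            ProfileName       = $p.displayName
            ProfileId         = $p.id
            ProfileState      = $p.state
            SettingName       = $s.settingName
            Setting           = $s.setting
            State             = $s.state
            CurrentValue      = $s.currentValue
            UserPrincipalName = $s.userPrincipalName
        }
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$csv = Join-Path $OutDir "$DeviceName-settings.csv"
$rows | Sort-Object ProfileName, SettingName | Export-Csv -Path $csv -NoTypeInformation
Write-Host "Wrote $(@($rows).Count) setting rows for $DeviceName to $csv"

# Example lookup once the CSV exists: which profile governs a given setting?
# Import-Csv $csv | Where-Object SettingName -match 'BitLocker' | Format-Table ProfileName, SettingName, State
```

Run it as `.\Get-IntuneDeviceSettings.ps1 -DeviceName PC-001` (the file name is arbitrary). The filter on deviceName returns every managed device with that name, which is why the script warns rather than silently picking one when a name is reused, for example after a re-enrollment. If your tenant relies heavily on Settings Catalog or endpoint security policies and settingStates comes back empty for them, that is the point at which the blog's script, which queries the policy settings report per policy, device, and user, goes further than this example.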
Download the Script: The PowerShell script, named "Publish-RSOP-Settings-Intune.zip," is available on the GitHub repository.
Execution and Permissions: Running the script without sufficient permissions prompts a request for admin approval. An Application Administrator or Global Administrator must grant consent to the required scopes before the script can proceed.
Script Execution Screenshots: The screenshots below show the script execution step by step: the connection to Microsoft Graph, the policy details, the policy settings, and the final CSV report.
Finally, the CSV output is what we are looking for: the setting name, setting path, setting status, and profile name, along with the settings applied to the user logged on to that device.
Conclusion:
The script enhances visibility into configuration settings applied via Intune, addressing the challenge of extracting detailed information for troubleshooting and compliance purposes.
Feel free to comment in the comment section if you use alternate methods for retrieving the configuration profiles and their settings for given devices.
I want to express my sincere thanks to Leon Zhu, a Microsoft Support Engineer, for his invaluable assistance in the development of this PowerShell script.
7 Comments
This tool is really a Swiss knife for support. It's well developed and appreciated. Just one observation I made is that Security Baseline for Windows 10 and later are not exported. Have you seen the same?
Hi,
I don't use baseline configuration policies, hence it was not tested with the script.
Let me see if I can create a few baseline policies and test whether they can be captured by the PowerShell script for validation.
thanks,
Eswar
This is really a Swiss knife to support. Just one observation. It did not export for me the MDM Security Baseline -Security Baseline for Windows 10 and later. have you seen the same?
Hi there, Thanks for making this, it has been on the wish list for ages.
I note that your script is using ReadWrite.All but your article says Read.All
I would have thought the Read.All is correct and no Write permission would be required?
Thanks very much
Thanks for the update.
I will look into the script and validate with Read.All and modify the script if required.
Thanks,
Eswar
This is fantastic! Can't wait to give it a whirl!
Thank you. Let me know how it goes.
Thanks,
Eswar