Public/Get-IntuneAllPolicies.ps1
function Get-IntuneAllPolicies {
    <#
    .SYNOPSIS
        Lists every policy category returned for the 'AllPolicies' audience together
        with a one-line summary of its assignments, and optionally exports the result.

    .DESCRIPTION
        Categories come from Get-IntuneCategoryDefinition, the per-entity work is done
        by a script block handed to Invoke-IntuneCategoryScan, and the collected buckets
        are printed with Write-Host and passed on to the export helpers.

        The report is an inventory of policy names, policy IDs and group display names.
        Treat console transcripts and exported files as sensitive tenant configuration
        data and store them accordingly.

    .PARAMETER ExportToCSV
        Forwarded to Export-ResultsIfRequested as both -ForceExport and -ExportToCSV.

    .PARAMETER ExportPath
        Forwarded unchanged to Export-ResultsIfRequested as -CustomExportPath.
        NOTE(review): no validation of the path happens in this function; confirm
        the helper handles it.

    .PARAMETER ScopeTagFilter
        When non-empty, every bucket is narrowed with Filter-ByScopeTag before display
        and export.
    #>
    [CmdletBinding()]
    param (
        [Parameter()]
        [switch]$ExportToCSV,

        [Parameter()]
        [string]$ExportPath,

        [Parameter()]
        [string]$ScopeTagFilter
    )

    Write-Host "Fetching all policies and their assignments..." -ForegroundColor Green
    $exportData = [System.Collections.ArrayList]::new()

    # Prints one category: a header, then either a "nothing found" notice or one
    # name / id / assignment entry per policy.
    function Invoke-PolicyAssignments {
        param (
            [Parameter(Mandatory = $false)]
            [object[]]$Policies,

            [Parameter(Mandatory = $true)]
            [string]$DisplayName
        )

        # The header is printed for empty and non-empty categories alike.
        Write-Host "`n------- $DisplayName -------" -ForegroundColor Cyan

        if ($null -eq $Policies -or $Policies.Count -eq 0) {
            Write-Host "No policies found for this category." -ForegroundColor Gray
            Write-Host ""
            return
        }

        foreach ($policy in $Policies) {
            # Name fallback order: displayName, then name, then a fixed placeholder.
            $policyName = "Unnamed Profile"
            if (-not [string]::IsNullOrWhiteSpace($policy.displayName)) {
                $policyName = $policy.displayName
            }
            elseif (-not [string]::IsNullOrWhiteSpace($policy.name)) {
                $policyName = $policy.name
            }

            Write-Host "Policy Name: $policyName" -ForegroundColor White
            Write-Host "Policy ID: $($policy.id)" -ForegroundColor Gray

            if (-not $policy.AssignmentSummary) {
                Write-Host "No assignments found" -ForegroundColor Yellow
            }
            else {
                Write-Host "Assignments: $($policy.AssignmentSummary)" -ForegroundColor Gray
            }
            Write-Host ""
        }
    }

    $categories = Get-IntuneCategoryDefinition -Audience 'AllPolicies'

    # Per-entity callback: builds the AssignmentSummary text for one entity and adds
    # the entity to the first bucket of its category.
    $processEntity = {
        param($ctx)

        $entity = $ctx.Entity
        $bucketKey = $ctx.Category.BucketKeys[0]
        $isAppProtection = $ctx.Category.Id -eq 'AppProtectionPolicies'

        $summaryLines = if ($isAppProtection) {
            # Historical App Protection summary: group names for assignments and
            # exclusions, no filter suffix, All Devices targets not listed.
            foreach ($assignment in $ctx.Assignments) {
                switch ($assignment.Reason) {
                    'All Users' { 'All Users' }
                    'Group Assignment' { "Group Assignment - $((Get-GroupInfo -GroupId $assignment.GroupId).DisplayName)" }
                    'Group Exclusion' { "Group Exclusion - $((Get-GroupInfo -GroupId $assignment.GroupId).DisplayName)" }
                }
            }
        }
        elseif (@('DeploymentProfiles', 'ESPProfiles', 'CloudPCProvisioningPolicies', 'CloudPCUserSettings') -contains $ctx.Category.Id) {
            # Historical summary for these categories: group name appended only for
            # inclusions, exclusions stay reason-only, no filter suffix.
            foreach ($assignment in $ctx.Assignments) {
                if ($assignment.Reason -ne 'Group Assignment') {
                    $assignment.Reason
                }
                else {
                    $groupInfo = Get-GroupInfo -GroupId $assignment.GroupId
                    "$($assignment.Reason) - $($groupInfo.DisplayName)"
                }
            }
        }
        elseif ($ctx.Category.Kind -eq 'EndpointSecurity' -and $null -ne $ctx.RawAssignments) {
            # Legacy intent-based ES policies keep their historical wording
            # ("Group: X" / "Exclude Group: X" / "Unknown") with filter suffix.
            # A target type that is not listed below is reported as "Unknown", so
            # that label means "not recognised by this report", not "unassigned".
            foreach ($assignment in $ctx.RawAssignments) {
                $target = $assignment.target
                $reasonText = switch ($target.'@odata.type') {
                    '#microsoft.graph.allLicensedUsersAssignmentTarget' { "All Users" }
                    '#microsoft.graph.allDevicesAssignmentTarget' { "All Devices" }
                    '#microsoft.graph.groupAssignmentTarget' { "Group: " + (Get-GroupInfo -GroupId $target.groupId).DisplayName }
                    '#microsoft.graph.exclusionGroupAssignmentTarget' { "Exclude Group: " + (Get-GroupInfo -GroupId $target.groupId).DisplayName }
                    default { "Unknown" }
                }
                $suffix = Format-AssignmentFilter -FilterId $target.deviceAndAppManagementAssignmentFilterId -FilterType $target.deviceAndAppManagementAssignmentFilterType
                "$reasonText$suffix"
            }
        }
        else {
            foreach ($assignment in $ctx.Assignments) {
                Format-AssignmentSummaryLine -Assignment $assignment
            }
        }

        # App Protection policies with no listed assignment are left out of the bucket
        # entirely, so their absence from the report does not mean the policy does not
        # exist in the tenant.
        if ($isAppProtection -and -not $summaryLines) {
            return
        }

        $entity | Add-Member -NotePropertyName 'AssignmentSummary' -NotePropertyValue ($summaryLines -join '; ') -Force
        $ctx.Buckets[$bucketKey].Add($entity)
    }

    $scanResult = Invoke-IntuneCategoryScan -Categories $categories -ProcessEntity $processEntity -ShowProgress
    $allPolicies = $scanResult.Buckets

    # Apply scope tag filter if specified. The key list is copied with @() first
    # because the loop assigns back into the collection it is walking.
    # NOTE(review): $script:ScopeTagLookup is not set in this function; it has to be
    # populated elsewhere in the module before this runs.
    if ($ScopeTagFilter) {
        foreach ($key in @($allPolicies.Keys)) {
            $allPolicies[$key] = @(Filter-ByScopeTag -Items $allPolicies[$key] -FilterTag $ScopeTagFilter -ScopeTagLookup $script:ScopeTagLookup)
        }
    }

    # Display all policies and their assignments, in this fixed order.
    $displaySections = @(
        @{ Bucket = 'DeviceConfigs'; Title = "Device Configurations" }
        @{ Bucket = 'SettingsCatalog'; Title = "Settings Catalog Policies" }
        @{ Bucket = 'CompliancePolicies'; Title = "Compliance Policies" }
        @{ Bucket = 'AppProtectionPolicies'; Title = "App Protection Policies" }
        @{ Bucket = 'AppConfigurationPolicies'; Title = "App Configuration Policies" }
        @{ Bucket = 'PlatformScripts'; Title = "Platform Scripts" }
        @{ Bucket = 'HealthScripts'; Title = "Proactive Remediation Scripts" }
        @{ Bucket = 'DeploymentProfiles'; Title = "Autopilot Deployment Profiles" }
        @{ Bucket = 'ESPProfiles'; Title = "Enrollment Status Page Profiles" }
        @{ Bucket = 'CloudPCProvisioningPolicies'; Title = "Windows 365 Cloud PC Provisioning Policies" }
        @{ Bucket = 'CloudPCUserSettings'; Title = "Windows 365 Cloud PC User Settings" }
        @{ Bucket = 'AntivirusProfiles'; Title = "Endpoint Security - Antivirus Profiles" }
        @{ Bucket = 'DiskEncryptionProfiles'; Title = "Endpoint Security - Disk Encryption Profiles" }
        @{ Bucket = 'FirewallProfiles'; Title = "Endpoint Security - Firewall Profiles" }
        @{ Bucket = 'EndpointDetectionProfiles'; Title = "Endpoint Security - EDR Profiles" }
        @{ Bucket = 'AttackSurfaceProfiles'; Title = "Endpoint Security - ASR Profiles" }
        @{ Bucket = 'AccountProtectionProfiles'; Title = "Endpoint Security - Account Protection Profiles" }
    )

    foreach ($section in $displaySections) {
        $bucketName = $section.Bucket
        $sectionPolicies = $allPolicies.$bucketName
        Invoke-PolicyAssignments -Policies $sectionPolicies -DisplayName $section.Title
    }

    # Add to export data.
    # NOTE(review): policy and group display names are tenant-supplied text that ends
    # up in a CSV. If the file is opened in a spreadsheet, cells starting with '=',
    # '+', '-' or '@' may be evaluated as formulas; whether the export helpers
    # neutralise such values is not visible here - confirm.
    Add-CategoryExportData -ExportData $exportData -Categories $categories -Buckets $allPolicies -AssignmentReason { param($item) $item.AssignmentSummary }

    # Export results if requested.
    # NOTE(review): $parameterMode is not assigned in this function, so it resolves
    # from an enclosing scope; confirm where it is set.
    Export-ResultsIfRequested -ExportData $exportData `
        -DefaultFileName "IntuneAllPolicies.csv" `
        -ForceExport:$ExportToCSV `
        -CustomExportPath $ExportPath `
        -ExportToCSV:$ExportToCSV `
        -ParameterMode:$parameterMode
}