WHAT IS GPO?
Group Policy Objects (GPOs) have been utilised by organisations for over 20 years now. Their main function is to control what a user can or cannot do on a computer system by configuring user settings and computer or administration settings on different devices within a domain.
These days, many companies choose to migrate to the cloud – an easier system where documents and data can be stored on a limitless infrastructure without the need for external storage devices and hard drives. Now that many organisations are looking to fully adopt these cloud solutions, tools such as Microsoft Endpoint Manager are used to manage workloads more efficiently, and Microsoft have introduced a tool called Group Policy Analytics that helps with the Group Policy side of things.
To determine which GPO settings can be successfully migrated to the cloud, a full review of the on-premises GPOs must be undertaken initially. This is to save time and to ensure that you aren’t looking for a setting that doesn’t exist, and the best way to do so is to use the Group Policy Analytics functionality within Microsoft Endpoint Manager.
It analyses your on-premises Group Policy Objects and shows you if the settings are supported in MDM providers including Microsoft Intune, within Endpoint Manager. It also informs you of any settings that have since been deprecated or are not available.
In this blog post I will explain how to use the Group Policy Analytics in Microsoft Endpoint Manager.
BACK UP YOUR GPO
HOW TO EXPORT YOUR GROUP POLICY AS XML FILES
- Log on to your on-premises server which has access to Group Policy and open the Group Policy Management app (GPMC.msc)
- Expand your domain to see all your GPOs
- Right click on one of your GPOs and select Save Report…
- Save the file to an accessible folder, making sure you give it a sensible name and save it as an XML file. You will be importing this file into Intune later
- Do this for every GPO that you want to migrate to Intune
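The per-GPO Save Report… steps above can also be scripted. This added example (not part of the original post) uses the GroupPolicy module's Get-GPO and Get-GPOReport cmdlets to write one XML report per GPO; the output folder C:\GPOReports and the summary file name are assumptions.

```powershell
# Added example: export every GPO in the domain as an XML report.
# Requires the GroupPolicy module (installed with Group Policy Management / RSAT).
Import-Module GroupPolicy -ErrorAction Stop

$OutDir = 'C:\GPOReports'   # hypothetical output folder, change to suit
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$summary = foreach ($gpo in Get-GPO -All) {
    # GPO display names may contain characters that are not valid in file names
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $file = Join-Path $OutDir ('{0}_{1}.xml' -f $safeName, $gpo.Id)

    try {
        # The GPMC report for this GPO, requested as XML and written to $file
        Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $file -ErrorAction Stop

        # Parse the file back so a truncated or malformed report is caught before upload
        $null = [xml](Get-Content -LiteralPath $file -Raw)
        $status = 'Exported'
    }
    catch {
        $status = "Failed: $($_.Exception.Message)"
    }

    $sizeKB = $null
    if (Test-Path -LiteralPath $file) {
        $sizeKB = [math]::Round((Get-Item -LiteralPath $file).Length / 1KB, 1)
    }

    # One summary row per GPO so failed or unexpectedly large exports stand out
    [pscustomobject]@{
        Name      = $gpo.DisplayName
        Id        = $gpo.Id
        GpoStatus = $gpo.GpoStatus        # e.g. AllSettingsEnabled, AllSettingsDisabled
        Modified  = $gpo.ModificationTime
        SizeKB    = $sizeKB
        Status    = $status
    }
}

$summary | Sort-Object Name | Format-Table -AutoSize
$summary | Export-Csv -Path (Join-Path $OutDir 'export-summary.csv') -NoTypeInformation
```

The reports describe your domain's security configuration, so keep the output folder restricted to the administrators carrying out the migration.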
HOW TO IMPORT GPOS AND RUN ANALYTICS
- Log into the Microsoft Endpoint Manager admin center
- Click on Devices, then Group Policy Analytics (Preview)
- Click Import, and select the XML file that you saved previously
- After the analysis has run, the GPO you imported will be listed in the table with the following information:
TITLE | DESCRIPTION |
Group Policy Name | This is populated from the information in the GPO |
Active Directory Target | This is generated using the OU (organisational unit) target information in the GPO |
MDM Support | This shows the percentage of group policy settings that have the same setting in Intune |
Unknown Settings | Some settings cannot be analysed. The GPOs are listed here |
Targeted in AD | Yes means the GPO is linked to an OU in the on-premises GPO. No means the GPO is not linked to an on-premises OU |
Last imported | This is the date of the last import for that GPO |
Note: You can import all of the GPOs that you want to migrate to Intune. You can also export the list to a detailed CSV file
- Click on the MDM Support percentage for one of the policies to view more information:
TITLE | DESCRIPTION |
Setting Name | The name is automatically generated using information in the GPO setting |
Group Policy Setting Category | Shows the setting category for GPO (ADMX) settings |
ADMX Support | Yes means there’s an ADMX template for this setting. No means there isn’t an ADMX template for the specific setting |
MDM Support | Yes means there’s a setting available in Endpoint Manager that matches. A device configuration profile can be configured for this setting. No means there is not a match in the settings available to Intune |
Value | This shows the value imported from the GPO. It can show different values, such as true, false, 900, Enabled etc. |
Scope | This states if the GPO you’ve imported targets devices or users |
Min OS Version | Displays the minimum Windows operating system version build numbers that the GPO setting applies to. It might show 18362 (1903) for example |
CSP Name | A Configuration Service Provider (CSP) exposes device configuration settings in Windows 10. This column shows the CSP that includes the setting |
CSP Mapping | This column displays the OMA-URI path for the on-premises policy. You can map this in a custom configuration profile for a device |
GROUP POLICY MIGRATION READINESS REPORT
The Group policy migration readiness report shows you a summary of your GPO settings in a graphical view.
- Within Endpoint Manager, click Reports, then Group policy analytics (preview)
- In the Summary tab, a summary of your imported GPOs and their policies is shown. Use this information to determine the status of the policies in your GPOs:
TITLE | DESCRIPTION |
Ready for migration | The policy is ready to be migrated to Intune as it has a matching setting |
Not supported | This means the policy doesn’t have a matching setting. This normally means the policy settings aren’t exposed to Intune |
Deprecated | The policy has been deprecated but might apply to older Windows versions, older Microsoft Edge versions, and more policies that aren’t used anymore |
- Next, click on the Reports tab, and then Group policy migration readiness. Within this report, you can:
- See the number of settings in your GPO that can be configured in a device configuration profile. It also shows if the settings can be in a custom profile, aren’t supported, or are deprecated
- Filter the report output using the Migration Readiness, Profile type, and CSP Name filters
- Select Generate report to get current data. (You might see Generate again)
- View the
- Find specific settings by using the search bar
- See when the report was last generated with a time stamp
Summary
I hope this has helped in what can be a painful area in moving your GPO settings to Endpoint Manager. I certainly use it and find it extremely useful. Microsoft have announced that they are working on taking this one step further and implementing a tool that will also migrate your settings for you! Let’s hope this is right around the corner.