New Zealand | Microsoft Endpoint Manager Group Policy Analytics Tool

Nick Thomas - 04.04.2023

Microsoft Endpoint Manager Group Policy Analytics Tool


Update: Migrate Button

Since first writing this blog, Microsoft have introduced a great feature that they had teased us with. They said it was coming soon but we had no idea when. Thankfully, it has arrived sooner than we thought!

In the Group Policy analytics section of Intune, after you’ve imported your Group Policy Objects, you will notice a new column named Migrate. Check the box next to the GPO that you want to migrate to Intune and click Migrate at the top of the screen.


On the next screen, you will see more settings and be able to select the individual settings within that GPO that you want. 

Again, select the check boxes for the ones you want, create a name for your profile, create scope tags and configure user/device assignments before completing the wizard. 

I’m so happy that Microsoft have introduced this feature. It will save even more time than manually replicating the settings. 

END OF UPDATE

Introduction

Group policy objects (GPOs) have been utilised by organisations for over 20 years now. Their main function is to control what a user can or cannot do on a computer system by configuring user settings and computer or administration settings on different devices within a domain. 

These days, many companies choose to migrate to the cloud, an easier system where documents and data can be stored on a limitless infrastructure without the need for external storage devices and hard drives. Now that many organisations are looking to fully adopt these cloud solutions, tools such as Microsoft Endpoint Manager are used to manage workloads more efficiently, and Microsoft have introduced a tool that helps with the Group Policy side of things, called Group Policy analytics.

To determine which GPO settings can be successfully migrated to the cloud, a full review of the on-premises GPOs must be undertaken initially. This is to save time and to ensure that you aren’t looking for a setting that doesn’t exist, and the best way to do so is to use the Group Policy Analytics functionality within Microsoft Endpoint Manager. 

It analyses your on-premises Group Policy Objects and shows you if the settings are supported in MDM providers including Microsoft Intune, within Endpoint Manager. It also informs you of any settings that have since been deprecated or are not available. 

In this blog post I will explain how to use the Group Policy Analytics in Microsoft Endpoint Manager.

EXPORT GPOS AS XML FILES

  1. Log on to your on-premises server which has access to Group Policy and open the Group Policy Management app (GPMC.msc)
  2. Expand your domain to see all your GPOs
  3. Right click on one of your GPOs and select Save Report…
  4. Save the file to an accessible folder, making sure you give it a sensible name and save it as an XML file. You will be importing this file into Intune later
  5. Do this for every GPO that you want to migrate to Intune
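
The export steps above can be scripted when there are many GPOs. The following is an added example, not part of the original post: it uses the Get-GPO and Get-GPOReport cmdlets from the GroupPolicy module to save one XML report per GPO and records whether each GPO is linked anywhere, which corresponds to the "Targeted in AD" column shown after import. The output folder and the inventory file name are assumptions.

```powershell
# Added example (not from the original post). Run on a machine with the
# Group Policy Management tools installed, as a user who can read all GPOs.
Import-Module GroupPolicy

$OutDir = 'C:\Temp\GpoExport'   # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Character class matching every character Windows forbids in a file name
$invalid = [regex]::Escape(([IO.Path]::GetInvalidFileNameChars() -join ''))

$inventory = foreach ($gpo in Get-GPO -All) {
    # Sanitise the display name and append the GUID so that two GPOs whose
    # names collide after sanitising do not overwrite each other
    $safeName = $gpo.DisplayName -replace "[$invalid]", '_'
    $path     = Join-Path $OutDir ('{0}_{1}.xml' -f $safeName, $gpo.Id)

    # Same output as right-click > Save Report... saved as XML
    Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $path

    # The report has one LinksTo element per site, domain or OU link and
    # none at all when the GPO is unlinked; Where-Object drops the $null case
    [xml]$report = Get-Content -LiteralPath $path -Raw
    $links = @($report.GPO.LinksTo | Where-Object { $_ } |
               ForEach-Object { $_.SOMPath })

    [pscustomobject]@{
        Name    = $gpo.DisplayName
        Status  = $gpo.GpoStatus          # e.g. AllSettingsEnabled, AllSettingsDisabled
        Linked  = $links.Count -gt 0
        LinksTo = $links -join '; '
        SizeKB  = [math]::Round((Get-Item -LiteralPath $path).Length / 1KB, 1)
        File    = $path
    }
}

# Unlinked GPOs sort first: review these before spending time migrating them
$inventory | Sort-Object Linked, Name |
    Format-Table Name, Status, Linked, SizeKB -AutoSize

# Keep a record of what was exported alongside the reports
$inventory | Export-Csv -Path (Join-Path $OutDir 'gpo-inventory.csv') -NoTypeInformation
```

The reports describe the domain's security configuration in full, so keep the output folder access-restricted and remove it once the import is complete.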

IMPORT GPOS AND RUN ANALYTICS

  1. Log into the Microsoft Endpoint Manager admin centre, select Devices > Group Policy Analytics (Preview)
  2. Click Import, and select the XML file that you saved previously
  3. After the analysis has run, the GPO you imported will be listed in the table with the following information:
  • Group Policy Name: This is populated from the information in the GPO
  • Active Directory Target: This is generated using the OU (organisational unit) target information in the GPO
  • MDM Support: This shows the percentage of group policy settings that have the same setting in Intune
  • Unknown Settings: Some settings cannot be analysed. The GPOs are listed here
  • Targeted in AD: Yes means the GPO is linked to an OU in the on-premises GPO. No means the GPO is not linked to an on-premises OU
  • Last imported: This is the date of the last import for that GPO

Note: You can import all of the GPOs that you want to migrate to Intune. You can also export the list to a detailed CSV file 

  4. Click on the MDM Support percentage for one of the policies to view more information:
  • Setting Name: The name is automatically generated using information in the GPO setting
  • Group Policy Setting Category: Shows the setting category for GPO (ADMX) settings
  • ADMX Support: Yes means there’s an ADMX template for this setting. No means there isn’t an ADMX template for the specific setting
  • MDM Support: Yes means there’s a matching setting available in Endpoint Manager. You can configure this setting in a device configuration profile. Settings in device configuration profiles are mapped to Windows CSPs. No means there isn’t a matching setting available to MDM providers, including Intune
  • Value: Shows the value imported from the GPO. It shows different values, such as true, 900, Enabled, false, and so on
  • Scope: Shows if the imported GPO targets users or targets devices
  • Min OS Version: Shows the minimum Windows OS version build numbers that the GPO setting applies to. It may show 18362 (1903), 17130 (1803), and other Windows 10 versions
  • CSP Name: A Configuration Service Provider (CSP) exposes device configuration settings in Windows 10. This column shows the CSP that includes the setting
  • CSP Mapping: Shows the OMA-URI path for the on-premises policy. You can use the OMA-URI in a custom device configuration profile.

GROUP POLICY MIGRATION READINESS REPORT

The Group policy migration readiness report shows you a summary of your GPO settings in a graphical view.

  1. Within Endpoint Manager, click Reports > Group policy analytics (preview)
  2. In the Summary tab, a summary of your imported GPOs and their policies is shown. Use this information to determine the status of the policies in your GPOs:
  • Ready for migration: The policy has a matching setting in Intune, and is ready to be migrated to Intune
  • Not supported: The policy doesn’t have a matching setting. Typically, policy settings that show this status aren’t exposed to MDM providers, including Intune
  • Deprecated: The policy may apply to older Windows versions, older Microsoft Edge versions, and more policies that aren’t used anymore
  • Value: Shows the value imported from the GPO. It shows different values, such as true, 900, Enabled, false, and so on

NOTE: This date will update as the Microsoft Intune product team make updates to Intune 

  3. Select the Reports tab > Group policy migration readiness. In this report, you can:
  • See the number of settings in your GPO that can be configured in a device configuration profile. It also shows if the settings can be in a custom profile, aren’t supported, or are deprecated 
  • Filter the report output using the Migration Readiness, Profile type, and CSP Name filters
  • Select Generate report or Generate again to get current data 
  • See the list of settings in your GPO 
  • Use the search bar to find specific settings 
  • Get a time stamp of when the report was last generated 

Summary

I hope this has helped in what can be a painful area in moving your GPO settings to Endpoint Manager. I certainly use it and find it extremely useful. Microsoft have announced that they are working on taking this one step further and implementing a tool that will also migrate your settings for you! Let’s hope this is right around the corner. 
