New Zealand | Microsoft Intune Group Policy Analytics Tool

Nick Thomas - 22.02.2024

Microsoft Intune Group Policy Analytics Tool

Introduction

Group policy objects (GPOs) have been utilised by organisations for over 20 years now. Their main function is to control what a user can or cannot do on a computer system by configuring user settings and computer or administration settings on different devices within a domain. 

These days, many companies choose to migrate to the cloud – an easier system where documents and data can be stored on a limitless infrastructure without the need for external storage devices and hard drives. Now that many organisations are looking to fully adopt these cloud solutions, tools such as Microsoft Endpoint Manager are used to manage workloads more efficiently. Microsoft has also introduced a tool that helps with the Group Policy side of things called Group Policy analytics.

MIGRATING GPO SETTINGS TO THE CLOUD

To determine which GPO settings can be successfully migrated to the cloud, a full initial review of the on-premises GPOs must be undertaken. This is to save time and to ensure that you aren’t looking for a setting that doesn’t exist. The best way to do so is to use the Group Policy Analytics functionality within Microsoft Endpoint Manager. 

Microsoft Endpoint Manager analyses your on-premises Group Policy Objects and shows you if the settings are supported in MDM providers including Microsoft Intune, within Endpoint Manager. It also informs you of any settings that have since been deprecated or are not available. 

If you think you’re ready to move to Intune for device management and remove the dependency on on-premises Active Directory and traditional group policy objects, then this is a great first step.

In this blog post I will explain how to use Group Policy Analytics in Microsoft Endpoint Manager.

BEFORE YOU BEGIN

Log in to the Microsoft Intune admin centre as an Intune Administrator, or as a user with a role that has the Security Baselines and the Device Configuration permissions. 

These settings are only applicable to Windows 10 or Windows 11 devices.

EXPORT GPOS AS XML FILES

  1. Log on to your on-premises server which has access to Group Policy, then open the Group Policy Management app (GPMC.msc)
  2. Expand your domain to see all your GPOs
  3. Right click on one of your GPOs and select Save Report…
  4. Save the file to an accessible folder, making sure you give it a sensible name and save it as an XML file. You will be importing this file into Intune later
  5. Do this for every GPO that you want to migrate to Intune
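
When there are many GPOs, the same export can be scripted with the GroupPolicy PowerShell module. The script below is an added example, not part of the original post; the output folder and the size threshold used to flag large reports are assumptions to adjust for your environment.

```powershell
# Added example: export every GPO in the domain to its own XML report.
# Requires the GroupPolicy module (installed with GPMC / RSAT) and read access to the GPOs.
Import-Module GroupPolicy

# Hypothetical output folder. The reports describe your security configuration,
# so keep this folder restricted to the administrators doing the migration.
$OutDir = 'C:\GPOExport'

# Assumed size ceiling, used only to flag unusually large reports before upload.
# Confirm the current import limit in the Intune documentation.
$MaxBytes = 4MB

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$results = foreach ($gpo in Get-GPO -All) {
    # GPO display names may contain characters that are illegal in file names.
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'

    # Append the GUID so two GPOs whose names sanitise identically cannot overwrite each other.
    $path = Join-Path $OutDir ('{0}_{1}.xml' -f $safeName, $gpo.Id)

    # Equivalent to right-click > Save Report... with XML as the file type.
    Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $path

    $file = Get-Item -LiteralPath $path
    [pscustomobject]@{
        Name     = $gpo.DisplayName
        Status   = $gpo.GpoStatus          # e.g. AllSettingsEnabled, AllSettingsDisabled
        Modified = $gpo.ModificationTime
        SizeKB   = [math]::Round($file.Length / 1KB, 1)
        TooLarge = $file.Length -gt $MaxBytes
        File     = $file.Name
    }
}

# Review the inventory before importing: disabled or long-unmodified GPOs are
# candidates to retire rather than migrate.
$results | Sort-Object Name | Format-Table -AutoSize
```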

IMPORT GPOS AND RUN ANALYTICS

  1. Log into the Microsoft Endpoint Manager admin centre. Select Devices > Group Policy Analytics
  2. Click Import and select the XML file that you saved previously. You can add several files simultaneously
  3. When importing, you can select existing scope tags if required
  4. After the analysis has run, the GPO you imported will be listed in the table with the following information:

| TITLE | DESCRIPTION |
| --- | --- |
| Group Policy Name | This is populated from the information in the GPO |
| Active Directory Target | This is generated using the OU (organisational unit) target information in the GPO |
| MDM Support | This shows the percentage of group policy settings that have the same setting in Intune |
| Unknown Settings | Some settings cannot be analysed. The GPOs are listed here |
| Targeted in AD | Yes means the GPO is linked to an OU in the on-premises GPO. No means the GPO is not linked to an on-premises OU |
| Last imported | This is the date of the last import for that GPO |

Note: You can import all the GPOs you want to migrate to Intune. You can also export the list into a detailed CSV file

  5. At this point, you can filter the output and then export this view to a .csv file
  6. Click on the MDM Support percentage for one of the policies to view more information:

| TITLE | DESCRIPTION |
| --- | --- |
| Setting Name | The name is automatically generated using information in the GPO setting |
| Group Policy Setting Category | This shows the setting category for GPO (ADMX) settings |
| ADMX Support | Yes means there’s an ADMX template for this setting. No means there isn’t an ADMX template for the specific setting |
| MDM Support | Yes means there’s a matching setting available in Endpoint Manager. You can configure this setting in a device configuration profile. Settings in device configuration profiles are mapped to Windows CSPs. No means there isn’t a matching setting available to MDM providers, including Intune. The tool might also suggest migrating to newer supported versions |
| Value | This shows the value imported from the GPO. It shows different values, such as true, 900, Enabled, false, and so on |
| Scope | This shows if the imported GPO targets users or targets devices |
| Min OS Version | Shows the minimum Windows OS version build numbers to which the GPO setting applies. It may show 18362 (1903), 17130 (1803) and other Windows 10 versions |
| CSP Name | A Configuration Service Provider (CSP) exposes device configuration settings in Windows 10. This column shows the CSP that includes the setting |
| CSP Mapping | Shows the OMA-URI path for the on-premises policy. You can use the OMA-URI in a custom device configuration profile. |
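
Once the per-setting view is exported to CSV, the settings with no MDM equivalent are the ones that will silently stop being enforced after migration, so they are worth listing explicitly. The script below is an added example, not part of the original post; the CSV header names are assumed to match the column titles described above and the sample rows are constructed, so adjust the names to your actual export.

```powershell
# Constructed sample export; header names are an assumption based on the columns above.
$csv = @'
Setting Name,Group Policy Setting Category,MDM Support,Value,Scope
Constructed setting 1,Example Category A,Yes,Enabled,Device
Constructed setting 2,Example Category A,No,900,Device
Constructed setting 3,Example Category B,Yes,true,User
Constructed setting 4,Example Category B,Yes,false,User
Constructed setting 5,Example Category C,No,Enabled,Device
'@

# Settings that have no matching MDM setting and need another control or a documented exception.
function Get-MigrationGap {
    param([Parameter(Mandatory)][object[]]$Rows)
    $Rows | Where-Object { $_.'MDM Support' -ne 'Yes' } |
        Sort-Object 'Group Policy Setting Category', 'Setting Name' |
        Select-Object 'Setting Name', 'Group Policy Setting Category', Value, Scope
}

# Per-category coverage, the same idea as the tool's MDM Support percentage but broken down by category.
function Get-MdmCoverage {
    param([Parameter(Mandatory)][object[]]$Rows)
    $Rows | Group-Object 'Group Policy Setting Category' | ForEach-Object {
        $yes = @($_.Group | Where-Object { $_.'MDM Support' -eq 'Yes' }).Count
        [pscustomobject]@{
            Category   = $_.Name
            Settings   = $_.Count
            Supported  = $yes
            CoveragePc = [math]::Round(100 * $yes / $_.Count)
        }
    }
}

# For a real export, replace the next line with: $rows = Import-Csv -Path <your export file>
$rows = $csv | ConvertFrom-Csv
$gap  = @(Get-MigrationGap -Rows $rows)

'{0} of {1} settings have no MDM equivalent' -f $gap.Count, $rows.Count
$gap | Format-Table -AutoSize
Get-MdmCoverage -Rows $rows | Sort-Object CoveragePc | Format-Table -AutoSize
```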

GROUP POLICY MIGRATION READINESS REPORT

The Group policy migration readiness report shows you a summary of your GPO settings in a graphical view.

  1. Within Endpoint Manager, click Reports > Group policy analytics
  2. In the Summary tab, a summary of your imported GPOs and their policies is shown. Use this information to determine the status of the policies in your GPOs:

| TITLE | DESCRIPTION |
| --- | --- |
| Ready for migration | The policy has a matching setting in Intune, and is ready to be migrated to Intune |
| Not supported | The policy doesn’t have a matching setting. Typically, policy settings that show this status aren’t exposed to MDM providers, including Intune |
| Deprecated | The policy may apply to older Windows versions, older Microsoft Edge versions and other policies that aren’t used anymore |
| Value | Shows the value imported from the GPO. It shows different values, such as true, 900, Enabled, false, and so on |

NOTE: This data will update as the Microsoft Intune product team make updates to Intune 

  3. Select the Reports tab > Group policy analytics
  4. In this report, you can:
    • See the number of settings in your GPO that can be configured in a device configuration profile. It also shows if the settings can be in a custom profile, aren’t supported, or are deprecated
    • Filter the report output using the Migration Readiness, Profile type and CSP Name filters
    • Select Generate report or Generate again to get current data
    • See the list of settings in your GPO
    • Use the search bar to find specific settings
    • Get a time stamp of when the report was last generated

MIGRATE

After you’ve imported your Group Policy Objects, you will notice a new column named Migrate in the Group Policy analytics section of Intune. Check the box next to the GPO you want to migrate to Intune and click Migrate at the top of the screen.

On the next screen, you will see more settings and be able to select all the individual settings within that GPO that you want. 

Again, check the boxes for the ones you want, create a name for your profile, create scope tags and configure user/device assignments before completing the wizard. 

I’m so happy that Microsoft have introduced this feature. It will save even more time than manually replicating the settings.

SUMMARY

I hope this has helped in what can be a painful area in moving your GPO settings to Endpoint Manager. I certainly find it extremely useful. Microsoft have announced that they are working on taking this one step further and implementing a tool that will also migrate your settings for you! Let’s hope this is right around the corner. 

If you’re interested in learning more about how you can leverage Intune to boost productivity, download our Ultimate Guide to Microsoft Intune. Feel free to contact us as well if you need hands-on assistance with adopting Intune in your organisation.
