Migrating your GPOs with Group Policy Analytics

Microsoft Intune

Hello everyone!

Group Policy analytics has been generally available (GA) since Intune service release 2308, so it is time to write a blog post about it. Let me show you how to use this feature in the Microsoft Intune admin center to analyze legacy GPOs and migrate their settings to Microsoft Intune.

Prerequisites

  • Requires the Intune Administrator role, or a role that has the Security Baselines permission.
  • Requires the Domain Admin role in the domain, or a role that has Group Policy read permissions.
  • A domain with GPOs configured that you want to analyze and migrate.
  • This feature only applies to Windows 10/11 (including AVD and Windows 365).

Group Policy analytics overview

This feature can be used for several scenarios. When companies want to migrate to Microsoft Intune with Entra ID (Azure AD) joined endpoints, this is a good tool to analyze the existing Active Directory configuration and migrate the settings directly into a settings catalog profile in Microsoft Intune. It saves the time it would take to search through all the GPOs by hand and work out which settings are still relevant for cloud-only endpoints. Migrating from a hybrid domain-joined AVD environment to cloud-only Windows 365? This is a good way to start moving your settings to Microsoft Intune.

The Group Policy analytics feature also gives a lot of information about the imported GPO. When a setting is not supported, the report generated in the Microsoft Intune admin center shows that setting and why it cannot be migrated.

This tool is a good way to reduce the dependency on on-premises AD. The feature is found in the Microsoft Intune admin center under Devices > Policy, and is also visible under Reports.

 

How to export GPOs from Active Directory

First you need to export a single GPO as an XML file. Keep in mind that this report contains every setting configured in the GPO, so store and share it as you would any other configuration export.

  1. On a machine that has access to the domain, start the Group Policy Management Console (gpmc.msc).
  2. When the console is open, expand the domain name.
  3. Expand the Group Policy Objects container to see all GPOs available in the domain.
  4. Right-click the GPO that you want to analyze and import, click Save Report, and select XML in the file type dropdown.
  5. Save the file to a folder that is accessible from your browser for the import. Keep the full path short; very long paths cause problems.
Check the following images in this gallery to show every step.
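The same export can be scripted, which is handy when you have more than a handful of GPOs to analyze. The following PowerShell is an added example for this post (not code from the original article or from Microsoft): it uses the GroupPolicy module that ships with RSAT, exports each GPO as the same XML report that GPMC produces, and runs two pre-flight checks that would otherwise only surface during the import: the long-path problem mentioned above, and Administrative Template settings that occur twice on the same side of one GPO, which the migrate wizard rejects. The output folder and the GPO names in the usage line are placeholders.

```powershell
# Added example, not code from the original post: export GPOs as XML reports
# for Group Policy analytics with the GroupPolicy module (part of RSAT), plus
# two pre-flight checks. Assumptions: domain-joined admin workstation with
# RSAT installed and Group Policy read rights; $OutDir and the GPO names
# passed at the bottom are placeholders.
Import-Module GroupPolicy -ErrorAction Stop

function Export-GpoReportForAnalytics {
    param(
        [Parameter(Mandatory)] [string] $OutDir,
        # Display names of GPOs to export; omit to export every GPO in the domain
        [string[]] $Name
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $gpos = if ($Name) { $Name | ForEach-Object { Get-GPO -Name $_ } } else { Get-GPO -All }

    foreach ($gpo in $gpos) {
        # Replace characters that are illegal in Windows file names
        $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
        $path = Join-Path $OutDir "$safeName.xml"

        # Check 1: keep the output path under the classic MAX_PATH of 260 characters
        if ($path.Length -ge 260) {
            Write-Warning "Skipping '$($gpo.DisplayName)': output path is $($path.Length) characters"
            continue
        }

        # Equivalent of GPMC > right-click GPO > Save Report > XML
        Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $path

        # Check 2: parse the report and flag Administrative Template settings that
        # appear more than once on the same side (Computer or User), since such
        # duplicates cannot be migrated by the wizard. The namespace prefixes in
        # the report vary (q1, q2, ...), hence local-name() in the XPath.
        [xml] $report = Get-Content -Path $path -Raw
        $duplicates = foreach ($side in 'Computer', 'User') {
            $node = $report.GPO.$side
            if ($node -isnot [System.Xml.XmlElement]) { continue }
            $node.SelectNodes(".//*[local-name()='Policy']/*[local-name()='Name']") |
                ForEach-Object { $_.InnerText } |
                Group-Object | Where-Object { $_.Count -gt 1 } |
                ForEach-Object { "$side/$($_.Name)" }
        }

        # One summary row per GPO: which sides carry settings, and what to fix
        [pscustomobject]@{
            Name              = $gpo.DisplayName
            Guid              = $gpo.Id
            ComputerEnabled   = $report.GPO.Computer.Enabled
            UserEnabled       = $report.GPO.User.Enabled
            DuplicateSettings = ($duplicates -join '; ')
            File              = $path
        }
    }
}

# Usage (placeholder names): export two GPOs and keep the summary for the import session
Export-GpoReportForAnalytics -OutDir 'C:\GPOExport' -Name 'Default Domain Policy', 'Workstation Baseline' |
    Format-Table -AutoSize
```

Run the function once without -Name to get a summary of every GPO in the domain; GPOs whose DuplicateSettings column is not empty need the duplicate settings resolved (or deselected in the migrate wizard) before the settings catalog profile can be created.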

How to import the GPOs and run the analytics

Now we are going to import the XML file, run the analytics, and see which settings are available to migrate.

  1. In the Microsoft Intune admin center, go to Devices and then to Group Policy analytics.
  2. Select Import to start the import wizard.
  3. First select the XML file for the import, then click Next.
  4. In the next step you can set Scope tags, so that the imported objects are only visible to a certain group of administrators. I will leave this empty, so the Default scope tag is used. Click Next to go to the last tab. For more information about scope tags, see the Microsoft Learn documentation.
  5. In this step you finish the import. When the file is valid, the import runs very quickly. When you click Create, you return to the main page of Group Policy analytics, which shows the information about the imported GPO. Every imported XML file shows up as exactly one item in this view. The most important column is MDM Support, because it represents the share of settings that are available in a settings catalog profile in Microsoft Intune. This value is updated automatically when new settings become available in the settings catalog.
  6. For an overview of all imported objects, click the Export button in this window. The output is a CSV file that can be opened in Excel.

Migrating your GPOs to a Settings Catalog profile

Here we describe the Migrate option of Group Policy analytics. This is the last part of the feature, and the one to handle with the most care and precision, because it creates a profile that will be deployed to your endpoints.

  1. First select the right GPO for the migration. It is possible to select multiple GPOs, but for this blog I will select only one and click Migrate.
  2. This view shows a lot of information. The important part is the Migrate column, which tells you which settings are available for migration. These can all be selected in bulk with the blue Select all button. Other columns are useful too: Scope shows whether a setting targets the device or the user, Min OS version matters when you still run older versions of Windows 10/11, and CSP mapping is useful when you want to set a policy yourself with a custom OMA-URI. Note that the list may span multiple pages; when you select all settings, you may have to go to the next page and select those as well.
  3. When you have selected all the settings that need to be migrated, check why the remaining settings are not available for migration. The MDM Support column shows the reason; typically the setting is not available in the settings catalog or has been deprecated. Then click Next for the second part of the Migrate wizard.
  4. This tab shows all the settings that are configured in your imported GPO. These settings will be migrated to a settings catalog profile where possible. Click Next when everything checks out.
  5. This step needs a name and description for the profile.
  6. If you want to use scope tags, you can assign them here. I will use the Default scope tag.
  7. This step assigns the settings catalog profile to a device group, a user group, or both. Check the scope of the migrated settings and assign accordingly: assigning a profile that mixes device- and user-scoped settings to both a device group and a user group results in errors for some settings. I only do that here for testing purposes.
  8. The last step reviews everything. When it all checks out, click Deploy to create the settings catalog profile.
  9. When the deployment is complete, the page automatically goes to Configuration profiles in the Microsoft Intune admin center. Here you see your newly created profile from the Group Policy analytics feature. How cool is that!

Final Thoughts

This feature is really handy when migrating on-premises AD components to a cloud management solution like Microsoft Intune. Configuring Group Policy analytics for this blog did not cause any difficulties, but with very large GPOs you will see errors as soon as you select all the settings. A setting that is configured twice in different locations within the same GPO cannot be migrated; the wizard shows an error when you select such settings, and deselecting them lets you proceed to the deployment of the new settings catalog profile. The feature is now GA, so it can be used in your production environment. If you have any questions, please feel free to post a comment.

Resources

The following resources are used for this blog post:

Use Microsoft Intune to import and analyze group policies | Microsoft Learn

Author

  • Mischa Sachse

    Mischa Sachse is one of the founders of the Cloud Experts Community.