Group Policy Analytics: how to migrate GPOs to Intune

The new operating systems Windows 10 and Windows 11 are characterized by a strong cloud footprint; the concept of Modern Management is based precisely on the use of cloud-based solutions for the management of identities and devices in the company.

The new normal is characterized by the need to work outside the office, and this has required changes in the methods of delivery, management and configuration of devices; in this regard, how is it possible to apply the same configurations that are applied in the company through Group Policy to devices that only occasionally connect directly to the company network?

The Group Policy Analytics solution offers, with a few simple steps, the possibility of replacing the current GPOs with configurations provided through Microsoft Intune.

Overview

Group Policy Analytics is a tool available within the Microsoft Endpoint Manager admin center console that offers the following features:

  • Analyze the GPOs present in your on-premises infrastructure;
  • View which settings are supported by the cloud MDM authority as Configuration Service Providers (CSPs);
  • View settings that are deprecated or unavailable on the cloud solution;
  • Migrate imported GPOs to configurations via the Settings Catalog;

In the next paragraphs we will deal with this last point and see how to migrate imported GPOs into configurations delivered through Microsoft Intune; the procedure includes:

  • Export GPO in XML format;
  • Import XML files in Microsoft Intune;
  • Analyze and remap the configurations;
  • Deploy settings via CSP;

Group Policy export

The first step is to export the affected Group Policies in XML format; a file generated in this format can then be read and processed by the Group Policy Analytics engine.

To export GPOs in this format, you need to follow the steps below:

  • Open the Group Policy Management snap-in;
  • Expand the branch related to your Active Directory domain;
  • Expand the Group Policy Object folder so that all the GPOs present are correctly displayed;
  • Select the policy concerned and, by right-clicking on it, click on the Save Report option;
Figure 1 – GPO saving from Group Policy snap-in
  • In the new window that will be displayed, select the XML format from the Save as type drop-down menu and press the Save button;
Figure 2 – Save in XML format
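The same export can be scripted for every GPO in the domain. The following PowerShell script is an added example, not code from the original article: it uses Get-GPOReport (the cmdlet equivalent of Save Report in XML format) and then inventories the Administrative Template settings in each report so you know what Group Policy Analytics will receive before you upload it. The output folder C:\GPOExport is an assumption; the script requires the GroupPolicy RSAT module on a domain-joined machine.

```powershell
# Added example (not from the original article): bulk-export GPOs to XML for
# Group Policy Analytics and take a quick inventory of the Administrative
# Template settings each report contains.
Import-Module GroupPolicy

$ExportDir = 'C:\GPOExport'   # assumed output folder
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Namespace used by GPMC reports for the Registry (Administrative Template) extension
$ns = @{ q = 'http://www.microsoft.com/GroupPolicy/Settings/Registry' }

foreach ($gpo in Get-GPO -All) {
    # Build a file name that is safe on NTFS; keep the GPO name otherwise
    $safeName = ($gpo.DisplayName -replace '[\\/:*?"<>|]', '_')
    $path = Join-Path $ExportDir "$safeName.xml"

    # Same output as GPMC "Save Report" -> XML, which Group Policy Analytics imports
    Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $path

    # Make sure the file is well-formed XML before uploading it to Intune
    try {
        [xml]$report = Get-Content -Path $path -Raw -ErrorAction Stop
    } catch {
        Write-Warning "Report for '$($gpo.DisplayName)' is not valid XML: $_"
        continue
    }

    # Count Administrative Template settings and their Enabled/Disabled state
    $policies = @(Select-Xml -Xml $report -Namespace $ns -XPath '//q:Policy')
    $enabled  = @($policies | Where-Object { $_.Node.State -eq 'Enabled' }).Count
    $disabled = @($policies | Where-Object { $_.Node.State -eq 'Disabled' }).Count

    [pscustomobject]@{
        GPO      = $gpo.DisplayName
        File     = $path
        Settings = $policies.Count
        Enabled  = $enabled
        Disabled = $disabled
    }
}
```

GPOs that report zero Administrative Template settings typically carry only security or preference settings, which is worth knowing before you read the MDM support percentage after import.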

Import in Group Policy Analytics and data analysis

Once the export process is complete, the policy must be imported into the Group Policy Analytics engine so that all of its settings are processed; the purpose of this phase is to map the various settings present in the imported GPO to CSP (Configuration Service Provider) configurations. The process involves:

  • Log in to the Microsoft Endpoint Manager admin center console with an administrative account;
  • Select the Devices item in the left-hand menu;
  • Within the Policy section, select the item Group Policy Analytics (preview);
  • Through the Import button, you can upload the previously generated XML file;
Figure 3 – Import GPO in Group Policy Analytics
  • Verify that the upload/import process completes correctly;
Figure 4 – Import completed without errors

At this point, returning to the Overview screen, you can check how many and which settings are supported by the Microsoft Intune platform; clicking on the percentage of supported configurations (MDM support) opens a detailed view of the settings:

Figure 5/6 – Compatibility status of the imported GPO

One of the most interesting new features introduced in the latest releases of Microsoft Intune is the Migrate button. Starting with the April Service Release (2204), it is possible to automatically convert the imported GPO into a Configuration Profile based on the Settings Catalog; previously, it was necessary to manually create policies on the Intune side based on the output generated by Group Policy Analytics.

Once you have pressed the Migrate button (available within the GPO itself or by selecting the GPO concerned in the Overview section), you can start the migration process which includes the following steps:

  • Select the settings that you want to migrate to the new platform (you can select them individually or select them all through the Select all on this page button);
Figure 7 – Select compatible configurations
  • Press the Next button to proceed with the wizard;
  • A summary screen of the settings that will be migrated will be displayed and, once the correct selection has been verified, it will be possible to proceed with the Next button;
  • Indicate a name and any description of the policy that will be created;
  • Press the Next button again;
  • Assign the policy to a dedicated Azure AD group, or to all users or all devices, and proceed with the Next button;
  • Check the above and confirm the creation of the policy through the Deploy button;

Once the migration process is complete, the policy will be available in the Configuration profiles in the Devices section.

Reporting

In the latest releases of Microsoft Intune, two new reports have been made available which respectively give an overview and a detailed view of the configurations analyzed by Group Policy Analytics.

The Summary view allows you to view the number of policies that have been loaded and how many settings are supported, unsupported or deprecated.

Figure 8 – Group Policy Analytics overview report

The Group Policy migration readiness report shows in detail whether each imported setting is compatible with the configurations available on Intune; the Migration readiness column indicates whether the setting is supported by the CSP policies.

Figure 9 – Group Policy Analytics migration readiness report

These reports are available in the Reports > Group Policy Analytics (preview) section.

Conclusions

In this article, the steps necessary to convert the Group Policies present in your Active Directory infrastructure into modern configurations delivered through the Microsoft cloud solution have been described.

The adoption of this approach allows IT Admins to apply configurations to their devices wherever they are without the need for them to be connected to the corporate network.
