Windows 10 and Windows 11 are built around a strong cloud footprint; the concept of Modern Management is based precisely on cloud services for managing corporate identities and devices.
The new normal is characterized by the need to work outside the office, and this has required changes in how devices are delivered, managed and configured. In this context, how can the same configurations that Group Policy applies inside the company be applied to devices that only occasionally connect to the corporate network?
Group Policy Analytics makes it possible, in a few steps, to replace the current GPOs with equivalent configurations delivered through Microsoft Intune, at least for the settings that have an MDM counterpart.
Group Policy Analytics is a tool available in the Microsoft Endpoint Manager admin center that offers the following features:
- Analyze the GPOs present in your on-premises infrastructure;
- Show which settings have an equivalent Configuration Service Provider (CSP) setting supported by the cloud MDM authority;
- Identify settings that are deprecated or have no counterpart in the cloud solution;
- Migrate imported GPOs to configuration profiles based on the Settings Catalog;
In the next paragraphs we will deal with this last point and see how to migrate imported GPOs into configurations delivered through Microsoft Intune; the procedure includes:
- Export the GPOs in XML format;
- Import the XML files into Microsoft Intune;
- Analyze and remap the configurations;
- Deploy the settings via CSP;
Group Policy export
The first step is to export the Group Policies concerned in XML format; a file in this format can then be read and processed by the Group Policy Analytics engine. Since the XML report contains the complete content of the policy, treat the exported files as sensitive and do not leave them in a shared location.
To export GPOs in this format, follow the steps below:
- Open the Group Policy Management snap-in;
- Expand the branch for your Active Directory domain;
- Expand the Group Policy Objects folder so that all existing GPOs are displayed;
- Right-click the policy concerned and choose Save Report;
- In the dialog that appears, select XML from the Save as type drop-down menu and press Save;
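The same export can be scripted, which is useful when there are dozens of GPOs to assess. The following is an added example, not code from the original article: it uses the Get-GPOReport cmdlet of the RSAT GroupPolicy module to produce one XML report per GPO (the same output as Save Report > XML in GPMC) and builds a summary that flags disabled and unlinked GPOs, which are usually not worth importing. It assumes the GroupPolicy module is installed, that the caller can read every GPO, and that the report's LinksTo element (used to count links) is present as on current Windows Server builds; the output directory and the name filter are placeholders.

```powershell
# Added example (not from the original article): export every GPO to its own XML
# report for Group Policy Analytics. Assumes the RSAT GroupPolicy module is installed
# and that the <LinksTo> element exists in the XML report (true on current builds).
#Requires -Modules GroupPolicy
[CmdletBinding()]
param(
    # Where the per-GPO XML files are written (placeholder default)
    [string]$OutputDir  = (Join-Path $env:TEMP 'gpo-analytics-export'),
    # Wildcard on DisplayName, e.g. 'SEC-*' to export only the security baselines
    [string]$NameFilter = '*'
)

Import-Module GroupPolicy
$null = New-Item -ItemType Directory -Path $OutputDir -Force

$summary = foreach ($gpo in Get-GPO -All | Where-Object DisplayName -like $NameFilter) {
    # GPO display names can contain characters that are illegal in file names
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $path     = Join-Path $OutputDir "$safeName.xml"

    # Equivalent of GPMC > right-click GPO > Save Report > XML, one file per GPO
    Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $path

    # Read the report back to see whether the GPO is linked anywhere: an unlinked
    # GPO applies to nothing today, so importing it only adds noise to the analysis.
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($path)
    $links = @($xml.GPO.LinksTo | Where-Object { $_ })

    [pscustomobject]@{
        DisplayName = $gpo.DisplayName
        Id          = $gpo.Id
        GpoStatus   = $gpo.GpoStatus        # AllSettingsDisabled => nothing to migrate
        LinkCount   = $links.Count
        SizeKB      = [math]::Round((Get-Item $path).Length / 1KB, 1)
        Path        = $path
    }
}

# Large reports and unlinked or disabled GPOs are the first things to review before importing
$summary | Sort-Object SizeKB -Descending | Format-Table -AutoSize
```

Run it from a machine joined to the domain with an account that can read the GPOs; the files it writes contain the full policy content, so keep the output directory on a protected volume and delete it after the import. The size column is there because the import accepts files only up to a documented maximum; check the current limit before uploading the largest reports.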
Import in Group Policy Analytics and data analysis
Once the export is complete, the policy must be imported into the Group Policy Analytics engine so that all its settings are processed; the purpose of this phase is to map each setting of the imported GPO to the corresponding CSP (Configuration Service Provider) configuration, where one exists. The process involves:
- Sign in to the Microsoft Endpoint Manager admin center with an administrative account;
- Select Devices in the left navigation pane;
- In the Policy section, select Group Policy Analytics (preview);
- Use the Import button to upload the previously generated XML file;
- Verify that the upload/import completes correctly;
Returning to the Overview screen, you can then check how many and which settings are supported by the Microsoft Intune platform; clicking the percentage of supported configurations (MDM support) opens a detailed view of the individual settings.
One of the most interesting additions in the latest releases of Microsoft Intune is the Migrate button. Starting with the April service release (2204), the imported GPO can be converted automatically into a Configuration Profile based on the Settings Catalog; previously, the policies had to be created manually on the Intune side from the output generated by Group Policy Analytics.
After pressing the Migrate button (available within the GPO itself or by selecting the GPO concerned in the Overview section), the migration wizard starts, with the following steps:
- Select the settings to migrate to the new platform (either individually or all at once with the Select all on this page button);
- Press Next to continue;
- A summary of the settings that will be migrated is displayed; once the selection has been verified, press Next;
- Enter a name and, optionally, a description for the policy that will be created;
- Press Next again;
- Assign the policy to a dedicated Azure AD group or to all users/devices and press Next; while the original GPO is still linked in the domain, a pilot group is the safer choice;
- Review the summary and confirm the creation of the policy with the Deploy button;
Once the migration is complete, the policy is available under Configuration profiles in the Devices section.
The latest releases of Microsoft Intune also include two reports that provide, respectively, an overview and the detail of the configurations analyzed by Group Policy Analytics.
The Summary view shows the number of policies loaded and how many settings are supported, unsupported or deprecated.
The Group Policy migration readiness report shows, setting by setting, whether each loaded setting is compatible with the configurations available in Intune; the Migration readiness column indicates whether the setting is supported by the CSP policies.
Both reports are available under Reports > Group Policy Analytics (preview).
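Both the import described in the previous section and the readiness data shown by these reports can be driven through Microsoft Graph rather than the portal, which makes it practical to assess a large GPO estate repeatably. The block below is an added example, not code from the original article or from Microsoft: it uploads every XML report in a folder and then prints the per-GPO support numbers and the list of settings with no MDM equivalent. Everything about the API surface is an assumption to verify in Graph Explorer before relying on it: the beta resources deviceManagement/groupPolicyObjectFiles (POST with a base64 content and an ouDistinguishedName) and deviceManagement/groupPolicyMigrationReports with the property names used below are what the admin center calls at the time of writing, and beta endpoints change without notice. The OU distinguished name and the Graph scope are placeholders to adapt to your tenant.

```powershell
# Added example (not from the original article): upload exported GPO XML reports to
# Group Policy Analytics and read back migration readiness through Microsoft Graph.
# ASSUMPTIONS: beta endpoints and property names below (groupPolicyObjectFiles,
# groupPolicyMigrationReports, supportedSettingsPercent, groupPolicySettingMappings,
# isMdmSupported) match what the admin center uses today; verify in Graph Explorer.
#Requires -Modules Microsoft.Graph.Authentication
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]$XmlDir,
    [string]$OuDistinguishedName = 'OU=Workstations,DC=contoso,DC=com',   # placeholder
    [string]$Graph = 'https://graph.microsoft.com/beta/deviceManagement'
)

# Follows @odata.nextLink so paged collections are read completely
function Get-GraphCollection([string]$Uri) {
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

# Least privilege: one scope covers both the upload and reading the reports
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

# 1. Import: one groupPolicyObjectFile per XML report (what the portal's Import button does)
foreach ($file in Get-ChildItem -Path $XmlDir -Filter '*.xml') {
    $body = @{
        '@odata.type'       = '#microsoft.graph.groupPolicyObjectFile'
        ouDistinguishedName = $OuDistinguishedName
        content             = [Convert]::ToBase64String([IO.File]::ReadAllBytes($file.FullName))
    }
    $null = Invoke-MgGraphRequest -Method POST -Uri "$Graph/groupPolicyObjectFiles" `
        -Body $body -ContentType 'application/json'
    Write-Verbose "Imported $($file.Name)"
}

# 2. Summary: the same numbers the Overview screen and the Summary report show
$reports = Get-GraphCollection "$Graph/groupPolicyMigrationReports"
$reports |
    Select-Object displayName, totalSettingsCount, supportedSettingsCount,
                  supportedSettingsPercent, migrationReadiness |
    Format-Table -AutoSize

# 3. Detail: per-setting mapping, keeping only what has no MDM/CSP equivalent,
#    i.e. the settings that still need another control after the migration
$unsupported = foreach ($r in $reports) {
    Get-GraphCollection "$Graph/groupPolicyMigrationReports/$($r.id)/groupPolicySettingMappings" |
        Where-Object { -not $_.isMdmSupported } |
        Select-Object @{ n = 'GPO'; e = { $r.displayName } }, settingName, settingCategory, settingScope
}
$unsupported | Format-Table -AutoSize
```

The unsupported list is the part worth keeping: each entry is a control that the Settings Catalog profile will not carry, so it must either be replaced by another Intune mechanism (a custom OMA-URI, a script, a compliance policy) or consciously retired before the GPO is unlinked.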
Here are some useful references to the official documentation:
- CSP Configurations supported by Group Policy Analytics – Policy CSP
- CSP Configurations supported by Group Policy Analytics – PassportForWork CSP
- CSP Configurations supported by Group Policy Analytics – BitLocker CSP
- CSP Configurations supported by Group Policy Analytics – Firewall CSP
- CSP Configurations supported by Group Policy Analytics – AppLocker CSP
- CSP Configurations supported by Group Policy Analytics – Group Policy Preferences
This article has described the steps needed to convert the Group Policies in your Active Directory infrastructure into modern configurations delivered through the Microsoft cloud solution.
This approach allows IT admins to apply configurations to their devices wherever they are, without requiring a connection to the corporate network.