How to migrate GPOs using Group Policy Analytics and Intune

When you’re looking to migrate your infrastructure into the cloud they’re generally two areas of concern
that pop up time and time again, these include your applications and group policy objects (GPOs). So in this blog I’m going to look at how you collect your group policy objects, analyse them within Microsoft Intune, and deploy available settings to Windows devices. 

When examining a GPO policy within Intune, you’ll first require a GPO report file. This you can either create directly or create a backup of an existing Group Policy object and requires a report .xml file. To achieve this, launch your group policy management within your own environment (Domain) and navigate to the group policy objects. Select a specific GPO for examining and then right click that GPO to make a backup. You will need to select your destination and then take a a copy of what is the gpreport.xml file. This will then be the report file you can use to import into your Intune environment.

With your gpreport file saved Login to Microsoft Endpoint Manager admin center using an Intune administrator or  Global Admin account and navigate to: Devices Group Policy analytics.
Please note: this is currently still in preview at the time of doing this blog but i’m hoping it will become GA fairly soon (Fingers crossed). Import your GPO into Intune

​The next step is to hit the import option and select the report file you backed up previously. After you have imported the gpreport.xml file it will first show that it’s being processed and then that it has been 
imported. Go ahead and close that option after which the page will start showing details straight away. 
If we take a look at my actual imported gpreport.xml

 in more detail you will notice that basically what it has  imported is a computer GPO which has a number of settings. The setting types contained within this group policy includes things like clear text password, lockout bad count and minimum password age.


By importing the XML file we are looking to check which settings contained in the GPO are supported by Intune. Intune will parse the settings and map out those which are supported currently. Where it shows it is this means we can enable and replicate the same settings to Windows using Intune rather than a GPO. 

Back within MEM here you can see a summary of the overall results to the import which for me shows there is a 33% MDM support for imported settings. 

​By clicking this link you are presented with a further break down of the results which provides information on the setting name, Value Min OS version and CSP Mapping etc identiifying the specific settings. ​


Looking through these details gives you an indication as to which policies you may want to migrate into as your tenant and also do some planning to look at whether the others that aren’t supported are still required. It can be a good refflection ppoint and opportunity to rationise the multiple settings you are enforcing. Its worth noting that more settings are being added regulalrly so by regulalrly checking back through these Intune will parse and evaluate for the latest capability. The resulting analysis also provides a clear indication of the values that are set within the imported settings. In fact during the time I was testing this another setting became available > Network security: Do not store LAN Manager hash value on next password changeReporting

Another way of viewing the details of the GPO import is to navigate to: 
Reports>Group policy analytics (preview).
On the summary option click the refresh icon which may take a few seconds to process.

The result is another summary of the GPO just imported. Next select the ‘Reports‘ link and then ‘Group policy migration readiness‘ box. Click the ‘Generate again‘ button which will again give you a summary of all the settings in a slightly different pane and shows the readiness for importing GPO settings for modern managment. This provides a clear indication of what is available for migration and those settings that are not  or are deprecated.  If required you also have the option to carry out a backup which creates a CSV file of all the columns and rows with applied filters. This may be important to Admins who keep track of admin processes and analysis carried out.

As best practice Microsoft recommend importing GPO’s one a time to evaluate which settings you would like to migrate. If you have a good selection of GPOs to import,  then take the time to carefully carry out all the anlysis and planning to the migration as well as making sure you test the deployment of these.GPO Migration process

Next up I want to show how you go forward with migrating the available GPO settings. Naviagte back to DevicesGroup policy analytics (Preview) and at the top of the page you will see a ‘Migrate’ link. This is a fairly new option added to Intune and is a really good step forward as essentially it allows you to
take policies that can be migrated and set up a settings catlaog policy while also simplyfying the process for importing your settings and allow Admins to deploy these down to devices. This option was not previously available and meant you had to do it manulally through a CSP policy setting that you created.​

To configure the migration choose your import policy and select the ‘Migrate‘. The following pages are the steps you process to go ahead and migrate the available settings. Step 1 – Settings to Migrate – Click the ‘Select all on this page‘ button or only the individual settings you wish to proceed with then select ‘Next‘.

Step 2 – Configuration – on this page you can make adjustments to the actual setting values. The ones presented are those imported so you are more than likely going to keep them the same depending on the required configuration you require. Please ensure you have knowledge of the various settings being implmented beforehand. Then proceed with the ‘Next‘ button.

Step 3 – Profile info – Add in a name and description of the policy you are creating
Step 4 – Assignments – Assign to the user or device groups you are testing on initially. Its not advisable to mix both Device and user groups together
5 – Review and Deploy – review all your selections and select the ‘Deploy‘ button.Policy deployment and confirmation

At this point we can go ahead and test this out and confirm the the policy settings have deployed. Ill do this by showing the updates to Intune and changes to the registry on a local Windows device.
You can check the status of the policy deployment by navigating to  Devices Configuration profiles and find the name of the policy you created which will be under the Profile type of Settings Catalog. Select and open the policy then click on the ‘Generate again‘ button. Eventually you will see the results of the deployment. I have highlighted below where the policy has been deployed successfully.

​Depending on the last update the device or devices had, it can take a few hours before the status is updated. To try and speed this up you can go on to the device and carry out a manual sync using the company portal Application or select the device within Intune and perform a manual sync this way. Once the policy has been deployed we can then check out the results within the policy. Select View report then the device you want to check on.​


You will see the results of the individual settings migrated in your policy. As per above I have 3 settings:
Device Password enabled / Device Password expiration / Min Device Password Length.
If the settings failed you will be provided with an error code within the error code column.
When looking to confirm policy deployment on a Windows device is to open the Registry Editor. Depending on the policy you have deployed this will determone where you navigate to within the Registry. For my settings I go to:

 > Select DeviceLock
 > Confirm settings for MinDevicePasswordLength / DevicePasswordEnabled / DevicePasswordExpiration
 So thats one way of checking through the results on the local machine. In my case as the Minimum password length has changed I will need to create a new password to meet the set policy.

There is one more thing Id like to cover here and that is that, traditional group policy certainly within a hybrid scenario means that your domain group policy management takes precedence over Intune deployed policy settings. If there is a duplicate setting for a policy your Active directory policy rules. However since COVID and people having to work remotely and more agile it has meant that domain joined devices do not necessarily have direct line of sight and connectivity to their domain for updates. To deal with this Microsoft introduced
a new policy which can be set on devices to overcome the issue. This a ‘Settings Catalog‘ Configuration policy which you set as per below. ​


Once deployed check back on the deployment status of the policy to confirm it has been received and configured on the Windows machines.
Note: Please deploy this before importing your GPO’s and migrating your MDM policies to ensure.

That’s It for now, hopefully this was useful for your own testing and deployments. Please get in contact with any questions.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.