Tools to help you migrate GPOs to Intune

I was recently involved in a Modern Endpoint Management project for a large financial customer. This customer has a plan to move the management of their devices from on-prem managed (Hybrid join, SCCM & GPOs) to cloud managed (Cloud join, Microsoft Intune). My role in the project was to prepare the Intune environment.

In this article I will share some of the tools I used to analyze and move the customer's existing GPO configurations to Microsoft Intune.

Tool nr. 1: Policy Analyzer
Tool nr. 2: Group Policy Analytics

REMINDER: These tools will assist with part of the process. However, there are many additional discussions that need to take place before migrating the policies. Some examples include:

  1. Intune Configurations Naming Convention
  2. How to structure the configuration profiles
  3. How to target the right devices with the policies

With that said, let's get into the tools and how to use them.

How to use Policy Analyzer

Policy Analyzer is a great tool that can give you an Excel spreadsheet overview of all the Group Policies within an environment and the settings within each policy. It was originally developed as a tool to compare policies within an environment to the Microsoft Security Baseline.

Policy Analyzer is part of the Microsoft Security Compliance Toolkit 1.0.

To use the Policy Analyzer tool you'll need to make a backup of the GPOs that you would like to analyze. In our case we need to export the GPOs that target our users' Windows 10/11 devices.

Step 1 – Backup Policies

This can be done manually for each GPO:

  1. Open the Group Policy Management console
  2. Browse to the GPO you would like to get the .xml file from and click Back Up…
  3. Choose location
  4. Repeat for each GPO

The problem with the manual method is that:

  1. It takes forever when you have a lot of GPOs
  2. The backup folders will be named by their UniqueID instead of their name

So instead I've created a script that automatically backs up the GPOs linked to a specific OU and names each backup folder after its GPO:

PowerShell
#Load the modules that provide Get-ADOrganizationalUnit, Get-GPO and Backup-GPO
Import-Module ActiveDirectory, GroupPolicy

#Set Variables
$OU = "OU=COMPUTERS,OU=CORP,DC=corp,DC=contoso,DC=com"
$BackupFolder = "C:\temp\GPOBackup"

#Get all GPOs linked to OU
(Get-ADOrganizationalUnit -Identity $OU).LinkedGroupPolicyObjects | ForEach-Object {
    #Get GPO details (the link is a DN that contains the GPO GUID in curly braces)
    $GPOGUID = "{" + ($_.Split("{")[1]).Split("}")[0] + "}"
    $GPOName = (Get-GPO -Guid $GPOGUID).DisplayName
    Write-Verbose "Processing: $GPOName" -Verbose
    #Create backup folder based on GPO Name
    New-Item -Path "$BackupFolder\$GPOName" -ItemType Directory -Verbose
    #Backup GPO
    Backup-GPO -Guid $GPOGUID -Path "$BackupFolder\$GPOName" -Verbose
}

Step 2 – Create PolicyRules file to use with Policy Analyzer

Now that we have the GPOs exported, we need to import them into the Policy Analyzer tool:

  1. Open the Policy Analyzer tool
  2. Click on the Add … button
  3. Click File and then Add files from GPO(s)…
  4. Browse to the root folder where you saved the GPOs in the previous step (in my case C:\temp\GPOBackup)
  5. Click Import…

Step 3 – Use Policy Analyzer to create an Excel sheet with all the policies

  1. Open the Policy Analyzer tool
  2. Put a checkmark on the PolicyRules files you created in the previous step
  3. Click View / Compare
  4. Click Export -> Export all data to Excel

Now you will have an Excel sheet overview of all your GPOs that you can use to analyze your policies.

How to use Group Policy Analytics

Group Policy Analytics is a feature in Microsoft Intune designed to help organizations transition from traditional on-premises Group Policy Objects (GPOs) to modern cloud-based management. It allows you to import your existing GPOs, analyze their settings, and see how they can be mapped to Intune settings. This tool provides insights into which policies are supported in the cloud and helps streamline the migration process, making it easier to manage devices and policies in a cloud-first environment.

FYI: When you migrate a GPO to Intune using the Group Policy Analytics tool the policy type that gets created in Intune is of the Settings Catalog type.

Step 1 – Import policies

  1. Open the Group Policy Analytics panel within Intune
  2. Click Import
  3. Click the blue folder icon
  4. Browse to the backup folder from the earlier Step 1 – Backup Policies
  5. Click on one of the GPO folders and select the gpreport.xml within the folder
  6. Click Next
  7. Click Create
  8. Repeat for the remaining GPOs

Now you should be able to see the policies within the tool.
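
A pre-import check for the steps above, as an added example that is not part of the original post: it walks the backup folders created by the backup script, locates each gpreport.xml, and flags files that are missing, not well-formed, or at or above the 4 MB per-file limit that Microsoft documents for Group Policy analytics imports. The folder layout (GPO name folder, then a backup ID folder containing gpreport.xml) and the CSV file name are assumptions.

```powershell
# Added example (not the author's script): inventory gpreport.xml files before import.
# Assumed layout: <BackupFolder>\<GPO name>\{backup id}\gpreport.xml
$BackupFolder = 'C:\temp\GPOBackup'   # same path used by the backup script
$MaxBytes     = 4MB                    # per-file import limit per Microsoft's documentation

$inventory = Get-ChildItem -Path $BackupFolder -Directory | ForEach-Object {
    $folder = $_
    $report = Get-ChildItem -Path $folder.FullName -Filter 'gpreport.xml' -Recurse -File |
        Select-Object -First 1

    $status = 'OK'; $name = $null; $sizeKB = $null; $path = $null
    if (-not $report) {
        $status = 'Missing gpreport.xml'
    }
    else {
        $path   = $report.FullName
        $sizeKB = [math]::Round($report.Length / 1KB, 1)
        try {
            # XmlDocument.Load honours the file's own encoding declaration
            # and throws if the report is truncated or malformed
            $xml = New-Object System.Xml.XmlDocument
            $xml.Load($path)
            $name = $xml.GPO.Name
            if ($report.Length -ge $MaxBytes)  { $status = 'Too large to import' }
            elseif ($name -ne $folder.Name)    { $status = 'Name differs from folder' }
        }
        catch {
            $status = 'Not well-formed XML'
        }
    }

    [pscustomobject]@{
        Folder     = $folder.Name
        GpoName    = $name
        SizeKB     = $sizeKB
        Status     = $status
        ReportPath = $path
    }
}

# Problems sort to the top of the table; OK entries are the files to import
$inventory | Sort-Object { $_.Status -eq 'OK' }, Folder |
    Format-Table Folder, GpoName, SizeKB, Status -AutoSize

# Keep a record of what was checked alongside the Policy Analyzer spreadsheet
$inventory | Export-Csv -Path (Join-Path $BackupFolder 'gpreport-inventory.csv') -NoTypeInformation
```

The ReportPath column in the CSV gives the exact file to pick in step 5 for each GPO.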

Step 2 – Check Intune migration compatibility within a policy

Now you will be able to see how many of the settings within a policy can be migrated to Intune using the tool:

  1. From the Group Policy Analytics panel click on the percentage under MDM support on one of the policies
  2. From here you can see each of the settings within a policy and whether the tool is able to migrate the settings to Intune

If a setting shows No under MDM support, that doesn't necessarily mean the setting can't be configured in Intune; it just means that the Group Policy Analytics tool can't migrate it. See example below.

Step 3 – Check Intune migration compatibility for all imported policies

Instead of checking each policy one by one, it would be nicer to get a report that shows the compatibility for all the policies. This can be achieved with a report:

  1. Open the reports view of the Group Policy Analytics
  2. Click Reports
  3. Click Group policy migration readiness
  4. Now you will get a complete overview of all the settings within each policy that you have imported to the tool

Step 4 – Migrate a policy to Intune

Follow the steps below when you are ready to migrate one of the policies to Intune:

  1. Open the Group Policy Analytics panel
  2. Put a checkmark on one or more of the policies
  3. Click Migrate
  4. Select the settings within the policy that you would like to migrate and click Next
  5. In the configurations page click Next
  6. Give the Intune Configuration Profile a name and click Next
  7. On the Scope tags page click Next
  8. Click Next on the Assignments page (this can be done later)

Now you have successfully migrated a Group Policy to a Configuration Profile within Microsoft Intune.

This is the end of this blog post for now. If any other tools come to mind then I will update it.

Peace out!
