How to use MMAT to convert DISA STIG GPOs to Intune CSPs

MMAT, or MDM Migration Analysis Tool, is an incredible tool that you can use for converting group policy items to custom CSPs. For most organizations, the biggest pain point for moving to MDM only management is losing their decades old GPOs – so here’s the tool to fix that!

In today’s post we’re going a step further and taking a DISA STIG GPO’d device. That way we can verify that even the US Government’s group policies can be converted. Last week we used LGPO to apply DISA STIGs but unfortunately MMAT does not support local policies, so we’ll need an actual domain-joined device.

First, we’ll set up a Windows 10 1803 Pro or Enterprise device with our STIG GPOs. I’ve tried this with 1809 and 1903 without any luck – so if you can get it working, let me know how! You can run “gpresult /h filename.html” to verify that settings are applied.

GPResult showing that STIG settings are applied

Now that we know those are applied, you’ll have to download and apply the RSAT or Remote Server Administration Tools for Windows 10: https://www.microsoft.com/en-us/download/details.aspx?id=45520. Installing RSAT is as simple as double clicking on the .msu.

Once that’s installed you’ll have to head over to GitHub to download the tool: https://github.com/WindowsDeviceManagement/MMAT

Then open a PowerShell admin session on your target computer, and run the following:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process

$VerbosePreference=”Continue”

(cd (change directory) to the extracted directory and then)
./Invoke-MdmMigrationAnalysisTool.ps1 -collectGPOReports -runAnalysisTool

And it’s done! Back in the extracted directory, you’ll find a host of new files:

Hooray! If we click on the MDMMigrationAnalysis HTML, we’ll see a spreadsheet of policies and their corresponding custom CSPs:

GPOs that can be mapped to CSPs

As always, the list of caveats:

  • MMAT does a best effort but may not capture every GPO
  • Since CSPs are updated frequently, MMAT may show a policy as missing that has since been developed
  • And most importantly, MMAT doesn’t return the xml for complex policies. We’ll have to figure out the xml string ourselves.

In my next blog post I’ll be exploring the missing policies and how to create complex xml, so stay tuned!

Further down in our MDM Migration Analysis report we’ll unfortunately find a list of unsupported policies:

GPOs that are not supported by MDM

Now, we just type in all of the custom policies into the Intune console. In Intune, open Device Configuration > Profiles > + Create Profile. I prefer to organize the policies by User & Computer, so I’ll start by creating a custom User profile.

Custom Intune Profile

Next we’ll check the user section of the MDM analysis report and notice…that there’s only one supported policy.

User Policies

Oh well! In the OMA-URI settings, we’ll click add and copy the information from the report over to the Intune portal, like so:

Custom OMA-URI

I like to copy the full name so that I can quickly find the policy for troubleshooting. For most of these policies, all we need to do is type in Data type: String and <enabled/> or <disabled/>.

After that’s done, we’ll do the same with the computer policies. There will be significantly more of these:

Custom Settings for Computer STIG policies

And that’s it! MMAT has given us a great starting point with about 60 of the required STIG polices. In the next post I’ll cover how we can get the rest of the way there!

As a bonus for reading until the end, here’s a copy of my MDMMigrationAnalysis HTML file, in case you don’t want to go through the trouble of setting up a STIG device.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *