Use Group Policy analytics to convert GPOs to Intune Configuration Profiles

If you’re interested in reducing some of the load on your on-premises environment, transitioning GPOs (group policy objects) to CSPs (configuration service providers) is a great way to start! As a quick background – CSPs implement OMA-URI paths, and are used to configure Windows 10 devices. It’s not exactly correct, but you can think of CSPs as the mobile device management (MDM) version of GPOs.

Microsoft Endpoint Manager has a new feature called Group Policy analytics – which drastically simplifies this process. Previously we had to use MMAT (like in this blog post: How to use MMAT to convert DISA STIG GPOs to Intune CSPs – Device Advice), so this tool is a much welcome improvement.

Let’s get started! First, you’ll need to export a GPO as a XML file. This is as simple as opening Group Policy Management (GPMC.msc) on any domain-joined computer, right clicking on a GPO, and selecting Save Report…:

Make sure you select XML in the dropdown when you’re saving the report!

Next, head over to the Microsoft Endpoint Manager admin center, and select Devices > Group Policy analytics (preview) > Import

Group Policy analytics pane

Then in the fly-out window, select the GPO Report you just saved:

Import GPO files pane

This may take a few minutes depending on the size of the XML you upload. Also, file sizes are currently limited to 1MB. Once it shows import completed, click the X and you’ll see the report now shown in the analytics pane:

Policy imported into Group Policy analytics

Now, for the real fun, click the percentage under MDM Support. Here you’ll see all of the settings that can be mapped over to CSPs:

MDM support pane

And there you go! Now you can see which of your GPO settings can be mapped over to profiles in MEM. You’ll notice that a lot of the settings aren’t available as CSPs – and that can be because some settings won’t make sense for devices no longer managed by group policy (like clear text password). Now is a great time to reevaluate the GPOs your organization uses.

But how about actually using those CSPs? In the MEM admin center, go to Devices > Configuration profiles > + Create profile and select Windows 10 and later and Custom:

Create a configuration profile

After naming the profile, you’ll see a OMA-URI settings pane. Here’s where we copy the CSP Mapping and Value from the analysis pane. For example, if I wanted to migrate MaximumPasswordAge, I would click Add type in the following settings:

OMA-URI settings copied from MDM Support pane of GPO Analysis

And just like with any profile, then you can save and assign it to your users. Now you’ve successfully migrated a setting!

Intune Custom profile

Now – you’re not exactly out of the clear. Your devices will report a conflict if you have different settings deployed in MEM over Group Policy, so you’ll need to either remove duplicate settings in your GPOs or set the MDMWinsOverGP setting (although this only applies to the Policy CSP group).

Per the documentation (Policy CSP – ControlPolicyConflict – Windows Client Management | Microsoft Docs), enabling this is as simple as creating another custom profile and entering the following:

  • Name
  • ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
  • 1
MDMWinsOverGP policy

Once you’re deployed that custom setting, the MDM settings will take precedence over GPO settings. Note that this only applies to Policy CSPs, and not other categories (such as PassportForWork, BitLocker, Firewall, AppLocker, which are the other 4 categories supported by the Group Policy analytics tool).

Happy migrating! 🚚

You may also like...

1 Response

  1. Chad says:

    Just to add clarity, GPO settings for Windows Update / Windows Update for Business are not in scope for this CSP. Migrating Microsoft Updates to WUfB managed by Intune will require the GPOs be removed from the target devices.

Leave a Reply

Your email address will not be published. Required fields are marked *