Migrate Group Policy to Microsoft Intune

Group Policy Objects (GPOs) have been the preferred way to manage some settings on your device for years. If you want to manage a setting on the majority of your devices, you would create a Group Policy and apply it to an OU or Active Directory group. Today, with everything moving to the cloud and Intune, you can import your GPOs and create an Intune policy. This Intune policy can then be deployed to the users and devices managed by your tenant.

Group Policy Analytics allows importing your GPOs in an XML form. It then analyzes the imported GPOs and shows which settings are available in Microsoft Intune. For the available settings, you can migrate them and deploy it to your managed devices.

This blog post explains how to migrate your Group Policy to Intune using the Group Policy Analytics function.

Migrate Group Policy Intune Prerequisites

• Only Windows 10 and Windows 11 group policies can be migrated to Intune
• Intune administrator credentials or Intune administrator or with a role that has the Security baselines and the Device Configuration permission
• The desired GPO (Group Policy Objects) as an .XML File  

Export GPO in XML

The first step is to export the desired GPO to an XML file, which can be used in Intune.

• Open the Group Policy Management console console (GPMC.msc)

• Expand Group Policy Objects to see all the available GPOs.
• Right-click the GPO to migrate and choose Save report

• In Save as type, select XML File
• Save this file in an accessible folder

Intune Group Policy Analytics

We will now import the file into Intune Group Policy Analytics. This tool will analyze our policy and tell which policies can be migrated.

• In the Intune console
• Select Devices / Group Policy analytics

• At the top, select Import, and select your saved XML file. You can select multiple files if needed.

• In Scope tags, select the existing scope tag you want to apply to the imported GPO and complete the wizard.

Once imported you’ll see your GPO listed and Intune will analyze it. At the top there’s a Group policy migration readiness summary

Next, we will check which policy can be migrated and which cannot. We can see that our Policy is 36% MDM Supported, which means only 36% of settings in the GPO can be migrated to CSP. If you’re seeing 100%, all your policies can be migrated to the Intune model.

Let’s click on the percentage to have details on the policy that can be migrated. The important column to check is MDM Support. (It checks if the setting is available in the Intune Setting Catalog)

• Yes means there’s a matching setting available in Intune
• No means there isn’t a matching setting available in Intune
• Other values: Older settings that aren’t supported anymore

You can also use the Filter function at the top to show only the desired one.

Migration Process

We will now migrate the desired settings from your GPO to Intune

• Let’s click on Migrate at the top

• You’ll be presented with a screen with all the available settings. You can select the one that is MDM Support = Yes.
• Select the settings that you want to migrate to your Intune Tenant
• Click on Next

• In the Configuration pane, you’ll see an overview of which settings will be applied and their values.
• If everything is fine, click Next

• In the Profile Info pane, add a name and description of your new policy
• Click Next

• In the Scope tag pane, select the desired scope tag. Admins only see the imported GPOs if they have one of the same scope tags selected during the import.
• Click Next

• In the Assignment tab, select the group you want to deploy the policy.

Be careful and always test your new policy first on a test group

• Click on Next

• On the Review + Deploy pane, Review your settings and click on Deploy once you’re ready

• On a device member of the group, validate that the policy applied and the results are right.

Monitoring

If you want to monitor it from the Intune side, your policy will be saved under

• Device \ Windows \ Configuration Profile

It can also be found under :

• Device \ Configuration

As you can see the process is straight forward but testing is the key. Make sure to always test your policy first before a large deployment.