In this post I am going to show you how we can migrate group policies to Intune. When we have on-premises infrastructure with domain controller, we use group policies to enforce specific settings, all these group policies can be exported and then imported to Intune and further can be migrated for modern management.

Why Migrate Group policy to Intune

We need to migrate the group policies if we wanted to get rid of the on-premises infrastructure or we stop the usage of group policy and start using Intune for enforcing the policies.

How Intune target policies?

Though Intune as MDM can be used to enforce certain policies to devices and users like group policy, but the way Intune handles it is quite different from group policy.

Intune uses Policy CSP, where CSP stands for Configuration service provider. The CSP format for deploying it through Intune is bit different. Intune uses following format to target for following scopes:

User scope: ./User/Vendor/MSFT/Policy/Config/AreaName/PolicyName

Device scope: ./Device/Vendor/MSFT/Policy/Config/AreaName/PolicyName

This might looks complex, hence let me give you one example.

A group policy for “Specify source service for specific classes of Windows Updates” under group policy can be found under Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service, with 4 settings to define for:

Set group policy
  • Feature Updates
  • Quality Updates
  • Driver Updates
  • Other Updates

We can either use Windows Update or Windows Server Update Services through drop down to change these value. So easy to define using GPO which we understand how simple to manage.

If we interpret the same setting for Intune, it requires following CSP:


We can define value 0 or 1, where

  • 0 is for Windows Update
  • 1 is for WSUS

In-depth explanation can be found under Policy CSP – Update. Though there is a very wonderful document available for these settings, it requires a greater learning curve to understand how these CSP works.

Some times CSP’s are available in form of settings catalog or Administrative templates in Intune, but if not available we have to create custom settings. Hence, we need a better approach on how to create these policies on Intune when we already have group policies setup.

Luckily, we have the feature available on Intune now with the name Group Policy analytics which is in public preview where Microsoft is still working on it to introduce more features.

Export Group policies from on-premises Infrastructure

Login to one of the domain controller with Group Policy Management installed. Right click one of the GPO you want to export and select Save Report.

Save group policy xml format

Under Save GPO Report dialog box, make sure to select type as XML File, don’t go with HTML File, and save the Group policy.

Save GPO Report xml file export

We are ready with 1 Group Policy exported. Same way we can do it for other group policies as well.

You can use following script to export all group policies under c:\GPOExport folder:

#Saves the exported GPO (in xml format) under c:\GPOExport
$GPONames = Get-GPO -All | Select-Object DisplayName,Id
ForEach ($GPOName in $GPONames) {
$Filename = $GPOName.DisplayName
Get-GPOReport -ReportType Xml -Guid $GPOName.Id -Path $Filepath
Write-Host "Saving Group POlicy: $filename" -ForegroundColor Green
Export GPO script

You can find the script with the name ExportGPO on my Github account as well.

Group Policy analytics – Import and migrate group policy

Login to Microsoft Intune admin center and navigate to Devices > Group Policy analytics (preview)

Click on Import to initiate the process.

Import Group Policy Intune

Under GPO file upload, select one or more GPO files to be imported.

I can select multiple GPO’s as well through this option.

GPO file upload intune

Select next under scope tags and complete the process.

We can see now multiple policies as I imported policies, there are several settings such as:

Group Policy analytics (preview)

Migrate: we are ready to migrate this policy

Group policy name

MDM support: 100% means all policies are supported while lesser number means few of them aren’t or not atll supported with 0 %

Targeted in AD: Shows whether this policy was targeted in AD or not, this gives a good indication whether to migrate if it wasn’t targeted in AD.

Note: Don’t migrate all group policies all together, this is the good time to verify what we wanted to migrate and what not.

Let’s go to report to analyse the Group policy migration readiness.

Navigate to Reports > Group policy analytics (preview) and click on Group policy migration readiness.

Click on Generate to get list of all settings whether it is supported or not. It will show you

Report Group policy migration readiness

Device configuration:All – which is an indication of supported policies

It is highly recommended to export the policy by clicking on export to get a file in csv format and review it.

Come back Devices > Group Policy analytics (preview), we can now see Group policy migration readiness graph as well along with the numbers on which one can be migrated and which one can’t be.

As the policies are ready to be migrated, click on Migrate while selecting 3 policies which I wanted to migrate.

Group policy analytics ready for migration

This will take you to Settings to migrate page, showing list of available options.

Migrate group policy settings to the cloud

The policies which can be migrated can only be selected here which will further show you MDM support as Yes or No, along with Min OS version, and also the value for each policy. CSP mapping can also be seen. This is the real benefit of migrating the policy as somewhat complex CSP mapping can be avoided using migrating feature.

Under Configuration page, we can see the settings which are going to be migrated, as I selected 4 options to migrate.

Settings to migrate to Intune through GPO

Under Profile info, specify the name and description of the policy and click next.


Skip the scope tags, and under Assignments we can selected groups, devices or users to target this policy.


Once done, we can see the policy created under Devices > Configuration profiles. The Profile type of this policy is Settings catalog which makes it flexible to further modify add or edit.

We also have Import ADMX feature available which is again a good option for those admx files which are still not available on Intune and can be imported directly, this topic I will cover separately.


Hope this content was insightful.

Important Links

Migrate your imported group policy to a policy in Microsoft Intune | Microsoft Learn

Use group policy analytics to import and analyze GPOs in Microsoft Intune | Microsoft Learn