In this post I am going to show you how we can migrate group policies to Intune. When we have on-premises infrastructure with a domain controller, we use group policies to enforce specific settings. All these group policies can be exported, imported into Intune, and then migrated for modern management.

Why Migrate Group policy to Intune

We need to migrate the group policies if we want to get rid of the on-premises infrastructure, or if we stop using group policy and start using Intune to enforce the policies.

How does Intune target policies?

Intune, as an MDM, can be used to enforce certain policies on devices and users like group policy does, but the way Intune handles it is quite different from group policy.

Intune uses Policy CSP, where CSP stands for Configuration Service Provider. The CSP format for deploying a setting through Intune is a bit different. Intune uses the following formats to target the following scopes:

User scope: ./User/Vendor/MSFT/Policy/Config/AreaName/PolicyName

Device scope: ./Device/Vendor/MSFT/Policy/Config/AreaName/PolicyName

This might look complex, so let me give you an example.

The group policy “Specify source service for specific classes of Windows Updates” can be found under Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service, with 4 settings to define:

  • Feature Updates
  • Quality Updates
  • Driver Updates
  • Other Updates

We can choose either Windows Update or Windows Server Update Services from the drop-down to change these values. This is easy to define using a GPO, which we already understand and find simple to manage.

If we interpret the same setting for Intune, it requires the following CSP:

./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForFeatureUpdates

We can define the value 0 or 1, where

  • 0 is for Windows Update
  • 1 is for WSUS

An in-depth explanation can be found under Policy CSP – Update. Though there is very good documentation available for these settings, it takes a steep learning curve to understand how these CSPs work.
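To check on an enrolled device that a policy such as the one above actually arrived, the OMA-URI can be split into its scope, area and policy name and looked up locally. This is an added example, not part of the original post; the function name Test-PolicyCspValue is hypothetical, and it assumes applied Policy CSP values are recorded under HKLM:\SOFTWARE\Microsoft\PolicyManager\current.

```powershell
# Added example: resolve a Policy CSP OMA-URI to the place where an enrolled
# Windows device records the value it received, and compare it with the expected one.
# Assumption: applied values are stored under
# HKLM:\SOFTWARE\Microsoft\PolicyManager\current\<device | user SID>\<AreaName>
function Test-PolicyCspValue {
    param(
        [Parameter(Mandatory)][string]$OmaUri,
        [Parameter(Mandatory)]$Expected
    )

    # Format from the post: ./<Scope>/Vendor/MSFT/Policy/Config/<AreaName>/<PolicyName>
    $pattern = '^\./(?<Scope>Device|User)/Vendor/MSFT/Policy/Config/(?<Area>[^/]+)/(?<Policy>[^/]+)$'
    if ($OmaUri -notmatch $pattern) {
        throw "Not a Policy CSP OMA-URI: $OmaUri"
    }
    $scope, $area, $policy = $Matches.Scope, $Matches.Area, $Matches.Policy

    # Device-scope values sit under 'device'; user-scope values under the user's SID
    if ($scope -eq 'Device') {
        $node = 'device'
    } else {
        $node = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    }
    $key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\$node\$area"

    # A missing key or value yields $null, which is reported as not compliant
    $actual = (Get-ItemProperty -Path $key -Name $policy -ErrorAction SilentlyContinue).$policy

    [pscustomobject]@{
        Scope     = $scope
        Area      = $area
        Policy    = $policy
        Expected  = $Expected
        Actual    = $actual
        Compliant = ($null -ne $actual) -and ($actual -eq $Expected)
    }
}

# 1 = WSUS, 0 = Windows Update (values from the example above)
Test-PolicyCspValue -Expected 1 -OmaUri './Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForFeatureUpdates'
```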

Sometimes CSPs are available in the form of the settings catalog or Administrative templates in Intune, but if they are not available we have to create custom settings. Hence, we need a better approach to creating these policies in Intune when we already have group policies set up.

Luckily, Intune now has a feature named Group Policy analytics, which is in public preview while Microsoft is still working on it to introduce more features.

Export Group policies from on-premises Infrastructure

Log in to one of the domain controllers with Group Policy Management installed. Right-click the GPO you want to export and select Save Report.


In the Save GPO Report dialog box, make sure to select the type XML File, not HTML File, and save the group policy.


We now have 1 group policy exported. We can do the same for other group policies as well.

You can use the following script to export all group policies to the c:\GPOExport folder:

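#Saves the exported GPOs (in XML format) under c:\GPOExport
Import-Module GroupPolicy
$ExportPath = "c:\GPOExport"
# Create the export folder if it does not exist yet
New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null
$GPONames = Get-GPO -All | Select-Object DisplayName,Id
ForEach ($GPOName in $GPONames) {
    # Replace characters that are not allowed in Windows file names
    $Filename = $GPOName.DisplayName -replace '[\\/:*?"<>|]', '_'
    $Filepath = Join-Path $ExportPath "$Filename.xml"
    Get-GPOReport -ReportType Xml -Guid $GPOName.Id -Path $Filepath
    Write-Host "Saving Group Policy: $Filename" -ForegroundColor Green
}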

You can find the script with the name ExportGPO on my GitHub account as well.

Group Policy analytics – Import and migrate group policy

Log in to the Microsoft Intune admin center and navigate to Devices > Group Policy analytics (preview).

Click on Import to initiate the process.


Under GPO file upload, select one or more GPO files to be imported.

I can select multiple GPOs as well through this option.


Select Next under Scope tags and complete the process.

We can now see multiple policies, as I imported several policies. Each one shows several settings, such as:


Migrate: we are ready to migrate this policy

Group policy name

MDM support: 100% means all policies are supported, while a lower number means some of them aren't, and 0% means they are not supported at all.

Targeted in AD: shows whether this policy was targeted in AD or not. This gives a good indication of whether to migrate a policy if it wasn't targeted in AD.

Note: Don't migrate all group policies together. This is a good time to verify what we want to migrate and what we don't.
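To see before the upload which exported reports are linked anywhere in AD and which contain any settings at all, the XML files written by the export script can be summarised. This is an added example, not part of the original post; Get-GpoReportSummary is a hypothetical helper name, and it assumes the reports are in c:\GPOExport.

```powershell
# Added example: triage the XML reports written by the export script before upload.
# Assumes the files are in c:\GPOExport and were produced by Get-GPOReport -ReportType Xml.
function Get-GpoReportSummary {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$report = Get-Content -LiteralPath $Path -Raw
    $gpo = $report.GPO

    # The report has one <LinksTo> element per domain, OU or site the GPO is linked to
    $links        = @($gpo.LinksTo | Where-Object { $_ })
    $enabledLinks = @($links | Where-Object { $_.Enabled -eq 'true' })

    [pscustomobject]@{
        Name               = $gpo.Name
        ComputerEnabled    = $gpo.Computer.Enabled -eq 'true'
        UserEnabled        = $gpo.User.Enabled -eq 'true'
        # <ExtensionData> blocks hold the configured settings; 0 means that side is empty
        ComputerExtensions = @($gpo.Computer.ExtensionData | Where-Object { $_ }).Count
        UserExtensions     = @($gpo.User.ExtensionData | Where-Object { $_ }).Count
        Linked             = $enabledLinks.Count -gt 0
        LinkedTo           = ($enabledLinks.SOMPath -join '; ')
    }
}

$summary = Get-ChildItem -Path 'c:\GPOExport' -Filter *.xml |
    ForEach-Object { Get-GpoReportSummary -Path $_.FullName }

# Unlinked or empty GPOs come first: these are the candidates to leave out of the import
$summary | Sort-Object Linked, Name |
    Format-Table Name, Linked, ComputerExtensions, UserExtensions, LinkedTo -AutoSize
```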

Let's go to the report to analyse the group policy migration readiness.

Navigate to Reports > Group policy analytics (preview) and click on Group policy migration readiness.

Click on Generate to get a list of all settings and whether each one is supported or not. It will show you


Device configuration:All – which is an indication of supported policies

It is highly recommended to export the policy by clicking on Export to get a file in CSV format and review it.

Come back to Devices > Group Policy analytics (preview). We can now see the Group policy migration readiness graph as well, along with the numbers showing which ones can be migrated and which can't.

As the policies are ready to be migrated, select the policies to migrate (3 in my case) and click on Migrate.


This will take you to the Settings to migrate page, showing the list of available options.


Only the policies which can be migrated can be selected here. The page also shows MDM support as Yes or No, along with the Min OS version and the value for each policy. The CSP mapping can also be seen. This is the real benefit of migrating the policy, as the somewhat complex CSP mapping can be avoided by using the migration feature.

Under Configuration page, we can see the settings which are going to be migrated, as I selected 4 options to migrate.


Under Profile info, specify the name and description of the policy and click Next.


Skip the scope tags, and under Assignments we can select groups, devices or users to target with this policy.


Once done, we can see the policy created under Devices > Configuration profiles. The Profile type of this policy is Settings catalog, which makes it flexible to modify, add to or edit further.

We also have the Import ADMX feature available, which is a good option for ADMX files that are still not available in Intune and can be imported directly. I will cover this topic separately.


Hope this content was insightful.

Important Links

Migrate your imported group policy to a policy in Microsoft Intune | Microsoft Learn

Use group policy analytics to import and analyze GPOs in Microsoft Intune | Microsoft Learn