The Group Policy analytics tool is now generally available

This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.

By: Aasawari Navathe | Senior Product Manager - Microsoft Intune


We’re excited to announce that the Group Policy analytics tool is now generally available with the Microsoft Intune 2308 release.

Group Policy analytics helps you import your GPOs, analyze the settings through sharable reports, and migrate settings from your GPO to Intune. From here, the settings can be managed just like a standard Intune device configuration policy.

If you are managing your devices with Group Policy, some challenges you may face include:

  • Lack of visibility in the current state and impact of your Group Policy objects (GPOs).
  • Complexity and risk involved in moving from Group Policy to Intune Policy.


The Group Policy analytics tool can help you overcome these challenges by providing:

  • A detailed report for each GPO that shows you the settings, conflicts, usage, and Intune equivalent policy (if one exists).
  • A migration tool that lets you export your GPO settings to Intune policies and apply them to your devices.

How to use Group Policy analytics

You can use Group Policy analytics to import, analyze, and migrate GPOs and their settings in several ways.



Export your GPO as an XML file

To get started with Group Policy analytics, you’ll need to import your GPO. They must be exported from the Group PolicyGroup Policyconsole (GPMC.msc) and saved onto the local machine. You can import multiple GPOs at one time if the total size per import is less than 4 MB. See Remote Server Administration Tools for Windows for more information.


Supporting scope tags

We recently added support for Scope tags within the Group Policy analytics tool. This enables large organizations to better control who can analyze and migrate imported GPOs specific to their scope of responsibility. During the import process, you’ll see a prompt to select tags to apply to the GPOs being imported. Only admins with permission to see objects with the selected scope tags will be able to see and migrate the imported GPO. If no scope tags are selected, the Default scope tag is automatically used.


Supporting cloud environments

We added support for sovereign cloud environments for customers in the US Government and China to use this capability.


Supported CSPs

If your imported GPO has settings that aren't in the supported Cloud Service Providers (CSPs) and Group policies options, then the settings may be listed in the Unknown settings column on the Group Policy analytics page. Settings from the CSPs listed below may be parsed and detected by Group Policy, but that doesn’t necessarily mean they can all be migrated to Intune. See the Migrate section of this document for more details.



MDM Support

The MDM Support column is visible next to each imported Group Policy object. It shows which settings within that GPO have an equivalent setting in the Windows MDM management layer. This column may change over time if new settings are added or deprecated from MDM. Settings that are in MDM are configurable through either the Settings catalog or, for more complex settings, in Endpoint security.


A screenshot of the MDM support column in the Microsoft Intune admin center.A screenshot of the MDM support column in the Microsoft Intune admin center.


Group Policy migration readiness report

This is a useful tool if you need to share the status of any migration effort to cloud-based management. Nvigate to Reports > Group Policy analytics > Reports > Group Policy migration readiness. Select Generate report to see a cumulative list of settings across all imported GPOs, their supported MDM values, and the associated CSP name.


A screenshot of the Group policy migration readiness report in the Microsoft Intune admin center.A screenshot of the Group policy migration readiness report in the Microsoft Intune admin center.


Moving to the cloud

We recommend reviewing and rationalizing all of your Group Policy settings prior to migrating to the cloud. Some settings may not apply to cloud-based policy management or don't apply to cloud native endpoints, like Windows 10/11 devices.



Migration wizard

Once you’ve identified which settings to move to cloud management, migrate settings from a single or from multiple GPOs to a Settings catalog policy. Settings that have a checkbox enabled mean that they have a configurable setting in Settings catalog. Select the Select all on this page option if all settings on the page need to be in your new policy.


A screenshot of the Settings to migrate tab with enabled checkboxes for settings that can be migrated to a Settings catalog policy.A screenshot of the Settings to migrate tab with enabled checkboxes for settings that can be migrated to a Settings catalog policy.


Once the Settings catalog policy is created, you can manage it in Intune by editing assignments, modifying settings values, and viewing policy reporting. See Migrate your imported group policy to a policy in Microsoft Intune for more information.


Best effort migration

Given the many thousands of configurable settings in Windows and the vast possibilities for values that may be parsed from the imported GPO, the Migrate functionality is considered best effort. Any settings that successfully migrate will be included in the new Settings catalog profile. For those that don’t migrate successfully (possibly due to a missing parent/child setting or an unexpected format), the process will report an error in the Notifications field on the Group Policy analytics page. For Firewall or AppLocker settings, Endpoint security is a better configuration experience since the Settings catalog isn’t enabled here.


Group Assignment
You can assign the new policy to a group or leave it unassigned while going through the migration process. This is so that customers who are on the journey to cloud management carefully consider their grouping strategy when managing devices though Intune as compared to their on-premises solution.


Learn more

To learn more about how to use Group Policy analytics, see Analyze your on-premises GPOs using Group Policy analytics in Microsoft Intune.


We value your feedback, so share your ideas in the comments below, or reach out to us on Twitter @IntuneSuppTeam.

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.