Importing Group Policy Objects into Intune
This has to be one of the most requested features for Intune - importing Group Policy Objects. It's now a feature! Currently in public preview, so should be available on most tenants. The way this works is that you export your GPOs from Group Policy Management Console, import them into the Group Policy Analytics and it will determine whether they will work as Intune configuration profiles - by trying to map the GPO settings to the corresponding Configuration Service Provier (CSP) setting, if one exists. You'll be shown a report detailing how much of your policies will be transferable, and which individual settings will or won't work.
If you have a simple environment you are trying to lift-and-shift, I guess this could work for you. However I still think it's much better to sit down, think what you are trying to achieve and plan your configuration profiles based off what is available within Intune, rather than trying to shoe-horn your old GPOs into place. Nevertheless, let's have a look at how it works.
As I mentioned earlier, it tries to convert your GPO settings to the equivalent CSP setting. At time of writing the following CSPs are supported by the group policy analytics process:
- Policy CSP
- PassportForWork CSP
- BitLocker CSP
- Firewall CSP
- AppLocker CSP
- Group Policy Preferences
Although it claims to support Group Policy Preferences, the few I tried were not supported (file and registry items).
First of all you will need to export the policies which you wish to import. From Group Policy Management Console (GPMC), select each policy and from the context menu select Save Report. Save the file as XML and make sure none of your files are greater than 4MB in size, and have unique filenames. Unfortunately you can't select multiple policies to save them in one go.
Go to the Intune Portal > Devices > Group Policy analytics (preview), select Import and upload your XML files. It will then upload and process the GPOs and determine whether they will work as configuration profiles or not.
In my example I've got one GPO called "Computer Settings", 100% of the settings are able to be converted, however there is also a setting it couldn't cope with - I'm not sure why this hasn't knocked the percentage from 100% down to 75%. Selecting the link under the Unknown Settings column will show you which settings it didn't know what to do with - in my case it was a startup script - remember startup/shutdown/logon/logoff scripts are not supported through Intune, not even through GPO import. If you instead select your percentage (under MDM Support), you'll be shown all of the settings within the policy which aren't unknown - presumably this would include known but incompatible settings here - and you'll get various detail on each setting:
- Setting Name is the name of the setting in the GPO
- Group Policy Setting Category is the category in the GPO
- MDM Support is whether it is supported through one of the various CSPs
- Value is the value of the setting, where possible it will use the same value for the CSP setting as your GPO setting dictates
- Scope is the scope, Device or User
- Min OS Version is the minimum supported OS version, this will be a Windows 10/11 build number, e.g. 15063 is Windows 10 1703, 22000 is Windows 11 21H2
- CSP Name is the name of the CSP your setting mapped to
- CSP Mapping is the actual CSP setting that the setting mapped to
You can only migrate one GPO at a time - so from the list of imported GPOs, select the MDM percentage link for the one you want, and you should see Migrate on the toolbar - select it. You'll then be asked to select which items you want to migrate - with a handy Select all on this page button in the toolbar. Once you've selected, move through the rest of the steps.
Step 2 (Configuration) can just be skipped over - at time of writing this displayed a large editable text field with a list of policy names and values - but altering any of the contents of this was just discarded. Name the new configuration profile (step 3), assign it to devices or users in the usual manner (step 4) and finally complete the process.
You should now have your new profile! Go through Devices > Configuration Profiles and click on your profile to view it. You'll notice that it is a Settings Catalog profile, as shown when the profile is edited:
There is some reporting functionality within Reports > Group policy analytics (preview) - this won't show you anything until you have imported some GPOs via the Device > Group policy analytics (preview) route as detailed earlier in this post. I think I'd rather have the ability to import the GPOs in both locations as it's a bit clunky having to go back through the device route, then come back to the reporting route to see the reports. You'll see how many settings are ready for migration, how many not supported and how many deprecated. This doesn't seem to include any settings it classes as "unknown" - in my case the computer startup script.
There's also one detailed report, which can be exported to CSV. Select Reports and then Group policy migration readiness, then finally Generate report.
I think this is a good feature, despite my previous comments about designing from scratch to get rid of years of old settings which are no longer relevant, rather than lift-and-shifting of GPOs. It's still in preview and there are some ways in which it could be improved:
- As I mentioned earlier, having to go down the two routes - via Devices and then Reporting - isn't something I like.
- The workflow for migrating settings could do with tidying up - cosmetically (the huge font size) and the Configuration step (2) needs some work.
- I'd like to see the entire row clickable when selecting an imported GPO - rather than having to select the percentage under MDM Settings. I feel this would make it a bit easier or more obvious what to do.