In this post, you will learn more about the Group Policy Analytics in Intune Portal. Group Policy analytics is a tool and feature in Microsoft Endpoint Manager that analyzes your on-premises GPOs. If your organization uses Group Policy objects (GPOs), and you want to move some workloads to Microsoft Endpoint Manager and Intune, then Group Policy analytics will help. This feature works only for Windows 10 and newer.
Let’s get started. Firstly, you will need to export a Group policy objects (GPO) as a XML file. Here’s how –
Export GPOs as an XML file
- On your on-premises computer, open the
Group Policy Managementapp (GPMC.msc).
- Expand your domain to see all the GPOs.
- Right-click on any GPO, select Save report.
- In the File menu, Select Save As and click Browse to your preferred folder or location. In the File name box you can leave it default and Save as type “XML File”. Click Save.
Note – Save the file as an XML file to an easily accessible folder. Later you will need to add this file in Endpoint Manager.
Use Group Policy Analytics in Intune Portal
- Sign in to the Microsoft Endpoint Manager admin center [https://endpoint.microsoft.com/]. Navigate to Devices > Group Policy analytics (preview). Select Import.
- Click on the Folder icon. Browse to the folder to select your saved GPO (XML) file.
- Intune automatically analyzes the GPO in the XML file. After the action completes successfully, you can see Status “Import Completed“. Once it shows import completed, click the Close (X) located at right upper corner to move in screen to see report.
The GPO you imported is listed with the following information:
- Group Policy name: The name is automatically generated using information in the GPO.
- Active Directory Target: The target is automatically generated using the organizational unit (OU) target information in the GPO.
- MDM Support: Shows the percentage of group policy settings in the GPO that have the same setting in Intune.
- Targeted in AD: Yes means the GPO is linked to an OU in on-premises group policy. No means the GPO isn’t linked to an on-premises OU.
- Last imported: Shows the date of the last imported.
- In MDM Support, it shows the percentage of supported group policy settings in the GPO that have the same setting in Intune. Click on the MDM Support percentage for a listed GPO to get more detailed information.
More detailed information about the GPO is shown:
- Setting Name: The name is automatically generated using information in the GPO setting.
- Group Policy Setting Category: Shows the setting category for GPO (ADMX) settings
- ADMX Support: Yes means there’s an ADMX template for this setting. No means there isn’t an ADMX template for the specific setting.
- MDM Support: Yes means there’s a matching setting available in Endpoint Manager. You can configure this setting in a device configuration profile. Settings in device configuration profiles are mapped to Windows CSPs. No means there isn’t a matching setting available to MDM providers, including Intune.
- Value: Shows the value imported from the GPO. It shows different values, such true, 900, Enabled, false, and so on.
- Scope: Shows if the imported GPO targets users or targets devices. Min OS Version: Shows the minimum Windows OS version build numbers that the GPO setting applies. It may show 18362 (1903), 17130 (1803), and other Windows 10 versions.
- CSP Name: A Configuration Service Provider (CSP) exposes device configuration settings in Windows 10. This column shows the CSP that includes the setting.
- CSP Mapping: Shows the OMA-URI path for the on-premises policy. You can use the OMA-URI in a custom device configuration profile.
You can also Export this settings to a
.csv file by clicking Export option located at the top that helps to view the complete information and use the settings.
Group Policy Migration Readiness Report
- Sign in to the Microsoft Endpoint Manager admin center [https://endpoint.microsoft.com/]. Select Reports > Group policy analytics (preview). Click on the Summary tab.
A summary of the GPO and its policies are shown. Use this information to determine the status of the policies in your GPO:
- Ready for migration: The policy has a matching setting in Intune, and is ready to be migrated to Intune.
- Not supported: The policy doesn’t have a matching setting. Typically, policy settings that show this status aren’t exposed to MDM providers, including Intune.
- Deprecated: The policy may apply to older Windows versions, and no longer used in Windows 10 and newer.
Select the Reports tab > Group policy migration readiness. In this report, you can:
- See the number of settings in your GPO that are available in a device configuration profile, if they can be in a custom profile, aren’t supported, or are deprecated.
- Filter the report output using the Migration Readiness, Profile type, and CSP Name filters.
- Select Generate report or Generate again to get current data.
- See the list of settings in your GPO.
- Use the search bar to find specific settings.
- Get a time stamp of when the report was last generated.