Group Policy Migration: GPO to Intune¶

Technical guide for migrating Group Policy Objects to Microsoft Intune --- covering Group Policy Analytics, Settings Catalog, configuration profiles, compliance policies, ADMX-backed policies, and prioritization frameworks.

Overview¶

Group Policy is the configuration management backbone of Active Directory environments. A typical enterprise runs 100--500+ GPOs controlling security settings, application configurations, network settings, and user preferences. Migrating this estate to Intune is one of the most labor-intensive aspects of the AD-to-Entra-ID migration.

This guide provides a systematic approach: assess with Group Policy Analytics, prioritize by security impact, migrate using Settings Catalog and configuration profiles, and validate with Intune reporting.

1. Group Policy Analytics¶

Intune Group Policy Analytics evaluates GPO XML exports and rates each setting for Intune migration readiness.

Export GPOs for analysis¶

# Export all GPOs as XML for Intune Group Policy Analytics
$exportPath = ".\GPO_Export"
New-Item -ItemType Directory -Path $exportPath -Force

Get-GPO -All | ForEach-Object {
    $gpoName = $_.DisplayName -replace '[\\/:*?"<>|]', '_'
    $xmlPath = Join-Path $exportPath "$gpoName.xml"
    Get-GPOReport -Guid $_.Id -ReportType Xml -Path $xmlPath
    Write-Host "Exported: $($_.DisplayName) -> $xmlPath"
}

# Count total GPOs
$gpoCount = (Get-ChildItem $exportPath -Filter "*.xml").Count
Write-Host "Total GPOs exported: $gpoCount"

Upload to Group Policy Analytics¶

1. Navigate to Intune admin center > Devices > Group Policy Analytics
2. Click Import and upload the GPO XML files
3. Wait for analysis (typically 5--15 minutes for 100+ GPOs)
4. Review the migration readiness report

Interpreting results¶

2. Intune configuration mechanisms¶

Settings Catalog (recommended)¶

The Settings Catalog is the primary mechanism for device configuration in Intune. It provides a flat, searchable list of all available settings with full documentation.

Intune admin center > Devices > Configuration > Create > Settings Catalog

Configuration profiles (templates)¶

Pre-built templates for common scenarios:

Compliance policies¶

Compliance policies define the minimum device health requirements. Unlike GPOs (which configure), compliance policies assess and report.

3. Migration priority framework¶

Priority 1: Security settings (migrate first)¶

Priority 2: Device management¶

Priority 3: Application configuration¶

Priority 4: User preferences (lowest priority)¶

4. ADMX-backed policies¶

Many GPO settings are defined in ADMX template files. Intune supports importing custom ADMX files for settings not in the Settings Catalog.

Built-in ADMX support¶

Intune includes ADMX templates for:

• Windows components
• Microsoft Edge
• Microsoft Office / Microsoft 365 Apps
• OneDrive
• Microsoft Teams

Import custom ADMX files¶

# Upload custom ADMX file to Intune
# Intune admin center > Devices > Configuration > Import ADMX

# Example: Upload Chrome browser ADMX
# 1. Download Chrome ADMX from Google
# 2. Upload chrome.admx and chrome.adml (en-US) to Intune
# 3. Create configuration profile > Administrative Templates > Chrome

# Via Graph API:
$admxContent = [Convert]::ToBase64String(
    [System.IO.File]::ReadAllBytes(".\chrome.admx")
)
$admlContent = [Convert]::ToBase64String(
    [System.IO.File]::ReadAllBytes(".\en-US\chrome.adml")
)

$params = @{
    displayName = "Chrome Browser ADMX"
    description = "Custom ADMX for Chrome management"
    files = @(
        @{ fileName = "chrome.admx"; content = $admxContent }
        @{ fileName = "en-US/chrome.adml"; content = $admlContent }
    )
}

# Import via Intune Graph API
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/groupPolicyUploadedDefinitionFiles" `
    -Body ($params | ConvertTo-Json -Depth 5)

5. GPO settings without Intune equivalents¶

Some GPO settings have no direct Intune equivalent. Mitigation strategies:

Strategy 1: PowerShell remediation scripts¶

# Example: Map network drive (no direct Intune setting)
# Deploy as Intune Platform Script
# Intune > Devices > Scripts and remediations > Platform scripts

# Detection script
$driveLetter = "S:"
$uncPath = "\\fileserver.contoso.com\shared"

if (Test-Path $driveLetter) {
    $drive = Get-PSDrive -Name $driveLetter.TrimEnd(':') -ErrorAction SilentlyContinue
    if ($drive.Root -eq $uncPath) {
        Write-Host "Drive mapped correctly"
        exit 0
    }
}
Write-Host "Drive not mapped"
exit 1

# Remediation script
$driveLetter = "S"
$uncPath = "\\fileserver.contoso.com\shared"
New-PSDrive -Name $driveLetter -PSProvider FileSystem -Root $uncPath -Persist -Scope Global

Strategy 2: Custom OMA-URI¶

<!-- Example: Configure custom registry setting via OMA-URI -->
<!-- Intune > Devices > Configuration > Custom > OMA-URI -->
<!--
Name: Custom Security Setting
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/CustomSetting
Data type: String
Value: <enabled/>
-->

Strategy 3: Accept the gap¶

Some GPO settings are not needed in a cloud-managed environment:

6. GPO to Intune migration workflow¶

Per-GPO migration process¶

flowchart TD
    A[1. Export GPO XML] --> B[2. Upload to Group\nPolicy Analytics]
    B --> C[3. Review readiness\nreport]
    C --> D{All settings\nmigrate?}
    D -->|Yes| E[4. Create Settings\nCatalog profile]
    D -->|Partial| F[4. Create profile +\nPowerShell scripts]
    D -->|No| G[4. Evaluate: script,\nOMA-URI, or accept gap]
    E --> H[5. Assign to\npilot group]
    F --> H
    G --> H
    H --> I[6. Validate on\npilot devices]
    I --> J{Settings\napplied?}
    J -->|Yes| K[7. Expand to\nproduction group]
    J -->|No| L[Troubleshoot\nand iterate]
    L --> H

Parallel running strategy¶

During migration, GPOs and Intune policies coexist. Conflict resolution:

# Verify MDM wins over GPO on a specific device
# Check registry:
$mdmWins = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM" `
    -Name "MDMWinsOverGP" -ErrorAction SilentlyContinue

if ($mdmWins.MDMWinsOverGP -eq 1) {
    Write-Host "Intune MDM policies take precedence over GPO" -ForegroundColor Green
} else {
    Write-Host "GPO may override Intune settings" -ForegroundColor Yellow
}

7. Validation and reporting¶

Intune configuration compliance¶

# Check device configuration status via Graph API
$devices = Get-MgDeviceManagementManagedDevice -All

foreach ($device in $devices) {
    $configStates = Get-MgDeviceManagementManagedDeviceDeviceConfigurationState `
        -ManagedDeviceId $device.Id

    [PSCustomObject]@{
        DeviceName = $device.DeviceName
        ComplianceState = $device.ComplianceState
        ConfigProfiles = $configStates.Count
        FailedSettings = ($configStates | Where-Object { $_.State -eq "Error" }).Count
    }
} | Format-Table -AutoSize

GPO retirement tracking¶

8. Security baselines¶

Microsoft Intune provides pre-built security baselines that replace many security-focused GPOs.

Available baselines¶

Intune admin center > Endpoint Security > Security baselines

CSA-in-a-Box integration¶

GPO migration enables cloud-managed devices to access CSA-in-a-Box services with proper security posture:

• Compliance policies gate access to Fabric and Databricks via Conditional Access
• Security baselines ensure devices meet CSA-in-a-Box security requirements
• Certificate profiles deliver certificates for Entra CBA (smart card SSO to platform services)
• Edge management configures browser security for Power BI and Fabric portal access
• Windows Hello enables passwordless SSO to all CSA-in-a-Box services

Maintainers: csa-inabox core team Last updated: 2026-04-30