How to Migrate Group Policies to Microsoft Endpoint Manager using Group Policy Analytics

Hello again. Today I’m writing about the MEM Group Policy Analytics feature, which is still in preview, and how you can inspect your local GPOs and migrate them to MEM. Why, you ask? Whether an organization is big or small, if it is managed by Active Directory Domain Services, chances are that Group Policies have been set up, and you are probably thinking they are growing by the day.

However, with Microsoft Endpoint Manager (MEM) you can manage your devices by creating policies in the cloud. The next thing you need to look at is how to migrate the GPOs, or create similar policies in MEM, so you can remove the GPOs and give full authority to the cloud.

The good thing about the Group Policy Analytics feature is that if the GPOs are supported by MEM, it will help you migrate them to MEM itself in a few clicks.

Before anything else, you might need to analyse which GPOs can be migrated to MEM and which are not supported, so you can find alternatives.

This is a two-part task.

  1. Get the GPO XML files from the Group Policy Management Console
  2. Upload them to MEM and analyse them
  3. Migrate the supported GPOs to MEM

Why Planning is Important?

This needs to happen as a step towards moving your policies to the cloud. As mentioned above, most of the time GPOs pile up, and the admins know they need to be monitored, cleaned and updated. In most Active Directory environments the GPO structures are far too complicated, no one wants to take responsibility for the policies, and most of the time they are poorly documented. However, because you need to move your device management to the cloud and your devices are hybrid joined (in most cases), you need a proper source of truth to manage the policies. Also, those policies can’t be duplicated.

This is where you need to sit down, spend some time in the GPO console and filter them out. During this housekeeping session, you might see that you don’t require all the GPOs: some can be consolidated, some are duplicates and some are way too old to work with the latest Server OS.

In my experience, there are 2 types of policies in most AD setups.

  • Unknown or legacy policies that no one knows the reason for and that can’t be deleted
  • Active policies which have been created recently and have proper documentation

Once the planning is done and you have documented which GPOs you need to remove so they can be migrated to the cloud, do the following.

Save the GPO XML File(s)

To import the data to MEM, you first need to save the per-GPO report. To do that, go to GPMC.msc > Group Policy Objects node > right-click the relevant GPO and click Save Report.

This will actually save a folder with the GPO GUID. Go to the folder and look for the file gpreport.xml.
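
When there are many GPOs to review, the reports can also be exported from PowerShell instead of clicking through GPMC. The script below is an added example, not part of the original walkthrough: it uses the Get-GPO and Get-GPOReport cmdlets from the GroupPolicy module to write one XML report per GPO and builds a CSV inventory for the housekeeping step described under planning. The output folder, file naming and CSV name are assumptions.

```powershell
#Requires -Modules GroupPolicy
# Added example: export one XML report per GPO and build a housekeeping inventory.
# $OutDir and the CSV file name are assumptions; change them to suit your environment.
param(
    [string]$OutDir = 'C:\Temp\GpoReports'
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$invalid = [regex]::Escape(([IO.Path]::GetInvalidFileNameChars() -join ''))

$inventory = foreach ($gpo in Get-GPO -All) {
    # Display names may contain characters that are not valid in file names.
    $safeName = $gpo.DisplayName -replace "[$invalid]", '_'
    $file     = Join-Path $OutDir ('{0}_{1}.xml' -f $safeName, $gpo.Id)

    # XML settings report for this one GPO, written to its own file.
    Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $file

    # XmlDocument.Load honours the encoding declared in the report.
    $report = New-Object System.Xml.XmlDocument
    $report.Load($file)

    # A report with no <LinksTo> element means the GPO is not linked anywhere.
    $links = @($report.GPO.LinksTo | Where-Object { $_ })

    [pscustomobject]@{
        Name        = $gpo.DisplayName
        Guid        = $gpo.Id
        Status      = $gpo.GpoStatus
        LastChanged = $gpo.ModificationTime
        LinkCount   = $links.Count
        LinkedTo    = ($links.SOMPath -join '; ')
        ReportFile  = $file
    }
}

# Unlinked and oldest GPOs sort first: these are the likely clean-up candidates.
$inventory |
    Sort-Object LinkCount, LastChanged |
    Export-Csv -Path (Join-Path $OutDir 'gpo-inventory.csv') -NoTypeInformation

# Quick on-screen list of GPOs that are not linked to any site, domain or OU.
$inventory | Where-Object LinkCount -eq 0 |
    Format-Table Name, Status, LastChanged -AutoSize
```

Run it from a machine with the Group Policy Management tools installed, using an account that can read all GPOs in the domain.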

Upload the gpreport.xml to MEM

Go to Microsoft Endpoint Manager > Devices > Group Policy Analytics > Import

Import the gpreport.xml file.

Once uploaded, it will show as below

MDM Support: Shows how many of the policies in that GPO MDM can migrate.

You can drill down further by clicking on the 33% to see which policies can be moved.

As you can see below, the Default Domain Policy which I uploaded has 15 policies and, out of 15, 5 policies can be moved to MEM.

Unknown Settings will show you the GPO settings which haven’t been identified by MEM.

Now that we have 5 policies which can be migrated, let’s see the steps to create them in MEM.

When the GPO(s) are not 100% supported by MEM, you need to find alternative methods to create the same policy in the cloud if you still want to use them.

You can always use the Administrative Templates in Configuration Profiles, which have pretty much the same functionality as the standard GPOs.

Migrate GPOs to MEM

Once you have clicked on the supportability (33% in this case), you can get to the policies in the GPO.

Then click the Migrate button.

Select the policies that need to be migrated.

Press Next.

Verify the configuration and press Next.

Assign it to the device/user group below and press Next.

Deploy the Policy

Review the Policy

If you need to go back to the created policy and check which components were added:

Go to MEM > Devices > Configuration Profiles and open the policy which we just created.

Go to Configuration Settings to view the settings.

Final Words

My personal view is that Group Policy Analytics is a gem of a feature for inspecting your GPOs before re-creating them in MEM. It will also help you migrate them, which is a bonus!

Policy Vectors by Vecteezy
