Loading...

Analyze your on-prem GPOs to find the approriate Intune policies


In this post, I will show you how to analyse your on-prem GPOs from Intune in order to get the appropriate CSP for the GPO.

Microsoft has previously added an awesome new intune functionnality called Group Policy analytics.

This one looks really promising, allows you to import your on-prem GPOs (from an XML) and look if the GPO has the appropriate CSP on Intune.


Group Policy analytics 

This one is available in Preview for now.

To go to this part, proceed as below:

1. Open the Microsoft Endpoint Manager admin center

2. Go to Devices


3. Go to Group Policy analytics (Preview)


Analyze your on-prem GPO

Backup your on-prem GPO

To analyze your GPOs from your on-prem environment and see appropriates CSP on Intune, we have first to backup on-prem GPO.

1. Go to your on-prem env

2. Open Group Policy Management

3. Do a right-click on a GPO

4. Clicl on Save report

5. Choose XML format


Find the appropriate MDM policy 

Now we have saved GPOs to XML format, we have to analyze them from the portal.

1. Go to Group Policy analytics (Preview)


2. Click on Import


3. Browse to your XML GPOs

4. XML will be loaded


5. Click on the X button to close the import part

6. Your GPOs will be listed with MDM analyze


7. The part MDM support indicates the percentage of compatible GPO

8. When you click on the percentage, you will see the GPO details 


9. Different options are available

- Setting name: Name of the parameter managed in the GPO 

- Group policy setting: Location on the on-prem GPO 

- MDM support: Indicates if the parameter is supported or not

- Value: Parameter value 

- Scope: Indicates if it is a computer or user GPO

- CSP name: Name of the appropriate Intune CSP for the parameter 


GPO on-prem analyze in action

We will create really basic GPO in our on-prem environment.


The first one is called GPO_Computers_Network.

This one contains the below parameters:

- Computer configuration > Admin templates > Network > DNS Client > Turn off Multicast name resolution (Enabled)

- Computer configuration > Admin templates > Network > Wireless Display > Require PIN pairing (Enabled)


Our second is called GPO_Computers_WinRM.

This one contains the below parameters:

Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow remote server management through WinRM (Enabled)


Our second is called GPO_Computers_SoftwareNotif.

This one contains the below parameters:

Windows Components > Windows Update > Turn on Software Notifications (Disabled)


After exporting tjose GPOs from on-prem env we have the below XML:

- GPO_Computers_Network.xml

- GPO_Computers_WinRM.xml

- GPO_Computers_SoftwareNotif.xml


Now let's analyze them through Intune.

After importing XML, we have the below report.



See below the result for the GPO_Computers_Network



As you may noticed, intune does not find an appropriate policy.


See below the result for the GPO_Computers_WinRM



Intune find a policy with the below CSP:

./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowRemoteServerManagement


See below the result for the GPO_Computers_SoftwareNotif



As you may noticed, intune does not find an appropriate policy.

Migrate GPO 3838984093831035747

Enregistrer un commentaire

Accueil item

Award

Learn KQL in one month

Sponsors

You want to support me ?

Mes articles en français

Books in French


Stats