I’ve had a lot of folks ask for Intune Baselines in JSON format, and every time, it sparks another round of conversations about migrating Group Policy Objects (GPOs) to Intune. So, I figured it was time to share my approach.

Before we go any further: yes, I actually enjoy GPO migrations. Strange? Maybe, but there’s something satisfying about cleaning up old policies that a guy named Bill (no offense to any Bills out there) set up 12 years ago. Nobody really knows why that setting is there, but hey, here we are.

The Approach That Works for Me

Everyone has their own way of doing things, but after migrating thousands of GPOs, I’ve found a method that keeps me sane and ensures no setting is left behind, unless it should be. Not everything needs to make the trip to Intune, so let’s not drag unnecessary baggage into the cloud.

Step 1: Group Policy Analytics – Your New Best Friend

First things first, I ask customers to import their GPO XML files into the Group Policy Analytics Tool in Intune. If you haven’t used this tool, it’s a lifesaver. It won’t change anything on your devices, but it will show you what percentage of your existing policies can be supported in Intune.

Once the GPOs are imported, you’ll see a percentage. Now, don’t panic if that number looks depressingly low. It’s just a number! Click on it for a breakdown of all the settings in that GPO.

Step 2: Export and Organize

Next, export the policy. This will give you a CSV file containing all the settings. Rename it to match the GPO name. Trust me, this will save you some headaches later.

Once you have all the exports, copy and paste them into a spreadsheet. To make life easier, I’ve uploaded a template to my repo that helps keep everything organized.

Here’s how it works:

  • Column A: A simple Y/N. Do we really need this policy in Intune?
  • Column B: If it’s a Yes, what’s the corresponding Intune setting?
  • Color Coding:
    • Blue: This policy needs to be migrated, but there’s no direct Intune equivalent (yet).
    • Red: This policy is staying behind. Say your goodbyes.
    • Green: Successfully migrated and mapped to an Intune policy.

By the end of this process, your spreadsheet should be a beautiful mix of green and red, with every setting accounted for and nothing left floating in the unknown (my OCD thanks you!).

Bonus Tip: Dealing with Registry Settings

The migration tool does not handle registry values set in GPOs very well. If you see RegistrySettings… in the Setting Name column with a cryptic value, don’t worry. Here’s what I do:

  1. Find a domain-joined PC where that GPO is applied.
  2. Check if there’s an equivalent Settings Catalog or CSP setting in Intune.
  3. If there isn’t, export the registry key as a .reg file.
  4. Convert that .reg file to PowerShell using the Registry to PowerShell Converter (thanks, Roger Zander).
  5. Use the PowerShell script as a remediation script in Intune.

Oh, and if you go this route, make sure your detection script exits with code 1 (Exit 1) when the setting is missing or wrong; otherwise, the remediation won’t trigger properly.
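Here is what a detection script for that remediation can look like. This is an added example, not code from the original post or from the converter; the registry path, value names and data are constructed placeholders to swap for the entries in your exported .reg file.

```powershell
# Detection script for an Intune remediation (added example).
# Path, Name, Type and Data below are constructed placeholders, not real settings.
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Contoso\ExampleApp'; Name = 'EnableFeature'; Type = 'DWord';  Data = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Contoso\ExampleApp'; Name = 'ServerUrl';     Type = 'String'; Data = 'https://example.invalid' }
)

# Collect one message per setting that is missing, has the wrong type, or has the wrong data.
$drift = foreach ($item in $expected) {
    # A missing key counts as drift, not as a script error.
    $key = Get-Item -LiteralPath $item.Path -ErrorAction SilentlyContinue
    if (-not $key) {
        "$($item.Path) missing"
        continue
    }
    if ($key.GetValueNames() -notcontains $item.Name) {
        "$($item.Name) missing"
        continue
    }
    # Compare the value kind first: a string "1" is not the same as DWORD 1.
    $kind = $key.GetValueKind($item.Name)
    $data = $key.GetValue($item.Name)
    if ("$kind" -ne $item.Type) {
        "$($item.Name) type is $kind, expected $($item.Type)"
        continue
    }
    if ($data -ne $item.Data) {
        "$($item.Name) is '$data', expected '$($item.Data)'"
    }
}

if ($drift) {
    # Exit code 1 tells Intune the device is non-compliant and triggers the remediation script.
    Write-Output ('Non-compliant: ' + ($drift -join '; '))
    exit 1
}

# Exit code 0 means nothing to fix; the remediation script is not run.
Write-Output 'Compliant'
exit 0
```

If the script package is not set to run in 64-bit PowerShell, reads under HKLM:\SOFTWARE are redirected to WOW6432Node on 64-bit Windows, so the detection can report drift for a key that is actually present.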

Wrapping Up

And that’s it! Hopefully, this guide helps make your GPO migrations a little smoother (and maybe even a little fun?). If nothing else, at least we’re finally cleaning up those legacy settings that have been lurking in the shadows for years.