Analyze on-premises GPOs with MEM Group Policy Analytics (preview)
08-29-2021 4:46 PM
Last updated
Was this helpful?
08-29-2021 4:46 PM
Last updated
Was this helpful?
Disclaimer: All information and content in this blog post is provided without any warranty whatsoever. The entire risk of using this information or executing the provided content remains with you. Under no circumstances should the mentioned persons or vendors, the author, or anyone else involved in creating these blog posts be held liable for any damage or data loss.
In this blog post I will be looking at Group Policy Analytics (preview) in Microsoft Endpoint Manager. Organizations have been using group policy objects (GPOs) for decades to configure user and computer settings on devices in their environment. But in these modern days, where many organizations are embracing cloud solutions and they want to move workloads to Microsoft Endpoint Manager, we need a way to review and analyze the on-premises GPOs to determine which settings can be moved to the cloud, this is where Group Policy Analytics in Microsoft Endpoint Manager will be handy. Group Policy Analytics is a feature in Microsoft Endpoint Manager that analyzes your on-premises GPOs. It helps you determine how your GPOs translate in the cloud. The output shows which settings are supported in MDM providers, including Microsoft Intune. It also shows any deprecated settings, or settings not available to MDM providers. Source: Note. This is a preview feature – but don't worry, public previews are fully supported by Microsoft - Source:
On-premises Computer / Domain Controller
Policies applicable for Windows 10 and later
Microsoft Endpoint Manager
A MEM Role that has the Security Baselines permissions or one of the following permissions in AAD
Global Administrator
Intune Administrator
So, first we'll need to export the GPOs in order to analyze them in Group Policy Analytics. Note. Make sure that the file is less than 4 MB. If the exported file is greater than 4 MB, then include fewer GPOs when you save your report from the Group Policy Management. Group Policy Analytics will check the sizes of your individual GPO XML files. A single GPO can't be bigger than 4 MB though. The import will fail if the GPO XML file is larger than 4 MB. Source: Open “Group Policy Management” from a on-premises computer ** or domain controller. Expand to “Group Policy Objects” and right-click on a GPO and select either “Back Up…” or “Save Report…”
** Requires that the optional feature RSAT is installed.
If you selected “Back Up…” – Set location, add description (optional), click “Back Up” and click “OK”
If you selected “Save Report…” – Navigate to the correct location, add file name and type. Click “Save”
This is of course also possible from PowerShell, just edit and run this command from an elevated PowerShell session on a DC.
I ran all three methods just for the sake of this blog post – the results should look something like this
Select your exported GPO – once the status is “import completed” you can close this page by clicking on the X.
Microsoft Endpoint Manager will analyze the GPO and determine which settings in this policy has MDM support. The GPO will be listed with the following information:
Column Name
Description
Group Policy name
The name is automatically generated using information in the GPO.
Active Directory Target
The target is automatically generated using the organizational unit (OU) target information in the GPO.
MDM Support
Shows the percentage of group policy settings in the GPO that have the same setting in Intune.
Unknown Settings
This is new and doesn't seem to be documented yet – but I'll guess it could be custom settings (e.g. Registry settings) or unsupported settings.
Targeted in AD
Yes means the GPO is linked to an OU in on-premises group policy. No means the GPO isn't linked to an on-premises OU.
Last imported
Shows the date of the last import.
In my example - 84% of the settings in my GPO will be MDM supported. Click on the percentage for your policy.
The GPO settings will be listed with the following information:
Column Name
Description
Setting Name
The name is automatically generated using information in the GPO setting.
Group Policy Setting Category
Shows the setting category for ADMX settings, such as Internet Explorer and Microsoft Edge. Not all settings have a setting category.
ADMX Support
Yes means there's an ADMX template for this setting. No means there isn't an ADMX template for the specific setting.
MDM Support
Yes means there's a matching setting available in Endpoint Manager. You can configure this setting in a device configuration profile. Settings in device configuration profiles are mapped to Windows CSPs. No means there isn't a matching setting available to MDM providers, including Intune.
Value
Shows the value imported from the GPO. It shows different values, such true, 900, enabled, false, and so on.
Min OS Version
Shows the minimum Windows OS version build numbers that the GPO setting applies. It may show 18362 (1903), 17130 (1803), and other Windows 10 versions.
Scope
Shows if the imported GPO targets users or targets devices.
CSP Name
A Configuration Service Provider (CSP) exposes device configuration settings in Windows 10. This column shows the CSP that includes the setting. For example, you may see Policy, BitLocker, PassportforWork, and so on.
CSP Mapping
Shows the OMA-URI path for the on-premises policy. You can use the OMA-URI in a custom device configuration profile.
Group Policy Analytics can parse the following CSPs:
The above information explains each column very well and I have marked a few settings in the below screenshot that we will take a closer look at.
Settings Page Visibility/Settings Page Visibility
Column Name
Description
Setting Name
Settings Page Visibility/Settings Page Visibility
Group Policy Setting Category
Control Panel
ADMX Support
No
MDM Support
No
Value
hide:gaming-gamebar;gaming-gamedvr;gaming-broadcasting…
Min OS Version
0
Scope
Device
CSP Name
N/A
CSP Mapping
N/A
Show first sign-in animation
Column Name
Description
Setting Name
Show first sign-in animation
Group Policy Setting Category
System/Logon
ADMX Support
No
MDM Support
Yes
Value
Disabled
Min OS Version
18362 (Windows 10 build 1903)
Scope
Device
CSP Name
Policy
CSP Mapping
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/ EnableFirstLogonAnimation
Show Windows Store apps on the taskbar
Column Name
Description
Setting Name
Show Windows Store apps on the taskbar
Group Policy Setting Category
Start Menu and Taskbar
ADMX Support
Yes
MDM Support
Yes
Value
Disabled
Min OS Version
15063 (Windows 10 build 1703)
Scope
User
CSP Name
Policy
CSP Mapping
./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/ ShowWindowsStoreAppsOnTaskbar
One setting is not supported (we'll get back to that one...) - two of the settings is MDM supported, which means that you can create a custom device configuration profile in Microsoft Endpoint Manager by using the OMA-URI from the CSP Mapping column – but as you can see from the above information, the “Show Windows Store apps on the taskbar” setting is also ADMX supported, which means that there is an ADMX template for this setting. Let's take a look at how to create a device configuration profile based on the above results. Creating a device configuration profile based on CSP (OMA-URI)
Creating a device configuration profile based on ADMX template.
From the summary page we can see that we have uploaded 1 GPO with 26 settings in total and 4 settings is not supported. Click on “Reports” and click on “Group policy migration readiness”
From the reports page, we can filter on Migration Readiness, Profile Type and CSP name. Once the report is generated, we can choose to export it as an CSV file.
Select “Not supported” from the migration readiness dropdown menu and click “Generate again”
And as expected we can see that the setting “Settings Page Visibility/Settings Page Visibility” is listed as “Not supported”
This is where things get weird, because I was able to find the setting in the settings catalog! If we go back to the previous migration readiness report, we can actually see that each of the four unsupported settings are listed twice (as supported and unsupported) and you won't find that information anywhere else besides in this report.
So, I will leave that hanging in the unknown – but I would say it's a bug and that's to be expected when still in preview.
Once we have exported the GPO, we must import it to Group Policy Analytics. Go to Click on “Devices” and select “Group Policy analytics (preview)” from the “Policy” section. Click “Import”
Settings catalog lists all the settings you can configure, and all in one place. There are thousands of settings to choose, including settings that haven't been available before. These settings are directly generated from the Windows configuration service providers (CSPs). You can also configure Administrative Templates (ADMX) and have more Administrative Template settings available. As Windows adds or exposes more settings to MDM providers, these settings are added quicker to Microsoft Intune for you to configure. - Source: Try out the new settings catalog (preview) I quickly found all three settings from the above examples.
As written earlier in this post, I would come back to the setting “Settings Page Visibility/Settings Page Visibility” which is unsupported and by looking at its name it doesn't seem right. So, let's see if the report for Group Policy Analytics can give us any clue on what is going on. Go to Click on “Reports” and select “Group policy analytics (preview)” from the “Device management” section.
Now you know how to analyze your on-premises GPOs with Group Policy Analytics in Microsoft Endpoint Manager and generate a readiness report. I think it's a awesome tool! Yes, it still need some work and I would like to see some kind of automation built into it. I've actually heard that they are working on a feature that will be able to create device configuration profiles automatically based on your supported GPO settings - I've tried to sign up for this feature but haven't heard back from them yet. That's it folks. Happy testing! If you have any questions regarding this topic, feel free to reach out to me. I am most active on !
