Microsoft Releases Group Policy Analytics Tool for Assessing MDM Migrations
The tool assesses mobile device management prospects for Windows 10 and Windows 11 devices.
Microsoft on Tuesday announced the release of a Group Policy analytics tool that's designed to show which on-premises policies for Windows 10 and Windows 11 clients will have support when using mobile device management (MDM) tools.
The Group Policy analytics tool is "now generally available with the Microsoft Intune 2308 release," the announcement indicated. The "general availability" term signals that Microsoft deems this tool to be ready for use in production environments by organizations.
Help for MDM Switching
While the tool works with Microsoft Intune, Microsoft's MDM service, it'll also show Group Policy mappings with other MDM tools. The Group Policy analytics tool "shows the settings that cloud-based MDM providers support, including Microsoft Intune," Microsoft explained, in this document.
IT pros can use the Group Policy analytics tool to remove Windows client dependencies on "on-premises AD" and switch to Intune management, the document added. It also characterized Windows 10 and Windows 11 as "cloud native" operating systems:
If your organization uses on-premises GPOs to manage Windows 10/11 devices, then Group Policy analytics can help. With Group Policy analytics, it's possible Intune can replace your on-premises GPOs. Windows 10/11 devices are inherently cloud native. So, depending on your configuration, these devices might not require access to an on-premises Active Directory.
The Group Policy analytics tool will produce a report showing which Group Policy Objects (GPOs) could have conflicts with Intune policies, as well as when Intune lacks a similar policy to the GPO. The report will tell if a GPO is ready for migration, not supported or "deprecated."
This tool isn't the one to use if organizations just want to analyze on-premises GPOs. In such cases, organizations should use the Microsoft Security Compliance Toolkit, the document explained.
The Group Policy analytics tool also includes a "migration wizard," which can be used to move the supported settings to MDM tools. It's possible to migrate "multiple GPOs to a Settings catalog policy," the document explained.
The tool just has a "best effort" migration capability, though, Microsoft's announcement admitted:
Given the many thousands of configurable settings in Windows and the vast possibilities for values that may be parsed from the imported GPO, the Migrate functionality is considered best effort. Any settings that successfully migrate will be included in the new Settings catalog profile. For those that don’t migrate successfully (possibly due to a missing parent/child setting or an unexpected format), the process will report an error in the Notifications field on the Group Policy analytics page.
Getting the report involves going through a bunch of manual steps to first export the GPOs into an XML file, and then using the Group Policy Analytics function in the Microsoft Intune Admin Center portal to see the details. There are limits to this import process. For instance, if a GPO is larger than 4MB, its import will fail.
Organizations using this tool agree to share aggregated information with Microsoft, which "might be used to make business decisions within Microsoft." Right now, the tool "only supports non-ADMX settings in the English language," per the document.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.