Microsoft released a tool for which many customers have been waiting: Group Policy Analytics.
Group Policy Analytics gives customers who have been managing their Windows devices with Group Policies for many years (and want to make the transition to the cloud) a tool to compare their current policies with the settings currently available in Microsoft Intune.
Getting started with Group Policy Analytics is as simple as making a backup of the current GPO and importing the file in the Endpoint Manager admin center; you then have an overview to analyze your policy settings.
Let's have a quick look at how this new tool works and what the benefits are.
Export and import our current GPOs
To compare the current Group Policy Objects with the settings we have available in Microsoft Intune we need to export the settings using the Group Policy Management tool and import these online in Group Policy Analytics.
I guess I don't need to explain how we need to make a Backup of a GPO.
When the GPOs which you want to compare are exported to your local system, open a browser.
- Sign in to the Endpoint Manager admin center
- Browse to Devices
- Browse to Group Policy Analytics
- Click Import
- Click the Folder icon
- Browse to the folder where the saved GPO files are located and select one of the GPReport.xml files
- The file is processing
- Import completed
- Repeat this process for all GPO files you want to analyze
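With more than a handful of GPOs, the backup step can be scripted. The following is an added example, not part of the original post: it backs up every GPO in the domain with the GroupPolicy PowerShell module and copies each gpreport.xml to one folder under a recognizable name, ready for the import steps above. The paths in `$BackupRoot` and `$ImportDir` are hypothetical, and it assumes the import accepts the report under a different file name.

```powershell
# Added example: back up all GPOs and collect their reports for upload.
# Requires the GroupPolicy module (RSAT / Group Policy Management) and
# read access to the GPOs in the domain.
# $BackupRoot and $ImportDir are hypothetical paths chosen for this example.
Import-Module GroupPolicy

$BackupRoot = 'C:\GPOBackup'
$ImportDir  = 'C:\GPOBackup\ForImport'
New-Item -ItemType Directory -Path $BackupRoot, $ImportDir -Force | Out-Null

foreach ($gpo in Get-GPO -All) {
    # Backup-GPO writes each backup to a subfolder named after the
    # backup's own GUID, in braces, below the -Path folder.
    $backup = Backup-GPO -Guid $gpo.Id -Path $BackupRoot
    $folder = Join-Path $BackupRoot $backup.Id.ToString('B')
    $report = Join-Path $folder 'gpreport.xml'

    if (-not (Test-Path -LiteralPath $report)) {
        Write-Warning "No gpreport.xml found for '$($gpo.DisplayName)'"
        continue
    }

    # Every backup calls its report gpreport.xml, so copy it under the
    # GPO display name (invalid file-name characters replaced) plus the
    # GPO GUID, which keeps the uploads apart and avoids name collisions.
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $target   = Join-Path $ImportDir ('{0}_{1}.xml' -f $safeName, $gpo.Id)
    Copy-Item -LiteralPath $report -Destination $target
}

# List what is ready to be imported in Group Policy Analytics.
Get-ChildItem -Path $ImportDir -Filter *.xml | Select-Object Name, Length
```

GPO backups contain your security settings and can include scripts, so keep the backup folder in a location with restricted access.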
Analyze the Group Policies
Back in the overview, you see all imported Group Policies with a percentage of supported settings via MDM.
Click on the percentage to get an overview of all settings in the GPO and additional information.
This Office 365 example policy set is 100% covered by the available MDM settings.
As you can see, for every setting in the policy set, a couple of details are shown. The policies are mapped to the Configuration Service Providers (CSPs) with which we should be able to configure the policy via Intune.
Every row shows the policy name, the (current) value, scope and the minimum OS version from which the CSP is supported.
My Windows 10 policy set is not 100% covered, but in every Windows build more CSPs are added. And in the latest Insider previews, a couple of hundred new settings are added, as you can read here.
The CSP mapping is also shown for every policy setting. The CSP mapping corresponds to the OMA-URI used when configuring the policy in Intune with a Custom Configuration profile.
From the portal we are also able to export the policy settings overview to a CSV file, to further analyze the data.
Reports
Since the latest update we now also have some reports for Group Policy Analytics. These are found under Reports (where else).
The first view we get is an overview.
On the Reports tab we can create a report and have some options to set filters. With this you can for example create a report with all deprecated settings.
For a lot of companies this Group Policy Analytics tool is a welcome feature to compare the current state of managed settings with the settings which can be managed via Intune.
It's a good starting point to analyze the current settings and to start a clean-up of the settings which were probably added to the policy set years ago.
Even better would be to start ‘green field’, but unfortunately that's not possible for a lot of companies.
As this is just released in public preview, I suggest keeping an eye on this new feature. The developer team is for example working on an option to create a policy in Intune from the GPO selected in the portal.
I understood the tool comes with no extra costs; the tool is part of the Intune license!
To get some more information on every CSP found in your overview of policy settings, visit Microsoft Docs.
3 Comments
Great article.
Great, thank you! So there are a lot of policies which are not supported by MDM. Is there no possibility to add them to Endpoint Manager?
No there is no option to add them.
But for Windows 10, Microsoft is closing the gap as you can read here https://inthecloud247.com/manage-new-admx-backed-windows-10-policies-with-microsoft-intune/
And you are also able to upload ADMX files for third-party apps. An example is Google Chrome, which is described here https://inthecloud247.com/manage-google-chrome-settings-with-microsoft-intune/
Regards,
Peter