Create a Settings Catalog policy using your imported GPOs in Microsoft Intune (public preview)

You can import your on-premises Group Policy Objects (GPOs), and create an Intune policy using these imported settings. This policy can be deployed to users and devices managed by your organization.

With Group Policy Analytics, you import your on-premises GPOs. It analyzes your imported GPOs, and shows the settings that are also available in Microsoft Intune. For the settings that are available, you can create a Settings Catalog policy, and then deploy the policy to your managed devices.

This feature applies to:

  • Windows 11
  • Windows 10

This article shows you how to create the policy from your imported GPOs. For more information and an overview on Group Policy Analytics, go to Analyze your on-premises group policy objects (GPO) using Group Policy analytics in Microsoft Intune.

Before you begin

Review and migrate your GPOs to a Settings Catalog policy

After you import your GPOs, review the settings that can be migrated. Remember, some settings don't make sense on cloud native endpoints, like Windows 10/11 devices. After you review them, you can migrate the settings to a Settings Catalog policy.

  1. In the Microsoft Intune admin center, select Devices > Group Policy analytics.

  2. In the list, your imported GPOs are shown. Next to the GPO you want in your Settings Catalog profile, select the Migrate checkbox. You can select one GPO or many GPOs:

    Screenshot that shows how to select the Migrate checkbox next to your imported GPO in Microsoft Intune.

  3. To see all the settings in your imported GPO, select Migrate:

    Screenshot that shows how to select the Migrate button to see all the settings in your imported GPO in Microsoft Intune.

  4. In the Settings to migrate tab, select the Migrate column for the settings you want to include in your Settings Catalog profile:

    Screenshot that shows the settings to migrate, and how to select the Migrate checkbox in Microsoft Intune.

    To help you pick the settings, you can use the built-in features:

    • Select all on this page: Select this option if you want all settings on the existing page to be included in your Settings Catalog profile.

      Screenshot that shows how to use the select all on this page button to include all page settings in the Group Policy Analytics migrate feature in Microsoft Intune.

    • Search by setting name: Enter the setting name to find the settings you want:

      Screenshot that shows how to search for the setting name in the Group Policy Analytics migrate feature in Microsoft Intune.

    • Sort: Sort your settings using the column names:

      Screenshot that shows how to sort the settings using the Migrate, Setting name, Group policy setting category, MDM support, value, scope, min OS version, and CSP name Group Policy Analytics migrate features in Microsoft Intune.

    Tip

    If you haven't already, review your Group Policy settings. It's possible some settings don't apply to cloud-based policy management or don't apply to cloud native endpoints, like Windows 10/11 devices. It's not recommended to include all your Group Policy settings without reviewing them.

    Select Next.

  5. In Configuration, your settings and their values are shown. The values are the same values in the on-premises Group Policy. Review these settings and their values.

    After you create the Settings Catalog policy, you can change any values.

    Select Next.

  6. In Profile info, enter the following settings:

    • Name: Enter a descriptive name for the Setting Catalog profile. Name your profiles so you can easily identify them later. For example, a good profile name is Windows 10/11: Imported Microsoft Edge GPOs.
    • Description: Enter a description for the profile. This setting is optional, but recommended.

    Select Next.

  7. In Scope tags, optionally assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, go to Use RBAC roles and scope tags for distributed IT.

  8. In Assignments, select the user or groups that will receive your profile. For more information on assigning profiles, including advice and guidance, go to Assign user and device profiles in Intune.

    Select Next.

  9. In Review + deploy, review your settings.

    When you select Create, your changes are saved, and the profile is assigned. The policy is shown in the Devices > Configuration profiles list.

The next time any device within your assigned groups checks for configuration updates, the settings you configured are applied.

Conflicting settings are detected early

It's possible you have multiple GPOs that include the same setting, and that the setting is set to different values. When you're creating a policy, and selecting your settings in the Settings to migrate tab, any conflicting settings show the following error:

Conflicts are detected for the following settings: <setting name>. Select only one version with the value you prefer in order to continue.

Screenshot that shows conflicts are detected error message with the Group Policy Analytics migrate feature in Microsoft Intune.

To resolve the conflict, uncheck a conflicting setting, and continue the migration.

What you need to know

The Migrate feature takes the parsed data from the imported Group Policy object (GPO) and translates it to a relevant setting in the Settings Catalog, if the setting exists.

Migrate is best effort.

When you create the Settings Catalog profile, any settings that can be included in the profile are included. There can be some differences with the imported settings and the settings in Settings Catalog.

  • Some settings have a better configuration experience in Endpoint Security

    If you import AppLocker settings or Firewall rule settings, then the Migrate option is disabled and grayed out. Instead, configure these settings using the Endpoint Security workload in the Intune admin center.

    For more information, go to:

    If you have GPOs that focus on endpoint security, then you should look at the features available in Endpoint Security, including security baselines and mobile threat defense.

  • Some settings don't migrate exactly, and may use a different setting

    In some scenarios, some GPO settings don't migrate to the exact same setting in the Settings Catalog. Intune shows an alternate setting that has a similar effect.

    You can see this behavior if you import GPOs that include older Office Administrative Template settings or older Google Chrome settings. In the following image, an older Office setting isn't supported. So, Intune suggests migrating to a supported version:

    Screenshot that shows older Office setting that isn't supported and suggests migrating to a supported version in Microsoft Intune.

  • Some settings fail to migrate

    It's possible some errors can happen when the settings are migrating. When the profile is being created, settings that return an error are shown in Notifications:

    Screenshot that shows notifications with additional information when the policy is being created in Microsoft Intune.

    Some common reasons a setting might show an error include:

    • The setting value is in an unexpected format.
    • A child setting is missing from the imported GPO and is required to configure the parent setting.

Next steps