Create a Settings Catalog policy using your imported GPOs in Microsoft Intune (public preview)
You can import your on-premises Group Policy Objects (GPOs), and create an Intune policy using these imported settings. This policy can be deployed to users and devices managed by your organization.
With Group Policy Analytics, you import your on-premises GPOs. It analyzes your imported GPOs, and shows the settings that are also available in Microsoft Intune. For the settings that are available, you can create a Settings Catalog policy, and then deploy the policy to your managed devices.
This feature applies to:
- Windows 11
- Windows 10
This article shows you how to create the policy from your imported GPOs. For more information and an overview of Group Policy Analytics, go to Analyze your on-premises group policy objects (GPO) using Group Policy analytics in Microsoft Intune.
Before you begin
In the Microsoft Intune admin center, sign in as:
- The Intune administrator
- A role that has the Security baselines permission and the Device configurations/Create permission
Import your on-premises GPOs, and review the results.
For the specific steps, go to Import and analyze your on-premises GPOs using Group Policy analytics in Intune.
Only admins scoped to the GPO can create a settings catalog policy from that imported GPO. Scope tags are first applied during import of the GPO and can be edited. If a scope tag isn't or wasn't selected during the GPO import, then the Default scope tag is automatically used.
This feature is in public preview. For more information on what that means, go to Public preview in Microsoft Intune.
Review and migrate your GPOs to a Settings Catalog policy
After you import your GPOs, review the settings that can be migrated. Remember, some settings don't make sense on cloud native endpoints, like Windows 10/11 devices. After you review them, you can migrate the settings to a Settings Catalog policy.
In the Microsoft Intune admin center, select Devices > Group Policy analytics.
In the list, your imported GPOs are shown. Next to the GPO you want in your Settings Catalog profile, select the Migrate checkbox. You can select one GPO or many GPOs.
To see all the settings in your imported GPO, select Migrate.
In the Settings to migrate tab, select the Migrate column for the settings you want to include in your Settings Catalog profile.
To help you pick the settings, you can use the built-in features:
- Select all on this page: Select this option if you want all settings on the existing page to be included in your Settings Catalog profile.
- Search by setting name: Enter the setting name to find the settings you want.
- Sort: Sort your settings using the column names.
If you haven't already, review your Group Policy settings. It's possible some settings don't apply to cloud-based policy management or don't apply to cloud native endpoints, like Windows 10/11 devices. It's not recommended to include all your Group Policy settings without reviewing them.
In Configuration, your settings and their values are shown. The values are the same values in the on-premises Group Policy. Review these settings and their values.
After you create the Settings Catalog policy, you can change any values.
In Profile info, enter the following settings:
- Name: Enter a descriptive name for the Settings Catalog profile. Name your profiles so you can easily identify them later. For example, a good profile name is Windows 10/11: Imported Microsoft Edge GPOs.
- Description: Enter a description for the profile. This setting is optional, but recommended.
In Scope tags, optionally assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, go to Use RBAC roles and scope tags for distributed IT.
In Assignments, select the user or groups that will receive your profile. For more information on assigning profiles, including advice and guidance, go to Assign user and device profiles in Intune.
In Review + deploy, review your settings.
When you select Create, your changes are saved, and the profile is assigned. The policy is shown in the Devices > Configuration profiles list.
The next time any device within your assigned groups checks for configuration updates, the settings you configured are applied.
Conflicting settings are detected early
It's possible you have multiple GPOs that include the same setting, and that the setting is set to different values. When you're creating a policy, and selecting your settings in the Settings to migrate tab, any conflicting settings show the following error:
Conflicts are detected for the following settings: <setting name>. Select only one version with the value you prefer in order to continue.
To resolve the conflict, uncheck a conflicting setting, and continue the migration.
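A pre-import check for the conflict described above, as an added example that is not Microsoft's code: it reads GPO XML reports and lists the settings whose state differs between GPOs, so you can decide which version to keep before you reach the Settings to migrate tab. It assumes the GPMC report layout (a GPO element with Name, Computer/User scopes, and Policy elements carrying Name and State); the function names, GPO names, and sample reports are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def local(tag):
    """Drop the XML namespace so prefixes in the report don't matter."""
    return tag.rsplit("}", 1)[-1]

def policies(report_xml):
    """Yield (gpo, scope, setting, state) for each Policy element in one report."""
    root = ET.fromstring(report_xml)
    gpo = next((c.text for c in root if local(c.tag) == "Name"), "<unnamed>")
    for scope in root:
        if local(scope.tag) not in ("Computer", "User"):
            continue
        for el in scope.iter():
            if local(el.tag) == "Policy":
                f = {local(c.tag): (c.text or "").strip() for c in el}
                if "Name" in f:
                    yield gpo, local(scope.tag), f["Name"], f.get("State", "")

def find_conflicts(reports):
    """Map (scope, setting) -> {state: [gpo, ...]} where GPOs disagree."""
    seen = defaultdict(lambda: defaultdict(list))
    for text in reports:
        for gpo, scope, name, state in policies(text):
            seen[(scope, name)][state].append(gpo)
    return {k: dict(v) for k, v in seen.items() if len(v) > 1}

def sample_report(gpo, scope, settings):
    """Constructed, simplified report; real GPMC exports carry more fields."""
    rows = "".join(
        f"<q1:Policy><q1:Name>{n}</q1:Name><q1:State>{s}</q1:State></q1:Policy>"
        for n, s in settings)
    return (f'<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">'
            f'<Name>{gpo}</Name><{scope}><ExtensionData><Extension '
            f'xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry">'
            f'{rows}</Extension></ExtensionData></{scope}></GPO>')

SAMPLE_REPORTS = [  # constructed GPO names and settings
    sample_report("Edge Baseline", "Computer", [
        ("Configure Microsoft Defender SmartScreen", "Enabled"),
        ("Enable saving passwords to the password manager", "Disabled")]),
    sample_report("Legacy Kiosk", "Computer", [
        ("Configure Microsoft Defender SmartScreen", "Disabled"),
        ("Enable saving passwords to the password manager", "Disabled")]),
]

if __name__ == "__main__":
    for (scope, name), states in find_conflicts(SAMPLE_REPORTS).items():
        print(f"Conflict [{scope}] {name}: {states}")
```

The check compares only the State field within the same scope; settings that agree on State but differ in a child value are not flagged.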
What you need to know
The Migrate feature takes the parsed data from the imported Group Policy object (GPO) and translates it to a relevant setting in the Settings Catalog, if the setting exists.
Migrate is best effort.
When you create the Settings Catalog profile, any settings that can be included in the profile are included. There can be some differences between the imported settings and the settings in Settings Catalog.
Some settings have a better configuration experience in Endpoint Security
If you import AppLocker settings or Firewall rule settings, then the Migrate option is disabled and grayed out. Instead, configure these settings using the Endpoint Security workload in the Intune admin center.
For more information, go to:
- Firewall policy in Endpoint Security
- Endpoint security firewall rule migration tool overview
- Application control policy in Endpoint Security
If you have GPOs that focus on endpoint security, then you should look at the features available in Endpoint Security, including security baselines and mobile threat defense.
Some settings don't migrate exactly, and may use a different setting
In some scenarios, some GPO settings don't migrate to the exact same setting in the Settings Catalog. Intune shows an alternate setting that has a similar effect.
You can see this behavior if you import GPOs that include older Office Administrative Template settings or older Google Chrome settings. For example, when an older Office setting isn't supported, Intune suggests migrating to a supported version.
Some settings fail to migrate
It's possible some errors can happen when the settings are migrating. When the profile is being created, settings that return an error are shown in Notifications.
Some common reasons a setting might show an error include:
- The setting value is in an unexpected format.
- A child setting is missing from the imported GPO and is required to configure the parent setting.