PatchDayAlert
Field Note · 10 min read · 2,012 words By Colten Anderson

Audit your GPO sprawl before you commit to an Intune migration date

The blocker on a GPO-to-Intune migration isn't the cloud mechanics. It's the hundreds of undocumented policies you've been running on autopilot. Here's how to size the real work before you pick a date.

Audit your GPO sprawl before you commit to an Intune migration date

You open gpmc.msc the week before an Intune migration kickoff, expecting to eyeball a couple dozen policies. Instead you’re staring at hundreds of Group Policy Objects, half of them named things like SEC-Baseline-v2-FINAL, linked to OUs that were reorganized two admins ago. Nobody currently on the team can tell you what most of them do or whether anything breaks if they’re removed.

That backlog, not the cloud enrollment, is what stalls the project. Group Policy environments grow in one direction. Every new app, security requirement, or compliance mandate adds a GPO; almost none get retired when the need goes away. JumpCloud’s February 2025 analysis of AD policy bloat describes five-year-old policies sitting in production next to current ones, undocumented, doing nothing but consuming processing time. The practical scale is not theoretical: an administrator in an April 2025 Microsoft Q&A thread asked how to clean up 2,000 GPOs, and got a routine PowerShell answer.

This runbook covers how to find out what you actually have and route each setting to the right place, before you commit to a timeline.

Who this affects

Anyone running on-premises Active Directory Group Policy and planning a move to Intune MDM. The pain scales with two things: how many GPOs you’ve accumulated, and how much of your configuration lives in Group Policy Preferences (drive maps, printers, scheduled tasks) rather than Administrative Templates. Dense GPP usage is the worst case, and I’ll show you why below.

One deadline already passed. Advanced Group Policy Management, the change-control and versioning layer most hybrid shops used for their GPO estate, reached end of extended support on April 14, 2026, with no announced successor. If AGPM was your only record of who changed what and why, you’re now making migration decisions without it.

How to check what you have

Microsoft ships a free tool for exactly this inside the Intune admin center. It produces a per-setting migration readiness map, which is far more accurate than any estimate made without it.

  1. Open the Intune admin center and go to Devices > Manage devices > Group Policy analytics.
  2. On-premises, open Group Policy Management Console (gpmc.msc), right-click each GPO, and export it as an XML file. Keep each file under the 4 MB per-GPO cap; larger GPOs must be split manually.
  3. Import the XML into the tool. Intune parses it automatically per Microsoft’s Group Policy Analytics documentation.

Each imported GPO comes back with an MDM Support percentage (share of settings with a direct Intune equivalent), an Unknown Settings count, a Targeted in AD flag (whether it’s linked to an OU), and a last-import date. Drill into any GPO for a per-setting table: setting name, category, MDM support (Yes / No / deprecated), imported value, scope, minimum Windows build, CSP name, and the full OMA-URI path. That OMA-URI column matters; a setting marked “No” can still deploy through a custom profile if a CSP path exists.

Then pull the Migration Readiness report under Reports > Device management > Group policy analytics. It buckets everything into Ready for migration, Not supported, and Deprecated, and exports as CSV. Give it about 20 minutes to update after you add or remove GPOs.

Three limits to know before you plan import volume, per Microsoft’s known-issues list: the tool only supports non-ADMX settings in English (non-English settings produce an inaccurate percentage with no warning), the 4 MB per-GPO file cap, and that ~20-minute report refresh.

Do not treat a high MDM Support percentage as a green light. Recast Software’s migration walkthrough shows a password policy that came back at 14% MDM support; most of its settings had no cloud equivalent. And even a high percentage can miss the one business-critical setting you needed most.

What to do with each setting

There is no direct GPO-to-Intune import. Every setting is an individual decision, which is why Craig Camacho’s November 2025 walkthrough calls the manual version “weeks of manual, error-prone research.” The three-way readiness verdict is your starting gate, but the real routing depends on the setting’s layer.

Per-setting routing from Group Policy Analytics A setting marked Ready goes to Settings Catalog via the Migrate button; AppLocker and Firewall rules route to Endpoint Security; third-party ADMX settings need ADMX ingestion; settings with no CSP have no equivalent and require a script or rearchitecture. setting in Group Policy Analytics Ready greyed out vendor ADMX no CSP Settings Catalog via Migrate button AppLocker / Firewall: Endpoint Security 3rd-party ADMX: ingest .admx + OMA-URI no equivalent: script or rearchitect
Routing follows the setting's layer, not just its readiness verdict. AppLocker, Firewall, and third-party ADMX settings need work even when the percentage looks high.

In prose, the four paths are:

  • Ready → Settings Catalog. Use the Migrate button; it produces a Settings Catalog policy directly. Built-in Windows ADMX policies are now ingested into the Settings Catalog, so the Migrate button produces a native policy rather than an OMA-URI workaround. But Microsoft’s migrate documentation warns against selecting all settings without review; some “don’t make sense on cloud native endpoints” even at a high percentage.
  • AppLocker and Firewall → Endpoint Security. Both show the Migrate button greyed out. Rebuild those rules in the Endpoint Security workload.
  • Third-party ADMX (Chrome, Firefox, Zoom) → ADMX ingestion. Vendor settings never reach the Settings Catalog because only built-in Windows ADMXs are ingested. Upload the .admx via a custom profile and reference each setting through a hand-built OMA-URI. SDM Software calls ingestion “a bridge, not a destination”: no graphical editor, no validation, and troubleshooting means reading raw MDM sync logs. The caps are tight: 20 files, 1 MB each, English only, no combo-box setting type.
  • No CSP → no equivalent. Printers, drive maps, and scheduled tasks fall here.

Use this table to route by category before you touch the tool. It splits cleanly at the layer boundary: Administrative Templates carry, Group Policy Preferences mostly don’t.

GPO categoryWhat it controlsIntune equivalentMigratability
Administrative Templates — Windows built-in ADMXOS, browser, and feature settings (Windows Update, Edge, Defender)Settings Catalog (built-in; Policy CSP)Straightforward — maps 1:1; Migrate button produces a Settings Catalog policy
Administrative Templates — 3rd-party ADMX (Chrome, Firefox, Zoom)App-specific registry settings via vendor ADMXSettings Catalog via ADMX ingestion (max 20 files, 1 MB, en-US, no combo-box)Requires work — each ADMX imported manually; no validation
Security Settings — Account PoliciesPassword complexity, lockout, Kerberos ticket lifetimesSettings Catalog (DeviceLock, PassportForWork CSPs) + Security BaselinesRequires work — Kerberos DC-scoped policies excluded; cloud PIN model differs
Security Settings — Local Policies / Security OptionsUser rights, security options, audit policySettings Catalog (Security Options, Audit Policy CSPs) + BaselinesRequires work — coverage partial; not all nodes have a CSP
Windows Defender FirewallInbound/outbound and per-profile rulesEndpoint Security > Firewall (Firewall CSP)Requires work — Migrate button greyed out; rebuild in Endpoint Security
AppLocker / Software Restriction PoliciesApplication allowlists by publisher, path, or hashEndpoint Security > App Control for BusinessRequires work — Migrate button greyed out; WDAC recommended for new deployments
BitLocker Drive EncryptionFull-disk encryption, TPM, recovery escrowEndpoint Security > Disk Encryption (BitLocker CSP)Requires work — silent encryption needs specific CSP sequencing
Windows Settings — Scripts (Startup/Shutdown, Logon/Logoff)Scripts at lifecycle eventsIntune Management Extension (PowerShell)Requires work — convert to PS1; no shutdown-script equivalent
Windows Settings — Software InstallationMSI deploymentWin32 app (.intunewin) or StoreRequires work — must repackage; no MSI-via-GPO equivalent
Windows Settings — Folder RedirectionRedirect Desktop, Documents to a shareOneDrive Known Folder Move (cloud only)No equivalent (on-prem) — architectural shift to OneDrive KFM
GPP — Drive MapsMap network drives at logonPowerShell via IME (runs once per enrollment, not per logon)No equivalent — flagged Not supported / Unknown
GPP — PrintersNetwork printer connections at logonUniversal Print policy (Settings Catalog)No equivalent for legacy printers — requires Universal Print
GPP — Local Users and GroupsLocal users; local Administrators membershipSettings Catalog (LocalUsersAndGroups CSP)Straightforward
GPP — Scheduled TasksCreate/modify scheduled tasksPowerShell or Win32 app onlyNo equivalent
GPP — RegistryArbitrary registry values with item-level targetingOMA-URI custom profile for known valuesRequires work — point values only; no item-level targeting
GPP — Environment VariablesSystem or user environment variablesPowerShell via IMENo equivalent

Two structural notes the table can’t hold. Compliance requirements (OS minimums, BitLocker as a conditional-access gate) belong in Compliance Policies, not device configuration profiles; conflating them produces orphaned policies that never generate a compliance state. And GPOs target OUs while Intune targets Entra ID groups, so the organizational logic baked into years of OU structure has to be rebuilt as a group hierarchy before you can assign a single policy. That rebuild is the line item migration plans undercount most.

How to verify

After a migration, don’t trust “it deployed.” Check each moved GPO’s setting count against the new policy’s setting count; a mismatch means something silently dropped. Settings with unexpected value formats or missing required child settings fail during migration and surface only in the Notifications pane, and there’s no pre-flight validation pass. Confirm target devices show the policy as applied under Device configuration, not just assigned. For ADMX-ingested settings with no UI validation, verify the registry value landed on a test endpoint rather than assuming the sync took.

When to escalate

Stop treating it as a routine setting-by-setting migration and pull in planning when any of these show up: a GPO you can’t map to a current business requirement (retire it, don’t port it); a percentage that looks migratable but hides a setting no one can afford to lose; or a GPP-heavy estate where drive maps, printers, and scheduled tasks make up the bulk of what users depend on. That last case is a re-architecture (Universal Print, OneDrive KFM, IME scripting), not a migration, and it deserves its own project line rather than a checkbox in the Intune cutover.

Sources

Share

Related field notes

Get the free CVE triage cheat sheet

Subscribe and we'll email you the one-page triage flow for fresh CVEs. Plus the weekly digest.

Subscribe