Audit your GPO sprawl before you commit to an Intune migration date
The blocker on a GPO-to-Intune migration isn't the cloud mechanics. It's the hundreds of undocumented policies you've been running on autopilot. Here's how to size the real work before you pick a date.
You open gpmc.msc the week before an Intune migration kickoff, expecting to eyeball a couple dozen policies. Instead you’re staring at hundreds of Group Policy Objects, half of them named things like SEC-Baseline-v2-FINAL, linked to OUs that were reorganized two admins ago. Nobody currently on the team can tell you what most of them do or whether anything breaks if they’re removed.
That backlog, not the cloud enrollment, is what stalls the project. Group Policy environments grow in one direction. Every new app, security requirement, or compliance mandate adds a GPO; almost none get retired when the need goes away. JumpCloud’s February 2025 analysis of AD policy bloat describes five-year-old policies sitting in production next to current ones, undocumented, doing nothing but consuming processing time. The practical scale is not theoretical: an administrator in an April 2025 Microsoft Q&A thread asked how to clean up 2,000 GPOs, and got a routine PowerShell answer.
This runbook covers how to find out what you actually have and route each setting to the right place, before you commit to a timeline.
Who this affects
Anyone running on-premises Active Directory Group Policy and planning a move to Intune MDM. The pain scales with two things: how many GPOs you’ve accumulated, and how much of your configuration lives in Group Policy Preferences (drive maps, printers, scheduled tasks) rather than Administrative Templates. Dense GPP usage is the worst case, and I’ll show you why below.
One deadline already passed. Advanced Group Policy Management, the change-control and versioning layer most hybrid shops used for their GPO estate, reached end of extended support on April 14, 2026, with no announced successor. If AGPM was your only record of who changed what and why, you’re now making migration decisions without it.
How to check what you have
Microsoft ships a free tool for exactly this inside the Intune admin center. It produces a per-setting migration readiness map, which is far more accurate than any estimate made without it.
- Open the Intune admin center and go to Devices > Manage devices > Group Policy analytics.
- On-premises, open Group Policy Management Console (
gpmc.msc), right-click each GPO, and export it as an XML file. Keep each file under the 4 MB per-GPO cap; larger GPOs must be split manually. - Import the XML into the tool. Intune parses it automatically per Microsoft’s Group Policy Analytics documentation.
Each imported GPO comes back with an MDM Support percentage (share of settings with a direct Intune equivalent), an Unknown Settings count, a Targeted in AD flag (whether it’s linked to an OU), and a last-import date. Drill into any GPO for a per-setting table: setting name, category, MDM support (Yes / No / deprecated), imported value, scope, minimum Windows build, CSP name, and the full OMA-URI path. That OMA-URI column matters; a setting marked “No” can still deploy through a custom profile if a CSP path exists.
Then pull the Migration Readiness report under Reports > Device management > Group policy analytics. It buckets everything into Ready for migration, Not supported, and Deprecated, and exports as CSV. Give it about 20 minutes to update after you add or remove GPOs.
Three limits to know before you plan import volume, per Microsoft’s known-issues list: the tool only supports non-ADMX settings in English (non-English settings produce an inaccurate percentage with no warning), the 4 MB per-GPO file cap, and that ~20-minute report refresh.
Do not treat a high MDM Support percentage as a green light. Recast Software’s migration walkthrough shows a password policy that came back at 14% MDM support; most of its settings had no cloud equivalent. And even a high percentage can miss the one business-critical setting you needed most.
What to do with each setting
There is no direct GPO-to-Intune import. Every setting is an individual decision, which is why Craig Camacho’s November 2025 walkthrough calls the manual version “weeks of manual, error-prone research.” The three-way readiness verdict is your starting gate, but the real routing depends on the setting’s layer.
In prose, the four paths are:
- Ready → Settings Catalog. Use the Migrate button; it produces a Settings Catalog policy directly. Built-in Windows ADMX policies are now ingested into the Settings Catalog, so the Migrate button produces a native policy rather than an OMA-URI workaround. But Microsoft’s migrate documentation warns against selecting all settings without review; some “don’t make sense on cloud native endpoints” even at a high percentage.
- AppLocker and Firewall → Endpoint Security. Both show the Migrate button greyed out. Rebuild those rules in the Endpoint Security workload.
- Third-party ADMX (Chrome, Firefox, Zoom) → ADMX ingestion. Vendor settings never reach the Settings Catalog because only built-in Windows ADMXs are ingested. Upload the .admx via a custom profile and reference each setting through a hand-built OMA-URI. SDM Software calls ingestion “a bridge, not a destination”: no graphical editor, no validation, and troubleshooting means reading raw MDM sync logs. The caps are tight: 20 files, 1 MB each, English only, no combo-box setting type.
- No CSP → no equivalent. Printers, drive maps, and scheduled tasks fall here.
Use this table to route by category before you touch the tool. It splits cleanly at the layer boundary: Administrative Templates carry, Group Policy Preferences mostly don’t.
| GPO category | What it controls | Intune equivalent | Migratability |
|---|---|---|---|
| Administrative Templates — Windows built-in ADMX | OS, browser, and feature settings (Windows Update, Edge, Defender) | Settings Catalog (built-in; Policy CSP) | Straightforward — maps 1:1; Migrate button produces a Settings Catalog policy |
| Administrative Templates — 3rd-party ADMX (Chrome, Firefox, Zoom) | App-specific registry settings via vendor ADMX | Settings Catalog via ADMX ingestion (max 20 files, 1 MB, en-US, no combo-box) | Requires work — each ADMX imported manually; no validation |
| Security Settings — Account Policies | Password complexity, lockout, Kerberos ticket lifetimes | Settings Catalog (DeviceLock, PassportForWork CSPs) + Security Baselines | Requires work — Kerberos DC-scoped policies excluded; cloud PIN model differs |
| Security Settings — Local Policies / Security Options | User rights, security options, audit policy | Settings Catalog (Security Options, Audit Policy CSPs) + Baselines | Requires work — coverage partial; not all nodes have a CSP |
| Windows Defender Firewall | Inbound/outbound and per-profile rules | Endpoint Security > Firewall (Firewall CSP) | Requires work — Migrate button greyed out; rebuild in Endpoint Security |
| AppLocker / Software Restriction Policies | Application allowlists by publisher, path, or hash | Endpoint Security > App Control for Business | Requires work — Migrate button greyed out; WDAC recommended for new deployments |
| BitLocker Drive Encryption | Full-disk encryption, TPM, recovery escrow | Endpoint Security > Disk Encryption (BitLocker CSP) | Requires work — silent encryption needs specific CSP sequencing |
| Windows Settings — Scripts (Startup/Shutdown, Logon/Logoff) | Scripts at lifecycle events | Intune Management Extension (PowerShell) | Requires work — convert to PS1; no shutdown-script equivalent |
| Windows Settings — Software Installation | MSI deployment | Win32 app (.intunewin) or Store | Requires work — must repackage; no MSI-via-GPO equivalent |
| Windows Settings — Folder Redirection | Redirect Desktop, Documents to a share | OneDrive Known Folder Move (cloud only) | No equivalent (on-prem) — architectural shift to OneDrive KFM |
| GPP — Drive Maps | Map network drives at logon | PowerShell via IME (runs once per enrollment, not per logon) | No equivalent — flagged Not supported / Unknown |
| GPP — Printers | Network printer connections at logon | Universal Print policy (Settings Catalog) | No equivalent for legacy printers — requires Universal Print |
| GPP — Local Users and Groups | Local users; local Administrators membership | Settings Catalog (LocalUsersAndGroups CSP) | Straightforward |
| GPP — Scheduled Tasks | Create/modify scheduled tasks | PowerShell or Win32 app only | No equivalent |
| GPP — Registry | Arbitrary registry values with item-level targeting | OMA-URI custom profile for known values | Requires work — point values only; no item-level targeting |
| GPP — Environment Variables | System or user environment variables | PowerShell via IME | No equivalent |
Two structural notes the table can’t hold. Compliance requirements (OS minimums, BitLocker as a conditional-access gate) belong in Compliance Policies, not device configuration profiles; conflating them produces orphaned policies that never generate a compliance state. And GPOs target OUs while Intune targets Entra ID groups, so the organizational logic baked into years of OU structure has to be rebuilt as a group hierarchy before you can assign a single policy. That rebuild is the line item migration plans undercount most.
How to verify
After a migration, don’t trust “it deployed.” Check each moved GPO’s setting count against the new policy’s setting count; a mismatch means something silently dropped. Settings with unexpected value formats or missing required child settings fail during migration and surface only in the Notifications pane, and there’s no pre-flight validation pass. Confirm target devices show the policy as applied under Device configuration, not just assigned. For ADMX-ingested settings with no UI validation, verify the registry value landed on a test endpoint rather than assuming the sync took.
When to escalate
Stop treating it as a routine setting-by-setting migration and pull in planning when any of these show up: a GPO you can’t map to a current business requirement (retire it, don’t port it); a percentage that looks migratable but hides a setting no one can afford to lose; or a GPP-heavy estate where drive maps, printers, and scheduled tasks make up the bulk of what users depend on. That last case is a re-architecture (Universal Print, OneDrive KFM, IME scripting), not a migration, and it deserves its own project line rather than a checkbox in the Intune cutover.
Sources
- Risks of AD Group Policy Bloat (And How to Clean It Up) — 2025-02-05
- Best way to clean up GPOs — 2025-04
- Advanced Group Policy Management — 2024-08
- Use Microsoft Intune to import and analyze group policies — 2026-07-01
- How to Migrate Group Policy Objects to Microsoft Intune — 2025
- How to Import Group Policy Objects to Microsoft Intune — 2024
- Group Policy Analytics: A Practical GPO to Intune Guide — 2025-11-13
- Migrate your imported group policy to a policy in Microsoft Intune — 2026-07-01
- Using Custom ADMX Files in Microsoft Intune — 2025
Share
Related field notes
-
Two profiles, one setting: how to catch the MDM overlap that makes enforcement random
When two configuration profiles set the same value on one device, macOS and Intune stop enforcing it deterministically. Here are the detection commands and reports that find the overlap before it burns you.
-
The Intune device that passes Conditional Access without ever being checked
Intune's default scores an unpoliced device as compliant, and Conditional Access opens the gate for it. Here's how to audit the gap and flip the switch without locking anyone out.
-
The Security Update Broke Production: A Rollback Runbook
A step-by-step runbook for when a security patch takes down production: pause the rollout, scope the damage, decide roll-back vs fix-forward, and keep the rolled-back host from becoming a silent unpatched asset.
-
Enforcing and proving BitLocker TPM+PIN across an Intune fleet
Requiring a startup PIN is one toggle. Landing it on already-encrypted devices and proving it took across the whole fleet is the actual work. Here's the enforce-and-verify runbook.
Get the free CVE triage cheat sheet
Subscribe and we'll email you the one-page triage flow for fresh CVEs. Plus the weekly digest.
Subscribe