Microsoft has released a long-awaited feature for Intune/Endpoint Manager administrators. Although it is still in “Preview”, you can start testing Endpoint Manager Group Policy Analytics now!

If you’re not familiar with Endpoint Manager… well it’s the “new” branding for Microsoft Intune, simple as that.

This feature lets you analyze your on-prem Group Policy Objects (GPO) and determine your level of modern management support.

This tool can also be extremely helpful for resolving conflicts between Group Policy Objects (GPO) and Microsoft Intune policies, one of the major struggles when migrating devices to Endpoint Manager.

When you import a GPO, Endpoint Manager automatically analyzes the Group Policy and shows the policies’ “compliance” in Intune/Endpoint Manager. Obviously, this works only for policies applicable to Windows 10 computers.

So let’s try out the new Group Policy Analytics feature!

Back up your GPO

The first step in using Group Policy Analytics in Endpoint Manager is to back up the Group Policy you want to analyze.

  • Open the Group Policy Manager console.
  • Expand Forest / Domain / Domain Name / Group Policy Objects.
  • Right-click on the appropriate GPO and select Back Up
  • In the Back Up Group Policy Object window, enter the Location and Description details for the backup file.
  • Click on the Back Up button to start the backup operation.
  • You will see the progress in the Backup window. Click on OK when it completes the backup operation
  • You’ll end up with a folder containing .xml files. The important file to keep is Gpreport.xml

Bonus Tip: You can also use PowerShell to export your GPO by using the GroupPolicy module, which is installed by default on an AD server.

Just change the -Name and -Path parameters to fit your needs.

Get-GPOReport -Name "GPO_Name" -ReportType XML -Path "C:\GPOName.xml"
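
To analyze more than one GPO, the same cmdlet can be run over every GPO in the domain. The script below is an added example, not part of the original post: it writes one XML report per GPO plus a manifest with each file's size and SHA256 hash, so you can track which export was imported into Endpoint Manager. The output folder C:\GPOExport and the manifest.csv file name are assumptions; change them to fit your environment.

```powershell
# Added example: export every GPO in the current domain to its own XML report.
# Assumption: C:\GPOExport is a hypothetical output folder; change as needed.
Import-Module GroupPolicy

$OutDir = 'C:\GPOExport'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Build a regex character class of characters not allowed in Windows file names
$invalidChars = [System.IO.Path]::GetInvalidFileNameChars() -join ''
$invalidClass = '[{0}]' -f [regex]::Escape($invalidChars)

$manifest = foreach ($gpo in Get-GPO -All) {
    # A GPO with all settings disabled has nothing to analyze
    if ($gpo.GpoStatus -eq 'AllSettingsDisabled') {
        Write-Warning "Skipping '$($gpo.DisplayName)': all settings disabled"
        continue
    }

    # Display names may not be file-safe or unique, so append the GPO GUID
    $safeName = $gpo.DisplayName -replace $invalidClass, '_'
    $file = Join-Path $OutDir ('{0}_{1}.xml' -f $safeName, $gpo.Id)

    try {
        Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $file -ErrorAction Stop
    } catch {
        Write-Warning "Export failed for '$($gpo.DisplayName)': $_"
        continue
    }

    # One manifest row per exported report
    [pscustomobject]@{
        DisplayName = $gpo.DisplayName
        Guid        = $gpo.Id
        Modified    = $gpo.ModificationTime
        File        = $file
        SizeKB      = [math]::Round((Get-Item $file).Length / 1KB, 1)
        SHA256      = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    }
}

$manifest | Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
$manifest | Format-Table DisplayName, SizeKB, Modified -AutoSize
```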

Endpoint Manager Group Policy Analytics

Once your XML file is created, head over to the Endpoint Manager admin center:

  • Browse to Devices
  • Browse to Group Policy Analytics
  • Click Import
  • On the right, select the XML file to import and wait for the confirmation message
  • Click on the X and come back to the main screen
  • Endpoint Manager will analyze the GPO and tell you whether the settings in this Group Policy have an “equivalent” in MDM policies.
  • In our example, only 9% of all policies have MDM Support. Let’s go ahead and click this percentage
  • All settings are shown:
    • Setting name: Name of the parameter in the GPO
    • Group policy setting Category: Location on the GPO
    • MDM support: Indicates if the parameter is supported
    • Value: Parameter value
    • Min OS Version: The minimum OS version on which the setting can apply
    • Scope: Is it a computer or user GPO
    • CSP name: Name of the appropriate Intune CSP for the parameter
    • CSP Mapping: The actual CSP Mapping in Intune
  • The interesting part is the CSP Mapping. Extremely useful to “convert” your GPO into Endpoint Manager policies.
    • Tip: if you need to copy the CSP Mapping to use it, you’ll have to use the Export button at the top for a more… user-friendly interface.
  • For example, our Show first sign-in animation setting is supported, is a Device policy, and its CSP is ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation
  • Once you have the CSP, you can create a device policy to match this setting in Endpoint Manager

So that’s it. A simple tool but a great one that I’m sure Microsoft will continue to develop to add more features in the future. That would ease the administrative task if you’re planning an MDM migration.
