Migrating Group Policy Objects (GPOs) to Microsoft Intune Without Breaking Endpoints
Organizations transitioning from on-premises Active Directory Group Policy to Microsoft Intune risk policy conflicts and misconfigured endpoints when hybrid-joined devices receive settings from both GPO and Intune simultaneously. By default Windows resolves such a conflict in favour of Group Policy, so a migrated Intune setting can silently lose to the GPO it was meant to replace. The resolution involves exporting GPOs as XML, analyzing compatibility via Intune's Group Policy Analytics tool, migrating supported settings to the Settings Catalog, making MDM authoritative over Group Policy for conflicting settings (and moving co-management workloads to Intune where Configuration Manager is also in play), and finally unlinking the original GPOs so a single policy source remains. Unsupported GPO settings must be recreated using custom ADMX imports, OMA-URI entries, or PowerShell scripts and remediations in Intune.
Indicators
- Endpoints receiving conflicting or duplicate settings from both GPO and Intune during hybrid management
- Policy settings not applying correctly after MDM enrollment
- Unknown or unsupported policy settings flagged during Group Policy Analytics import
- Devices behaving inconsistently or reverting settings after migration from GPO to Intune
- Settings Catalog missing equivalent configurations for existing GPO entries
- Devices continuing to apply deprecated or legacy GPO settings after Intune enrollment
- Intune Device Configuration report showing assignment failures on migrated profiles
Likely causes
- GPO settings that have no direct equivalent in the Intune Settings Catalog
- Hybrid Azure AD joined devices receiving the same policy area from both AD GPO and Intune, with Group Policy winning conflicts because the MDM-over-GP precedence setting (Policy CSP ControlPolicyConflict/MDMWinsOverGP) has not been enabled
- Incorrect MDM enrollment scope excluding targeted devices from Intune policy delivery
- Unsupported or legacy ADMX-based GPO settings not recognized by Group Policy Analytics
- Policy precedence conflicts on co-managed devices where Configuration Manager still owns a workload (for example Device Configuration) that Intune is also trying to deliver
- Incomplete GPO export missing linked, inherited, or WMI-filtered policies
Diagnostic steps
- Open Group Policy Management Console (GPMC) on a domain controller or admin workstation. Right-click each target GPO, select 'Save Report' and choose XML as the format. Alternatively, run: Get-GPOReport -Name 'PolicyName' -ReportType Xml -Path 'C:\GPOExports\PolicyName.xml' — repeat for every GPO in scope, including GPOs inherited from parent OUs and the domain, producing one XML file per GPO (the per-GPO report format is what Group Policy Analytics imports).
- In the Microsoft Intune admin center (intune.microsoft.com), navigate to Devices > Group Policy analytics, then click 'Import' and upload each exported GPO XML file.
- Review the Group Policy Analytics compatibility report for each imported GPO. Note the percentage of settings with MDM support, the unsupported and deprecated settings, and the CSP mapping shown for each supported entry; the mapping tells you which Settings Catalog or Policy CSP setting will carry the value on the Intune side.
- For GPOs with supported settings, use the 'Migrate' option within Group Policy Analytics to generate an unassigned Settings Catalog configuration profile from the supported settings. Only settings reported as MDM-supported are included.
- Navigate to Devices > Configuration profiles in Intune, open each migrated profile, review every setting for accuracy against the original GPO intent (scope, value, and any WMI or security filtering the GPO relied on), correct any mismatches, and assign the profile to the appropriate Azure AD device or user groups.
- For settings flagged as unsupported by Group Policy Analytics, determine whether a custom ADMX import (Devices > Configuration > Import ADMX), a custom OMA-URI profile, or a PowerShell script or detection/remediation pair under Devices > Scripts and remediations can replicate the required behaviour. Create these as separate profiles or scripts in Intune and document the GPO setting each one replaces.
- Make MDM authoritative for overlapping settings on hybrid Azure AD joined devices. Windows lets Group Policy win a conflict by default; deploy the Policy CSP setting ControlPolicyConflict/MDMWinsOverGP = 1 from Intune (Settings Catalog category 'Control Policy Conflict' > 'MDM Wins Over GP', or a custom OMA-URI of ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP). This only covers settings that map to a Policy CSP, so GPO areas without a CSP equivalent (preferences, many security settings) continue to apply from the GPO until it is unlinked. For co-managed devices, co-management workloads are a separate control: in the Configuration Manager console (Administration > Cloud Services > Co-management, labelled Cloud Attach in recent releases) move the relevant workload sliders (e.g., Device Configuration, Compliance Policies) to Intune so Configuration Manager and Intune are not both delivering the same workload.
- On a pilot endpoint, run 'gpresult /scope computer /h C:\GPOReport.html' to confirm which GPOs remain active (use '/x C:\GPOReport.xml' instead for a machine-readable copy), and check Intune policy delivery via Settings > Accounts > Access work or school > select the account > Info > Sync. 'MdmDiagnosticsTool.exe -out C:\MDMDiag' writes an MDMDiagReport.html listing the enrollment and the policies the MDM client currently holds. Cross-reference the resultant set of policy with the expected Intune profile assignments.
- Monitor Intune device configuration reports at Devices > Monitor > Assignment failures and Devices > Monitor > Device configuration to identify settings that failed to apply. Cross-reference failures against the Group Policy Analytics unsupported list and remediate accordingly.
Resolution path
- Inventory all target GPOs and their linked OUs before beginning any migration activity
- Export all target GPOs from GPMC as XML files using Save Report or Get-GPOReport PowerShell cmdlet
- Import XML files into Intune Group Policy Analytics and review the full compatibility report for each GPO
- Use the Migrate function in Group Policy Analytics to auto-generate Settings Catalog draft profiles from supported GPO settings
- Review and validate each migrated profile in Intune for accuracy before assignment
- Manually recreate unsupported GPO settings using custom ADMX imports, OMA-URI entries, or PowerShell remediation scripts deployed via Intune
- Assign all migrated configuration profiles to appropriate Azure AD device or user groups in Intune
- For hybrid-joined devices, deploy ControlPolicyConflict/MDMWinsOverGP = 1 from Intune so the MDM value wins where a GPO and an Intune setting overlap; for co-managed devices, additionally move the affected co-management workloads from Configuration Manager to Intune
- Deploy migrated profiles to a pilot group first and validate using gpresult and Intune device sync reports before broad rollout
- Decommission or unlink original GPOs only after confirming full Intune policy parity and stability across the pilot population
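The pilot validation in the resolution path is where migrations are usually signed off on a glance at an HTML gpresult report. The script below is an added example, not from the original article or from Microsoft, that performs the same checks in a form that can be run on every pilot device and compared. It parses gpresult's XML output for the GPOs that actually applied, confirms Intune enrollment and hybrid join state, reads the cached MDMWinsOverGP value, triggers an MDM sync, and flags any GPO that was supposed to be unlinked but still applies. The registry locations are the ones Windows uses to cache enrollment and Policy CSP state; the list of GPO names in $ExpectedUnlinked is an assumed input. Run it elevated.

```powershell
# Added example (not from the original page): pilot-endpoint parity check after
# migrated Intune profiles are assigned. Run in an elevated PowerShell session.
param(
    [string[]]$ExpectedUnlinked = @('Workstation Baseline', 'Edge Settings'),   # assumed names
    [string]$ReportDir = 'C:\MigrationCheck'                                    # assumed path
)
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# 1. Resultant Set of Policy for the computer scope, as XML so it can be parsed.
$rsopPath = Join-Path $ReportDir 'rsop.xml'
gpresult.exe /scope computer /x $rsopPath /f | Out-Null
[xml]$rsop = Get-Content -Path $rsopPath -Raw
# gpresult lists every GPO it evaluated, including ones filtered out. Only entries
# that were not denied by security filtering and whose WMI filter passed applied.
$applied = @($rsop.Rsop.ComputerResults.GPO) |
    Where-Object { $_.AccessDenied -eq 'false' -and $_.FilterAllowed -eq 'true' } |
    ForEach-Object { $_.Name }

# 2. Intune enrollment: the enrollment whose ProviderID is 'MS DM Server'.
$enrollment = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    Where-Object { (Get-ItemProperty $_.PSPath).ProviderID -eq 'MS DM Server' } |
    Select-Object -First 1
$enrolled = $null -ne $enrollment

# 3. Join state from dsregcmd; a hybrid Azure AD joined device reports both as YES.
$ds = dsregcmd.exe /status
$azureJoined  = [bool]($ds -match '^\s*AzureAdJoined\s*:\s*YES')
$domainJoined = [bool]($ds -match '^\s*DomainJoined\s*:\s*YES')

# 4. Precedence: Group Policy wins conflicts unless the Policy CSP setting
# ControlPolicyConflict/MDMWinsOverGP is 1. Windows caches the delivered value here.
$conflictKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
$mdmWins = (Get-ItemProperty $conflictKey -ErrorAction SilentlyContinue).MDMWinsOverGP -eq 1

# 5. Trigger an MDM sync so the device reflects current assignments (same effect as
# Settings > Accounts > Access work or school > Info > Sync), then collect the
# built-in MDM diagnostic report for the ticket.
if ($enrolled) {
    Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\$($enrollment.PSChildName)\" -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like 'Schedule #3*' } | Start-ScheduledTask
    MdmDiagnosticsTool.exe -out $ReportDir | Out-Null
}

# 6. A GPO that should have been unlinked but still applies means the link survived,
# the device sits in an OU outside the migration scope, or it holds stale policy.
$stillApplied = @($applied | Where-Object { $ExpectedUnlinked -contains $_ })

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    HybridJoined   = ($azureJoined -and $domainJoined)
    IntuneEnrolled = $enrolled
    MDMWinsOverGP  = $mdmWins
    AppliedGPOs    = ($applied -join '; ')
    StillApplied   = ($stillApplied -join '; ')
}
if ($enrolled -and -not $mdmWins) {
    Write-Warning 'MDMWinsOverGP is not set: Group Policy will override any overlapping Intune setting.'
}
$stillApplied | ForEach-Object { Write-Warning "GPO still applying on pilot device: $_" }
```

Collect the output object from each pilot device into one CSV; a device showing IntuneEnrolled = True, MDMWinsOverGP = True and an empty StillApplied column is the signal that its GPO links can be removed for that scope. A device where HybridJoined is False but IntuneEnrolled is True is typically the "incorrect MDM enrollment scope" case listed under Likely causes and deserves its own look before the broad rollout.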
Prevention
- Maintain an up-to-date inventory of all GPOs, their linked OUs, and WMI filters before beginning migration
- Re-import GPOs into Group Policy Analytics periodically, since the MDM support percentage for a given GPO changes as Microsoft adds CSP equivalents for settings that were unsupported at the time of the first analysis
- Implement a phased migration using clearly defined pilot groups before broad deployment to production
- Avoid applying both GPO and Intune settings for the same policy area on hybrid-joined devices at any point during migration
- Document all unsupported GPO settings at the outset and proactively create equivalent Intune scripts, OMA-URI profiles, or custom ADMX imports
- Use Intune assignment filters to precisely target devices during staged rollouts and limit blast radius
- Establish a rollback plan by keeping original GPOs in place with their links disabled (or with GPO status set to all settings disabled) until Intune policy is confirmed stable and fully equivalent; re-enabling a link is a faster and safer rollback than restoring a deleted GPO from backup
- Test migrated profiles in a lab or dev tenant before applying to production Azure AD groups
Tools
- Group Policy Management Console (GPMC)
- Get-GPOReport (PowerShell cmdlet)
- Microsoft Intune Admin Center (intune.microsoft.com)
- Group Policy Analytics (Intune built-in tool)
- Intune Settings Catalog
- gpresult.exe
- MdmDiagnosticsTool.exe (built into Windows; produces the MDM diagnostic report)
- Microsoft Endpoint Configuration Manager console (for co-management workload control)
- Azure AD Admin Center