Skip to main content

GPO-to-Intune Migration — Structured Policy Buildout

Organizations managing Windows devices through Active Directory Group Policy accumulate GPO estates over years. By the time a modern endpoint management initiative begins, the typical environment has hundreds of GPOs — many obsolete, many overlapping, most without documentation. Migrating them one-to-one into Intune imports the technical debt wholesale.

This chapter describes a top-down, Intune-first approach that treats the existing GPO estate as a source of requirements rather than a migration target. The goal is not to reproduce Group Policy in Intune — it is to build a mature, well-structured Intune policy framework and validate it against what Group Policy was actually enforcing.

The Top-Down Approach

The one-to-one migration instinct is understandable but wrong. Each GPO that gets mapped to an Intune configuration profile carries forward its original context, naming, and scope — which was almost never designed with Intune in mind. The result is the same organic mess in a different tool.

The alternative:

  1. Define the target state first. Use the Open Intune Baseline (OIB) as the structural foundation. Determine what a well-organized Intune policy set looks like before touching the existing GPOs.
  2. Treat GPO settings as requirements. Export a Group Policy Analytics report. Use it to validate that your target Intune policies cover the settings that GPOs were enforcing. Fill gaps; discard settings that are obsolete or no longer applicable.
  3. Build clean, consolidated policies. Fewer policies with clear names and documented purpose are easier to audit, easier to troubleshoot, and easier to hand off.
  4. Retire the ad-hoc layer. Disable existing organically grown Intune policies as the structured framework subsumes them.

This approach produces a policy set that is defensible in an audit, maintainable over time, and smaller than the original GPO estate.

Group Policy Analytics

Group Policy Analytics is built into the Intune portal (Devices > Windows > Group Policy Analytics). It ingests a GPO XML export and classifies each setting:

ClassificationMeaning
MDM supportedA direct CSP equivalent exists in Intune — setting can be migrated as-is
DeprecatedSetting targets an obsolete OS feature; do not migrate
MDM parityEquivalent control exists but the implementation path differs — requires manual mapping
Not supportedNo MDM equivalent; requires a Platform Script, Remediation, or no action

The MDM readiness percentage shown per GPO is the fraction of its settings that fall in the MDM supported category. A GPO at 100% can be mechanically migrated; a GPO at 0% requires a different workstream entirely (scripts, Win32 apps, or accepted risk).

Running the Analysis

  1. Export GPOs to XML: On a domain controller or management workstation with the Group Policy Management Console (GPMC) installed, run: 
    # Export a single GPO
    Get-GPO -Name "PolicyName" | Get-GPOReport -ReportType XML -Path ".\GPOName.xml"

    # Export all GPOs in the domain
    Get-GPO -All | ForEach-Object {
        Get-GPOReport -Guid $_.Id -ReportType XML -Path ".\GPOExports\$($_.DisplayName).xml"
    }
  2. Upload to Intune: Devices > Windows > Group Policy Analytics > Import — upload individual XML files or a ZIP containing multiple exports.
  3. Review the report: Filter by MDM support percentage. Sort to identify high-readiness GPOs (quick wins) and zero-readiness GPOs (alternate workstreams).
  4. Export the settings-level detail: The summary view shows per-GPO readiness; the drill-down shows per-setting CSP mappings. Export the settings-level CSV for use during policy buildout — this is the primary working artifact. Each row is one setting from one GPO: setting name, CSP path, MDM support state, and the source GPO. Sort by MDM support state and functional category to build your policy map.
Prioritize by function, not by GPO

A single GPO may contain settings that belong in three different target Intune policies. Work from the settings-level export, organized by functional category, not from the GPO list. In large estates, 60–80% of settings across specialized-environment GPOs are duplicates of each other — identifying the shared base before building per-environment supplements dramatically reduces the policy count.

Policy Framework and Naming Convention

The OIB naming convention provides a consistent structure for every Intune policy in the environment. All policies — whether they are direct OIB imports or organization-specific additions — should follow this schema:

Win - [OIB|ORG] - [ES|SC|U] - [Function] - [D|U] - [Description] - v[Version]
TokenValuesMeaning
WinWin, iOS, macOS, AndroidPlatform
OIB or ORGOIB = Open Intune Baseline standard; org prefix for org-specific policiesPolicy source/ownership
ES / SC / UES = Endpoint Security; SC = Security Compliance / Configuration; U = User-levelPolicy category
FunctionAttack Surface Reduction, Browser, Firewall, etc.Functional area
D / UD = Device scope; U = User scopeAssignment scope
DescriptionShort descriptorDistinguishes policies in the same function
Versionv1.0, v1.1Change tracking

Example: Win - OIB - ES - Attack Surface Reduction - D - ASR Rules - v1.0

Organization-specific policies that extend or deviate from OIB defaults use the org prefix instead of OIB:

Example: Win - COC - SC - Browser - D - Microsoft Edge - v1.0 (City of Cleveland-specific Edge configuration)

This naming convention makes the policy list self-documenting: scope, ownership, and function are visible without opening the policy.

Policy Taxonomy by Tier

Organize the build and deployment sequence into five tiers, ordered by security impact and risk.

Tier 1 — Security Foundation

Deploy first. These policies establish the security posture for all managed Windows devices and produce the most significant compliance and security improvement per unit of effort.

Policy AreaOIB EquivalentWhat It Covers
Attack Surface ReductionWin - OIB - ES - Attack Surface Reduction - D - ASR RulesASR rules, exploit mitigations
Exploit ProtectionWin - OIB - ES - Attack Surface Reduction - D - Exploit ProtectionSystem-wide DEP, ASLR, SEHOP
Defender AntivirusWin - OIB - ES - Defender Antivirus - D - AV ConfigurationReal-time protection, cloud protection, scan schedule
Defender Security ExperienceWin - OIB - ES - Defender Antivirus - D - Security ExperienceNotification management, tamper protection UI
EDR OnboardingWin - OIB - ES - Defender for Endpoint - D - EDRAutomated onboarding to Microsoft Defender for Endpoint
BitLockerWin - OIB - ES - Encryption - D - BitLocker (OS Disk)XTS-AES 256-bit encryption, recovery key escrow to Entra ID
Windows FirewallWin - OIB - ES - Firewall - D - Firewall RulesDomain, private, and public profiles
Windows LAPSWin - OIB - ES - Windows LAPS - D - LAPS ConfigurationLocal admin password rotation and escrow
Removable Media ControlWin - OIB - ES - Attack Surface Reduction - D - Device ControlUSB and removable storage allowlist
Validate against existing Intune policies before deploying Tier 1

Most environments with a GPO estate also have organically built Intune policies covering some of these areas. Diff the existing Intune policy settings against the OIB equivalents before enabling the OIB version. Specific settings (ASR rule exclusions, AV exclusions, LAPS account names) are often customized in the existing policies and must be carried forward.

Tier 2 — Identity and Compliance

Policy AreaOIB EquivalentWhat It Covers
Windows Hello for BusinessWin - OIB - ES - Windows Hello for Business - D - WHfB ConfigurationPasswordless authentication, biometrics
Cloud Kerberos TrustWin - OIB - ES - Windows Hello for Business - D - Cloud Kerberos TrustSSO to on-premises resources for Hybrid environments
Local Security PoliciesWin - OIB - SC - Device Security - D - Local Security PoliciesAccount lockout, audit policies, user rights assignments
Compliance PolicyWin - [ORG] - Compliance - D - Windows WorkstationBitLocker required, Secure Boot, minimum OS version, firewall and AV state, MDE risk score — drives Conditional Access enforcement

The compliance policy is the enforcement layer. Tier 1 policies establish the security controls; the compliance policy verifies they are in place and signals Conditional Access whether to permit or block device access.

Tier 3 — Device Configuration

Policy AreaCoverage
Login and lock screenScreen timeout, lock behavior, inactivity policy
Windows Update for BusinessDiagnostic data, update compliance reporting (separate from Update Rings — see Tier 4)
Browser configurationHomepage, security zones, enterprise site lists, cache settings
OneDrive KFMKnown Folder Move silent configuration, sync settings
Productivity appsOffice licensing, modern auth, PST disable
Remote accessRemote Desktop, Remote Assistance settings
Time synchronizationNTP configuration — often 5-10 GPOs consolidated into one Intune policy
Network and proxyProxy settings per environment or department group

Tier 4 — Windows Update Rings

Replace all Windows Update GPOs with a structured Windows Update for Business (WUfB) deployment. The standard ring structure:

RingTypical TargetQuality DeferralFeature Deferral
IT / DevIT staff, administrators0 days0 days
PilotEarly adopters3 days0 days
GeneralStandard workforce7–10 days0 days
Critical OpsMission-critical devices (dispatch, emergency services, production control)14 daysUse Feature Update policy

Critical Ops devices — those running dispatch, emergency services, or production control software — require extended quality deferrals and thorough validation before feature updates are applied. Rather than setting a long feature deferral period on the update ring (which is hard to manage over time), target a specific Windows version using a separate Feature Update policy and update the target annually. Maintain Group Policy as a fallback for these devices during the WUfB transition.

Retire update-blocking GPOs immediately

GPOs that disable Windows Update entirely (Disable Windows Updates x64, Disable Windows Updates x86, or similar) represent an active security risk — they prevent devices from receiving security patches. These must be retired immediately, before the WUfB migration is complete, by assigning affected devices to the Critical Ops ring as an interim measure.

Tier 5 — Specialized Environments

These are higher-risk migrations requiring extended piloting. Before building any Tier 5 policy, audit the settings-level export for cross-environment overlap — in most organizations with specialized devices, 60–80% of settings across environment-specific GPOs are identical. Build a Base Lockdown policy containing shared settings first, then layer environment-specific supplements on top.

Layered architecture pattern:

Base Lockdown Policy (~80 shared settings)
  → Assigned to: all restricted / specialized device groups

  + MDT Supplement        (~25 unique settings)  → MDT/CAD devices
  + Dispatch Supplement   (~15 unique settings)  → Dispatch terminals
  + Kiosk Supplement      (~15 unique settings)  → Shared kiosk devices
  + VDI Supplement        (~30 unique settings)  → Virtual desktops
  + App Supplement        (~33 unique settings)  → Per-application policy

Typical shared settings that belong in the base policy: Start Menu restrictions, desktop lockdown, File Explorer restrictions, command prompt and registry editor blocking, screensaver enforcement, Task Manager removal, Lock Computer removal.

Environment types:

  • Mission-critical / operational devices — CAD systems, dispatch terminals, vehicle-mounted computers. Cannot tolerate unplanned reboots or feature changes. Extended pilot with a dedicated device group; maintain GP as fallback throughout.
  • Kiosk and shared devices — Single-app and multi-app kiosk configurations; power management; LAPS for shared local admin accounts.
  • VDI / virtual clients — Virtual machine optimization settings for AVD or W365 session hosts. Verify whether any Defender or system-restore settings in existing VDI GPOs were intentionally disabled for non-persistent images.
  • Application-specific policies — Settings that exist to support a specific line-of-business application. Validate that the application is still in active use before building a policy around it; many 0%-MDM-ready app GPOs target decommissioned applications.

What to Exclude from Intune

Not everything in a GPO estate should be migrated. Attempting to migrate out-of-scope GPOs wastes effort and produces policies that will never work correctly in Intune.

Server GPOs

GPOs targeting server OUs remain in Group Policy. They are not in scope for Intune. For hybrid server management at scale, evaluate Azure Arc + Azure Policy as a separate initiative.

Drive Mapping GPOs

Drive mapping has zero MDM support. This is not a policy migration question — it is a file share modernization initiative (SharePoint Online, Azure Files, or OneDrive Known Folder Move). When the organization is ready, a single Intune Platform Script can replace dozens of drive mapping GPOs.

Software Deployment GPOs

GPOs that deploy MSI packages belong in Intune as Win32 app deployments, not configuration policies. This is a separate app packaging and deployment workstream.

Infrastructure and Network GPOs

Certificate deployment, Wi-Fi profiles, VPN configurations, and device enrollment bootstrapping GPOs have Intune equivalents but belong in dedicated workstreams: Certificate Connector, Wi-Fi profiles, VPN profiles, and enrollment restrictions. They should not be migrated as configuration policies.

Empty and Container GPOs

GPOs with no active settings (OU containers, link-only GPOs, printer-only GPOs) have nothing to migrate. Document them and clean them up in AD at the AD team's discretion.

Co-Management Workload Configuration

Organizations on co-management (Intune + Configuration Manager) must explicitly transfer workload authority to Intune for each policy area as migration completes. Until the workload is transferred, Configuration Manager (and therefore Group Policy applied by it) continues to win for that area.

Transfer workloads in Intune (Tenant administration > Connectors and tokens > Microsoft Endpoint Configuration Manager > Properties):

WorkloadTransfer When
Compliance policiesPhase 2 complete — compliance policies built and validated
Device configurationPhase 3 complete — Tier 3 policies built and validated
Endpoint ProtectionPhase 1 complete — Tier 1 security policies validated
Windows Update policiesPhase 4 (WUfB rings) validated

Transfer one workload at a time. Monitor the Device Compliance and Configuration dashboard after each transfer to catch regressions before transferring the next workload.

Implementation Phases

Phase 1 — Security Foundation (Weeks 1–6)

  1. Export the full GPO estate using GPMC and upload to Group Policy Analytics
  2. Review the analytics output — identify high-readiness GPOs in security categories
  3. Import the OIB Tier 1 policies using the IntuneManagement tool
  4. Customize OIB defaults against the GPO settings export — carry forward any organization-specific exclusions, account names, and rule overrides
  5. Deploy to a pilot group (IT staff devices) for a minimum two-week validation window
  6. After validation, deploy broadly and disable superseded ad-hoc Intune policies

Phase 2 — Identity, Compliance, and Device Configuration (Weeks 6–12)

  1. Deploy WHfB and Cloud Kerberos Trust policies
  2. Build and deploy the compliance policy — coordinate with the CA team to ensure Conditional Access is ready to enforce compliance state
  3. Build Tier 3 device configuration policies from the GPO analytics settings export, organized by functional area
  4. Consolidate existing organically built Intune policies into the OIB-structured equivalents
  5. Deploy WUfB rings — transfer the Windows Update workload from Configuration Manager once rings are validated

Phase 3 — Specialized Environments (Weeks 12–20)

  1. Pilot mission-critical device policies with a small, representative device group
  2. Restructure kiosk policies under the OIB naming convention
  3. Deploy VDI optimization policies
  4. Build application-specific policies; for zero-MDM-readiness app settings, build Intune Remediations or Platform Scripts as needed

Phase 4 — Consolidation and Steady State (Weeks 20–26)

  1. Retire all superseded Intune policies — disable, then delete after a 30-day grace period
  2. Remove test, temporary, and ZZZ-prefixed deprecated policies
  3. Produce a policy registry — a living document mapping each Intune policy to its purpose, target group, version, and the GPO settings it replaced
  4. Establish a change management process: new policy requests follow the OIB naming convention and require documentation before deployment

CMMC Control Mapping

NIST SP 800-171 Rev. 2 ControlHow Structured Policy Buildout Satisfies It
CM.L2-3.4.1 — Establish and maintain baseline configurations and inventories of organizational systemsThe OIB-structured Intune policy set is the documented, maintained baseline. The policy registry (Phase 4) provides the inventory artifact required by assessors.
CM.L2-3.4.2 — Establish and enforce security configuration settings for information technology productsIntune configuration policies enforce security settings on all managed endpoints with compliance state reporting. Group Policy enforcement is replaced with managed, auditable Intune enforcement.
CM.L2-3.4.6 — Employ the principle of least functionalityGPO-to-Intune migration is an opportunity to remove settings that enabled unnecessary features or services. Tier 1 ASR rules directly restrict execution of unneeded OS capabilities.
SI.L2-3.14.1 — Identify, report, and correct information system flaws in a timely mannerWUfB rings (Tier 4) establish structured, documented patch management with defined deferral periods and ring-based validation.

A CMMC Level 2 assessor evaluating CM.L2-3.4.1 will typically request both the configuration evidence (Intune policy export) and a document showing what the policies contain and why. The policy registry produced in Phase 4 is the primary audit artifact for this control.

📩 Don't Miss the Next Solution

Join the list to see the real-time solutions I'm delivering to my GCC High clients.