On-premises to cloud native in Intune: expert tips and key considerations

To expand on Chad's statement that GPO Analytics has a lot to be desired we have experienced areas where it falls short of expectations. Here are some examples: Settings from custom ADMX files that have been imported into Intune are not reported on or converted by GPO analytics; GPO analytics does not account for all settings that might be available in CSPs (We got 0% conversion for Chrome GPOs even though many of those settings are in native CSPs); The GPO Analyzer does not look at GPP settings; Deprecated or unknown settings don't factor into the conversion calculation (We had some GPOs report 100% conversion even though there were deprecated or unknown settings). Given this it seems that GPO Analytics is one tool in a tool set to get you started on the road to moving towards cloud-based management. If you are looking to simply lift and shift GPOs to CSPs it is not going to get you there. Perhaps that is why the guidance is to start over and ask what the requirements are today and build CSPs from the ground up.

Hi Chad, I’m curious what you are exactly looking for and maybe somebody from the community can share his/ her experience on it. We have used Group Policy Analytics only for checking if Intune had all the settings from our Windows, M365 and Edge baseline (this was already a few years ago). We made an overview what GP Analytics showed as not available and checked Settings Catalog if the settings which were shown as not available, if these could be managed with SC. We found out that we could build our security baselines with Intune, even completely in Setting Catalog. For all the other settings, we only moved the settings from which we knew it could cause issues for our end users if we didn’t manage these. For all the others, we used this move to the cloud as a cleanup for our GPO settings. For example the firewall rules, we started completely greenfield in Intune. And guess what, we only have a handful left. It turned most of the settings were not needed anymore.

I have found some policies that GPO Analytics says are not supported but I am still able to upload the ADMX files to Intune and use them just fine. Making me feel like the report is inaccurate.

I second what Chad is looking for as far as information on how to handle the move to cloud management. My org is in the same boat, we are a multi-domain enterprise looking to migrate settings management to Intune but what seems to be lacking is any information on how to do that well, especially in the case of settings that done currently exist in Intune, does there non-existence mean they're not actually supported or that they were just missed when the Intune config was created? If needed I can provide specific examples of these settings.