While GPOs are the cornerstone of Windows administration, they were built for domain-joined, on-premises infrastructure. In contrast, Intune Configuration Profiles provide more granular control and cross-platform support, which are crucial for scalability and efficient endpoint management.
If you’re looking to integrate Intune into your IT management framework, this guide outlines the process of migrating from on-premises GPOs to Intune Configuration Profiles.
Steps for GPO to Intune transition
Start by reviewing the following items that will be necessary to complete the migration process.
📌 Prerequisites:
- Azure AD-joined or hybrid-joined Windows 10/11 endpoints
- Microsoft Intune licenses assigned
- Administrative access to Microsoft Endpoint Manager Admin Center
- PowerShell 5.1+ or Microsoft Graph module
- Optional: Enable GPO analytics via the Group Policy Migration tool
💡 Note: Some steps may vary depending on existing system defaults or settings.
Step 1: Audit existing GPOs and prioritize migration
To identify incompatibilities before you migrate, check whether the active policies are supported by Intune using Group Policy Analytics.
- In the Microsoft Endpoint Manager Admin Center, go to Devices → Group Policy Analytics (Preview).
- Import your GPO backup (.xml file).
- Review the support status (Supported, Not Supported, Deprecated).
- To create that backup, press Win + R, type gpmc.msc, and click OK to open the Group Policy Management Console (GPMC), then back up the GPOs.
💡 Note: Identify GPOs that apply to Security settings, BitLocker policies, Windows Update settings, and App control and endpoint protection. These GPOs typically have direct Intune counterparts that can ease the migration.
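To make the audit in Step 1 repeatable, the following PowerShell script is an added example (not part of the original article) that exports every GPO in the domain as the XML report Group Policy Analytics imports, and builds a small inventory to help prioritize which GPOs to migrate first. It assumes the GroupPolicy RSAT module is installed on a domain-joined admin host and uses C:\GPOExport as an arbitrary export folder.

```powershell
# Added example: export all GPOs as XML reports for Group Policy Analytics
# and produce an inventory (status, last change, number of extension areas).
# Assumes the GroupPolicy module (RSAT) is available and the caller can read GPOs.
Import-Module GroupPolicy

$ExportDir = "C:\GPOExport"   # assumed export location; change as needed
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

$summary = foreach ($gpo in Get-GPO -All) {
    # Make the display name safe to use as a file name
    $safeName = ($gpo.DisplayName -replace '[\\/:*?"<>|]', '_')
    $xmlPath  = Join-Path $ExportDir "$safeName.xml"

    # Same XML that GPMC "Save Report" produces; this is what Group Policy Analytics expects
    Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $xmlPath

    # Count the extension areas (Registry, Security, Scripts, ...) on each side
    # as a rough estimate of how much there is to map into Intune
    [xml]$report = Get-Content -Path $xmlPath
    $computerExt = @($report.GPO.Computer.ExtensionData | Where-Object { $_ }).Count
    $userExt     = @($report.GPO.User.ExtensionData     | Where-Object { $_ }).Count

    [pscustomobject]@{
        Name        = $gpo.DisplayName
        Status      = $gpo.GpoStatus
        Modified    = $gpo.ModificationTime
        ComputerExt = $computerExt
        UserExt     = $userExt
        Report      = $xmlPath
    }
}

# Largest GPOs first: these usually carry the security, BitLocker and update settings
$summary | Sort-Object -Property ComputerExt, UserExt -Descending |
    Export-Csv -Path (Join-Path $ExportDir "gpo-inventory.csv") -NoTypeInformation
$summary | Format-Table -AutoSize
```

Upload the per-GPO .xml files from the export folder in Devices → Group Policy Analytics; the CSV is only for your own prioritization.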
Step 2: Create the equivalent Intune Configuration Profiles
Next, it’s time to create the corresponding Intune Configuration Profile for your existing policies.
- Navigate to Devices → Configuration profiles → Create profile.
- Select the platform Windows 10 and later. Then, select one of the profile types:
  - Settings catalog (recommended)
  - Templates (for specialized scenarios like BitLocker, Wi-Fi, VPN)
  - Custom OMA-URI (for unsupported settings)
- Map your legacy GPO settings to catalog equivalents or OMA-URI entries where needed.
Step 3: Validate and monitor policy application
At this stage, it’s important to check your progress and validate the Intune policy application.
1. Check Intune policy application via PowerShell
- Use Search 🔎 to open Terminal → PowerShell → Run as administrator.
- Confirm the active policy settings with the Get-MDMPolicyResultantSetOfPolicy | Format-List command.
Meanwhile, you can also pull a specific CSP (Configuration Service Provider) value from the registry, for example the Defender area:
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender"
2. Monitor Intune policy application via Event Viewer
- Press Win + R, type eventvwr, and tap OK to open Event Viewer.
- Navigate to Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider → Admin.
Within this log, apply the corresponding filter to quickly identify policy application status and specific events. You can also filter by Event ID, like 813 or 814, which are the events typically logged when Intune policies are applied.
3. Force Intune policy application via Command Prompt
For this step, you can also use the Command Prompt to force policy sync if needed.
- Press Win + R, type cmd, and tap OK to open the Command Prompt.
- Then, run the following commands. The first reports the device's join and MDM enrollment state; the second opens the MDM enrollment page if the device is not yet enrolled:
dsregcmd /status
start ms-device-enrollment:?mode=mdm
Forcing the policy application is often unnecessary since Intune devices sync automatically at set intervals. Also, administrative privileges are typically required to run these commands.
Step 4: Use OMA-URI for unsupported or advanced settings
For settings not covered in the settings catalog (e.g., legacy policies, advanced policies), you may use custom profiles:
- Create a custom profile in Intune.
- Use known CSP documentation to apply policies. For example, to disable Task Manager:
  - OMA-URI: ./Device/Vendor/MSFT/Policy/Config/TaskManager/AllowTaskManager
  - Data type: Integer
  - Value: 0
This can be further validated by checking the corresponding registry path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\TaskManager.
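The registry and Event Viewer checks from Step 3 and the OMA-URI validation from Step 4 can be combined into one script. The PowerShell below is an added example, not code from the original article or from NinjaOne: it compares a list of expected CSP values against the PolicyManager registry and lists the matching 813/814 events. The expected values are constructed for illustration (the TaskManager setting from Step 4 plus an assumed Defender setting); run it elevated on an enrolled Windows 10/11 device. Re-running it on a schedule also serves the configuration-drift monitoring in Step 7.

```powershell
# Added example: verify that Intune-delivered CSP settings have landed on this device.
# Expected values are constructed for illustration; replace them with your own profile settings.
$Expected = @(
    @{ Area = 'TaskManager'; Name = 'AllowTaskManager';      Value = 0 }  # OMA-URI from Step 4
    @{ Area = 'Defender';    Name = 'AllowRealtimeMonitoring'; Value = 1 }  # assumed Defender policy
)

# CSP values applied through MDM are mirrored under this key (Step 3 / Step 4)
$Base = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

function Test-CspSetting {
    param([string]$Area, [string]$Name, $Value)
    $path   = Join-Path $Base $Area
    $actual = $null
    if (Test-Path $path) {
        $actual = (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    [pscustomobject]@{
        Setting  = "$Area/$Name"
        Expected = $Value
        Actual   = $actual
        State    = if ($null -eq $actual) { 'Missing' }
                   elseif ("$actual" -eq "$Value") { 'OK' }
                   else { 'Mismatch' }
    }
}

$results = foreach ($e in $Expected) { Test-CspSetting @e }
$results | Format-Table -AutoSize

# Matching "set policy" events from the MDM diagnostics log (Step 3):
# 813 = integer policy applied, 814 = string policy applied
$names  = ($Expected | ForEach-Object { $_.Name }) -join '|'
$filter = @{
    LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Id        = 813, 814
    StartTime = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $names } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap

# Non-zero exit code when anything is missing or wrong, so an RMM script can alert on it
if ($results | Where-Object { $_.State -ne 'OK' }) { exit 1 } else { exit 0 }
```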
Step 5: Apply security baselines where possible
Security baselines help replace common GPO configurations, and Intune has a few integrated ones for Microsoft Defender, Windows 10/11, and Microsoft Edge. To apply:
- Go to Endpoint Security → Security Baselines.
- Choose a baseline and assign it to the appropriate group.
These steps are recommended for supplementing Configuration Profiles and replacing some commonly used GPOs.
Step 6: Handle policy conflicts and precedence
When it comes to policy precedence, Intune policies override GPOs on Azure AD-joined devices.
- On Azure AD-joined devices, Intune policies take precedence.
- On hybrid-joined devices, conflicts may arise if both GPO and Intune manage the same setting. In these cases, the “last writer” wins.
To avoid these conflicts, it’s recommended that you refrain from duplicating settings across GPO and Intune. You can use Intune Reporting → Endpoint Security → Per Setting Status to proactively identify conflicts.
Step 7: Decommission GPOs after successful migration
After migration and policy validation, that is, once you have confirmed that workflows and assets function as intended in the new environment, you can start removing GPOs.
- Gradually unlink GPOs in GPMC.
- Monitor endpoints for configuration drift.
- Ensure all settings are enforced via Intune or PowerShell scripts.
- Maintain GPO backup and restore protocols.
NinjaOne helps with seamless Intune migration
For IT environments, these NinjaOne services and capabilities can help with the transition:
- Detecting non-compliant settings still applied by legacy GPOs.
- Monitoring registry keys and confirming Intune policy enforcement.
- Deploying PowerShell-based scripts for custom configuration enforcement.
- Tagging endpoints based on policy profile (GPO-managed vs Intune-managed).
- Providing real-time alerts when settings drift or fail to apply properly.
For IT teams and MSPs, NinjaOne can serve as a control hub for validating and reinforcing cloud-based policy migrations. Then, at scale, NinjaOne can be a direct alternative to Intune while also providing a wide suite of enterprise-grade endpoint management services at the same central dashboard.
⚠️ Things to look out for during Intune migration
Missing something? Consider these scenarios and tips for handling errors, preventing system issues, and reinforcing policies.
| Risk | Potential Consequence | Remediation |
| --- | --- | --- |
| Device not syncing | Intune profile not applying | Run dsregcmd /status and verify MDM enrollment |
| Hybrid join with conflicting GPOs | GPO still active | Use Group Policy Results (gpresult) to confirm policy status |
| Invalid CSP path | OMA-URI failure | Cross-reference with Microsoft CSP documentation |
| Sync schedule delay | Delayed application | Trigger manual sync from the Access Work or School account panel |
Built-in tools like PowerShell, gpresult, Event Viewer, and registry can help narrow down Intune policy deployment errors. Just make sure you have access privileges and the required familiarity with the tools to diagnose and troubleshoot issues efficiently.
Best practices for Intune migration
Migrating from GPOs to Intune Configuration Profiles is a big boost for endpoint management. It offers more robust policy enforcement capabilities and customization options, perfect for organizing modern workflows.
With that in mind, IT teams and MSPs managing cloud and hybrid environments may eventually want more coverage than Microsoft’s proprietary solution. If so, an RMM like NinjaOne can provide scalable and flexible endpoint management that can complement or even replace Intune.
Ultimately, replacing one tool with another is hardly the be-all and end-all in endpoint management. More often than not, it’s about building a stack that efficiently supports the current environment and lays the foundation for growth and adaptability.
