PRACTITIONER GUIDE | ENDPOINT MANAGEMENT
Practitioner GuideUpdated 11 min read

Intune vs Group Policy: When to Migrate, What Cannot Move, and How to Run Hybrid Management During Transition

~75% coverage
is the typical result from Group Policy Analytics -- roughly three-quarters of common GPO settings have an MDM equivalent in Intune. The remaining 25% are settings that have no MDM equivalent, settings that require ADMX ingestion, or settings that depend on on-premises infrastructure
ADMX cloud ingestion
allows Intune to deliver ADMX-backed settings (browser policies, Office policies, many third-party application policies) via MDM without joining a domain. Intune's Administrative Templates profile type supports over 4,000 ADMX-backed settings natively
Co-management
is the Microsoft-supported parallel state where ConfigMgr and Intune both manage a device simultaneously, with workloads (Windows Update, compliance policies, device configuration) split between the two. It is the migration runway -- not a permanent destination for most organizations
GPO wins on the endpoint
when the same setting is configured by both GPO and Intune MDM. GPO has higher precedence than MDM for most Windows settings. This means conflicting GPO and Intune settings produce GPO behavior, which can mask your Intune configuration. Audit and remove conflicting GPO settings before validating Intune policies

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The premise of a clean GPO-to-Intune migration is that every GPO setting has an Intune equivalent. It does not. Some settings genuinely have no MDM equivalent (certain low-level OS configuration, legacy application ADMX settings, drive mapping, logon scripts). For most enterprise environments, the practical answer is hybrid management: Intune handles cloud-delivered settings for Azure AD-joined and hybrid-joined devices, GPO handles the remainder via SYSVOL for domain-joined devices, and you progressively move workloads from GPO to Intune as you validate coverage.

Assess Your GPO Coverage with Group Policy Analytics

Before planning migration, use the Group Policy Analytics tool in Intune to identify which of your GPO settings have MDM equivalents:

Export your GPOs to XML:

# Export all GPOs to XML files
Get-GPO -All | ForEach-Object {
    $name = $_.DisplayName -replace '[^a-zA-Z0-9]', '_'
    Get-GPOReport -Name $_.DisplayName -ReportType Xml -Path "C:\GPOExports\${name}.xml"
    Write-Host "Exported: $($_.DisplayName)"
}

Import into Intune Group Policy Analytics:

  1. Go to Intune admin center: Devices > Group Policy Analytics
  2. Import the exported XML files
  3. Review the migration readiness report

Interpreting the results:

  • Supported: The setting has a direct MDM/Intune equivalent -- migrate these
  • Not supported: No MDM equivalent exists -- keep in GPO or accept the gap
  • Deprecated: Setting is no longer relevant in modern Windows -- can be removed
  • Unknown: Intune could not classify the setting -- review manually

Common categories that typically land in 'Not supported':

  • Folder Redirection (no MDM equivalent -- requires on-premises file server)
  • Drive Mapping (no MDM equivalent for persistent mapped drives)
  • Logon/Logoff scripts (partially: Intune has proactive remediation scripts but not full GPO script support)
  • Offline Files (no MDM equivalent)
  • Internet Explorer settings (IE is EOL -- migrate to Edge policies)
  • Some WMI filter-dependent policies

Settings Safe to Migrate First

Start with the categories that have high MDM coverage and low risk of conflict:

High-confidence migration categories:

  1. Windows Update settings: Intune's Windows Update for Business ring policies replace WU GPO settings. Migrate these early -- Intune WUfB gives better visibility into update compliance than GPO.

  2. BitLocker: Intune's Endpoint Security > Disk Encryption > BitLocker policy maps well to BitLocker GPO settings. Intune also provides escrow key management in Azure AD.

  3. Windows Firewall: Intune Endpoint Security > Firewall > Windows Firewall policy covers the same settings as the Windows Firewall GPO. Build your Intune firewall policy in a test group, compare behavior, then expand.

  4. Microsoft Edge policies: Intune Administrative Templates include the full Edge ADMX policy set. Edge GPO settings migrate cleanly to Intune Administrative Templates.

  5. Defender settings (Antivirus / ASR): Intune Endpoint Security profiles cover the Defender GPO settings comprehensively. The Intune profiles also add cloud-delivered protection controls that GPO lacks.

  6. Local admin rights control: Intune Local Administrator Password Solution (LAPS) and the local user/group policy type replace GPO Restricted Groups for local admin management.

Create an Intune Administrative Templates profile for ADMX-backed settings: Devices > Configuration profiles > Create profile > Windows 10 and later > Administrative Templates This ingests the built-in ADMX templates and allows configuring Office, Edge, and Windows ADMX settings via cloud.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Configure Co-Management for the Transition Period

Co-management allows ConfigMgr (SCCM) and Intune to manage the same Windows 10/11 device simultaneously. For organizations using ConfigMgr without Intune, co-management is the on-ramp.

Prerequisites:

  • ConfigMgr 1906 or later
  • Azure AD Connect syncing AD accounts to Azure AD
  • Devices hybrid Azure AD-joined or Azure AD-joined
  • Intune license for each device (E3 + Intune add-on, E5, or standalone)

Configure co-management in ConfigMgr:

  1. ConfigMgr console: Administration > Cloud Services > Co-management
  2. Configure the co-management properties: sign in with your Azure AD admin account
  3. Set the Automatic enrollment path: Pilot (specific collection) or All (fleet-wide)
  4. Configure workload sliders:
    • Configuration Policies: Start at ConfigMgr, move to Intune when policy coverage is validated
    • Windows Update policies: Move to Intune early (WUfB is better in Intune)
    • Compliance policies: Move to Intune early (enables conditional access)
    • Client apps: Keep in ConfigMgr longer (app deployment is mature in SCCM)

For GPO-only environments (no ConfigMgr): Use the Intune auto-enrollment MDM URL via Group Policy: Computer Configuration > Administrative Templates > Windows Components > MDM

  • Enable automatic MDM enrollment using default Azure AD credentials: User Credential This triggers MDM enrollment for hybrid Azure AD-joined devices without ConfigMgr.

Resolve GPO vs Intune Conflicts

The most common migration problem: Intune policies appear to apply (show Succeeded in the Intune portal) but the device behavior reflects GPO settings. This happens because GPO wins over MDM for most settings when both are configured.

Detect conflicting GPO settings:

# On a managed endpoint, review MDM enrollment status and conflicts
# Start > Run: ms-settings:workplace OR
# Settings > Accounts > Access work or school > select enrollment > Info

# For detailed MDM diagnostic:
MdmDiagnosticsTool.exe -area DeviceEnrollment;DeviceProvisioning -zip C:\MDMDiag.zip
# Review the resulting zip for policy conflicts

# Check MDM registry for applied policies
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

Identify GPO settings that override Intune:

# Run gpresult to see all applied GPO policies on a device
gpresult /H C:\GPResult.html /F
# Open GPResult.html and compare applied settings to your Intune policy intent
# Settings applied via GPO that you expected to control via Intune = conflict

Resolution process:

  1. Identify the GPO containing the conflicting setting via gpresult
  2. Remove the setting from the GPO (or set it to Not Configured)
  3. Wait for Group Policy refresh (gpupdate /force or next cycle)
  4. Verify the Intune policy now controls the setting
  5. Validate the device behavior matches the Intune policy intent

The bottom line

GPO-to-Intune migration is a multi-year project for most enterprise environments, not a one-time switch. Use Group Policy Analytics to baseline your coverage, migrate low-risk settings first (WUfB, BitLocker, Defender, Edge), use co-management as the transition runway, and resolve conflicts by removing GPO settings as their Intune equivalents are validated. Accept that some GPO settings will stay in GPO permanently -- hybrid management is the destination, not a temporary state.

Frequently asked questions

Can I manage devices with both GPO and Intune at the same time?

Yes -- this is co-management or hybrid management, and it is the supported and recommended transition path. Devices can be hybrid Azure AD-joined (joined to both on-premises AD and Azure AD), receive GPO settings via domain join, and receive Intune MDM settings via Azure AD enrollment simultaneously. The key constraint: when the same setting is configured by both GPO and Intune MDM, GPO wins for most settings. Plan your migration so each setting is controlled by one system at a time -- configure Intune, then remove the GPO setting, then validate.

What happens to GPO logon scripts when migrating to Intune?

GPO logon scripts have no direct MDM equivalent in Intune. The closest alternatives are: Intune Proactive Remediation scripts (run PowerShell on a schedule or at enrollment), Intune Win32 app deployments (package the script as an app and deploy it), or Platform scripts (run once at enrollment). For scripts that map drives or configure per-user settings at login, you need to redesign the approach -- Intune scripts run in the system context by default, not the user context. If you have complex logon script dependencies, factor them into your migration timeline as a discovery and redesign task, not a simple cutover.

Does Intune support all the same ADMX templates as Group Policy?

For Microsoft-provided ADMX templates (Office, Edge, Windows), Intune's Administrative Templates profile type includes them natively -- no import required. For third-party ADMX templates (Google Chrome, Zoom, other applications), Intune supports custom ADMX ingestion: you upload the ADMX and ADML files to Intune, and they become available for configuration in the Device Configuration profile. This is called ADMX cloud ingestion and it is available for Intune in the Settings Catalog. Not every third-party ADMX will work -- some use features not supported by the MDM ADMX ingestion mechanism, but coverage for common enterprise applications is good.

How long does a typical GPO-to-Intune migration take for a mid-size enterprise?

12 to 36 months is a realistic range for a 1,000 to 10,000 device enterprise doing this properly. The time is not primarily spent on technical migration tasks -- it is spent on inventory and assessment (which GPO settings exist and why), owner identification (who owns each policy), testing and validation (does the Intune equivalent produce the same behavior), and exception handling (what to do with the GPOs that have no MDM equivalent). Organizations that rush the migration without assessment tend to break endpoint behavior and lose visibility into their configuration state. The practical approach: run parallel for 12 months, migrate in waves by setting category, keep GPO for the remainder.

What is the Microsoft Group Policy Analytics tool and how does it help with Intune migration?

Group Policy Analytics is a feature in Microsoft Intune that analyzes your exported GPOs and reports which settings can be migrated to Intune MDM and which have no equivalent. To use it: export your GPO as an XML file using Backup-GPO, upload the XML to the Intune admin center under Devices > Group Policy Analytics, and run the analysis. The tool outputs a report showing which settings have a direct MDM equivalent, which are partially supported, and which have no equivalent. For settings with MDM equivalents, it can generate a Settings Catalog profile from the GPO analysis. This significantly accelerates the assessment phase of the migration by automating what would otherwise be a manual setting-by-setting comparison.

How do I manage the gap period where a device has left domain management but Intune policy has not yet applied?

The gap period -- between when a device unjoin from domain and when Intune policies fully apply -- is a real security risk. Devices in this state may have no enforced security policy, local admin accounts with default passwords, and no EDR reporting. Minimize the gap with a staged migration approach: enroll the device in Intune and verify all critical policies (firewall, encryption, EDR, password policy) are applied and reporting compliant before removing it from domain management. Use the Intune compliance reports to confirm each device meets your security baseline before cutting over. For the coexistence period (both GPO and Intune active on hybrid-joined devices), verify that Intune policy wins where it conflicts with GPO for settings you have migrated. The practical safety net: keep a break-glass local admin account with a LAPS-managed password during the transition, so you can recover devices where the Intune policy fails to apply correctly.

Sources & references

  1. Microsoft -- Group Policy analytics in Microsoft Intune
  2. Microsoft -- What is co-management?
  3. Microsoft -- Use ADMX templates for Windows in Microsoft Intune

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.