For organizations still running Active Directory alongside Microsoft 365, the question of when to move device configuration from Group Policy Objects to Microsoft Intune has shifted from “if” to “how.” The tooling has matured enough that most organizations managing workloads up to several thousand seats can realistically complete this transition today, at least for client devices.
The migration path typically starts not with Intune at all, but with an honest audit of what GPOs actually exist. Organizations that have run Active Directory for 15 or 20 years tend to accumulate GPOs the way attics accumulate boxes: things get added, rarely removed, and nobody quite remembers what half of it does. Exporting GPOs to XML and running them through a structured review with stakeholders from desktop, application, and server teams often reveals that a significant portion of policies target deprecated applications, were created for testing and never cleaned up, or simply aren’t linked to anything in AD. Getting from 150 GPOs to 60 in a first-pass review is not unusual.
Once the rationalization is complete, Intune’s Group Policy Analytics tool provides the bridge. You export GPO XML from AD and import it directly into the analyzer, which maps each policy against MDM policy CSPs and reports what percentage of each GPO’s settings can be translated to Intune configuration policies. The tool also flags deprecated settings, unknown settings, and those with no MDM equivalent.
That compatibility percentage deserves some skepticism, though. A GPO that sets registry keys directly or runs logon scripts may show as fully supported because the analyzer doesn’t flag those constructs as unsupported, even though there’s no direct Intune equivalent for arbitrary registry writes or script execution. Manual review remains essential, particularly for any policy the tool marks as 100% compatible.
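The inventory that the rationalization and the analytics review both depend on can be produced from the same XML that Group Policy Analytics imports. The script below is an added example, not part of the original article or of any Microsoft tooling: it walks every GPO with the RSAT GroupPolicy module, pulls the per-GPO XML report, and tags each one as unlinked, empty, stale, or needing manual review because it carries script or Group Policy Preferences registry items that the analyzer's percentage does not surface. The output path, the 365-day staleness threshold, and the XPath heuristics for spotting those items are assumptions for this example and may need tuning against your own reports.

```powershell
# Added example (not from the article): inventory GPOs for a rationalization review.
# Assumes the RSAT GroupPolicy module is installed and the caller can read every GPO.
Import-Module GroupPolicy

$OutputCsv = 'C:\GPOAudit\gpo-inventory.csv'   # assumed output location
$StaleDays = 365                                 # assumed threshold for "not modified recently"
New-Item -ItemType Directory -Path (Split-Path $OutputCsv) -Force | Out-Null

$rows = foreach ($gpo in Get-GPO -All) {
    # One XML report per GPO; this is the same XML format Group Policy Analytics imports.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    # LinksTo is absent when the GPO is linked nowhere; filter the null so Count is 0.
    $links        = @($report.GPO.LinksTo | Where-Object { $null -ne $_ })
    $enabledLinks = @($links | Where-Object { $_.Enabled -eq 'true' })

    # Heuristics (assumed element shapes): GPP registry items carry a clsid attribute,
    # and logon/startup scripts appear as Script elements. Neither has a direct
    # Settings Catalog equivalent, so flag them for manual review regardless of the
    # compatibility percentage the analyzer reports.
    $hasRegistryPref = $report.SelectNodes("//*[local-name()='Registry' and @clsid]").Count -gt 0
    $hasScripts      = $report.SelectNodes("//*[local-name()='Script']").Count -gt 0

    # A side with no ExtensionData carries no settings at all.
    $computerSettings = $null -ne $report.GPO.Computer.ExtensionData
    $userSettings     = $null -ne $report.GPO.User.ExtensionData

    $flag = ''
    if ($enabledLinks.Count -eq 0)                                         { $flag = 'UNLINKED' }
    elseif (-not ($computerSettings -or $userSettings))                    { $flag = 'EMPTY' }
    elseif ($gpo.ModificationTime -lt (Get-Date).AddDays(-$StaleDays))     { $flag = 'STALE' }
    elseif ($hasRegistryPref -or $hasScripts)                              { $flag = 'MANUAL-REVIEW' }

    [pscustomobject]@{
        Name                = $gpo.DisplayName
        Id                  = $gpo.Id
        GpoStatus           = $gpo.GpoStatus
        Modified            = $gpo.ModificationTime
        LinkCount           = $links.Count
        EnabledLinkCount    = $enabledLinks.Count
        LinkedTo            = ($links | ForEach-Object { $_.SOMPath }) -join '; '
        HasComputerSettings = $computerSettings
        HasUserSettings     = $userSettings
        HasRegistryPref     = $hasRegistryPref
        HasScripts          = $hasScripts
        ReviewFlag          = $flag
    }
}

$rows | Sort-Object ReviewFlag, Name | Export-Csv -Path $OutputCsv -NoTypeInformation
# Quick summary for the review meeting: how many GPOs fall into each bucket.
$rows | Group-Object ReviewFlag | Select-Object Name, Count
```

Run it from a workstation with RSAT against the domain you are auditing; the CSV gives the desktop, application, and server stakeholders one list to work from, and the MANUAL-REVIEW rows are the ones to open by hand even when the analyzer scores them as fully compatible.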
For settings that genuinely have no configuration policy equivalent in the Settings Catalog, remediation scripts in Intune fill the gap reasonably well. A remediation script can check for a specific registry path and write it if absent, functioning similarly to how a GPO enforces a setting on a recurring basis.
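As an added example (not code from the article or from Microsoft), here is the detection/remediation pair that replaces a GPO-enforced registry value. Intune expects two separate scripts, so save the two halves below as separate files; the registry path, value name and data are constructed placeholders for this example rather than a documented policy key.

```powershell
# Added example (not from the article): an Intune remediation pair standing in for a
# GPO that enforced one registry value. Path, name and data are constructed placeholders.

# ---------- Detect-ExampleSetting.ps1 (upload as the detection script) ----------
$RegPath   = 'HKLM:\SOFTWARE\Contoso\Baseline'   # constructed placeholder path
$ValueName = 'ExampleSetting'                    # constructed placeholder value name
$Expected  = 1                                   # REG_DWORD data the old GPO wrote

try {
    $current = Get-ItemPropertyValue -Path $RegPath -Name $ValueName -ErrorAction Stop
} catch {
    $current = $null                             # key or value missing
}

if ($current -eq $Expected) {
    Write-Output "Compliant: $RegPath\$ValueName = $current"
    exit 0      # 0 = compliant; Intune does not run the remediation script
} else {
    Write-Output "Non-compliant: $RegPath\$ValueName is '$current', expected $Expected"
    exit 1      # 1 = non-compliant; Intune runs the remediation script
}

# ---------- Remediate-ExampleSetting.ps1 (upload as the remediation script) ----------
$RegPath   = 'HKLM:\SOFTWARE\Contoso\Baseline'   # must match the detection script
$ValueName = 'ExampleSetting'
$Expected  = 1

try {
    if (-not (Test-Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    # -Type DWord mirrors the data type the GPO used; writing a REG_SZ '1' would
    # leave the detection script failing on every run even though the write succeeded.
    Set-ItemProperty -Path $RegPath -Name $ValueName -Value $Expected -Type DWord -ErrorAction Stop
    Write-Output "Remediated: set $RegPath\$ValueName to $Expected"
    exit 0
} catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
    exit 1
}
```

Two settings on the remediation package matter as much as the script body: enable "Run script in 64-bit PowerShell" for HKLM writes, since the 32-bit host will silently redirect some SOFTWARE paths to WOW6432Node, and use "Run this script using the logged-on credentials" for anything that belonged to the User side of the GPO, because the default SYSTEM context cannot see the user's HKCU. The recurring schedule is what gives you the GPO-like re-enforcement the text describes, and the detection output string is visible per device in the Intune report, which is where you confirm the policy is actually applying before unlinking the GPO.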
The cleanest migration strategy avoids trying to surgically disable individual GPOs while simultaneously pushing equivalent configuration policies to hybrid-joined devices. Instead, standing up fresh Microsoft Entra ID-only joined devices, with no GPO inheritance at all, lets you validate that configuration policies are doing what you expect before touching existing machines. Disabling a GPO does not revert settings it already applied, so legacy configurations can linger on existing devices even after the policy is turned off.
Servers remain the complication. Retiring Active Directory entirely for workstations is within reach for many organizations today. For servers, particularly those running legacy applications with physical hardware dependencies or unusual licensing constraints, that transition is further off.