Using PowerShell to create Windows 10 Custom Device Policy from the output of Endpoint Manager Group Policy Analytics

In 2020 Microsoft released the Endpoint Manager Group Policy Analytics (still in Preview).

This can be very useful to determine your level of modern management support. At this point, Group Policy analytics only provides you with the MDM Supported values in CSP mappings and does not provide any further options to create the policies. As such, I have put together a PowerShell script to assist in streamlining the process. The script will run from C:\IntunePS, so make sure you create this directory and save all exported CSV files here.

The blog from systemcenterdudes covers the steps required to import the on-prem GPOs into Endpoint Manager Group Policy Analytics.

How to use Endpoint Manager Group Policy analytics

PowerShell Script

Once you have imported your on-prem GPOs and are happy to continue with the creation of the Intune policy you can follow the steps below:

Note: The script will only convert policy settings that have MDM Support.

  1. Download the PowerShell Script and save it to C:\IntunePS
  2. Click on the percentage under MDM Support to open the policy you would like to “convert”
  3. Click on Export and save the file to C:\IntunePS.
  4. Rename the exported csv file to the name you would like the Intune Policy to be.
  5. Run the PowerShell script.
  6. Enter the Azure credentials for authentication.
  7. Once the script completes you can verify the Policy/Policies in the Endpoint Manager Portal by navigating to Devices > Windows > Configuration Profiles
  8. The next step will be to deploy the policy (it is recommended to use test machines to ensure the policy applies as expected).
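
Before running any conversion against the tenant, it helps to review which exported rows would end up in the custom profile. The following is an added example, not the script referenced in this post: an offline dry run that builds a `windows10CustomConfiguration` request body from a Group Policy analytics export. The column names (`Setting Name`, `MDM Support`, `Value`, `CSP Mapping`), the sample rows, and the function name are assumptions; check them against your own export.

```powershell
# Dry-run preview only: nothing is sent to the tenant.
# Assumed export columns: 'Setting Name', 'MDM Support', 'Value', 'CSP Mapping'.
function ConvertTo-CustomPolicyBody {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [Parameter(Mandatory)] [string]   $PolicyName
    )
    # Keep only rows flagged as MDM supported that carry a usable OMA-URI.
    $supported = $Rows | Where-Object {
        $_.'MDM Support' -eq 'Yes' -and $_.'CSP Mapping' -like './*'
    }
    $oma = foreach ($r in $supported) {
        [ordered]@{
            # Simplification: every value is emitted as a string setting.
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = $r.'Setting Name'
            omaUri        = $r.'CSP Mapping'
            value         = [string]$r.Value
        }
    }
    [ordered]@{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $PolicyName
        omaSettings   = @($oma)
    }
}

# Constructed sample rows standing in for a CSV saved under C:\IntunePS.
$rows = @'
"Setting Name","MDM Support","Value","CSP Mapping"
"Example supported setting A","Yes","1","./Device/Vendor/MSFT/Policy/Config/ExampleArea/ExampleSettingA"
"Example unsupported setting","No","Enabled",""
"Example supported setting B","Yes","0","./Device/Vendor/MSFT/Policy/Config/ExampleArea/ExampleSettingB"
'@ | ConvertFrom-Csv

# Per step 4, the policy name is the name given to the exported CSV file.
$body = ConvertTo-CustomPolicyBody -Rows $rows -PolicyName 'Example-Baseline'

# Settings left behind still need another delivery mechanism; list them.
$skipped = $rows | Where-Object { $_.'MDM Support' -ne 'Yes' }
"Converted: $($body.omaSettings.Count)  Skipped: $(@($skipped).Count)"
$skipped | ForEach-Object { "  not converted: $($_.'Setting Name')" }

# Review this JSON before anything is submitted to the tenant.
$body | ConvertTo-Json -Depth 5
```

The skipped list matters as much as the converted one: any security setting in it is no longer enforced once the on-prem GPO is retired, unless it is delivered another way.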