Migrating GPOs from SCCM


This exercise helps you to migrate your Group Policy Objects (GPOs) to Workspace ONE UEM and assign those GPOs to users and devices.

This exercise contains the following procedures:

  • Download and Run AirWatch GPO Migration Tool
  • Upload GPOs to Workspace ONE UEM
  • Assign and Test GPO App Package
  • Enroll Windows 10 Device
  • Verify GPO App Package Installation


In addition to the previous requirements, you must also satisfy the following:

  • Windows 10 domain-joined device
  • PowerShell with admin rights
  • API Key
  • Workspace ONE UEM Console
  • AirWatch admin account

Mapping GPOs to Custom Settings Profiles

The MDM Migration Analysis Tool (MMAT) determines which Group Policies have been set for a target user or computer and cross-references them against its built-in list of supported MDM policies. MMAT then generates both XML and HTML reports indicating the level of support for each Group Policy in terms of MDM equivalents.

Use MMAT to determine which Group Policies in your current environment have an MDM equivalent.

Deploying the GPO Migration Tool

Most of this exercise is performed on the SCCM Server, where we download the AirWatch GPO Migration Tool and deploy our modified local policies to other devices.

1. Download the AirWatch GPO Migration Tool

  1. Enter https://code.vmware.com/samples/3527/airwatch-gpo-migration-tool in the navigation bar and press Enter.
  2. Click Download.

1.1. Extract ZIP Contents

Wait for the AirWatch-samples-master.zip download to complete.

  1. Select the drop-down arrow for the AirWatch-samples-master.zip item on the download bar.
  2. Select Show in folder.

1.2. Extract the ZIP Contents

  1. Right-click the AirWatch-samples-master.zip file.
  2. Select Extract All... from the menu.

1.3. Select ZIP Contents Extraction Location

  1. Enable Show extracted files when complete.
  2. Click Browse.

1.4. Set the Extraction Location to the Desktop

  1. Select Desktop.
  2. Click OK.

1.5. Extract the ZIP Contents to the Desktop

Click Extract.

2. Run the AirWatch GPO Migration Tool

  1. Click the PowerShell icon in the task bar.
  2. Enter the below command and then press Enter to change directory to the AirWatch GPO Migration folder:
cd "C:\Users\administrator.CORP\Desktop\AirWatch-samples-master\Windows-Samples\Tools & Utilities\AirWatch GPO Migration"

Note: Right-click to paste the copied path in PowerShell from the previous step, or click and drag the above command into your PowerShell window.
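
Before running the script in the next step from an elevated session, you can record exactly what was downloaded. The following is an added example, not part of the original exercise or of the tool itself; it assumes the current directory is the AirWatch GPO Migration folder entered above, and the CSV path is an arbitrary choice.

```powershell
# Added example: inventory the extracted tool before running it elevated.
# Assumption: the current directory is the "AirWatch GPO Migration" folder.
function Get-DownloadProvenance {
    param([Parameter(Mandatory)][string]$Path)

    # Zone.Identifier is the alternate data stream (Mark of the Web) that
    # browsers attach to downloads; Explorer's Extract All usually carries it
    # over to the extracted files.
    $motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zone = $motw | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        File      = Resolve-Path -LiteralPath $Path -Relative
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        ZoneId    = if ($zone) { $zone -replace '^ZoneId=', '' } else { 'none' }
        Signature = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject    # empty when the file is unsigned
    }
}

# Every script and binary the tool ships with, not only the entry point.
$inventory = Get-ChildItem -Path . -Recurse -File -Include *.ps1, *.psm1, *.exe, *.dll |
    ForEach-Object { Get-DownloadProvenance -Path $_.FullName }

$inventory | Format-Table -AutoSize

# Keep the hashes so a later copy of the tool can be compared against this one.
$inventory | Export-Csv -Path "$env:TEMP\gpo-tool-inventory.csv" -NoTypeInformation

# The effective execution policy decides whether a script that still carries
# ZoneId 3 (Internet) and has no valid signature is allowed to run.
Get-ExecutionPolicy -List
```

If the script is blocked by a RemoteSigned policy, review it first and then clear the mark with Unblock-File rather than lowering the execution policy.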

2.1. Run the AirWatch GPO Migration Tool

  1. Enter .\Migrate-GPO-AirWatch.ps1 and press Enter.
  2. Notice that we receive a warning that the tool requires the Microsoft Security Compliance Toolkit. Click and drag to highlight the link, and then press Enter to copy the text.

4. Run the AirWatch GPO Migration Tool after Setup

  1. Click the PowerShell icon from the Task bar to return to your PowerShell terminal.
  2. Run the tool again by entering .\Migrate-GPO-AirWatch.ps1 and pressing Enter.
    Note: You can press the Up Arrow on the keyboard to quickly re-enter your previous commands rather than re-typing the command.
  3. Confirm that the PowerShell console output shows that the Initialization check completed successfully and is presenting you with the Task dialog.

5. Modify Local GPO Settings

Before proceeding, modify the local GPO so that we can capture and distribute these changes to other devices to confirm that our deployment was successful.

  1. Right-click the Windows icon.
  2. Click Run.

5.1. Launch Local Group Policy Editor

To launch the Local Group Policy Editor, enter gpedit.msc and click OK.

5.3. Select Active Power Plan

  1. Select Enabled.
  2. Select High Performance as the Active Power Plan.
  3. Click OK.

Use this local GPO as a reference on our enrolled devices to ensure that our captured policies applied correctly.

6. Capture GPO Backups

  1. Return to the PowerShell Terminal by clicking the PowerShell icon on the taskbar.
  2. At the Task prompt, enter 2 and press Enter.
    Note: If the PowerShell script is no longer running, start it again by entering .\Migrate-GPO-AirWatch.ps1 and pressing Enter first.
  3. Confirm that the output shows that the local GPO was captured after the task finishes.

7. View GPO Backups

From the PowerShell prompt, enter 1 and press return to view the list of GPO backups.

Note: If the script is no longer running, enter .\Migrate-GPO-AirWatch.ps1 and press return.

7.1. Confirm Captured GPO Backup Displays

  1. Any captured or copied GPO backups placed in the expected directory (/GPO Backups) are displayed.  Notice that the GPO backup we just created is available in this list.
  2. Click OK to close the window.

8. Using External GPO Backups

If you have previously captured GPO backups that you want to use with this tool, you can include these in the /GPO Backups folder of the tool directory. Any GPO backups available in the /GPO Backups folder display as selectable GPOs for Option 1 (Viewing GPOs) and Option 3 (Uploading GPOs to AirWatch).

8.2. Paste the Security GPO Backups in the GPO Backups folder

  1. Select AirWatch-samples-master.
  2. Select Windows-Samples.
  3. Select Tools & Utilities.
  4. Select AirWatch GPO Migration.
  5. Select GPO Backups.
  6. Right-click within the GPO Backups folder.
  7. Select Paste to insert the Security GPO Backup folders that were previously copied.

8.3. View GPO Backups from the Tool

  1. Return to the PowerShell Terminal by clicking the PowerShell icon on the taskbar.
  2. At the Task prompt, enter 1 and press Enter to view the GPO Backups.
    Note: If the PowerShell script is no longer running, start it again by entering .\Migrate-GPO-AirWatch.ps1 and pressing Enter first.

8.4. Confirm the Security GPO Backups Are Listed

  1. Confirm that the four Security GPO Backups that were copied into the GPO Backups folder now display next to the local GPO capture that was taken previously for a total of five GPO Backups.
  2. Click OK to close the dialog box.

Building a GPO Package

1. (Optional) Run the Script

  1. If the script is no longer running, enter .\Migrate-GPO-AirWatch.ps1 and press Enter.  Continue to the next step if the script is already running.
  2. Enter 4 for the Task Selection and press Enter.

2. Select the Captured Local GPO Backup

  1. Select the locally captured GPO Backup, which is named "GPO <computername> <date> <time>".
  2. Click OK.

3. Confirm the Package Built Successfully

The PowerShell script shows progress as it completes the task and opens the build folder upon completion.

  1. Note the location of the GPO Uploads folder, which is where the build folder is output. We need to access this in an upcoming exercise to upload our "GPO <computername> <date> <time>.zip" package to the Workspace ONE UEM Console.
  2. Confirm that you have both an installpath.txt file and the GPO Package (named "GPO <computername> <date> <time>.zip") in the output folder.

Continue to the next step.

Uploading the GPO Package

1. Return to the PowerShell Terminal

Click the PowerShell icon from the task bar.

2. Establish the API Connection

Enter 3 and press return to select Upload GPO to AirWatch.
Note: If the script is no longer running, enter .\Migrate-GPO-AirWatch.ps1 and press return.

2.1. Enter Workspace ONE UEM API Authentication Details

Provide the following details and press the return key after each.

  1. Enter your Workspace ONE UEM hostname for the awServer parameter.
  2. Enter your username for the awUsername parameter.  This is the same username you used to log in to the Workspace ONE UEM Console in previous steps.
  3. Enter your password for the awPassword parameter.

2.2. Enter the API Key

Paste the API Key for the awTenantAPIKey parameter by right-clicking, then press Enter.

2.3. Enter the Organization Group Numerical ID

Paste the copied Organization Group Numerical ID for the awGroupID parameter by right-clicking, then press Enter.

3. Select the GPO to Upload

The Select GPO Backups for Upload dialog box appears.

  1. Select the GPO captured in the previous step. This GPO is in the format GPO<machine><name><date><time>.
  2. Click OK.

A series of loading tasks will run, noted by the progress bars at the top of the PowerShell terminal. These inform you what step the process is currently on.

4. Confirm the GPO Package App Uploaded Successfully

When the process has completed successfully, you should see the following text:

Successfully saved GPO package app to the AirWatch Console!

----- IMPORTANT -----
Be sure to navigate to the AirWatch Console and assign the `{filename}' to the appropriate users and devices!
----- IMPORTANT -----

Note: If you are uploading multiple GPOs in a single package, they will be applied to enrolled devices in the order in which they are selected in this UI. If the order of the GPOs matters for your deployment, ensure you select them in the intended order.

The app is now uploaded to the Workspace ONE UEM Console and is ready for assignment.  We will assign this to a device in an upcoming exercise.

Assigning the GPO Package

After the GPO app package is uploaded using the tool, the final step is to add assignments to deploy to the users and/or devices that you designate.

1. Navigate to Assignment Settings

  1. In the Workspace ONE UEM Console, select Apps & Books.
  2. Select Applications.
  3. Select Native.
  4. Select the GPO package uploaded in the previous exercise.
  5. Click Assign.

2. Add Assignment

Click Add Assignment.

3. Update the App Assignment Details

  1. For Select Assignment Groups, select All Devices.
  2. For App Delivery Method, select Auto.
  3. Click Add.

4. Save & Publish

Click Save & Publish.

5. Publish the GPO App Package

Click Publish.

Verifying GPO Package Installation

With the application uploaded and assigned, and the device enrolled, we will now verify that the GPO app package is applied successfully to our enrolled device.

1. Open Group Policy Editor

  1. In Windows Search, enter gpedit.msc.
  2. Click gpedit.msc.

1.1. Allow Microsoft Management Console to Make Changes to Device (IF NEEDED)

If you are prompted to allow the Microsoft Management Console to make changes to your device, click Yes.

If you do not see this prompt, continue to the next step.

1.3. Open the Active Power Plan Settings

Double-click Select an active power plan.

1.4. Confirm Policy Settings

Confirm that the policy is Enabled and that the Active Power Plan is set to High Performance.

2. Confirm Power and Sleep Settings

  1. In Windows Search, enter power & sleep settings.
  2. Click Power & sleep settings.

2.2. Confirm the Power Options Settings shows High Performance

  1. Confirm that the selected plan is High Performance.
  2. You should also see a notification above the power plans stating Some settings are managed by your system administrator. Click this message to see that the settings are unavailable to change because they are being controlled by policies.
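
The same two checks can be scripted so they can be repeated on every enrolled device. This is an added example, not part of the original exercise; it assumes the "Select an active power plan" policy is stored as ActivePowerScheme under the standard Power policy registry key and that High Performance uses its built-in scheme GUID. The function name is hypothetical.

```powershell
# Added example: scripted version of the manual verification above.
# Assumptions: standard policy registry location and the built-in
# High Performance power scheme GUID.
$HighPerformance = '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c'
$PolicyKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings'

function Test-ActivePowerPlanPolicy {
    param([string]$ExpectedGuid = $HighPerformance)

    # 1. What the policy says (written when the GPO package is applied).
    $policy = (Get-ItemProperty -Path $PolicyKey -Name ActivePowerScheme `
                   -ErrorAction SilentlyContinue).ActivePowerScheme

    # 2. What the power subsystem is actually using right now.
    $active = $null
    $output = (powercfg /getactivescheme) -join ' '
    if ($output -match '([0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})') {
        $active = $Matches[1]
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        PolicyGuid    = $policy
        ActiveGuid    = $active
        PolicyApplied = ($policy -eq $ExpectedGuid)   # policy value present and correct
        PlanInEffect  = ($active -eq $ExpectedGuid)   # plan actually switched
    }
}

$result = Test-ActivePowerPlanPolicy
$result | Format-List

# A missing policy value means the package has not been installed yet;
# a correct policy with a different active plan means it has not taken effect.
if (-not ($result.PolicyApplied -and $result.PlanInEffect)) {
    Write-Warning 'GPO package is not (yet) effective on this device.'
}
```

Running it on the reference machine where the local GPO was modified gives the values an enrolled device should match.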

This exercise demonstrates how you can capture and export GPOs from one device and quickly apply the same settings to another device without the need to create profiles or policies manually.