What is MMAT and how does it help with Group Policy to Intune Transition?
Migrating from the on-prem domain world to the MDM world is a transformational experience (hence the phrase, digital transformation). Some things will never be the same once you migrate. You gain a number of things, such as greater security and agility, but you also give up a number of things too, such as group policy settings. So how can you see which group policy abilities you are actually giving up and which ones can be migrated along with your devices?
Well, there is a fairly easy way to do this because Microsoft provides a free downloadable tool called MMAT. That stands for MDM Migration Analysis Tool. Basically, it examines what group policies you have and alerts you to which ones can be migrated up to your MDM (wherever that may be). You can download the MMAT from here.
There is actually a little more to this than you might think. Remember, Windows 10 is continually evolving with each new version release (1703, 1009, 1803, etc.). Each version brings forth new settings that can be managed by either Group Policy or MDM. You don’t have to worry about this because Microsoft regularly updates MMAT, but you do have to run the tool each time a new version is released. For this reason, you should run MMAT using the most up-to-date Windows 10 version, even if you are behind a release or two in your production branch, because eventually you’ll be there.
Once you download MMAT, you need to install it on a machine that has RSAT and GPMC on it. Then pick out a representative machine to analyze remotely. This can either be a template machine or one in production. All you are doing is getting a 10,000 ft. view of the GPOs targeting that machine. From your RSAT machine, simply run MMAT using the PowerShell commands shown below.
This will create an output file called MDMMigrationAnalysis.html that you can then view in any browser. The output is split into a Computer side and a User side. MDM-supported settings are in green while unsupported settings are in red. It also shows you a list of all of the discovered GPOs at the end of the report. An output sample is shown below.
Don’t be alarmed just because a setting appears in red. Not every red GPO is needed. Some targeted GPOs may apply only to Windows 7, for instance, and have no bearing on Windows 10. Other settings may be applicable but are outdated for your current user environment. But yes, there will be some red settings that you will want to have but won’t be able to, because they are currently unavailable in MDM as curated settings. Once you have the information from MMAT, you can strategize your next move.