New tool translates Windows 10 Group Policy Objects into MDM policies

It can be taxing to match Group Policy Objects to their corresponding MDM policies. A migration tool coming in Windows 10 aims to help companies adopt a new way to manage PCs.

IT administrators who want to manage PCs like mobile devices might be able to do so more easily with Microsoft's upcoming migration tool.

Businesses looking to manage all their mobile devices and Windows 10 PCs from one console can do so with almost any mobile device management (MDM) software today. A tough hurdle for IT departments, however, is taking the Windows 10 Group Policy Objects they've set on their desktop management software and enforcing them on smartphones and tablets. Microsoft's MDM Migration Analysis Tool (MMAT), coming in April's Windows 10 Creators Update, aims to help with that process.

"It has a security play," said Jack Gold, principal and founder of J. Gold Associates, a mobile analyst firm in Northborough, Mass. "[Organizations] want to be consistent across all devices from a security perspective, and that's through policies."

How MMAT translates Windows 10 Group Policy

MMAT examines an organization's Windows 10 Group Policy Objects (GPOs), determines if there are equivalent MDM policies and then generates a report that IT can use. For example, if IT uses Group Policy to enforce passwords of at least six characters on all PCs, MMAT will indicate if there is a corresponding MDM policy IT can use instead.

Today, IT admins have to identify the MDM policies they need, and the GPOs those policies correspond to, manually.

MMAT does not, however, perform the actual process of transferring GPOs to MDM policies. And it does not work with other types of Windows management technologies, either from Microsoft or third parties.

Still, transferring policies with MMAT saves time and work for IT, said Mehran Basiratmand, CTO of Florida Atlantic University in Boca Raton, Fla. The school uses VMware's AirWatch MDM specifically for the Windows 10 PCs and mobile devices at its College of Medicine. MMAT could be helpful in minimizing mistakes when assigning MDM policies to users' PCs, Basiratmand said.

"This is particularly of value for [regulated industries], such as healthcare providers or financial organizations," he said.

For example, a regulated company may have a GPO that bars users from sharing confidential files. If IT missed this policy when implementing MDM for PCs, the company would be out of compliance.

MDM policies coming to PCs eventually

Most organizations don't yet use MDM to manage all PCs and mobile devices -- an approach known as unified endpoint management (UEM) -- but nearly all MDM vendors offer this capability. Just 11% of IT professionals plan to implement UEM this year, according to TechTarget's IT Priorities Survey.

"For most companies today, they implement MDM as a stand-alone mobile solution, but have been managing PCs with whatever legacy software that they've been using forever," Gold said. "They take the approach of, 'It works, so I don't want to mess with it.'"

More organizations will eventually adopt UEM because it makes IT's job easier and improves security, so with MMAT, Microsoft is getting out ahead of a future trend, Gold said.

Ric Opal, senior director at SWC Technology Partners, a Microsoft partner in Oak Brook, Ill., agreed.

"Microsoft has collected a large amount of insight from customers to find what potential blockers people face, and they are removing a blocker," he said. "They are selling a use case for Windows 10."
