Troubleshooting – GPO Migration Tool

Migrate-GPO-Airwatch.ps1 does not run - Warning: LGPO.exe does not exist within ‘%directory%’!

  1. The GPO Migration Tool uses LGPO.exe – however, LGPO.exe cannot be packaged with the GPO Migration Tool. The PowerShell output provides a direct download link for LGPO.exe: (
  2. After downloading, place the LGPO.exe file in the root of your AirWatch GPO Migration Tool folder.
  3. Re-run the script.

Migrate-GPO-Airwatch.ps1 Initialization Fails - WARNING: Unable to connect to the AirWatch API and validate the Organization Group ID '%ID%'! Error Response:: {…}

  1. Validate the parameters that you provided to connect to the AirWatch APIs to confirm these values are correct.
    1. awServer:  You should be able to append ‘/api/help’ to this URL and view the AirWatch REST API Help page.  If not, review the Endpoints in the AW Console under Groups & Settings >  All Settings > System > Advanced > Site URLs.
    2. awUsername and awPassword:  Confirm you can successfully authenticate to the AirWatch Console using this admin account. Also, ensure the admin account has a Role that allows API access and that the API Authenticate for the account is set to Basic.
    3. awTenantAPIKey:  Validate that this key is enabled and valid at the Organization Group you are attempting to connect to in the AirWatch Console under Groups & Settings > All Settings > System > Advanced > API > REST API.  Check that the API Key is an Admin AccountType and that the API Access is not disabled at this Organization Group.
    4. awGroupID:  Provide the numerical group ID value for the organization group.  This is NOT the Group ID listed in Groups & Settings > Groups > Organization Groups > Organization Group Details > Group ID.  From the Organization Group Details page, the Group ID is the numerical value within the URL (, so 7 in this example.

Migrate-GPO-Airwatch.ps1 Upload GPO to AirWatch Fails - Save-App : Saving GPO Package to AirWatch (https://%awServer%/api/mam/apps/internal/begininstall) Failed! Exception :: The remote server returned an error: (400) Bad Request.

  1. If you are targeting an AirWatch environment running 9.2 FP2 or earlier, the APIs will fail to upload the GPO package due to errors with the APIs that were resolved in 9.2 FP3 and later.
    1. In this scenario, you will need to upload the package manually in the AirWatch console. The manual procedure is described in the next section.
  2. Review the error response returned from the server to see if there are any indications of why the response failed.
    1. Run Migrate-GPO-Airwatch.ps1 with the -Verbose flag to retrieve additional details.

Manually Uploading GPOs to AirWatch (9.2 FP2 and earlier)


  1. Launch the PowerShell ISE and run the tool: .\
  2. Select Option 3 to upload GPOs to AirWatch.  
  3. Enter the following information to authenticate with the APIs:
    1. awServer: Console URL for the AirWatch APIs.  In the AirWatch Console, navigate to Groups & Settings > All Settings > System > Advanced > Site URLs > Console URL.
    2. awUsername:  The username of an AirWatch admin account being used for the target AirWatch server.  This admin user must have a role that allows API access.
    3. awPassword:  The password for the AirWatch admin account specified by awUsername.
    4. awTenantAPIKey:  This is the REST API Key used to authenticate API requests and is generated in the AirWatch Console under Groups & Settings > All Settings > System > Advanced > API > REST API.  You need the API Key for a Service that has the Admin account type, the default is AirWatchAPI.
    5. awGroupID: This is the Organization Group numerical ID, not to be confused with the Group ID field listed in Groups & Settings > Groups > Organization Groups > Organization Group Details > Group ID.  Instead, navigate to the listed Organization Group Details page and inspect the URL, the numerical ID contained is the value you want to provide (ex: For URL of, you would provide 7 as the awGroupID).
  4. A dialog box appears with a list of available GPO Backups to upload.  
    1. If you upload multiple GPOs in a single package, note that the GPOs are applied to enrolled devices in the order of selection in this UI. If GPO-order is important for your deployment, ensure you select them in the intended order (for example, press shift + click or ctrl + click).
  5. The output displays an error showing a 400 Bad Request response to the endpoint api/mam/apps/internal/begininstall.  Due to API limitations, the GPO package can not be automatically uploaded to the console and needs to be manually uploaded.
  6. Navigate to the AirWatch GPO Migration folder and open the GPO Uploads folder.  You can see a list of GPO .zip packages that have been attempted to upload to the AirWatch console.  The next steps detail how to specify a .ZIP package in the AirWatch Console.

Manually Uploading GPOs to AirWatch (9.2 FP2 and earlier) Part 2


  1. Navigate to the AirWatch Console ( and log in.
    1. Username:  VLP Email Address
    2. Password: VMware1!
  2. Navigate to Apps & Books > Applications > Native.  Click Add Application.
  3. For the Application File, click Upload.  Navigate to the AirWatch GPO Migration/GPO Uploads folder and select a .zip package. Click Save.
  4. Keep the default value for Is this a dependency app? as No and click Continue.
  5. In the Details tab:
    1. Supported Processor Architecture: 64-bit
  6. In the Files tab:
    1. Uninstall Command: LGPO.exe
  7. In the Deployment Options tab:
    1. Disk Space Required: 1000 KB
    2. Device Power Required: 0
    3. RAM Required: 1 MB
    4. Install Context: Device
    5. Install Command: powershell -executionpolicy bypass -File DeployPackage.ps1
    6. Admin Privileges: Yes
    7. Device Restart: Do Not Restart
    8. Retry Count: 3
    9. Retry Interval: 5
    10. Install Timeout: 30
    11. Installer Reboot Exit Code: 0
    12. Installer Success Exit Code: 0
    13. Identify Application By: Using Custom Script
    14. Script Type: PowerShell
    15. Command to Run the Script: powershell -executionpolicy bypass -File LGPOConfirmPackageInstall.ps1
    16. Custom Script File: Upload > Select the file: AirWatch GPO Migration\Supporting Files\LGPOConfirmPackageInstall.ps1 > Save.
    17. Success Exit Code: 0
  8. Click Save & Publish > Publish.


Add your comment

E-Mail me when someone replies to this comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.