In this excerpt from Jeremy Moskowitz, he explains why, despite the pessimism, Group Policy is alive and well, and why IT should think twice before thinking of trying to move on. Read his whole piece here.
I cannot tell you how many times IT Admins like you have walked up to me, and with great concern on your face asked me something like:
· “A Microsoft rep told me that Group Policy is dead. What should I tell my boss?”
· “Is Intune/ MDM / PowerShell / DSC (Desired State Configuration) trying to replace Group Policy?”
· “Why do I need Group Policy if I’ve also got SCCM?”
· “Why doesn’t Azure Active Directory do Group Policy?”
With all the new management tools coming from Microsoft recently, Microsoft has been a little quiet about the status and waving the flag of Group Policy. But, here’s the good news: Group Policy is NOT dead. And, more importantly, Group Policy is more important than ever when it comes to Windows 10.
From Brad Anderson, Corporate Vice President, Enterprise and Client Mobility used his blog (https://blogs.technet.microsoft.com/in_the_cloud/2016/03/23/clear-simple-guidance-when-configmgr-and-intune-should-be-used-with-windows-10/) to point to the Windows Intune blog (https://blogs.technet.microsoft.com/microsoftintune/2016/03/23/the-path-to-modernizing-windows-management/) to, well, publically state what most IT admins already knew:
Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows.
And, if we look at the flowchart Microsoft provides, it’s clear as day. Let me use my red marker, and highlight the most common scenario for Windows PCs on the planet today and the foreseeable mid-term future:
Figure 1: Microsoft decision flowchart about when to use Group Policy.
This becomes a very, very simple “If domain joined, then use Group Policy” decision tree. And that represents about 99% of the Windows PC systems in the business world today. Maybe 99.5%.
Group Policy is best at managing security settings, look and feel settings and supported application settings. Basically, it’s Microsoft’s in-box way to manage almost everything about the user experience and security settings upon that PC.
Beyond Group Policy, Microsoft has a confusing “landscape” of tools out there from to manage Windows machines. And if Group Policy is the best way to manage domain-joined PCs what are the other tools “best at”? Let’s spend some time figuring that out.
Micorosft System Center Config Manager at its best
SCCM is very powerful and deployed at many organizations. That being said, SCCM is not super-terrific at everything. Indeed, SCCM is best at:
· Deploying the OS
· Deploying other software to the PC
· Performing inventory
· Patching and Windows updates for the OS
Of course, SCCM has lots of OTHER features too, but this is where SCCM is BEST.
Can SCCM deliver a registry setting or copy a file which would be similar to a Group Policy setting? Yes, but this isn’t SCCM’s strengths, and as such, it’s not trying to overtake Group Policy.
Microsoft Intune at its best
Microsoft Intune is a monthly pay-as-you-go service which enables a variety of management features. Microsoft Intune is best at:
· Managing phones (iOS, Android, Windows Phones)
· Managing some aspects of Windows PCs
· Getting you some ability to manage Non-Domain joined machines
· Letting people use their own devices to access corporate data
To be clear, Intune has two ways it can manage devices. One way is called the Intune client, which is an MSI which must be installed on real Windows PCs. But what if you don’t want to install anything at all on your endpoint (or in the case of iOS, Android, or Windows Phones)? Well, you don’t need too, and for that, you get some, but not all benefits.
Enter the MDM client (also known as the MDM platform.) MDM is a “cousin” and is similar to Group Policy. So what is MDM BEST at then? Well MDM is all XML based, which means its directives are very lightweight and can be sent and received over low bandwidth conditions like cellular networks. So, great for phones and tablets and the like, especially with slow connections.
But for a full Windows PC, especially those domain joined, if you want more granular management,then MDM isn’t the best, Group Policy is. Here are some for-instances:
· You cannot drop a shortcut on a Windows 10 desktop using MDM. You can using Group Policy.
· You cannot rename the local Administrator on a Windows 10 desktop using MDM. You can using Group Policy.
· You cannot map a printer on a Windows 10 desktop using MDM. You can using Group Policy.
· You cannot prevent access to specific control panel applets on a Windows 10 desktop using MDM. You can using Group Policy.
MDM is good for sweeping ideas (also known as Intent), but not stellar at fine-grained settings management. So settings the same password strength amongst your iOS, Android and Windows phones? MDM is the way to go.
PowerShell & DSC at its best
PowerShell is Microsoft’s modern scripting language. As such, it’s best at:
· Complex functions which require logic and error handling.
· Configuring items which require a “method” (WMI, COM, API).
· Reading one value and then consequently writing another value.
DSC (Dynamic State Configuration), a function of PowerShell and it is best at bringing up a zillion similar servers, to a set of specific specifications.
PowerShell and DSC are ludicrously powerful. But PowerShell is not meant to make ongoing configuration changes on your endpoints. And DSC isn’t meant to declare state for Windows endpoints like Windows 10. DSC is for SERVERS; and doesn’t have the ability to target computers in the same way that Group Policy does nor does it have the same function set, nor is it trying to be a GP replacement. So, said another way:
· PowerShell is the right job sometimes on clients.
· And DSC is the right job sometimes on servers.
· But DSC is never right for endpoints (clients).
Technically, you could build your own DSC resources and perform at least some of what Group Policy does on endpoints. But there is absolutely zero guidance or suggestion from Microsoft that you do this.
Therefore, as it sits today, neither PowerShell nor DSC is a sanctioned replacement for Group Policy.
Final Thoughts and Group Policy over the Internet
So now that you know that Group Policy isn’t dead, and where Microsoft’s other technologies work best, let me wrap up by answering a frequently asked question about Group Policy over the Internet and Microsoft’s Azure Active Directory.
In short: Microsoft has no cloud-based way to deliver real Group Policy settings thru Azure Active Directory. And for clarity, it is NOT a current design goal of Azure Active Directory, nor do I ever expect it to be.
If you want real Group Policy thru the Internet, there are three solutions:
- VPN, but it requires that users initiate the connection
- DirectAccess, but it requires server side setup and only works with domain joined machines with Enterprise Windows SKUs or
- A third-party solution, PolicyPak Cloud (which works for domain joined or non-domain joined machines.)
Remember: If your computers are real Windows and domain joined, then Group Policy is still the best way to manage and configure their security and look and feel settings for a very, very long time.
Jeremy Moskowitz is a 13 year Group Policy MVP. Jeremy has spoken at Microsoft TechEd, Ignite and has taught Group Policy to more IT admins than anyone else in the world. Jeremy also founded PolicyPak Software which extends Group Policy’s ability. Learn more at www.GPanswers.com and www.PolicyPak.com .