If we talk about pre-covid times, people were working in offices, data was monitored\controlled using proxy servers and firewalls etc in place. End users were keeping files using roaming profile or folder redirection. File sharing was allowed over SMB. Authentication and authorization were there using Kerberos in Active Directory. In some organizations, USB Stick\Hard Disk was not allowed in office or might be the USB port itself was blocked and such configurations were endless.
And then COVID-19 came, halting all our day-to-day activities.
This unprecedented situation pushed users along with IT Admins to start working from home forcing administrators to change their way of managing organizational devices.
Earlier, users, devices and data were limited to office premises, in a controlled environment. Work from home scenario brought everything onto the open internet. Moreover, admins still need to manage users, devices, and data.
With this shift, admins are in state of either:
- Staying in Hybrid Mode or
- Starting everything from scratch in cloud
In hybrid mode, admins are trying to make use of existing solutions work on internet-based machines using VPN. And then, user forget to connect to VPN, or they don’t care about it at all.
If I would say, start from scratch in cloud world, that will be injustice. Let’s take an example of Group Policies for now. Our admins spent more than 20 years in configuring these group policy settings. There must be settings coming from network team, security team, update compliance team, server team and the list goes on and on… year by year. Do I need to recreate them?
On other side, I can treat this as an opportunity to clean-up those settings which were configured long time back, but they are not required\applicable\relevant\better solution available at present. Just because it was configured, it’s not fair to keep it forever. It’s an opportunity to talk to respective team and check if they still need it.
Is it not fair to plan something in between? Like migrate group policy settings using some tools.
Luckily, Intune Product Group team came up with a solution called Group Policy Analytics.
It is a tool in Microsoft Intune that:
- Analyze your on-premises GPOs.
- Shows any deprecated settings, or settings not available.
- Can migrate your imported GPOs to a settings catalog policy that can be deployed to your devices.
Some older settings aren’t supported, or don’t apply to cloud native Windows devices. After you analyse your GPOs, you’ll know which settings might still be valid.
Mobile Device Management solution has an advantage over group policies from on-prem. The following table can provide more information to it.
Mobile Device Management
Changes require connectivity to your corporate network or VPN
Changes can be updated over the Internet
High impact on boot-time and performance
Lightweight policy management
Configuration drift is common and hard to predict
Configuration issues and conflicts are detected
Assumed results and enforcement
Reporting and monitoring from the MEM Admin Center
GPO vs MDM comparison
If we need to frame it, below phases can be considered.
- Discussion with internal teams managing policies for device management. Include device management, security, business, and other stakeholder teams.
- Gather all the policies in environment.
- Also, don’t forget to list down policies from Security Solutions, Firewall, Data Loss Prevention, Network Access and Proxy and other management tools.
- Identify policy usage and targets.
a. Determine what the policy configures and the users or devices it targets.
b. Categorize policies by type or purpose:
(i). Security and Compliance
(ii). Device, Operating System, or App Configuration
(iii). Defaults and Preferences
- Identify policy ownership.
a. Assign ownership of the policy and its objective
- Identify policy lifecycle.
a. Document the process for maintaining and measuring success of the policy.
With Modern Management, where most the solutions are taking advantage of cloud world, we may want to re-think on existing solutions. Group Policy Object is one such configuration with thousands of settings available in it. Looking for new Modern Management scenarios, lots of settings does not fit well and may need a new solution to explore.
While designing the new solution following things are considered:
- User Centric
- Open to Public Internet
- Always available and Update to date
- Ease of Deployment and Manage
- Proactive Insights
- Intelligent security Built-in
When we think of Group Policies, they should also be aligned with points mentioned above.
It is not necessary to deploy every single setting from Intune. However, at the end, device should be secure enough keeping security compliance of any organization in mind.
We can follow the flowchart mentioned below to align the existing GPO model with new solutions available.
During the assessment process, we should ask following questions to ourselves:
- Do we need that GPO setting?
- If yes, is there any new cloud ready solution available to fulfil that requirement?
If there is a new cloud ready solution available, we it’s better to explore that option instead. New cloud ready solution is build keeping new operational challenges in mind. Existing GPO based solution may not fit for current requirement.
Fresh policies are recommended to start from Intune directly. However, when we talk about migrating existing policies, a decision-making flow chart is needed. Below is one such flow chart to refer.
Once we confirm that we are going with existing GPO by migrating to Intune, we need to make use of group policy analytics from Intune Portal.
We can further talk about the following points on how to achieve following line items.
- Using PowerShell Script to change Registry. Step by Step can be found here.
- Using Endpoint Analytics. A step by step of Proactive Remediation can be found here and Script used in it can be found here.
- Using Win32 Apps. A step by step on how to configure Win32 app can be found here.
- Script to deploy registry settings.
- Use a custom detection Script to detect the presence of existing Registry settings. Steps can be found here.
Hope this helps.