Group Policy Analytics Framework
Published Feb 22 2023 02:20 AM 4,833 Views
Microsoft

 

If we talk about pre-covid times, people were working in offices, data was monitored\controlled using proxy servers and firewalls etc in place. End users were keeping files using roaming profile or folder redirection. File sharing was allowed over SMB. Authentication and authorization were there using Kerberos in Active Directory. In some organizations, USB Stick\Hard Disk was not allowed in office or might be the USB port itself was blocked and such configurations were endless.

 

And then COVID-19 came, halting all our day-to-day activities. 

 

This unprecedented situation pushed users along with IT Admins to start working from home forcing administrators to change their way of managing organizational devices. 

 

Earlier, users, devices and data were limited to office premises, in a controlled environment. Work from home scenario brought everything onto the open internet. Moreover, admins still need to manage users, devices, and data. 

 

Bindusar_0-1677059689811.png

 

With this shift, admins are in state of either: 

  1. Staying in Hybrid Mode or 
  2. Starting everything from scratch in cloud 

In hybrid mode, admins are trying to make use of existing solutions work on internet-based machines using VPN. And then, user forget to connect to VPN, or they don’t care about it at all. 

 

If I would say, start from scratch in cloud world, that will be injustice. Let’s take an example of Group Policies for now. Our admins spent more than 20 years in configuring these group policy settings. There must be settings coming from network team, security team, update compliance team, server team and the list goes on and on… year by year. Do I need to recreate them? 

 

On other side, I can treat this as an opportunity to clean-up those settings which were configured long time back, but they are not required\applicable\relevant\better solution available at present. Just because it was configured, it’s not fair to keep it forever. It’s an opportunity to talk to respective team and check if they still need it. 

 

Is it not fair to plan something in between? Like migrate group policy settings using some tools. 

 

Luckily, Intune Product Group team came up with a solution called Group Policy Analytics. 

 

It is a tool in Microsoft Intune that: 

  • Analyze your on-premises GPOs. 
  • Shows any deprecated settings, or settings not available. 
  • Can migrate your imported GPOs to a settings catalog policy that can be deployed to your devices. 

Some older settings aren’t supported, or don’t apply to cloud native Windows devices. After you analyse your GPOs, you’ll know which settings might still be valid. 

 

Mobile Device Management solution has an advantage over group policies from on-prem. The following table can provide more information to it. 

 

Group Policy 

Mobile Device Management 

Changes require connectivity to your corporate network or VPN​ 

Changes can be updated over the Internet​ 

High impact on boot-time and performance 

Lightweight policy management ​ 

Configuration drift is common and hard to predict 

Configuration issues and conflicts are detected​ 

Assumed results and enforcement​ 

Reporting and monitoring from the MEM Admin Center​ 

 

GPO vs MDM comparison

 

If we need to frame it, below phases can be considered. 
1. Discover 
2. Assess 
3. Migrate 

 

Discover 

  1. Discussion with internal teams managing policies for device management. Include device management, security, business, and other stakeholder teams​. 
  2. Gather all the policies in environment. 
  3. Also, don’t forget to list down policies from Security Solutions, Firewall, Data Loss Prevention, Network Access and Proxy and other management tools. 

Assess 

  1. Identify policy usage and targets​. 
    a. Determine what the policy configures and the users or devices it targets​. 
    b. Categorize policies by type or purpose:​ 
            (i). Security and Compliance​ 
            (ii). Device, Operating System, or App Configuration​ 
            (iii). Defaults and Preferences​ 
  2. Identify policy ownership​. 
    a. Assign ownership of the policy and its objective 
  3. Identify policy lifecycle​. 
    a. Document the process for maintaining and measuring success of the policy. 

 

With Modern Management, where most the solutions are taking advantage of cloud world, we may want to re-think on existing solutions. Group Policy Object is one such configuration with thousands of settings available in it. Looking for new Modern Management scenarios, lots of settings does not fit well and may need a new solution to explore. 

While designing the new solution following things are considered: 

  1. User Centric 
  2. Open to Public Internet 
  3. Always available and Update to date 
  4. Ease of Deployment and Manage 
  5. Proactive Insights 
  6. Intelligent security Built-in 

 

When we think of Group Policies, they should also be aligned with points mentioned above. 

 

It is not necessary to deploy every single setting from Intune. However, at the end, device should be secure enough keeping security compliance of any organization in mind. 

 

We can follow the flowchart mentioned below to align the existing GPO model with new solutions available. 

 

Bindusar_1-1677059689812.png

 

 

 

During the assessment process, we should ask following questions to ourselves: 

  1. Do we need that GPO setting? 
  2. If yes, is there any new cloud ready solution available to fulfil that requirement? 

If there is a new cloud ready solution available, we it’s better to explore that option instead. New cloud ready solution is build keeping new operational challenges in mind. Existing GPO based solution may not fit for current requirement. 

 

Migrate 

Fresh policies are recommended to start from Intune directly. However, when we talk about migrating existing policies, a decision-making flow chart is needed. Below is one such flow chart to refer. 

Bindusar_2-1677059689815.png

 

 

 

Once we confirm that we are going with existing GPO by migrating to Intune, we need to make use of group policy analytics from Intune Portal. 

 

We can further talk about the following points on how to achieve following line items.  

  1. Using PowerShell Script to change Registry. Step by Step can be found here. 
  2. Using Endpoint Analytics. A step by step of Proactive Remediation can be found here and Script used in it can be found here. 
  3. Using Win32 Apps. A step by step on how to configure Win32 app can be found here. 
    1. Script to deploy registry settings. 
    2. Use a custom detection Script to detect the presence of existing Registry settings. Steps can be found here. 

 

Hope this helps. 

 

Thanks

Bindusar Kushwaha

Co-Authors
Version history
Last update:
‎Feb 22 2023 11:34 AM
Updated by: