SOLVED

Management of GPOs between branches?

Brass Contributor

How does Microsoft recommend managing different or conflicting group policy settings across branches? If you setup internal rings, you may have 2-3 branches across your organizatin at any given time. Item-level targeting does not currently allow targeting of specific builds of Windows 10.

6 Replies
best response confirmed by Daniel Ratliff (Brass Contributor)
Solution

I assume you are talking about multiple releases, e.g. supporting GPOs that target Windows 10 1511, 1607, and 1703 simultaneously?  WMI filters would be an appropriate approach, targeting specific OS builds (e.g. WMI query for Win32_OperatingSystem).

Thanks Michael, that is correct. WMI filters are generally considered last resort or not recommended. Will this process improve in the future?
Also, should we stop investing in Group Policy and instead use DSC? What are the intermediate plans for GPO as a technology? It seems that with decentralized computing GPO is less of a player.

We are trying our best to make policies in new releases "additive" so that they don't affect older releases.  With that, you don't need to make them conditional.  That's not always worked with existing Windows 10 releases, but we do intend to make that better.

 

DSC is datacenter/server-focused and PowerShell-based, which puts it out of the reach of many IT pros.

 

For Windows 10 client devices, we see the move from Group Policy to MDM (e.g. Intune) as the direction.  Lightweight, scalable, and simple.

So far I never run in issues using always the latest admx for the Windows 10 GPOs. If the feature doesn't exist in an older release, the registry value created by the GPO will not harm anything.

But we branded our internal rings in a private WMI class, so we have different GPOs for Internal Insider, Early Adopters and General Availability. So we can activate features in the different rings.

1 best response

Accepted Solutions
best response confirmed by Daniel Ratliff (Brass Contributor)
Solution

I assume you are talking about multiple releases, e.g. supporting GPOs that target Windows 10 1511, 1607, and 1703 simultaneously?  WMI filters would be an appropriate approach, targeting specific OS builds (e.g. WMI query for Win32_OperatingSystem).

View solution in original post