Translating group policy to Microsoft Endpoint Manager

Microsoft has recently released some exciting updates that make it easier than ever to migrate to cloud-only management for your endpoints. With the introduction of the migration function for Group Policy Analytics, you can now analyze your policies and quickly create profiles with the relevant settings, but is this the right approach for your business?

Background

Group policy has been around in its basic form since the release of Windows 2000, with group policy management and preferences being commonplace since the release of Windows Server 2008. Most organizations I work with have been building out policies since the general availability of the group policy management console, leading to tens if not hundreds of group policy objects being present in their environment.

Modern management

Microsoft has invested heavily in the Microsoft Endpoint Manager (previously Intune) offering. The product has reached a point of maturity now where organizations are making the move from the traditional Active Directory joined, group policy managed approach towards a full-scale cloud management strategy, reducing the need for complex and costly on-premises infrastructure.

Modern management has become increasingly popular over the last few years due to the massive shift towards remote working and a distributed workforce. It eliminates a lot of the reliance on traditional VPN connections as well as issues such as machines “falling off” the domain. By implementing modern management correctly, companies can ensure that machines adhere to their standards and security baselines regardless of if the user is in the office, at home or out for coffee.

Auto Pilot has also become a key focus for a lot of companies, with some new starters never seeing the inside of a company office. The ability to order kit and ship directly to the users’ house has massively improved the on-boarding experience for both the IT department as well as the end user.

With all that being said, a lot of companies are still taking the first steps on the journey to modern management, and that usually starts with translating their current state to the future state.

The “lift and shift”

One of the key questions I am always asked at the start of any Endpoint Management engagement is “We need all of our group policies to be migrated, how do we do that?”

With the introduction of the migrate function within Group Policy Analytics, this is now simpler than ever, you can take those policy objects, export them and upload them straight to Endpoint Manager for automated analysis.

You can see above how simple this process has been made, within a couple of minutes I have been able to back up a GPO and send it over to Endpoint Manager, which then tells me what settings are supported in the cloud.

The recent change to this system is the introduction of the migrate button. By using this I can then instantly create a device configuration profile based off the settings from my group policy object.

Once I’ve created my profile, I can then assign this out to devices that are managed by Endpoint Manager and track the deployment using the console.

This has massively simplified the approach to migrating group policy objects and removes a lot of manual work from this process. That being said, should you use it?

The problem

Contrary to everything I’ve mentioned above about this making the transition easier than ever, in 99% of cases I would never recommend this approach.

Why? Let’s start with the number one issue: Group Policy has been mainstream for well over 10 years. For some companies this means 10 years’ worth of policies that have been built up. Upon inspection most of these will have settings that are not remotely relevant anymore, or haven’t been since Windows XP. Even with modern tooling and analysis, we may be bringing over policy that isn’t even relevant anymore and generating more work for ourselves.

The term “best practice” is also used a lot when talking about group policy. This may be the case with some organizations, though, when challenged when the policies were last re-done to ensure they were still best-practice, the room can often fall silent. Thankfully this is another area where Microsoft has taken a lot of the work out of what would normally be a tiring annual review of policy. By utilizing the security baseline policies published in Endpoint Manager we can ensure that we have an up to date, best-practice configuration that is relevant to a modern endpoint estate. , Microsoft also takes over the heavy lifting by producing new versions of the baseline and publishing them to you for review before deployment.

I could list several other reasons why this is not the best approach to take, but instead let’s flip this around and say, what benefit does a fresh start give us?

A Clean Slate approach allows us to hit the reset button on our end user experience. , We start with vendor approved best practices and build policy as and when we need to. This can remove those “bugs in the system” where users are used to certain errors or issues due to legacy policy configuration, it also means all our configuration is relevant and up to date.

There are certain use cases for this tool, but in general, similar to the approach to other cloud migrations, re-architect is usually far superior to re-host.