Deploying Group Policy Admin Templates using SCCM, Intune or your own systems management software
Hi. This is Jeremy Moskowitz, former Group Policy MVP and Founder of PolicyPak Software. In this video, I’m going to show you how you can take Group Policy’s admin templates, the 3,000-some-odd Group Policy settings, and get them deployed using SCCM, Windows Intune or your own systems management software.
Now to get started, you will need a Group Policy management station, but it doesn’t have to be connected at all to any real domain. It could actually just live in a test lab if you want it to, or it can be associated with your real domain. But for this purpose, it doesn’t really matter. I’m going to just create a “_New GPO For Export.”
That’s the whole point. This starts off life as a real Group Policy Object. What we’re talking about is all the zillions of awesome settings here under user side, “Administrative Templates.” Things that you’ve seen before. All the “Start Menu and Taskbar” settings. All the stuff under computer side, “Policies,” Administrative Templates,” “Windows Components.” All these very important settings that make your system more secure, more functional, and all the look-and-feel settings.
There’s just really no good way to do all that stuff with Windows Intune or SCCM or many other systems management software. What I’m going to show you how to do is to use the “PolicyPak” node here. We’re going to go into the “Administrative Templates Manager,” and we’re going to make a couple of Group Policy changes, some Group Policy directives. The best part is, as you’ve seen in some other videos, you can “Add” policies from either the user side or the computer side.
For instance, if I want to change my machine settings so that the “System” will prompt me for that shutdown tracker (“Display Shutdown Event Tracker”) – actually, I’m not really a big fan of the shutdown tracker, but it makes for a pretty good demo – so I’ll go ahead and select “Enabled” for that and I’ll select “Always” prompt for the shutdown tracker.
That’s going to be on the computer side and thus affecting everybody on the computer. If I “Add” another “New Policy” here, maybe I want to just do something simple on the user side (“User Policy”). I’ll just go to “Control Panel,” “Personalization” and I want to “Prevent changing mouse pointers.” Yes, I’m a very intense guy. I don’t want people to change their mouse pointers.
Obviously, these are not super important settings. The point is to help you understand how you can take any policy setting either on the user side or the computer side.
Now what we’re going to do is right click and export this collection or these settings as an XML file to be used right around the bend (“Export Collections as XML”). Let’s go ahead. I’ll save these right to the “Desktop” here. I’ll call these settings “PolicyPak-Exports-Demo1.”
Now that I’ve got some settings in there and I’ve exported those settings, I’m going to close out the Group Policy editor. I can even close this out because we’re not really talking about Group Policy anymore. We’re kind of done with that. Now we’re going to run our utility called the “PolicyPak Exporter Tool.”
The PolicyPak Exporter utility’s job is to help you “Create a new MSI installer” from the file that you just exported from PolicyPak and Group Policy. We’re simply going to “Add Existing Files.” I’ll go ahead and pick it. I think I saved it on the “Desktop” here, and I called it “PolicyPak-Exports-Demo1.”
Those settings are locked and loaded in here. You can actually do other types of files for our other components as well. I’m not going to demo that for the purposes of this. I’m just going to make this a quick demo here and click “Next.” You can give it a name. You can call it whatever you want. I’ll leave the name.
What’s great is that this just becomes an MSI that you can then upgrade later to then do in-place upgrades if you change your mind about how you want something configured later. It’s really sweet. It just auto-upgrades existing client computers. If I click “Next” here, I’ll give it a file name here. It’s probably good if I keep a similar name like “PolicyPak-Exports-Demo1.msi.”
Now I have my MSI here. It’s sitting there right here in the Desktop ready to go. Now here is where you have to use your imagination a little bit. Here you can see I have SCCM 2012, and I’m simply making a new application. I’m picking the MSI, and I’m installing it as system. It’s as simple as that.
If you’re using Windows Intune, it’s pretty similar. You simply upload the file to Windows Intune, point to it as “Managed Software,” and you’re ready to go. In both cases, SCCM and Windows Intune, after that you simply target the right computers and you’re off to the races. But for the purposes of this, you’re going to have to use your imagination because I’m not going to do that.
Instead, I’m going to take my file here, and I’m going to just copy it over to a share that I’ve got, which is right here: “c:share.” This is on a garden-variety server, and there it is. But again, we’re using our imagination. I’m going to go ahead and log on as any user here.
Still at this point, there’s no Group Policy involved. There are no settings that have been embraced yet. You can still see I can “Change mouse pointers.” If I went to “Restart” my machine, I wouldn’t get prompted.
Let’s go ahead and get that MSI installed. If you were using SCCM, this would be done for you automatically and completely silently. We’re not. Like I said, we’re using our imagination so I’m going to go ahead and run “PolicyPak-Exports-Demo1.msi.”
This would run completely silently if you used SCCM or Intune or your own systems management software. I’m running it interactively specifically so I can demonstrate it for you. We’ll go ahead and click “Yes” here, and that’s all there is to it. There’s nothing at all that you have to do or think about or anything.
I’ll, in fact, go over to my other machine here just to show you that it can be installed fully without any prompting or interactivity. So I’ll do “net use * \dcshare.” This time, I’m going to do “msiexec /i z:PolicyPak-Exports-Demo1.msi /qn.” What this is going to do is this is going to basically do the exact same install but completely silently, no questions asked.
There you go. There was a whole lot of nothing that occurred. The whole point is that, like I said, if you decide you want to use whatever management utility you want, that’s probably how you would do it and it would install completely silently.
Let’s go back over to machine number one. Let’s see if our settings took effect if I close this out. If I right click and go to “Personalize” here, you can see I can’t change the mouse settings anymore. Those are gone. If I go to try to “Shut down” the machine, I get prompted. Normally, you would not get prompted. That prompt only happens on a server.
If I go over to my “Windows 8.1” machine here, I’ll go ahead and close this out. I’ll right click and go to “Personalize.” You can see I don’t have the mouse ability anymore. If I try to “Restart” the system, I get prompted.
Let’s recap. You did start off using a Group Policy Object, but you did it to simply create the directives that you wanted. You used PolicyPak in the Admin Templates Manager node to round up the settings you wanted. You could export them to an XML. You then used the PolicyPak Exporter utility to take that XML and make it into an MSI that you then deployed using SCCM, Intune or your own systems management software.
If you want to marry up the power of Group Policy with the process that you have already in place, either (like I said) SCCM, Intune or your own management software, PolicyPak and the PolicyPak Admin Templates Manager is the way to do it.
Thanks so much for watching. If you’re looking to get a trial, just go ahead and contact us and we’ll look forward to getting you the bits real soon.