PolicyPak Security Settings Manager: Deploy GP Security settings using SCCM, Intune, or your own management software
Hi. This is Jeremy Moskowitz, former Group Policy MVP and Founder of PolicyPak Software. In this video, I’m going to show you how you can take a garden-variety Group Policy Object with security settings in it and deploy those security settings without using Group Policy. If you want to use SCCM, Intune or your own systems management software, this is how you would do it.
I’m going to create a “Test GPO with Security setting” in it to get started here. This GPO actually doesn’t have to be live; in terms of it doesn’t have to be linked anywhere. It also can be a fake test lab. It doesn’t have to be real live domain anywhere because you’re going to take the settings that you have here and export them.
To get started, on the computer side, “Policies/Windows Settings” you’re going to dive down under “Security Settings.” Most of these security settings are supported by PolicyPak. I’m not going to go over all of them. I’m just going to show you a quick example.
I’m going to start off with “Password Policy.” Maybe I want to “Enforce password history,” and I’ll keep “5” passwords remembered or something like that. If I go to “Audit Policy” here or “User Rights Assignment,” like maybe I want to “Deny log on locally,” I’ll just pick something innocuous just for the sake of this. I’ll pick maybe “guests” or something like that.
Now that “Guests” is chosen here under “User Rights Assignment,” and of course there are all these zillions of important settings here, I’m not trying to show something super important. I’m trying to show you the power here. Maybe, speaking of guests, why don’t we “Rename guest account” and we’ll call this “policyPakTestGuest” for “Security Options” here.
All these settings here – all these important “Local” settings, “Account” settings, “Password” settings, “Event Log” settings, “Restricted Groups” – most of these things are supported. Once you’ve crafted your Group Policy Object with the security configuration, you’re then going to use the “PolicyPak” node and you’re going to go to the “Security Manager.”
We have just one selection in there, which is “Export this GPO’s Computer-Side Security Settings for PolicyPak Exporter and PolicyPak Cloud.” We’re going to go ahead and do that. The point is, it’s going to take this GPO’s security settings – and you can see what’s “not supported” there – and we’ll click “Next” and it’s going to export them as an XML.
What do we do with that XML? We’re going to show you what we do next. We’ll go ahead and see what we have inside here. We have some “Privilege Rights,” “Registry Values” and “System Access.” Great. We’ll click “Next.”
Here is where you have the ability to make this gaggle of settings only affect specific machines. It’s completely optional, but if you wanted to, for instance, have this set of security settings only hit when “the operating system is Windows 7” or Windows 8 or whatever, you could do that. You could also have a filter maybe for when “the NetBIOS computer name is ‘training’” or “lab” or school or whatever.
Long story short is you can put in your criteria for when these computers are going to get these settings. I’m not going to do that here, so I’m going to turn off the “Targeting filters.” I’ll click “Next” and I’ll save this out to my “Desktop” here. I’ll call this “pp-sec-export1.” We’ll go ahead and create it and click “Next,” and now I have my XML file.
Now that I have that XML file, we’re kind of done with Group Policy at this point. The next thing we’re going to do is run the “PolicyPak Exporter Tool.” The goal of the PolicyPak Exporter utility, well the start is to “Create a new MSI installer,” which you’re then going to deploy using SCCM, Intune, KACE or whatever you use.
We’re going to import, “Add Existing Files,” the one we created 10 seconds ago. Our “pp-sec-export1” demo is right here. It’s going to hit the “Computer.” We didn’t have the targeting set up but if we did, we would see “ILT” would be Yes. That’s it. You can also “Add Existing Files” from the other supported types, for instance, PolicyPak Application Manager, Admin Templates Manager and also Group Policy Preferences files. We’re not going to do that here. We’ll just click “Next.”
We’ll go ahead and give this a name here, and the name I want to use (I’m going to put it right in “c:\share”) is “PolicyPak-Exports-Demo1.” I’m actually going to overwrite this existing file I have from a previous demonstration. Click “OK” and that’s it. I have “PolicyPak-Exports-Demo1.msi.” It has my Group Policy security settings in it.
Here’s where you have to use your imagination. Here you can see I have SCCM 2012, and I’m simply making a new application. I’m picking the MSI, and I’m installing it as system. It’s as simple as that. If you’re using Windows Intune, it’s pretty similar. You simply upload the file to Windows Intune, point to it as “Managed Software” and you’re ready to go. In both cases, SCCM and Windows Intune, after that you simply target the right computers and you’re off to the races.
Here’s the MSI hanging out in a “SHARE.” Instead of going through the motions of using SCCM or Intune or whatever, I’m actually just going to run the MSI, which will simulate the idea of it being transported using SCCM, Intune or your own management utility.
I’m going to go to command prompt (“cmd”) here, do a “net use * \\dc\share.” What I’m after is the “msi” that I just created. Now, I’m going to show it to you twice. I’m going to show it to you first interactively, which would never happen when you use SCCM or Intune. Again, it’s going to run silently. But just for the purposes of this, I’m going to show you what would happen if you decided to run it manually which, again, I know you never would. Then after I’m done with this, I’m going to show you it completely silently.
You just run the MSI, go ahead and say “Yes” and that’s it. All the magic has already occurred. If I go over to the second target machine and I do the same thing, “net use * \\dc\share,” let’s do it silently now. That would be “msiexec /i z:\PolicyPak-Exports-Demo1.msi /qn.” There we go. If I use this syntax “msiexec /i” against the file name “/qn,” that’s completely quiet.
Let me show you exactly how much output and how much this takes. Nothing happens at all. That’s the best part. Again, it’s completely silent. This is what would happen if you deployed this MSI file using your systems management software. Again, a whole lot of nothing happened.
Now that that’s done, if we go ahead and run “gpedit.msc” here locally, let’s take a look and see if we can find our results here. If I head over to computer side, “Windows Settings/Security Settings,” we’re looking for the first one we did which was “Rename guest account.” You can see that the guest account has been renamed and it’s blocked out, so that’s pretty powerful stuff right there. That’s locked out. The other stuff that I did was “Deny log on locally” to “Guests.” You can see that has been addressed and adjusted for and it’s not changeable. “Password Policy,” there we go, “Enforce password history.”
Let’s close this out. Let’s see if we got the same results on our Windows 8 machine. If I run “gpedit.msc” over here, if we go to “Windows Settings/Security Settings” and we go to “Account Policy/Password Policy,” there’s that one set by PolicyPak. If we go to “Local Policies/User Rights Assignment,” there we go. “Deny log on locally” is set and “Security Options” “Rename guest account.” All of these items are set correctly without using Group Policy.
Let’s recap. If we go back to our management station over here, we had a GPO that had security settings in it already. We could define it on-the-fly or have an existing one. We then used the PolicyPak node and Security Manager. We exported those settings as an XML. We then used the PolicyPak Exporter utility to create an MSI to then deploy using SCCM or our own systems management software.
I hope you enjoyed this video. For other videos, for instance if you want to see how to take this and export it for use with PolicyPak Cloud, we also have those on our website, and you can do all this amazing stuff through the Internet as well.
Thanks so much for watching, and if you’re looking to get started, reach out and we’ll get in touch and you can get started soon. Thanks. Bye-bye.
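Because the silent “msiexec /i … /qn” install produces no output, the gpedit.msc spot check in the video can be replaced by an automated check of the effective local security policy. The following is an added example, not part of the video or of PolicyPak’s tooling: it assumes each target’s policy has been exported with `secedit /export /cfg <file>` and checks the three settings from the demo (the setting keys are the standard secedit INF names; the sample exports are constructed).

```python
# Added example: check a `secedit /export /cfg` INF for the demo's three settings.
# secedit writes the file as UTF-16; read it with open(path, encoding="utf-16").
GUESTS = {"*S-1-5-32-546", "Guests"}  # well-known SID of BUILTIN\Guests, or its name

EXPECTED = [  # (section, key, kind, wanted value)
    ("System Access", "PasswordHistorySize", "scalar", "5"),
    ("System Access", "NewGuestName", "scalar", "policyPakTestGuest"),
    ("Privilege Rights", "SeDenyInteractiveLogonRight", "member", GUESTS),
]

def parse_inf(text):
    """Return {section: {key: value}} from secedit INF text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def audit(text):
    """Return a list of (key, problem) tuples; an empty list means compliant."""
    sections, findings = parse_inf(text), []
    for section, key, kind, want in EXPECTED:
        got = sections.get(section, {}).get(key)
        if got is None:
            findings.append((key, "not set"))
        elif kind == "scalar" and got.strip('"') != want:
            findings.append((key, "is %s, expected %s" % (got, want)))
        elif kind == "member" and not want & {p.strip() for p in got.split(",")}:
            findings.append((key, "Guests not in %s" % got))
    return findings

# Constructed sample exports (not captured from a real machine).
COMPLIANT = """[System Access]
PasswordHistorySize = 5
NewGuestName = "policyPakTestGuest"
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-113
"""
DRIFTED = COMPLIANT.replace("= 5", "= 0").replace("*S-1-5-32-546,", "")

if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(name, audit(text) or "OK")
```

User rights are compared by membership rather than equality because a right such as “Deny log on locally” usually lists several principals.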