03: PolicyPak Free Tool: Group Policy and MDM Settings Analyzer

Heading toward MDM from Group Policy, but confused which settings will and will not convert over? Then fear no more. Check out this free program from PolicyPak which will show you exactly which settings will, and will not covert over from Group Policy. Get the report in HTML or Excel format. Free to use !

Hi. This is Jeremy Moskowitz, Group Policy and Intune MVP. In this demonstration, I’m going to show you how you can use the free tool, the “PolicyPak Group Policy and MDM Settings Analyzer,” to help you understand exactly what settings are and are not in your MDM service. This is not about Intune specifically. This is about all MDM services.

What does this tool do? When you run it, which you can either download it in the full PolicyPak program or you can probably get it where you’re seeing this video which should be available on the free tools section of the website, so once you run this tool what does it do? Well, it’s going to ask you a question. Where do you want to get the reference for your Group Policy settings? There are a bunch of different angles.

One angle is to look at the “Group Policy Settings Reference Spreadsheet.” This gets updated from time to time. As of this recording it’s up to 1809, but when the next version of Windows comes out the idea is that you can tap into this. Or if we don’t update this, you can just find the ID and put the URL in here. That’s one source of truth.

Another source of truth is downloading the latest ADMX templates from Microsoft. Again, this is programmed for 1809 but if a later version comes out, you can just change the URL. You can also select a folder that maybe you’re using for ADMX. So if you want to, you can look up a particular folder where you’ve unpacked the ADMX. you could use your “Central Store” if that’s what you want to do. In fact, I’m going to do that here. And then you could also use your local machine’s Group Policy ADMX templates.

Now what is this going to do? After you click on one of these choices as your source, it’s going to go out and download Microsoft’s MMAT tool automatically in the background and look inside MMAT’s brain. MMAT is a free tool for Microsoft that will help you look in your Group Policy settings and tell you what will convert from your world, but it doesn’t give you the lay of the land of what’s possible to convert. That’s what was missing, and that’s what this tool does.

If I were to select my “Central Store” or maybe I’ll go ahead and click on downloading the ADMX templates directly from Microsoft here, then after I do that you also have a couple of different options here which are to “include in report only policies supported on Windows 10” because MDM is only a Windows 10 thing. You can also “include Security Settings in report” as well.
Let me go ahead and click on “Next” here, and it’s going to go ahead and download those files from Microsoft. This is going to take a second, so I’ll go ahead and pause the video and wait until it’s complete. Okay, that’s all there is to it.

Now that it’s done, you have a couple of different formats. We have an Excel report (“XLSX”) and an HTML report and an XML report. I’m going to look at these two. I’m going to look at the Excel report and the HTML report and click “Finish.” Here we go. You can see that they went right to the Desktop here. And the last is the Excel report.

What’s going to show up by default here is the HTML report. Now you can finally answer the question, do the settings that I know I need from Group Policy exist in MDM land? If the answer is no, the good news is you can use “PolicyPak MDM Edition” to get any of the settings that you see here over to your endpoints using the MDM solution of your choice.
Now you have the opportunity to scroll through here. These are all the computer settings. You can see there are quite a few of them that will translate over to MDM land. You can see all the Group Policy settings here that will translate and what version of Windows that they showed up in.

Then after that here’s where you start getting some Nos. So you have to ask yourself if you need some of these settings, are they there in MDM? The answer is going to be no. You can keep running this utility until maybe that shows up or if it never shows up, that’s okay. That’s what PolicyPak MDM is for.

It enables you to take these settings, the computer side settings and if we go a little bit later you’ll see the user side settings here. Let me just zip down here. Okay, there we go. We’ve got user side settings. You can see some of the user side settings are there in MDM land. And then if you keep on going, we’re going to find, there we go, a bunch of them are not.

If we see here “Hide specified Control Panel items” and “Disable the Display Control Panel” and “Prohibit access to Control Panel and PC settings” and “Password protect the screen saver,” these things are not yet available in MDM land and you can see that here in the report.

If you scroll all the way to the bottom, you’ll actually see “Security Settings” as well. So we have another section for “Security Settings.” You can see here’s a gaggle of settings that in fact have MDM policy, where they were supported since. And then this is where those settings don’t exist. Once again, every setting that you see here that says “No” should be able to transported using PolicyPak MDM to export that existing Group Policy setting and get it over to your target machines.

Let me show you the Excel file. I’m going to actually drag-and-drop this. You’re not going to see this. It’s going to be off camera here for a second. Let me go ahead and open this up in “Excel,” and let me show you what the Excel file looks like here. This is nifty because we give you a really interesting graphical view.

Based upon the method you chose, like if you downloaded the templates from Microsoft or using your central store or one of those sources to check against, you can see here in this particular case “1044” settings are available in MDM but “2920” are not available in MDM. So you can see around “70%,” “80%,” “84%” of these settings are “Exclusive in GP.”

If you wanted to get these settings over to your machines using your MDM service, again, you’re going to use PolicyPak to export those settings, wrap them up, and deliver them. Again, you can see we have these nice tabs here as well in Excel which gives you a slightly richer format than HTML. So “Computer” side, “User” side, and “Security Settings.”

Hope this tool helps you demystify what settings in fact are available in MDM and which settings are not available in MDM. Just like that, there we go, you can see for yourself. You can use the search, figure out what’s important to you, and get them over there. That’s what PolicyPak MDM is all about.

Thanks so very much. Hope this helps you out. Talk to you soon.

 

  • 789
  • 10-Mar-2020
  • 697 Views