And, oh yeah, it’s up to you to manage these situations.
So in these cases, using “out-of-the-box” Group Policy might not be the best for you. This is because Group Policy (out of the box, anyway) means you’ll need to have an on-premises domain controller and GPOs with directives for what you want to do.
Instead, if you have one of these situations you might want to check out a cloud-based way of getting Group Policy settings (or at least some Group Policy settings) out to your machines.
So in this appendix, we’ll talk about two cloud options: Microsoft Intune and PolicyPak Cloud.
These two systems have pretty different goals and don’t overlap that much.
Microsoft Intune is Microsoft’s pay-as-you-go endpoint and user management service (delivered as a cloud service). Here’s the general idea:
Microsoft Intune consists of the following management features:
Along with your purchase, you get “upgrade rights” to Windows Enterprise editions if you’ve already paid for a lower version of Windows.
My goal is to give you a super-brief overview of Microsoft Intune, and as such, we won’t be performing any advanced tasks.
Besides, Microsoft Intune is software as a service (SaaS), so there's a shorter time between what's out there now and what's coming next. In other words, learn Microsoft Intune in a general sense here, but know that the actual nitty-gritty details could change quickly because of Microsoft's faster-than-usual rollout schedule.
To get started with Microsoft Intune, you’ll find a free trial here:
www.microsoft.com/en-us/windows/windowsintune/try-and-buy.aspx
When you complete the signup, you’ll get an e-mail that you’ll need to confirm, and then you can log on. Once logged on, though, you’re not really in Microsoft Intune yet, as shown in Figure E-1.
You’re in the Online Services section, where you can make purchases (like Microsoft Intune or Office 365), add users and groups, or even synchronize your existing Active Directory with Microsoft’s Online Services.
You might want to synchronize with Microsoft’s Online Services because areas of Microsoft Intune are based on groups as well as users. Managing traditional Windows devices is based on groups. Managing mobile devices is based on users. So by synchronizing your Active Directory user groups with Microsoft Online Services, you can take advantage of those existing Active Directory groups and users inside Microsoft Intune without having to re-create them.
You get started with Microsoft Intune by clicking Admin Console, as seen in Figure E-1. Once you’re inside Microsoft Intune, it looks like Figure E-2.
There are two main device types that you can manage: traditional Windows devices, like desktops and laptops, as well as mobile devices, like Windows phones, Android phones, or Apple iOS phones.
To manage traditional Windows devices, you need to install an agent on each machine. The agent is a setup file that is coded specifically to your Microsoft Intune account. Every time you install it on a client machine, it makes contact with Microsoft and consumes a license that you’ve purchased.
You download the agent, as seen in Figure E-3.
Once you download the setup file, you can deploy it in many ways, including manually installing it, using scripts, using Group Policy Software Installation, using System Center Configuration Manager, or whatever else you like. The MSI file can be installed on 32-bit or 64-bit machines. Of course, you cannot use Microsoft Intune itself to deploy its own agent.
Once the Microsoft Intune setup is finished, the routine will put the Microsoft Intune agent and the Microsoft Intune Center on the machine. The agent enables updates, software deployments, and so on. The Microsoft Intune Center is a program users can run manually on their own machines to acquire applications, check for updates, start a malware scan, or request remote assistance.
You can do a lot with Microsoft Intune: way, way more than when I wrote this chapter back when Microsoft Intune was born; heck, it was called Windows Intune then.
As such, I'm not going to cover even a fraction of what's possible in Microsoft Intune. Instead, I'll focus strictly on Intune's policy capabilities for Windows PCs and on how regular Group Policy is dealt with at the same time.
I suggest you check out the following resource for in-depth Intune training:
www.microsoftvirtualacademy.com/training-courses/microsoft-intune-core-skills-jump-start
Additional tips and videos are found at Channel 9, https://channel9.msdn.com/. Look for anything Intune related. Of course, newer information is always better than older information.
Using Microsoft Intune is about two things: setting up groups and everything else.
That is, once you have defined your groups, the rest of what you can do with Microsoft Intune (with regard to managing PCs) falls into place. Because Microsoft Intune is a big place, and we’re short on space, I’m only going to cover two items pertaining to using Microsoft Intune: setting up groups and setting policies.
Of course there is more to Microsoft Intune than that—features like malware protection, hardware and software inventory, and so on. But since this is a book on Group Policy, I want to focus specifically on where Microsoft Intune and Group Policy “touch.” And that’s in Microsoft Intune policies.
Microsoft Intune uses device groups to “round up” both users and machines into neat categories. Once they’re in groups, you are then able to dictate items like software deployment, malware settings, and firewall and policy settings and even configure the Microsoft Intune client itself.
Setting up groups is not hard at all. Simply click the Group icon on the left, shown in Figure E-4, and then click Create Group on the right.
If you haven't synchronized to Active Directory, you can manually specify the names or set criteria to scan through computers, make a match, and add them to the group. This automatically places computers into a specific group based on their names.
If you have synchronized to Active Directory, you can do some magic tricks by specifying computers from a domain or a specific OU. In that way, you can ensure that when you get new computers in Active Directory, they’re automatically synchronized to Microsoft Intune.
Note that groups can be nested. So you could have a group called “Sales Computers” and have other groups called “East Sales Computers” and “West Sales Computers” within it.
Doing so enables you to ensure that the policies and software (which we’re just about to get to) can be generic or specific. For instance, you could deploy a common firewall setting to all the “Sales Computers” (including “East Sales Computers” and “West Sales Computers”) but also have something specific as an exception for one or the other group.
Microsoft Intune has policies for desktops and laptops, and it also has policies for mobile. I’ll only be talking about policies for desktops and laptops. You can see the Policy Overview page in Figure E-5.
Microsoft Intune policies are a very, very small subset of what we know of as Group Policy settings. Specifically, there are policy settings for firewalls, some security settings, settings for email and malware agents, some browser settings, and some others.
In Figure E-6, you can see a Microsoft Intune policy requires the network firewall to be turned on.
Once the policy is created, select the group that should accept this policy. It’s a lot like creating a GPO and linking it—except with Microsoft Intune, you create the Microsoft Intune policy and then associate it with a Microsoft Intune group.
It's been a few years since Microsoft Intune came out. And still, Microsoft Intune policies don't have the power of Group Policy or Group Policy Preferences. There's a lot of other power; I'm not knocking Microsoft Intune. I just kind of expected them to have more Group Policy–like things baked in by now.
That being said, there is some overlap, and Microsoft Intune policies are similar to what Group Policy delivers today—there just aren't as many settings. But the policies they both deliver manipulate settings and tweak the same bells and whistles.
But what happens if you’re using Group Policy and also Microsoft Intune and you happen to manage the same setting? The Microsoft Intune team has a little introduction on this topic, and you should definitely read it here:
However, here’s the short answer: If there is a conflict between Microsoft Intune and Group Policy, then Group Policy wins. This makes sense to me, and I think Microsoft made the right decision in determining who wins.
Microsoft also has a great video here:
It shows you exactly what happens within Microsoft Intune in these conflicting situations and shows you how to go about fixing them.
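As an added example (not from the book, from Microsoft, or from PolicyPak), here is a PowerShell check a desktop admin can run on a PC to see, for each firewall profile, whether the "firewall enabled" state is currently coming from on-premises Group Policy. That is exactly the case in which an Intune firewall policy like the one in Figure E-6 will lose the conflict, so it is a quick way to explain why an Intune policy report looks wrong on a domain-joined machine. It assumes the Group Policy firewall values live under the standard HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall keys and that the NetSecurity module (Get-NetFirewallProfile) is present, which means Windows 8 / Server 2012 or later.

```powershell
# Added example, not code from the book or either vendor.
# Reports, per firewall profile, whether the "enabled" state is enforced by
# on-premises Group Policy (in which case an Intune policy for the same setting
# will not take effect) and what the firewall is actually doing right now.

function Get-FirewallPolicySource {
    # Assumption: the Group Policy Firewall CSE writes its values under this root.
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

    # Profile names as the registry calls them vs. as Get-NetFirewallProfile calls them.
    $profileKeys = [ordered]@{
        'Domain'  = 'DomainProfile'
        'Private' = 'StandardProfile'
        'Public'  = 'PublicProfile'
    }

    foreach ($name in $profileKeys.Keys) {
        $keyPath     = Join-Path $policyRoot $profileKeys[$name]
        $policyValue = $null
        if (Test-Path -LiteralPath $keyPath) {
            # EnableFirewall is a DWORD: 1 = on, 0 = off; absent = not set by policy.
            $policyValue = (Get-ItemProperty -LiteralPath $keyPath -Name 'EnableFirewall' `
                               -ErrorAction SilentlyContinue).EnableFirewall
        }

        # ActiveStore = the merged result the firewall service is applying right now.
        $active = Get-NetFirewallProfile -Name $name -PolicyStore ActiveStore

        [pscustomobject]@{
            Profile          = $name
            EffectiveEnabled = $active.Enabled.ToString()
            SetByGroupPolicy = ($null -ne $policyValue)
            GroupPolicyValue = $policyValue
            Note             = if ($null -ne $policyValue) {
                                   'Group Policy enforces this value; an Intune policy for the same setting will lose'
                               } else {
                                   'No Group Policy value; Intune or local configuration controls this profile'
                               }
        }
    }
}

# Run it and show one row per profile.
Get-FirewallPolicySource | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the managed PC. A profile with SetByGroupPolicy = True and EffectiveEnabled = True means the firewall is on because of the GPO, not because of the Intune policy, which is the "Group Policy wins" outcome described above; clearing the on-premises setting (or scoping the GPO away from that machine) is what lets the Intune policy take over.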
Using the basics of Microsoft Intune to manage elements of a Windows PC isn’t particularly difficult—which is nice. One of the key problems Group Policy or System Center Configuration Manager has is that it does take some dedicated time to learn how to “do it” before feeling confident.
That said, Microsoft Intune is growing by leaps and bounds, and trying to be a lot of things to a lot of different people. Still, the layout is relatively intuitive, and working with it is straightforward—at least for basic PC management. For some more advanced features, like application portals and mobile device management for Windows and non-Windows phones, plus connecting it all together (if you wanted) with SCCM on-premises, it is becoming a bigger animal every day.
But I want to emphasize that Microsoft Intune isn’t yet a replacement for either Group Policy or System Center Configuration Manager.
To me, it just doesn’t look like they’re trying to bring all of Group Policy’s functionality into Microsoft Intune. They’re trying to compete with Airwatch and MobileIron—and ensure they have a great Windows phone and non-Windows phone (like iOS and Android) management experience.
But, that being said, who knows. Could Microsoft Intune be the future king and replace either Group Policy or System Center Configuration Manager? I think it’s possible, but not likely for a long time.
Remember, Microsoft Intune doesn’t do most Group Policy settings and it doesn’t do Group Policy Preferences.
So if Microsoft Intune doesn’t give you the ability to get Group Policy settings to your machines over the Internet, what are you going to do?
That, my friend, is why we have PolicyPak Cloud.
PolicyPak Cloud’s precise goal in life is to deliver Group Policy (and PolicyPak Application Manager) settings over the Internet to both domain-joined and non-domain-joined machines. So let’s revisit the list of scenarios in which you might want to get Group Policy to machines over the Internet:
And if my goal is to get them Group Policy no matter what, then PolicyPak Cloud is the only way to go. If you like what you see here and want to try PolicyPak Cloud, we simply ask that you join us for a webinar (www.PolicyPak.com/webinar) and we’ll get you started right after that.
Getting started with PolicyPak Cloud is pretty simple. A lot of concepts are similar to Microsoft Intune.
So in this way you get the full power of Group Policy over the Internet to both domain-joined and non-domain-joined machines. To get a quick feel for PolicyPak Cloud, we’ll go through the following quick tour:
For a video overview of PolicyPak Cloud, check out the Quickstart video:
www.policypak.com/video/policypak-cloud-quickstart.html
PolicyPak Cloud policies are really just pieces of existing GPOs. So, they’re not entire GPOs; they are pieces of GPOs. The following pieces of a GPO can be uploaded to PolicyPak Cloud:
The ever-so-brief idea here is that you can take an existing GPO, with existing data, and export the pieces you need. So if you have Group Policy Security settings you want to export and then apply, great! Just export those as an XML file. If you have Administrative Template favorites you want to export and apply, great! If you have Group Policy Preferences ideas you want to export and apply, super-duper!
To do this, you’ll use the PolicyPak MMC snap-in and export each type of Group Policy settings (see Figure E-7).
Once they’re exported as a file, you simply upload it to the PolicyPak Cloud service with the results seen in Figure E-8.
The directives then need to be linked to groups, which we’ll discuss next.
Like Microsoft Intune, PolicyPak Cloud uses groups. The idea is super simple: Create a group, then link an XML directive (or multiple directives) to the group.
In Figure E-9, you can see Built-in Groups and Company Groups.
You are able to create Company Groups, and in Figure E-9, I’ve created two Company Groups and linked four XML data files to the “Roaming Computers (out in the field)” group.
Now when a computer is moved into the group, it picks up the directives.
Note the Built-in Groups of "All" and "Unassigned," which are special: they let you ensure that computers instantly get some kind of policy as soon as they join PolicyPak Cloud.
Like Microsoft Intune, PolicyPak Cloud has an MSI installer that enables you to join the service. In Figure E-10, you can see the download ZIP (or singular MSIs) available in the Company Details tab.
Then on each machine you want to join PolicyPak Cloud, install the PolicyPak Cloud MSI. When you successfully join a computer to PolicyPak Cloud, you’ll get what’s seen in Figure E-11.
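Both services hand you a plain MSI and leave the "get it onto every machine" part to you (scripts, Group Policy Software Installation, SCCM, and so on). As an added example, not from the book or from Microsoft or PolicyPak, here is a small PowerShell deployment script that installs either agent MSI silently from a startup/logon script or any software-distribution tool. It refuses a package whose Authenticode signature is not valid, skips machines where the product is already present (checking both the 64-bit and WOW6432Node Uninstall hives, since the same MSI may land on 32-bit or 64-bit Windows), writes a verbose Windows Installer log, and turns msiexec's exit code into a readable result. The MSI path and the product display name are parameters you supply; nothing here is specific to one vendor's package.

```powershell
# Added example, not code from the book or either vendor.
# Silent, logged installation of an agent MSI with signature and
# already-installed checks. $MsiPath and $ProductDisplayName are placeholders
# for your own package and its name as shown in Programs and Features.
param(
    [Parameter(Mandatory)] [string] $MsiPath,
    [Parameter(Mandatory)] [string] $ProductDisplayName,
    [string] $LogDir = (Join-Path $env:ProgramData 'AgentDeploy')
)

# Look in both Uninstall hives so this works on 32-bit and 64-bit Windows.
function Test-AgentInstalled([string] $DisplayName) {
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $found = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $DisplayName }
    return [bool]$found
}

# Standard Windows Installer exit codes, translated for whoever reads the output.
function Get-MsiExitMeaning([int] $Code) {
    switch ($Code) {
        0       { 'Installed' }
        1641    { 'Installed; Windows Installer is rebooting the machine' }
        3010    { 'Installed; reboot required' }
        1603    { 'Fatal error during installation (see log)' }
        1619    { 'Package could not be opened (bad path or access denied)' }
        default { "msiexec returned $Code (see log)" }
    }
}

if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

# Do not run an installer whose signature is missing, broken, or untrusted.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install ${MsiPath}: signature status is $($sig.Status)"
}

if (Test-AgentInstalled -DisplayName $ProductDisplayName) {
    Write-Output "$ProductDisplayName is already installed; nothing to do."
    exit 0
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir ('{0}-{1:yyyyMMdd-HHmmss}.log' -f (Split-Path $MsiPath -Leaf), (Get-Date))

# /qn = no UI, /norestart = let the deployment tool decide about reboots,
# /l*v = verbose log for troubleshooting a failed rollout.
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$log`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

Write-Output ('{0}: {1}' -f $proc.ExitCode, (Get-MsiExitMeaning $proc.ExitCode))
exit $proc.ExitCode
```

Because the script exits with msiexec's own code, a distribution tool can treat 0, 1641 and 3010 as success and anything else as a failed install, with the log under %ProgramData%\AgentDeploy to explain why.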
After the computer is joined, back in PolicyPak Cloud, select the group you want to move the computer to, then select “Assign Computers to Group” which appears back in Figure E-9.
If you don't want to wait for the client to synchronize with PolicyPak Cloud, at a command prompt on the computer, simply run the command line ppcloud /sync (not shown).
When you do, your directives from the group will be downloaded and processed by the computer (after about 10 seconds).
As with many areas of Group Policy, PolicyPak Cloud will nicely revert policies back to the way they were should an XML data file no longer apply or the computer is moved out of a group.
Also, as with Windows Intune, there can be policy conflicts with PolicyPak Cloud directives and on-premises Group Policy directives. And as with Windows Intune, in a conflict, on-premises Group Policy directives win.
A good place to see more of PolicyPak Cloud in action would be:
www.policypak.com/support-sharing/policypak-cloud-getting-started.html
If you’d like to try out PolicyPak Cloud, then join me for a webinar:
and you can try it out immediately after.
So, let's review this appendix.
Microsoft Intune does a lot of stuff: great stuff like trying to manage all devices, from Windows Phone and Windows PCs to non-Windows phones. It can deploy software, provide a company portal, help with patch management, and a whole lot more. Of course, Microsoft Intune has policies that can affect desktop machines, but it definitely doesn’t offer what’s possible using Group Policy.
On the other hand, PolicyPak Cloud isn’t trying to compete with Microsoft Intune. PolicyPak Cloud doesn’t try to manage phones or provide a company portal or deal with patch management.
PolicyPak Cloud’s job is to get the Group Policy Admin, Group Policy Preferences, and Group Policy Security settings to your Windows machines (real Windows machines). PolicyPak Cloud simply enables you to take your on-premises Group Policy directives and get them to your machines, no matter where they are and regardless of whether they’re domain-joined or non-domain-joined.
So, using each service on its own makes sense.
But can you use PolicyPak Cloud and Windows Intune together?
You bet.
A good one-two combo would be as follows:
How’s that for a better-together story?