If you don’t know, Microsoft has a tool called Advanced Group Policy Management, or AGPM for short.
AGPM is a great utility to handle the workflow around Group Policy management. But, to be super clear, AGPM doesn’t add any “super powers” to your Group Policy infrastructure. You don’t suddenly get more lockdown capability on your Windows client machines.
That’s what PolicyPak does: we lock down your applications and operating systems using Group Policy.
That being said, however, PolicyPak does work with Microsoft AGPM – superbly. So, if you’ve got Microsoft’s AGPM, PolicyPak just fits right in, right at home like the Group Policy items in the box.
Watch this video (exclusively for Microsoft AGPM administrators) to see exactly how to AGPM and PolicyPak work together to provide full reporting, history and rollback capabilities.
So, if you’re invested in AGPM, PolicyPak is a very logical next step. That’s because you’ve already made the commitment to using Group Policy for your desktop lockdown. Now use PolicyPak to get the power you need.
So, AGPM doesn’t add any more super-powers to your desktop. That’s okay. That’s what PolicyPak is for.
- AGPM to manage your Group Policy Objects overall
- Use PolicyPak to more securely manage your desktops and applications
PolicyPak was designed by former Group Policy MVP Jeremy Moskowitz – who “wrote the book” on Group Policy, runs MDMandGPanswers.com, and lives and breathes Group Policy and enterprise software deployments and desktop lockdown. In fact, feel free to download a free chapter on AGPM from Jeremy by clicking here
When you’re ready to add the desktop superpowers you need and then manage them using Group Policy and AGPM, PolicyPak is here for you.
Policypak works Microsoft AGMP video transcript
Hi, this is Jeremy Moskowitz, former Group Policy MVP and Founder of PolicyPak Software. In this video, we’re going to learn a little bit about Microsoft’s AGPM or Advanced Group Policy Management tool with regards to PolicyPak.
Now first things first, we have to dispel a little myth. That myth that we’re going to dispel is that AGPM, sorry, does not bring more superpowers to your desktop machines. Even though it’s called AGPM or Advanced Group Policy Management, that’s not what it does. It doesn’t give you more stuff on the client machine.What it does do, however, is pretty cool. It gives you this “Change Control” node inside the GPMC, as you can see here.
What we’re going to do, let’s run through how AGPM and PolicyPak can work together very well. We’ll right click over the “PolicyPak Example 1” Group Policy Object that’s linked already to our “East Sales Users,” and we’ll go ahead and select “Check Out…”
We can add some “Comments1” in here. If you’re an AGPM administrator, you already know how that all works, but the idea is that as you’re checking out a Group Policy Object you’re now making an offline copy. You can see we’ve now made that offline copy of this Group Policy Object. We’ll go ahead and click “Edit…” here. Then we’ll dive down into the Group Policy Object.
You can see we haven’t left the Group Policy Editor. We can just go to “PolicyPak/Applications/New/Application/WinZip 14 and 15,” or we could pick some of our other applications as well. We’ll go ahead and click that here, and we’ll go to our “Passwords” tab. You’ve probably seen me do this in other demonstrations. I’ll go ahead and click all these checkboxes here and jack this guy up to “11.” We’ll just go ahead and click “OK” now.
The point of AGPM is that the real Group Policy Object isn’t live with this information yet. So everything I’ve done so far is in the AGPM archive. If I click “Edit…” upon the real GPO, you’ll see that there are no changes yet done on the live GPO. Everything I’ve done so far is on the offline AGPM copy.
What we’re going to do now is we’re going to “Check In…,” and now that we’re “Done with editing” the Group Policy Object, go ahead and wait for that to check in play here. Alright, that’s all finished. Now that that’s done, now that it’s checked in, we can actually “Deploy…” it. When you deploy it, you get the ability to “Restore Links.” We’re basically going to overwrite that copy that exists live now with this offline copy.
If we were to look at the live version of this now – we’ll go back,we’ll right click over the live version of this – what we’ll find is that the information that we put is right there just the way we expect. So we work perfectly as you can now see with AGPM.
But let’s go the extra mile here. Let’s say somebody right clicks and selects “Check Out…” again. I’m going to “Make some more changes” to it, which is the point of AGPM is a check-in/check-out workflow management tool. So we’re checking out this GPO.
We’ll then right click over. We’ll click “Edit…” here. We’ll make some changes here back to that same Pak that we were doing earlier. If we were to go here and uncheck these two and change this down to “5.” So we’re unchecking a couple checkboxes and changing that to 5.
Let me go ahead and “Check in…” in here and then also deploy it.One of the things that AGPM allows you to do here is to do a comparison between different editions of the Group Policy Object. Because PolicyPak is Group Policy, we just are right there available for you to see. So it’s checked in. I’m going to go ahead and “Deploy…” that as well, thus overwriting the live version.
OK, so that’s all done. Just to prove that that’s done, I can click on the GPO and look at the settings report. That’s one thing that I can do here, just look at the “Settings” report first. You can see that there are the settings. I’ve got “5” in there, and I’ve unchecked some checkboxes. I’ve got some settings that are set and some that are not set, so that’s perfect.
I can also, again, click into it and check it out as well just to prove that that’s really what we set it as. Yep, you can see that that’s all delivered just the way we expect.
Now let’s go ahead and go back to AGPM. We’ll go to the “PolicyPak Example 1,” and we’ll go to the “Differences” report. Actually, let’s look at the “History.” The “History” is probably the best way to do this. We’ll look at the “Unique Versions” and the difference between those two “Checked in” versions: the first one that I checked in, which I set one value to 11 and I checked all four checkboxes and the second one I checked in, where I only had two of them checked and I dropped it down to 5.
If I look at the “Differences” report here, Microsoft’s AGPM will show this. Now it does matter what order you check them in. I can’t remember which one I selected first or second. You’ll see that Microsoft’s AGPM will deliver a settings “Difference Report.” Let’s go ahead and see that here.
You can see right here “Minimum password length.” It was set to “11.” It’s changed to “5.” This guy was “Enabled,” and now it’s “Disabled.” We also do throw some extra registry settings in there that are for our purposes, but you can see here the point is that this guy was “Enabled.” Now it’s “Disabled.” These two were unchanged. That’s been changed, and this has also been changed. So the settings report that you get from AGPM is awesome.
Let’s go the extra mile here. Let’s do one last thing. Remember in the live Group Policy Object, we see that the “Minimum password length” is set to “5.” Let’s say somebody decided we need to roll that back. We’re going to roll that back by going to the “History” here again. We’ll find that “Checked in” version, and we will “Deploy…” – not the latest one; the one that had it set to 11. We’ll go ahead and “Deploy…” that again, thus rolling back the Group Policy Object.
Now if we check the live version of it now, if I refresh this settings report here and I take a look at it, it set it right back to “11.” I can right click and click “Edit…” and prove that that’s actually what’s occurred here.
So the point of this story, the point of this video, is that PolicyPak is Group Policy. We hook right into AGPM. The idea is that when you do your check-in/check-out and workflow management using AGPM, PolicyPak rides right along with it. If you’re using AGPM and you have a process for managing Group Policy, PolicyPak will fit perfectly inside of that, as you can here. We work with all the settings differencing reports. We do rollback. We backup and restore exactly like regular Group Policy, because we are regular Group Policy.
Thank you very much for watching this video. I hope you watch some more, and feel free to get in touch when you’re ready to try out PolicyPak yourself.
Thanks so much. Bye-bye.