Azure AD, Intune and Group Policy: What’s in (and not in) the box
It was roughly twenty years ago that Microsoft unveiled Group Policy. Since then it has become the go-to tool for managing and securing the Windows desktop across the domain. Group Policy has been the way admins shore up security, because Windows does not ship in a locked-down state. Over the years, admins have used Group Policy to do things like:
- Restrict control panel access
- Change the default local administrator name
- Enforce full disk encryption
- Deploy configuration and registry settings
By combining Administrative Templates and Group Policy Preferences in assigned GPOs, admins have control of more than 10,000 settings within the Windows operating system. Group Policy admins can also manage settings within Microsoft Office and Edge. ADMX templates are also available for third-party applications such as Google Chrome, so Group Policy can manage those too. A domain administrator equipped with the Group Policy Editor has a lot of control over the desktop.
The Loss of Leverage with Azure AD
If you ask organizations why they are moving to the cloud, the typical answers include the following:
- Greater agility
- Centralized control
- Greater security
- Reduced costs
That being said, there are no GPOs within Azure AD. Their absence says nothing about their usefulness. Azure AD is built on different protocols than Server AD (web standards such as SAML, OAuth 2.0 and OpenID Connect rather than Kerberos and LDAP) in order to manage web-based services, and its architecture is built around user and device management for Azure and Office 365. Group Policy, by contrast, depends on user and computer objects in an on-premises AD domain, with GPOs linked to sites, domains and OUs and the policy files served from SYSVOL.
The irony in all of this is that when it comes to managing configuration settings, Azure AD on its own gives admins less control over Windows 10 settings and desktop configuration.
Less control means less agility, which is the opposite of what you’re going for.
Because admins now have less ability to enforce configuration and security settings, users and their desktops may be more exposed. Less admin control also means users can get into more things that generate help desk calls, which increases costs.
This is not to say that Azure AD is inferior to traditional AD with its Group Policy. It is simply a different world than it was twenty years ago. It isn’t just a desktop that lives on-prem. Traditional Group Policy does only a fair job of managing mobile devices, and it isn’t a Windows-only world anymore; Group Policy doesn’t help when you need to configure non-Windows devices.
There is also more to device management today than deploying settings. Intune provides near-real-time status information on your entire fleet of Azure AD-joined, MDM-enrolled devices as well as telemetry insights into their performance. Computers can be remotely reset and wiped. However, if you want an easy way to block access to the command prompt for standard users, you are currently out of luck with Intune.
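To make the "command prompt" example concrete, here is an added PowerShell example (not code from the original post, and not PolicyPak's or Microsoft's code). It walks the local ADMX catalogue that Group Policy, and any ADMX-backed MDM policy, is built from, counts the policy definitions, locates the template behind "Prevent access to the command prompt" by the registry value it writes (DisableCMD under Software\Policies\Microsoft\Windows\System), and then applies and verifies that value locally so the effect can be seen without a domain. It assumes the default ADMX store at %WINDIR%\PolicyDefinitions and an elevated session for the apply step; the function names are my own.

```powershell
# Added example, not code from the original post or from PolicyPak.
# Assumptions (not stated on the page): default ADMX store under
# %WINDIR%\PolicyDefinitions, apply step runs elevated, function names are mine.

# Root namespace used by every ADMX file.
$AdmxNs = 'http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions'

function Get-AdmxCatalog {
    # Parse every .admx file and emit one object per <policy> element.
    param([string]$Path = (Join-Path $env:WINDIR 'PolicyDefinitions'))
    foreach ($file in (Get-ChildItem -Path $Path -Filter '*.admx' -File)) {
        try { [xml]$doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop }
        catch { Write-Warning "Skipping $($file.Name): $_"; continue }
        $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('pd', $AdmxNs)
        foreach ($p in $doc.SelectNodes('//pd:policies/pd:policy', $ns)) {
            # valueName can sit on the policy itself or on a child element
            # (enum, decimal, text ...), so collect both forms.
            $values = @($p.GetAttribute('valueName')) +
                      @($p.SelectNodes('.//*[@valueName]', $ns) | ForEach-Object { $_.GetAttribute('valueName') })
            [pscustomobject]@{
                File       = $file.Name
                Name       = $p.GetAttribute('name')
                Class      = $p.GetAttribute('class')   # User, Machine or Both
                Key        = $p.GetAttribute('key')
                ValueNames = (($values | Where-Object { $_ }) -join ',')
            }
        }
    }
}

function Find-AdmxPolicy {
    # Find the template(s) that write a given registry value name.
    param([Parameter(Mandatory)][string]$ValueName,
          [string]$Path = (Join-Path $env:WINDIR 'PolicyDefinitions'))
    Get-AdmxCatalog -Path $Path | Where-Object { ($_.ValueNames -split ',') -contains $ValueName }
}

function Set-CmdPromptPolicy {
    # Write exactly what "Prevent access to the command prompt" writes:
    # DisableCMD = 1 blocks interactive cmd.exe but still runs .cmd/.bat files,
    # DisableCMD = 2 blocks both. -Remove clears it again.
    # HKCU\Software\Policies is ACL'd so a standard user cannot write here;
    # run elevated. On a managed machine a GP/MDM refresh re-asserts its own value.
    param([ValidateSet(1, 2)][int]$Mode = 1, [switch]$Remove)
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    if ($Remove) {
        Remove-ItemProperty -Path $key -Name 'DisableCMD' -ErrorAction SilentlyContinue
        return
    }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisableCMD' -PropertyType DWord -Value $Mode -Force | Out-Null
}

function Test-CmdPromptPolicy {
    # Report the effective state for the current user.
    $v = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\System' `
                          -Name 'DisableCMD' -ErrorAction SilentlyContinue
    $mode = [int]($v.DisableCMD)   # $null (not configured) becomes 0
    if     ($mode -eq 1) { 'cmd.exe blocked, batch scripts still run' }
    elseif ($mode -eq 2) { 'cmd.exe and batch scripts blocked' }
    else                 { 'not configured: cmd.exe allowed' }
}

# Usage: size of the catalogue, then the template behind the cmd.exe block.
$catalog = @(Get-AdmxCatalog)
'{0} ADMX policies across {1} files' -f $catalog.Count, @($catalog.File | Sort-Object -Unique).Count
Find-AdmxPolicy -ValueName 'DisableCMD' | Format-Table File, Name, Class, Key -AutoSize
Set-CmdPromptPolicy -Mode 1
Test-CmdPromptPolicy
# Launching cmd.exe now shows "The command prompt has been disabled by your administrator."
Set-CmdPromptPolicy -Remove
```

The policy is User-class, so in a GPO it lives under User Configuration and lands in the target user's HKCU; writing the value by hand, as above, only proves what the template does on one machine and is not a substitute for a managed policy, which is the gap the rest of this post is about.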
PolicyPak as an MDM Supplement
Many organizations today have a mixture of Server AD-joined and Azure AD-joined devices. While MDM does not natively consume GPOs, there is a third-party solution that brings the capabilities of Group Policy and Group Policy Preferences into your Azure AD, or any MDM, environment.
It is called PolicyPak, a modern desktop management solution that empowers you to easily configure, deploy, and manage policies for on-premises, MDM, and cloud Windows environments.
PolicyPak MDM Edition lets you import Group Policy and Group Policy Preferences settings directly into your MDM. Designate a computer in your on-prem domain environment to host the PolicyPak Admin Console, which integrates seamlessly with the Group Policy Editor. From there it is a matter of doing what you always do with Group Policy: create a new policy, as shown below.
Note that in the outlined portion of the above screenshot we have Administrative Templates Manager, Preferences Manager and Security Settings Manager. These are three of the products within the PolicyPak suite. Together they allow you to configure and deploy settings such as:
- Security Settings
- 3,000+ Administrative Template settings
- Audit Policy
- User Rights Assignment
- AppLocker settings
- All of the Group Policy Preferences Settings
There are also three collections within the outlined portion above, called Windows 10 Laptops, Windows 2019 Servers and Windows 10 Desktops. You create collections to organize targeted settings. In this example, we are using Administrative Templates Manager to draw on the rich set of settings provided by the ADMX/ADM templates. PolicyPak Administrative Templates Manager gives the same exhaustive list of settings as Group Policy, as shown below.
PolicyPak works alongside your MDM to deliver your GPO assignments and then fine-tune them using item-level targeting for Group Policy settings as well as Group Policy Preferences.
Whether you are creating new policies or simply want to reuse existing GPOs, integrating them with your preferred MDM is easy. Export your real Group Policy settings using the PolicyPak Admin Console and wrap them into an MSI file using the PolicyPak Exporter Utility. Then license your MDM for PolicyPak and upload the MSI file the same way you would any MSI you deploy to your MDM-enrolled devices.
You can see a full video demonstration of how to deploy all Group Policy and PolicyPak settings using Intune here.
Don’t limit the potential of PolicyPak to just deploying policy settings. Every PolicyPak customer also has access to our other tools, such as PolicyPak Application Manager, which lets you manage and deploy configuration settings for more than 500 enterprise applications. If you use it, chances are we can manage it.
We also have PolicyPak Least Privilege Manager to help you remove local admin rights and provide “one click whitelisting” on the desktop, without all of the work of managing traditional whitelists. You can see our complete list of components here…
With PolicyPak, you do not have to sacrifice Group Policy when moving to Azure AD. We bring the two together, in order to create a combined solution in which the whole is greater than the sum of its parts.