GPPreference items have no way of “keeping alive” if users want to work around them. And GPPreferences have no way of being deployed using SCCM, Intune, etc. Now you can fix both problems using PolicyPak Preferences Manager.
PolicyPak Preferences (On-Prem): Deploy GPPrefs using SCCM, Intune, etc.
Hi. This is Jeremy Moskowitz, Group Policy MVP and Founder of PolicyPak Software. In this video, I’m going to show you how you can enhance your existing investment in the Group Policy Preferences by:
- Keeping Group Policy Preferences alive even if the user tries to work around them and also if he tries to go off your network, and
- I’m going to show you how you can deploy Group Policy Preferences items using, well, not Group Policy. If you’re using SCCM, Intune, KACE or your own management software, I’m going to show you how you can take Group Policy Preferences items and get them deployed to your target machines without using Group Policy.
In another video, I’ll also show you how you can take Group Policy Preferences items and deploy them using PolicyPak Cloud to both domain joined and non-domain joined machines. Again, that’s another video.
To get started here, let me show you what I have. I have a “Power Plan” setting set up for my computers so when they go to “Sleep,” they’ll go to “Sleep after” “Plugged in (minutes): 15.” I also have a “Shortcuts” item on the desktop that will put an icon for PolicyPak on the desktop of all computers.
Let me go over to my target computer here, and I’m logged on as a regular guy called “EastSalesUser2.” I’m going to run “GP Update” here. Now when I do, we’re going to see two things happen: the power plan settings are going to happen and an icon on the desktop is going to happen, and there it is.
But the problem with the Group Policy Preferences – and even though I love them, I’m okay admitting that the Group Policy Preferences have a problem – which is that a user can simply work around any particular setting that they want because they are, in fact, preferences. If I type “power” here, “Edit power plan,” you can see a user can simply change your configuration. Now, if this was a compliance-based setting, they’re now out of compliance and that’s not good.
The second thing is that a user could disconnect the network cable. I’m going to do this off camera. You won’t be able to see me do but the result – there you go – you can see that I’ve now disconnected the network cables. If a user tries to run “GP Update” or even if they try to log off and log back on, nothing happens and that’s because the Group Policy Preferences has no way to maintain their settings when the computer goes offline.
PolicyPak changes all that. We’re going to show you that first, and the second thing we’re going to talk about is how you would take these Group Policy Preferences items (the “Shortcuts” and the “Power Options”) and get those deployed over to your machines without using Group Policy.
Let’s do the first thing first. What we’re going to do is we’re going to install the “PolicyPak Client-Side Extension,” and this has to live on all target machines. I’ll go ahead and install this first. You would normally deploy this any way you want. You can use Group Policy. You can use SCCM. You can prebake it into your image. There are a lot of various ways to get this deployed. I’ll go ahead and install that here.
Once the PolicyPak Client-Side Extension is installed, I’m also going to plug back in my network cables here. Once this happens and that target machine is licensed (it is pre-licensed for this demonstration), I’ll go ahead and run “GP Update” to get the latest, greatest signal. We should see the icon pop back up.
This is only going to happen normally when the computer is online and can see the domain controller, but PolicyPak brings the superpowers to the table again. Let me go ahead, right click and disconnect the network cables. Now when the user goes offline and the guy throws the icon in the trash, GP Update is not going to work because that’s Microsoft command, so we provide two ways of doing this.
You can type “ppupdate.” That will do it one way and get it back instantly. That’s choice number one. Choice number two is if you “Log off” as this user. Remember, the network cables are still unplugged. He’s offline. If he logs back on with cached credentials, PolicyPak puts them back even if the user has gone offline. That’s the first superpower we’re bringing to the table.
The second superpower is if you have a machine that is not using Group Policy for whatever reason – you’re using SCCM, LANDesk, KACE, Windows Intune or anything like that – how would you get directives over to this machine over here? if I log on as this guy over here, he doesn’t have any of those Group Policy Preferences items. How do we get those deployed?
It’s really easy. All you’re going to do is take your Group Policy Preferences items. I’ll put them into a little folder here. I’ll call them “GPPrefs Items.” You can simply drag-and-drop those items from Microsoft Group Policy into your folder. I’ll go ahead and take these two items, so now they’re in a folder. We have a utility called the “PolicyPak Exporter Tool.”
Here’s the PolicyPak Exporter Tool. What we’re going to do is “Create a new MSI installer,” and we’re going to “Add Existing Files” and add in those files that we just peeled off the MMC. We’ll go to the “GPPrefs Items,” and we’ll go ahead and pick both of them.
You can not only add in Group Policy Preferences items, but you can also “Add Existing Files” from our other components like Application Manager, Administrative Templates Manager and Security Manager. Basically, anything that PolicyPak can do in terms of managing applications and also pretty much anything else in a Group Policy Object you can import here to then make and MSI. I’ll go ahead and give it a name here. I’ll use the same file I’m using in some of my other demos: “PolicyPak-Exports-Demo1.” We’ll overwrite that and click “Finish.”
Here’s where you have to use your imagination. Here you can see I have SCCM 2012, and I’m simply making a new application and I’m picking the MSI and I’m installing it as system. It’s as simple as that. If you’re using “Windows Intune,” it’s pretty similar. You simply upload the file to Windows Intune, point to it as “Managed Software” and you’re ready to go. iIn both cases, SCCM and Windows Intune. A, after that you simply target the right computers and you’re off to the races.
Back on my server in the “SHARE” folder, this is where I have the MSI. Instead of actually using SCCM or actually using Intune or actually using KACE, we’re just going to use our imagination here. I’m going to log on as this guy here, and I’m going to open a Command prompt (“cmd”) and map a drive over to “dc\share.”
When I’m here, I’m going to pretend to install it as if I was using SCCM or Intune or any of those things. The way I’m going to do that is to do “msiexec /i y:PolicyPak-Export-Demo1.msi /qn” for totally silent. This is basically what would happen if you ran it using SCCM or Intune or LANDesk or whatever.
As soon as you run it, it installs. It’s completely silent, and there’s the icon right there. No Group Policy involved. If we take a look at the “Power Options” here and we take a look “High performance,” “Change plan settings,” you can see it has delivered “Put the computer to sleep” in “15 minutes.”
We’re using the power of the Group Policy Preferences but using the delivery mechanism of, well, whatever you want. If you like what you see here plus if you’re also interested in taking your Group Policy Preferences items and getting them delivered to computers over the Internet, we also have a way to do that using PolicyPak Cloud.
Thanks so much for watching. If you’re looking to get started, get in touch and we’ll get you the bits and you can get started real soon.
Thanks so much, and we’ll talk to you.