With Jeremy Moskowitz
While devices used to be actively blocked from registering with Intune and with SCCM or Group Policy at the same time, this duality of management is more than welcome today. Outside of cloud-only enterprises, Microsoft not only allows but encourages settings management from multiple sources. Microsoft refers to this practice as co-management.
The advantage of Hybrid MDM was that it allowed you to manage SCCM-exclusive and MDM-exclusive devices from a single console. Essentially it was a product of convenience more than anything. With co-management, the two work in cohesion: clients can have the Configuration Manager client installed and be enrolled in Intune at the same time. For organizations with a considerable investment of time and resources in SCCM, co-management adds greater functionality to the SCCM structure by incorporating cloud functionality.
Co-management requires Configuration Manager version 1710 or later, and requires all involved Windows 10 devices to be either Azure AD-joined or joined to on-premises AD and registered with Azure AD. For new Windows 10 devices, you can simply join them to Azure AD, enroll them in Intune, and install the Configuration Manager client to gain co-management ability. For Windows 10 devices that already have the Configuration Manager client installed the path is more complex, but it basically requires you to set up hybrid Azure AD join and then enroll them in Intune. Whichever way you get there, the end result is that you get the best of both worlds.
Co-management is about more than just increased functionality, however. It gives IT administrators the flexibility to choose which management solution works best for their organization and for the devices and workloads they have to manage. This freedom of choice is exemplified in the screenshot below, which shows the Workloads tab of the SCCM admin console. As you can see, with co-management you can switch the authority from Configuration Manager to Intune for selected workloads. This puts the SCCM admin in charge of which tool manages which policies, simply by moving the slider to the desired choice.
Note the presence of the “Pilot Intune” option. As MDM is relatively new to most admins, Pilot Intune gives you the ability to pilot things first in order to ensure everything operates as expected. Once results are confirmed, you can throw the switch all the way. Eventually, Microsoft hopes that all the sliders will be moved to the right, with everything hosted and managed in the cloud. Those who are intimidated by SCCM might say that’s not a bad thing.
Surprises are great when you are engrossed in a captivating movie. A good novel always has multiple twists that you don’t see coming. For the most part though, the world prefers predictability, especially when it comes to managing corporate enterprises. The whole purpose of deploying settings is to ensure conformity across your enterprise client devices. Group Policy and MDM were made to deliver a level of certainty to the enterprise.
So what happens when Group Policy settings and MDM settings collide with one another? Because a Windows 10 device can be a member of an on-prem Active Directory domain and be MDM enrolled as well, that is a distinct possibility. Starting with the 1709 release, Microsoft unveiled a GPO setting that allows hybrid-joined devices to be automatically MDM enrolled. So let’s say we have a hybrid environment of Windows 10 laptops and, just for grins, we disabled Cortana using an MDM policy setting and enabled it using a Group Policy setting. Which policy do you think would win out?
If you had to guess, you would probably say Group Policy since it is the elder of the two. If you did, you would be sort of wrong. You would also be sort of wrong if you said MDM.
How can you be sort of wrong you ask?
Because when MDM and GP settings conflict, we honestly have no idea which one is going to win out.
In fact, that is the default, expected behavior. Yes, the default behavior is uncertainty. Just like the stock market doesn’t like uncertainty, neither do network admins.
So in order to add some stability to these conflicting scenarios, Microsoft introduced a Policy CSP called ControlPolicyConflict/MDMWinsOverGP. It uses an integer-based data type for which there are two supported values:
- 0: the default state of uncertainty (no winner is defined)
- 1: the MDM policy is used and the GP policy is blocked
To enable this policy, we have to create a custom OMA-URI setting as shown in the screenshot below.
So if MDM and the same Group Policy setting are contending to assign the SAME value to the SAME setting... then you can use MDMWinsOverGP to force the MDM policy to always win, regardless of what GP is trying to do.
If you are managing a hybrid environment with MDM and GPO, it may in fact be good practice to enable this CSP for good measure just to ensure that certainty will always prevail. In the IT world, certainty is a good thing.
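The following PowerShell is an added example, not code from the original post. It records the custom OMA-URI setting the post describes (the OMA-URI path, data type and value are the documented ones for ControlPolicyConflict/MDMWinsOverGP) and then audits a device for the situation in which that setting actually matters: hybrid-joined and MDM-enrolled at the same time. Two things are assumptions to verify on your build: that the applied Policy CSP value is mirrored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict, and that dsregcmd /status prints DomainJoined, AzureAdJoined and MdmUrl fields.

```powershell
# Added example (not from the original post). Records the custom OMA-URI for
# MDMWinsOverGP and audits whether this device is in a GP/MDM conflict situation.
# Assumptions (verify on your build): Policy CSP values are mirrored under
# HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>, and dsregcmd /status
# prints "DomainJoined", "AzureAdJoined" and "MdmUrl" fields.

# What you type into the Intune custom profile's OMA-URI Settings.
$MdmWinsOverGpSetting = [pscustomobject]@{
    Name     = 'ControlPolicyConflict - MDM wins over GP'
    OmaUri   = './Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP'
    DataType = 'Integer'
    Value    = 1    # 0 = default (no defined winner); 1 = MDM policy applied, GP policy blocked
}

function Get-DsregValue {
    # Pull one "Label : value" field out of captured dsregcmd /status output.
    param([string[]]$StatusLines, [string]$Label)
    $match = $StatusLines | Select-String -Pattern "^\s*$Label\s*:\s*(.*)$" | Select-Object -First 1
    if ($match) { return $match.Matches[0].Groups[1].Value.Trim() }
    return $null
}

function Get-JoinState {
    # Hybrid Azure AD join = DomainJoined and AzureAdJoined both YES; MdmUrl is set once enrolled.
    $lines = @(dsregcmd /status 2>$null)
    [pscustomobject]@{
        DomainJoined  = (Get-DsregValue $lines 'DomainJoined')  -eq 'YES'
        AzureAdJoined = (Get-DsregValue $lines 'AzureAdJoined') -eq 'YES'
        MdmUrl        = Get-DsregValue $lines 'MdmUrl'
    }
}

function Test-MdmWinsOverGp {
    $join   = Get-JoinState
    $hybrid = $join.DomainJoined -and $join.AzureAdJoined
    $mdm    = -not [string]::IsNullOrWhiteSpace($join.MdmUrl)

    # Assumed location where the applied Policy CSP value is mirrored.
    $key     = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
    $applied = $null
    if (Test-Path $key) {
        $applied = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).MDMWinsOverGP
    }

    $verdict = if (-not $hybrid -or -not $mdm) {
        'Device is not both hybrid-joined and MDM-enrolled; GP/MDM conflicts cannot occur here.'
    } elseif ($applied -eq 1) {
        'MDMWinsOverGP = 1: on a conflict the MDM policy applies and the GP policy is blocked.'
    } else {
        'Hybrid-joined and MDM-enrolled but MDMWinsOverGP is not 1: conflict outcome is undefined.'
    }

    [pscustomobject]@{
        HybridJoined  = $hybrid
        MdmEnrolled   = $mdm
        MDMWinsOverGP = $applied
        Verdict       = $verdict
    }
}

Test-MdmWinsOverGp | Format-List
```

Run it in an elevated PowerShell on a test client after the custom profile has synced. The third verdict is the one to hunt for in a hybrid fleet: a machine that receives settings from both sources with no defined winner is exactly the uncertainty the post describes.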
Long, long ago, well, actually not so long ago, there were two worlds. There was the on-prem world and the mobile world, and the two would never become one, until of course they did one day. Up until Windows 10 version 1607, a device could be joined either to on-premises AD or to Azure AD, not both. This made sense at the time. Back then, MDM-enrolled machines were pretty much restricted to mobile devices, as administrators wanted the extensive management control that Group Policy or SCCM provided them for enterprise desktops. Mobile devices were better served in the cloud, and outside of device resets and remote wipe capabilities, there wasn’t much you could do with MDM early on.
It wasn’t thought a good idea at the time to have settings delivered from multiple sources. In order to prevent that from happening, devices were blocked from registering with SCCM and Intune simultaneously. In fact, activating the SCCM client on a Windows device automatically disabled any built-in MDM capabilities. Devices were segregated to one or the other.
If your company’s IT staff had separate SCCM administrators and mobile device administrators, then everything was fine. But if you had to manage both desktops and tablets, you had to switch back and forth between the Configuration Manager console and the MDM console. So Microsoft set about integrating Configuration Manager with Intune in what was called “hybrid configuration,” so that both on-prem and mobile devices could be managed from the same console. Co-management between the two was born. Note that Intune was the only MDM supported in this scenario. The merging of these two platforms is illustrated below.
But as in everything, things change. Microsoft put more focus into MDM as time went on, and as a result, more setting capabilities and features were built into Intune. Organizations also started recognizing the value of migrating more computers to the cloud than just mobile devices. Microsoft also began figuring out that it was in their interest to encourage customers to move to the cloud. Because of these and other factors, the usefulness of allowing devices to co-exist in both on-prem AD and Azure AD was realized. Starting with 1607, computers could be a part of both at the same time. Then came 1709 in which the SCCM client could now run on a device without its MDM capabilities being disabled. This made it possible for a computer to receive setting input from both sources. This signaled the end of Hybrid MDM. In August of 2018, Hybrid MDM became a deprecated feature and Microsoft began blocking the registering of new Hybrid MDM customers in November of the same year.
I have to admit... making a simple registry change in Intune can be ... difficult.
The Administrative Templates function is nice, for those (under 300 settings) that support them.
But for the rest of the simple settings ... you might have to hand-create custom OMA-URIs and use ADMX-backed policies to do it.
Here are some others' great guides to help you "follow the leaders" and convert your ADMX and/or use an ADMX-backed policy:
Those resources, show how to tear into an ADMX and ADML file and create a more complex ADMX-backed policy:
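As an added example that is not code from the original post or from any of the guides it refers to, the PowerShell below builds the two custom OMA-URI settings an ADMX-backed policy needs: one to ingest the ADMX file into the Policy CSP, and one to enable (or disable) a policy it defines, with the category path and SyncML data value derived from the ADMX itself rather than typed by hand. The ADMX is a constructed sample; ContosoApp, its categories, its policies and the telemetry URL are placeholders.

```powershell
# Added example, not from the original post or the guides it links. Derives the
# custom OMA-URIs for an ADMX-backed policy from the ADMX file. The sample ADMX below
# is constructed for this example; every name in it is a placeholder.

$SampleAdmx = @'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
                   revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="contoso" namespace="Contoso.Policies.ContosoApp" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="ContosoApp" displayName="$(string.ContosoApp)" />
    <category name="Telemetry" displayName="$(string.Telemetry)">
      <parentCategory ref="ContosoApp" />
    </category>
  </categories>
  <policies>
    <policy name="DisableTelemetry" class="Machine" displayName="$(string.DisableTelemetry)"
            key="Software\Policies\Contoso\ContosoApp" valueName="TelemetryEnabled">
      <parentCategory ref="Telemetry" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue><decimal value="0" /></enabledValue>
      <disabledValue><decimal value="1" /></disabledValue>
    </policy>
    <policy name="UploadServer" class="Machine" displayName="$(string.UploadServer)"
            key="Software\Policies\Contoso\ContosoApp">
      <parentCategory ref="Telemetry" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <elements>
        <text id="UploadServer_Url" valueName="UploadServer" required="true" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>
'@

function New-AdmxIngestionSetting {
    # Step 1: the OMA-URI that ingests the ADMX; the value is the whole file as a String.
    param([string]$AppName, [string]$FileUid, [string]$AdmxContent)
    [pscustomobject]@{
        OmaUri   = "./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/$AppName/Policy/$FileUid"
        DataType = 'String'
        Value    = $AdmxContent
    }
}

function Get-AdmxCategoryPath {
    # Walk parentCategory refs from the leaf to the root; the path is joined with '~'.
    param([xml]$Admx, [string]$Leaf)
    $categories = @($Admx.policyDefinitions.categories.category)
    $path = [System.Collections.Generic.List[string]]::new()
    $name = $Leaf
    while ($name) {
        if ($name -match ':') { throw "Category '$name' is defined in another ADMX; ADMX-backed policies need in-file categories." }
        $cat = $categories | Where-Object { $_.name -eq $name } | Select-Object -First 1
        if (-not $cat) { throw "Category '$name' is not defined in this ADMX." }
        $path.Insert(0, $name)
        $name = if ($cat.parentCategory) { $cat.parentCategory.ref } else { $null }
    }
    return ($path -join '~')
}

function New-AdmxBackedSetting {
    # Step 2: the OMA-URI and SyncML value that enable (or disable) one policy from the ADMX.
    param([xml]$Admx, [string]$AppName, [string]$PolicyName, [hashtable]$Data = @{}, [switch]$Disable)
    $policy = @($Admx.policyDefinitions.policies.policy) | Where-Object { $_.name -eq $PolicyName } | Select-Object -First 1
    if (-not $policy) { throw "Policy '$PolicyName' not found in ADMX." }
    $scope = if ($policy.class -eq 'User') { 'User' } else { 'Device' }
    $categoryPath = Get-AdmxCategoryPath -Admx $Admx -Leaf $policy.parentCategory.ref
    $uri = "./$scope/Vendor/MSFT/Policy/Config/$AppName~Policy~$categoryPath/$PolicyName"

    if ($Disable) {
        $value = '<disabled/>'
    } else {
        $value = '<enabled/>'
        if ($policy.elements) {
            foreach ($el in $policy.elements.ChildNodes) {
                if ($el.NodeType -ne 'Element') { continue }
                if (-not $Data.ContainsKey($el.id)) {
                    if ($el.required -eq 'true') { throw "Policy '$PolicyName' needs a value for element '$($el.id)'." }
                    continue
                }
                $escaped = [System.Security.SecurityElement]::Escape([string]$Data[$el.id])
                $value += "<data id=`"$($el.id)`" value=`"$escaped`"/>"
            }
        }
    }
    [pscustomobject]@{ OmaUri = $uri; DataType = 'String'; Value = $value }
}

[xml]$admx = $SampleAdmx
New-AdmxIngestionSetting -AppName 'ContosoApp' -FileUid 'ContosoApp.admx' -AdmxContent $SampleAdmx
New-AdmxBackedSetting -Admx $admx -AppName 'ContosoApp' -PolicyName 'DisableTelemetry'
New-AdmxBackedSetting -Admx $admx -AppName 'ContosoApp' -PolicyName 'UploadServer' -Data @{ 'UploadServer_Url' = 'https://telemetry.contoso.example' }
```

Each returned object maps directly onto an Intune custom OMA-URI row (OMA-URI, Data type, Value). The ingestion setting must be deployed before the policy settings, since the `ContosoApp~Policy~ContosoApp~Telemetry` area does not exist on the client until the ADMX has been ingested; deriving the category path from the file avoids the most common hand-typing mistake, a category chain that does not match the ADMX.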
After taking Jeremy’s Group Policy Class, my staff and I were able to reduce the number of help desk calls dramatically! Thank you Jeremy!
MCSE Systems Administrator, Royal Canin USA, Inc
If you want to learn everything about Group Policy, then you need to attend Jeremy’s training class, I came in as a novice and left an expert. Jeremy speaks to you, not above you.
Desktop Computing Specialist, Princeton University
Jeremy is absolutely the best presenter and instructor I have seen. I really would like to get the same type of instruction for other IT courses. He has a wonderful way of sharing his knowledge in a simple, effective way that leaves you thinking “Wow! That makes so much sense.” After taking his “Group Policy Online University” courses and reading his books I feel like a pro — truly understanding Group Policy. And whenever I have a question, Jeremy is always there to help. I really liked the fact you can review the online course TWICE. It’s almost like getting TWO courses in one. Add in his weekly tips and simply you can’t go wrong. Thanks Jeremy — and your staff for creating a great learning experience that I benefit from every day.
Network Administrator, Mondial Assistance
I used the tools he demonstrated and those tools saved me a lot of time and money.
Senior Network Engineer, County of Orange, CA
After hearing Jeremy speak, I was immediately able to confidently use GPMC, and successfully deploy many GPO’s which have saved my sanity and added years to my life. Having a copy of Jeremy’s Group Policy, Profiles, and IntelliMirror book on hand has given me instant access to many of those “How does this work in the real world?” questions. Thanks Jeremy, You are awesome!
Lead Systems Administrator
After taking Jeremy’s class, I was able to create and troubleshoot Group Policy in our environment. Others tried to convince me that the “Microsoft Standard” is to have one huge policy, but troubleshooting that policy for them was a nightmare. After they saw how easy it was to create smaller, less complicated policies, troubleshooting became a piece of cake.
Server Administrator, University of Toledo
I was able to apply some of the Group Policy best practices that I had not already implemented. I am also looking forward to implementing the many new Vista/W2K8 GPOs.
Sr. Systems Administrator, Adventist Health Systems
I sincerely enjoyed the class in Boston and I learned a lot. Within two work days of coming back I had a major update to a core product piece of software that, because of your class, I knew to ask for an MSI file for the update and how to properly create a GPO to distribute to the appropriate users and make it do an install without interaction or granting them administrator rights. When they logged in this morning the update applied beautifully. This one process alone has made the whole class worth it to me. With the many other things I learned and will also put to use in the near future and I am extremely happy. Thanks again for coming to Boston.
Tech Support Specialist, Fidelity Bank
After listening to Jeremy, I felt much more confident in working with Group Policy and using it for many benefits in our Organization. The book was a great supplement, too.
Manager, IT Operations, Miller-Valentine Group
Jeremy has a way of explaining things that are down to earth. He takes a potentially dry subject and makes it more fun. These Group Policy courses are invaluable to help me in my job. As we transition to new machines and new operating systems, I can use the information and tools learned in class immediately. The pre-built virtual lab machines made it so I could focus on the labs right away. The hands-on labs are awesome! I am really glad I signed up for Jeremy’s online courses–even though I ended up taking them on my own after work. It was a really good investment.
ATK Launch Systems