Posted on 08/01/2019

Hi All,

Companies are more and more “cloud” based on the server side, but when it comes to the desktop they are still mostly “on-prem”. This is not just about the location of the device, but also about the tools they use.

The main tool that has been used for many years is Active Directory Group Policy. Any machine that is added to the domain gets a series of policies by default, and companies can easily create and manage them.

Now, going back to the cloud: when companies have invested heavily in Group Policy configurations, moving to an environment where there is no GPO is difficult. Even though tools like Intune are able to deploy some policies, many of the policies companies use are still missing.

When SCCM implemented co-management, companies started looking more at cloud-based Active Directory, as they could “easily” move from an on-prem to an Azure domain and the policies would be applied via SCCM…

However, even though SCCM has the ability to create and remediate registry settings (which most GPOs are based on), it still has no good UI (like GPO) to create the settings, so you need to do it yourself.

Over the past few months, many customers asked me if I knew of a tool that would help with this transition. However, none of the solutions I found on the internet were what I imagined they should be, so I created a PowerShell script for it.

The “tool” uses the Group Policy PowerShell cmdlets (so you need to have the Group Policy Management tools installed) as well as the SCCM cmdlets (so you need to have the SCCM console installed). Once these prerequisites are met, you can open the SCCM PowerShell console and copy/paste the PowerShell functions (which you can download from my GitHub repository).

The usage is simple: you use the New-SCCMDCMfromGPO function with the parameter PolicyName, which contains the GPO name, and the parameter domain, which contains the domain (you can use $env:USERDNSDOMAIN if you don’t have multiple domains). The parameter NoncomplianceSeverity is a string for the severity when non-compliant (default is Critical), the parameter groupCI is a boolean value that groups the CIs based on the registry settings (default false) and finally, if you want the naming to start with something other than the policy name, use the baseCIname parameter.

The following command is an example I’ve been testing:

@('MSFT Office 2016 - Computer', 'MSFT Office 2016 - User') | ForEach-Object { New-SCCMDCMfromGPO -PolicyName $_ -domain $domain -groupCI $true }
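To show the idea behind the conversion, here is an added example that is not the author's script (the real one is on GitHub): it recurses through a GPO's registry-based settings with Get-GPRegistryValue and adds each one as a report-only value rule on a new configuration item, using the same PolicyName, domain, baseCIname and NoncomplianceSeverity inputs described above. It assumes the GroupPolicy and ConfigurationManager modules are loaded and the prompt is in the site drive, that Get-GPRegistryValue objects expose HasValue, FullKeyPath, KeyPath, Hive, ValueName, Value and Type, and that the Add-CMComplianceSettingRegistryKeyValue parameters match the documented ones for your console version (verify before use).

```powershell
# Added example (not the author's New-SCCMDCMfromGPO). Assumes the GroupPolicy
# and ConfigurationManager modules are loaded and the prompt is in the site drive.
function Get-GPRegistrySettingRecursive {
    param(
        [Parameter(Mandatory)] [string] $PolicyName,
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $Key   # e.g. 'HKLM\Software\Policies'
    )
    # Get-GPRegistryValue lists the values under $Key, or its subkeys when the key
    # itself holds none (HasValue is $false); descend into those subkeys.
    $items = Get-GPRegistryValue -Name $PolicyName -Domain $Domain -Key $Key -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        if ($item.HasValue) { $item }
        else { Get-GPRegistrySettingRecursive -PolicyName $PolicyName -Domain $Domain -Key $item.FullKeyPath }
    }
}

function New-CIFromGPO {
    param(
        [Parameter(Mandatory)] [string] $PolicyName,
        [string] $Domain = $env:USERDNSDOMAIN,
        [string] $BaseCIName = $PolicyName,
        [ValidateSet('Informational', 'Warning', 'Critical')] [string] $NoncomplianceSeverity = 'Critical'
    )
    $ci = New-CMConfigurationItem -Name $BaseCIName -CreationType WindowsOS -Description "From GPO '$PolicyName' in $Domain"
    $roots = 'HKLM\Software\Policies', 'HKCU\Software\Policies'
    foreach ($s in ($roots | ForEach-Object { Get-GPRegistrySettingRecursive $PolicyName $Domain $_ })) {
        # Only value kinds with a clean CI data type are converted; the rest are
        # reported so nothing silently drops out of the baseline.
        $dataType = switch ("$($s.Type)") {
            'DWord'                             { 'Integer' }
            { $_ -in 'String', 'ExpandString' } { 'String' }
            default                             { $null }
        }
        if (-not $dataType) { Write-Warning "Not converted: $($s.FullKeyPath)\$($s.ValueName) ($($s.Type))"; continue }
        $name = "$($s.KeyPath)\$($s.ValueName)"
        # Report-only rule: flags drift from the GPO value but never writes the
        # registry, so a conversion mistake cannot change client state.
        $ci = $ci | Add-CMComplianceSettingRegistryKeyValue -ValueRule -SettingName $name -RuleName "$name = $($s.Value)" `
            -Hive "$($s.Hive)" -KeyName $s.KeyPath -ValueName $s.ValueName -DataType $dataType `
            -ExpectedValue "$($s.Value)" -ExpressionOperator IsEquals `
            -NoncomplianceSeverity $NoncomplianceSeverity -ReportNoncompliance -PassThru
    }
    $ci
}

# Constructed call mirroring the post's example (GPO names from the Microsoft baseline):
'MSFT Office 2016 - Computer', 'MSFT Office 2016 - User' | ForEach-Object { New-CIFromGPO -PolicyName $_ }
```

Because every rule is created without -Remediate, the resulting CI can be deployed to a pilot collection to compare client state against the GPO before any enforcement is switched on.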

PS. This is still the 1st draft; in the future it will be more “PowerShell” friendly, maybe a module!?!?… so send me your comments/feedback.

PS2. I’ve tested it on Server 2016 (SCCM & domain) with the Microsoft Security Toolkit baselines (IE, Office 2016) and it worked as far as I can tell.

