Hi All,

Companies are increasingly “cloud” based on the server side, but when it comes to the desktop they are still mostly “on-prem”. This applies not just to where the device sits, but also to the tools used to manage it.

The main tool, used for many years, is Active Directory Group Policy: any machine joined to the domain receives a set of policies by default, and companies can easily create and manage them.

Now, going back to the cloud: when companies have invested heavily in Group Policy configurations, moving to an environment with no GPO is difficult. Even though tools like Intune can deploy some policies, many of the policies companies rely on are still missing.

When SCCM implemented co-management, companies started looking more at a cloud-based Active Directory, as they could “easily” move from an on-prem to an Azure domain and have the policies applied via SCCM…

However, even though SCCM can check and remediate registry settings (which most GPOs are based on), it still has no good UI (like the GPO editor) for creating those settings, so you need to build them yourself.

Over the past few months, many customers asked me if I knew of a tool that would help with this transition. However, none of the solutions I found on the internet were what I imagined they should be, so I created a PowerShell script for it.

The “tool” uses the Group Policy PowerShell cmdlets (so you need the Group Policy Management feature installed) as well as the SCCM cmdlets (so you need the SCCM console installed). Once these prerequisites are met, you can open the SCCM PowerShell console and copy/paste the PowerShell functions (which you can download from my GitHub repository).

The usage is simple: you call the New-SCCMDCMfromGPO function with the parameter PolicyName, which contains the GPO name, and the parameter domain, which contains the domain (you can use $env:USERDNSDOMAIN if you don’t have multiple domains). The parameter NoncomplianceSeverity is a string for the severity when non-compliant (default is critical), the parameter groupCI is a boolean value that groups the CIs based on the registry settings (default false) and, finally, if you want the naming to start with something other than the policy name, use the baseCIname parameter.

The following command is an example I’ve been testing:

$domain = $env:USERDNSDOMAIN
@('MSFT Office 2016 - Computer', 'MSFT Office 2016 - User') | ForEach-Object { New-SCCMDCMfromGPO -PolicyName $_ -domain $domain -groupCI $true }
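For readers who want to see what a GPO-to-DCM conversion has to do under the hood, here is an added example. It is my code, not Raphael's New-SCCMDCMfromGPO script and not taken from his repository. It follows the same path the post describes: read the registry values a GPO sets, map each one to an SCCM compliance registry setting, optionally group them into one CI per registry key (the groupCI idea) and create the CIs. The output properties of Get-GPRegistryValue and the parameter sets of New-CMConfigurationItem and Add-CMComplianceSettingRegistryKeyValue are assumed from memory and should be checked with Get-Help before running against a live site; the entries at the bottom are constructed sample data so the mapping and grouping can be exercised without either module.

```powershell
# Added example, not the author's New-SCCMDCMfromGPO script. ASSUMED from memory, verify
# with Get-Help: Get-GPRegistryValue output properties (FullKeyName, ValueName, Type,
# Value, PolicyState, HasValue) and the parameters of New-CMConfigurationItem and
# Add-CMComplianceSettingRegistryKeyValue.

function ConvertTo-CMDataType {
    # RegistryValueKind name (Get-GPRegistryValue .Type) -> SCCM DataType name (assumed).
    param([Parameter(Mandatory)][string]$Kind)
    switch ($Kind) {
        { $_ -in 'DWord', 'QWord' }         { 'Integer' }
        { $_ -in 'String', 'ExpandString' } { 'String' }
        'MultiString'                       { 'StringArray' }
        default { throw "Unsupported registry value kind '$Kind'" }
    }
}

function ConvertTo-CMRegistrySetting {
    # One GPO registry entry -> one SCCM setting definition. Only 'Set' entries can be
    # asserted; 'Delete' entries (the GPO removes the value) have nothing to compare.
    param([Parameter(Mandatory, ValueFromPipeline)]$Entry)
    process {
        if ($Entry.PolicyState -ne 'Set') { return }
        $hiveName, $keyPath = $Entry.FullKeyName -split '\\', 2
        $hive = switch ($hiveName) {
            'HKEY_LOCAL_MACHINE' { 'LocalMachine' }
            'HKEY_CURRENT_USER'  { 'CurrentUser' }
            default { throw "Unexpected hive '$hiveName'" }
        }
        [pscustomobject]@{
            SettingName   = "$keyPath\$($Entry.ValueName)"
            Hive          = $hive
            KeyName       = $keyPath
            ValueName     = $Entry.ValueName
            DataType      = ConvertTo-CMDataType $Entry.Type
            ExpectedValue = $Entry.Value
        }
    }
}

function Group-CMRegistrySetting {
    # -GroupByKey: one CI per hive+key (the post's groupCI); otherwise one CI with every setting.
    param([object[]]$Settings, [string]$BaseName, [switch]$GroupByKey)
    if (-not $GroupByKey) { return [pscustomobject]@{ Name = $BaseName; Settings = $Settings } }
    $Settings | Group-Object Hive, KeyName | ForEach-Object {
        [pscustomobject]@{ Name = "$BaseName - $($_.Group[0].Hive)\$($_.Group[0].KeyName)"; Settings = $_.Group }
    }
}

function Get-GpoRegistryEntry {
    # Get-GPRegistryValue returns the values directly under -Key plus its child keys
    # (HasValue = $false), so recurse into the children to collect everything.
    param([string]$PolicyName, [string]$Domain, [string]$Key)
    Get-GPRegistryValue -Name $PolicyName -Domain $Domain -Key $Key -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.HasValue) { $_ } else { Get-GpoRegistryEntry $PolicyName $Domain $_.FullKeyName }
    }
}

function New-CMConfigurationItemFromGpo {
    # Live path: needs the GroupPolicy module and the SCCM console's PowerShell (site drive).
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$BaseCIName = $PolicyName,
        [ValidateSet('None', 'Informational', 'Warning', 'Critical', 'CriticalWithEvent')]
        [string]$NoncomplianceSeverity = 'Critical',
        [switch]$GroupByKey
    )
    $entries = foreach ($root in 'HKLM\Software\Policies', 'HKCU\Software\Policies') {
        Get-GpoRegistryEntry -PolicyName $PolicyName -Domain $Domain -Key $root
    }
    $settings = @($entries | ConvertTo-CMRegistrySetting)
    foreach ($g in Group-CMRegistrySetting -Settings $settings -BaseName $BaseCIName -GroupByKey:$GroupByKey) {
        $ci = New-CMConfigurationItem -Name $g.Name -CreationType WindowsOS
        foreach ($s in $g.Settings) {
            # Report only (no -Remediate): measure the drift before letting SCCM rewrite values.
            $ci | Add-CMComplianceSettingRegistryKeyValue -SettingName $s.SettingName -Hive $s.Hive `
                -KeyName $s.KeyName -ValueName $s.ValueName -DataType $s.DataType `
                -ValueRule -RuleName "$($s.SettingName) equals" -ExpressionOperator IsEquals `
                -ExpectedValue $s.ExpectedValue -NoncomplianceSeverity $NoncomplianceSeverity -ReportNoncompliance
        }
    }
}

# Offline check with constructed entries shaped like Get-GPRegistryValue output (no modules needed).
$key = 'HKEY_LOCAL_MACHINE\Software\Policies\Contoso\Example'
$sample = @(
    [pscustomobject]@{ FullKeyName = $key; ValueName = 'EnableAudit'; Type = 'DWord'; Value = 1; PolicyState = 'Set'; HasValue = $true }
    [pscustomobject]@{ FullKeyName = $key; ValueName = 'LogPath'; Type = 'String'; Value = 'C:\Logs'; PolicyState = 'Set'; HasValue = $true }
    [pscustomobject]@{ FullKeyName = "$key\Legacy"; ValueName = 'OldFlag'; Type = 'DWord'; Value = $null; PolicyState = 'Delete'; HasValue = $true }
)
$settings = @($sample | ConvertTo-CMRegistrySetting)   # the Delete entry is skipped
Group-CMRegistrySetting -Settings $settings -BaseName 'Contoso Baseline' -GroupByKey |
    ForEach-Object { '{0}: {1} setting(s)' -f $_.Name, $_.Settings.Count }
```

The offline part at the bottom is where the logic can be checked before any site connection: the two Set entries become two settings under one CI named after the hive and key, and the Delete entry is dropped because a compliance rule needs an expected value to compare against. Creating the rules as report-only keeps the first deployment a measurement of how far clients have drifted from the GPO, rather than an immediate rewrite of their registries.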

PS. This is still the 1st draft; in the future it will be more “PowerShell” friendly, maybe a module!?!?… so send me your comments/feedback.

PS2. I’ve tested it on Server 2016 (SCCM & Domain) with the Microsoft Security Toolkit baselines (IE, Office 2016) and it worked as far as I can tell.



Raphael is a nine-time Microsoft MVP with over 20 years of experience in IT, 13 of which have been dedicated to System Center and Automation. His extensive experience has been developed through several IT roles, from first-line support to principal consultant, across a wide range of clients and sectors. One of the four MVPs in Enterprise Client Management in the UK, Raphael holds more than 30 Microsoft certifications and is an MCT (Microsoft Certified Trainer). Since 2008, Raphael has been delivering Microsoft training from basic to advanced levels in several categories. Throughout his career, Raphael has spoken at well-known events such as TechEd and Gartner Security Risk Management. He has also organised community events and lectured around the world, sharing best practices and knowledge within the industry. Bilingual in English and Portuguese, Raphael has authored diverse articles published in Microsoft's TechEd, served as the editor-in-chief of a magazine focused on System Center in Brazil and wrote two books: "Understanding System Center 2012 SP1 Configuration Manager: The walkthrough book" and "System Center 2012 R2 Configuration Manager: Automation from Zero to Hero".