Cloud-Based GPOs & Migration Strategies
Ever since I presented a breakout session at VMworld on Mastering the Move to Windows 10 Modern Management, I have received tons of follow-up questions about policy migration and modernization, both internally and from customers and partners. After syncing up with several of our top architects who have been helping customers with their policy modernization journeys, I wanted to capture the details in an upcoming policy modernization operational tutorial. In the meantime, here are the highlights, minus the prescriptive step-by-steps and real-world examples. Every use-case is different, and the methodology discussed in this post should be read as high-level guidance.
Planning & Preparation
Before you begin on your journey of managing GPOs in the cloud with VMware Workspace ONE UEM, you must first determine your current GPO estate to plan your migration strategy. Below are some questions to consider and guide you on your next steps:
- Are the end-users on the managed Windows 10 devices local admins?
When end-users have local admin rights on managed devices, they can change or undo settings applied to the device, so enforcement of policies is top-of-mind. If enforcement and compliance of policies are a concern in your use-case, consider leveraging Workspace ONE Baselines as much as possible.
- Are you currently, or planning to, join your Windows 10 devices to Azure AD?
On-premises group policies require devices to be joined to the local domain. While many organizations are moving to the cloud, it is essential to decide whether your devices will be Azure AD joined, on-premises domain joined, or hybrid Azure AD joined. Consider moving all policies to Workspace ONE UEM if devices will no longer leverage the on-premises domain. Keep in mind that you may also have devices in several different join states at once.
- Are you currently or planning to use an industry-standard baseline?
Organizations that leverage industry-standard baselines such as Windows 10 Security Baseline or CIS Benchmarks for Windows 10 can leverage the Baselines feature in Workspace ONE UEM to deploy policies from these industry-standard templates.
- Do you want to move all policies or a sub-set of policies over to Workspace ONE UEM?
Decide which policies you need to move to Workspace ONE UEM. It is helpful to obtain a full list of policies, then categorize them into groups, such as personalization, security, system, BitLocker, Defender, Internet Explorer, and Chrome. It is also good to know how these policies are currently being configured, for example through MBAM, domain group policies, or ADMX templates.
- Are you ready to manage all your policies from the cloud?
Policy conflicts, collisions, and order of precedence are concerns that surface during the implementation phase. To avoid this topic altogether, consider having a single source of truth and managing all policies from the cloud using Workspace ONE. I will address these concerns in more detail in the upcoming operational tutorial.
Analyzing & Rationalizing
A large part of leveraging cloud-based policies starts with assessing your current policy landscape and determining if these policies need to move over to Workspace ONE UEM. If you currently do not have any group policies on your domain or just want to start fresh, then you can leverage Workspace ONE Baselines to get started using an industry-standard policy template.
- Leverage Workspace ONE AirLift to analyze GPOs.
- Generate a report of your policies.
- For the next steps, my recommendation is to allocate time and collaborate with various teams to rationalize the policies that are still relevant for your infosec needs. There is never a better time to clean up the GPOs that you might have carried forward over the years across different OS versions. With this cleanup exercise, you will want to go line by line and mark each policy with the following:
  - Category, such as personalization, security, system, BitLocker, Defender, Internet Explorer, and Chrome.
  - Move to Workspace ONE or Drop this policy. Many legacy policies may no longer be required and can be removed. Use this opportunity to do some spring cleaning and only move over what is necessary for your organization.
Note: Complementary to Workspace ONE AirLift, you can also leverage the Microsoft MDM Migration Analysis Tool (MMAT) to generate a report of which Group Policy settings map to modern (MDM) policies. This can be useful if you want to quickly run an assessment on a local domain-joined machine to get an idea of how many policies can be mapped to modern policies.
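The line-by-line rationalization above is tedious by hand, so here is an added example (my own illustration, not code from the original post, from Workspace ONE AirLift, or from VMware) that turns Get-GPOReport XML output into a worksheet with a Category column and an empty Decision column for the Move/Drop call. It assumes the RSAT GroupPolicy module on a domain-joined admin workstation; when the module is absent it falls back to a constructed sample report (not a real export) so it still runs offline. The keyword rules are an assumption you will want to tune to your own naming.

```powershell
# Added example (not code from the original post or from VMware): build a GPO rationalization
# worksheet from Get-GPOReport XML. Assumes the RSAT GroupPolicy module; falls back to a
# constructed sample report when it is not installed.

# Keyword rules, applied in order: the first match wins, so the specific product buckets come
# before the generic "Security" and "Personalization" ones. Tune these to your environment.
$categoryRules = [ordered]@{
    'BitLocker'         = 'BitLocker'
    'Defender'          = 'Defender|Antivirus|SmartScreen'
    'Internet Explorer' = 'Internet Explorer'
    'Chrome'            = 'Google|Chrome'
    'Security'          = 'Security|Credential|Password|Lockout|Firewall'
    'Personalization'   = 'Personalization|Desktop|Start Menu|Control Panel'
}

function Get-PolicyCategory {
    param([string]$Name, [string]$Path)
    foreach ($category in $categoryRules.Keys) {
        if ("$Path/$Name" -match $categoryRules[$category]) { return $category }
    }
    return 'System'   # anything unmatched lands in the generic bucket
}

function Get-ChildText {
    # Namespace-agnostic child lookup: GPO reports prefix elements with q1, q2, ... per extension.
    param($Node, [string]$LocalName)
    $child = $Node.SelectSingleNode("*[local-name()='$LocalName']")
    if ($child) { $child.InnerText } else { '' }
}

function ConvertFrom-GpoReportXml {
    param([xml]$Report)
    foreach ($gpo in $Report.SelectNodes("//*[local-name()='GPO']")) {
        $gpoName = Get-ChildText $gpo 'Name'
        # Administrative Template settings appear as <Policy> elements carrying Name, State and Category.
        foreach ($policy in $gpo.SelectNodes(".//*[local-name()='Policy']")) {
            $name = Get-ChildText $policy 'Name'
            $path = Get-ChildText $policy 'Category'
            [pscustomobject]@{
                GPO        = $gpoName
                Setting    = $name
                State      = Get-ChildText $policy 'State'
                PolicyPath = $path
                Category   = Get-PolicyCategory -Name $name -Path $path
                Decision   = ''   # filled in during review: Move (Baseline or AirLift) or Drop
            }
        }
    }
}

$reports = [System.Collections.Generic.List[object]]::new()
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    foreach ($gpo in Get-GPO -All) {
        $reports.Add([xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml))
    }
} else {
    # Constructed sample standing in for one exported GPO; it is not a real export.
    $reports.Add([xml]@"
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Workstation Hardening</Name>
  <Computer><ExtensionData>
    <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry">
      <q1:Policy><q1:Name>Require additional authentication at startup</q1:Name><q1:State>Enabled</q1:State>
        <q1:Category>Windows Components/BitLocker Drive Encryption/Operating System Drives</q1:Category></q1:Policy>
      <q1:Policy><q1:Name>Turn off real-time protection</q1:Name><q1:State>Disabled</q1:State>
        <q1:Category>Windows Components/Windows Defender Antivirus/Real-time Protection</q1:Category></q1:Policy>
      <q1:Policy><q1:Name>Disable the Security page</q1:Name><q1:State>Enabled</q1:State>
        <q1:Category>Windows Components/Internet Explorer/Internet Control Panel</q1:Category></q1:Policy>
      <q1:Policy><q1:Name>Remove Recycle Bin icon from desktop</q1:Name><q1:State>Enabled</q1:State>
        <q1:Category>Desktop</q1:Category></q1:Policy>
      <q1:Policy><q1:Name>Configure Automatic Updates</q1:Name><q1:State>Enabled</q1:State>
        <q1:Category>Windows Components/Windows Update</q1:Category></q1:Policy>
    </Extension>
  </ExtensionData></Computer>
</GPO>
"@)
}

$rows = foreach ($report in $reports) { ConvertFrom-GpoReportXml -Report $report }
$rows | Export-Csv -NoTypeInformation -Path .\gpo-rationalization.csv
$rows | Group-Object Category | Select-Object Name, Count | Format-Table -AutoSize
```

The CSV is the artifact to walk through with the teams: the Category column gives you the buckets from the list above, and the Decision column is left blank on purpose so that every row gets an explicit Move or Drop rather than being carried forward by default. Note that rule order matters: "Disable the Security page" lands in Internet Explorer, not Security, because the product bucket is checked first.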
Based on the report, you will need to decide on the following:
Modernize with Workspace ONE Baselines: This option applies the same Local Group Policy settings you would see in gpedit on Windows 10, but they are delivered and managed from the cloud. This is the preferred option for those with more initial time to modernize their policies. Workspace ONE Baselines provide reporting and enforcement capabilities and reduce the long-term effort of managing the policy lifecycle from the Workspace ONE console. However, there is no ability to build your own baseline from scratch: you must start from one of the industry-standard templates, the Windows 10 Security Baseline or the CIS Benchmarks for Windows 10. Those templates can then be fully customized for your use-case.
Migrate with Workspace ONE AirLift: This option converts policies to their modern configuration service provider (CSP) equivalents. It is best for organizations wanting to quickly and easily move policies to Workspace ONE. However, you lose long-term flexibility to manage individual policy settings, because a group of settings is now contained within one Custom Settings (XML) profile in the Workspace ONE UEM console. In addition, there is currently no enforcement of these policies on the device: they are applied, but nothing checks and remediates them afterwards.
Note: For those who want enforcement capabilities, leverage Workspace ONE Baselines. There is also a VMware Fling called Policy Enforcer, which may be able to do some enforcement of these policies. However, this tool is a Fling and has not been tested thoroughly for this use-case. Policy Enforcer is used to check and remediate restriction policies on a Workspace ONE managed Windows 10 device.
Modernizing & Migrating
I will be leaving out all the detailed steps in this blog post; however, below are a few tips to consider:
- Think about the steps you will take to manage the transition, as well as the lifecycle of each policy. For example: first decide which policies will move; create or migrate each such policy/profile in Workspace ONE UEM; un-assign it from the domain; then assign the profile in Workspace ONE. Following that order avoids a window in which both the domain and Workspace ONE are writing the same setting.
- You may consider changing your device-based organizational units (OUs) to user-based ones, to align with user-based assignments in Workspace ONE. Another option is to map your Device Collections to Smart Groups in Workspace ONE, or to use Sensors with automated Tags from Workspace ONE Intelligence to create device-based Smart Groups.
- Consider: how do you properly handle policy collisions? Which policies take precedence, and how do you ensure enforcement of policies? I will cover these topics in my upcoming operational tutorial, so stay tuned!
- Don’t forget that you can also create profiles for matching policies, use our scripting capabilities, and leverage VMware Policy Builder!
Validation, Compliance, & Enforcement
Again, I will be covering these topics in detail in the upcoming operational tutorial; however, I wanted to share a few helpful tips so you can get started today!
- From an elevated command prompt on a managed Windows 10 device, run the following command to generate the MDM diagnostics report (MDMDiagReport.html in the output folder), which lists the configured modern policies, blocked Group Policies, and unmanaged policies. This validates what is actually configured on the device and is a great troubleshooting resource, as well.
%SystemRoot%\System32\MdmDiagnosticsTool.exe -out <Output Folder Path>
- Leverage the Policy Analyzer tool, part of the Microsoft Security Compliance Toolkit (SCT), to report the local policies applied to a device, to compare local policies against various baselines for validation, or even to compare baselines to each other.
- You may also find RSoP or gpresult helpful for validating pushed policies, but they report only Group Policy, not MDM-delivered settings, so they may not show all configured policies.
- As for compliance, Workspace ONE UEM 1910 introduced the ability to track the compliance of endpoints and monitor drift from the console, removing the need for 3rd-party tools to check compliance. Compliance status is reported in three tiers, compliant (100%), intermediate (85-99%), and non-compliant, for devices assigned a baseline built from the Windows 10 Security Baseline or the CIS Benchmarks for Windows 10. This feature allows admins to monitor and respond based on the level of compliance required by their InfoSec teams.
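To complement the diagnostics report and gpresult, here is an added example (my own illustration, not code from the original post or from VMware) that reports, for a handful of policies, whether the effective setting comes from MDM, from Group Policy, from both (the collision case), or is unmanaged. It reads the Policy CSP registry mirror under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device and the Group Policy registry hive under HKLM\SOFTWARE\Policies. The specific MDM-to-GP value pairs in the table are assumptions to verify against the Policy CSP documentation for your Windows build, and the snapshot at the end is constructed data so the script can be exercised without a managed device.

```powershell
# Added example (not from the original post or from VMware): classify each policy as
# MDM-managed, GP-only, a collision (both channels set it), or unmanaged.
# The MDM<->GP mappings below are assumptions; verify them against the Policy CSP docs.

$mdmRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

$checks = @(
    @{ Name = 'ControlPolicyConflict/MDMWinsOverGP'
       Mdm = "$mdmRoot\ControlPolicyConflict"; MdmValue = 'MDMWinsOverGP'; Expected = 1 }
    @{ Name = 'Defender/AllowRealtimeMonitoring'
       Mdm = "$mdmRoot\Defender"; MdmValue = 'AllowRealtimeMonitoring'; Expected = 1
       Gp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; GpValue = 'DisableRealtimeMonitoring' }
    @{ Name = 'Update/AllowAutoUpdate'
       Mdm = "$mdmRoot\Update"; MdmValue = 'AllowAutoUpdate'
       Gp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; GpValue = 'NoAutoUpdate' }
)

function Read-RegValue {
    param([string]$Path, [string]$Name, [hashtable]$Snapshot)
    # A snapshot hashtable stands in for the registry so the report can be exercised offline.
    if ($Snapshot) { return $Snapshot["$Path\$Name"] }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PolicySourceReport {
    param([array]$Checks, [hashtable]$Snapshot)
    foreach ($check in $Checks) {
        $mdm = Read-RegValue -Path $check.Mdm -Name $check.MdmValue -Snapshot $Snapshot
        $gp  = $null
        if ($check.Gp) { $gp = Read-RegValue -Path $check.Gp -Name $check.GpValue -Snapshot $Snapshot }

        # Which channel owns the setting on this device?
        if ($null -ne $mdm -and $null -ne $gp) { $source = 'Collision (MDM and GP both set)' }
        elseif ($null -ne $mdm)                { $source = 'MDM' }
        elseif ($null -ne $gp)                 { $source = 'GP only' }
        else                                   { $source = 'Unmanaged' }

        # Compare the MDM value against the expected value, when one is defined for the check.
        $meets = $null
        if ($check.ContainsKey('Expected')) { $meets = ($mdm -eq $check.Expected) }

        [pscustomobject]@{
            Policy        = $check.Name
            MdmValue      = $mdm
            GpValue       = $gp
            Source        = $source
            MeetsExpected = $meets
        }
    }
}

# Constructed snapshot (not captured from a real device): MDMWinsOverGP is set, Defender
# real-time protection is managed by MDM while a legacy GPO still writes the matching Defender
# key, and Windows Update is untouched by either channel.
$sample = @{
    "$mdmRoot\ControlPolicyConflict\MDMWinsOverGP" = 1
    "$mdmRoot\Defender\AllowRealtimeMonitoring"    = 1
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring' = 1
}
Get-PolicySourceReport -Checks $checks -Snapshot $sample | Format-Table -AutoSize

# On a managed device, drop -Snapshot to read the live registry (run elevated):
# Get-PolicySourceReport -Checks $checks | Format-Table -AutoSize
```

A Collision row is exactly the situation the transition order in the previous section is meant to avoid: the same setting is still linked in the domain and already delivered from Workspace ONE. Whether MDM or Group Policy wins that collision depends on the MDMWinsOverGP setting, which is why it is the first row in the table; the "Blocked Group Policies" section of MDMDiagReport.html remains the authoritative view of what the device actually did with the conflict.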
Hopefully, you have made it this far and are still reading! Below are a few resources to check out:
- VMware Hands-on Labs: Desktop Management with Workspace ONE UEM
- VMware Policy Builder
- Policy Enforcer Fling
I encourage you to share your feedback with me (social media profiles are on my Tech Zone user page). Let’s get the conversation started to ensure I address all of your concerns in the upcoming tutorial.