This Frequently Asked Questions (FAQ) article covers information about Windows Group Policy Change Control, Microsoft Advanced Group Policy Management retirement, and SDM Software’s solutions for addressing this challenge.
Q: Is there a solution that can completely replace Microsoft Advanced Group Policy Management (AGPM)?
A: Yes, SDM Software’s Change Manager for Group Policy/Intune (CMGPI) provides all the features of AGPM for Group Policy (and Intune) change control. These include the ability to check out, edit, approve, and deploy GPO changes or GPO link changes, as well as Intune configuration profile changes. It’s a more modern approach to GPO change control than what AGPM provides, and it includes many, many features that AGPM does not. It also supports all current versions of Windows and is actively being developed, unlike AGPM and other older solutions.
Q. Is there a way I can migrate my AGPM history to the new Group Policy management solution?
A: Yes, Change Manager for Group Policy/Intune (CMGPI) includes a utility that allows you to migrate AGPM history and backups directly into CMGPI. This way, you can retain all of your previous change control information and migrate seamlessly.
Q. Does the SDM Software Group Policy change control product include role-based access control to control who can edit and approve GPO changes?
A. Yes, Change Manager for Group Policy/Intune supports both product-based and object-based roles. There are roles to manage the product, create new GPOs, Audit GPO changes (read-only), and a “break glass” role that allows you to temporarily bypass approval-based workflows to support urgent changes. Object-level roles include editor, approver, and deployer, with the option to combine approver and deployer roles if needed.
Q. Can the SDM Software Group Policy change control product rollback GPO changes or restore deleted GPOs?
A. Yes, any change to a GPO, AD container, or Intune profile can be rolled back, which itself is subject to change control. In addition, you can view the differences between the versions of objects that have changed before you select one for rollback. And, if a GPO is deleted, you can restore it — again, using an approval-based workflow.
Q: Does SDM Software’s Group Policy change control product support all policy areas that native Group Policy does?
A. Yes, Change Manager for Group Policy/Intune uses native interfaces that allow any settings that can be managed via GPMC, supported in the product.
Q: Does Change Manager for Group Policy/Intune support change control for objects other than GPOs?
A. Yes! The product supports not only GPO changes through approval-based workflow, but also GPO linking changes on AD containers, as well as Intune configuration profiles. You can manage all of them from a single web interface.
Q. Does CMGPI support single-sign on (SSO) from Entra as well as MFA support on login?
A. Yes, you can configure Change Manager for Group Policy/Intune to allow Entra users and groups to authenticate and authorize against the product, including delegating the ability for synchronized Entra users to edit GPOs.
Q: Does SDM Software’s Group Policy change control product extend the MMC like AGPM?
A. Change Manager for Group Policy/Intune was developed from the ground up as a modern, web-based application that provides all the flexibility of a web application, with the power to manage traditional Windows technologies. Our product does allow you to edit GPOs using the familiar GPO Editor MMC snap-in.