Hi everyone. You may have heard by now that Microsoft’s venerable Advanced Group Policy Management (AGPM) tool will reach its end of life in April 2026. What does this mean? When software reaches end of life, it generally means that the vendor will no longer provide updates or security fixes for the product. This is not a surprising turn of events, given Microsoft’s current emphasis on all things Intune. But it does leave many of you out there with some work to do if you want to migrate away from this solution by next April. And while a year seems like a long time, when you throw in things like the typical purchase cycle in most organizations, budgeting and change freezes, it’s not really all that much time to make a plan and execute on it.
The first thing to understand about AGPM is its role in life. As I’ve come to learn, it was originally called “GPO Vault”, and was developed by a company that Microsoft acquired–DesktopStandard–that also provided the feature we know today as Group Policy Preferences. GPO Vault’s goal was to provide change control for GPO changes. If you’ve worked in Group Policy land long enough, you know that when you edit a GPO and modify a setting, the change you make is automatically live in your production Active Directory (AD) as soon as you press “OK”. That’s not great from a change management perspective for most organizations. Hence the need for some kind of approval-based workflow that could be used for GPO changes. There’s also an advantage in having tight control over GPO management from a security perspective. Many of the security risks that have been well documented by our founder, Darren Mar-Elia, on this blog relate to poor delegation management on critical GPOs. So having good change control over GPO changes would seem like an important thing to do.
And indeed many shops have implemented AGPM as a way of managing this problem. Unfortunately, the product has not received a lot of love from Microsoft over the years, and has languished with well-documented problems and limitations. We were lucky if we got updates to support the newest versions of Windows Server, let alone new features in the product. Now that it’s reaching its end of life, what’s next for those of you who are currently using it?
Life After AGPM
Well, for sure, the need for change control of your endpoint configuration management solutions does not go away when AGPM goes away. For those of you continuing to rely on Group Policy, it’s still an important need–more important than ever given the ever-growing risk of compromise of Active Directory out in the wild, and the use of GP as a way of facilitating that compromise. So what’s next? You would not be surprised to learn that SDM Software has a solution for you! Our Change Manager for Group Policy/Intune (CMGPI), which just released its latest 1.9 version, is a modern alternative to AGPM. Whereas AGPM relied on an older MMC snap-in to plug into GPMC, CMGPI provides a modern web interface, accessible from anywhere, that can provide change control for not only GPOs, but also the containers that they’re linked to and, in a nod to the new world that many organizations are now working in, Intune Configuration Profiles as well. If you are currently using AGPM and need to transition to something more supported and modern, we encourage you to visit the CMGPI website, learn a bit about CMGPI, and ask us for a demo. And ask us about how you can migrate your AGPM history data into CMGPI as you make the switch, to make the transition smoother and keep all that history you had with AGPM as you move into the modern era!