Long before I got into the software business, and even during that time, I was first and foremost, an IT guy. I have spent nearly 20 years of my 30+ years in technology in IT–mostly in large organizations. Much of that time, I worked as an infrastructure architect, focusing on how to maintain and improve systems, networks or capabilities to meet the growing needs of the business, and to track technology trends that were coming from industry and vendors. A key part of this was to look at where vendors like Microsoft were taking their technology, and figure out how (or if) we could take advantage of it.
What We Know
I tell you all this as an introduction to the topic of this blog post. Namely, how should you think about the future of Group Policy in your environment, as an IT professional–architect or systems administrator–who has responsibility for advising management about how to manage your systems going forward? This is a really interesting question, given the future of Group Policy as we know it. Here are some facts about GP in the typical enterprise:
- It is the de-facto, free, in-the-box technology for managing configuration on Windows desktops and, to some degree, servers.
- Almost every IT shop that has AD and runs Windows probably uses some Group Policy.
- Group Policy usage is actually increasing, not decreasing, if the results of a Group Policy Usage Survey we did recently are any indication (84% expected their GP usage to increase over time).
- Microsoft is *NOT* investing in Group Policy anymore. No new features are coming. New versions of Windows and their features are not guaranteed to be manageable via GP. This won’t change…ever. [I will say that Microsoft continues to rev their ADMX files as new versions of Windows 10 come out, in an attempt to policy-enable new Windows 10 features. I don’t know how long this will continue, but so far, so good.]
- Microsoft *IS* pushing their cloud-based solution, Intune, as an alternative to GP, even for domain joined systems (e.g. you can join current versions of Windows 10 to both on-prem AD and Azure AD, and have them essentially managed by both GP and Intune, or by one or the other). Intune is not free… 🙂
- The world is moving to the cloud, like it or not. So are endpoints. So is Active Directory. This will take a ton of time for many organizations, but it’s inevitable. And Microsoft will do everything they can to accelerate that trend.
Given these “truths”, how should you think about endpoint configuration management within your enterprise? I think the answer to that all depends upon where you are in your own business, with respect to cloud adoption and endpoint technology. If most of your users are moving to mobile devices, work-from-home systems or generally unmanaged, non-domain-joined PCs, then technologies like Intune, or other MDM solutions are probably the right thing to be looking at. That’s no great revelation frankly, and if you’re in that boat, you’re probably already going down that road. One thing to keep in mind however–if you are used to the 10,000 knobs and switches that Group Policy provides to tweak Windows configuration, you generally won’t find that in solutions like Intune. According to those solutions, “modern management” means not having so many knobs and switches to turn. Frankly, I think that’s a good thing and should be considered progress (more on that in a second) in the world of configuration management, as long as the things you really do need to configure (see below) are there. That’s not universally true in these solutions today, btw.
Preparing For A “Group Policy-less” Future
One day, the end of Group Policy will come. It probably won’t arrive in my IT lifetime, for better or worse. But as an IT engineer or architect, what can you do to help smooth the path to that future? You might be surprised to learn what I think, which is that you should start by doing less with Group Policy. Group Policy has always been complex. That complexity meant power, but it also meant, well…complexity. This isn’t the first time I’ve talked about doing too much with Group Policy either. I blogged three years ago about the things you should and should not configure with GP. That advice remains the same today. There is really only ONE THING (I know that’s a bold claim) you should be doing with Group Policy today. That one thing is…security configuration. I know that doesn’t sound so bold, but let’s dissect why it’s important. First, as I point out in that blog post, most areas of GP (e.g. Administrative Templates) simply perform obfuscation. That is, they hide UI elements in applications or Windows components, or otherwise prevent the user from doing something in some application; they don’t protect the underlying OS, or even the app or component, from anything beyond what users are doing with their keyboard and mouse. Frankly, I never liked the idea of this obfuscation, even as I merrily turned every dial I could for many years, to keep users “safe from themselves”.
By changing your mindset about these obfuscations, you will soon find your GP deployments become much simpler. Yes, I know that you still probably need to map drives and printers (why ohhh why???) and do other sorts of trickery within your user population, but the single most important thing you NEED to do with Group Policy is secure the Windows OS. Whether it’s local group memberships, user rights assignments, security options that tighten down the core OS features, Windows Firewall configuration, or AppLocker application whitelisting, these are the things you should focus on in GP. I would argue that this is really the only thing you should focus on in GP. Doing so will have two benefits:
- It will simplify your GP deployment and cause fewer operational headaches in the short-to-medium term
- It will make it easier to migrate off of GP when the time inevitably comes around.
I realize that you may read this and think you couldn’t possibly rip out all those Admin Template settings that you’ve carefully cultivated over the years, but I urge you to take some time to review what you’re doing in Group Policy today, and, in the words of some unknown self-help guru, “Simplify, Simplify, Simplify”. Start with that silly policy that stops users from running regedit. If your users can screw up the registry, then you’re not securing the OS the way you need to–Stop That.
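As an added example (my own illustration, not code from the original post), here is a PowerShell function that reads the XML produced by Get-GPOReport and sorts each GPO into security-only, Administrative-Templates-only, mixed or operational, so the review suggested above has somewhere to start. It also lists the Administrative Template policy names a GPO carries, which is where a setting like “Prevent access to registry editing tools” would show up. It assumes the extension type names that appear in the report’s xsi:type attributes (SecuritySettings, RegistrySettings, WindowsFirewallSettings, AuditSettings); the AppLocker type name is an assumption, and the embedded sample report is constructed so the function can be run without a domain.

```powershell
# Added example, not code from the original post. Classifies each GPO in a
# Get-GPOReport XML report by the client-side extensions it carries, so you can
# see which GPOs do real OS hardening and which only carry Administrative
# Template (registry) tweaks. Type names come from the xsi:type attribute on
# each <Extension> element; the AppLocker name below is an ASSUMPTION.

$SecurityExtensionTypes = @(
    'SecuritySettings',         # local groups, user rights, security options
    'WindowsFirewallSettings',  # Windows Firewall with Advanced Security
    'AuditSettings',            # advanced audit policy
    'AppLockerSettings'         # assumed name for the AppLocker extension
)
$AdminTemplateTypes = @('RegistrySettings')  # Administrative Templates

function Get-GpoSettingsProfile {
    # Parses the XML from Get-GPOReport -ReportType Xml (single GPO or -All)
    # and returns one object per GPO with a Category:
    #   SecurityOnly       - only hardening extensions: keep
    #   AdminTemplatesOnly - only Administrative Templates: review first
    #   Mixed / Operational / Empty
    param([Parameter(Mandatory)][string]$ReportXml)

    $xsi = 'http://www.w3.org/2001/XMLSchema-instance'
    $doc = [xml]$ReportXml
    # local-name() XPath avoids having to register the report's namespaces
    foreach ($gpo in $doc.SelectNodes("//*[local-name()='GPO']")) {
        $name        = $gpo.SelectSingleNode("*[local-name()='Name']").InnerText
        $types       = @()
        $policyNames = @()
        foreach ($ext in $gpo.SelectNodes(".//*[local-name()='Extension']")) {
            $t = $ext.GetAttribute('type', $xsi)
            if (-not $t) { continue }
            $t = $t.Split(':')[-1]           # drop the "q1:" prefix
            $types += $t
            if ($AdminTemplateTypes -contains $t) {
                # Administrative Template entries are <Policy><Name>..</Name> nodes
                foreach ($p in $ext.SelectNodes(".//*[local-name()='Policy']")) {
                    $policyNames += $p.SelectSingleNode("*[local-name()='Name']").InnerText
                }
            }
        }
        $types = @($types | Sort-Object -Unique)
        $sec   = @($types | Where-Object { $SecurityExtensionTypes -contains $_ })
        $adm   = @($types | Where-Object { $AdminTemplateTypes -contains $_ })
        $other = @($types | Where-Object {
                    ($SecurityExtensionTypes -notcontains $_) -and ($AdminTemplateTypes -notcontains $_) })

        $category = if ($types.Count -eq 0) { 'Empty' }
                    elseif ($sec.Count -gt 0 -and $adm.Count -eq 0 -and $other.Count -eq 0) { 'SecurityOnly' }
                    elseif ($sec.Count -eq 0 -and $adm.Count -gt 0) { 'AdminTemplatesOnly' }
                    elseif ($sec.Count -gt 0) { 'Mixed' }
                    else { 'Operational' }

        [pscustomobject]@{
            Name                  = $name
            Category              = $category
            SecurityExtensions    = ($sec -join ', ')
            OtherExtensions       = (($adm + $other) -join ', ')
            AdminTemplatePolicies = ($policyNames -join '; ')
        }
    }
}

# Constructed sample report (two GPOs) so the function runs offline.
$SampleReport = @'
<report xmlns="http://www.microsoft.com/GroupPolicy/Settings"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <GPO>
    <Name>Workstation Hardening</Name>
    <Computer>
      <Enabled>true</Enabled>
      <ExtensionData>
        <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security" xsi:type="q1:SecuritySettings"/>
        <Name>Security</Name>
      </ExtensionData>
      <ExtensionData>
        <Extension xmlns:q2="http://www.microsoft.com/GroupPolicy/Settings/WindowsFirewall" xsi:type="q2:WindowsFirewallSettings"/>
        <Name>Windows Firewall</Name>
      </ExtensionData>
    </Computer>
  </GPO>
  <GPO>
    <Name>Lock Down Users</Name>
    <User>
      <Enabled>true</Enabled>
      <ExtensionData>
        <Extension xmlns:q3="http://www.microsoft.com/GroupPolicy/Settings/Registry" xsi:type="q3:RegistrySettings">
          <q3:Policy>
            <q3:Name>Prevent access to registry editing tools</q3:Name>
            <q3:State>Enabled</q3:State>
          </q3:Policy>
        </Extension>
        <Name>Registry</Name>
      </ExtensionData>
    </User>
  </GPO>
</report>
'@

Get-GpoSettingsProfile -ReportXml $SampleReport | Format-Table -AutoSize
# Against a live domain (GroupPolicy module from RSAT), start with the GPOs
# that carry nothing but Administrative Templates:
# Get-GpoSettingsProfile -ReportXml (Get-GPOReport -All -ReportType Xml) |
#     Where-Object Category -eq 'AdminTemplatesOnly' | Format-List
```

On the sample, “Workstation Hardening” comes out as SecurityOnly and “Lock Down Users” as AdminTemplatesOnly with the registry-tools policy listed, which is exactly the kind of GPO to review first. Drive maps, printers and similar extensions fall into Operational rather than being flagged, since the post treats those as things you still probably need.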
Good luck and let me know if I can help.