Convert Group Policies into Configuration Manager Baselines

Group Policies are good for applying settings in your environment, but there is one key issue with Group Policies. You can roll out settings, but there is no central reporting. As an administrator, you have different options:
- Apply settings through Group Policy and check settings using Configuration Baselines with Configuration Manager
- Apply settings through Configuration Manager Baselines and check compliance as well
This post will show you how to convert Group Policies to Configuration Items. For me, it is super important to ensure that all devices are covered with important settings. This solution is a proof of concept - I haven't done extensive testing.
I tested this script against three different Group Policy objects:
- Microsoft LAPS
- Windows Updates
- Credential Guard
This POC aims to demonstrate that you can use automation to streamline your daily tasks.
Requirements
- One server / workstation where you have the following software
  o Configuration Manager Admin Console
  o Group Policy Management Console
- Test Group Policy Objects
- Read access on Group Policy Objects
- Permission to create Configuration Items
High-level steps
- Download the script from my GitHub page
  a. https://github.com/Kaidja/Configuration-Manager/blob/master/ConvertGPOTO-CMConfigurationItem.ps1
- Open the script with PowerShell ISE or Visual Studio Code
- Modify line 24 and enter the Group Policy Object name
- Run the script
- Check the Configuration Items from the Configuration Manager Console
Script details
The Get-GPSettings function reads the Group Policy Object and finds the registry keys that the GPO would configure on the target machine.
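
To review what a GPO would write before turning it into Configuration Items, the registry-based settings can be listed with the GroupPolicy module. The following is an added example, not the script from the GitHub page; the function name Get-GpoRegistrySetting, the GPO name, and the suggested data type column are assumptions made for illustration.

```powershell
#Requires -Modules GroupPolicy

function Get-GpoRegistrySetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GpoName,
        # Roots where registry-based policy settings are normally written.
        [string[]]$RootKey = @(
            'HKLM\Software\Policies',
            'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies',
            'HKCU\Software\Policies',
            'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
        )
    )
    foreach ($key in $RootKey) {
        try {
            $items = Get-GPRegistryValue -Name $GpoName -Key $key -ErrorAction Stop
        } catch {
            # The GPO configures nothing under this key; move on to the next root.
            Write-Verbose "No registry settings under $key"
            continue
        }
        foreach ($item in $items) {
            if ([string]::IsNullOrEmpty($item.ValueName)) {
                # Entry is a subkey, not a value: walk into it.
                Get-GpoRegistrySetting -GpoName $GpoName -RootKey $item.FullKeyPath
                continue
            }
            # 'Delete' entries remove a value, so there is no expected data to check.
            if ($item.PolicyState -ne 'Set') { continue }
            # Suggested mapping to a compliance data type (assumption; review each row).
            $ciType = switch -Regex ([string]$item.Type) {
                '^(DWord|QWord)$'         { 'Integer' }
                '^(String|ExpandString)$' { 'String' }
                '^MultiString$'           { 'StringArray' }
                default                   { 'Unmapped' }
            }
            [pscustomobject]@{
                Hive = $item.Hive; Key = $item.KeyPath; ValueName = $item.ValueName
                Type = $item.Type; Expected = $item.Value; SuggestedCIType = $ciType
            }
        }
    }
}

$gpoName = 'Example - Credential Guard'             # constructed placeholder name
Get-GPO -Name $gpoName -ErrorAction Stop | Out-Null # stop early if the GPO is missing
Get-GpoRegistrySetting -GpoName $gpoName |
    Sort-Object Hive, Key, ValueName | Format-Table -AutoSize
```

Rows marked Unmapped (for example binary values) need a manual decision before a compliance rule is written for them.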

After we have identified the necessary registry keys, we can import the Configuration Manager PowerShell module and create the Configuration Items using the New-CMConfigurationItem cmdlet.

Summary
As you see from this proof of concept, you can create awesome solutions. Settings management can be challenging, but we have the tools to simplify it. Test the scripts in a test lab first and if everything seems OK, then move to production.