
Convert Group Policies into Configuration Manager Baselines

Introduction

Group Policies are good for applying settings in your environment, but there is one key issue with Group Policies. You can roll out settings, but there is no central reporting. As an administrator, you have different options:

  • Apply settings through Group Policy and check settings using Configuration Baselines with Configuration Manager
  • Apply settings through Configuration Manager Baselines and check compliance as well

This post will show you how to convert Group Policies into Configuration Items. For me, it is super important to ensure that all devices are covered by the important settings. This solution is a proof of concept; I haven't done extensive testing.

I tested this script against three different Group Policy objects:

  • Microsoft LAPS
  • Windows Updates
  • Credential Guard

This POC aims to demonstrate that you can use automation to streamline your daily tasks.

Requirements

To implement this solution, you need the following things:

  • One server / Workstation where you have the following software
    • Configuration Manager Admin Console
    • Group Policy Management Console
  • Test Group Policy Objects
  • Read access on Group Policy Objects
  • Permission to create Configuration Items

High-level steps

  1. Download the script from my GitHub page
  2. Open the script with PowerShell ISE or Visual Studio Code
  3. Modify line 24 and enter the Group Policy Object name
  4. Run the script
  5. Check the Configuration Items from the Configuration Manager Console

Script details

The Get-GPSettings function reads the Group Policy Object and recursively identifies the registry values that the GPO would configure on the target machine (it descends into subkeys and emits only entries that carry a value name). The first part of the script defines that function and collects the settings; the second part imports the Configuration Manager PowerShell module and creates the Configuration Items with the New-CMConfigurationItem cmdlet.

				
					<#
    =================================================================================
    DISCLAIMER:
    This script is provided "as-is" with no warranties. Usage of this script is at
    your own risk. The author is not liable for any damages or losses arising from
    using this script. Please review the full legal disclaimer at:
    https://kaidojarvemets.com/legal-disclaimer/
    =================================================================================
#>
Function Get-GPSettings {

    Param( 
        [string]$Key, 
        [string]$GPOName 
    )

        $CurrentRegKey = Get-GPRegistryValue -Name $GPOName -Key $Key

        If($CurrentRegKey -eq $null){ 
             
        } 
        Foreach ($RegKey in $CurrentRegKey) { 
            If ($RegKey.ValueName -ne $null){
                Write-Output $RegKey
            } 
            Else{
                Get-GPSettings -Key $RegKey.FullKeyPath -GPOName $GPOName
            } 
        }
            
}
################# SCRIPT ENTRY POINT ##################
$GPOName = 'Credential Guard'
#$GPOName = 'Windows Update'
#$GPOName = 'Microsoft LAPS'

$Key = 'HKLM\Software\Policies'
$Settings = Get-GPSettings -Key $Key -GPOName $GPOName
				
			

After we have identified the necessary registry values, we can import the Configuration Manager PowerShell module and create the Configuration Items using the New-CMConfigurationItem cmdlet.

				
					<#
    =================================================================================
    DISCLAIMER:
    This script is provided "as-is" with no warranties. Usage of this script is at
    your own risk. The author is not liable for any damages or losses arising from
    using this script. Please review the full legal disclaimer at:
    https://kaidojarvemets.com/legal-disclaimer/
    =================================================================================
#>
#Import Configuration Manager PowerShell Module
Import-Module $env:SMS_ADMIN_UI_PATH.Replace("\bin\i386","\bin\configurationmanager.psd1")
$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-Location "$($SiteCode.Name):\"

foreach($GPSetting in $Settings){
    Switch($GPSetting.Value.GetType().Name){
            'Int32'{$DataType = 'Integer'; Break}
            'String'{$DataType = 'String'; Break}
    }

    $CIProperties = @{
        SettingName = $GPSetting.ValueName;
        RuleName = $GPSetting.ValueName + " must be " + $GPSetting.Value;
        DataType = $DataType;
        Hive = 'LocalMachine';
        KeyName = $GPSetting.KeyPath;
        ValueName = $GPSetting.ValueName;
        ValueRule = $True;
        ExpressionOperator = 'IsEqual';
        ExpectedValue = $GPSetting.Value
    }

    New-CMConfigurationItem -Name "CI WRK - $GPOName - $($GPSetting.ValueName)" -CreationType WindowsOS | 
    Add-CMComplianceSettingRegistryKeyValue @CIProperties
}
				
			
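The following is an added example, not the script from the post. It generalizes the two parts above: it walks both the Computer (HKLM) and User (HKCU) policy roots instead of only HKLM\Software\Policies, derives the hive for each Configuration Item from FullKeyPath instead of hardcoding LocalMachine, chooses the Configuration Manager data type from the registry value kind that Get-GPRegistryValue reports in its Type property (so REG_EXPAND_SZ is handled and REG_BINARY / REG_MULTI_SZ are skipped with a warning rather than mis-typed), and finally groups the created items into one baseline with New-CMBaseline and Set-CMBaseline. The GPO name and baseline name are placeholders, and the example assumes the GroupPolicy and ConfigurationManager modules are available as in the post's scripts.

```powershell
# Added example (not from the original post): GPO registry values -> CIs -> one baseline.
# Assumptions: GroupPolicy and ConfigurationManager modules are importable; names are placeholders.
Import-Module GroupPolicy
Import-Module $env:SMS_ADMIN_UI_PATH.Replace("\bin\i386", "\bin\configurationmanager.psd1")

$GPOName      = 'Credential Guard'          # placeholder: GPO to convert
$BaselineName = "Baseline - $GPOName"       # placeholder: baseline that collects the CIs

# Registry value kind (RegistryValueKind name from the Type property) -> CM data type.
# Kinds missing here (Binary, MultiString, QWord) have no direct single-value rule and are skipped.
$KindToCMType = @{
    'DWord'        = 'Integer'
    'String'       = 'String'
    'ExpandString' = 'String'
}

# Same recursive walk as the post's Get-GPSettings: subkeys are descended, values are emitted.
# -ErrorAction SilentlyContinue covers a root the GPO does not touch at all.
Function Get-GPOValues {
    Param([string]$Name, [string]$Key)
    $Entries = Get-GPRegistryValue -Name $Name -Key $Key -ErrorAction SilentlyContinue
    foreach ($Entry in $Entries) {
        if ($Entry.ValueName) { $Entry }
        else { Get-GPOValues -Name $Name -Key $Entry.FullKeyPath }
    }
}

# Hive prefix of FullKeyPath -> value accepted by -Hive on Add-CMComplianceSettingRegistryKeyValue
Function Get-CMHive {
    Param([string]$FullKeyPath)
    switch -Wildcard ($FullKeyPath) {
        'HKEY_LOCAL_MACHINE\*' { 'LocalMachine' }
        'HKEY_CURRENT_USER\*'  { 'CurrentUser' }
        default                { $null }
    }
}

# Collect values from both policy roots (Computer and User Configuration)
$Values = foreach ($Root in 'HKLM\Software\Policies', 'HKCU\Software\Policies') {
    Get-GPOValues -Name $GPOName -Key $Root
}
if (-not $Values) {
    Write-Warning "GPO '$GPOName' configures no registry values under the policy roots; nothing to convert"
    return
}

$SiteCode = Get-PSDrive -PSProvider CMSITE
Push-Location "$($SiteCode.Name):\"
try {
    $CIs = foreach ($Value in $Values) {
        $DataType = $KindToCMType[$Value.Type.ToString()]
        $Hive     = Get-CMHive -FullKeyPath $Value.FullKeyPath
        if (-not $DataType -or -not $Hive) {
            Write-Warning "Skipping $($Value.FullKeyPath)\$($Value.ValueName): kind '$($Value.Type)' or hive not supported"
            continue
        }
        $Rule = @{
            SettingName        = $Value.ValueName
            RuleName           = "$($Value.ValueName) must be $($Value.Value)"
            DataType           = $DataType
            Hive               = $Hive
            KeyName            = $Value.KeyPath
            ValueName          = $Value.ValueName
            ValueRule          = $true
            ExpressionOperator = 'IsEqual'
            ExpectedValue      = $Value.Value
        }
        # Create the CI, attach its single rule, and keep the CI object for the baseline step
        $CI = New-CMConfigurationItem -Name "CI WRK - $GPOName - $($Value.ValueName)" -CreationType WindowsOS
        $CI | Add-CMComplianceSettingRegistryKeyValue @Rule | Out-Null
        $CI
    }

    if ($CIs) {
        # Create the baseline once, then add every CI created above by its CI_ID
        if (-not (Get-CMBaseline -Name $BaselineName)) {
            New-CMBaseline -Name $BaselineName | Out-Null
        }
        Set-CMBaseline -Name $BaselineName -AddOSConfigurationItem @($CIs | ForEach-Object { $_.CI_ID })
        Write-Output "Added $(@($CIs).Count) configuration item(s) to baseline '$BaselineName'"
    }
}
finally {
    Pop-Location
}
```

Running it twice with the same GPO name creates duplicate CIs, because New-CMConfigurationItem does not check for an existing item with the same name; in a real deployment, look the name up with Get-CMConfigurationItem first, or include a version in the CI name. Keying the type mapping on the registry value kind rather than on the .NET type of Value is what lets the table say explicitly which kinds are supported, and the warning makes every skipped setting visible so the baseline never silently covers less than the GPO does.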

Summary

As you can see from this proof of concept, you can create powerful solutions. Managing settings can be challenging, but with the right tools, we can simplify it. Remember to test the scripts in a test lab first, and if everything seems OK, then move to production.


Contact me

If you're interested in converting Group Policies into Configuration Manager Baselines, I can help you understand how this solution can benefit your organization and provide a customized solution tailored to your specific needs.
