Introduction
Group Policies are good for applying settings in your environment, but there is one key issue with Group Policies. You can roll out settings, but there is no central reporting. As an administrator, you have different options:
- Apply settings through Group Policy and check settings using Configuration Baselines with Configuration Manager
- Apply settings through Configuration Manager Baselines and check compliance as well
This post will show you how to convert Group Policies to Configuration Items. For me, it is super important to ensure that all devices are covered with important settings. This solution is a proof of concept – I haven’t done extensive testing.
I tested this script against three different Group Policy objects:
- Microsoft LAPS
- Windows Updates
- Credential Guard
This POC aims to demonstrate that you can use automation to streamline your daily tasks.
Requirements
To implement this solution, you need the following things:
- One server / workstation where you have the following software
  - Configuration Manager Admin Console
  - Group Policy Management Console
- Test Group Policy Objects
- Read access on Group Policy Objects
- Permission to create Configuration Items
High-level steps
- Download the script from my GitHub page
- Open the script with PowerShell ISE or Visual Studio Code
- Modify line 24 and enter the Group Policy Object name
- Run the script
- Check the Configuration Items from the Configuration Manager Console
Script details
The Get-GPSettings function reads the Group Policy Object recursively, starting at HKLM\Software\Policies, and returns the registry values that the GPO would configure on the target machine.
<#
=================================================================================
DISCLAIMER:
This script is provided "as-is" with no warranties. Usage of this script is at
your own risk. The author is not liable for any damages or losses arising from
using this script. Please review the full legal disclaimer at:
https://kaidojarvemets.com/legal-disclaimer/
=================================================================================
#>
Function Get-GPSettings {
    Param(
        [string]$Key,
        [string]$GPOName
    )
    # Read the registry-based policy settings stored under $Key in the GPO
    $CurrentRegKey = Get-GPRegistryValue -Name $GPOName -Key $Key
    # Nothing is configured under this key, so stop descending
    If ($null -eq $CurrentRegKey) {
        return
    }
    Foreach ($RegKey in $CurrentRegKey) {
        If ($null -ne $RegKey.ValueName) {
            # A registry value: emit it
            Write-Output $RegKey
        }
        Else {
            # A subkey: recurse into it
            Get-GPSettings -Key $RegKey.FullKeyPath -GPOName $GPOName
        }
    }
}
################# SCRIPT ENTRY POINT ##################
$GPOName = 'Credential Guard'
#$GPOName = 'Windows Update'
#$GPOName = 'Microsoft LAPS'
$Key = 'HKLM\Software\Policies'
$Settings = Get-GPSettings -Key $Key -GPOName $GPOName
After we have identified the necessary registry keys, we can import the Configuration Manager PowerShell module and create the Configuration Items using the New-CMConfigurationItem cmdlet.
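# Import the Configuration Manager PowerShell module
Import-Module $env:SMS_ADMIN_UI_PATH.Replace("\bin\i386","\bin\configurationmanager.psd1")
# Switch to the site drive so the Configuration Manager cmdlets can run
$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-Location "$($SiteCode.Name):\"
foreach ($GPSetting in $Settings) {
    # Map the .NET type of the policy value to a Configuration Item data type
    $DataType = $null
    Switch ($GPSetting.Value.GetType().Name) {
        'Int32'  { $DataType = 'Integer'; Break }
        'String' { $DataType = 'String'; Break }
    }
    # Skip value types the mapping does not cover instead of reusing the
    # data type left over from the previous setting
    If ($null -eq $DataType) {
        Write-Warning "Skipping $($GPSetting.ValueName): unsupported value type"
        Continue
    }
    $CIProperties = @{
        SettingName        = $GPSetting.ValueName;
        RuleName           = $GPSetting.ValueName + " must be " + $GPSetting.Value;
        DataType           = $DataType;
        Hive               = 'LocalMachine';
        KeyName            = $GPSetting.KeyPath;
        ValueName          = $GPSetting.ValueName;
        ValueRule          = $True;
        ExpressionOperator = 'IsEqual';
        ExpectedValue      = $GPSetting.Value
    }
    # One Configuration Item per registry value, with a rule that the value must equal the GPO value
    New-CMConfigurationItem -Name "CI WRK - $GPOName - $($GPSetting.ValueName)" -CreationType WindowsOS |
        Add-CMComplianceSettingRegistryKeyValue @CIProperties
}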
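A dry-run preview of the mapping described above, as an added example that is not part of the original script: the hypothetical helper Convert-GPSettingToCIPlan lists the Configuration Items the loop would create, derives the data type from the Type property of each setting, and flags unsupported value kinds and duplicate CI names. The sample settings are constructed, so the block runs without the GroupPolicy or Configuration Manager modules.

```powershell
# Added example. Convert-GPSettingToCIPlan is a hypothetical helper name.
function Convert-GPSettingToCIPlan {
    param(
        [Parameter(Mandatory)] [string]   $GPOName,
        [Parameter(Mandatory)] [object[]] $Settings
    )
    $plan = foreach ($s in $Settings) {
        # Registry value kind -> CI data type; $null marks kinds this mapping does not cover.
        $dataType = switch ([string]$s.Type) {
            'DWord'        { 'Integer' }
            'String'       { 'String' }
            'ExpandString' { 'String' }
            default        { $null }
        }
        [pscustomobject]@{
            CIName    = "CI WRK - $GPOName - $($s.ValueName)"
            KeyName   = $s.KeyPath
            ValueName = $s.ValueName
            DataType  = $dataType
            Expected  = $s.Value
            Action    = if ($dataType) { 'Create' } else { "Skip ($($s.Type))" }
        }
    }
    # The CI name is built from the value name only, so the same value name under
    # two different keys yields two CIs with one name. Flag those for review.
    $dupes = @($plan | Group-Object CIName | Where-Object Count -gt 1 | ForEach-Object Name)
    foreach ($p in $plan) {
        if ($dupes -contains $p.CIName) { $p.Action += ' [duplicate name]' }
    }
    $plan
}

# Constructed sample input shaped like Get-GPRegistryValue output (illustrative values).
# Real objects carry Type as a RegistryValueKind; the [string] cast above handles both.
$sample = @(
    [pscustomobject]@{ KeyPath = 'Software\Policies\Microsoft\Windows\DeviceGuard'
                       ValueName = 'EnableVirtualizationBasedSecurity'; Type = 'DWord'; Value = 1 }
    [pscustomobject]@{ KeyPath = 'Software\Policies\Microsoft\Windows\DeviceGuard'
                       ValueName = 'LsaCfgFlags'; Type = 'DWord'; Value = 1 }
    [pscustomobject]@{ KeyPath = 'Software\Policies\Example'
                       ValueName = 'ExampleList'; Type = 'MultiString'; Value = @('a', 'b') }
)
Convert-GPSettingToCIPlan -GPOName 'Credential Guard' -Settings $sample |
    Format-Table CIName, DataType, Expected, Action -AutoSize
```

Passing the real `$Settings` from Get-GPSettings instead of `$sample` gives a reviewable list before anything is written to the site.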
Summary
As you can see from this proof of concept, you can create powerful solutions. Managing settings can be challenging, but with the right tools, we can simplify it. Remember to test the scripts in a test lab first, and if everything seems OK, then move to production.