Take a second and think of something you wish you could do in Group Policy but currently can't. Whatever you thought of, I would be willing to bet that PolicyPak Group Policy Edition can handle it!

Joseph Moody

Joseph Moody is a network admin for a public school system and helps manage 5,500 PCs. He is a Microsoft Most Valuable Professional (MVP) in Cloud and Datacenter Management and blogs at DeployHappiness.com.

You might wish for an easy way to pin apps to the Start screen or taskbar. Or you might want a way to let standard users securely self-elevate certain user account control (UAC) prompts. Personally, I would love to deploy Always On VPN user profiles with Group Policy.

When I first started working with PolicyPak, I kept discovering feature after feature—ones I didn't even know were possible. These range from simple things like Item-Level Targeting on administrative template settings to centralized remote approval for UAC prompts. Before we get too far ahead into this review of PolicyPak Group Policy Edition, let's look at the evolution of Group Policy and how it fits into our current world of "modern" management.

What Group Policy can't do

To manage a Windows 10 environment completely, Microsoft would like you to use System Center Configuration Manager (SCCM) or Intune along with the native settings available through Group Policy. Other than security fixes, Microsoft treats Group Policy as a feature-complete, finished product. This has created an atmosphere in which some newer features are supported exclusively on newer management tools even though a tool like Group Policy could handle them. A perfect case of this concerns the deployment options for Always-On VPN user profiles. Group Policy doesn't have this feature. Leaving key features out of Group Policy is shortsighted on Microsoft's part, and it pushes customers to figure out what to do by themselves.

Along with new features, Windows 10 has introduced problems not fully solvable with the current toolset. This is true even if you have the additional management features available via SCCM or Intune. For example, you might have to hack together a way to manage file associations or Start screen groups in a way that just band-aids over the problem.

Sometimes, it can even feel like Microsoft releases new client features without providing the ability to manage them. Personally, I've dealt with this when configuring some of the new Defender and file content features. These pain points highlight the modern world of Windows management. Completely managing your clients requires an upgrade to Group Policy, and that upgrade is PolicyPak.

What can PolicyPak do for you?

As I stated in the introduction, it can do a lot! You can think of PolicyPak in two ways. First, it is the third leg of Group Policy that sits alongside or extends the existing policies and preferences components. It fills in the management gaps discussed in the prior section. Second, it is a new management suite because it provides an incredible number of new capabilities.

Deploying PolicyPak is dead simple—it provides an MSI file to expand the Group Policy Management Console and install the additional client-side extensions. When editing a Group Policy Object (GPO), you'll see a new PolicyPak section. Expand it to see that PolicyPak actually includes close to a dozen components. The next sections will focus on those I found most useful.

Each PolicyPak component as seen in a GPO

Lock down any application

PolicyPak's original component and its most notable feature is the PolicyPak Applications Settings Manager. This component is an easy-to-use mixture of Group Policy administrative template control and what feels like PowerShell Desired State Configuration.

With it, you can take virtually any application and control it with Group Policy. It eliminates the clunkier methods to control application settings, such as custom registry entries or editing an MSI. A Pak controls each application, and PolicyPak's repository holds an impressive set of free preconfigured Paks.

If you've ever wanted to push policies for Firefox, Java, or even some of the unmanageable settings in IE or Skype, you'll want to start with the PolicyPak Application Manager component. Unlike pushing a registry key or INI file, this component can perform your changes as actual policies.

This means end users can't edit them. For a full list of preconfigured application Paks, see this link. If you have a custom app or don't see an application listed on that page, you can use the included DesignStudio tool to map settings into a new Pak.

Flexible privileges and permissions

The Least Privilege Manager component might be the coolest feature in this entire suite. It removes the rigidity of UAC and provides a customizable way to secure your computers. As with all the other features in PolicyPak, you configure and deploy the settings with Group Policy.

The first thing I love about Least Privilege Manager is the ability to "override UAC" and allow promptless access to core Windows components. Currently, standard users can't manage things like network settings or run some built-in troubleshooting tools. As your organization's admin, you can selectively enable certain components without providing administrative access to the whole machine. Now your mobile users can configure network settings on their laptops, or staff can run the audio diagnostics troubleshooting wizard if their speakers stop working.

Least Privilege Manager can also selectively and silently elevate certain applications for standard users. Essentially, you can use Group Policy to whitelist certain applications or processes to self-elevate so they bypass UAC.

Following Microsoft's best practice, I am a standard user on my machine. Because of this, UAC constantly prompts me when using basic tools (VSCode, Sysinternals tools, Orca, etc.). Least Privilege Manager can tell my computer to trust and elevate these specific tools while keeping my machine secure (with me running with standard user rights). To see this in action, jump to the two-minute mark in this video to see Process Monitor running as a standard user.

By using an Admin Approval policy, you can also replace the UAC prompt that appears when an elevation request occurs. With this upgraded UAC prompt, you can do things like remotely approve elevation requests. This is true even for off-premises machines. I can see this feature being very useful for remote workers or when staff are at a conference.

Configuring an Admin Approval policy for remote UAC elevation

Fixing Windows 10 management

The final components I want to highlight are the additional management features PolicyPak makes available for Windows 10. These include:

  • Managing the Start screen
  • Managing the taskbar
  • Configuring file associations

Pinning 3D Viewer to the taskbar in Windows 10

Each extension includes an intuitive wizard that gives you complete control over that area of Windows 10. For example, you can pin a single app to the Start screen or create a group for the Start screen. Each action can either append or replace existing items.

Optional tools also allow you to take a preconfigured golden machine and output its configuration for use in a policy. This is so much more powerful than generating something like a Start screen XML because you get granular control of specific pinnings or groups.

As a bonus, you can use Item-Level Targeting (ILT) to control exactly under what conditions each policy is processed. If you manage any number of Windows 10 machines, these three features alone should make the PolicyPak suite worth it to you!

Final thoughts on PolicyPak

Personally, I believe Microsoft should buy PolicyPak and integrate it as they did with DesktopStandard’s Group Policy Preferences. Build it into the next version of Windows 10 and say, "Voilà, we've now updated Group Policy to do all of these awesome things!"

Until then, PolicyPak is both the solution and evolution for Windows client management. There is a lot to love about PolicyPak Group Policy Edition! The product is mature and feature rich. The support is top-notch. Nearly every feature has a how-to video and detailed instructions in the manual.

Oh, and Always-On VPN profiles via Group Policy? PolicyPak says that’s coming soon.

You can evaluate PolicyPak here.

4 Comments
  1. Jason Fossen 8 months ago

    I agree, PolicyPak is great, I wish Microsoft would just buy the company and build PolicyPak into Windows by default, I've been recommending it to others for years.

  2. Peter 8 months ago

    How do you manage policy pack at a large scale? Is there a central management console? Does it work over WAN?

  3. Jeremy Moskowitz 8 months ago

    Thanks Jason.. 🙂  Good to hear from you ol' pal ! For now, PolicyPak is a "solo artist" with no plans for Microsoft buy-out. 🙂 And Peter.. PolicyPak works at scale the same way that Group Policy works at scale..  just run the GP editor and you're off to the races. If you need to manage NON-domain joined machines, that's what PolicyPak Cloud or PolicyPak MDM is all about. Just take your on-prem directives, and you're good to export them for immediate use with PP Cloud or PP MDM.

    You can also call us at 800-883-8002 to start a trial.. would love to hear from you all. Thanks ! -Jeremy Moskowitz

  4. Mark Gilbert 6 months ago

    I did the webinar and was really impressed by the product but with a 100 seat minimum, I really think they have not done enough research into the MSP business model unless they are targeting very large MSP's. Most large companies with 100 users will most likely have a domain controller. The cloud solution is really a great solution for the smaller companies who could benefit from a domain controller but cannot justify the cost of buying and maintaining a domain controller. The 5-20 user companies. Forcing an MSP to either pay the difference in used licenses or get a bunch of companies to show interest and make them wait till you hit the 100 user mark is a bad business decision. Allowing small MSP's 1 year to hit the 100 user quantity is the better way to go and the direction many MSP/channel SAS providers are going.

© 4sysops 2006 - 2019
