By Joseph Moody
You might wish for an easy way to pin apps to the Start screen or taskbar. Or you might want a way to let standard users securely self-elevate certain user account control (UAC) prompts. Personally, I would love to deploy Always On VPN user profiles with Group Policy.
When I first started working with PolicyPak, I kept discovering feature after feature—ones I didn't even know were possible. These range from simple things like Item-Level Targeting on administrative template settings to centralized remote approval for UAC prompts. Before we get too far ahead into this review of PolicyPak Group Policy Edition, let's look at the evolution of Group Policy and how it fits into our current world of "modern" management.
What Group Policy can't do
To manage a Windows 10 environment completely, Microsoft would like for you to use System Center Configuration Manager (SCCM) or Intune along with native settings available through Group Policy. Other than security fixes, Microsoft treats Group Policy as a feature-finished product. This has created an atmosphere that exclusively supports some newer features on newer management tools even though a tool like Group Policy could handle it. A perfect case of this concerns the deployment options for Always-On VPN user profiles. Group Policy doesn’t have this feature. Not having key features in Group Policy is shortsighted by Microsoft, and it pushes customers to figure out what to do by themselves.
Along with new features, Windows 10 has introduced problems not fully solvable with the current toolset. This is true even if you have the additional management features available via SCCM or Intune. For example, you might have to hack together a way to manage file associations or Start screen groups in a way that just band-aids over the problem.
Sometimes, it can even feel like Microsoft releases new client features without providing the ability to manage them. Personally, I've dealt with this when configuring some of the new Defender and file content features. These pain points highlight the modern world of Windows management. Completely managing your clients requires an upgrade to Group Policy, and that upgrade is PolicyPak.
What can PolicyPak do for you?
As I stated in the introduction, it can do a lot! You can think of PolicyPak in two ways. First, it is the third leg of Group Policy that sits alongside or extends the existing policies and preferences components. It fills in the management gaps discussed in the prior section. Second, it is a new management suite because it provides an incredible number of new capabilities.
Deploying PolicyPak is dead simple—it provides an MSI file to expand the Group Policy Management Console and install the additional client-side extensions. When editing a Group Policy Object (GPO), you'll see a new PolicyPak section. Expand it to see that PolicyPak actually includes close to a dozen components. The next sections will focus on those I found most useful.
Lock down any application
PolicyPak's original component and its most notable feature is the PolicyPak Applications Settings Manager. This component is an easy-to-use mixture of Group Policy administrative template control with what feels like PowerShell Desired State Configuration.
With it, you can take virtually any application and control it with Group Policy. It eliminates the clunkier methods to control application settings, such as custom registry entries or editing an MSI. A Pak controls each application, and PolicyPak's repository holds an impressive set of free preconfigured Paks.
If you've ever wanted to push policies for Firefox, Java, or even some of the unmanageable settings in IE or Skype, you'll want to start with the PolicyPak Application Manager component. Unlike pushing a registry key or INI file, this component can perform your changes as actual policies.
This means end users can't edit them. For a full list of preconfigured application Paks, see this link. If you have a custom app or don't see an application listed on that page, you can use the included DesignStudio tool to map settings into a new Pak.
Flexible privileges and permissions
The Least Privilege Manager component might be the coolest feature in this entire suite. It removes the rigidity of UAC and provides a customizable way to secure your computers. As with all the other features in PolicyPak, you configure and deploy the settings with Group Policy.
The first use I love about Least Privilege Manager is the ability to "override UAC" and perform promptless access to core Windows components. Currently, standard users can't manage things like network settings or run some built-in troubleshooting tools. As your organization's admin, you can selectively enable certain components without providing administrative access to the whole machine. Now your mobile users can configure network settings on their laptops or staff can run the audio diagnostics troubleshooting wizard if their speakers stop working.
Least Privilege Manager can also selectively and silently elevate certain applications for standard users. Essentially, you can use Group Policy to whitelist certain applications or processes to self-elevate so they bypass UAC.
Following Microsoft's best practice, I am a standard user on my machine. Because of this, UAC constantly prompts me when using basic tools (VSCode, Sysinternals tools, Orca, etc.). Least Privilege Manager can tell my computer to trust and elevate these specific tools while keeping my machine secure (with me running with standard user rights). To see this in action, jump to the two-minute mark in this video to see Process Monitor running as a standard user.
By using an Admin Approval policy, you can also replace UAC when an elevation request occurs. With this upgraded UAC prompt, you can do things like remotely approve elevation requests. This is true even for off-premises machines. I can see this feature being very useful for remote workers or when staff are at a conference.
Fixing Windows 10 management
The final components I want to highlight are the additional management features PolicyPak makes available for Windows 10. These include:
- Managing the Start screen
- Managing the taskbar
- Configuring file associations
Each extension includes an intuitive wizard that gives you complete control over that area of Windows 10. For example, you can pin a single app to the Start screen or create a group for the Start screen. Each action can either append or replace existing items.
Optional tools also allow you to take a preconfigured golden machine and output its configuration for use in a policy. This is so much more powerful than generating something like a Start screen XML because you get granular control of specific pinnings or groups.
As a bonus, you can use Item-Level Targeting (ILT) to control exactly under what conditions each policy is processed. If you manage any number of Windows 10 machines, these three features alone should make the PolicyPak suite worth it to you!
Final thoughts on PolicyPak
Personally, I believe Microsoft should buy PolicyPak and integrate it as they did with DesktopStandard’s Group Policy Preferences. Build it into the next version of Windows 10 and say, "Voilà, we've now updated Group Policy to do all of these awesome things!"
Until then, PolicyPak is both the solution and evolution for Windows client management. There is a lot to love about PolicyPak Group Policy Edition! The product is mature and feature rich. The support is top-notch. Nearly every feature has a how-to video and detailed instructions in the manual.
Oh, and Always-On VPN profiles via Group Policy? PolicyPak says that’s coming soon.