Oct 01, 2021 Panu Saukko

Modern Policy Management for Windows 10 | A Microsoft MVP Review

In this latest collection of blogs, Microsoft MVP, Panu Saukko, will be reviewing our Modern Endpoint webinar series. First up, we have Modern Policy Management for Windows 10.

The first episode of 1E’s The Modern Endpoint webinar series is about Windows 10 policy management. 1E’s Rob Peterscheck and Amy Collins host a discussion with two Microsoft MVPs, Dave Kawula and Emile Cabot. Dave and Emile have long experience and have seen many different environments enabling them to understand the complexities of settings management. Especially during the last two years, the work from home (WFH) environment has changed settings management.

Group Policy has been the king of settings management for almost two decades, but it has some limitations in WFH environments. Group Policy requires a connection to a domain controller (DC), but home users might not use a VPN, so GPOs are not applied anymore.

Cloud-based management or modern device management (MDM) solutions, like Microsoft Intune, don’t have a similar issue with WFH environments. As such, the market share of Intune has increased significantly. When the devices are not joined to on-prem Active Directory, organizations need to figure out what current Group Policy settings should be used on cloud devices. You don’t want to migrate all Group Policy settings, because they contain a lot of settings that don’t make sense anymore. Thus, a fresh start is usually the best option.


Dave and Emile created, along with MVPs Cristal Kawula and Cary Sun, a comprehensive and free (with optional donations 😊) LeanPub document: Enforcing Compliant Configurations. In the document they compare four different products:

  • Microsoft Group Policy
  • Azure Automation & PowerShell DSC
  • Microsoft Configuration Manager’s Compliance settings
  • 1E Tachyon Guaranteed State

In their tests, they found that each product has some strengths and some holes. They divided the tests into five parts:

  • Policy engine
  • Delivery of custom scripts
  • Remediation
  • Administration
  • Industry support

They scored each product within the five categories. The overall winner of their comparison is Tachyon Guaranteed State.


Personally, I’m most interested in the comparison of ConfigMgr and 1E’s Tachyon Guaranteed State, and how on earth Tachyon Guaranteed State can be better than ConfigMgr!

Cross-platform support is one area where Tachyon Guaranteed State is clearly much better because it supports a wide variety of non-Windows operating systems. ConfigMgr is limited to only Windows operating systems.

How about Windows-only environments? I removed the points related to cross-platform support, and even after that Tachyon Guaranteed State was better than ConfigMgr. For me, that was a little bit of a surprise. There are some areas where Tachyon is clearly ahead of ConfigMgr.

If you want to force a specific configuration profile with ConfigMgr, you have two ways to do it. There is the classical way of configuration baselines (CB). Configuration baselines provide a flexible way to check and remediate specific settings. One of the issues with configuration baselines is that there are significant delays before the settings are enforced. After you have created configuration baselines and deployed them to clients, it will take a few hours before you can expect results. There are multiple cycles that must happen: first to get the new policy (default 1h), random wait before the baseline is run (0 – 4h), and report the status (every 15 min) etc.

With ConfigMgr you can enforce the settings much faster with CMPivot queries and PowerShell scripts. First you figure out the current settings using CMPivot queries, and then you run an appropriate PowerShell script against those devices which don’t satisfy your query. These operations use fast-channel communication, and the clients run the tasks almost immediately.

The problem with CMPivot and scripts is that the clients need to be online. For servers, CMPivot and PowerShell scripts are very useful tools because servers should be online all the time. But the situation is totally different with workstations. For workstations, you still need to use configuration baselines as a safety net to cover devices that were offline while you were running CMPivot/PowerShell scripts.
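As an added example (not from the webinar, the LeanPub document or 1E), the script below shows how one PowerShell file can cover both ConfigMgr mechanisms described above: run with `-Mode Detect` it is the discovery half of a script-based Configuration Item in a baseline (configure the CI to expect the string `Compliant`), run with `-Mode Remediate` it is the remediation half, and the same `Remediate` call can be pushed through Run Scripts to the devices a CMPivot query flagged as non-compliant. The target setting (the `SMB1` DWORD under the LanmanServer `Parameters` key, expected to be 0 so the SMBv1 server is disabled) is my own choice for illustration; substitute the setting your baseline actually enforces.

```powershell
# Added example, not code from the webinar or from 1E. One script that serves as
# discovery (-Mode Detect) and remediation (-Mode Remediate) for a ConfigMgr
# script-based Configuration Item, and as a Run Scripts payload after a CMPivot query.
#
# A CMPivot query that finds the same non-compliant devices (Registry entity with
# Property/Value columns) would look like:
#   Registry('HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters')
#   | where Property == 'SMB1' and Value != '0'
# Caveat: devices where the value does not exist at all never show up in that
# query, which is exactly why the baseline below treats a missing value as
# non-compliant and acts as the safety net.
[CmdletBinding()]
param(
    [ValidateSet('Detect', 'Remediate')]
    [string]$Mode = 'Detect'
)

# Setting under control; chosen for this example, adjust to your own baseline.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'SMB1'
$Expected  = 0

function Get-CurrentValue {
    # A missing value means the built-in default applies; return $null so the
    # caller reports non-compliant instead of silently passing.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-Compliance {
    $current = Get-CurrentValue
    return ($null -ne $current -and $current -eq $Expected)
}

switch ($Mode) {
    'Detect' {
        # Discovery script: ConfigMgr compares this output with the expected string.
        if (Test-Compliance) { 'Compliant' } else { 'NonCompliant' }
    }
    'Remediate' {
        if (-not (Test-Compliance)) {
            if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
            Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Expected -Type DWord
        }
        # Re-check after the fix so the Run Scripts output in the console is meaningful.
        if (Test-Compliance) { 'Remediated' } else { 'RemediationFailed' }
    }
}
```

Both halves share the same `Test-Compliance` function, so the baseline and the fast-channel script cannot disagree about what "compliant" means, and the remediation step re-checks after writing so a failed write (for example, a locked-down key) is reported rather than assumed fixed.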

1E Tachyon architecture doesn’t have the same limitation: when you define a setting, the clients will get the new setting super-fast if they are online. And, if a client is offline, they will pick up the new settings immediately when the Tachyon client is started after a reboot. Therefore, there is no need to have two different mechanisms – as with ConfigMgr – to have a fast remediation that works even with offline clients.


With Guaranteed State there are two types of objects:

  • Rules: individual settings (like Configuration Items in ConfigMgr)
  • Policies: a group of rules that you deploy to a set of devices (like Configuration baselines in ConfigMgr)

When you create a new rule, there are few things you need to define:

  • Basic name/description of the rule
  • Precondition (optional): Run the rule only against a subset of devices, e.g. all Windows 10 20H2 devices with Office.


  • Trigger: When the rule needs to be checked. You can have multiple triggers. Notice that there are multiple event-based schedules, like after a specific Windows Event Log event, a file change, a process start etc. Or you can schedule the check every X hours/minutes/seconds!


  • Check: What you want to check. By default, you again have multiple building blocks to check registry/WMI/service/process/file status without the need to do any scripting.


  • Fix (optional): Again, you have the building blocks to use when you decide how you would like to remediate the situation.


After you have created the rules, you create a new policy. With policies you can combine one or more rules into a single policy. Thus, it is easy to create different baselines for different issues. The policy is then deployed to a group of devices.

When you have deployed the rules to the devices, you can easily check the compliance status with built-in reports.

1E Tachyon provides a comprehensive set of actions that you can utilize in your settings management without doing scripting. For people with a ConfigMgr background, the UI is different, but you get the hang of it quickly.


Be sure to keep your eyes peeled for the next blog in this series in the upcoming weeks. In the meantime, you can learn more about 1E Tachyon Guaranteed State here.