Transitioning from PolicyPak delivered through Group Policy or SCCM to PolicyPak Cloud is very straightforward.
Remember, once PolicyPak settings are created, they are transferable to XML, which can be used with ANY method: Group Policy, Intune, SCCM, or PolicyPak Cloud.
This document assumes you have policies in the Group Policy editor and want to transfer them to PolicyPak Cloud. The delivery method you’re starting from doesn’t matter. You can start from Group Policy, SCCM, or an MDM service like Intune and transfer over to PolicyPak Cloud.
Here is an overview of the steps involved in transitioning an existing investment in PolicyPak, delivered with Group Policy or SCCM, over to PolicyPak Cloud:
- Pre-testing that PolicyPak Cloud is working at all with the built-in policies.
- Exporting existing PolicyPak settings within Group Policy to XML and importing them into PolicyPak Cloud.
- Optional: Backup and Restore entire GPO to PolicyPak Cloud.
- Use In-Cloud Editors to create and update rules.
- Using PolicyPak Cloud to create company groups and/or use PolicyPak Cloud to Azure connector.
- Linking PolicyPak Cloud XML to PolicyPak Cloud Company Groups or Azure Groups.
- Deploying the PolicyPak Cloud Client and/or CSE to endpoints.
- Removing existing Group Policy, SCCM or Intune based PolicyPak settings from machines.
- Report using PolicyPak Cloud to verify expected settings are achieved.
- Keeping PolicyPak Cloud computers up to date with client software using PolicyPak Cloud Groups.
Pre-testing that PolicyPak Cloud is working at all with the built-in policies.
Start by verifying that your PolicyPak Cloud account is generally working by using the steps in this video: https://kb.policypak.com/kb/article/471-policypak-cloud-quickstart/
You will be verifying that your PolicyPak Cloud account is licensed, operational and working as expected.
Exporting existing PolicyPak settings within Group Policy to XML and importing them into PolicyPak Cloud.
Continue by exporting your existing PolicyPak settings into XML format.
You can export one setting at a time like this…
You can export a Collection like this…
Or you can export a whole category like this.
Or you can export settings en masse across multiple GPOs using the PolicyPak Exporter Utility. The steps to do that are here: https://kb.policypak.com/kb/article/565-deploying-policypak-directives-without-group-policy-policypak-exporter-utility/
Then you can upload them straight into PolicyPak Cloud using the “Upload and link a new XML here…” option. Or you can go to the XML Settings tab (not shown) and also upload them there for later use.
You may also view the XML in Notepad and copy/paste the XML straight into PolicyPak Cloud using the same setting, “Upload and link a new XML here…”, as seen around the 5 minute and 20 second mark continuing onward.
Optional: Backup and Restore entire GPO to PolicyPak Cloud.
You might also have a GPO with a lot of settings, which contain Microsoft and/or PolicyPak settings. You can transfer the whole contents of that GPO with a GPO Backup and PolicyPak Cloud Import.
The result will be a de-constructed GPO with all relevant parts as XML, available to re-link later to Company or Azure groups.
The full procedure for this can be seen here: https://kb.policypak.com/kb/article/982-how-to-import-gpos-to-policypak-cloud/
Use In-Cloud Editors to create and update rules (for most policies)
Now that all your rules are lifted and shifted from GPO Editor to XML to Cloud, you can use the in-cloud editors to create most new policy types and edit existing policies.
Here’s an example of how to use the PolicyPak Cloud in-cloud editors to create and edit PolicyPak Least Privilege Manager items.
Tip: You are advised to maintain a Windows based MMC editing station for testing because not every editing function may be available in the PolicyPak Cloud editors. Most items are; a few aren’t. Details about PolicyPak Cloud and Test Lab Best Practices are here: https://kb.policypak.com/kb/section/360/
Using PolicyPak Cloud to create company groups and/or use the PolicyPak Cloud to Azure connector
Now you can craft your Company Group assignment in anticipation of placing computers into them.
More on Working with Groups in the PolicyPak Cloud Guide here: https://helpcenter.netwrix.com/bundle/PolicyPak_AppendixE/page/Working_with_Groups.html#navPoint_40
An example of crafting your own Company groups, linking existing XMLs, creating new policies and Adding/Removing computers from these Company Groups can be seen here.
Another option is the ability to mate your PolicyPak Cloud instance with your Azure Instance and use Azure Groups as well. You can establish a connection between PolicyPak Cloud and Azure using these steps.
Then Azure groups will appear at the same level as Company Groups and you can link XML to those Azure groups.
Provided the PolicyPak Cloud Client is on the machine (one of the next steps) the computer will pick up the policies in either the Computer Group or Azure Group. (PPCLOUD /sync will show these details.)
Linking PolicyPak Cloud XML to PolicyPak Cloud Company Groups or Azure Groups
Because your XML policies are now uploaded to PolicyPak Cloud, you are ready to link them over to the Company Group or Azure Group of your choice. Remember that PolicyPak Cloud acts nearly exactly like on-prem GPO with the following attributes:
- Groups are like OUs, though a computer may be in two PolicyPak Cloud Groups (whereas in on-prem AD it may only be in one).
- Block Inheritance is available
- Enforced is available
- Precedence is available
Consult the PolicyPak Cloud guide for more details on Groups: https://helpcenter.netwrix.com/bundle/PolicyPak_AppendixE/page/Working_with_Groups.html#navPoint_40
Deploying the PolicyPak Cloud Client and/or CSE to endpoints
Now you’re ready to deliver the PolicyPak Cloud client to your machines, which will join the machines to PolicyPak Cloud.
Tip: If the machines already have the PolicyPak CSE installed, there is no need to uninstall the PolicyPak CSE. It is permitted to pre-install the CSE on the machine before the PolicyPak Cloud client, and doing so could actually save you a lot of time during PolicyPak Cloud client rollout!
There are a myriad of ways to install the PolicyPak Cloud client, as it’s just an MSI. When the Cloud Client is installed it will automatically install the PolicyPak CSE if it is not present on the machine, like what’s seen here.
Note the machine may also upgrade to a later CSE if a PolicyPak Cloud group dictates a later CSE, but the CSE will never downgrade. (See the last section in this guide for more details.)
Additionally, you may wish to investigate the idea of having computers automatically join the PolicyPak Cloud group of your choice with the Jointoken property. Two videos on that topic are:
- https://kb.policypak.com/kb/article/911policypak-cloud-automatically-join-groups-with-jointoken/
- https://kb.policypak.com/kb/article/1064policypak-cloud-mdm-services-install-cloud-client-automatically-join-ppc-groups-and-get-policy/
Note: There are some other KB articles covering advanced scenarios for installing the PolicyPak Cloud client, such as Azure Virtual Desktops, VDI and other scenarios. If you have trouble locating those articles, please open a support ticket (https://www.netwrix.com/sign_in.html?rf=tickets.html#/open-a-ticket).
Tip: Here are some command line examples to help install the PolicyPak Cloud client silently, for example if you use SCCM or Intune: https://kb.policypak.com/kb/article/951-how-do-i-deploy-the-policypak-cloud-client-via-command-line-silently/
Removing existing settings from machines (GPO and Non-GPO method).
Now you’re ready to remove existing policy from machines. This will vary depending on the source method of deploying policy.
- For GPO, we recommend unlinking the GPO(s) which have PolicyPak / now transferred settings. Then run GPupdate /force, then GPresult /h out1.html, and ensure the settings you want are now absent from the Group Policy Results.
- For SCCM and MDM/Intune, perform an uninstall of the wrapped up XMLs / MSIs. You can also verify the XML settings are removed from your endpoint from the USERS or GROUPS or COMPUTER folder with this KB: https://kb.policypak.com/kb/article/1086what-is-the-processing-order-of-all-policies-and-how-are-conflicts-resolved-and-how-can-i-see-the-final-rsop-of-those-policies-between-gpo-cloud-xml-etc/
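One way to script the GPO check above, as an added example that is not PolicyPak or Netwrix code: it reads the XML form of the Group Policy Results (gpresult /x instead of /h) and reports any unlinked GPO that is still in scope for the computer or user. The GPO names, the domain name and the trimmed sample report are constructed, and the function name is hypothetical.

```powershell
# Added example. GPO names and the report below are constructed sample values.
function Get-LingeringGpo {
    param(
        [Parameter(Mandatory)][xml]$RsopReport,       # parsed output of: gpresult /x <file> /f
        [Parameter(Mandatory)][string[]]$RetiredGpo   # display names of the GPOs you unlinked
    )
    foreach ($scope in 'ComputerResults', 'UserResults') {
        $results = $RsopReport.DocumentElement[$scope]
        if (-not $results) { continue }               # scope absent, e.g. report run with /scope
        # Only direct <GPO> children list the GPOs in scope for this computer or user.
        foreach ($gpo in $results.ChildNodes | Where-Object LocalName -eq 'GPO') {
            $name = $gpo['Name'].InnerText
            if ($RetiredGpo -contains $name) {
                [pscustomobject]@{
                    Scope    = $scope
                    Gpo      = $name
                    LinkedAt = ($gpo.GetElementsByTagName('SOMPath') |
                                ForEach-Object InnerText) -join '; '
                }
            }
        }
    }
}

# Constructed, trimmed report so the script runs offline.
$sample = [xml]@'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <ComputerResults>
    <GPO><Name>Default Domain Policy</Name><Link><SOMPath>corp.example</SOMPath></Link></GPO>
    <GPO><Name>PolicyPak - Browser Settings</Name><Link><SOMPath>corp.example/Workstations</SOMPath></Link></GPO>
  </ComputerResults>
  <UserResults>
    <GPO><Name>Default Domain Policy</Name><Link><SOMPath>corp.example</SOMPath></Link></GPO>
  </UserResults>
</Rsop>
'@

$retired = 'PolicyPak - Browser Settings', 'PolicyPak - Least Privilege'
$hits = @(Get-LingeringGpo -RsopReport $sample -RetiredGpo $retired)
if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize } else { 'No retired GPO is still in scope.' }

# Real endpoint, elevated prompt, after GPupdate /force:
#   gpresult /x out1.xml /f
#   Get-LingeringGpo -RsopReport (Get-Content out1.xml -Raw) -RetiredGpo $retired
```

A hit means the GPO is still linked somewhere in the machine's or user's scope, so the endpoint can receive the same setting from both Group Policy and PolicyPak Cloud until the link is removed.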
Report using PolicyPak Cloud to verify expected settings are achieved
There are two ways to determine if your endpoint(s) got the policies you expected.
On the client:
Method one is akin to GPupdate and you simply run PPCLOUD /sync (performs a SYNC then displays) or PolicyPak Cloud /status (no sync, just displays) and you can see any specific machine’s current state and policies.
See this guide for additional examples: https://helpcenter.netwrix.com/en-US/bundle/PolicyPak_AppendixE/page/Manually_Syncing_with_PolicyPak_Cloud.html
On the server:
Additionally, you may mass report upon machines using the PolicyPak Cloud reporting mechanism.
Details on that system are here: https://kb.policypak.com/kb/article/475-policypak-cloud-reporting-demo/
Either method will inform you if the settings you lifted and shifted to PolicyPak Cloud are now on the endpoint.
Keeping PolicyPak Cloud Client and PolicyPak CSE up to date
Finally, it is important to keep the PolicyPak Cloud Client and the PolicyPak CSE up to date. PolicyPak Company Groups control the versions of the PolicyPak Cloud Client and PolicyPak CSE.
You should always do small scale testing of upgrades of the PolicyPak CSE and PolicyPak Cloud Client version to ensure safety before you roll it out to everyone via the All group.
More details on the Microsoft Ring methodology, which aligns to PolicyPak best practices, are here.
A video on how to perform small scale testing before large scale upgrades can be found here.