Migrating GPO settings to WEM

A consistent challenge when beginning the adoption of WEM services into an existing environment is the analysis and migration of existing GPP and GPO settings into the WEM way of processing. Moving policies full of printers, drive maps, logon scripts, file and folder options, and registry keys, whether single or collection based, is typically the longest part of getting WEM to really shine in an environment.

Last week marked the release of a new feature in the WEM Cloud Service which allows a direct import of a GPO backup file (or files) into the WEM service. The process is a simple one to drive, but pretty complicated behind the scenes. The basic process is as follows:

  • Back up your existing GPO or GPO objects into a single ZIP file. (Make sure your backups are only one folder deep in the ZIP file)
  • Import the ZIP file into the WEM service using the new Migrate option
  • Choose whether to import everything or create an import file (using the standard VUEM XML format). I suggest the latter
  • Import the XML file based actions and settings
  • Assign to your AD objects

In the below example, I am exporting two GPO objects. These contain a load of preferences and environmental settings that WEM could also process, along with folder redirection settings.

Group Policy Backup
GPO Backup File

Once backed up, I am simply adding my two export files to a ZIP archive

GPO backup to ZIP
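
An added check, not part of the original post or of Citrix's tooling: this PowerShell function opens a ZIP and reports how many folders sit above each `Backup.xml`. It assumes "one folder deep" means each backup's `{GUID}` folder is at the root of the archive; `Test-GpoBackupZipLayout` and the demo data are made up for illustration.

```powershell
# Added example: confirm each GPO backup folder sits at the root of the ZIP.
# Assumption: "one folder deep" means <zip>\{backup GUID}\Backup.xml.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-GpoBackupZipLayout {
    param([Parameter(Mandatory)][string]$ZipPath)
    # .NET resolves relative paths differently from PowerShell, so make it absolute.
    $full = (Resolve-Path -LiteralPath $ZipPath).ProviderPath
    $zip  = [System.IO.Compression.ZipFile]::OpenRead($full)
    try {
        foreach ($entry in $zip.Entries) {
            # A GPO backup writes Backup.xml into each backup folder.
            if ($entry.FullName -notmatch '(^|[\\/])Backup\.xml$') { continue }
            # Entry separators differ between ZIP tools, so split on both.
            $parts = @($entry.FullName -split '[\\/]')
            [pscustomobject]@{
                Entry       = $entry.FullName
                FoldersDeep = $parts.Count - 1
                Ok          = ($parts.Count -eq 2)
            }
        }
    }
    finally { $zip.Dispose() }
}

# Constructed demo data (placeholder backup ID and file content, no real GPO).
$root = Join-Path ([IO.Path]::GetTempPath()) ('gpozip-' + [guid]::NewGuid())
$id   = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
$good = Join-Path $root 'good'   # layout: {GUID}\Backup.xml
$bad  = Join-Path $root 'bad'    # layout: PolicyBackup\{GUID}\Backup.xml
foreach ($dir in (Join-Path $good $id), (Join-Path (Join-Path $bad 'PolicyBackup') $id)) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-Content -LiteralPath (Join-Path $dir 'Backup.xml') -Value '<placeholder/>'
}
foreach ($name in 'good', 'bad') {
    $zipPath = Join-Path $root "$name.zip"
    [System.IO.Compression.ZipFile]::CreateFromDirectory((Join-Path $root $name), $zipPath)
    Test-GpoBackupZipLayout -ZipPath $zipPath
}
Remove-Item -LiteralPath $root -Recurse -Force
```

Run the function against your own archive before uploading it; any row with `Ok` set to false points at a backup that is nested under an extra parent folder.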

Logging in to the WEM Cloud Service, I have created a new blank Configuration Set for demo purposes. Nothing has been enabled, no templates or hydration kits imported

Blank WEM Config Set

You will first need to upload your ZIP file via the HTML client. This will dump the zip file in the default upload folder

Upload via HTML 5 Client
Choose Existing Archive

The new Migrate button is available on the home ribbon next to the usual backup and restore suspects shown above. Select the Migrate button and choose your ZIP file

Select uploaded ZIP file

Choose the convert option and give your job a name. I cannot see a time where you would ever want to simply overwrite – I would always want to sanity check what I am pulling in

Choose Convert and specify a Name

Select start Migration. If your ZIP file is in the correct format, you should have a nice clean migration with confirmation shown as per below

Successful Conversion

You can now view a summary of what’s been imported

A few cool things have happened at this point. Note in the below screen dump, any GPP based items have been successfully pulled from my GPO backup files

GPP Import Overview

Secondly, note that any supported environmental and USV (folder redirection) settings have also been pulled

Settings and USV Overview

Looking closely, the keen eye may notice that the WEM import will convert an existing variable to a WEM hashtag value in the USV pathing. Note my GPO below uses %UserName%, WEM converts this to ##UserName##

Existing Folder Redirection Paths in GPO

You can now select Finish and proceed to importing the configuration files you just created.

Select the Restore Option and select the appropriate option for Actions (GPP) or Settings (Environmental, USV). You will need to do this one at a time due to the nature of the WEM import tools

Action Import (restore)

Choose your Import Folder created when you pulled in the GPO backup files

Choose Converted File

All my settings from GPO are available for import

VUEM Recognised Settings

Job done. All my actions are ready to go

Actions for Import

Import is successful

Successful Import

My Drives, Printers, Registry Keys, File System Objects, Environment Variables and External Tasks are all available

Network Drives
Registry Keys
External Tasks

A few things of note that I was happy with here:

  1. Drives were imported with a self-healing action enabled
  2. If a network drive had a display name defined in GPP, it was imported and used on the action in WEM. If it did not, it was left blank
  3. Printers were imported with self-healing enabled
  4. Registry items were imported cleanly. If they were part of a collection, they were split cleanly into individual actions, and no (default) keys were imported
  5. I tried to trick WEM and define a binary value key which is not supported by WEM. It was smart enough to ignore the key
  6. External tasks were sucked in from areas of the Policy such as “Logon Scripts”
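
An added example (not the WEM importer's code and not Arjan's module) that inventories a GPP `Registry.xml` before import, flattening collections and flagging default and `REG_BINARY` values so the list can be compared with what the converted file contains. The XML is a constructed sample, `Get-GppRegistryInventory` is a hypothetical helper, and the attribute names are assumed to match the `Registry.xml` in your own backup.

```powershell
# Constructed sample modelled on a GPP Registry.xml; not taken from the post's GPOs.
[xml]$sample = @'
<RegistrySettings>
  <Collection name="Explorer">
    <Registry name="HideFileExt">
      <Properties action="U" hive="HKEY_CURRENT_USER" key="Software\Contoso\Explorer" name="HideFileExt" type="REG_DWORD" value="00000000" default="0"/>
    </Registry>
    <Collection name="Nested">
      <Registry name="(Default)">
        <Properties action="U" hive="HKEY_CURRENT_USER" key="Software\Contoso\App" name="" type="REG_SZ" value="x" default="1"/>
      </Registry>
    </Collection>
  </Collection>
  <Registry name="Blob">
    <Properties action="U" hive="HKEY_CURRENT_USER" key="Software\Contoso\App" name="Blob" type="REG_BINARY" value="0102" default="0"/>
  </Registry>
</RegistrySettings>
'@

function Get-GppRegistryInventory {
    param([Parameter(Mandatory)][xml]$Xml)
    # '//Registry' walks every collection level, so nested items come out flat.
    foreach ($item in $Xml.SelectNodes('//Registry')) {
        $p = $item.SelectSingleNode('Properties')
        if (-not $p) { continue }
        $parent = $item.ParentNode
        $type   = $p.GetAttribute('type')
        # Flag the two kinds of item the post saw left out of the import.
        $note = if ($p.GetAttribute('default') -eq '1') { 'default value' } elseif ($type -eq 'REG_BINARY') { 'binary value' } else { '' }
        [pscustomobject]@{
            Collection = if ($parent.LocalName -eq 'Collection') { $parent.GetAttribute('name') } else { '' }
            Path       = $p.GetAttribute('hive') + '\' + $p.GetAttribute('key')
            Name       = $p.GetAttribute('name')
            Type       = $type
            ReviewNote = $note
        }
    }
}

Get-GppRegistryInventory -Xml $sample | Format-Table -AutoSize
```

Rows with an empty `ReviewNote` are the ones to look for as individual registry actions after the import; flagged rows are the ones to confirm were left out.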

Nicely done. On to settings next. Select restore, this time choose settings and select your import file again

Environmental Settings and USV Import

Note this time both Environmental Settings and Microsoft USV settings are recognised and ready for import. Follow the wizard. Take note of the below warning. You want to be sure of what you are doing here

Overwrite Warning

This is a new config set for me, so I am happy to overwrite

Import Success

Over into Policies and Profiles in the WEM Console, I can successfully confirm the two supported settings I had in GPO have been mirrored into WEM configurations

Environmental Settings

USV (Folder Redirection) Settings have also been moved properly with the hashtag conversion complete

USV Settings 1
USV Settings 2

Again a few things of note that I was happy with:

  • Importing the settings didn’t automatically enable the processing of Environmental Settings
  • Importing USV Settings didn’t automatically enable processing of them

Pretty good result really.

Now whilst this is an awesome feature for the WEM Service, it is not the first tool to allow this. My good friend Arjan Mensch and I spent a huge amount of time a couple of years back building a PowerShell module that did this, and much much more. By we, I mean mostly him, I just provided the chaos policies and a shopping list of cool things, he did the rest – and man does it rock. If you haven’t seen it, used it, or checked it out and are working in the business of implementing WEM for customers, you are shooting yourself in the foot.

In addition to the basic functionality above, Arjan’s module can do the following

  • Import all actions and relevant settings (inc USV) from existing GPO objects
  • Control all the options associated with the actions on import – self healing, descriptions, run once, state, names, prefixes etc. All of them.
  • Import Drives and Printers from a CSV file
  • Identify and export GPP based Item level targets to a CSV file
  • Import applications from an existing redirected Start Menu (old school in 2008 R2) and then mirror that configuration in WEM apps
  • Import applications from an existing folder, or set of folders by converting all executables to WEM applications
  • Convert Studio Published Apps to WEM applications via CSV export and Import

Read the blog series below for details:

Part 1: Application Actions

Part 2: GPO Import and More

Part 3: Environmental Settings and USV Import

Part 4: Convert Studio to WEM Apps

This tool is one of the best community driven tools out there, and Arjan has also been working on a true end to end WEM PowerShell SDK. Go check out his work, it’s truly awesome and it can be used for both On Prem and Service based deployments of WEM

The WEM team and Arjan have individually done awesome jobs at getting this stuff cranking, both should be provided multiple beers for the time saving toolsets they have given us. Kudos!

12 thoughts on “Migrating GPO settings to WEM”


  1. Hi James,

    Thank you for the great writing regarding the GPP/GPO imports to WEM.

    I have two questions:

    1: What I am wondering is if your (and your friend’s) Powershell script is able to also cover everything the new Citrix cloud service is doing or if the Citrix implementation can do anything your script can’t?
    I would rather leave everything OnPrem with your scripts if this will as easily be done as with Citrix’s new cloud service…

    2: And a general question I have nowhere found to really be answered:
    I know that WEM is capable of some multitasking scheduler tweaking and stuff like that.

    But suddenly everybody is also speaking about the great replacement functionalities of WEM, but to be honest, what benefit should I have from converting and importing hundreds and maybe thousands of GPOs into WEM?
    Apart from maybe a central place to handle everything-What is really the benefit of WEM instead of leaving the GPPs/GPOs on the Domain Controller’s Sysvol where they have always been?
    Not speaking of the potential pitfalls with WMI queries and other things that will likely not be converted and imported at all?

    And the same question goes for Citrix Profiles:
    Of course I could obviously manage them in WEM, but why? I always did exactly the same in the GPO or Citrix Policies, so what benefit should importing them into WEM bring?

    Simply having maybe a new central place to have all this in one place is not what I would see as such a big thing that I would want to do all the migrations with all the potential pitfalls.

    Or is there really much more to it than just the central management capability?

    Thank you for some general clarification on this!

    Kind regards
    Udo


    1. Hi Udo,

      Thanks for the feedback, I will try and answer below:
      1) Arjan’s scripts do far more than the current WEM import service does, but in the context of GPP/GPO import, they are pretty much identical
      2) I see no benefit in moving ADMX to WEM, in fact, I am an advocate of leaving ADMX exactly where they are. There is a huge benefit however of moving GPP into WEM due to the context in which it is applied – GPO applies GPE/CSE/Folder Redirection at logon time and waits for it to finish before logging users on, WEM processes it just after the user has reached the desktop – so it gives a much nicer experience for the user – same goes for scripts etc. Logon times are massively reduced
      3) Regarding UPM I also agree, I never drive UPM via WEM, much cleaner in GPO, however, there are some edge cases where WEM shines in that space – I have a buddy who is writing a post on it so won’t step on his toes

      Hope it helps


  2. Hi James,

    Thank you for the feedback and yes, this does very much help, as it confirms my basic understanding.

    1) Regarding the WEM implementation vs. Adrian’s script, just to confirm: This means that there is no advantage or additional functionality of the WEM implementation over Adrian’s script, correct?

    2) Regarding the background execution of the GPPs however this is a fair point, but (surely not only) my problem will be that GPPs and ADMX/GPOs are pretty much bound together in the Group Policy Management Console and nearly all our objects have GPPs and ADMX/GPOs included and therefore mixed, so separating them is what I would see as a lot of work to do.
    Or am I missing something or is there an easy way to separate GPPs?

    Thank you for the clarification again!


    1. Hi Udo

      1) yes, as far as I know, there are no extra things that the import function does vs what Arjan’s script can do

      2) with both solutions, you can backup multiple GPO objects and have the import tools import all of them at once, then it’s a matter of deleting GPP objects out – regardless, it’s time-consuming and you still have to re-assign everything in WEM – but the results are usually pretty awesome

      You are welcome 🙂


  3. Hi James,

    OK, will try that.

    Is there any means of separating the GPPs from the ADMX GPOs before or after the import into WEM in one go to make things at least a little easier?
    By the way: What about WMI filters on GPPs/GPOs, can they also be imported with the script and/ or the WEM cloud service?
    If not, can I set them up in WEM as well? Do I have to link them all manually to the right policies again?

    And apart from WMI filters, are there other things that might need to be added back in manually after the import into WEM?


    1. All manual for all filters. Arjan’s script outputs a list of applied filters when defined on a GPP which is a good starting point. From there you have to assign the imported WEM actions to a group in WEM

      For bulk separation out of ADMX – select all – delete :/) that’s the only way I know without scripting it (backup your policies first)


    1. GPO ADMX is good, GPP can hold up the logins and isn’t very good at handling fails – wem processes post logon so users are at their desktop quicker – leave native ADMX in GPO alone for the most part is my view


      1. With domain controller on 2016/2019 server processing GPO was extremely efficient so that’s open to discussion. Thanks for prompt answer.

