Migrating GPO settings to WEM

A walkthrough of the new WEM capability to deliver GPO settings

Intro

A consistent challenge when beginning the adoption of WEM services into an existing environment is the analysis and migration of existing GPP and GPO settings into the WEM way of processing. Moving policies full of printers, drive maps, logon scripts, file and folder options along with registry keys, be it single or collection based, is typically the longest part of getting WEM to really shine in an environment.

Last week marked the release of a new feature in the WEM Cloud Service which allows a direct import of a GPO backup file (or files) into the WEM service. The process is a simple one to drive, but pretty complicated behind the scenes. The basic process is as follows:

  • Back up your existing GPO or GPOs into a single ZIP file. (Make sure your backups are only one folder deep in the ZIP file)
  • Import the ZIP file into the WEM service using the new Migrate option
  • Choose whether to import everything or create an import file (using the standard VUEM XML format). I suggest the latter
  • Import the XML file based actions and settings
  • Assign to your AD objects
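
The first step above is where most failed migrations start, so here is an added example (not from the original post or from Citrix) that stages the backups, zips them, and checks the layout before anything is uploaded. The GPO names and paths are placeholders, `Test-GpoBackupZip` is a hypothetical helper, and "one folder deep" is assumed to mean that each `{GUID}` backup folder sits directly under the ZIP root.

```powershell
# Added example. Requires the GroupPolicy module (RSAT/GPMC) and a domain-joined host.
Import-Module GroupPolicy
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Hypothetical helper: reports how deep each GPO backup folder sits in the ZIP.
function Test-GpoBackupZip {
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $zip  = [System.IO.Compression.ZipFile]::OpenRead($full)
    try {
        $rows = foreach ($entry in $zip.Entries) {
            # Older Compress-Archive builds write '\' separators, so split on both.
            $parts = $entry.FullName -split '[\\/]'
            # Every GPO backup folder carries a Backup.xml; use it as the marker.
            if ($parts[-1] -ne 'Backup.xml') { continue }
            [pscustomobject]@{
                Entry = $entry.FullName
                Depth = $parts.Count - 1          # 1 = {GUID}\Backup.xml at the ZIP root
                Ok    = ($parts.Count -eq 2)
            }
        }
        if (-not $rows) { throw "No Backup.xml found in $full" }
        $rows
    } finally {
        $zip.Dispose()
    }
}

$gpoNames = @('Example-GPO-A', 'Example-GPO-B')        # placeholder GPO names
$staging  = Join-Path $env:TEMP 'wem-gpo-staging'      # placeholder paths
$zipPath  = Join-Path $env:TEMP 'wem-gpo-backups.zip'

# Start from an empty staging folder so stale backups are not zipped by accident.
if (Test-Path -LiteralPath $staging) { Remove-Item -LiteralPath $staging -Recurse -Force }
New-Item -ItemType Directory -Path $staging | Out-Null
foreach ($name in $gpoNames) { Backup-GPO -Name $name -Path $staging | Out-Null }

# Zip the {GUID} folders themselves, not the staging folder that contains them.
$folders = Get-ChildItem -LiteralPath $staging -Directory
if (Test-Path -LiteralPath $zipPath) { Remove-Item -LiteralPath $zipPath -Force }
Compress-Archive -LiteralPath $folders.FullName -DestinationPath $zipPath

$result = Test-GpoBackupZip -Path $zipPath
$result | Format-Table -AutoSize
if ($result.Ok -contains $false) { throw 'ZIP is not one folder deep; fix before uploading.' }
```

Zipping the staging folder itself would push every backup one level deeper, which the check reports as `Depth` 2.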

Working Example

In the example below, I am exporting two GPO objects. These contain a load of preferences and environmental settings that WEM could also process, along with folder redirection settings.

Group Policy Backup:

GPO Backup File

Logging in to the WEM Cloud Service, I have created a new blank Configuration Set for demo purposes. Nothing has been enabled, no templates or hydration kits imported.

Blank WEM Config Set

You will first need to upload your ZIP file via the HTML client. This will dump the zip file in the default upload folder

Upload via HTML 5 Client

Choose Existing Archive

The new Migrate button is available on the home ribbon next to the usual backup and restore suspects shown above. Select the Migrate button and choose your ZIP file

Select uploaded ZIP file

Choose the convert option and give your job a name. I cannot see a time where you would ever want to simply overwrite – I would always want to sanity check what I am pulling in

Choose Convert and specify a Name

Select start Migration. If your ZIP file is in the correct format, you should have a nice clean migration with confirmation shown as per below

You can now view a summary of what’s been imported

A few cool things have happened at this point. Note in the below screen dump, any GPP based items have been successfully pulled from my GPO backup files

Secondly, note that any supported environmental and USV (folder redirection) settings have also been pulled

Looking closely, the keen eye may notice that the WEM import will convert an existing variable to a WEM hashtag value in the USV pathing. Note my GPO below uses %UserName%, WEM converts this to ##UserName##

You can now select Finish and proceed to importing the configuration files you just created. Select the Restore option and select the appropriate option for Actions (GPP) or Settings (Environmental, USV). You will need to do this one at a time due to the nature of the WEM import tools.

Choose your Import Folder created when you pulled in the GPO backup files

All my settings from GPO are available for import

Job done. All my actions are ready to go

Import is successful

My Drives, Printers, Registry Keys, File System Objects, Environment Variables and External Tasks are all available

Network Drives

Registry Keys

External Tasks

A few things of note that I was happy with here:

  1. Drives were imported with a self-healing action enabled
  2. If a network drive had a display name defined in GPP, it was imported and used on the action in WEM. If it did not, it was left blank
  3. Printers were imported with self-healing enabled
  4. Registry items were imported cleanly. If they were part of a collection, they were split cleanly into individual actions, and no (default) keys were imported
  5. I tried to trick WEM and define a binary value key which is not supported by WEM. It was smart enough to ignore the key
  6. External tasks were sucked in from areas of the Policy such as “Logon Scripts”

Nicely done. On to settings next. Select restore, this time choose settings and select your import file again

Note this time both Environmental Settings and Microsoft USV settings are recognised and ready for import. Follow the wizard. Take note of the below warning. You want to be sure in what you are doing here

This is a new config set for me, so I am happy to overwrite

Over in Policies and Profiles in the WEM Console, I can successfully confirm the two supported settings I had in GPO have been mirrored into WEM configurations

USV (Folder Redirection) Settings have also been moved properly with the hashtag conversion complete

Again a few things of note that I was happy with:

  • Importing the settings didn’t automatically enable the processing of Environmental Settings
  • Importing USV Settings didn’t automatically enable processing of them

Product vs Community

Pretty good result really. Now whilst this is an awesome feature for the WEM Service, it is not the first tool to allow this. My good friend Arjan Mensch and I spent a huge amount of time a couple of years back building a PowerShell module that did this, and much much more. By we, I mean mostly him. I just provided the chaos policies and a shopping list of cool things, he did the rest – and man does it rock. If you haven’t seen it, used it, or checked it out and are working in the business of implementing WEM for customers, you are shooting yourself in the foot.

In addition to the basic functionality above, Arjan’s module can do the following

  • Import all actions and relevant settings (inc USV) from existing GPO objects
  • Control all the options associated with the actions on import – self healing, descriptions, run once, state, names, prefixes etc. All of them.
  • Import Drives and Printers from a CSV file
  • Identify and export GPP based Item level targets to a CSV file
  • Import applications from an existing redirected Start Menu (old school in 2008 R2) and then mirror that configuration in WEM apps
  • Import applications from an existing folder, or set of folders by converting all executables to WEM applications
  • Convert Studio Published Apps to WEM applications via CSV export and Import

Read the blog series below for details:

This tool is one of the best community driven tools out there, and Arjan has also been working on a true end to end WEM PowerShell SDK. Go check out his work, it’s truly awesome and it can be used for both On Prem and Service based deployments of WEM.

Summary

The WEM team and Arjan have individually done awesome jobs at getting this stuff cranking, both should be provided multiple beers for the time saving toolsets they have given us. Kudos!