Will GPO be replaced by MDM?


I have been using Group Policies for almost 2 decades now, since they were launched way back with Windows Server 2000. So, I would not be wrong to say that I am sort of biased towards Active Directory and Group Policy Objects (GPO). A friend once very aptly said that ‘in all fairness Group Policy was the first true enterprise scale management solution that we had for Windows systems.’ Now, obviously this was a more advanced solution than the Local Security Policies that were introduced earlier for workgroups.

Long story short, yes, I do get ‘technically emotional’ when I look at this through a practical lens – yes, MDM will replace GPO eventually, maybe by the end of 2030 (if not sooner). Why? Let's discuss this in a bit more detail.

So what is Group Policy and why is it needed? In every client Windows OS like XP, 7, 8 and 10 you can make changes to a lot of settings like wallpaper, screensavers, password complexity etc. These settings are ultimately stored in something called the Local Registry. This is great for an individual device, but how do you control these settings in a large environment where you have 100s, maybe 1000s, of Windows devices? This is why Active Directory was introduced, and Group Policy was a way of centrally managing such settings on each and every domain-joined PC. Anything that can be set in the registry can be set through Group Policy. An administrator can completely control Windows desktops and servers through a Group Policy object. For years, GPO has been the most preferred way of configuring settings and controlling actions on PCs; however, the boundary was always the PC being domain-joined.

Let’s fast forward to today. BYO is the strategic direction for most enterprises for various reasons, like employee disillusionment with IT, the preference to bring their device of choice to work, and cost optimization for IT, as there is no need to manage images, deploy software, refresh devices, provide break-fix etc. Now with BYO comes another challenge: the devices are not domain-joined. This is where Intune, with its Mobile Device Management (MDM) capabilities, is becoming popular. MDM can be used to enforce desired configuration settings and security policies, and also to deploy software applications. With MDM come additional features like remote wipe etc. The benefit is that for a device to be managed by, let’s say, Intune MDM, it need not be domain-joined, but enrolled in Intune on Azure (as an example).

With more and more users moving towards BYO, no user wants his/her device to be managed granularly. All that is needed is for devices to be secure, with certain configurations like password complexity, email settings etc. being acceptable to IT & Security so that the devices can be used for work. At the same time, many enterprises are going Cloud First and choosing to host some of their devices, users, and applications in the cloud. To top it off, Microsoft is heavily investing in cloud and associated technologies like Intune. While Azure AD is not something that you use for GPOs, Intune today has more features being added on a daily basis, and common Windows 10 settings can be managed via MDM today. Actually, starting with Windows 10 1803, Microsoft has added a new configurable setting, “MDMWinsOverGP”, which basically means that if a certain setting is being forced by both GPO and MDM, then MDM will override the GPO setting. This is a new direction of travel and makes us believe that this is Microsoft’s long-term road map for Modern Device Management.
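To see which side wins on a given PC, the following is an added example (not part of the original post) that reports whether MDMWinsOverGP is set on the local device. The function name Get-MdmWinsOverGpState is hypothetical, and the registry location where the Policy CSP stores the device-scope value is an assumption of this example.

```powershell
# Added example: audit the MDMWinsOverGP setting on the local device.
# Assumption: the Policy CSP keeps device-scope values under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
$MinBuild  = 17134   # build number of Windows 10 version 1803

function Get-MdmWinsOverGpState {
    [CmdletBinding()]
    param(
        [string]$Path = $PolicyKey
    )

    $build = [System.Environment]::OSVersion.Version.Build
    $state = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        OSBuild      = $build
        Supported    = ($build -ge $MinBuild)
        Configured   = $false
        Value        = $null
        Effective    = 'GPO wins on conflict (default)'
    }

    if (-not $state.Supported) {
        # The setting was introduced with 1803; older builds ignore it.
        $state.Effective = 'Setting not available before Windows 10 1803'
    }
    elseif (Test-Path -Path $Path) {
        $prop = Get-ItemProperty -Path $Path -Name 'MDMWinsOverGP' -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $state.Configured = $true
            $state.Value      = [int]$prop.MDMWinsOverGP
            # 1 = the MDM value overrides a conflicting GPO value; 0 = GPO wins.
            if ($state.Value -eq 1) {
                $state.Effective = 'MDM wins on conflict'
            }
        }
    }

    [pscustomobject]$state
}

Get-MdmWinsOverGpState | Format-List
```

A device that is hybrid-managed and reports the default here will keep applying the GPO value wherever both channels configure the same setting, which is worth knowing before assuming an Intune security baseline is in effect.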

If I were to say that eventually MDM will replace GPO, trust me, it will happen. GPOs are still the preferred solution in the largest of enterprises; however, MDM is not far behind. To summarise – Group Policy is still the best way to granularly configure domain-joined Windows PCs and tablets, but the modern devices that are not owned by enterprises are growing in number and don't need such granular configurations, hence MDM becomes the solution of choice. However, for GPOs to die, all on-premises Domain Controllers will have to be decommissioned, with no domain-joined PCs or servers left. Until then, no, GPO is not dead yet!

Let's wait and watch!