Course information

Group Policy & MDM Master Class

Send a mail to sales@pds-site.com for more information

What is Group Policy, and why does it matter?
Group Policy is what you do with Active Directory — you control and manage your clients and servers with the nearly limitless power it offers.
However, with power comes responsibility. The power of Group Policy is in the way you can make a “wish” from a central location and your clients’ systems can embrace that wish. However, if it’s implemented incorrectly or carelessly, unexpected and costly consequences will most certainly occur.

The best time to learn how to use the power of Group Policy is right now! Make sure the people in charge of Active Directory operations have a firm grasp on the concepts of Group Policy to avoid costly mistakes and downtime.

What is MDM, and why does it matter?
MDM stands for Mobile Device Management, and it’s a “cousin” to in-box Group Policy. MDM is a cloud-based way to get “Group Policy-like directives” to your MDM-enrolled machines. There are many MDM vendors, like Microsoft Intune, MobileIron, and AirWatch, to name a few. But this class is MDM-vendor “agnostic” and will explain what is possible (and not possible) with the in-box MDM services inside Windows 10 that all vendors must adhere to.

Master Class Course Breakdown:
Two-day Group Policy + MDM Masterclass Workshop:
- Win 7 and Windows 10
- Windows Server 2003, 2008 & R2, 2012 & R2 and Server 2016/2019 specifics
- Troubleshooting Security, Special Group Policy operations, All the Group Policy Preferences, Advanced Group Policy and MDM Troubleshooting, and TONS more.
- MDM: Essentials, working together with Group Policy, migration, and capabilities.
- Free and 3rd-party Group Policy and MDM tools.

Here is the technical content breakdown:
- 80% Group Policy “In the box” from Microsoft.
- 10% MDM “In the box” from Microsoft.
- 10% Other desktop and server management “Must Dos” and tips

Here is the breakdown of how the classes work:
- 33% Lecture/knowledge transfer
- 33% Demonstration of concepts
- 33% Hands-on lab time—turning concepts into practice
- 1% Time to catch your breath!
This training approach helps students understand the material on multiple levels and reinforces the concepts before they put their knowledge into practice in production.

Who Should Take this Hands-On class?

Active Directory Architects:
This type of administrator needs to know which sections of Group Policy should be addressed for their rollout, and which should be avoided.
End-User Computing / Desktop Design Engineers:
Craft the desktop; don’t leave it up to end-users to walk all over you. Use the power of Group Policy and MDM so that you are in charge, not your users.
Domain Administrators, Server Operators, and Server Administrators:
These professionals want to plan and manage their Group Policy design the right way, the first time! Or, maybe a second time if you have a Group Policy mess.
Security Administrators:
Group Policy touches every single aspect of Active Directory security. If these administrators have a firm foundation in Group Policy, they can ensure that security directives are accurately implemented and enforced.
OU Administrators:
These key administrators need to understand how to create and manage Group Policy just as much as Domain Administrators do.
Desktop Administrators:
If Group Policy or MDM stops functioning, the Desktop Administrator will need the skills to troubleshoot and assist the server administrators.
MDM Administrators:
Got MDM? If you have MDM for phones and want to understand how you could start to use it for desktops, and want to know how Group Policy is involved, this is the class for you.

Group Policy Master Class - Outline
Note: We are constantly improving and updating. Your actual course outline may differ slightly from the details shown here.

Group Policy Overview

Talk & Demo - Group Policy functions
- Group Policy processing basics
- Group Policy levels and precedence
- Discussion of where GPOs live (the swimming pool concept)
- Where does Group Policy apply?
- When does Group Policy apply (Win 7 – Win 10 1, Windows Server 2003- Server 2016)
- The GPMC—quick tour
- Why your IT machine MUST be Windows 10 in the future to get maximum benefits of Group Policy.
Labs - Working with the GPMC
- Creating and deleting GPOs
- Creating GPOs that are linked to sites


Group Policy Basics

Talk & Demo - Linking a GPO to multiple levels in AD
- Link enabled vs. disabled
- Delete vs. unlink
- Enforced (No Override)
- Block inheritance
- Priority
- Security filtering by Group
- Security filtering by advanced properties
- Dealing with MS16-072 Patch which changes Group Policy Processing
Labs - Creating and linking GPOs to specific OUs
- Block inheritance
- Security filtering
- Modifying Group Policy Objects for MS16-072 patch


Group Policy Processing

Talk & Demo - All about Backup & Restore
- What happens when you log on (and after you log on)
- What’s happening under the hood and “Status”
- Manual Policy Processing
- Dialling Up / VPN and slow-links
- Resultant Set of Policy
Labs - Backup and restore GPOs
- Remote GP update
- RsOP calculations


Security Implementation with Group Policy

Talk & Demo - Delegating responsibility for GPO creation and management
- Under the hood of Group Policy security
- The special default GPOs (Default Domain Policy GPO and Default Domain Controller Policy GPO)
- Multiple Password Policy / FGPP
- Restoring Default GPOs back to their original settings if necessary
- Changing Default Permissions upon all GPOs which are created (to work around MS16-072)
- Windows AppLocker application security
- How to automatically rotate local admin passwords on endpoints with “LAPS”
Labs - Delegating responsibility for GPO creation and management
- Windows AppLocker
- Changing Default Permissions upon all GPOs which are created (to work around MS16-072)
- LAPS: Local Admin Password Solution


Special Group Policy Processing

Talk - WMI Filters
- Loopback Processing
Labs - WMI Filters toolkits
- Making WMI Filters
- Managing Loopback


Group Policy Central Store

Talk & Demo - ADM and the Pre-History of ADMX Files
- Solving SYSVOL Bloat
- Creating the Central Store
- Curating the Central Store
- Using the Central Store with Microsoft Office and other ADMX files
- Migrating ADM to ADMX
Labs - Creating the central store
- Curating the central store and keeping it up to date


Group Policy Preference Extensions

Talk & Demo - Making them work with older machines like Windows XP and Windows 2003
- Don’t miss MUST DO for Win 7 / 8 / 10 before getting started
- Understanding which clients can utilize GPPrefs
- Manually delivering the update to existing clients
- Automatically delivering the update to existing clients
- Preference vs. Policy
- Understanding the 21 new categories of features
- Action modes
- Common Tab
- Circles and Lines
- Dealing with the “overlap” of original Group Policy features vs. GPPrefs
- Item-level targeting
- Group Policy Preference Extensions reporting
- Sharing your work with other administrators
- Leveraging Group Policy Preference Extensions to reduce the number of images
- Leveraging Group Policy Preference Extensions to reduce need for Logon Scripts
Labs - Group Policy Preference Extensions
- Configuring GPPrefs for Win 7/8/10
- Using GPPrefs (lots and lots of labs here)


What’s new with Group Policy and Windows 10

Talk & Demo - Windows 10 ADMX Extras: MS Edge, Trimming Settings, Pro Vs. Ent.
- Windows 10 “Guards”: Device Guard, Credential Guard
- Windows 10 Start Screen Manager
- Preventing Malware
- IE 11: Enterprise and Document Modes (and working with Edge)
- “Windows as a Service” and “Windows Update for Business”
- Where do MDM and Group Policy fit together?
- Understanding Group Policy and Azure AD.
- …MORE as it gets released with additional upgrades to Windows!
Labs - Create Settings shortcuts to Win10 desktop using Group Policy Preferences
- Managing IE Enterprise and Document Modes using Group Policy
- Making “Rings” for Windows as a Service / Windows Update for Business


All about MDM, co-existence and Group Policy migration

Talk & Demo - What is MDM
- What is in-box MDM vs. Intune, AirWatch, MobileIron (hint: They’re different.)
- What scenarios is MDM BEST for, vs. Group Policy BEST for?
- What is MDM trying to do vs. what is Group Policy trying to do?
- What tools can help me consider MDM?
- MDM for non-domain-joined vs. domain-joined.
- What happens if Group Policy + MDM get into a fight?
- 3rd Party Tools to help with Group Policy + MDM
Labs - None


Group Policy and MDM Troubleshooting

Talk & Demo - Common troubleshooting scenarios
- What happens with multiple Domain Controllers?
- What to expect from Event Logs
- How to enhance Event Log reporting
- How to troubleshoot MDM
- How to turn up the juice on GPO output
- How to troubleshoot at the desktop
- A troubleshooting roadmap: Why won’t Group Policy apply!?
Labs - Finding and repairing a broken GPO
- Features of GPResult


Managing Applications using Group Policy
You’ve got lots of applications, but how are you going to manage their settings using Group Policy? If you’ve ever wondered how to manage applications like Adobe Acrobat, Firefox, Java JRE, Lync client, and more — you are going to learn how to do it in this lesson!

Talk & Demo - Group Policy + ADM/ ADMX files
- Group Policy + PowerShell
- Group Policy + PolicyPak Application Manager (paid 3rd-party tool)
- Learn the difference between “Red Dot” and “Blue Dot” ADM and ADMX files.
- Learn what the “proper” policies keys are.
- Learn how to convert ADM to ADMX files for applications you likely already use and own.
Labs - Office ADMX files
- Group Policy + PowerShell
- PolicyPak Application Manager test drive


Microsoft AGPM (Advanced Group Policy Management)
If you use Group Policy “out of the box” there’s no “Are You Sure” or “Oops, I didn’t mean to do that” button. AGPM brings true “change management” to Group Policy. Many companies already PAY for Microsoft AGPM, but don’t know where to start. This secret weapon ensures that your whole team works together when it comes to Group Policy management.

PS: Even if you don’t have AGPM, it’s worth understanding anyway, because other 3rd-party tools work similarly and can be used instead of AGPM.

Talk & Demo - Learn the “moving pieces” of AGPM
- Learn how to install and configure AGPM
- Learn the common mistakes — and how to avoid them when using AGPM
- Working as a team within AGPM and the GPMC.
Labs - AGPM tasks
- AGPM working with others
- Using the workflow system

Hands-on labs give you the confidence to deal with Group Policy changes in your environment, roll back if problems occur, and more quickly troubleshoot Group Policy when multiple administrators are involved.

Microsoft and 3rd Party Security Guidance
Microsoft has guidance to help get all your machines more secure. You need to be able to find and use this guidance, and then ensure you can deliver this guidance via Group Policy or MDM.
Learn about the Security Compliance Toolkit, where you can download “prescriptive guidance” from Microsoft (that is, how Microsoft thinks your machines should be configured). Then you can modify these prescriptions and/or make your own. Learn about other guidance, from the US government and other sources, that you can download and use to make your machines more secure.

Talk - Learn all about Security Compliance Toolkit; be able to make your own decisions about how to use its functions to manage your desktops and servers
- Learn about the LocalGPO SCM utility: deliver and manage Group Policy settings to non-domain-joined machines.
- Learn about other non-Microsoft guidance to help get you more secure.
- Learn to analyze multiple GPOs and compare them for differences
Labs - Implementing Microsoft Security Baselines
- Using Microsoft PolicyAnalyzer to compare differences
