Complete Group Policy Integration
Configuration Manager should be able to configure all aspects of a workstation that can be done using other Microsoft tools. Some group policy items already exist such as folder redirection and Firewall Policies. It would be great if Firewall could be expanded to include creation of firewall exceptions. It would also be great if we could configure all group policies from within SCCM perhaps using compliance settings.
Andrew Malcolm commented
As others have stated, being able to SEE COMPLIANCE would be a huge advantage for doing all client configuration with Configuration Manager, not some in GP, some in DSC, some in 1,2,3...
Jesse Proulx commented
If this was well implemented, it would go a long way to making Azure AD a viable full replacement solution to on-prem AD. It would need to support importing ADMX/ADM files as well as having the base GPOs.
L U commented
+ Advanced Group Policy Management (AGPM) integration?
David Hannah commented
Perhaps an option to "link" your Group Policy environment with SCCM?
For instance, you might configure a source Active Directory domain. It could then read all GPOs to have some non-editable GPO CIs, and leverage the SCCM client to simply report on GPO compliance. This would satisfy organizations that might segregate SCCM and GPO administration.
You could then have an option on the GPO CIs to convert them to typical SCCM CIs. This would ease the migration process.
Nash Pherson (MVP) commented
CI's should be able to consume the Group Policy templates :-)
Charles Herrington commented
I agree that having full Group Policy functionality within SCCM would be a huge improvement. When companies like mine are trying to obtain compliances like PCI and ISO, being able to report and confirm that compliance items are actually implemented and are being enforced on client OS's across the organization would definitely help the auditing process.
Dustin Hedges commented
Native integration into the Security Compliance Manager (and/or GPO Templates in general) would be a huge benefit. The individual SETTINGS (not CI's) need to be searchable however.
Right now, Compliance in SCCM has a big advantage over Group Policy: Reporting on results. Currently, and not in the foreseeable future, AFAIK, there are no plans to add such functionality to Group Policy.
Giving Compliance the ability to manage the same/more settings than GP would give admins much better insight into their environment by actually seeing the impact of changes that are deployed through reports and queries.
I think that would be an awesome addition.
Richard Archer commented
@Andrew M - The downside there would be that Configuration & Compliance would become dependent on WMF 4. That said, it does feel like there's a lot of overlap between the two functionalities that could do with some rationalisation.
Andrew Malcolm commented
Please move all aspects of configuration to PowerShell DSC - then make config mgr PowerShell DSC behind the curtains ;-)
Roman Žuravljov commented
Sometimes when you need to implement a GP item/setting as a Compliance Item, you have to use different tools (sometimes 3rd party tools), which is VERY far from convenient.
Steven John Cuthill commented
Yup, I would agree here! The ability to create a "configuration item" that has Group Policy pres and ADM/ADMX Templates.
Jarrod Beebe commented
The idea is to be able to set any policy that can be set in group policy via SCCM and possibly get compliance on it as well. The task sequence idea sounds more like a gp update /force command.
Robby Moeyaert commented
Or just add a "process Group Policy" step to Task Sequence.