Windows Server 2016's Nano Server Doesn't Support Group Policy
- By Kurt Mackie
- May 11, 2016
Microsoft this week announced that its upcoming Nano Server deployment option can't be managed using Group Policy controls.
Nano Server is Microsoft's minimal-footprint option for its emerging Windows Server 2016 product, now in its fifth technical preview (TP5). The Nano Server option is about 20 times smaller than Server Core, another Windows Server deployment option. Microsoft stripped out a bunch of code to create the "headless" Nano Server option. Consequently, it can only be managed remotely via a command-line interface tool or a Web browser. Its lacks the usual graphical user interface (GUI) for management interactions.
This code removal resulted in some speed improvements for Nano Server, as well as a reduced footprint that reduces patching time and security risks. However, in removing the GUI, Microsoft also eliminated the use of Group Policy for management. Here's how Microsoft explained it:
To achieve this speed and small physical footprint, Nano Server has the absolute minimum amount of inbox components. As a result, Group Policy and the associated Group Policy Management Console (GPMC), editor (GPMC), Group Policy client and local policy editor (GPEdit) tools are not present on Nano Server. This is expected as they are graphical components and Nano Server is headless and remotely managed. Even when domain joined, Nano Server will not consume and enact Group Policy settings.
For some reason, Microsoft has been rather low-key in explaining that Group Policy won't be part of its Nano Server plans. Plenty of IT pros have a lot of time invested in using Group Policy to manage computing environments, so it might not be a welcome takeaway.
Microsoft is planning to release a series of PowerShell blog posts to explain the management options available with Nano Server. It seems that Microsoft is proposing to release some new PowerShell cmdlets for the purpose. The first of these cmdlets are called "securityCmdlets," according to the initial post of the PowerShell blog series.
In the end, though, Desired State Configuration, a PowerShell push-pull approach for maintaining server states, is seen as the future replacement for Group Policy when it comes to managing Nano Server. That idea comes not from Microsoft's announcement, but from a Twitter post by Jeffrey Snover, a Microsoft Technical Fellow and the inventor of PowerShell.
Microsoft MVP Rod Trent noted Snover's Twitter post in this WindowsITPro article.
When Snover was asked in his Twitter thread if Microsoft eventually planned to deprecate Group Policy he simply replied, "Group Policy is very well suited to client scenarios, which is why you saw a big set of new GPs for Win 10."
Windows Server 2016, scheduled to arrive in Q3 of this year, will have three deployment options. It still has an option for organizations to deploy it with the traditional GUI. That capability was added back into TP3. Also, it will have the Server Core option, which first appeared with the Windows Server 2008 product. However, Windows Server 2016 with Server Core loses the ability (as seen in Windows Server 2012) to switch between the GUI version and the non-GUI version after installation. Lastly, it will have the Nano Server option.
It's only the Nano Server option that loses Group Policy management. Windows Server 2016 is actually getting some new Group Policy controls, Microsoft's announcement explained.
At Microsoft's Build developer event last month, Snover had explained that Windows Server 2016 will have a different installation approach, too. It will follow the Windows Server Applications (.appx) model, an approach used by Windows Store apps. IT pros will install Nano Server via the declarative approach of APPX, instead of using MSI (.msi) install packages, he explained.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.