In this guide, we shall discuss “AGMP extended support ends April 2026: Find alternative solution“. Microsoft BitLocker Administration and Monitoring (MBAM) and Advanced Group Policy Management (AGPM), both components of the Microsoft Desktop Optimization Pack (MDOP). Have reached their official End of Support today (14/04/2026). Please see How to extend a VM Hard Disk on VMware Workstation, and Steps to customize Windows PE boot images.
From this date forward, these tools will no longer receive security updates, bug fixes, or compatibility guarantees from Microsoft similar to what we have noticed with MDT. Please, see Unable to edit MDT XML unattended file: Could not load file, and Fix MDT Workbench Crashes when opening WinPE tab Properties.
Please, see “MBAM extended support ends April 2026: Find alternative solution“. You can learn more from the official Microsoft documentation.
What is AGPM and Why It Matters?
AGPM (Advanced Group Policy Management) extends the native Group Policy Management Console (GPMC) by adding structured change control. AGPM has long provided organizations with critical capabilities such as versioning, approval workflows, rollback, and delegation control for Group Policy Objects (GPOs).
Key capabilities of AGPM:
- GPO check-in / check-out
- Version history and rollback
- Approval workflows (four-eyes principle)
- Delegated administration
- Controlled deployment to production
Without AGPM (Advanced Group Policy Management), changes in standard GPMC are immediate. Thereby, creating risk in enterprise environments.
However, as Microsoft shifts toward cloud-first management models (Intune, Entra ID, and Configuration Manager integration for co-management). AGPM is no longer part of the strategic roadmap. Here is how to install Endpoint Configuration Manager on HyperV VM.
This change leaves many IT teams needing to rethink how they manage GPO governance, auditing, and change control.
Reason for Retirement
Microsoft has not announced a direct replacement for AGPM. Instead, the direction is:
- Cloud-first identity management via Microsoft Intune
- Policy migration toward Entra ID-based management
- Reduced investment in legacy MDOP (Microsoft Desktop Optimization Pack) tools
Please see how to deploy MBAM for BitLocker Administration, [MDOP] Microsoft Desktop Optimization Pack at a glance, and “Why GPO is not the best solution for managing Windows updates“.
End of Support Timeline for MDOP Products
Below is a table for Microsoft MDOP lifecycle documentation and enterprise analysis. Since AGPM is part of MDOP. It is now fully in maintenance mode with the unified retirement timelines depited in the table below.
The following components are part of the MDOP suite: Microsoft Application Virtualization (App-V), Microsoft User Experience Virtualization (UE-V), Microsoft Advanced Group Policy Management (AGPM), Microsoft Diagnostics & Recovery Toolset (DaRT), and Microsoft BitLocker Administration and Monitoring (MBAM).
| Component | Support Status | End of Life Date |
|---|---|---|
| AGPM (MDOP v4 SP3) | Extended support | 14 April 2026 |
| MBAM (BitLocker management) | Extended support | 14 April 2026 |
| App-V | Extended support | 14 April 2026 |
| UE-V | Extended support | 14 April 2026 |
Please see Unable to install Microsoft Bitlocker Administration: Uninstall your current version of MBAM and run setup again, and Steps to customize Windows PE boot images.
AGPM (Advanced Group Policy Management) Alternatives
There is no single Microsoft replacement, but several strategic options exist. You can also see this blogpost by “Andreas Hartig” my fellow Microsoft MVP.
Note: Microsoft is shifting from GPO-centric lifecycle control to identity-driven and endpoint-managed policy enforcement, distributing AGPMās capabilities across the modern management stack instead of replacing it with a single product.
| Solution | GPO Versioning | Approval Workflow | Rollback / Restore | Audit & Logging | Cloud Integration | Primary Strength | Key Limitation |
|---|---|---|---|---|---|---|---|
| Quest GPOADmin | Full | Yes | Yes | Strong | Partial | Closest AGPM replacement (full lifecycle control) | Commercial licensing |
| SDM Software Change Manager | Full | Yes | Yes | Strong | Intune support | Hybrid GPO + Intune governance | Complexity in large environments |
| Netwrix Auditor | No native version control | Limited | Limited | Excellent (read-only tracking) | Partial | Best for compliance & visibility | Not a true AGPM replacement |
| Microsoft Intune | No GPO versioning | Basic (via RBAC/flows) | Limited | Yes | Full | Strategic Microsoft direction (cloud-first) | Does not support GPO lifecycle control |
| Entra ID (Azure AD) | Not applicable | No | No | Identity logs | Full | Identity-driven policy foundation | Not a policy change management tool |
| PowerShell + Git (DIY DevOps model) | Via scripts | Custom only | via Git restore | Git history | Manual integration | Flexible, automation-ready, no vendor lock-in | Requires strong engineering maturity |
| Hybrid Model (Quest/SDM + Intune + Git) | Partial | Yes | Yes | Strong | Full | Balanced enterprise strategy | Requires architecture complexity |
Additional Tools and GPO Backup Strategy
In addition to the solutions outlined above, you should also evaluate complementary tools such as FullArmor Universal Policy Administrator (UPA), Cayosoft Guardian, and ManageEngine ADManager Plus (while not GPO-specific, it provides broader AD management capabilities).
You must also ensure that a robust backup and recovery strategy for Group Policy Objects (GPOs) is in place. Veeam Backup & Replication, combined with Veeam Explorer for Microsoft Active Directory, provides a reliable mechanism to locate and restore specific GPOs when required. Alternatively, you can leverage the native Group Policy Management Console (GPMC) backup and restore capabilities to support recovery scenarios.
Note: To strengthen governance and analysis, you should incorporate tools such as GPOZaurr and Microsoft Policy Analyzer, alongside auditing and security-focused solutions like Netwrix Auditor, Quest Change Auditor, PingCastle, and Purple Knight (Semperis), enabling improved visibility, compliance tracking, and risk detection across your GPO environment.
The AGPM (Advanced Group Policy Management) Migration Roadmap
1 – Assess Current AGPM Usage: Begin by understanding the current state of Group Policy management:
- Identify the total number of managed GPOs
- Classify policies into critical, operational, and legacy
- Map dependencies across domains, OUs, and security boundaries
2 – Choose a Replacement Model: Select an approach aligned with organizational maturity and long-term strategy:
- Enterprise tools: Fastest and most direct AGPM replacement
- Cloud-native approach: Aligns with Microsoftās strategic direction (Intune/Entra ID)
- Hybrid Git-based model: Advanced, automation-driven governance for mature teams
3 – Modernize GPO Architecture: Before or during migration, reduce complexity and technical debt:
- Eliminate redundant or overlapping GPOs
- Consolidate fragmented policy sets
- Align configurations with Microsoft security baselines and Zero Trust principles
4 – Introduce a Governance Layer: Replace AGPM-style control with a modern governance framework:
- Structured approval workflows (ITSM or tooling-based)
- Centralized change logging and auditability
- Role-based access control aligned with least privilege principles
The retirement of AGPM in April 2026 ends traditional Group Policy change management as a native Microsoft capability and signals a broader shift from Group Policy-centric management to identity- and cloud-driven policy governance.
Snapshots and Backups Are Critical for MBAM and AGMP Updates Post-End of Support
With Microsoft BitLocker Administration and Monitoring (MBAM) and Advanced Group Policy Management (AGPM) reaching end of support, organizations must continue operating without vendor patches, fixes, or guaranteed compatibility with future Windows Server updates. This increases the risk associated with routine maintenance activities and makes structured rollback and recovery mechanisms essential.
Taking VM snapshots before applying updates provides a fast rollback option when changes introduce service failures, database connectivity issues, or other functional issues. This is especially important in environments where MBAM manages BitLocker recovery keys, as any disruption to its services or underlying SQL database can prevent access to critical recovery information via the Self-service and Helpdesk portal across the organization.
AGMP
Similarly, AGPM plays a key role in controlled Group Policy management. Updates that introduce incompatibilities can disrupt GPO workflows, block policy deployments, or create inconsistencies in policy versioning. Since both solutions are no longer validated against newer Windows updates, silent failures become more likely, where systems appear operational but core services no longer function correctly.
While snapshots provide a valuable short-term safety net during maintenance, they are not a substitute for proper backups. Organizations must maintain application-aware backups, particularly for MBAM SQL databases and related components, to ensure consistent and reliable recovery options beyond short-term rollback scenarios. Snapshots should also remain temporary due to performance impact and storage consumption caused by delta growth and consolidation processes.
In the post support phase, snapshots and backups work together as critical operational safeguards during updates. At the same time, this state reinforces the need to transition toward supported platforms for BitLocker and Group Policy management, such as Microsoft Endpoint Configuration Manager and Microsoft Intune, to reduce long-term operational risk.
I hope you you found this guide on ‘AGMP extended support ends April 2026: Find alternative solution” very useful. Please feel free to leave a comment below.
