Over the past couple of months I have been fortunate to play with a new feature coming in Intune, which I am glad to be able to share with you here in this post.
Modern Management Blockers
Over the past number of years there have been some areas within the Intune product set that enterprise admins and consultants alike have complained about, none more so than the lack of ability to fully control application behavior though something similar to the traditional group policy.
The ability to apply group policy settings has always been top of the list as it brings a comfort factor that everything is manageable, without this some organisations have looked at Intune for set area’s within their business. It has been argued that simply porting the tens of thousands of policy settings was overboard, Intune policies were of course about locking down the key area’s of the OS by design.
I would have to agree that porting legacy into modern is not always the best approach, however there needs to be flexibility to allow for a mixture of both worlds. There are of course work around methods for deploying application policy settings, custom XML via OMA URI or PowerShell scripts, however these methods tend to be a lot of manual work.
Microsoft Ignite Announcement
Announced at Microsoft Ignite in Paul Mayfield and Mayunk Jain‘s BRK3036 session (https://myignite.techcommunity.microsoft.com/sessions/64592) is a preview of a coming feature, this being the ability to set ADMX policy settings via Microsoft Intune. I’d urge you to take time to watch over the session as it really does encapsulate everything that the team have worked hard on to deliver to the product over the past few months.
So let’s step through this new exciting / blocker removing feature on the path to modern management;
Group Policy In The Cloud (Sort Of)
So aside from the regular Intune policies there is a new Administrative Templates section coming. Contained within here is the ability to set a whole range of commonly used ADMX settings which can then be applied to targeted groups of users and/or devices. This brings the power of your traditional group policy object management to Intune, which is something in my own opinion will be a game changing event for those considering to make the move to modern management of Windows.
Below you can see the setting in my tenant, which should be noted is a preview feature and no time scales for the release are defined at present.
Creating An Administrative Template
Creating a new list of ADMX policies could not be simpler, click on Intune blade, then Device Configuration, Administrative Templates and click on the +Create button;
You are now presented with a list of supported policy settings that can be applied, which includes;
- Internet Explorer
- Office 2016
- Windows 10 core functions – Event Viewer settings, Printing, Remote Assistance etc.
At the time of writing I counted a total of 277 settings but I am sure this will increase as this feature gets closer to becoming available.
Settings are listed alphabetically by default which can make the list non-uniform in nature when you are looking for a particular setting, however simply specifying a filter quickly sorts this out for you. Below is an example of a filtered via using “Internet Explorer” as the keywords;
These settings will all be very familiar for you working with group policy;
Editing each of the settings will give you a slightly different UI depending on the options, just as it would in group policy. Below are two examples of this;
Troubleshooting Settings Deployment
We all know how to troubleshoot group policy settings being applied to your machine after making a change to a GPO (or should all know if you are reading this post) , but how is this done in the modern world using the new Administrative Templates method?
Those of you familiar with troubleshooting Intune deployments should be aware of the presence of the following log in event viewer;
Event Log : Applications and Services Logs\Microsoft\Windows\DeviceManagement-Enterprise-Diagnostics-Provider\Admin
This of course is the place to view changes to the ADMX policy settings being pushed down to the device (Event ID 831);
Drilling into each of these entries, you will quickly identify the individual settings being applied;
In this example where the Office update branch is set to Insider, you will also then see the setting reflected in the application(s);
The potentials for this feature are wide ranging, a couple of things I personally would like to see are;
- Security Baselines – Originally on my list when creating this blog post, but as you will see from the before mentioned Ignite session, this is going to be catered for
- ADMX Import Facility – To allow for third party ADMX settings to be deployed
- Improved Settings View – The list of settings can be spanned over several pages and for those coming from a systems administration background and being used to GPO’s, the formatting could be improved upon. Perhaps a tree view or a blade style view might prove more navigable
Win32 Apps in Intune, Autopilot UI improvements, self-deploying deploying mode and now the ability to manage applications in greater depth out of the box through this new feature. It’s exciting times ahead for modern management.
Thanks for reading.
Maurice has been working in the IT industry for the past 18 years and currently working in the role of Principal Consultant with TrueSec. With a focus on OS deployment through SCCM/MDT, group policies, active directory, virtualisation and office 365, Maurice has been a Windows Server MCSE since 2008 and was awarded Enterprise Mobility MVP in March 2017.