Maurice DalyIn part two of this multi-series blog on managing devices with Microsoft Intune, we will look at how to apply setting using the configuration service provider (CSP).
Series Links:
Managing Windows 10 with Microsoft Intune – Part 1 (MDM Profiles)
Managing Windows 10 with Microsoft Intune – Part 2 (CSP Policies)
Managing Windows 10 with Microsoft Intune – Part 3 (Administrative Templates & Workarounds)
CSP Policies
CSP policies were originally designed to control functions of Windows Mobile 5.0 but have evolved over the years to provide direct mappings to the registry, file permissions and local user accounts. Policies are documented on Microsoft’s configuration service provider reference page (https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference), I suggest you take your time to look through the different polices available on this page, to discover the full capabilities.
Each of the built in CSP policies contains a support matrix for the various client OS and mobile OS versions, pay close attention to these, as I have seen many instances were policies have been configured but throw an error simply due to the fact they are not supported by the target device. Example;
Example AppLocker CSP
So let us take an example of applying App-Locker policies via CSP. The AppLocker CSP settings can be found here – https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp, in this example we will use the default rules created within a local group policy object and exported;
- Configure the AppLocker policies
- Export the policy into an XML file
- Now we can import the component parts of the XML and create individual OMA-URI settings
- Create a new profile
- Select “Windows 10 and Later” as the platform
- Select “Custom” as the Profile type
- Click on Settings
- Add rows for the individual Rule Collection types, example;
Name: AppLocker-AppX-Policies
OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/BlockedApps01/Appx/Policy
Data Type: String
Value;<RuleCollection Type=”Appx” EnforcementMode=”NotConfigured”>
<FilePublisherRule Id=”a9e18c21-ff8f-43cf-b9fc-db40eed693ba” Name=”(Default Rule) All signed packaged apps” Description=”Allows members of the Everyone group to run packaged apps that are signed.” UserOrGroupSid=”S-1-1-0″ Action=”Allow”>
<Conditions>
<FilePublisherCondition PublisherName=”*” ProductName=”*” BinaryName=”*”>
<BinaryVersionRange LowSection=”0.0.0.0″ HighSection=”*” />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection> - Repeat adding rows until all settings are included
- Save and assign the policy
Now we can test the settings have applied to the client;
CSP Ingestion
With CSP you can also apply a wide variety of settings through ADMX file ingestion. This is process of importing the raw ADMX into Intune so you have leverage the settings contained within. Check out this blog post for a full break down of the process with the Google Chrome ADMX – https://blogs.technet.microsoft.com/ukplatforms/2018/05/30/google-chrome-gpo-via-intune/
In this example, I am going to demonstrate how to import the OneDrive ADMX file. Some of you might have already spotted that OneDrive settings are also available in the Administrative Templates preview, however, not all of the settings are currently available in the preview. So, if you are in the process of migrating to OneDrive for Business, this will be of interest for silently enabling the known folder move process.
OneDrive Sync Agent Settings
- Open the latest version folder from %LocalAppData%\Microsoft\OneDrive
- Open the ADM sub-folder and you will find the ADMX template files;
- Open the ADMX file and copy all contents of the “PolicyDefinitions” tags, e.g;
<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"> <policyNamespaces> <target prefix="OneDriveNGSC" namespace="Microsoft.Policies.OneDriveNGSC" /> <using prefix="windows" namespace="Microsoft.Policies.Windows" /> </policyNamespaces> <resources minRequiredRevision="1.0" /> <categories> <category name="OneDriveNGSC" displayName="$(string.OneDriveNGSCSettingCategory)"/> </categories> <policies> <policy name="DisablePersonalSync" class="User" displayName="$(string.DisablePersonalSync)" explainText="$(string.DisablePersonalSync_help)" key="SOFTWARE\Policies\Microsoft\OneDrive" valueName="DisablePersonalSync"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <enabledValue> <decimal value="1" /> </enabledValue> <disabledValue> <decimal value="0" /> </disabledValue> </policy> <policy name="GPOSetUpdateRing" class="Machine" displayName="$(string.GPOSetUpdateRing)" explainText="$(string.GPOSetUpdateRing_help)" presentation="$(presentation.GPOSetUpdateRing_Pres)" key="SOFTWARE\Policies\Microsoft\OneDrive"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <elements> <enum id="GPOSetUpdateRing_Dropdown" valueName="GPOSetUpdateRing"> <item displayName="$(string.Enterprise)"> <value> <decimal value="0" /> </value> </item> <item displayName="$(string.Production)"> <value> <decimal value="5" /> </value> </item> <item displayName="$(string.Insider)"> <value> <decimal value="4" /> </value> </item> </enum> </elements> </policy> <policy name="DefaultRootDir" class="User" displayName="$(string.DefaultRootDir)" explainText="$(string.DefaultRootDir_help)" presentation="$(presentation.DefaultRootDir_Pres)" key="SOFTWARE\Policies\Microsoft\OneDrive" valueName="DefaultRootDir"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <elements> <list id="DefaultRootDirList" key="Software\Policies\Microsoft\OneDrive\DefaultRootDir" additive="true" expandable="true" explicitValue="true" /> </elements> </policy> <policy name="DisableCustomRoot" class="User" displayName="$(string.DisableCustomRoot)" explainText="$(string.DisableCustomRoot_help)" presentation="$(presentation.DisableCustomRoot_Pres)" key="SOFTWARE\Policies\Microsoft\OneDrive" valueName="DisableCustomRoot"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <elements> <list id="DisableCustomRootList" key="Software\Policies\Microsoft\OneDrive\DisableCustomRoot" additive="true" explicitValue="true"/> </elements> </policy> <policy name="EnableAllOcsiClients" class="User" displayName="$(string.EnableAllOcsiClients)" explainText="$(string.EnableAllOcsiClients_help)" key="SOFTWARE\Policies\Microsoft\OneDrive" valueName="EnableAllOcsiClients"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <enabledValue> <decimal value="1" /> </enabledValue> <disabledValue> <decimal value="0" /> </disabledValue> </policy> <policy name="EnableHoldTheFile" class="User" displayName="$(string.EnableHoldTheFile)" explainText="$(string.EnableHoldTheFile_help)" key="SOFTWARE\Policies\Microsoft\OneDrive" valueName="EnableHoldTheFile"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <enabledValue> <decimal value="1" /> </enabledValue> <disabledValue> <decimal value="0" /> </disabledValue> </policy> <policy name="AutomaticUploadBandwidthPercentage" class="Machine" displayName="$(string.AutomaticUploadBandwidthPercentage)" explainText="$(string.AutomaticUploadBandwidthPercentage_help)" presentation="$(presentation.AutomaticUploadBandwidthPercentage_Pres)" key="SOFTWARE\Policies\Microsoft\OneDrive"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <elements> <decimal id="BandwidthSpinBox" valueName="AutomaticUploadBandwidthPercentage" minValue="10" maxValue="99" /> </elements> </policy> <policy name="UploadBandwidthLimit" class="User" displayName="$(string.UploadBandwidthLimit)" explainText="$(string.UploadBandwidthLimit_help)" presentation="$(presentation.UploadBandwidthLimit_Pres)" key="SOFTWARE\Policies\Microsoft\OneDrive"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <elements> <decimal id="UploadRateValue" valueName="UploadBandwidthLimit" minValue="1" maxValue="100000" /> </elements> </policy> <policy name="DownloadBandwidthLimit" class="User" displayName="$(string.DownloadBandwidthLimit)" explainText="$(string.DownloadBandwidthLimit_help)" presentation="$(presentation.DownloadBandwidthLimit_Pres)" key="SOFTWARE\Policies\Microsoft\OneDrive"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <elements> <decimal id="DownloadRateValue" valueName="DownloadBandwidthLimit" minValue="1" maxValue="100000" /> </elements> </policy> <policy name="RemoteAccessGPOEnabled" class="Machine" displayName="$(string.RemoteAccessGPOEnabled)" explainText="$(string.RemoteAccessGPOEnabled_help)" key="SOFTWARE\Policies\Microsoft\OneDrive" valueName="GPOEnabled"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <enabledValue> <decimal value="1" /> </enabledValue> <disabledValue> <decimal value="0" /> </disabledValue> </policy> <policy name="PreventNetworkTrafficPreUserSignIn" class="Machine" displayName="$(string.PreventNetworkTrafficPreUserSignIn)" explainText="$(string.PreventNetworkTrafficPreUserSignIn_help)" key="SOFTWARE\Policies\Microsoft\OneDrive" valueName="PreventNetworkTrafficPreUserSignIn"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <enabledValue> <decimal value="1" /> </enabledValue> <disabledValue> <decimal value="0" /> </disabledValue> </policy> <policy name="SilentAccountConfig" class="Machine" displayName="$(string.SilentAccountConfig)" explainText="$(string.SilentAccountConfig_help)" key="SOFTWARE\Policies\Microsoft\OneDrive" valueName="SilentAccountConfig"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <enabledValue> <decimal value="1" /> </enabledValue> <disabledValue> <decimal value="0" /> </disabledValue> </policy> <policy name="DiskSpaceCheckThresholdMB" class="Machine" displayName="$(string.DiskSpaceCheckThresholdMB)" explainText="$(string.DiskSpaceCheckThresholdMB_help)" presentation="$(presentation.DiskSpaceCheckThresholdMB_Pres)" key="Software\Policies\Microsoft\OneDrive"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <elements> <list id="DiskSpaceCheckThresholdMBList" key="Software\Policies\Microsoft\OneDrive\DiskSpaceCheckThresholdMB" additive="true" explicitValue="true"/> </elements> </policy> <policy name="FilesOnDemandEnabled" class="Machine" displayName="$(string.FilesOnDemandEnabled)" explainText="$(string.FilesOnDemandEnabled_help)" key="SOFTWARE\Policies\Microsoft\OneDrive" valueName="FilesOnDemandEnabled"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows_10_0_RS3" /> <enabledValue> <decimal value="1" /> </enabledValue> <disabledValue> <decimal value="0" /> </disabledValue> </policy> <policy name="DehydrateSyncedTeamSites" class="Machine" displayName="$(string.DehydrateSyncedTeamSites)" explainText="$(string.DehydrateSyncedTeamSites_help)" key="SOFTWARE\Policies\Microsoft\OneDrive" valueName="DehydrateSyncedTeamSites"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows_10_0_RS3" /> <enabledValue> <decimal value="1" /> </enabledValue> <disabledValue> <decimal value="0" /> </disabledValue> </policy> <policy name="AllowTenantList" class="Machine" displayName="$(string.AllowTenantList)" explainText="$(string.AllowTenantList_help)" presentation="$(presentation.AllowTenantList_Pres)" key="SOFTWARE\Policies\Microsoft\OneDrive"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <elements> <list id="AllowTenantListBox" key="Software\Policies\Microsoft\OneDrive\AllowTenantList" additive="true"/> </elements> </policy> <policy name="BlockTenantList" class="Machine" displayName="$(string.BlockTenantList)" explainText="$(string.BlockTenantList_help)" presentation="$(presentation.BlockTenantList_Pres)" key="SOFTWARE\Policies\Microsoft\OneDrive"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <elements> <list id="BlockTenantListBox" key="Software\Policies\Microsoft\OneDrive\BlockTenantList" additive="true"/> </elements> </policy> <policy name="SharePointOnPremFrontDoorUrl" class="Machine" displayName="$(string.SharePointOnPremFrontDoorUrl)" explainText="$(string.SharePointOnPremFrontDoorUrl_help)" presentation="$(presentation.SharePointOnPremFrontDoorUrl_Pres)" key="SOFTWARE\Policies\Microsoft\OneDrive"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <elements> <text id="SharePointOnPremFrontDoorUrlBox" maxLength="2000" required="true" valueName="SharePointOnPremFrontDoorUrl"/> <text id="SharePointOnPremTenantNameBox" maxLength="2000" required="true" valueName="SharePointOnPremTenantName"/> </elements> </policy> <policy name="SharePointOnPremPrioritization" class="Machine" displayName="$(string.SharePointOnPremPrioritization)" explainText="$(string.SharePointOnPremPrioritization_help)" presentation="$(presentation.SharePointOnPremPrioritization_Pres)" key="SOFTWARE\Policies\Microsoft\OneDrive"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <elements> <enum id="SharePointOnPremPrioritization_Dropdown" valueName="SharePointOnPremPrioritization"> <item displayName="$(string.PrioritizeSPO)"> <value> <decimal value="0" /> </value> </item> <item displayName="$(string.PrioritizeSharePointOnPrem)"> <value> <decimal value="1" /> </value> </item> </enum> </elements> </policy> <policy name="DisableFRETutorial" class="User" displayName="$(string.DisableFRETutorial)" explainText="$(string.DisableFRETutorial_help)" key="SOFTWARE\Policies\Microsoft\OneDrive" valueName="DisableTutorial"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <enabledValue> <decimal value="1" /> </enabledValue> <disabledValue> <decimal value="0" /> </disabledValue> </policy> <policy name="BlockKnownFolderMove" class="Machine" displayName="$(string.BlockKnownFolderMove)" explainText="$(string.BlockKnownFolderMove_help)" key="SOFTWARE\Policies\Microsoft\OneDrive" valueName="KFMBlockOptIn"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <enabledValue> <decimal value="1" /> </enabledValue> <disabledValue> <decimal value="0" /> </disabledValue> </policy> <policy name="KFMOptInWithWizard" class="Machine" displayName="$(string.KFMOptInWithWizard)" explainText="$(string.KFMOptInWithWizard_help)" presentation="$(presentation.KFMOptInWithWizard_Pres)" key="SOFTWARE\Policies\Microsoft\OneDrive"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <elements> <text id="KFMOptInWithWizard_TextBox" maxLength="2000" required="true" valueName="KFMOptInWithWizard"/> </elements> </policy> <policy name="KFMOptInNoWizard" class="Machine" displayName="$(string.KFMOptInNoWizard)" explainText="$(string.KFMOptInNoWizard_help)" presentation="$(presentation.KFMOptInNoWizard_Pres)" key="SOFTWARE\Policies\Microsoft\OneDrive"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <elements> <text id="KFMOptInNoWizard_TextBox" maxLength="2000" required="true" valueName="KFMSilentOptIn"/> <enum id="KFMOptInNoWizard_Dropdown" valueName="KFMSilentOptInWithNotification"> <item displayName="$(string.KFMOptInNoWizardNoToast)"> <value> <decimal value="0" /> </value> </item> <item displayName="$(string.KFMOptInNoWizardToast)"> <value> <decimal value="1" /> </value> </item> </enum> </elements> </policy> <policy name="KFMBlockOptOut" class="Machine" displayName="$(string.KFMBlockOptOut)" explainText="$(string.KFMBlockOptOut_help)" key="SOFTWARE\Policies\Microsoft\OneDrive" valueName="KFMBlockOptOut"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <enabledValue> <decimal value="1" /> </enabledValue> <disabledValue> <decimal value="0" /> </disabledValue> </policy> <policy name="AutoMountTeamSites" class="Both" displayName="$(string.AutoMountTeamSites)" explainText="$(string.AutoMountTeamSites_help)" presentation="$(presentation.AutoMountTeamSites_Pres)" key="SOFTWARE\Policies\Microsoft\OneDrive"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows_10_0_RS3" /> <elements> <list id="AutoMountTeamSitesListBox" key="Software\Policies\Microsoft\OneDrive\TenantAutoMount" additive="true" expandable="false" explicitValue="true" /> </elements> </policy> <policy name="DisablePauseOnBatterySaver" class="User" displayName="$(string.DisablePauseOnBatterySaver)" explainText="$(string.DisablePauseOnBatterySaver_help)" key="SOFTWARE\Policies\Microsoft\OneDrive" valueName="DisablePauseOnBatterySaver"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <enabledValue> <decimal value="1" /> </enabledValue> <disabledValue> <decimal value="0" /> </disabledValue> </policy> <policy name="DisablePauseOnMeteredNetwork" class="User" displayName="$(string.DisablePauseOnMeteredNetwork)" explainText="$(string.DisablePauseOnMeteredNetwork_help)" key="SOFTWARE\Policies\Microsoft\OneDrive" valueName="DisablePauseOnMeteredNetwork"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <enabledValue> <decimal value="1" /> </enabledValue> <disabledValue> <decimal value="0" /> </disabledValue> </policy> <policy name="ForcedLocalMassDeleteDetection" class="Machine" displayName="$(string.ForcedLocalMassDeleteDetection)" explainText="$(string.ForcedLocalMassDeleteDetection_help)" key="SOFTWARE\Policies\Microsoft\OneDrive" valueName="ForcedLocalMassDeleteDetection"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <enabledValue> <decimal value="1" /> </enabledValue> <disabledValue> <decimal value="0" /> </disabledValue> </policy> <!-- Insert multi-tenant settings here --> <!-- See http://go.microsoft.com/fwlink/p/?LinkId=797547 for configuration instructions --> <!-- Commented out before strings finalized. <policy name="LocalMassDeleteFileDeleteThreshold" class="Machine" displayName="$(string.LocalMassDeleteFileDeleteThreshold)" explainText="$(string.LocalMassDeleteFileDeleteThreshold_help)" presentation="$(presentation.LocalMassDeleteFileDeleteThreshold_Pres)" key="SOFTWARE\Policies\Microsoft\OneDrive"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <elements> <decimal id="LMDFileDeleteThresholdBox" valueName="LocalMassDeleteFileDeleteThreshold" minValue="0" maxValue="100000" /> </elements> </policy> --> </policies> </policyDefinitions> - Now we have to create a custom policy in the Intune portal
- Go back to the Profiles section in the Device Configuration section, and click on “Create Profile“
- Select the platform as “Windows 10“
- Select the profile type as “Custom“
- Click on the Add button
- Enter the following details;
Name:OneDriveADMXDescription: OneDrive ADMX Template
OMA-URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/OneDriveNGSC/Policy/OneDriveAdmx
Data Type: String
Value: Paste in the contents of the section copied from the ADMX template file - Click “OK“
- Now we will enter the tenant ID as part of enabling the known folder move facility
- Add another OMA-URI entry by clicking on the “Add” button
- Enter the following details;
Name:OneDriveTenantDescription: Enable silent redirection with tenant ID
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/KFMOptInNoWizard
Data Type: String
Value: <enabled/> <data id=”KFMOptInNoWizard_TextBox” value=”Your Tenant Directory ID Here”/> <data id=”KFMOptInNoWizard_Dropdown” value=”0″/> - Click on “OK“
- Add another OMA-URI entry, again by clicking on the “Add” button
- Enter the following details;
Name:OneDriveSilentConfigDescription: Silently configure OneDrive
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/SilentAccountConfig
Data Type: String
Value: </enabled> - Click on “OK“
- Add another OMA-URI entry, again by clicking on the “Add” button
- Enter the following details;
Name:OneDriveFilesOnDemandDescription: Enable the files on demand
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/FilesOnDemandEnabled
Data Type: String
Value: </enabled> - Click on “OK“
- Click on “OK” again
- Click on “Save” to save the policy
At this point we have the basic settings configured for the OneDrive sync agent for use with your Azure AD tenant, silent configuration of the known folder move feature, and use of the files on demand feature. Simple assign the policy to your test collection (as we stepped through in part 1), and you can then confirm redirection of known folders by presence of sync icons and file sync details within the OneDrive client;
Should you run into issues with KFM, review the documentation on Microsoft’s site (https://docs.microsoft.com/en-us/onedrive/redirect-known-folders), taking care to ensure that known file types and file size restrictions are adhered to.
Conclusion
In this part of this multi-part series, you should now have a basic understanding of how to deploy settings using CSP policies. In the final part of the series we will look at how to use the new ADMX templates option (preview at time of writing).
Thanks for reading.
Recast Software
Nickolaj Andersen
Sandy Zeng
Add comment