With the shift towards management through the cloud, in particular Microsoft Endpoint Manager, one thing that has come up time and time again is the comparison between Group Policy and MDM Profiles. I have covered some of the mappings between these on the blog already, but one thing which I always thought would be an issue was the UI itself.
Administrative Templates – The UI Issue
The reason of course is that anyone who has been in an admin role will be familiar with group policy manager, or even the local group policy MMC snap-in. We all learned how to apply settings at a computer or user level and how to drill down through the various settings within. It became second nature to instinctively know where a setting was based on the folder structure, as it basically just made sense.
When Administrative Templates was introduced in Intune back in 2018, I was very excited as this was one of the key areas that was needed in the product. When I covered the release of the feature back at Ignite in 2018 (https://www.scconfigmgr.com/2018/10/17/configure-admx-settings-with-microsoft-intune-administrative-templates/), I signed off by having the following wish list:
- Security Baselines – Originally on my list when creating this blog post, but as you will see from the aforementioned Ignite session, this is going to be catered for
- ADMX Import Facility – To allow for third party ADMX settings to be deployed
- Improved Settings View – The list of settings can be spanned over several pages and for those coming from a systems administration background and being used to GPO’s, the formatting could be improved upon. Perhaps a tree view or a blade style view might prove more navigable
Taking that last item, I felt that the UI didn’t feel like it was something that the majority of seasoned admins would warm to. Sure, if you were just starting out and this was the new world order, then no issue, but for those in the game a bit longer, it felt a bit alien and non-intuitive. The search feature was a good idea, no doubt, but the returned settings were not clear enough as to what was for the user or the computer for instance.
As more and more settings were introduced, the problem I fear got compounded as although the search function worked, it just never was as straightforward as what you had expected when you had been spoilt by the Group Policy Management Console (who would have thought anyone would have said that).
So as we grew from the initial 288 settings to the number of settings/pages returned grew and grew when searching.
Introducing the revamped Administrative Template UI
Today I am extremely pleased to say, a new and improved tree view settings UI went live to tenants all around the globe.
This update provides the most intuitive means for administrators transitioning from GPO’s to manage their now cloud managed devices. It provides a familiar GPO style tree view, while also including a search mechanism. So you are now getting the best of both worlds within the same UI, a GPEditV2.0 if you like.
We can also clearly identify which settings are associated with the computer or the user, just as we did before with GPO, rather than having to read the setting string for each setting.
This of course also makes it easier when planning out deployment of your Administrative Template profiles, as you can create base computer and user profiles just as you would have done in group policy. I prefer that approach compared to the one policy does all, until it breaks, or you need to make changes for subsets of users.
We still of course get settings for the products we had previously:
- Windows 10
- Office 2016
Configuration of the administrative template profile is still as it was before, within the Device Configuration \ Profiles section of the portal. For those of you unfamiliar with this, I’ll step through it here:
- Open the Microsoft Endpoint Manager portal (https://devicemanagement.portal.azure.com/)
- Click on Devices
- Click on Configuration Profiles
- Click on Create Profile
- Select Windows 10 and later as the platform
- Select Administrative Templates as the profile type
- Click Create
- Provide a Name for your profile, then click Next
- Select the settings you wish to apply, then click Next
- If you are using Scope Tags, select these (More information here – https://docs.microsoft.com/en-us/mem/intune/fundamentals/scope-tags)
- Select the users or devices you wish to assign the profile to (as I suggest here, you could create baseline policies which are applied to the device and users separately), then click Next
- Click Create
At this point the portal will start reporting on compliance, once your devices have refreshed their policies.
This marks a great step forward for making the process of moving from on-premise to in-cloud easier for the admin. So hats off to those involved within Microsoft and it is amazing to see that the company listens to the community, its customers and MVP’s to help drive usability and features within their products.
Now an ADMX import button and I have all three items ticked off my initial wish list. No pressure, at all.
Maurice has been working in the IT industry for the past 18 years and is currently working in the role of Senior Cloud Architect with CloudWay. With a focus on OS deployment through SCCM/MDT, group policies, Active Directory, virtualisation and Office 365, Maurice has been a Windows Server MCSE since 2008 and was awarded Enterprise Mobility MVP in March 2017.