Let’s learn how to create and deploy Group Policy settings using an Intune Administrative Template. Intune Administrative Templates deliver “cloud” Group Policy (ADMX-backed settings) to modern managed devices, without a domain controller or a GPO.
Thousands of Group policy settings have been deployed to millions of managed (domain-joined) Windows devices for decades.
Is it better to use the existing Group Policy template admin experience for new modern management scenarios using Intune?
The new Intune Administrative Template gives you the same Group Policy creation admin experience from a modern management perspective. I think this is a good move from Microsoft to align with the “old” admin experience.
As of 25th of March 2019, there are 3430 settings for user and device configuration.
753 Device Configurations
2677 User Configurations
Yes, I agree there are many other improvements, additional settings, clean-up, and parity which we are all looking for.
For a deep dive, see the List of Intune Administrative Template Settings | User | Device post – List-of-intune-administrative-template-settings/
I think those are also there in the roadmap for sure. I don’t have any more information to share about that development at this point in time.
You may already notice that some settings are marked as deprecated, and there are many other settings that are duplicates used for different purposes (the same setting name appearing under more than one category, or under both Computer and User configuration).
Example of a deprecated setting – [Deprecated] Don’t AutoSave files in Excel
Example of a duplicate setting – Access data sources across domains.
Create Intune Administrative Template
Let’s try to create a new Intune Administrative Template using the new admin experience.
- Log in to the Intune portal – https://devicemanagement.microsoft.com/
Create a Configuration Profile
- Navigate to Devices -> Windows -> Configuration profiles
- Click on + Create Profile button
- From the create a profile blade – select Platform as Windows 10 and Later
- Select Administrative Template from the profile drop-down menu
- Click on CREATE button to continue
- Let’s configure the Basic settings
- Enter the Name of Intune Administrative Template – “Windows 10 Device Restrictions”
- Enter the Description for Administrative template – “Test New Intune Administrative Template – Group Policy Template”
- Let’s go through the Configuration Settings page (meat of the configuration)
- There are two sections herein Configuration Settings blade
- Computer Configuration
- User Configuration
NOTE! – There is a search option to easily find a setting if you know what you want to configure. There is also an option to sort by Setting Name, State, and Setting Type.
Computer Configuration – Intune Administrative Template for Group Policy
- Expand the Computer Configuration
- The following categories are available under the device-based (Computer Configuration) settings
- All Settings – All Systems node shows all the configuration settings underneath the Computer Configuration.
- Control Panel – Control Panel related configurations
- Microsoft Edge
- Microsoft Edge – Default Settings (users can override)
- Microsoft Edge Update
- Microsoft Office 2016 (Machine)
- Microsoft PowerPoint 2016 (Machine)
- MS Security Guide – Examples: Apply UAC restrictions to local accounts on network logins and SMB configurations
- MSS (Legacy) – Example: MSS: (DisableIPSourceRouting IPv6) IP source routing protection level.
- Printers – Example config – Allow printers to be published
- Skype for Business 2016
- Credentials Delegation
- Device Installation
- Early Launch Antimalware
- Enhanced Storage Access
- Internet Communication Management
- Power Management
- Remote Assistance
- Remote Procedure Call
- Service Control Manager Settings
- System Restore
- Windows Components
- ActiveX Installer Service
- App runtime
- AutoPlay Policies
- Credential User Interface
- Event Log Service
- File Explorer
- Internet Explorer
- Remote Desktop Services
- RSS Feeds
- Windows Error Reporting
- Windows Logon Options
- Windows PowerShell
- Windows Remote Management (WinRM)
- Windows Remote Shell
NOTE! – This is the initial release of the out-of-the-box settings. I think more settings will come to the Intune Administrative Template configuration in the coming months! Stay tuned!
Configure System Restore Policy
NOTE! – In this post, I’m going to take an example of Device-based configuration- “Computer Configuration/System/System Restore “
- Expand the following folders of the Administrative Template – Computer Configuration -> System -> System Restore
- Select the setting called “Turn off System Restore”
- Select one of the states in the Turn off System Restore blade:
- Not Configured
- Enabled – note that enabling this policy turns System Restore off on the Windows 10 device, so the policy name reads the opposite way from the result
- Click OK and click on NEXT to continue
NOTE! – Do NOT worry about the text in the Turn off System Restore blade that says something like “Supported on: At least Windows Server 2008 R2 or Windows 7”. That text is carried over from the ADMX definition and only tells you the minimum OS the setting has existed on; it does not mean the setting is unsupported on Windows 10. I agree there should be a clearer message, and I’m sure Microsoft is working on this type of improvement.
- Enabled – Admin Experience for New Intune Administrative Template
This section is to configure scope tags for the Administrative Template profile (scope tags control which Intune admin roles can see and manage this profile; they do not affect which devices receive it).
- Click on + Select Scope Tags
- Select Tags using SEARCH menu
- Click on SELECT button
- Click on NEXT button to continue
I assign the Administrative Template by INCLUDING an Azure AD group (a required assignment), so that the “Turn off System Restore – Enabled” setting is applied automatically to the enrolled devices in that group.
- Click on +Select Groups to Include – Add Group
- Select Azure AD groups using search options
- After selecting the group, click on the SELECT button to continue
- Click on NEXT button to continue
NOTE! – You also have the option to EXCLUDE groups from the Intune Administrative Template assignment.
Let’s see the Overview + Create of the Intune administrative template summary!
Summary
- Name – Windows 10 Device Restrictions
- Description – Test New Intune Administrative Template - Group Policy Template
- Configuration settings – Turn off System Restore: Enabled
- Scope tags – test
- Assignments – Included groups: Device_Group_ACN_MDM; Excluded groups: none
- Click on Create button to complete the creation of the Administrative template and deployment of the same.
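The same profile can be created without the portal. The following is an added example (not code from the original post) that performs the steps above through the Microsoft Graph beta API with the Microsoft.Graph PowerShell SDK: look up the ADMX definition, create the Administrative Template profile, set “Turn off System Restore” to Enabled, and assign it to a group. It assumes the SDK is installed, an admin account with the DeviceManagementConfiguration.ReadWrite.All permission, that `$GroupId` is replaced with your own Azure AD group object ID, and that `$filter` on `displayName` and `classType` is accepted by the `groupPolicyDefinitions` endpoint (if not, page through the definitions and filter client-side).

```powershell
# Added example (not from the original post): build the "Windows 10 Device Restrictions"
# Administrative Template via Microsoft Graph (beta) instead of clicking through the portal.
# Assumptions: Microsoft.Graph PowerShell SDK installed; DeviceManagementConfiguration.ReadWrite.All;
# $GroupId is a placeholder you must replace with your Azure AD group object ID.
#Requires -Modules Microsoft.Graph.Authentication

$GroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace before running
$Beta    = 'https://graph.microsoft.com/beta'

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# 1. Find the ADMX definition. classType 'machine' selects the Computer Configuration
#    copy, because some setting names exist under both Computer and User configuration.
$filter = "displayName eq 'Turn off System Restore' and classType eq 'machine'"
$defs = Invoke-MgGraphRequest -Method GET -Uri ("$Beta/deviceManagement/groupPolicyDefinitions?`$filter=" +
                                                [uri]::EscapeDataString($filter))
if (@($defs.value).Count -ne 1) { throw "Expected exactly one definition, got $(@($defs.value).Count)" }
$def = @($defs.value)[0]
Write-Host "Definition: $($def.categoryPath)\$($def.displayName) (id $($def.id))"

# 2. Create the profile (the Basics page in the portal).
$config = Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
    -Uri "$Beta/deviceManagement/groupPolicyConfigurations" -Body @{
        displayName = 'Windows 10 Device Restrictions'
        description = 'Test New Intune Administrative Template - Group Policy Template'
    }

# 3. Set "Turn off System Restore" to Enabled (the Configuration settings page).
#    "Not configured" would simply mean no definitionValue for this definition.
Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
    -Uri "$Beta/deviceManagement/groupPolicyConfigurations/$($config.id)/definitionValues" -Body @{
        enabled = $true
        'definition@odata.bind' = "$Beta/deviceManagement/groupPolicyDefinitions('$($def.id)')"
    } | Out-Null

# 4. Assign to the device group (the Assignments page, "Included groups").
#    To exclude a group instead, use '#microsoft.graph.exclusionGroupAssignmentTarget'.
Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
    -Uri "$Beta/deviceManagement/groupPolicyConfigurations/$($config.id)/assign" -Body @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
        )
    } | Out-Null

# 5. Read it back, the equivalent of the "Review + create" summary.
$values = Invoke-MgGraphRequest -Method GET `
    -Uri "$Beta/deviceManagement/groupPolicyConfigurations/$($config.id)/definitionValues?`$expand=definition"
foreach ($v in $values.value) {
    Write-Host ("Setting: {0} -> {1}" -f $v.definition.displayName, $(if ($v.enabled) { 'Enabled' } else { 'Disabled' }))
}
$assign = Invoke-MgGraphRequest -Method GET `
    -Uri "$Beta/deviceManagement/groupPolicyConfigurations/$($config.id)/assignments"
foreach ($a in $assign.value) {
    Write-Host ("Assignment: {0} -> group {1}" -f $a.target.'@odata.type', $a.target.groupId)
}
```

Scope tags are not set here, so the profile gets the Default tag; add a `roleScopeTagIds` array to the step 2 body if you need the equivalent of the Scope tags page.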
The following screenshot is the admin experience after creating the Intune Administrative Template.
Troubleshooting Intune Administrative Template
The troubleshooting method for Administrative Templates is no different from normal MDM troubleshooting, explained in the previous post.
On the device, open the MDM diagnostic event log (Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> DeviceManagement-Enterprise-Diagnostics-Provider -> Admin) and search the event text for the keyword “Restore” (“Turn off System Restore – Enabled” is the setting used in the section above). The ADMX setting shows up under its Policy CSP name, DisableSystemRestore in the System area, rather than under the Group Policy display name:
MDM PolicyManager: Set policy string, Policy: (DisableSystemRestore), Area: (System), EnrollmentID requesting merge: (9CACAE5D-8FC2-4C1E-BA1A-A90D7F3D2C62), Current User: (Device), String: (), Enrollment Type: (0x0), Scope: (0x0).
MDM PolicyManager: Dedicated non-cached delayed notification (WNF): (0xA3BC0875, 0xD891E2A) published for Policy: (DisableSystemRestore) in Area (System).
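To check the result end to end rather than only by eye in Event Viewer, the following added example (my own script, not from the original post) inspects the three places the setting leaves a trace on an enrolled Windows 10 device: the PolicyManager registry node the MDM client maintains, the Policies registry hive that the ADMX-backed setting writes to (the same location SystemRestore.admx writes when applied by classic Group Policy, value DisableSR), and the MDM diagnostic event log. It assumes an elevated PowerShell session on the device and that the policy was delivered in the last day; adjust `$since` otherwise.

```powershell
# Added example (not from the original post): verify that "Turn off System Restore" delivered
# as an Intune Administrative Template actually arrived and took effect on this device.
# Assumption: run elevated on the enrolled Windows 10 device.

$area   = 'System'
$policy = 'DisableSystemRestore'   # Policy CSP name shown in the MDM event above
$since  = (Get-Date).AddDays(-1)   # how far back to look in the event log

# 1. PolicyManager view: what the MDM client believes it has applied for this area/policy.
$pmKey = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$area"
$pm = Get-ItemProperty -Path $pmKey -Name $policy -ErrorAction SilentlyContinue
if ($pm) {
    Write-Host "PolicyManager $area/$policy = $($pm.$policy)"
} else {
    Write-Host "PolicyManager $area/$policy not present: policy has not reached this device yet"
}

# 2. Effective policy view: ADMX-backed MDM settings land in the same Policies hive that
#    Group Policy would write, so the classic registry check still works.
$gpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$gp = Get-ItemProperty -Path $gpKey -Name DisableSR -ErrorAction SilentlyContinue
if ($gp -and $gp.DisableSR -eq 1) {
    Write-Host 'Effective state: System Restore is turned OFF by policy (DisableSR = 1)'
} elseif ($gp) {
    Write-Host "Effective state: DisableSR = $($gp.DisableSR) (policy present but not enabling the restriction)"
} else {
    Write-Host 'Effective state: no DisableSR policy value, System Restore is not restricted by policy'
}

# 3. Event log evidence from the MDM diagnostic channel, filtered to this policy name.
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$policy*" }
if ($events) {
    $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ') } } |
        Format-Table -AutoSize -Wrap
} else {
    Write-Host "No events mentioning $policy in $log since $since (try a device sync, then re-run)"
}

# 4. One-line verdict: all three sources should agree once the profile has applied.
$applied = ($pm -and $gp -and $gp.DisableSR -eq 1 -and $events)
Write-Host ("Verdict: " + $(if ($applied) { 'policy delivered and enforced' } else { 'policy not fully applied, see details above' }))
```

If step 1 shows the value but step 2 does not, the device is usually also domain joined and a conflicting Group Policy is winning; the MDM-side fix for that is the ControlPolicyConflict/MDMWinsOverGP policy, which is a separate Policy CSP setting and not part of this profile.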