Create Deploy Group Policy Using Intune Administrative Template

Let’s learn how to create & deploy Group policy using Intune Administrative Template. We can use Intune Administrative Template for deploying the “Cloud” Group Policy for modern managed devices.

Introduction

Thousands of Group policy settings have been deployed to millions of managed (domain-joined) Windows devices for decades.

Is it better to use the existing Group Policy template admin experience for new modern management scenarios using Intune?

The new Intune Administrative Template is going to give you the same group policy creation admin experience from a modern management perspective. I think this is a good move from Microsoft to get aligned with the “old” admin experience.

As of 25th of March 2019, there are 3430 settings for user and device configuration.

  • 753 Device Configurations
  • 2677 User Configurations

Yes, I agree there are many other improvements, additional settings, clean-up, and parity which we are all looking for.

For a deep dive, see the post List Of Intune Administrative Template Settings | User | Device (List-of-intune-administrative-template-settings/).

I think those are also there in the roadmap for sure. I don’t have any more information to share about that development at this point in time.

You may already notice that some settings are marked as deprecated, and there are many other settings that are duplicated for different purposes.

Example of a Deprecated Setting – [Deprecated] Don’t AutoSave files in Excel

Example of a Duplicate Setting – Access data sources across domains.

Create Intune Administrative Template

Let’s try to create a new Intune Administrative Template using the new admin experience.

Create a Configuration Profile

  • Navigate to Devices -> Windows -> Configuration profiles
  • Click on + Create Profile button
  • From the create a profile blade – select Platform as Windows 10 and Later
  • Select Administrative Template from the profile drop-down menu
  • Click on CREATE button to continue
Administrative Template from the profile – Intune Administrative Template for Group Policy

Basic Settings

  • Let’s configure the Basic settings
    • Enter the Name of Intune Administrative Template – “Windows 10 Device Restrictions”
    • Enter the Description for Administrative template – “Test New Intune Administrative Template – Group Policy Template”
Name and Description – Intune Administrative Template for Group Policy

Configuration Settings

  • Let’s go through the Configuration Settings page (the meat of the configuration)
  • There are two sections in the Configuration Settings blade:
    • Computer Configuration
    • User Configuration
Configuration Settings page (meat of the configuration) – Intune Administrative Template for Group Policy

NOTE! – There is a search option to easily find the settings if you know what you want to configure. There is also an option to sort by Setting Name, State, and Setting Type.

Computer Configuration – Intune Administrative Template for Group Policy

  • Expand the Computer Configuration
  • The following configurations are available under the device-based configs
  • All Settings – the All Settings node shows all the configuration settings underneath Computer Configuration.
  • Control Panel – Control Panel related configurations
  • Microsoft Edge
  • Microsoft Edge – Default Settings (users can override)
  • Microsoft Edge Update
  • Microsoft Office 2016 (Machine)
  • Microsoft PowerPoint 2016 (Machine)
  • MS Security Guide – Examples: Apply UAC restrictions to local accounts on network logins and SMB configurations
  • MSS (Legacy) – Example: MSS: (DisableIPSourceRouting IPv6) IP source routing protection level.
  • Network
  • Printers – Example config – Allow printers to be published
  • Skype for Business 2016
  • System
    • App-V
    • Credentials Delegation
    • Device Installation
    • Early Launch Antimalware
    • Enhanced Storage Access
    • Internet Communication Management
    • Kerberos
    • Logon
    • OneDrive
    • Power Management
    • Remote Assistance
    • Remote Procedure Call
    • Service Control Manager Settings
    • System Restore
  • Windows Components
    • ActiveX Installer Service
    • App runtime
    • AutoPlay Policies
    • Credential User Interface
    • Event Log Service
    • File Explorer
    • Internet Explorer
    • Remote Desktop Services
    • RSS Feeds
    • Windows Error Reporting
    • Windows Logon Options
    • Windows PowerShell
    • Windows Remote Management (WinRM)
    • Windows Remote Shell

NOTE! – This is the initial release of the out-of-box settings. I expect more settings to arrive in the Intune Administrative Template configurations in the coming months. Stay tuned!

More settings coming into Intune Administrative – Intune Administrative Template for Group Policy

Configure System Restore Policy

NOTE! – In this post, I’m going to take an example of a device-based configuration: “Computer Configuration/System/System Restore”.

  • Expand the following folders of the Administrative Template – Computer Configuration -> System -> System Restore
  • Select the configuration called “Turn off System Restore”
  • Select one of the options from the Turn off System Restore blade:
    • Enabled
    • Disabled
    • Not Configured
  • Select Enabled to turn off System Restore on the Windows 10 device.
  • Click OK and then click NEXT to continue

NOTE! – Do NOT worry about the text shown in the Turn Off System Restore blade, something like “Supported on: At least Windows Server 2008 R2 or Windows 7”. I agree there should be a clearer message, and I’m sure Microsoft is working on this type of improvement.

Disable configuring System Restore – Intune Administrative Template for Group Policy

Admin Experience

Enabled – Admin Experience for the New Intune Administrative Template

Scope Tags

This section is to configure scope tags for the Administrative Template profile.

  • Click on + Select Scope Tags
  • Select Tags using SEARCH menu
  • Click on SELECT button
  • Click on NEXT button to continue
Click on + Select Scope Tags – Intune Administrative Template for Group Policy

Assignments

I assign the Administrative Template deployment using Intune as INCLUDE (REQUIRED), so that the “Disable configuring System Restore” setting is applied automatically on enrolled devices.

  • Click on +Select Groups to Include – Add Group
  • Select Azure AD groups using search options
  • After selecting the group, click on the SELECT button to continue
  • Click on NEXT button to continue

NOTE! – You have an option to EXCLUDE groups for Intune Administrative template.

Assignment Option

Metadata Summary

Let’s see the Overview + Create of the Intune administrative template summary!

Summary
  • Name – Windows 10 Device Restrictions
  • Description – Test New Intune Administrative Template – Group Policy Template
  • Configuration settings – Turn off System Restore – Enabled
  • Scope tags – test
  • Assignments
    • Included groups – Device_Group_ACN_MDM
    • Excluded groups –
  • Click on Create button to complete the creation of the Administrative template and deployment of the same.
Review + Create – Intune Administrative Template for Group Policy

Results

Admin Experience

The following screenshot is the admin experience after creating the Intune Administrative Template.

Turn off System Restore – Enabled – Success

End-User Experience

End-User Experience – Intune Administrative Template for Group Policy

Troubleshooting Intune Administrative Template

The troubleshooting method for Administrative Templates is no different from the normal MDM troubleshooting explained in the previous post.

You can search the event logs with the keyword “Restore” (Turn off System Restore – Enabled is the setting used in the section above). The two MDM PolicyManager events below show the policy being set and the change notification being published:

MDM PolicyManager: Set policy string, Policy: (DisableSystemRestore), Area: (System), EnrollmentID requesting merge: (9CACAE5D-8FC2-4C1E-BA1A-A90D7F3D2C62), Current User: (Device), String: (), Enrollment Type: (0x0), Scope: (0x0).
MDM PolicyManager: Dedicated non-cached delayed notification (WNF): (0xA3BC0875, 0xD891E2A) published for Policy: (DisableSystemRestore) in Area (System).
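The same check, scripted for a device you are troubleshooting, as an added example that is not part of the original post. It assumes the MDM PolicyManager events are read from the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin log and that the ADMX-backed Turn off System Restore policy lands in the DisableSR value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore; run it in an elevated PowerShell session on the enrolled device.

```powershell
# Added example (not from the original post): confirm the "Turn off System Restore"
# Administrative Template setting reached a Windows 10 device.
param(
    [string]$Keyword = 'DisableSystemRestore',   # policy name shown in the log lines above
    [int]$MaxEvents = 2000
)

# Assumption: MDM PolicyManager events live in this diagnostics log.
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# 1. Pull recent MDM diagnostics events and keep the PolicyManager ones mentioning the keyword.
$events = Get-WinEvent -LogName $logName -MaxEvents $MaxEvents -ErrorAction Stop |
    Where-Object { $_.Message -match 'MDM PolicyManager' -and
                   $_.Message -match [regex]::Escape($Keyword) }

# 2. Parse Policy, Area and EnrollmentID out of each message, e.g.
#    "Set policy string, Policy: (DisableSystemRestore), Area: (System), EnrollmentID ...: (GUID)"
$parsed = foreach ($e in $events) {
    $policy = [regex]::Match($e.Message, 'Policy: \((?<v>[^)]+)\)').Groups['v'].Value
    $area   = [regex]::Match($e.Message, 'Area:? \((?<v>[^)]+)\)').Groups['v'].Value
    $enroll = [regex]::Match($e.Message, 'EnrollmentID[^:]*: \((?<v>[^)]+)\)').Groups['v'].Value
    [pscustomobject]@{
        Time         = $e.TimeCreated
        EventId      = $e.Id
        Policy       = $policy
        Area         = $area
        EnrollmentID = $enroll
    }
}
$parsed | Sort-Object Time | Format-Table -AutoSize

# 3. Confirm the effective policy value in the registry (DisableSR = 1 means System Restore is off).
# Assumption: this is the registry location the ADMX-backed policy writes to.
$regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$value = (Get-ItemProperty -Path $regPath -Name DisableSR -ErrorAction SilentlyContinue).DisableSR
if ($value -eq 1) {
    Write-Output 'DisableSR = 1: the Intune Administrative Template setting is in effect.'
} elseif ($null -eq $value) {
    Write-Output 'DisableSR not present: the policy has not been applied yet (check MDM sync).'
} else {
    Write-Output "DisableSR = $value: unexpected value, look for a conflicting policy source."
}
```

If step 2 shows the Set policy event but step 3 finds no DisableSR value, the device received the policy from Intune but the ADMX mapping did not land, which points at the CSP side rather than at the assignment.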
