Are you ready to move Group Policy management to Intune?

by | Apr 13, 2021 | Collaboration

With the modern workforce becoming increasingly remote, many enterprises are looking to transition device management provided by group policy to a cloud solution. Active Directory Group Policy contains tens of thousands of settings providing very granular control when managing and securing Windows clients and applications. The problem is there are no group policies in Azure AD. The good news is Microsoft Intune has configuration profiles with built-in Administrative Templates and settings that may contain the group policy settings you require.

How do I know if my Group Policy settings can be deployed by Intune? 

Microsoft Endpoint Manager (aka Intune) can evaluate your group policies to determine if they can be translated to the cloud:

  • Export your GPO settings from your group policy management console. Right click a GPO and select “Save Report…” as XML file type

  • Go to your Microsoft Endpoint Management console: Devices > Group Policy analytics (preview) >  Import

  • Import the XML files you exported from the GPAC. 

Now you can view which GPO settings can be translated into Intune configuration profiles.  Click the MDM Support percentage value to view the specific settings that can or cannot be translated.

Some group policy settings have ADMX support and can be configured using Intune.

Not all group policy settings are supported, but Intune may have cloud appropriate settings for the same component.

Intune contains many settings that can be configured right out of the box

Administrative Templates are built into Intune, and don’t require any customizations, including using OMA-URI. As part of your mobile device management (MDM) solution, use these template settings as a one-stop shop to manage your Windows 10 devices.

The Settings catalog is in preview and lists the settings you can configure, all in one place. This feature simplifies how you create a profile, and how you see all the available settings. Use the settings catalog as part of your mobile device management (MDM) solution to manage and secure devices in your organization.

For example, we can create a Windows 10 Firewall profile:
Go to Microsoft Endpoint Management console
Devices > Configuration profiles > + Create profile
Platform – Windows 10 and later
Profile type – Settings catalog (preview)

Basics > Name – Windows 10 Firewall

Next: Configuration settings > +Add settings

Select the Firewall category and enable the desired settings

 

Intune can also deploy group policy settings that are not included out of the box, using a procedure called ADMX file ingestion. 

For example, if we want to replicate the GPO setting “Prevent Microsoft Teams from starting automatically after installation” with Intune:

Go to the Microsoft Endpoint Management console and create a Configuration profile
Devices > Configuration profiles > + Create profile
Platform – Windows 10 and later
Profile type – Templates
Template name – Custom
Next

Basics > Name – Disable Teams Autostart

Next – Download the teams ADMX file from Administrative Template files (ADMX/ADML) and Office Customization Tool for Microsoft 365 Apps for enterprise, Office 2019, and Office 2016
Download Administrative Template files (ADMX/ADML) and Office Customization Tool for Microsoft 365 Apps for enterprise, Office 2019, and Office 2016 from Official Microsoft Download Center

Open teams16.admx with a text editor such as notepad++

To ingest an ADMX file, we must use the following OMA-URI format:
./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{AdmxFileName}
OMA-URI stands for Open Mobile Alliance Uniform Resource Identifier
AppName – This should be the name of the application “Teams16”
SettingType – This will be “Policy” when doing ADMX ingestion
ADMXFileName – Can be anything, such as “Teams16ADMX”, but the meaning should be obvious to your peers

From the Microsoft Endpoint Management console go to:
Devices > Configuration profiles > + Create Profile
Platform: Windows 10 and later
Profile type: Templates > Custom
Basics – Name: Teams
Configuration settings > Add
Name: Teams ADMX Ingestion
OMA-URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Teams16/Policy/Teams16ADMX
Data type: String
Value: paste in the text of the teams16.admx file you opened with your text editor

Now let’s build the setting OMA-URI for our custom profile:
The settings OMA-URI must use the following format:
./User|Device/Vendor/MSFT/Policy/Config/{AppName}~{SettingType}~{CategoryPathFromADMX}/{SettingFromADMX}

We can fill in the some of the variables from information found in the ADMX file.
The class is “User” and is found in the ADMX file
The AppName “Teams16” will be the same name we used in our ADMX ingestion OMA-URI
The setting type “Policy” is the same as used in our ADMX ingestion OMA-URI
The category “L Teams” is found in the ADMX file
The value will be “<enabled/>”
The complete setting OMA-URI will look like this:
./User/Vendor/MSFT/Policy/Config/ Teams16~ Policy ~L_Teams/ Teams_PreventFirstLaunchAfterInstall_Policy

Teams16.admx:
<?xml version=”1.0″ encoding=”utf-16″?>
<policyDefinitions revision=”1.0″ schemaVersion=”1.0″>
<policyNamespaces>
<target prefix=”Teams” namespace=”Teams.Office.Microsoft.Policies.Windows” />
<using prefix=”windows” namespace=”Microsoft.Policies.Windows” />
</policyNamespaces>
<resources minRequiredRevision=”1.0″ />
<categories>
<category name=”L_Teams” displayName=”$(string.L_Teams)” />
</categories>
<policies>
<policy name=”Teams_PreventFirstLaunchAfterInstall_Policy” class=”User”
displayName=”$(string.String_Teams_PreventFirstLaunchAfterInstall_Policy)”
explainText=”$(string.String_Explain_Teams_PreventFirstLaunchAfterInstall_Policy)”
key=”software\policies\microsoft\office\16.0\teams”
valueName=”preventfirstlaunchafterinstall”>
<parentCategory ref=”L_Teams” />
<supportedOn ref=”windows:SUPPORTED_Windows7″ />
<enabledValue>
<decimal value=”1″ />
</enabledValue>
<disabledValue>
<decimal value=”0″ />
</disabledValue>
</policy>
<policy name=”String_Teams_SignInRestriction_Policy” class=”User”
displayName=”$(string.String_Teams_SignInRestriction_Policy)”
explainText=”$(string.String_Explain_Teams_SignInRestriction_Policy)”
presentation=”$(presentation.Teams_SignInRestriction_Policy)”
key=”software\policies\microsoft\office\16.0\teams”>
<parentCategory ref=”L_Teams” />
<supportedOn ref=”windows:SUPPORTED_Windows7″ />
<elements>
<text id=”RestrictTeamsSignInToAccountsFromTenantList”
valueName=”restrictteamssignintoaccountsfromtenantlist” required=”true” />
</elements>
</policy>
</policies>
</policyDefinitions>

So, putting it all together…
Add a configuration setting to our “Disable Teams Autostart” profile
Name: Teams-preventfirstlaunchafterinstall
OMI-URI:
./User/Vendor/MSFT/Policy/Config/Teams16~Policy~L_Teams/Teams_PreventFirstLaunchAfterInstall_Policy
Data type: String
Value: <enabled/>

After the profile is assigned, test and verify the setting is correctly applied in the registry.

Windows 10 cloud only management is becoming a reality with Microsoft Endpoint Manager. Need more information? Email info@peters.com. We are happy to help.