THR3073: Group Policy in MDM: Dealing with ADMX backed policies. Raymond Comvalius, IT Infrastructure Architect. 9/13/2018. © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Raymond Comvalius - www.nextxpert.com: Independent trainer/architect since 1998; Most Valuable Professional (MVP); Microsoft Certified Trainer (MCT); author of “Windows 7 for XP Professionals”.
What are ADMX backed policies about? Microsoft is NOT moving away from Modern Management. Check with MMAT what you can manage with MDM.
Why ADMX Backed Policies? ADMX backed policies let you manage certain Group Policy settings from Mobile Device Management: no Group Policy Objects; no Group Policy Service; with the Group Policy template; backed by MDM and CSP.
MDM and CSP? Mobile Device Management policies are executed by a Configuration Service Provider (CSP). The Policy CSP handles ADMX backed policies. GroupPolicySvc is NOT involved. OMA-URI prefixes: ./Device/Vendor/MSFT/Policy/Config/ and ./User/Vendor/MSFT/Policy/Config/
What policies can you manage? Check the list here. Current total of 367 settings: a lot of Internet Explorer (251), App-V, Remote Management, and a little bit of the rest.
Configuring an ADMX backed policy in Intune
Policy without options: Look up the policy in the Policy CSP. Create a Custom Policy in Intune. OMA-URI: ./User/Vendor/MSFT/Policy/Config/CredentialsUI/DisablePasswordReveal; Data type: String; Value: <enabled/>
Policy with options – step 1: Look up the policy in the Policy CSP. Take note of: GP English Name, GP Name, GP ADMX File Name, GP Path.
Policy with options – step 2: Copy information from the ADMX. Locate the policy and copy any of the following: text id, list id, boolean id, enum id. All these become data id fields in the XML data payload.
Create Intune Policy – step 3: OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses; Data type: String; Value: <enabled/> <data id="DeviceInstall_Classes_Deny_List" value="{6bdd1fc6-810f-11d0-bec7-08002be2092f}"/> <data id="DeviceInstall_Classes_Deny_Retroactive" value="1"/>
XML encoding: Depending on the MDM solution in use, you may have to XML encode the Data part of the setting. Intune does not require encoding. XML: <enabled/>; Encoded XML: &lt;enabled/&gt;; CData: <![CDATA[<enabled/>]]>
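Steps 1 to 3 and the encoding variants above, as an added example that is not part of the original deck: a Python helper that reads the element ids of one policy from an ADMX fragment, builds the Value string, and returns it as plain XML, encoded XML or CDATA. The ADMX fragment, its policy name and namespace, and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Constructed ADMX fragment (not copied from a shipped .admx file); the ids
# match the slide's example, the policy name and namespace are assumptions.
SAMPLE_ADMX = """<policyDefinitions xmlns="urn:example:admx">
  <policies>
    <policy name="DeviceInstall_Classes_Deny" class="Machine">
      <elements>
        <list id="DeviceInstall_Classes_Deny_List"/>
        <boolean id="DeviceInstall_Classes_Deny_Retroactive"/>
      </elements>
    </policy>
  </policies>
</policyDefinitions>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def element_ids(admx_text, policy_name):
    """Step 2: map each element id of one policy to its kind (text, list, ...)."""
    for node in ET.fromstring(admx_text).iter():
        if local(node.tag) == "policy" and node.get("name") == policy_name:
            return {el.get("id"): local(el.tag)
                    for parent in node if local(parent.tag) == "elements"
                    for el in parent if el.get("id")}
    raise KeyError(f"policy {policy_name!r} not found in ADMX")

def build_payload(ids, values):
    """Step 3: build the Value string; reject ids the ADMX does not define."""
    unknown = sorted(set(values) - set(ids))
    if unknown:
        raise ValueError(f"data id not in ADMX: {unknown}")
    data = "".join(f"<data id={quoteattr(k)} value={quoteattr(v)}/>"
                   for k, v in values.items())
    return "<enabled/>" + data

def encode_for_mdm(payload, mode="raw"):
    """Return the payload as plain XML, entity-encoded XML, or CDATA."""
    if mode == "raw":
        return payload
    if mode == "encoded":
        return escape(payload, {'"': "&quot;"})
    if mode == "cdata":
        if "]]>" in payload:
            raise ValueError("payload contains ']]>'; it cannot sit in one CDATA section")
        return f"<![CDATA[{payload}]]>"
    raise ValueError(f"unknown mode {mode!r}")
```

Rejecting unknown data ids before upload catches a mistyped id at authoring time instead of at device check-in.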
Demo ADMX Backed Policies in Intune
Summary: ADMX backed policies are only available for a subset of Group Policies. Deployment is rather complex and painful. 3rd party MDMs may require XML conversion. This will not replace all Group Policies. More information: Understanding ADMX-backed policies