MDM & GP Tips Blog

Mar 2019
05

The Original Co-Management Model of SCCM and Intune Hybrid

Long, long ago, well, actually not so long ago, there were two worlds.  There was the on-prem world and the mobile world, and the two would never become one, until of course they did one day.  Up until Windows 10 version 1607, a device could either be on premise AD or Azure AD.  This made sense at the time.  Back then, MDM enrolled machines was pretty much restricted to mobile devices as administrators wanted the extensive management control that Group Policy or SCCM provided them for enterprise desktops. Mobile devices were better served in the cloud and outside of device resets and remote wipe capabilities, there wasn’t much you could do with MDM early on.

It wasn’t thought a good idea at the time to have settings delivered from multiple sources.  In order to prevent that from happening, devices were blocked from the ability to simultaneously register with SCCM and Intune at the same time.  In fact, the activation of the SCCM client on a Windows device automatically disabled any built-in MDM capabilities.  Devices were segregated to one or the other.

If your company’s IT staff had separated SCCM administrators and mobile device administrators, then everything was fine.  But if you had to manage both desktops and tablets, you had to switch back and forth between the Configuration Manager console and the MDM console.  So Microsoft set about to integrate Configuration Manager with Intune with what was called “hybrid configuration” so that both on-prem and mobile devices could be managed from the same console.  Co-management between the two was born.  Note that Intune was the only MDM supported in this scenario.  The merging of these two platforms is illustrated below.

But as in everything, things change.  Microsoft put more focus into MDM as time went on, and as a result, more setting capabilities and features were built into Intune.  Organizations also started recognizing the value of migrating more computers to the cloud than just mobile devices.  Microsoft also began figuring out that it was in their interest to encourage customers to move to the cloud.  Because of these and other factors, the usefulness of allowing devices to co-exist in both on-prem AD and Azure AD was realized.  Starting with 1607, computers could be a part of both at the same time.  Then came 1709 in which the SCCM client could now run on a device without its MDM capabilities being disabled.  This made it possible for a computer to receive setting input from both sources.  This signaled the end of Hybrid MDM.  In August of 2018, Hybrid MDM became a deprecated feature and Microsoft began blocking the registering of new Hybrid MDM customers in November of the same year. 

Jan 2019
25

Creating ADMX-backed policies is hard in Intune. Here's some guides to help you.

I have to admit... making a simple registry change in Intune can be ... difficult. 

The Administrative Templates function is nice, for those (under 300 settings) that support them. 

But for the rest of the simple settings ... you might have hand-create custom OMA-URIs and usin ADMX backed policies to do it.

Here are some others' great guides to help you "follow the leaders" and convert your ADMX and/or use an ADMX-backed policy:

Those resources, show how to tear into an ADMX and ADML file and create a more complex ADMX-backed policy:

  • https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies
  • https://docs.microsoft.com/en-us/windows/client-management/mdm/enable-admx-backed-policies-in-mdm
  • https://www.petervanderwoude.nl/post/allow-users-to-connect-remotely-to-this-computer-via-windows-10-mdm-admx-style/
  • https://www.petervanderwoude.nl/post/deep-dive-configuring-windows-10-admx-backed-policies/
  • http://carlbarrett.uk/admx-backed-policies-quickish-reference-guide
  • http://thesccm.com/use-intune-policy-csp-manage-windows-10-settings-internet-explorer-site-to-zone-assignment-list/

 

Jan 2019
22

Office 2016 ADMX templates, seemingly broken for Outlook ADMX

I got a tip from Pat DiPersia at www.dipersiatech.com and Susan Bradley, MVP about this one.

In short, I tested it myself, but the latest Office 2016 ADMX files seem to have got a messed up XML tag, rendering the Outlook policy useless. I tested both the 32 and 64 bit templates. They both have problems with Outlook.

I've reached out to report this issue.

At least now you know if you're trying it yourself... you're not crazy !

The error when adding to your Policy store looks like this after you click on Admin Templates.

TIP:

The issue is the /policies closing tag is before the final /policy closing tag.  Looks like someone added a policy after the fact, and didn’t put it in the right spot.  The /policies tag on line 6285, should be on line 6296 (Followed by /policydefinitions.) See screenshot below.

Jan 2019
17

Intune’s new ADMX and Admin Template Support

This week an Intune feature I have been playing with for a while has finally gone live for Preview.
It’s called “Administrative Templates” and … oh wow, that sounds a lot like Group Policy Administrative Templates, and, oh yes. You’re right… mostly.

Now, before you go bananas saying “Jeremy, clearly Intune now has total Group Policy support!” Or, worse, beat the old trope that “Group Policy must be dead.”

As anything new, it’s worth investigation and to ensure it does what you think it’s going to do.

Let’s talk about the good stuff first !

So, to set the stage, you have to first understand what ADMX backed settings are within Intune / MDM.
It starts with the idea that some settings which are curated by the MDM team. Now, this is weird so stick with me. Because the MDM team is not the Intune team.
You can think of the MDM team as the “receiving platform” which decides upon the settings within the platform.

You can think of the Intune team as “expressing” those settings with knobs and buttons. And this is because Intune isn’t the only MDM game in town; for instance, VMware Workspace one, MobileIron, SOTI and others.

So, these ADMX-backed settings are, as you can imagine, real Group Policy settings which are supported by the target application, say, Explorer or Office.

But these settings are curated by the MDM team as “guaranteed to work and supported as such.”

If you want to see the official docs on Administrative Templates feature you can find it here: https://docs.microsoft.com/en-us/intune/administrative-templates-windows
Here’s the best part from the docs:

These templates are similar to group policy (GPO) settings in Active Directory (AD), and are ADMX-backed settings that use XML. But, the templates in Intune are 100% cloud-based. They offer a more simple and straight-forward way to configure the settings, and find the settings you want.

This is really nice. What’s not to like? Indeed, if you wanted to achieve these ADMX-backed settings before this feature came to be, you needed to know how to perform the dark arts of custom OMA-URI (a different topic for a different day.) Now, with Administrative Templates in Intune, for all those settings, those values are just click and go. +1 for that !

If you look at the docs, you’ll see the following line:

The administrative templates include hundreds of settings that control features in Internet Explorer, Microsoft Office programs, remote desktop, access to OneDrive, use a picture password or PIN to sign in, and more.

The key word here is hundreds. Why is it hundreds, and not thousands or “all”?

Well, you need to go back to something I said earlier. All settings in MDM (and by extension, Intune) are curated. Each setting must be vetted to work as expected and then guaranteed by the MDM platform.

Also, at last count the number of exposed Administrative Template settings is 237. (Note: I did not re-count it before publishing this; the number could have gone up somewhat.). As the docs state, most of the settings seem to revolve around Office, OneDrive, Internet Explorer, and a handful of system settings.

As such you will likely see this list grow over time, but my understanding is that this is not meant to overtake or subsume all existing Group Policy settings.
If you are looking for a setting which doesn’t exist in Intune.. either a native clickable one or via Administrative Templates, don’t despair or throw in the towel, yet.

If you want to make any real Group Policy, Group Policy Security and/or Group Policy Preference setting work thru Intune, you need to enhance Intune with a 3rd party tool. Here's a video for how it's done. An equallty effective option is to use this other 3rd party option, which works with MDM or whenever there is no MDM present.

Let’s talk about what’s missing, last.

If you get a chance to play with this feature, click upon Intune | Device Configuration | Profiles | Create Profile and select Administrative Templates (Preview) like what’s seen here.

Then under Settings, you will see the list of Administrative Template settings like what’s seen here.
Top of the page…

Bottom of page….

At the top of the page begins an alphabetical list of the curated ADMX policy settings and a Search (Filter) bar.
So, if you wanted to quickly search of OneDrive, you can find those settings.
But what you cannot do, like Group Policy, is see these settings hierarchical.

I can see both sides of this; this flat view reduces clutter. But my preference would be to see the settings hierarchical, so I could maybe find related settings around the primary setting I’m searching for.

Summary about Admin Templates in Intune

In summary, Administrative Templates a nice step forward in Intune. Just know that it’s not designed to attempt to take on all of Group Policy settings, but be on the lookout for increased coverage over the long haul as new interesting scenarios pop-up.

Jan 2019
07

Cortana now quiet with Windows OOBE except for Windows Home (important for Autopilot)

Starting in Windows build 18309, Cortana doesn't start talking "at you."... unless you're using Windows Home.

Why is this important? Well, check out this (hysterical) video for why not ...

https://youtu.be/Rp2rhM8YUZY

Before this you had to set a registry key. I've updated the Microsoft docs to reflect the change. :-)

https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/cortana-voice-support 

Dec 2018
19

Why you can use LAPS and banish logging on as Domain Admin when doing remote help

So, okay.. you don't want to log on with your Domain Admin credentials to Mr. End User's machine.

Doing so increases the risk of Pass the Hash attacks.

My pal Aaron Margosis from Microsoft shows how you can use Group Policy to block logins from anyone EXCEPT local admins.

AND, because you're using LAPS to maintain local admin passwords, only that account can log on.

Brilliant.

Here's the blog entry to increase your security:

https://blogs.technet.microsoft.com/secguide/2018/12/10/remote-use-of-local-accounts-laps-changes-everything/

 

Dec 2018
11

What is ADMX File Ingesting in Intune?

What is ADMX File Ingesting in Intune?

 

We’ve talked about how Intune has incorporated ADMX backed policies to manage even more settings in your Windows 10 devices.  But what if you want to deliver settings that aren’t part of the “in the box” policies from Microsoft.  Well, if you are familiar with Group Policy, then you are aware that you can garner more policy setting opportunities by importing new ADM or ADMX files.  For instance, Microsoft Office has an ADMX file as does other third party applications such as Adobe Reader and to some extent, Mozilla Firefox.   Well you can import additional ADMX files for MDM as well, although its currently not as easy as there is no central store for MDM like is the case for Group Policy.  There is no way (at present) to add additional ADMX templates with a couple clicks of the mouse, but with just a little bit of trouble, you can do it.

The process of importing ADM or ADMX files into MDM is called “ingesting.”  The ingesting process goes like this:

  • We create a Custom Windows 10 policy
  • We ingest the custom ADMX through the Policy CSP
  • We apply the settings we want to enforce

So how do we ingest an ADMX file?  Well, in this case, ingesting means copy/paste.  You obtain the ADMX file you need and then open it in some type of editor such as Notepad.  For this example, I’m going to use the OneDrive.admx file.  I’m not going to show what the entire file looks like in Notepad, but here is what the first part of it looks like:


    
As discussed earlier, creating a custom policy means creating a Custom OMA-URI.  To ingest an ADMX file we must use the following format:

./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{AdmxFileName}. 

I don’t want to get into the boring details concerning the naming of these variables.  Just follow the basic guideline that you should assign the (setting type) variable as “policy” and the other two variables should be meaningful names such as the actual name of the App and the actual name of the ADMX file.  You can name them anything you want actually but its always best to use names that are intuitive for other personnel.  In the case of our OneDrive ADMX example, that would translate to this:

./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/OneDrive/Policy/OneDriveAdmx

As you mentioned, copy the entire contents of the opened ADMX file in Notepad and paste it into the value text box as shown below:

Once the new profile is created, we can then use it to deliver the new supported settings using that profile.   

Dec 2018
07

Azure and Intune Assigned Groups (and how Groups are related to Intune)

One of the principles of proper AD administration is to congregate your users into groups to make it easier to assign permissions and rights.  We use groups within Intune as well for this same reason.  In this case, Intune uses Azure AD to manage access to your company’s resources which is controlled using roles in the directory.  There are two default groups within every implementation of Intune.

  • All devices
  • All users

If you are using Intune for Education and you use School Data Sync to import you school records, you have two additional default groups.

  • All teachers
  • All users

These default groups represent a very broad scope and by themselves probably aren’t of much use.  That is why we need to create custom groups that can be tailored to the needs of our organization. There are two types of custom created groups in Intune, one being Assigned Groups.  Assigned groups are used when you want to manually add specific users or devices to a group.  You can create groups by a number of criteria such as geographic location, department, hardware characteristics, etc.  For instance, you could create one assigned group for your Windows 10 devices and one for your iPads.  You could create one for your desktop PCs and one for your mobile devices.  You can separate users into separate groups as well such as HR, Finance and Marketing.  You can then use those groups to assign policies to users or deploy apps to a set of devices.  Note that the ability to create custom groups is available in any MDM service, not just Intune.

Creating a group is easy.  Go to the Groups section of Intune and click “New Group.”  Then add the required information for that group.  In this case we would select “Assigned” as the membership type. 

Once the group is made, you can then assign users to that group.  Note that just as in domain joined AD, you can nest groups within one another.  These subgroups can be used to break down large groups into smaller more manageable sizes.  Groups have a hierarchical structure to them in Intune which allows for inheritance.  Parent groups are at the top of the hierarchy and any settings applied to these parent groups are passed down to the subgroups.  This settings inheritance feature makes it easer to apply settings to large numbers of users and devices.  Know that you can only create subgroups under assigned groups.