When a journey ends, a new journey will begin. My journey with the old school domain joined and GPO managed devices within my LAB ended, and I finally conquer new areas with Azure AD join and Intune controlled devices. Due to the lack of opportunities, I still waited so long, because a lot of settings were not possible to set. And some of them are still not that simple to set through Intune, but there is a solution for, I would like to say, most of the requirements.
So within this blog post, I would like to document my current knowledge of Windows 10 settings management through Intune. As today, we have the following options to configure GPO alike settings through Microsoft Intune:
Let’s have a closer look to the different options.
Intune Windows Enrollment settings
First of all, all Devices enrolled with Microsoft Intune receive enrollment settings. Here we can already configure basic settings what should happen if a Device starts to be managed via Intune. I highly recommend to check the Default settings, and also make adjustments to fulfill your requirements.
You can find the Windows Enrollment settings within the Intune blade from Azure:
Refer to this official Microsoft Article as a starting point: Set up enrollment for Windows devices
Intune Portal blade settings
The next obvious settings location for Intune managed Devices are the device settings reachable within the Intune blade of Azure. Navigate to Microsoft Intune -> Device configuration -> Profiles:
If you have reached the profiles section as shown above, you can click on “Create Profile” to check the different options for the easy-to-configure settings, beside the currently in preview ADMX-backed settings (see later in this blog). After the click on create profile you need to select Windows 10 as platform, and you can open the Dropbox for the different profile types:
My intention is not to go through all the possible settings, I would not be able to finish this blog in a reasonable time. As example, just select the endpoint protection profile type, and check how many options you do have only within this class type(!):
You may think you have seen all? No way, you are not close to it…
Intune Portal Custom CSP settings
With the custom CSP settings, you can even do more than with the settings within the Intune Blade. But it is quite more complex to configure them. The complexity also depends on the CSP, and how the values are required to be handled. You can reach the custom CSP setting on the same page as the Intune Portal blade settings:
As example, if your clients are Azure AD joined, and you are using Intune for the device management, you will be required to use a custom CSP setting, to configure the trusted sites of the Internet Explorer to support seamless SSO within IE and Edge (AllowSiteToZoneAssignmentList). See this blog post from Zeng Yinghua (Sandy) (twitter) where this process is described:
Use Intune Policy CSP manage Windows 10 settings – Internet Explorer Site to Zone Assignment List
Microsoft has also released an article, how you need to handle the SyncML value for an ADMX-backed setting:
Intune: Deploying ADMX-Backed policies using Microsoft Intune
As a sidenote: I tried to disable the Option “Turn on fast startup” (or so-called “Hiberboot” or from GPO “Require use of fast startup”). With the article above from Microsoft, I found the setting within the WinInit.admx file, which lead me to search for a WinInit CSP, without success. Currently there is no manageable way to configure the fast startup via Intune, but we may can use PowerShell for this setting? Lets see…
Intune ADMX-backed administrative template settings (Preview)
This is fresh, and HOT! Those Intune ADMX-backed administrative templates helps a lot, if you need to transfer current GPO settings to Intune. With the search bar, you can check very fast, if your required setting is available within the administrative templates.
To access the ADMX-backed administrative templates, open a new profile within the device configuration, and select “Administrative Templates (Preview)”, and click on create at the bottom:
Afterwards you need to open the created profile, and click on settings, where you will find all currently available settings:
And you can easily search, as I said before:
Within this new settings console, now there are settings which can be configured in three different Intune profile types:
-Intune Portal blade
-Intune Portal custom CSP settings
-Intune administrative templates
Heads up with tracking the changes!
Last but not least, you can create a PowerShell script, which will do all the required modification on the client. But I would highly recommend to avoid PowerShell scripts as much as possible, as the settings are not really managed with this solution. It is more a Fire and Forget solution, which might be valid for some use-cases, no doubt about that. But in general, try to configure the required Windows 10 settings through the different Intune blade Options.
So as mentioned before, I will set the HiberBoot option through a PowerShell script, and I’m quite confident that it should work. I think this will be my next blog, where I can tell, if it worked or not 🙂
But see this previous blog, where I described the Application deployment with Intune and PowerShell (with the new Win32 wrapper of Intune, the process in this blog is no longer needed):
Create your own Software Deployment Repository with Azure and Intune