How to Replace your old GPOs with Intune Configuration Profiles

Did you know that there is a hotel in Stockholm with an indoor camp fire where you can grill marshmallows while you blog about how to replace your old legacy GPOs with something a little bit more 2018? Well, there is, and I’m sitting by that camp fire right now, enjoying my fifth marshmallow tonight.

Is it really possible to replace all of your GPOs with Intune Device Configuration Profiles? Well, yes and no. You will always need your Default Domain Policy and Default Domain Controller Policy as long as you keep your legacy AD. There are also a lot of Group Policy settings not yet available in Intune, but there are ways to set them anyway and you will be able to get rid of most of your GPOs by using one, two or maybe all of the techniques in this post.

Let’s get started!

Built in Intune Configuration Profile Types

As you know, there are many built in Device Configuration Profile Types in Intune. These are the ones you use in your Configuration Profiles in the Intune user interface and your should primarily use them if you can. There is no need to complicate things when there is a solution right in front of you. For Windows 10 you can configure most of your security configuration, feature configuration and other stuff like Wi-Fi, VPN and SSL certificates.

CSP0

This list of profile types will help you cover the basics. If you are missing settings in the standard profile types, keep on reading. This is where it gets fun!

CSP (Configuration Service Providers)

CSPs has been around since Windows Mobile 5 but are not very well known. They continues to be an important part of Windows 10 management and MDM solutions like Intune.

A CSP in Windows 10 is basically an interface in the operating system that describes how to read, set, modify and delete configuration settings for a particular OS feature. They are much like traditional Group Policys in Windows and modifies registry keys and files in the same way. Also, when you use Windows Configuration Designer to build provisioning packages for Windows you are actually using CSPs behind the scenes.

Intune (and other MDM solutions) build there policy configurations and user interfaces on top of CSPs. However, some CSPs and its settings might not be exposed in the interface directly but such a setting can be set anyway by entering its OMA-URI manually. Think of an OMA-URI as sort of a registry key that you can set to make the underlying configuration setting happen.

In Intune this is called a Custom Policy.

CSP1

This is an example of a OMA-URI setting.

CSP2

You can find a list of CSPs on this link:

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider

If there still are configuration settings you can’t set we have to bring out the heavy artillery (my personal favorite), PowerShell!

Run PowerShell Scripts with Intune

You can run your own PowerShell scripts on Windows 10 devices with Intune. You create a PowerShell profile that will run the script the next time the device syncs with Intune (happens ones every hour). The script can be monitored from the Intune portal and you can see the run status from start to finish.

The following is required for PowerShell support:

  • Devices must be joined to Azure AD. The Intune management extension supports Azure Active Directory joined, Hybrid Domain joined and Co-Managed enrolled Windows devices.
  • Devices must run Windows 10, version 1607 or later.
  • Automatic MDM enrollment must be enabled in Azure AD, and devices must be auto-enrolled to Intune.

The Intune management extension synchronizes to Intune once every hour. After you assign the policy to the Azure AD groups, the PowerShell script runs, and the run results are reported.

Import ADMX Files in Intune

This feature was announced by Microsoft at Ignite in september this year. It will soon be available in preview and it basically makes it possible to import any ADMX file straight into Intune. This is almost like traditional Group Policy in the cloud. Keep your eyes open (or follow my blog) to get a notice when this is launched. For many people, this is the missing peace of the Intune MDM puzzle.

CSP3

When Intune Configuration Profiles Conflict with Group Policy

Last but not least… So now we have deployed a bunch of Intune configuration profiles but we forgot to get rid of our legacy GPOs. We now have configuration that both Group Policy and Intune are setting. Who will win this war?

If you run Windows 10 versions 1709 and earlier Group Policy will override MDM policies, even if an identical policy is configured in MDM.

If you run Windows 10 version 1803 and beyond there is a new Policy CSP setting called ControlPolicyConflict that includes the policy of MDMWinsOverGP, where the preference of which policy wins can be controlled, i.e. Microsoft Intune MDM policy.

You can see how this is done in this Microsoft article:

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp

Conclusion

There are multiple ways to configure your Windows 10 devices with Intune and I really think that most people can let go of their legacy GPOs for their Windows 10 management needs and move to a more modern approach.

If Group Policy is the last thing keeping you on legacy Active Directory, think again!

Please follow me here, on Twitter and on LinkedIn.

@DanielChronlund

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s