How to Replace your old GPOs with Intune Configuration Profiles

Cloud, EMS, Intune, Microsoft 4 Minutes

Did you know that there is a hotel in Stockholm with an indoor camp fire where you can grill marshmallows while you blog about how to replace your old legacy GPOs with something a little bit more 2018? Well, there is, and I’m sitting by that camp fire right now, enjoying my fifth marshmallow tonight.

Is it really possible to replace all of your GPOs with Intune Device Configuration Profiles? Well, yes and no. You will always need your Default Domain Policy and Default Domain Controller Policy as long as you keep your legacy AD. There are also a lot of Group Policy settings not yet available in Intune, but there are ways to set them anyway and you will be able to get rid of most of your GPOs by using one, two or maybe all of the techniques in this post.

Let’s get started!

Built in Intune Configuration Profile Types

As you know, there are many built in Device Configuration Profile Types in Intune. These are the ones you use in your Configuration Profiles in the Intune user interface and your should primarily use them if you can. There is no need to complicate things when there is a solution right in front of you. For Windows 10 you can configure most of your security configuration, feature configuration and other stuff like Wi-Fi, VPN and SSL certificates.

CSP0

This list of profile types will help you cover the basics. If you are missing settings in the standard profile types, keep on reading. This is where it gets fun!

CSP (Configuration Service Providers)

CSPs has been around since Windows Mobile 5 but are not very well known. They continues to be an important part of Windows 10 management and MDM solutions like Intune.

A CSP in Windows 10 is basically an interface in the operating system that describes how to read, set, modify and delete configuration settings for a particular OS feature. They are much like traditional Group Policys in Windows and modifies registry keys and files in the same way. Also, when you use Windows Configuration Designer to build provisioning packages for Windows you are actually using CSPs behind the scenes.

Intune (and other MDM solutions) build there policy configurations and user interfaces on top of CSPs. However, some CSPs and its settings might not be exposed in the interface directly but such a setting can be set anyway by entering its OMA-URI manually. Think of an OMA-URI as sort of a registry key that you can set to make the underlying configuration setting happen.

In Intune this is called a Custom Policy.

CSP1

This is an example of a OMA-URI setting.

CSP2

You can find a list of CSPs on this link:

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider

If there still are configuration settings you can’t set we have to bring out the heavy artillery (my personal favorite), PowerShell!

Run PowerShell Scripts with Intune

You can run your own PowerShell scripts on Windows 10 devices with Intune. You create a PowerShell profile that will run the script the next time the device syncs with Intune (happens ones every hour). The script can be monitored from the Intune portal and you can see the run status from start to finish.

The following is required for PowerShell support:

  • Devices must be joined to Azure AD. The Intune management extension supports Azure Active Directory joined, Hybrid Domain joined and Co-Managed enrolled Windows devices.
  • Devices must run Windows 10, version 1607 or later.
  • Automatic MDM enrollment must be enabled in Azure AD, and devices must be auto-enrolled to Intune.

The Intune management extension synchronizes to Intune once every hour. After you assign the policy to the Azure AD groups, the PowerShell script runs, and the run results are reported.

Import ADMX Files in Intune

This feature was announced by Microsoft at Ignite in september this year. It will soon be available in preview and it basically makes it possible to import any ADMX file straight into Intune. This is almost like traditional Group Policy in the cloud. Keep your eyes open (or follow my blog) to get a notice when this is launched. For many people, this is the missing peace of the Intune MDM puzzle.

CSP3

When Intune Configuration Profiles Conflict with Group Policy

Last but not least… So now we have deployed a bunch of Intune configuration profiles but we forgot to get rid of our legacy GPOs. We now have configuration that both Group Policy and Intune are setting. Who will win this war?

If you run Windows 10 versions 1709 and earlier Group Policy will override MDM policies, even if an identical policy is configured in MDM.

If you run Windows 10 version 1803 and beyond there is a new Policy CSP setting called ControlPolicyConflict that includes the policy of MDMWinsOverGP, where the preference of which policy wins can be controlled, i.e. Microsoft Intune MDM policy.

You can see how this is done in this Microsoft article:

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp

Conclusion

There are multiple ways to configure your Windows 10 devices with Intune and I really think that most people can let go of their legacy GPOs for their Windows 10 management needs and move to a more modern approach.

If Group Policy is the last thing keeping you on legacy Active Directory, think again!

Please follow me here, on Twitter and on LinkedIn.

@DanielChronlund

Published by Daniel Chronlund

Daniel is an IT consultant at Altitude 365, specialized in Microsoft cloud infrastructure design and implementation. Daniel provides consultative services around Azure IaaS and PaaS services, Microsoft 365, EM+S and Office 365. He helps customers to work smarter, more secure and to get the most value out of the Microsoft cloud.

Published

4 thoughts on “How to Replace your old GPOs with Intune Configuration Profiles

  1. Do you know when the Import ADMX Files in Intune feature will be make available from microsoft???

  3. Daniel,
    Thanks for this good article from 2018 (it’s hard to find good info about Intune CSP etc)

    Jeffrey,

    In response to Your and Daniel’s comments from a few weeks ago.

    My read on this is that the ‘Administrative Templates’ (that is now a Device Configuration Profile Type in Intune) add’s lots of options… but Microsoft still have not delivered on an easy use interface for taking Policy Template files (ADMX) and getting a nice GUI to make changes (like old AD GPO).

    It’s not yet the ‘simple’ process that the the phrase “Import ADMX in Intune” gave hope towards (ref your pic above)

    The ADMX XML ‘Ingestion’ and OMA-URI process is far to complex and prone to little errors (straight vs curly quotes anyone :-/ )

    Maurice Daly, says something to that effect in the “WANTED: AN ADMX IMPORT FUNCTION” section at the bottom of this page https://www.scconfigmgr.com/2019/07/10/extended-administrative-templates-in-microsoft-intune/

    My IT Admin day is busy enough already, without having to ‘Ingest ADMX via pasting XML’ -> digging through those XML to get every setting -> crossing referencing with the CSP guides to understand the correct syntax for adding settings / etc.

    Here’s hoping MS continue to work on this!

    Cheers, Derek 🙂

  4. Thanks for your comment Derek!

    It’s true that the configuration experience is far from perfect and I bet that this is something that Microsoft will improve over time.

    I still think that this is a nice feature if you’re striving to remove your local AD and Group Policy management and are missing some settings in built-in Intune policys. This is a way to get the last peaces of the puzzle in place.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s