To clear up some of the confusion on Windows 10 Home @ 42 minutes in... You can enroll a Windows 10 device in to Intune. You can do this manually or via Workplace Join by signing in to an AAD Account licensed for AADP P1/Intune and in scope for MDM Enrollment (MAM enrollment disabled) in AAD and provided you haven't disabled personal device enrollment in device restrictions. You can Azure AD Register a Home device (WPJ does this) - you can't AADJ a Home device. You can apply a WIP policy to Home on an unenrolled device (pls don't). The WIP policy is removed when you enroll. You can't have both on Home (pls don't do it all).
Thank you for this video. As you were discussing at 24:00 minutes, It is still however unclear to me whether moving forward we should try to use Settings Catalog or ADMX templates ? What does Microsoft suggest ? will admx be maintained and as such populated with new setting or is it on the way out? thank you
I'm thankful for this series. I think Microsoft could be better about providing some best-practices for this stuff since there's multiple places and ways of implementing settings.
So great that "Settings Catalog" is here BUT... To start I'm in Ben's camp of creating small profiles and naming them instead of 1 big list with all of them smashed in, sorry Adam. I've had some issue's that when I created a small profile and set one (1) option but it disabled other settings from a different profile because of the way "not configured" works... That should be fixed now since I can click them away... That's a big plus! I'm also glad you guys brought up Policy sets, I have a feeling that this is a feature the Intune team doesn't give much about because maybe its not that widely used? I still have quite a few "custom" settings that could be set with "Administrative Templates" and now with "Settings Catalog" but these CAN NOT be selected in "policy sets" under device management. Same goes for the Win32 apps under Application management (MSI line of business does work there though) but that's not in this scope. The reason behind this: We are moving to Intune in small steps (school by school) so I could create a group and assign all the existing policies to that group. Instead now I need to open all my profiles and add the group. Thanks!
This is a great video, good discussion, and good things to be expected for the future of this. One thing that I hope makes it somewhere in roadmap is modifying or creating any registry key like we can do with GPO, outside of doing a Powershell script. I know I can do some fancy custom ADMX ingestion and then use OMA URI, but would be nice to put a user friendly UI for things like that. Then if there isn’t a direct Policy CSP, settings can still be toggled or influenced without scripting
If you have feature requests, you should create User Voice entries for them to get them to the product group. microsoftintune.uservoice.com/forums/291681-ideas.
Thanks! This one i mention is listed in multiple suggestions, but I think this one has most votes. I already voted against it ;) microsoftintune.uservoice.com/forums/291681-ideas/suggestions/37167010-ability-to-set-deploy-hklm-hkcu-registry-keys
Geart session as always. But what bothers me most is that there isnt anything equivalent to rsop.msc. This can be a bit frustrating if you have a lot of profiles and want to know which profil blocks a specific setting.
Can drivers be managed, pushed, patched with intune ? If so how. Also can I push outlook to Android and have it configure automatically and be ready for user, SSO or however ?
Hi, I am in the process of configuring a Windows Security Baseline and have a couple of questions. Firstly, is it best practice to assign the security baselines to user groups or device groups? We are swaying more towards user groups, but not sure if that's the best practice and if it would have complications further down the line? Also, It is best practice to create a new group for each new profile that is created or is it ok to have one main production group and assign each new profile to that one group. In, short one production group for all Windows device profiles and Windows Update Rings?
You’re on the right track. Generally user based is best, but it depends still. As for unique groups, that’s really an org decision. Less is more until you need to start breaking out targeting to various groups for things. But overall, we don’t recommend using single groups per single policy.
@@IntuneTraining Thank you for the quick response, that answers my question perfectly. I have another query. I have noticed in Security Baselines that there are ADMX-based polices and according to Microsoft documentation these polices require a special SyncML format to enable/disable the settings. Does this mean that any ADMX-based policy in the Security Baseline has to be setup manually and not just enabled? It's slightly confusing because when I push out the Baseline it shows in Endpoint manager that each setting has been deployed successfully. It probably doesn't help that Microsoft's documentation is over 2 years old...
This could be quite helpful. I'm currently in the mode of condensing and consolidating policies where I can. ...sidenote: I'm looking to control whether "high contrast" settings can be toggled and disabling changing of cursors...in a school environment.
Have you looked at Intune for Education? There's a whole separate Intune Portal for it that helps with school management. As for the setting you want to change - if they aren't in the settings catalog, they may be in the Administrative Templates or in a custom CSP.
@@samrix5793 The only difference is related to whether you deploy them to users or devices. They are the same settings, just available in different places in the console.
Great session guys, loads of useful content
+1
To clear up some of the confusion on Windows 10 Home @ 42 minutes in...
You can enroll a Windows 10 device in to Intune. You can do this manually or via Workplace Join by signing in to an AAD Account licensed for AADP P1/Intune and in scope for MDM Enrollment (MAM enrollment disabled) in AAD and provided you haven't disabled personal device enrollment in device restrictions.
You can Azure AD Register a Home device (WPJ does this) - you can't AADJ a Home device.
You can apply a WIP policy to Home on an unenrolled device (pls don't). The WIP policy is removed when you enroll. You can't have both on Home (pls don't do it all).
Thank you for this video. As you were discussing at 24:00 minutes, It is still however unclear to me whether moving forward we should try to use Settings Catalog or ADMX templates ? What does Microsoft suggest ? will admx be maintained and as such populated with new setting or is it on the way out? thank you
I'm thankful for this series. I think Microsoft could be better about providing some best-practices for this stuff since there's multiple places and ways of implementing settings.
So great that "Settings Catalog" is here BUT...
To start I'm in Ben's camp of creating small profiles and naming them instead of 1 big list with all of them smashed in, sorry Adam.
I've had some issue's that when I created a small profile and set one (1) option but it disabled other settings from a different profile because of the way "not configured" works... That should be fixed now since I can click them away...
That's a big plus! I'm also glad you guys brought up Policy sets, I have a feeling that this is a feature the Intune team doesn't give much about because maybe its not that widely used?
I still have quite a few "custom" settings that could be set with "Administrative Templates" and now with "Settings Catalog" but these CAN NOT be selected in "policy sets" under device management. Same goes for the Win32 apps under Application management (MSI line of business does work there though) but that's not in this scope.
The reason behind this: We are moving to Intune in small steps (school by school) so I could create a group and assign all the existing policies to that group. Instead now I need to open all my profiles and add the group.
Thanks!
This is a great video, good discussion, and good things to be expected for the future of this.
One thing that I hope makes it somewhere in roadmap is modifying or creating any registry key like we can do with GPO, outside of doing a Powershell script. I know I can do some fancy custom ADMX ingestion and then use OMA URI, but would be nice to put a user friendly UI for things like that. Then if there isn’t a direct Policy CSP, settings can still be toggled or influenced without scripting
If you have feature requests, you should create User Voice entries for them to get them to the product group. microsoftintune.uservoice.com/forums/291681-ideas.
Thanks! This one i mention is listed in multiple suggestions, but I think this one has most votes. I already voted against it ;)
microsoftintune.uservoice.com/forums/291681-ideas/suggestions/37167010-ability-to-set-deploy-hklm-hkcu-registry-keys
Geart session as always. But what bothers me most is that there isnt anything equivalent to rsop.msc. This can be a bit frustrating if you have a lot of profiles and want to know which profil blocks a specific setting.
We agree!
Can drivers be managed, pushed, patched with intune ? If so how. Also can I push outlook to Android and have it configure automatically and be ready for user, SSO or however ?
Yes to all. Check the other videos on this channel. We cover Windows Update for Business plus have a comprehensive Android management video.
Hi, I am in the process of configuring a Windows Security Baseline and have a couple of questions.
Firstly, is it best practice to assign the security baselines to user groups or device groups? We are swaying more towards user groups, but not sure if that's the best practice and if it would have complications further down the line?
Also, It is best practice to create a new group for each new profile that is created or is it ok to have one main production group and assign each new profile to that one group. In, short one production group for all Windows device profiles and Windows Update Rings?
You’re on the right track. Generally user based is best, but it depends still.
As for unique groups, that’s really an org decision. Less is more until you need to start breaking out targeting to various groups for things. But overall, we don’t recommend using single groups per single policy.
@@IntuneTraining Thank you for the quick response, that answers my question perfectly.
I have another query. I have noticed in Security Baselines that there are ADMX-based polices and according to Microsoft documentation these polices require a special SyncML format to enable/disable the settings.
Does this mean that any ADMX-based policy in the Security Baseline has to be setup manually and not just enabled?
It's slightly confusing because when I push out the Baseline it shows in Endpoint manager that each setting has been deployed successfully. It probably doesn't help that Microsoft's documentation is over 2 years old...
This could be quite helpful. I'm currently in the mode of condensing and consolidating policies where I can. ...sidenote: I'm looking to control whether "high contrast" settings can be toggled and disabling changing of cursors...in a school environment.
Have you looked at Intune for Education? There's a whole separate Intune Portal for it that helps with school management. As for the setting you want to change - if they aren't in the settings catalog, they may be in the Administrative Templates or in a custom CSP.
WIll the Settings Catalog support importing 3rd party ADMX (ie.. Chrome)
Perhaps. I don't know that we have any info on that yet though you can still continue to do that using a CSP today.
which would be a better route Configuration profile or attack service reduction?
They do the same thing. Just use what suits your needs.
@@IntuneTraining any difference which applies during esp?
@@samrix5793 The only difference is related to whether you deploy them to users or devices. They are the same settings, just available in different places in the console.
Can u share the intune pros and cons doc
Not sure what you’re referring to. Can you provide some context?
Been waiting on this in my tenant.. did you guys get it flighted or something? Sorry i ask questions before i watch the video fully.. lol.
Nope. Should be in all tenants as of Wednesday Feb 16.
Heh, spent the last month building up a InTune policy set from scratch, service catalogue would have been great! lol.