1. Group Policy in MDM: Dealing with ADMX backed policies
9/13/2018 5:39 AM
THR3073
Group Policy in MDM: Dealing with ADMX backed policies
Raymond Comvalius
IT Infrastructure Architect
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2. Raymond Comvalius - www.nextxpert.com
Independent trainer/architect since 1998
Most Valued Professional (MVP)
Microsoft Certified Trainer (MCT)
Author of “Windows 7 for XP Professionals”

3. What is ADMX backed policies about?
Microsoft is NOT moving away from Modern Management
Check with MMAT what you can manage with MDM

4. Why ADMX Backed Policies?
ADMX Backed Policies is to manage certain Group Policy from Mobile Device Management:
No Group Policy Objects
No Group Policy Service
With the Group Policy Template
Backed by MDM and CSP

5. MDM and CSP?
Mobile Device Management policies are executed by a Configuration Service Provider (CSP)
The Policy CSP handles ADMX backed policies
GroupPolicySvc is NOT involved
OMA URI prefix:
./Device/Vendor/MSFT/Policy/Config/
./User/Vendor/MSFT/Policy/Config/

6. What policies can you manage?
9/13/2018 5:39 AM
What policies can you manage?
Check the list here
Current total of 367 settings
A lot of Internet Explorer (251)
App-V
Remote Management
A little bit of the rest
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

7. Configuring an ADMX backed policy in Intune

8. Policy without options
Lookup in Policy CSP
Create Custom Policy in Intune
OMA-URI
./User/Vendor/MSFT/Policy/Config/CredentialsUI/DisablePasswordReveal
Data type
String
Value
<enabled/>

9. Policy with Options – step 1
Lookup in the Policy CSP
Take note of
GP English Name
GP Name
GP ADMX File Name
GP Path

10. Policy with options - step 2
Copy information from ADMX
Locate the policy and copy any of the following:
text id
list id
boolean id
enum id
All these become data id fields in the XML data payload

11. Create Intune Policy – step 3
OMA-URI
./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
Data type
String
Value
<enabled/>
<data id="DeviceInstall_Classes_Deny_List" value="{6bdd1fc6-810f-11d0-bec be2092f}"/>
<data id="DeviceInstall_Classes_Deny_Retroactive" value="1"/>

12. XML encoding
Depending on the MDM solution in use, you may have to XML encode the Data part of the setting.
Intune does not require encoding.
XML
<enabled/>
Encoded XML
&lt;enabled/&gt;
CData
<![CDATA[<enabled/>]]>

13. Demo
ADMX Backed Policies in Intune

14. Summary
ADMX Backed policies is only available for a subset of Group Policies.
Deployment is rather complex and painful.
3rd party MDMs may require XML conversion.
This will not replace all Group Policies.
More information:
Understanding ADMX-backed policies

15. Please evaluate this session
Tech Ready 15
9/13/2018
Please evaluate this session
From your
Please expand notes window at bottom of slide and read. Then Delete this text box.
PC or tablet: visit MyIgnite
Phone: download and use the Microsoft Ignite mobile app
Your input is important!
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.