Group Policy Management with Microsoft Intune

With the modern workforce becoming increasingly remote, many enterprises are looking to transition device management provided by group policy to a cloud solution. Entra ID (formerly known as Active Directory) Group Policy contains tens of thousands of settings providing very granular control when managing and securing Windows clients and applications. The problem is that there are no group policies in Entra ID. The good news is that Microsoft Intune has configuration profiles with built-in Administrative Templates and settings that may contain the group policy settings you require.

Can Intune deploy my Group Policy settings?

The likely answer is yes! We’ve helped many organizations transition and manage their group policy with our Digital Workspace Deployment solution using Intune. Microsoft Endpoint Manager (a.k.a. Intune) can evaluate your group policies to determine if they can be translated to the cloud.

You can check for yourself in 3 easy steps:

1. Export your GPO settings from your group policy management console. Right-click a GPO and select “Save Report…” as the XML file type

Intune | Export GPO Settings

2. Go to your Microsoft Endpoint Management console: Devices > Group Policy analytics (preview) > Import

Intune | Microsoft Endpoint Manager

3. Import the XML files you exported from the GPAC.

Intune | Import GPO Files

Now you can view which GPO settings can be translated into Intune configuration profiles. Click the MDM Support percentage value to view the specific settings that can or cannot be translated.

Intune | Group Policy Analytics Preview

Some group policy settings have ADMX support and can be configured using Intune.

Intune | ADMX Support

Not all group policy settings are supported, but Intune may have cloud-appropriate settings for the same component.

Intune | Cloud Settings

Intune Makes it Easy

Intune contains many settings that can be configured right out of the box. Administrative Templates are built into Intune and don’t require any customizations, including using OMA-URI.

As part of your mobile device management (MDM) solution, use these template settings as a one-stop shop to manage your Windows 10 devices.

The Settings catalog is in preview and lists the settings you can configure all in one place. This feature simplifies how you create a profile and see all the available settings. Use the settings catalog as part of your (MDM) solution to manage and secure devices in your organization.

For example, we can create a Windows 10 Firewall profile:

Go to the Microsoft Endpoint Management console:
Devices > Configuration profiles > + Create profile
Platform – Windows 10 and later
Profile type – Settings catalog (preview)

Intune | Create A Profile

Basics > Name – Windows 10 Firewall

Intune | Create Device Configuration Profile

Next: Configuration settings > +Add settings

Intune | Device Configuration Settings

Select the Firewall category and enable the desired settings

Intune | Device Settings Picker

Additional Configurations

Intune can also deploy group policy settings that are not included out-of-the-box, using a procedure called ADMX file ingestion.

For example, if we want to replicate the GPO setting “Prevent Microsoft Teams from starting automatically after installation” with Intune:

Intune | Prevent Microsoft Teams from starting automatically after installation

Go to the Microsoft Endpoint Management console and create a Configuration profile
Devices > Configuration profiles > + Create profile
Platform – Windows 10 and later
Profile type – Templates
Template name – Custom

Intune | Configure Windows 10 Profile

Basics > Name – Disable Teams Autostart

Intune | Name Custom Template

Next - Download the Teams ADMX file from Administrative Template files (ADMX/ADML) and Office Customization Tool for Microsoft 365 Apps for enterprise, Office 2019, and Office 2016
Download Administrative Template files (ADMX/ADML) and Office Customization Tool for Microsoft 365 Apps for enterprise, Office 2019, and Office 2016 from the Official Microsoft Download Center

Open teams16.admx with a text editor such as notepad++

To ingest an ADMX file, we must use the following OMA-URI format:
./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{AdmxFileName}
OMA-URI stands for Open Mobile Alliance Uniform Resource Identifier
AppName – This should be the name of the application “Teams16”
SettingType – This will be “Policy” when doing ADMX ingestion
ADMXFileName – This can be anything, such as “Teams16ADMX”, but the meaning should be obvious to your peers

From the Microsoft Endpoint Management console, go to:
Devices > Configuration profiles > + Create Profile
Platform: Windows 10 and later
Profile type: Templates > Custom
Basics – Name: Teams
Configuration settings > Add
Name: Teams ADMX Ingestion
OMA-URI:

./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Teams16/Policy/Teams16ADMX
Data type: String
Value: paste in the text of the teams16.admx file you opened with your text editor

Intune | Add Row

Now let’s build the setting OMA-URI for our custom profile:
The settings OMA-URI must use the following format:
./User|Device/Vendor/MSFT/Policy/Config/{AppName}~{SettingType}~{CategoryPathFromADMX}/{SettingFromADMX}

We can fill in some of the variables from the information found in the ADMX file.
The class is “User” and is found in the ADMX file.
The AppName “Teams16” will be the same name we used in our ADMX ingestion OMA-URI
The setting type “Policy” is the same as used in our ADMX ingestion OMA-URI
The category “L Teams” is found in the ADMX file
The value will be “<enabled/>”
The complete setting OMA-URI will look like this:
./User/Vendor/MSFT/Policy/Config/ Teams16~ Policy ~L_Teams/ Teams_PreventFirstLaunchAfterInstall_Policy

Teams16.admx:

<?xml version="1.0" encoding="utf-16"?>
<policyDefinitions revision="1.0" schemaVersion="1.0">
<policyNamespaces>
<target prefix="Teams" namespace="Teams.Office.Microsoft.Policies.Windows" />
<using prefix="windows" namespace="Microsoft.Policies.Windows" />
</policyNamespaces>
<resources minRequiredRevision="1.0" />
<categories>
<category name="L_Teams" displayName="$(string.L_Teams)" />
</categories>
<policies>
<policy name="Teams_PreventFirstLaunchAfterInstall_Policy" class="User"
displayName="$(string.String_Teams_PreventFirstLaunchAfterInstall_Policy)"
explainText="$(string.String_Explain_Teams_PreventFirstLaunchAfterInstall_Policy)"
key="software\policies\microsoft\office\16.0\teams"
valueName="preventfirstlaunchafterinstall">
<parentCategory ref="L_Teams" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
<policy name="String_Teams_SignInRestriction_Policy" class="User"
displayName="$(string.String_Teams_SignInRestriction_Policy)"
explainText="$(string.String_Explain_Teams_SignInRestriction_Policy)"
presentation="$(presentation.Teams_SignInRestriction_Policy)"
key="software\policies\microsoft\office\16.0\teams">
<parentCategory ref="L_Teams" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<elements>
<text id="RestrictTeamsSignInToAccountsFromTenantList"
valueName="restrictteamssignintoaccountsfromtenantlist" required="true" />
</elements>
</policy>
</policies>
</policyDefinitions>

So, putting it all together…
Add a configuration setting to our “Disable Teams Autostart” profile
Name: Teams-preventfirstlaunchafterinstall
OMI-URI:
./User/Vendor/MSFT/Policy/Config/Teams16~Policy~L_Teams/Teams_PreventFirstLaunchAfterInstall_Policy
Data type: String
Value: <enabled/>

Intune | Teams Custom Configuration

After the profile is assigned, test and verify that the setting is correctly applied in the registry.

Intune | Verify Custom Settings

Ascend Can Help

Windows 10 cloud-only management is becoming a reality with Microsoft Endpoint Manager. Our experts have helped organizations streamline their group policy and device deployment with our Digital Workspace Deployment solution.

Need more IT help? Check out more of our IT Tips, or reach out to talk to an expert.

Tags: