1. Modern Device Management Intune Policies vs Group Policies
2. ANOOP C NAIR
17+ YEARS OF EXPERIENCE IN IT
MICROSOFT MVP/VEEAM VANGUARD
@ANOOPMANNUR
WWW.ANOOPCNAIR.COM
HTTP://WWW.YOUTUBE.COM/C/ANOOPCNAIRSCCM
3. VIMAL DAS
12+ YEARS OF EXPERIENCE IN IT
PRINCIPAL CONSULTANT
HTTPS://TWITTER.COM/VIMALVMD
HTTPS://WWW.ANOOPCNAIR.COM/AUTHOR/VIMALDAS/
4. AGENDA
• WHY MODERN MANAGEMENT
• MANAGEMENT OPTIONS
• MDM ARCHITECTURE
• GROUP POLICY DEAD?
• BLUETOOTH FILE TRANSFER
• OUT OF BOX OPTIONS
• MDM VS GP
• DEMO SCENARIO - EXAMPLE
• UNDERSTANDING KEY EVENTS
• MDM DIAGNOSTICS REPORT
• EVENT VIEWER AND REGISTRY
• CHALLENGES ?
5. WHY MODERN MANAGEMENT?
• WORLD IS CHANGING
• DESTRUCTIVE PHASE
• REDUCTION OF OPERATING COST
• EASY MANAGEMENT VIA INTERNET
8. INTUNE POLICY OPTIONS
• OUT OF BOX INTUNE CONSOLE (EASY)
• CUSTOM CSP > OMA-URI (MEDIUM)
• ADMX FILES (COMPLEX)
9. GROUP POLICY DEAD?
• PARITY BETWEEN WINDOWS 10 CSP & GPO?
• GROUP POLICY ROADMAP
• LONG TERM & SHORT TERM
• SOME EXAMPLES
10. BLUETOOTH FILE TRANSFER
• NO GROUP POLICY TO PREVENT FILE TRANSFER
• POWERSHELL SCRIPT USING WMI BRIDGE
• DEPLOY THE SCRIPT VIA SCCM
• BEST OPTION?
11. INTUNE OUT OF BOX OPTIONS
• INTUNE OUT OF BOX OPTIONS
• EASY TO IMPLEMENT?
• ADD ALLOWED BLUETOOTH SERVICES
• ASSIGN CONFIGURATION POLICY TO DEVICES
12. INTUNE POLICY (CSP) WINS OVER GP
• BY DEFAULT, GP HAS HIGHER PRECEDENCE OVER CSP WHEN THERE IS A SETTING CONFLICT
• STARTING WITH WINDOWS 10 1803, CSP CAN OVERRIDE GP
13. DEMO 1
• Out of Box Policies – Bluetooth
• Home page GPO setup (GPO MGMT)
• Home page config Intune policy setup (CSP)
• MDM Wins Over GP Intune policy setup (CSP)
17. EVENT VIEWER AND REGISTRY
• APPLICATIONS AND SERVICES LOGS > MICROSOFT > WINDOWS > DEVICEMANAGEMENT-ENTERPRISE-DIAGNOSTIC-PROVIDER
• “MDMWINSOVERGP” VALUE CHANGES FROM 0 TO 1 AFTER APPLYING THE CSP
• EXISTING GP VALUE IS SAVED BEFORE THE CSP TAKES PRECEDENCE
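A PowerShell check, added here as an example (it is not from the deck), for the three things this slide says to look at after the ControlPolicyConflict/MDMWinsOverGP policy is pushed: recent entries in the DeviceManagement-Enterprise-Diagnostics-Provider event channel, the MDMWinsOverGP registry value under the PolicyManager hive, and the Bluetooth policy instance read back through the same WMI bridge class the deck's script writes to. The channel name and the HKLM\SOFTWARE\Microsoft\PolicyManager root are real Windows locations; the exact subkey holding MDMWinsOverGP is not assumed, the script searches for it. Like the deck's script, the WMI bridge read needs SYSTEM context.

```powershell
# Added example, not part of the original deck. Run elevated on the Windows 10 device
# after the CSP has been assigned; Get-BluetoothMdmPolicy needs SYSTEM context.

$Channel    = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$PolicyRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager'

function Get-MdmWinsOverGpState {
    # The slide says MDMWinsOverGP flips from 0 to 1 once the CSP applies. Rather than
    # assume the exact subkey, walk the PolicyManager hive and report every key that
    # carries a value with that name.
    Get-ChildItem -Path $PolicyRoot -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $props -and $props.PSObject.Properties['MDMWinsOverGP']) {
            [pscustomobject]@{ Key = $_.Name; MDMWinsOverGP = $props.MDMWinsOverGP }
        }
    }
}

function Get-MdmDiagnosticEvents {
    # Recent entries from Applications and Services Logs > Microsoft > Windows >
    # DeviceManagement-Enterprise-Diagnostics-Provider (Admin channel), filtered to the
    # policy areas of interest. Warnings and errors here are where a failed CSP shows up.
    param(
        [int]$Hours = 24,
        [string]$Pattern = 'MDMWinsOverGP|ControlPolicyConflict|Bluetooth'
    )
    Get-WinEvent -FilterHashtable @{ LogName = $Channel; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Get-BluetoothMdmPolicy {
    # Read the Bluetooth policy back through the WMI bridge class the deck's script uses,
    # to confirm what the device actually holds (returns nothing when not run as SYSTEM).
    Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_Policy_Config01_Bluetooth02' -ErrorAction SilentlyContinue |
        Select-Object InstanceID, AllowDiscoverableMode, ServicesAllowedList
}

Get-MdmWinsOverGpState   | Format-Table -AutoSize
Get-MdmDiagnosticEvents -Hours 48 | Format-Table -AutoSize -Wrap
Get-BluetoothMdmPolicy   | Format-List
```

An MDMWinsOverGP value of 1 together with an unchanged GP setting in the event log means the CSP was applied but the conflicting setting has not yet been re-evaluated; re-running a policy sync on the device is the usual next step.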
21. CHALLENGES?
• GROUP POLICY PREFERENCES
• COMPLEX TO IMPLEMENT?
• ADMX CONFIGURATION IS NOT EASY AND IS TIME CONSUMING
• STEEP LEARNING CURVE
• ARE ALL THE WINDOWS CSPS SUPPORTED BY INTUNE?
In the new world, startup companies are eating up the big giants; you know the stories of Airbnb and Uber. The industry is going through a very destructive phase, so all organizations are trying to cut infrastructure and reduce operating cost. These things lead to the next level of automation.
For your organisation there are three main pillars in the modern management workflow. It is important to understand the management options and which is the best for the future:
initial provisioning (Autopilot) and new configuration settings after the initial provisioning.
MDM Architecture - A CSP is an interface in the client operating system between configuration settings specified in a provisioning document and configuration settings on the device.
MDM is the primary channel of Management for Azure AD Joined Devices
Microsoft also provides options to configure Windows 10 settings from traditional management tooling through the WMI bridge provider (the MDM_* classes in root\cimv2\mdm\dmmap).
Common Device Configurator – helps devices to automatically resolve the conflicts and select the best secured policy
There are 3 ways to configure policies in modern way
“A Microsoft rep told me that Group Policy is dead. What should I tell my boss, and what should I do now?”
“Is Intune/ MDM trying to replace Group Policy?”
“Why do I need Group Policy if I’ve also got SCCM?”
“Do you think Powershell and/or DSC (Desired State Configuration) is replacing Group Policy?”
“Will Azure Active Directory be the death of Group Policy?”
https://cloudblogs.microsoft.com/enterprisemobility/2016/03/23/the-path-to-modernizing-windows-management/
We had an audit issue with one of my clients: we were trying to disable Bluetooth file transfer, and it was easy through Intune but not easy through the traditional management way.
https://blogs.technet.microsoft.com/letsdothis/2017/06/20/disable-bluetooth-in-windows-10-updated/
# Must be run as the System account (the MDM WMI bridge is not accessible to ordinary administrators)
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_Policy_Config01_Bluetooth02"
# Remove the existing policy instance in case of a re-run, to avoid errors from existing values - could be optimised :)
Get-CimInstance -Namespace $namespaceName -Query 'SELECT * FROM MDM_Policy_Config01_Bluetooth02' -ErrorAction SilentlyContinue | Remove-CimInstance
# Create the Bluetooth policy instance in one call (ParentID + InstanceID is the key, so both
# settings go into the same instance): disable discoverable mode and restrict the allowed
# services to HFP, A2DP source, Generic Access, Device Information and Scan Parameters.
# Every other Bluetooth service, including file transfer (OBEX/OPP), is thereby blocked.
New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{
    ParentID              = "./Vendor/MSFT/Policy/Config"
    InstanceID            = "Bluetooth"
    AllowDiscoverableMode = "0"
    ServicesAllowedList   = "{0000111E-0000-1000-8000-00805F9B34FB};{0000110A-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}"
}
Intune has an out of box option to setup Bluetooth configuration policies
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-bluetooth#bluetooth-allowprepairing
Bluetooth
Bluetooth Discoverability
Bluetooth pre-caching
Bluetooth Advertising
Bluetooth Allowed Services which will disable all the other services
Bluetooth Headsets for Voice (HFP)
BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB
UUID name: HFP (Hands Free Profile) | Protocol specification: Hands-Free Profile (HFP) * | UUID: 0x111E
Footnote: * Used as both Service Class Identifier and Profile Identifier.
Hands Free Profile UUID = base UUID with 0x111E placed in the first 32 bits (zero-padded to 8 hex digits) = 0000111E-0000-1000-8000-00805F9B34FB
Example used in this demo is to set home page using GPO and intune policy
This is a custom OMA-URI, as Anoop mentioned.
Show bluetooth
Generic Access Attribute - for the LE protocol - 0x1801
00001801-0000-1000-8000-00805F9B34FB
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-bluetooth#bluetooth-allowprepairing
Bluetooth Headsets for Voice (HFP)
BASE_UUID = 0000111E-0000-1000-8000-00805F9B34FB
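The UUID derivation on the HFP slide and the 0x1801 example above, generalised into a small PowerShell helper. This is an added example, not part of the deck or of the TechNet script: it expands any 16-bit assigned number to its 128-bit form using the Bluetooth Base UUID, decodes the GUIDs of a ServicesAllowedList back to assigned numbers, and builds the semicolon-separated, braced list the Bluetooth/ServicesAllowedList policy expects. The service names in the lookup table come from the Bluetooth SIG assigned-numbers list and are not on the slides.

```powershell
# Added example, not part of the original deck. Bluetooth SIG Base UUID as on the slide.
$BluetoothBaseUuid = '00000000-0000-1000-8000-00805F9B34FB'

# Service names from the Bluetooth SIG assigned-numbers list (not on the slides), used
# only to make a decoded list readable.
$KnownServices = @{
    '0x110A' = 'Audio Source (A2DP)'
    '0x111E' = 'Hands-Free Profile (HFP)'
    '0x1800' = 'Generic Access (GAP)'
    '0x1801' = 'Generic Attribute (GATT)'
    '0x180A' = 'Device Information'
    '0x1813' = 'Scan Parameters'
}

function ConvertTo-BluetoothUuid {
    # Expand a 16-bit (or 32-bit) assigned number such as '0x111E' to its 128-bit form:
    # the value, zero-padded to 8 hex digits, replaces the first group of the Base UUID.
    param([Parameter(Mandatory)][string]$ShortUuid)
    $hex   = $ShortUuid.Trim() -replace '^0[xX]', ''
    $value = [Convert]::ToUInt32($hex, 16)
    return ('{0:X8}' -f $value) + $BluetoothBaseUuid.Substring(8)
}

function ConvertFrom-BluetoothUuid {
    # Reverse: return the assigned number ('0x111E') when the UUID sits on the Base UUID,
    # or $null for a vendor-defined 128-bit UUID that cannot be shortened.
    param([Parameter(Mandatory)][string]$Uuid)
    $clean = $Uuid.Trim('{', '}').ToUpperInvariant()
    if ($clean.Length -ne 36 -or $clean.Substring(8) -ne $BluetoothBaseUuid.Substring(8)) { return $null }
    $first = $clean.Substring(0, 8).TrimStart('0')
    if ($first.Length -lt 4) { $first = $first.PadLeft(4, '0') }
    return '0x' + $first
}

function New-ServicesAllowedList {
    # Build the value for ./Vendor/MSFT/Policy/Config/Bluetooth/ServicesAllowedList:
    # each UUID in braces, entries separated by ';', the format the deck's script uses.
    param([Parameter(Mandatory)][string[]]$ShortUuids)
    $uuids = $ShortUuids | ForEach-Object { '{' + (ConvertTo-BluetoothUuid $_) + '}' }
    return ($uuids -join ';')
}

# The HFP derivation from the slide, then the full list used by the WMI bridge script.
ConvertTo-BluetoothUuid '0x111E'
$allowed = New-ServicesAllowedList '0x111E', '0x110A', '0x1800', '0x180A', '0x1813'
$allowed

# Decode a list (for instance one read back from a device) into readable service names,
# so an auditor can see which services a policy leaves open.
$allowed -split ';' | ForEach-Object {
    $short = ConvertFrom-BluetoothUuid $_
    $name  = if ($short -and $KnownServices.ContainsKey($short)) { $KnownServices[$short] } else { 'unknown / vendor-specific' }
    [pscustomobject]@{ Uuid = $_.Trim('{', '}'); Short = $short; Service = $name }
}
```

Anything in a decoded list that comes back as unknown or vendor-specific is worth a second look before the policy is assigned: the allow list is only as tight as the services it names.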
Can provide any name to OMA uri name
Anoop covered OOB Intune setting as example
Loads of policies are already available as an out of box experience for admins. But loads of the newer policies are not available out of box; in those scenarios you need to spend a lot of time on R&D to understand how OMA-URI works. Some examples are given below.
Yes - It’s complex to implement
Understanding and implementing ADMX is another challenge
Reapplying behaviour of configuration policies?
Steep learning curve
SQL Always On Availability Group for site database recovery
Offload all the roles from Primary like MP, SUP, DPs, SMS provider?
SQL on remote box with SQL Always On Availability Group
Best Practice is to avoid installing IIS on primary servers to reduce the load