Modern Device Management Intune Policies vs Group Policies

4. AGENDA • WHY MODERN MANAGEMENT • MANAGEMENT OPTIONS • MDM ARCHITECTURE • GROUP POLICY DEAD? • BLUETOOTH FILE TRANSFER • OUT OF BOX OPTIONS • MDM VS GP • DEMO SCENARIO - EXAMPLE • UNDERSTANDING KEY EVENTS • MDM DIAGNOSTICS REPORT • EVENT VIEWER AND REGISTRY • CHALLENGES ?

5. WHY MODERN MANAGEMENT ? • WORLD IS CHANGING • DESTRUCTIVE PHASE • REDUCTION OF OPERATING COST • EASY MANAGEMENT VIA INTERNET

6. MANAGEMENT OPTIONS IDENTITY GROUPING MANAGEMENT

7. MDM ARCHITECTURE SERVER SIDE MDM CLIENT COMMON DEVICE CONFIGURATOR MDM CSP

8. INTUNE POLICY OPTIONS • OUT OF BOX INTUNE CONSOLE (EASY) • CUSTOM CSP > OMA – URI (MEDIUM) • ADMX FILES (COMPLEX)

9. GROUP POLICY DEAD? • PARITY BETWEEN WINDOWS 10 CSP & GPO? • GROUP POLICY ROADMAP • LONG TERM & SHORT TERM • SOME EXAMPLES

10. BLUETOOTH FILE TRANSFER • NO GROUP POLICY TO PREVENT FILE TRANSFER • POWERSHELL SCRIPT USING WMI BRIDGE • DEPLOY THE SCRIPT VIA SCCM • BEST OPTION?

11. INTUNE OUT OF BOX OPTIONS • INTUNE OUT OF BOX OPTIONS • EASY TO IMPLEMENT? • ADD ALLOWED BLUETOOTH SERVICES • ASSIGN CONFIGURATION POLICY TO DEVICES

12. INTUNE POLICY (CSP) WIN OVER GP • BY DEFAULT, GP HAVE HIGHER PRECEDENCE OVER CSP WHEN THERE IS A SETTING CONFLICT • STARTING WITH WINDOWS 10 1803, CSP CAN OVER RIDE GP

13. DEMO 1 Out of Box Policies – Blue tooth Home page GPO setup(GPO MGMT) Home Page config Intune policy setup ( CSP) MDM Wins Over GP Intune policy setup (CSP)

14. DEMO SCENARIO - EXAMPLE • DEPLOYED HOME PAGE URL USING INTUNE CSP AND GP

15. UNDERSTANDING THE WORKFLOW MDM Diagnostics report Event Viewer Registry

16. MDM DIAGNOSTICS REPORT

17. EVENT VIEWER AND REGISTRY • APPLICATIONS AND SERVICES LOGS > MICROSOFT > WINDOWS > DEVICEMANAGEMENT-ENTERPRISE- DIAGNOSTIC-PROVIDER • “MDMWINSOVERGP” VALUE CHANGES FROM 0 TO 1 AFTER APPLYING THE CSP • EXISTING GP VALUE SAVED BEFORE CSP TAKE PRECEDENCE

18. CONT.........EVENT VIEWER AND REGISTRY • EXISTING GP VALUE SAVED IN REGISTRY • GP ENFORCEMENT FOR THE HOME PAGE VALUE IS BLOCKED • GP VALUE GETS DELETED

19. EVENT VIEWER AND REGISTRY • FINALLY, INTUNE CSP WINS OVER GP. • INTUNE CSP CONFIGURES “HOME PAGE” VALUE.

20. DEMO 2 MDM Diagnostics report Event ViewerRegistry

21. CHALLENGES ? • GROUP POLICY PREFERENCES • COMPLEX TO IMPLEMENT? • ADMX CONFIGURATION IS NOT EASY AND TIME CONSUMING • STEEP LEARNING CURVE • ALL THE WINDOWS CSPS ARE SUPPORTED BY INTUNE?

Notes de l'éditeur

http://www.youtube.com/c/AnoopCNairSCCM www.anoopcnair.com @anoopmannur
https://www.anoopcnair.com/newbies-intune-bible-to-learn-mobile-device-management/
In the new world, startup companies are eating up big giants. You know stories of Airbnb and Uber. The industry is going Adv. VM Backup through the very destructive phase. So all the organizations are trying to cut the infra and reduce the operating cost. These things leads to next level of automation.
For your organisation - there are three main pillars in the modern management workflow -It’s important to understand Management options and which is the best for the future….. Initial provisioning (Auto Pilot) and New Configuration settings after the initial provisioning….
MDM Architecture - A CSP is an interface in the client operating system between configuration settings specified in a provisioning document and configuration settings on the device. MDM is the primary channel of Management for Azure AD Joined Devices Microsoft provides options to configure Windows 10 settings via traditional management via WMI bridge and WMI provider Common Device Configurator – helps devices to automatically resolve the conflicts and select the best secured policy
There are 3 ways to configure policies in modern way
There are 3 ways to configure policies in modern way A Microsoft rep told me that Group Policy is dead. What should I tell my boss, and what should I do now?” “Is Intune/ MDM trying to replace Group Policy?” “Why do I need Group Policy if I’ve also got SCCM?” “Do you think Powershell and/or DSC (Desired State Configuration) is replacing Group Policy?” “Will Azure Active Directory be the death of Group Policy?” https://cloudblogs.microsoft.com/enterprisemobility/2016/03/23/the-path-to-modernizing-windows-management/
We had audit issue with one of my client – we were trying to disable Bluetooth file transfer and it was easy through Intune but not easy through traditional management way… https://blogs.technet.microsoft.com/letsdothis/2017/06/20/disable-bluetooth-in-windows-10-updated/ # Must be ran as the System account $namespaceName = “root\cimv2\mdm\dmmap” $className = “MDM_Policy_Config01_Bluetooth02” # Remove policy in case of re run - avoid script errors because of existing values - Could be optimized :) Get-CimInstance -Namespace $namespaceName -Query 'Select * from MDM_Policy_Config01_Bluetooth02' | Remove-CimInstance # Turn off the Bluetooth toggle in the settings menu New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=”./Vendor/MSFT/Policy/Config”;InstanceID=”Bluetooth”;AllowDiscoverableMode="0"} New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=”./Vendor/MSFT/Policy/Config”;InstanceID=”Bluetooth”;ServicesAllowedList="{0000111E-0000-1000-8000-00805F9B34FB};{0000110A-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB}"}
Intune has an out of box option to setup Bluetooth configuration policies https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-bluetooth#bluetooth-allowprepairing Bluetooth Bluetooth Discoverability Bluetooth pre-caching Bluetooth Advertising Bluetooth Allowed Services which will disable all the other services Bluetooth Headsets for Voice (HFP) BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB UUID name Protocol specification UUID HFP(Hands Free Profile) Hands-Free Profile (HFP) * 0x111E Footnote: * Used as both Service Class Identifier and Profile Identifier. Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000111E-0000-1000-8000-00805F9B34FB
Example used in this demo is to set home page using GPO and intune policy This is a custom OMA URI.. anoop mentioned
Show bluetooth Generic Access Atribute - For the LE Protocol - 0x1801 00001801-0000-1000-8000-00805F9B34FB https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-bluetooth#bluetooth-allowprepairing Bluetooth Headsets for Voice (HFP) BASE_UUID = 0000111E-0000-1000-8000-00805F9B34FB Can provide any name to OMA uri name Anoop covered OOB Intune setting as example
Loads of policies are already available as out of box experience for Admins. But loads of the new policies are not available as out of box. In those scenarios you need to spend loads of time doing R & D to understand how OMA – URI works. Some of the examples are given below Yes - It’s complex to implement Understanding and implementing ADMX is another challenge Reapplying behaviour of configuration policies? Steep learning curve
Loads of policies are already available as out of box experience for Admins. But loads of the new policies are not available as out of box. In those scenarios you need to spend loads of time doing R & D to understand how OMA – URI works. Some of the examples are given below Yes - It’s complex to implement Understanding and implementing ADMX is another challenge Reapplying behaviour of configuration policies? Steep learning curve
./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP ./Vendor/MSFT/Policy/Config/Browser/Homepages
Loads of policies are already available as out of box experience for Admins. But loads of the new policies are not available as out of box. In those scenarios you need to spend loads of time doing R & D to understand how OMA – URI works. Some of the examples are given below Yes - It’s complex to implement Understanding and implementing ADMX is another challenge Reapplying behaviour of configuration policies? Steep learning curve
SQL Always On Availability Group for site database recovery Offload all the roles from Primary like MP, SUP, DPs, SMS provider? SQL on remote box with SQL Always On Availability Group Best Practice is to avoid installing IIS on primary servers to reduce the load

Modern Device Management Intune Policies vs Group Policies

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Modern Device Management Intune Policies vs Group Policies

Similaire à Modern Device Management Intune Policies vs Group Policies (20)

Plus de Anoop Nair

Plus de Anoop Nair (10)

Dernier

Dernier (20)

Modern Device Management Intune Policies vs Group Policies

Notes de l'éditeur