Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletter Hub
Free Learning
Arrow right icon
timer SALE ENDS IN
0 Days
:
00 Hours
:
00 Minutes
:
00 Seconds
Arrow up icon
GO TO TOP
Mastering Microsoft Intune

You're reading from   Mastering Microsoft Intune Deploy Windows 11, Windows 365 via Microsoft Intune, Copilot and advance management via Intune Suite

Arrow left icon
Product type Paperback
Published in Mar 2024
Publisher Packt
ISBN-13 9781835468517
Length 822 pages
Edition 2nd Edition
Arrow right icon
Authors (2):
Arrow left icon
Christiaan Brinkhoff Christiaan Brinkhoff
Author Profile Icon Christiaan Brinkhoff
Christiaan Brinkhoff
Per Larsen Per Larsen
Author Profile Icon Per Larsen
Per Larsen
Arrow right icon
View More author details
Toc

Table of Contents (25) Chapters Close

Preface 1. Understanding the Basics
2. Introduction to Microsoft 365 3. Cloud-Native Endpoints 4. Requirements for Microsoft Intune 5. Windows 365
6. What Is Windows 365? 7. Deploying Windows 365 8. Mastering Microsoft Intune
9. Windows Deployment and Management 10. Windows Autopilot 11. Application Management and Delivery 12. Understanding Policy Management FREE CHAPTER 13. Advanced Policy Management 14. Intune Suite 15. Copilot/AI 16. Identity and Security Management 17. Monitoring and Endpoint Analytics 18. Universal Print 19. Troubleshooting and Community
20. Troubleshooting Microsoft Intune
21. Troubleshooting Windows 365
22. Community Help 23. Other Books You May Enjoy
24. Index

What is a CSP policy?

Some policies can only be configured at the device level, whereas other policies can be configured at the user level. This means that device-level policies will have an effect independent of the user logging in to the device, whereas user-level policies will only have an effect depending on the user logging in to the device. As an example, different users can have different homepages in Microsoft Edge, so it is appropriate to assign a policy with that setting to a user group, whereas security settings that need to be applied at the device level are appropriate to assign to device groups.

User scope is where the policy only applies to the user who logs in to the device, and the policy can vary depending on who is logging in to the device. The following is an example of what the CSP tree looks like when configuring a user policy:

  • ./User/Vendor/MSFT/Policy/Config/AreaName/PolicyName is used to configure the policy.
  • ./User/Vendor/MSFT/Policy/Result/AreaName/PolicyName is used to get the result.

Device scope is where the policy only applies to the device itself, regardless of the user who logs in to the device. The following is an example of what the CSP tree looks like when configuring a device policy:

  • ./Device/Vendor/MSFT/Policy/Config/AreaName/PolicyName is used to configure the policy.
  • ./Device/Vendor/MSFT/Policy/Result/AreaName/PolicyName is used to get the result.

The biggest difference between a GPO and a CSP policy is that a CSP policy has a result channel as well, so every setting that is configured on the device will report back to the MDM system – in this case, Microsoft Intune.

If we take a closer look at the policy structure, it looks like the Windows registry is arranged in a tree structure:

Figure 9.1: CSP policy tree

By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested by your device by using the CSP policy URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall.

The OMA-URI string needs to go into the CSP policy URI:

  • ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Applicationname/Policy/ADMXFileName.
  • ./Vendor/MSFT/Policy/Config/ remains the same for all machine-based policies that you deploy to the device.

Applicationname and ADMXFileName are user-defined. In this case, Applicationname is App1, and you can use the same name as ADMXFileName. Just remember that ADMXFileName needs to be unique, which means you cannot deploy two ADMX files with the same name on a device, as it will fail and any additional ADMX files will not be added to the device.

Here is the content of the ADMX file in my case – this could also have been Google Chrome, Microsoft Office, Internet Explorer, or others:

Figure 9.2: Registry entry for AdmxInstalled

Then, if you take a closer look at the registry, the first place where they are written is HKLM\SOFTWARE\MICROSOFT\PolicyManager\AdmxInstalled.

The policy is always declared under a GUID and with the name you gave the policy in Microsoft Intune when you created the policy.

Then, you will be able to see the naming of the policy category that you are using when creating a policy setting: HKLM\Software\Microsoft\PolicyManager\AdmxDefault

If the policy is a device policy, you will be able to see the direct results that apply to the devices in the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device.

In the end, all a policy does on a Windows device is set some registry keys, and it is the same with MDM policies. All the policy settings go here: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\.

MDM policies are applied when a device syncs, either from Microsoft Intune or as part of the 8-hour schedule when a Windows device is running with MDM sync on.

For an IT admin to sync a device from Microsoft Intune, they need to start the Microsoft Intune admin center and follow these steps:

  1. Click Home | Devices | Windows | Windows devices.
  2. Search for the device you want to sync, and then select the device and click Sync. Intune will then try and reach out to the device through Windows Push Notification Service (WNS).
  3. You can read more about WNS in the next section.

Figure 9.3: Device sync

  1. In the same view, where you just selected a single device, you can also leverage Bulk Device Actions:

Figure 9.4: Bulk device actions

  1. Select Windows for OS.
  2. For Device type, select Cloud PCs or Physical devices.
  3. Select Sync as Device action:

Figure 9.5: Bulk device action – Windows

  1. Then, you can select up to 100 devices that Microsoft Intune will reach out to and perform the sync:

Figure 9.6: Bulk device action

When leveraging bulk device actions, Microsoft Intune uses WNS. In the next section, you will learn about how WNS works.

You have been reading a chapter from
Mastering Microsoft Intune - Second Edition
Published in: Mar 2024
Publisher: Packt
ISBN-13: 9781835468517
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime