Policy management
Using Microsoft Intune to manage your Windows Enterprise desktops is all about standardizing and simplifying the management layer of your environment. As explained in the previous chapter, everything is centered around structuring your configuration sets (and applications) separately from the target Operating System (OS) to remove the need to create custom images that might include these things from the get-go.
Policy management within Microsoft Intune makes it possible to configure the following options from within the Devices menu:
- Compliance policies
- Conditional access
- Configuration profiles
- Settings catalog
- ADMX import
- Scripts
- Group policy analytics
- Enrollment restrictions
Group Policy management has been around for more than 20 years and is a way to configure the behavior of a group of users or computers in a domain. This is still possible with an on-premises domain today, but if you want to start modernizing your policy and settings management, you should start looking at Microsoft Intune and the feature set it provides for policy management. There are some disadvantages associated with using GPOs, one of them being that it requires a line of sight to a domain controller. Another is that GPOs are fire-and-forget, but what do we mean by this? GPOs are assigned to a specific group of users and devices, and they are applied when a device connects to a domain controller on a regular basis. There is no reporting back to the domain controller if the device receives and applies the policy correctly, if no domain controller can be contacted, or if no new or changed policies are applied.
Sometimes, due to misconfiguration, a Windows device may try to contact a domain controller far away on the internal network with very slow connectivity, which can result in very long boot and sign-in times. Many of these issues can be avoided with a purely cloud-joined and -managed device.
Microsoft Intune is a perfect match for a new way of working guided by modern management and cloud-native, as it just requires internet connectivity following the initial onboarding into Microsoft Intune.
In this chapter, we will focus on cloud-native devices, that is, Enrtra-joined and Intune-managed Windows devices, but what we learn will also apply to hybrid domain-joined devices that are managed from Microsoft Intune in a co-managed state. One important thing to note here is that GPO and Mobile Device Management (MDM) settings are on the device identity layer, where policies and configurations are either target users or devices, whereas co-management between Microsoft Intune and System Center Configuration Manager (SCCM) is on the management plane.
First, we need to look back at traditional Windows management, where all Windows devices were on-premises in the office, in production, or with end users working at home with VPNs. Modern policy management is still an option on those devices if they are hybrid-joined to Entra ID.
The best option moving forward with new devices is to go purely Entra-joined and onboarded with Windows Autopilot. What we cover in this chapter covers both scenarios. This book is dedicated to cloud management, and certain scenarios do not apply to hybrid-joined devices, which is why you need to make some decisions to go to Entra-joined devices to get the best end-user experience. Start small, start with a Proof of Concept (POC), and showcase the benefits of modern policy management. A best-practice approach is to block on-premises devices in your POC from getting GPOs from the local Active Directory instance; otherwise, you can end up in a situation where you are not 100% sure where the settings are being applied from.
A Configuration Service Provider (CSP) is an interface for reading, setting, modifying, and deleting configuration settings on a device. These settings map to registry keys or files. Some CSPs support WAP format, some support SyncML, and some support both. SyncML is only used over the air for Open Mobile Alliance Device Management (OMA DM). On the other hand, WAP can be used over the air for OMA client provisioning, or it can be included in a phone image as a .provxml file that is installed during boot.