Forum Discussion
Understanding of custom policies / oma-uri / registry
- Dec 11, 2019
Hi PatrickF11,
In theory you can ingest every admx file, but there are some paths in the registry which are blacklisted (https://docs.microsoft.com/en-us/windows/client-management/mdm/win32-and-centennial-app-policy-configuration).
As already outlined, I would focus on what is really necessary; then I do not miss so much. Security settings are especially important, and they are mostly all available.
For an introduction to Intune PowerShell script processing, look at my blog posts here:
Deep dive Microsoft Intune Management Extension – PowerShell Scripts
Part 2, Deep dive Microsoft Intune Management Extension – PowerShell Scripts
Part 3, Deep dive Microsoft Intune Management Extension – Win32 Apps
best,
Oliver
Hi Oliver Kieselbach & thank you for your reply.
I already know the administrative templates, but of course many options are not yet implemented.
That's why I'm asking how to deal with this.
The potential conflicts when using admx ingest seem clear to me, but only hypothetically it is possible to ingest any admx files, not only 3rd party, right?
Thank you for your PowerShell example.
At this point I've avoided using PowerShell scripts with Intune because a) I didn't test it yet / b) I didn't know how they work exactly.
Are the scripts only running once? How can I monitor settings I set via script?
Thank you in advance. 🙂
Hey Patrick,
I believe the PowerShell scripts operate according to this logic:
If it runs successfully - It will never run again unless the policy is updated (i.e. update script, assignment etc)
If it fails, it will retry a maximum of 2 more times, and will never run again unless the policy is updated (i.e. update script, assignment etc)
You need to use Write-Error or force an exit code of 0 for Intune to detect the script as failed.
At this stage, there is no built-in way to monitor the settings you configure with a script. You would need to write multiple scripts to configure individual settings.
The methodology I tend to work with is:
1. Use a native configuration profile (Device restrictions etc)
2. If that's not possible, use an Administrative template
3. If it's not available there, can I do it with a custom profile?
4. No? or for quick 1-offs - PowerShell Script
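
Added example, not written by any poster in this thread: a one-setting-per-script pattern that writes a registry value, reads it back, and signals the result, so the per-script status shown in Intune maps to a single setting. The key path, value name and data are hypothetical placeholders, and the script assumes that Intune reports a script as failed when it writes to the error stream and exits non-zero.

```powershell
# Added example: configure exactly one setting and verify it after writing.
# Key, value name and data are hypothetical placeholders, not from the thread.
$ErrorActionPreference = 'Stop'

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Contoso\ExampleApp'   # hypothetical key
$ValueName = 'ExampleSetting'                               # hypothetical value name
$Desired   = 1                                              # desired DWORD data

function Get-CurrentValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

try {
    $before = Get-CurrentValue -Path $KeyPath -Name $ValueName

    # Idempotent: only write when the current state differs from the desired one.
    if ($before -ne $Desired) {
        if (-not (Test-Path -Path $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Desired `
            -PropertyType DWord -Force | Out-Null
    }

    # Read back instead of trusting the write call.
    $after = Get-CurrentValue -Path $KeyPath -Name $ValueName
    if ($after -ne $Desired) {
        throw "Verification failed: $ValueName is '$after', expected '$Desired'."
    }

    Write-Output "$ValueName=$after (previous value: '$before')"
    exit 0
}
catch {
    # Assumption: error output plus a non-zero exit code marks the run as failed.
    Write-Error -Message $_.Exception.Message -ErrorAction Continue
    exit 1
}
```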