Policy management with Microsoft Intune
Event details
You’ve seen all the exciting Microsoft Intune policy news at Microsoft Ignite, now it’s time to go deeper. Come join Julia and Mike as we share our top five Intune policy tips and tricks to help keep your endpoints managed and secure.
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
128 Comments
- Rob de Roos (Iron Contributor): Why is the limit for uploading 3rd party ADMX files so low? Only 10 ADMX files can be uploaded. I can imagine that for a large enterprise that is way too low.
- Mike-Danoski (Microsoft): Hi Rob, thanks for the feedback. We plan to increase it when we exit preview.
- jaymichaud (Brass Contributor): Anything on the roadmap to replicate these Group Policy features: (1) Folder Redirection (for folders not covered by OneDrive's Known Folder Move) and (2) Group Policy Preferences?
- Mike-Danoski (Microsoft): Thanks for the question, Jay. We have some Folder Redirection options available via MDM in the catalog under Administrative Templates > System > Folder Redirection. I would advise leaving folder redirection config in your GP estate and leaving it behind when moving devices to AADJ only. Preference application is currently setting by setting. I'm looking for feedback on which setting types folks are looking to apply once.
- Hajo (Brass Contributor): Missing the filter option in the baseline assignment; when will those become available?
- MSFT_IntunePrgramMgr (Microsoft): Filters for Security Baselines are on the roadmap. You can use our in-development page to see what features are on the roadmap.
- Hajo (Brass Contributor): I don't see the Baselines mentioned on the In Development page.
- PON-JRobinson (Copper Contributor): I'd argue against the in-built baselines as being "a great way to start". I've seen many customers having significant issues trying to back out of the baselines when they're looking to develop their own for whatever reason.
- Mike-Danoski (Microsoft): Thanks for the feedback, James. Going forward we'll look to improve this via better conflict detection.
- Rob de Roos (Iron Contributor): I would love to see a mapping/reporting of what settings are ticking what box with regard to local and international industry standards.
- PON-JRobinson (Copper Contributor): This is a difficult one. You can use MDE and Vulnerability Management to "baseline" your settings against certain industry recommendations (CIS/STIG), but a lot of it comes down to tracking your own configurations, and building your own based on your requirements. Unfortunately, as a lot of CSP settings change different registry keys than traditional GPO, I've seen many pen-test tools fail a device just because they're hard-coded to look at the GPO registry value.
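A check along the lines James describes, as an added example (PowerShell written for this page; it is not code from the thread, from Microsoft or from any benchmark tool): read the same setting from both the ADMX/GPO registry location and the Policy CSP state under the PolicyManager hive, so an audit does not fail a device that is actually enforced via MDM. The PolicyManager path layout for device-scope settings, the pairing of Update/AllowAutoUpdate with the AUOptions value, and the numeric compliance rules in the usage call are assumptions chosen for illustration; confirm them against the Policy CSP documentation for each setting you audit.

```powershell
# Added example, not part of the original thread. Assumptions (verify per setting):
#  - device-scope Policy CSP state is recorded under
#    HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>
#  - the GPO counterpart of Update/AllowAutoUpdate is AUOptions under
#    HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
#  - the numeric rules passed as -MdmRule / -GpoRule are hypothetical

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # $null when the key or the value is absent, otherwise the stored value
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PolicySetting {
    param(
        [Parameter(Mandatory)] [string]$Area,          # Policy CSP area, e.g. 'Update'
        [Parameter(Mandatory)] [string]$Setting,       # Policy CSP setting, e.g. 'AllowAutoUpdate'
        [Parameter(Mandatory)] [scriptblock]$MdmRule,  # receives the CSP value, returns $true/$false
        [string]$GpoPath,                              # ADMX registry key, if the policy has one
        [string]$GpoValueName,
        [scriptblock]$GpoRule                          # receives the GPO value, returns $true/$false
    )
    $mdmPath  = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$Area"
    $mdmValue = Get-RegistryValueOrNull -Path $mdmPath -Name $Setting
    $gpoValue = $null
    if ($GpoPath -and $GpoValueName) {
        $gpoValue = Get-RegistryValueOrNull -Path $GpoPath -Name $GpoValueName
    }

    # Evaluate each location on its own scale; $null means "not set there".
    $mdmOk = if ($null -ne $mdmValue) { [bool](& $MdmRule $mdmValue) } else { $null }
    $gpoOk = if ($null -ne $gpoValue -and $GpoRule) { [bool](& $GpoRule $gpoValue) } else { $null }
    $present = @(@($mdmOk, $gpoOk) | Where-Object { $null -ne $_ })
    $source  = @()
    if ($null -ne $mdmValue) { $source += 'MDM' }
    if ($null -ne $gpoValue) { $source += 'GPO' }

    # Compliant only when the setting is enforced somewhere and every location that
    # carries it passes. When both are present and disagree, which one wins on the
    # device depends on ControlPolicyConflict/MDMWinsOverGP, so flag it instead of guessing.
    [pscustomobject]@{
        Setting   = "$Area/$Setting"
        MdmValue  = $mdmValue
        GpoValue  = $gpoValue
        Source    = if ($source) { $source -join ',' } else { 'none' }
        Compliant = ($present.Count -gt 0 -and -not ($present -contains $false))
        Conflict  = ($null -ne $mdmOk -and $null -ne $gpoOk -and $mdmOk -ne $gpoOk)
    }
}

# Constructed invocation. The rules encode "automatic updates must not be turned off";
# treating AllowAutoUpdate 5 and an AUOptions value outside 2..4 as non-compliant is an
# assumption to check against the documentation before using this for real.
Test-PolicySetting -Area 'Update' -Setting 'AllowAutoUpdate' `
    -MdmRule { param($v) [int]$v -ne 5 } `
    -GpoPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -GpoValueName 'AUOptions' `
    -GpoRule { param($v) [int]$v -in 2, 3, 4 } | Format-List
```

A device managed only through Intune will typically show Source = MDM with GpoValue empty; a tool that checks only the ADMX key reports that as a failure, which is exactly the false negative James describes. The function covers device-scope settings only; user-scope Policy CSP state lives elsewhere in the PolicyManager hive and needs its own lookup.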
- Mike-Danoski (Microsoft): This is fantastic advice from James. I was going to say the same for reg key and security enforcement inspection. I'd also recommend looking to a benchmark that is MDM focused if you can.
- jaymichaud (Brass Contributor): I never want configuration profiles or other policies to tattoo the registry or otherwise leave settings behind when the policies are later removed. Do the security baselines do this? It would be helpful if settings that do this would be clearly marked, or even better—don't use them.
- Anonymous: Hi Jay! Thanks for your question and feedback! I understand that the tattoo issue can be an incredibly frustrating experience. Unfortunately, we have heard from customers and observed that some baseline policies are experiencing the same issue; however, you'll be elated to know that this is something we are actively working on and the fix for this issue will be available in one of our upcoming releases.
- HeyHey16K (Iron Contributor): Thank you, Julia, looking forward to it already!
- wollewoldemar (Brass Contributor): What about security baselines? There are some options inside that can also be found under Antivirus or Endpoint detection and response. What is the best practice?
- Anonymous: Hi Viktor! Thanks so much for your question. So in general, we recommend admins to: 1) Start with the built-in baseline templates (Endpoint Security > Security baselines) if you are looking to use security baselines, since they are curated directly from the baseline owners and security experts. 2) Then endpoint security templates (Endpoint Security > Select template area) are specifically for security related scenarios and have curated settings related to each of those areas (i.e. AV, Firewall, BitLocker) with input from the Defender team to complete the sec admin / sec ops story. 3) Then we have settings catalog, which are individual settings to complement the ones in baselines and templates plus all the Windows settings available through the shopping cart experience. 4) Then we have ADMX templates to fill in any gaps from what is not there in ADMX. As we build up settings catalog (which just launched earlier this year), we encourage admins to use this over the ADMX templates. There may be some overlap of settings available in the different places I mentioned, but we are working to make sure that the right capabilities are available in the right places, if that makes sense. Hope that helps!
- SmooveW (Copper Contributor): It has been getting better, but not all policy profile types can be duplicated, which is a huge hassle whenever we need to create an exception policy for just a few settings. It discourages creating large policy profiles, but then the alternative is to have hundreds or thousands of profiles, which are horrible to manage in the current interface. What are you doing to improve the interface?
- Mike-Danoski (Microsoft): Hi William, thank you for your question. You can find "duplicate" available for Settings Catalog and recently created Endpoint security profiles. Click the ellipsis on the right of the profile's row. We'll be adding this to more profile types and templates as we move them to the unified settings platform behind settings catalog.
- Heather_Poulsen (Community Manager): Welcome to Policy management with Microsoft Intune at the Microsoft Technical Takeoff. Let's get started! Have a question? Post it here in the Comments. Subject matter experts will be answering during the session and throughout the week.
- JEngel05 (Brass Contributor):
Just some feedback around policy... When applying it the first time, it works great. The large settings catalog is amazing. The GPO analytics to convert to policy saves a lot of time migrating... However, anytime you have to change applied policies or revert them, it becomes a VERY inconsistent experience. Sometimes it may undo the change, sometimes it may tattoo, sometimes a non-tattooing policy just may feel like not reverting depending on the device. The last thing I want to tell management if I ever have to revert a policy change is that MAYBE it will revert, maybe it won't. It depends on how the device is feeling that day...
We really need a better way to identify which policy settings will actually tattoo, or even better yet have none of them tattoo so whatever is set in the policy will be set on the device. Or if there is a way to identify which will tattoo now, I would love to know.
I feel like as Intune policy gets as old as GPO, people are going to end up with a mess of random policies that were created just to overwrite tattooing settings. A web of included/excluded settings.
- Mike-Danoski (Microsoft): Hi James, thank you for the feedback. Where I've seen this is where we don't have a default for a setting, so the setting doesn't have something to fall back to. When a setting is removed from a policy or unassigned, we send a remove command for that CSP node that is acted on at a per-setting basis. Many times, the setting state stays the same, but the enforcement is removed. E.g. if a 20-digit PIN is reduced to 6, we won't tell the user to change the PIN, but the next time they change it they can reduce it if they like. Can you please share some examples of setting types you've experienced tattooing so we can make some improvements?
- EricOhlin (Iron Contributor): Well said, James!
- HeyHey16K (Iron Contributor): Agree with this - we've had lots of problems undoing Intune policies too.
- DaneaGalbraith (Iron Contributor): I have had to assign the same group as an exclusion, and that only works some of the time.