Policy management with Microsoft Intune
Event Ended
Tuesday, Oct 25, 2022, 07:30 AM PDT

Event details
You’ve seen all the exciting Microsoft Intune policy news at Microsoft Ignite, now it’s time to go deeper. Come join Julia and Mike as we share our top five Intune policy tips and tricks to help keep your endpoints managed and secure.
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
Heather_Poulsen
Updated Dec 27, 2024
128 Comments
- DaneaGalbraith (Iron Contributor): Is there anything on the roadmap for flags like "Run Once" like in GPO? Or is there something you can recommend?
- EricOhlin (Iron Contributor): We use PowerShell Scripts within Intune to achieve this. Although, it would be nice if there were a CSP "preferences" section that applied only once.
- Mike-Danoski (Microsoft): Hi Danea, this is a capability provided on a per-setting basis. Some settings have both options. Are there certain settings areas you'd like to see more of this?
- JEngel05 (Brass Contributor): We use Proactive Remediations for "Run Once" settings. You can schedule them to run 1 time and just set the detect script as a PowerShell script to set the registry keys you need. It's not the best but it works to fill the gap.
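The "run once" pattern JEngel05 describes, written out as an added example that is not the commenter's script: a Proactive Remediations detection script that checks a registry value, writes it only when it is missing or wrong, and uses its exit code to report compliance. The key path, value name and data are constructed placeholders, not settings from this thread.

```powershell
# Added example, not JEngel05's script: a Proactive Remediations detection script that
# applies a registry value once and reports compliance via its exit code.
# The key path, value name and data are constructed placeholders; substitute your own.
# Exit 0 = compliant (already set, or set just now), exit 1 = could not be applied.

$KeyPath   = 'HKLM:\SOFTWARE\Contoso\IntuneRunOnce'   # placeholder key (assumed)
$ValueName = 'ExampleSetting'                         # placeholder value name (assumed)
$Expected  = 1                                        # placeholder DWORD data (assumed)

function Test-Setting {
    # Returns $true only when the value exists and already holds the expected data.
    try {
        $current = Get-ItemPropertyValue -Path $KeyPath -Name $ValueName -ErrorAction Stop
        return ($current -eq $Expected)
    } catch {
        return $false
    }
}

function Set-Setting {
    # Creates the key if needed, then writes the value. Idempotent, so safe to re-run.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Expected `
        -PropertyType DWord -Force | Out-Null
}

if (Test-Setting) {
    Write-Output "Already set: $KeyPath\$ValueName = $Expected"
    exit 0
}

Set-Setting
if (Test-Setting) {
    Write-Output "Applied: $KeyPath\$ValueName = $Expected"
    exit 0
}

Write-Output "Failed to apply $KeyPath\$ValueName"
exit 1
```

Two things to keep in mind when using this as a detection script: it runs as SYSTEM unless the script package is set to run in the logged-on user's context, so an HKCU value needs that option; and because it both detects and corrects, the Intune report only ever shows "with issues" when the write itself fails. Splitting the `Test-Setting` check into the detection script and `Set-Setting` into a separate remediation script gives you a count of how many devices actually needed the change.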
- UniverseCitiz3n (Copper Contributor): How frequently is the list of available settings through Settings Catalog updated? E.g. when a new version of MS Edge is released with a new set of available policies, when will those be available to be configured with a Settings Catalog profile? What happens when a setting is configured in an SC profile and for some reason it is withdrawn in future? Will the profile be automatically updated? Flagged? Break?
- Mike-Danoski (Microsoft): Hi! We add settings with each monthly Intune release, sometimes more than once 😊. We are continually working on making sure we have settings available on day 0 or earlier where we can. When a setting is deprecated or no longer supported, we have a max version applicable parameter that will mark the setting as "not applicable" for later versions of Windows, iOS, or macOS that don't support that setting. Sometimes we will add a deprecated flag if a new version of a setting is available. Very rarely we will post communications to folks if there is an issue with a setting and it should be removed, but we [Intune] cannot remove settings from profiles automatically.
- HeyHey16K (Iron Contributor): We imported ADMX templates but they won't delete (error "remove failed") on all seven we imported? MS says it's a known fault but we're only allowed to import 10....
- Mike-Danoski (Microsoft): Hi Michelle, a fix recently went out for this. Please let me know here if you are still having issues.
- HeyHey16K (Iron Contributor): Mike - thank you! I have just been able to delete all seven with no further errors 🙂
- mwwestbury (Copper Contributor): I had that issue and opened a case. I was using Chrome, they asked me to try with Edge, and it successfully removed when I used Edge. The support tech didn't have any other explanation for the Removed Failed error.
- Mike-Danoski (Microsoft): It's the same Graph call, so the browser shouldn't make a difference unless something managed with the browser is preventing the call. You can also try Graph Explorer: https://graph.microsoft.com/beta/deviceManagement/groupPolicyUploadedDefinitionFiles(' enter the item id here ')/remove. List the GUIDs with this: https://graph.microsoft.com/beta/deviceManagement/groupPolicyUploadedDefinitionFiles
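The same two Graph calls Mike lists, driven from the Microsoft Graph PowerShell SDK instead of Graph Explorer, as an added example that is not Mike's or Microsoft's code. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in admin has been granted the DeviceManagementConfiguration.ReadWrite.All permission; the file name used to pick the target is a constructed placeholder.

```powershell
# Added example (not Mike's or Microsoft's code): list the imported ADMX definition files
# and call the 'remove' action on one of them through the Graph PowerShell SDK.
# Assumes Microsoft.Graph.Authentication is installed and the account has
# DeviceManagementConfiguration.ReadWrite.All. The target file name is a placeholder.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$base = 'https://graph.microsoft.com/beta/deviceManagement/groupPolicyUploadedDefinitionFiles'

# 1. List the uploaded definition files; 'id' is the GUID the remove action needs.
#    -OutputType PSObject returns objects (not hashtables) so Select-Object works on them.
$files = (Invoke-MgGraphRequest -Method GET -Uri $base -OutputType PSObject).value
$files | Select-Object id, fileName, displayName, status | Format-Table -AutoSize

# 2. Pick the file to delete (placeholder name, assumed) and invoke the remove action.
$target = $files | Where-Object { $_.fileName -eq 'contoso.admx' }
if (-not $target) { throw 'No uploaded definition file with that name was found.' }

$removeUri = "{0}('{1}')/remove" -f $base, $target.id
Invoke-MgGraphRequest -Method POST -Uri $removeUri

# 3. Removal is asynchronous: re-read the object and watch 'status' until the entry is gone
#    or the status reports a failure (the same condition the portal shows as "remove failed").
$itemUri = "{0}('{1}')" -f $base, $target.id
Invoke-MgGraphRequest -Method GET -Uri $itemUri -OutputType PSObject |
    Select-Object id, fileName, status
```

Running it this way removes the browser from the picture entirely, which is a quick way to confirm whether a "remove failed" error comes from the service or from something in the browser session; the status field read back in step 3 is the authoritative result either way.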
- jteall (Copper Contributor): Since we are using GPO AD, I am looking for how to add as few Intune policies as possible while we figure out what is tattooed/not easily reversed. Any guidance in this area? Thanks
- Mike-Danoski (Microsoft): Hi Jennifer, thanks for the question. If you are referring to which settings are still around from GPO, if an MDM setting interacts with the similar GPO setting, the MDM setting will overwrite it. I'd also advise using the MDM wins over GP setting to set the resolution direction for most settings. One of the challenges here is that a machine may also have reg keys and other configs set once via script or policy that don't have reporting. My advice is to start basic with a small policy and start building towards a green fields AADJ only policy landscape based on requirements from security and productivity teams. Then you can either remove GP attachments to OUs and back out slowly, or start disjoining machines from the domain, if that is the direction you're headed. You can also use a TVM product for discovery and inspection.
- HeyHey16K (Iron Contributor): Also interested in this 🙂
- jaymichaud (Brass Contributor): Is providing ADMX files for customers to import the preferred way for software vendors to let customers manage their products, or is there a more cloud-native, preferred way?
- Mike-Danoski (Microsoft): Thanks for the question Jay. We focused on adding ADMX import as ISVs have been creating and publishing ADMX policy for years and it makes sense to re-use this great content versus inventing something new. So yes, importing ADMX and managing via MDM is the preferred cloud management method of third party application policy.
- mrizwanulhaqfelles (Occasional Reader): Security baseline is a very great tool to confirm the security on Endpoints. But there is no good way to find exceptions admins should make when they get feedback from the users. There should be a report based on these settings which shows which user issues are being blocked, so that admins are able to make exceptions to these baselines easily.
- Deleted: Hi Muhammed, Thanks for your question! I wonder if you're describing the feature that allows you to monitor your baselines and any conflicts they may have when applied to policies. See here and let me know if that doesn't address your comment: https://learn.microsoft.com/en-us/mem/intune/protect/security-baselines-monitor
- Mike-Danoski (Microsoft): Adding to what Julia said, at Ignite we announced a new AI based feature that will highlight settings based on how organizations like yours have set these certain settings. One goal of this is to flag those settings that may have more impact to users as you note and thus, admins haven't configured.
- Lucas_Chappelle (Occasional Reader): Is there a list of what policies use what ADMX file? How do ADMX files get updated on the machine? We have a few machines that have error 65000 with a OneDrive policy. These machines all have the same Windows build / cumulative update / fully patched.
- Mike-Danoski (Microsoft): Hi Lucas. Some CSPs are ADMX backed, meaning the CSP relies on the built-in Windows ADMX files on a machine behind the scenes, and some are just specifically what we call ADMX ingested, that we install via the ADMXInstall CSP. For ADMXInstalled settings like Office, Edge, OneDrive and imported ADMX settings there is a chance that the config command lands on the device before the ADMXInstall command completes. We're constantly making improvements to this specific condition, but there will always be a chance it can happen and it should be temporary.
- Lucas_Chappelle (Occasional Reader): Hi Mike, Do you know how temporary? These machines have had this error show up for at least ~2 weeks. I've seen some machines remediate themselves after the next sync scan, so I definitely get what you mean. But I imagine after 2 weeks, there is probably another underlying issue?
- Tim_Pawasarat (Iron Contributor): We entered the Compliance Settings configuration setup just before the Settings Catalog went live. I truly appreciate everything which went into building this for us, and the continuous enhancements you all have made with it over the last year. Knowing the old process to build these out, this solution means the world to me. 😄
- KurtGP (Copper Contributor): Sadly, the slides and presentation are blurry and hard to read 😞
- Joe_Lurie (Microsoft): They are clear for me. You can also stream this on Twitter and on YouTube, if that helps. YouTube: https://www.youtube.com/watch?v=lR1GHSPH854
- KurtGP (Copper Contributor): Thank you sir so much for the suggestion, but sadly still blurry on YouTube. I will try the replay when I get home after work.
- Nicol Hanekom (Brass Contributor): Why do the built-in baselines in Intune not contain all the settings from the baselines that can be downloaded with the Microsoft Security Compliance Toolkit?
- Deleted: Hi Nicol, Thanks so much for your question! New baseline versions are occasionally released to correspond with new versions of Windows 10/11. As new Windows settings become available with new versions of Windows 10/11, the MDM Security Baseline might receive a new version instance that includes the newest settings. Each new version instance of a baseline can add or remove settings or introduce other changes. Although the updated versions of Intune security baselines are not yet available, you'll be happy to know we are actively working on them and they will be available in one of our upcoming releases.
- DaneaGalbraith (Iron Contributor): That sounds really great, will there be like a listing of the differences from the last baseline or an export spreadsheet where we can compare the previous or our current settings?