Policy management with Microsoft Intune

Hi Robert, it is usually noted setting by setting. I am unaware of an all-up list/table of Windows GPO settings and their deprecation status. This is generally difficult as we tend to leave policy around in the case folks are running older versions of Windows. Here is an example of what you might find. https://learn.microsoft.com/en-us/deployedge/microsoft-edge-enterprise-privacy-settings

Hi Todd, there are multiple events that will trigger a device to check in to receive policy. Some examples are the 8 hour polling schedule, an expedited schedule at enrollment, user login, receipt of a push notification from check in Intune, and a user hitting the sync button. A check-in itself can take a few seconds depending on the size of the SyncML payload. There are other factors to note like AAD grouping change processing time and assignment time in Intune. Hope this helps!

Hi Joseph, nothing official planned now. Are you looking to connect something like this to an external source or maintain within Intune?

There are some great third-party tools for this, for example MickeK/IntuneManagement and almenscorner/IntuneCD. Everything's just a .json on the back-end 🙂

Sure! What would you like to know?

I agree. It's way too hard to unpick everything. Like if your admin sets a policy and applies it to users/devices that have a conflicting policy setting, it would be awesome if it could flag that up right away, rather than wait for failures and broken devices? It is 2022 🙂

For many GPP scenarios we are looking to modern equivalents. For Drive mapping and registry keys, my advice is to use ADMX import. As mentioned in the video, not all reg keys are available for configuration to reduce the security risk of these policies. For printing, we've recently released our settings for universal print. I'm not an expert in printing so let us know if there is more you're looking for.

Please please give us preferences. I want to deliver good defaults to my users, without locking them down. Power/sleep/lock screen image/blue light reduction/default zoom level, focus assist settings - all these are super hard at the moment.

Hi Nicol. The short answer is yes. For user scope assigned to devices, the settings will write to HKCU and apply to all users that use that device. Think loopback merge. For device scoped settings assigned to users, those settings will write to HKLM and also apply to any user using the same device as a user targeted with these settings, so be careful. The caveat is for Enterprise multisession devices as mentioned in the session where device scope and user scope need to be targeted to the same resource type. You can do this within one policy, but just be aware. More info here: https://learn.microsoft.com/en-us/mem/intune/configuration/settings-catalog#device-scope-vs-user-scope-settings

Thanks for the question Rudy ;). I was just thinking the same thing. Stay tuned.