The latest in Group Policy settings parity in Mobile Device Management

Published 04-13-2021 10:10 AM 11.1K Views

By Go Komatsu – Sr. Program Manager | Windows and Aasawari Navathe, Program Manager II | Microsoft Endpoint Manager

 

Many organizations are looking to manage their endpoints via modern management to support the growing remote workforce and remove the need for on-premises connectivity. Years ago, the industry was starting to standardize on mobile management for endpoint management (through the Mobile Device Management (MDM) policy delivery channel). For Windows, it began standardizing with Windows Phone. At that time, it didn’t make sense to move over all Group Policy settings into modern management (via MDM). This resulted in an initial gap in management capabilities on MDM. Over time, with new Windows releases, we've continued to add more settings to MDM, but there were still some gaps that resulted in blocking customer migrations to modern management. Filling this long tail of MDM settings parity drove the need to focus on improvements to provide the best experience for customers.

 

Microsoft heard that customer feedback on MDM settings availability. Over the past year, both Windows and Microsoft Endpoint Manager – Intune teams were laser focused in closing that gap. If you are in the Windows Insider program, you may have noticed since H2 CY2020, new settings have become available in the Policy Configuration Service Provider (CSP) that were previously never available to customers in MDM. This was an intensive effort between several Windows component teams all trying to make sure that admins no longer considered setting availability in MDM as a blocker to move to modern management.

 

Over the past year, we also released Group Policy analytics in public preview. It is a tool and feature in Intune that analyzes your on-premises group policy objects (GPOs). It helps you determine how GPO settings translate to the cloud. The output shows which settings are supported by MDM providers, deprecated settings, or settings not available to MDM providers. There’s also the capability to directly migrate to a profile with those MDM settings in Endpoint Manager. Group Policy analytics also lists the settings and categories as they would be named when you make your eventual Device Configuration policy in MDM.

 

With the March, 2103 release of Microsoft Endpoint Manager and coming soon (expected), in the April, 2104 release of Intune, you will find:

  1. The device configuration settings catalog has been updated to list thousands of settings that previously were not available for configuration via MDM (Figure 1). You will see these as being marked as available for Windows Insiders only. These include settings from Windows components like Control Panel (Figure 2), which are critical for security and desktop standardization.
    Figure 1: Device configuration settings catalogFigure 1: Device configuration settings catalog

    Figure 2: Control PanelFigure 2: Control Panel

  2. The Group Policy analytics (preview) tool has been updated so that when you now go through the import process of your Group Policy object (GPO), the MDM Support column will reflect the newly available settings. computer_2_aasawari.png

 

Call to action: If you want to try out these new settings, you can target any devices on a Windows Insiders build (Build 21343 or later).

 

Further, you can also import your GPO into the Group Policy analytics tool for the latest data in the MDM Support column.

 

Feedback
You can provide feedback on Group Policy analytics when you select Got feedback. To get information on the customer experience, the feedback is aggregated, and sent to Microsoft. Entering an email is optional, and may be used to get more information.

 

Upcoming milestones
The next key milestone will be a backport of these settings to in-market Windows versions. This will result in settings availability on Windows 10 2004 and newer releases. The estimated timeline for this backport will be H2 CY2021.

 

Learn more
https://aka.ms/gpanalyticsdocs 
Policy CSP - Windows Client Management | Microsoft Docs

 

Let us know if you have any questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.

3 Comments
New Contributor

This is something my team has been watching closely.  We've spent months setting up GPO-equivalents in Intune and some settings can be more challenging than others.  Tools like GPO analytics tool, Settings Catalog, and the Firewall Migration Tool have helped a lot but we still have many settings and configurations that need to be moved. 


I look forward to H2 CY2021 when we can utilize these improvements in our production environment.

 

 

Regular Visitor

Hi, when can we expect Group Policy Analytics to have a "Create my CSP" button, after we import our GPO?  This is the next logical step in migrating away seamlessly from on prem GPO to cloud policies.  Sure we can manually create the CSPs, but we just need that next step of automation from Microsoft.  

@CaseyB We have that functionality in private preview right now. Email your tenant ID to gpanalyticspreview@microsoft.com so we can add you.

%3CLINGO-SUB%20id%3D%22lingo-sub-2270708%22%20slang%3D%22en-US%22%3ERe%3A%20The%20latest%20in%20Group%20Policy%20settings%20parity%20in%20Mobile%20Device%20Management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2270708%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20something%20my%20team%20has%20been%20watching%20closely.%26nbsp%3B%20We've%20spent%20months%20setting%20up%20GPO-equivalents%20in%20Intune%20and%20some%20settings%20can%20be%20more%20challenging%20than%20others.%26nbsp%3B%20Tools%20like%20GPO%20analytics%20tool%2C%20Settings%20Catalog%2C%20and%20the%20Firewall%20Migration%20Tool%20have%20helped%20a%20lot%20but%20we%20still%20have%20many%20settings%20and%20configurations%20that%20need%20to%20be%20moved.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EI%20look%20forward%20to%20H2%20CY2021%20when%20we%20can%20utilize%20these%20improvements%20in%20our%20production%20environment.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2269167%22%20slang%3D%22en-US%22%3EThe%20latest%20in%20Group%20Policy%20settings%20parity%20in%20Mobile%20Device%20Management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2269167%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EBy%20Go%20Komatsu%20%E2%80%93%20Sr.%20Program%20Manager%20%7C%20Windows%20and%20Aasawari%20Navathe%2C%20Program%20Manager%20II%20%7C%20Microsoft%20Endpoint%20Manager%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMany%20organizations%20are%20looking%20to%20manage%20their%20endpoints%20via%20modern%20management%20to%20support%20the%20growing%20remote%20workforce%20and%20remove%20the%20need%20for%20on-premises%20connectivity.%20Years%20ago%2C%20the%20industry%20was%20starting%20to%20standardize%20on%20mobile%20management%20for%20endpoint%20management%20(through%20the%20Mobile%20Device%20Management%20(MDM)%20policy%20delivery%20channel).%20For%20Windows%2C%20it%20began%20standardizing%20with%20Windows%20Phone.%20At%20that%20time%2C%20it%20didn%E2%80%99t%20make%20sense%20to%20move%20over%20all%20Group%20Policy%20settings%20into%20modern%20management%20(via%20MDM).%20This%20resulted%20in%20an%20initial%20gap%20in%20management%20capabilities%20on%20MDM.%20Over%20time%2C%20with%20new%20Windows%20releases%2C%20we've%20continued%20to%20add%20more%20settings%20to%20MDM%2C%20but%20there%20were%20still%20some%20gaps%20that%20resulted%20in%20blocking%20customer%20migrations%20to%20modern%20management.%20Filling%20this%20long%20tail%20of%20MDM%20settings%20parity%20drove%20the%20need%20to%20focus%20on%20improvements%20to%20provide%20the%20best%20experience%20for%20customers.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMicrosoft%20heard%20that%20customer%20feedback%20on%20MDM%20settings%20availability.%20Over%20the%20past%20year%2C%20both%20Windows%20and%20Microsoft%20Endpoint%20Manager%20%E2%80%93%20Intune%20teams%20were%20laser%20focused%20in%20closing%20that%20gap.%20If%20you%20are%20in%20the%20Windows%20Insider%20program%2C%20you%20may%20have%20noticed%20since%20H2%20CY2020%2C%20new%20settings%20have%20become%20available%20in%20the%20Policy%20Configuration%20Service%20Provider%20(CSP)%20that%20were%20previously%20never%20available%20to%20customers%20in%20MDM.%20This%20was%20an%20intensive%20effort%20between%20several%20Windows%20component%20teams%20all%20trying%20to%20make%20sure%20that%20admins%20no%20longer%20considered%20setting%20availability%20in%20MDM%20as%20a%20blocker%20to%20move%20to%20modern%20management.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOver%20the%20past%20year%2C%20we%20also%20released%20Group%20Policy%20analytics%20in%20public%20preview.%20It%20is%20a%20tool%20and%20feature%20in%20Intune%20that%20analyzes%20your%20on-premises%20group%20policy%20objects%20(GPOs).%20It%20helps%20you%20determine%20how%20GPO%20settings%20translate%20to%20the%20cloud.%20The%20output%20shows%20which%20settings%20are%20supported%20by%20MDM%20providers%2C%20deprecated%20settings%2C%20or%20settings%20not%20available%20to%20MDM%20providers.%20There%E2%80%99s%20also%20the%20capability%20to%20directly%20migrate%20to%20a%20profile%20with%20those%20MDM%20settings%20in%20Endpoint%20Manager.%20Group%20Policy%20analytics%20also%20lists%20the%20settings%20and%20categories%20as%20they%20would%20be%20named%20when%20you%20make%20your%20eventual%20Device%20Configuration%20policy%20in%20MDM.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EWith%20the%20March%2C%202103%20release%20of%20Microsoft%20Endpoint%20Manager%20and%20coming%20soon%20(expected)%2C%20in%20the%20April%2C%202104%20release%20of%20Intune%2C%20you%20will%20find%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3COL%20class%3D%22start%22%3E%0A%3CLI%3EThe%20device%20configuration%20settings%20catalog%20has%20been%20updated%20to%20list%20thousands%20of%20settings%20that%20previously%20were%20not%20available%20for%20configuration%20via%20MDM%20(Figure%201).%20You%20will%20see%20these%20as%20being%20marked%20as%20available%20for%20Windows%20Insiders%20only.%20These%20include%20settings%20from%20Windows%20components%20like%20Control%20Panel%20(Figure%202)%2C%20which%20are%20critical%20for%20security%20and%20desktop%20standardization.%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Image1_aasawari.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F272917i3B890A61A89F63A2%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Image1_aasawari.png%22%20alt%3D%22Figure%201%3A%20Device%20configuration%20settings%20catalog%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EFigure%201%3A%20Device%20configuration%20settings%20catalog%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22ControlPanel.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F272919iD05B2361D1E8BF9D%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22ControlPanel.png%22%20alt%3D%22Figure%202%3A%20Control%20Panel%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EFigure%202%3A%20Control%20Panel%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%3EThe%20Group%20Policy%20analytics%20(preview)%20tool%20has%20been%20updated%20so%20that%20when%20you%20now%20go%20through%20the%20import%20process%20of%20your%20Group%20Policy%20object%20(GPO)%2C%20the%20MDM%20Support%20column%20will%20reflect%20the%20newly%20available%20settings.%20%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22computer_2_aasawari.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F272324iC69B8A644564C3A6%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22computer_2_aasawari.png%22%20alt%3D%22computer_2_aasawari.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ECall%20to%20action%3C%2FSTRONG%3E%3A%20If%20you%20want%20to%20try%20out%20these%20new%20settings%2C%20you%20can%20target%20any%20devices%20on%20a%20Windows%20Insiders%20build%20(Build%2021343%20or%20later).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFurther%2C%20you%20can%20also%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Fconfiguration%2Fgroup-policy-analytics%23use-group-policy-analytics%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eimport%20your%20GPO%20into%20the%20Group%20Policy%20analytics%20tool%3C%2FA%3E%20for%20the%20latest%20data%20in%20the%20MDM%20Support%20column.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EFeedback%3C%2FSTRONG%3E%3CBR%20%2F%3EYou%20can%20provide%20feedback%20on%20Group%20Policy%20analytics%20when%20you%20select%20%3CSTRONG%3EGot%20feedback%3C%2FSTRONG%3E.%20To%20get%20information%20on%20the%20customer%20experience%2C%20the%20feedback%20is%20aggregated%2C%20and%20sent%20to%20Microsoft.%20Entering%20an%20email%20is%20optional%2C%20and%20may%20be%20used%20to%20get%20more%20information.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EUpcoming%20milestones%3C%2FSTRONG%3E%3CBR%20%2F%3EThe%20next%20key%20milestone%20will%20be%20a%20backport%20of%20these%20settings%20to%20in-market%20Windows%20versions.%20This%20will%20result%20in%20settings%20availability%20on%20Windows%2010%202004%20and%20newer%20releases.%20The%20estimated%20timeline%20for%20this%20backport%20will%20be%20H2%20CY2021.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ELearn%20more%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fgpanalyticsdocs%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2Fgpanalyticsdocs%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fclient-management%2Fmdm%2Fpolicy-configuration-service-provider%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EPolicy%20CSP%20-%20Windows%20Client%20Management%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ELet%20us%20know%20if%20you%20have%20any%20questions%20by%20replying%20to%20this%20post%20or%20reaching%20out%20to%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FIntuneSuppTeam%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%40IntuneSuppTeam%3C%2FA%3E%3CSPAN%3E%26nbsp%3Bon%20Twitter.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2269167%22%20slang%3D%22en-US%22%3E%3CP%3ERead%20this%20post%20for%20more%20on%20Group%20Policy%20settings%20in%20MDM!%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2269167%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%20Customer%20Success%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2275147%22%20slang%3D%22en-US%22%3ERe%3A%20The%20latest%20in%20Group%20Policy%20settings%20parity%20in%20Mobile%20Device%20Management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2275147%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20when%20can%20we%20expect%20Group%20Policy%20Analytics%20to%20have%20a%20%22Create%20my%20CSP%22%20button%2C%20after%20we%20import%20our%20GPO%3F%26nbsp%3B%20This%20is%20the%20next%20logical%20step%20in%20migrating%20away%20seamlessly%20from%20on%20prem%20GPO%20to%20cloud%20policies.%26nbsp%3B%20Sure%20we%20can%20manually%20create%20the%20CSPs%2C%20but%20we%20just%20need%20that%20next%20step%20of%20automation%20from%20Microsoft.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2276062%22%20slang%3D%22en-US%22%3ERe%3A%20The%20latest%20in%20Group%20Policy%20settings%20parity%20in%20Mobile%20Device%20Management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2276062%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F587469%22%20target%3D%22_blank%22%3E%40CaseyB%3C%2FA%3E%26nbsp%3BWe%20have%20that%20functionality%20in%20private%20preview%20right%20now.%20Email%20your%20tenant%20ID%20to%20%3CA%20href%3D%22mailto%3Agpanalyticspreview%40microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Egpanalyticspreview%40microsoft.com%3C%2FA%3E%26nbsp%3Bso%20we%20can%20add%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update:
‎Apr 14 2021 02:52 PM
Updated by: