By Go Komatsu – Sr. Program Manager | Windows and Aasawari Navathe, Program Manager II | Microsoft Endpoint Manager
Updated 6/7/22: With the April (2204) release of Microsoft Intune combined with the May 10th, 2022, Windows updates, these policies now also work on the Pro versions of Windows 10 and 11. If you use Windows 10 Pro, ensure you have KB5013942 (OS version 19042.1706, 19043.1706, and 19044.1706) installed to take advantage of these policies. For Windows 11 Pro, ensure you have KB5013943 (OS version 22000.675) installed.
Updated 9/20/21: This Windows update has now been released as part of the September 2021 patch Tuesday (KB5005565) for Windows 10 versions 2004 and later. This monthly update includes KB5005101 where these changes were made. These policies will only work on Windows Enterprise and Education versions. In addition, Windows 11 includes the necessary updates to make these policies work.
Many organizations are looking to manage their endpoints via modern management to support the growing remote workforce and remove the need for on-premises connectivity. Years ago, the industry was starting to standardize on mobile management for endpoint management (through the Mobile Device Management (MDM) policy delivery channel). For Windows, it began standardizing with Windows Phone. At that time, it didn’t make sense to move over all Group Policy settings into modern management (via MDM). This resulted in an initial gap in management capabilities on MDM. Over time, with new Windows releases, we've continued to add more settings to MDM, but there were still some gaps that resulted in blocking customer migrations to modern management. Filling this long tail of MDM settings parity drove the need to focus on improvements to provide the best experience for customers.
Microsoft heard that customer feedback on MDM settings availability. Over the past year, both the Windows and Microsoft Endpoint Manager – Intune teams were laser focused on closing that gap. If you are in the Windows Insider program, you may have noticed that, since H2 CY2020, new settings have become available in the Policy Configuration Service Provider (CSP) that were previously never available to customers in MDM. This was an intensive effort between several Windows component teams, all trying to make sure that admins no longer considered setting availability in MDM as a blocker to moving to modern management.
Over the past year, we also released Group Policy analytics in public preview. It is a tool and feature in Intune that analyzes your on-premises group policy objects (GPOs). It helps you determine how GPO settings translate to the cloud. The output shows which settings are supported by MDM providers, deprecated settings, or settings not available to MDM providers. There’s also the capability to directly migrate to a profile with those MDM settings in Endpoint Manager. Group Policy analytics also lists the settings and categories as they would be named when you make your eventual Device Configuration policy in MDM.
With the March (2103) release of Microsoft Endpoint Manager and, coming soon (expected), the April (2104) release of Intune, you will find:
The device configuration settings catalog has been updated to list thousands of settings that previously were not available for configuration via MDM (Figure 1). You will see these as being marked as available for Windows Insiders only. These include settings from Windows components like Control Panel (Figure 2), which are critical for security and desktop standardization.
Figure 1: Device configuration settings catalog
Figure 2: Control Panel
The Group Policy analytics (preview) tool has been updated so that when you now go through the import process of your Group Policy object (GPO), the MDM Support column will reflect the newly available settings.
Call to action: If you want to try out these new settings, you can target any devices on a Windows Insiders build (Build 21343 or later).
Feedback
You can provide feedback on Group Policy analytics when you select Got feedback. To get information on the customer experience, the feedback is aggregated and sent to Microsoft. Entering an email is optional, and may be used to get more information.
Upcoming milestones
This Windows update has now been released as part of the September 2021 patch Tuesday (KB5005565) for Windows 10 versions 2004 and later. This monthly update includes KB5005101 where these changes were made. These policies will only work on Windows Enterprise and Education versions. In addition, Windows 11 includes the necessary updates to make these policies work.