Transition to the Cloud - some architectural hints

intune Aug 25, 2020

In my last post I talked about the basics of Intune. Now it is time to give a few hints from an architectural point of view for the way to the cloud, specifically about how to manage devices with device configuration profiles rather than classic GPOs.

Today most organizations run on-prem domain controllers with an Active Directory structure that holds the computer and user objects. On top of this structure, GPOs (group policy objects) regulate user and computer settings for selected OUs (organizational units). Here is my first hint regarding this: if you ever want an overview of all available group policy settings, visit GPSearch.

Legacy on-prem

The Group Policy Management Console (gpmc.msc) and its editor should be familiar to most people.
(Screenshot: Group Policy Management Editor. Source: Microsoft)

Intune cloud based

Intune splits device configuration into several profile types. The counterpart of the Group Policy Management Console in Intune is the profile type called "Administrative templates".
(Screenshot: device configuration profile of type Administrative templates)

Intune has the advantage of separating settings into distinct configuration profiles, which in my opinion is really helpful for finding a setting. On top of that it offers settings that GPOs could never provide. Take a look at the full list of device configuration profile types:
(Screenshot: list of device configuration profile types)

Coming from an on-premises environment

When you build a new cloud environment with Autopilot, I strongly advise you to (re)start from scratch. In my experience this is the chance to rethink and update the endpoint infrastructure in all its aspects: the whole enrollment concept in particular, the endpoint lifecycle, the backend architecture, and the endpoint configuration for software, update, security and compliance management.

What do you need to configure?

Most policies can be handled with Intune configuration profiles. In some situations, however, you need Administrative templates for certain settings. An example is the Office GPO, which is really massive. To reassure you a little: yes, in my case everything my on-prem GPO offered was also available in the Administrative templates.

And what if the Administrative templates do not cover the legacy GPOs?

One problem you can run into are GPO settings that do not exist in the Administrative templates. For these, Microsoft offers ADMX-backed policies: you ingest your own ADMX file into Intune and can then set the policies it defines, in effect bringing your own GPO settings to the cloud. This relies on OMA-URI (Open Mobile Alliance Uniform Resource Identifier) paths. Every manageable device feature is exposed by a configuration service provider (CSP), and each setting is addressed by a path such as ./Device/Vendor/MSFT/Policy/Config/<Area>/<PolicyName>, configured in Intune as a custom profile. Keep in mind that custom OMA-URI values are free-form strings that Intune cannot validate for you: a wrong path or a malformed value only shows up as an error in the profile's device status after deployment, so test such profiles on a pilot group first. (Read more about it in Microsoft's CSP documentation.)
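As an added example (not code from the original post), the following PowerShell builds the two custom OMA-URI settings an ADMX-backed policy consists of, the ADMX ingestion and the policy itself, and wraps them into a Windows 10 custom profile payload for the Microsoft Graph API. The ADMX file, the app name "ContosoApp", its category and the policy "DisableTelemetry" are constructed placeholders; substitute the names from your own ADMX file.

```powershell
# Added example: ADMX-backed policy as Intune custom OMA-URI settings.
# Not code from the original post. "ContosoApp", its ADMX content, category
# and policy name are constructed placeholders for the demonstration.

# A minimal, constructed ADMX: one category "ContosoApp" and one machine
# policy "DisableTelemetry" without data elements. Replace with your real ADMX.
$admxContent = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="contoso" namespace="Contoso.Policies.ContosoApp" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="ContosoApp" displayName="$(string.ContosoApp)" />
  </categories>
  <policies>
    <policy name="DisableTelemetry" class="Machine" displayName="$(string.DisableTelemetry)"
        key="Software\Policies\Contoso\ContosoApp" valueName="DisableTelemetry">
      <parentCategory ref="ContosoApp" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

function New-AdmxIngestSetting {
    # Step 1: ingest the ADMX file. AppName and AdmxFileName are names you choose;
    # "Policy" is the SettingType for policy (as opposed to preference) ADMX files.
    param(
        [Parameter(Mandatory)][string]$AppName,
        [Parameter(Mandatory)][string]$AdmxFileName,
        [Parameter(Mandatory)][string]$AdmxContent
    )
    [ordered]@{
        '@odata.type' = '#microsoft.graph.omaSettingString'
        displayName   = "$AppName ADMX ingestion"
        omaUri        = "./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/$AppName/Policy/$AdmxFileName"
        value         = $AdmxContent
    }
}

function New-AdmxBackedSetting {
    # Step 2: set one policy from the ingested ADMX. The area is
    # {AppName}~Policy~{category path from the ADMX, joined with "~"}; the value
    # is the usual <enabled/> or <disabled/> plus one <data/> element per ADMX element.
    param(
        [Parameter(Mandatory)][string]$AppName,
        [Parameter(Mandatory)][string[]]$CategoryPath,
        [Parameter(Mandatory)][string]$PolicyName,
        [bool]$Enabled = $true,
        [hashtable]$Data = @{}   # ADMX element id -> value
    )
    $area  = (@($AppName, 'Policy') + $CategoryPath) -join '~'
    $value = if ($Enabled) { '<enabled/>' } else { '<disabled/>' }
    foreach ($id in $Data.Keys) {
        # Escape the value: it is embedded in an XML attribute inside the OMA-URI string.
        $escaped = [System.Security.SecurityElement]::Escape([string]$Data[$id])
        $value  += ('<data id="{0}" value="{1}"/>' -f $id, $escaped)
    }
    [ordered]@{
        '@odata.type' = '#microsoft.graph.omaSettingString'
        displayName   = "$AppName - $PolicyName"
        omaUri        = "./Device/Vendor/MSFT/Policy/Config/$area/$PolicyName"
        value         = $value
    }
}

function New-CustomProfilePayload {
    # Wrap the settings into the Graph body of a Windows 10 custom configuration profile.
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][object[]]$Settings
    )
    [ordered]@{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = 'ADMX-backed policy created via Graph'
        omaSettings   = @($Settings)
    }
}

$settings = @(
    New-AdmxIngestSetting -AppName ContosoApp -AdmxFileName ContosoApp.admx -AdmxContent $admxContent
    New-AdmxBackedSetting -AppName ContosoApp -CategoryPath ContosoApp -PolicyName DisableTelemetry
)
$payload = New-CustomProfilePayload -DisplayName 'ContosoApp ADMX-backed policy' -Settings $settings
$payload | ConvertTo-Json -Depth 5

# To create the profile in your tenant (Microsoft.Graph PowerShell SDK, needs the
# DeviceManagementConfiguration.ReadWrite.All scope), uncomment:
#   Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
#   Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
#       -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
#       -Body ($payload | ConvertTo-Json -Depth 5)
```

The resulting policy OMA-URI for the placeholder is ./Device/Vendor/MSFT/Policy/Config/ContosoApp~Policy~ContosoApp/DisableTelemetry with the value <enabled/>. Ordering matters on the device: the ingestion setting has to apply before the policy setting, so keep both in one profile or deploy the ingestion profile first.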

Group Policy analytics

UPDATE: Intune now offers Group Policy analytics, a method to analyze your on-prem GPOs and show how far they can be configured in Intune. To start an import, open the Group Policy Management Console (gpmc.msc) and back up a GPO. Then import the gpreport.xml file from the backup folder into Intune.
(Screenshot: Group Policy analytics)
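As an added example (not code from the original post): part 1 produces the gpreport.xml that Group Policy analytics expects via Backup-GPO (this needs the GroupPolicy RSAT module on a domain-joined machine), and part 2 lists the Administrative Template settings inside such a report, per scope, so you can compare them with what the import reports as supported. The gpreport.xml fragment at the end is constructed for the demonstration and the GPO name is a placeholder.

```powershell
# Added example: export and inspect a gpreport.xml for Group Policy analytics.
# Not code from the original post; the sample report below is constructed.

function Export-GpReportForAnalytics {
    # Part 1: back up one GPO. Backup-GPO writes a folder named {BackupId}
    # under $BackupRoot that contains the gpreport.xml analytics imports.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [string]$BackupRoot = (Join-Path $env:TEMP 'GPOBackup')
    )
    Import-Module GroupPolicy -ErrorAction Stop
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    $backup = Backup-GPO -Name $GpoName -Path $BackupRoot
    Join-Path $BackupRoot "{$($backup.Id)}\gpreport.xml"
}

function Get-GpReportAdmxSettings {
    # Part 2: list the registry-based (Administrative Template) policies in a
    # gpreport.xml. The report is namespaced, so XPath with a namespace manager
    # is used instead of dot-navigation.
    param([Parameter(Mandatory)][System.Xml.XmlDocument]$Report)
    $ns = [System.Xml.XmlNamespaceManager]::new($Report.NameTable)
    $ns.AddNamespace('g', 'http://www.microsoft.com/GroupPolicy/Settings')
    $ns.AddNamespace('r', 'http://www.microsoft.com/GroupPolicy/Settings/Registry')
    foreach ($scope in 'Computer', 'User') {
        $xpath = "/g:GPO/g:${scope}/g:ExtensionData/g:Extension/r:Policy"
        foreach ($p in $Report.SelectNodes($xpath, $ns)) {
            [pscustomobject]@{
                Scope    = $scope
                Category = $p.SelectSingleNode('r:Category', $ns).InnerText
                Name     = $p.SelectSingleNode('r:Name', $ns).InnerText
                State    = $p.SelectSingleNode('r:State', $ns).InnerText
            }
        }
    }
}

# Constructed sample of the relevant part of a gpreport.xml (two computer
# policies, no user policies). A real report is loaded from the backup with:
#   $doc = New-Object System.Xml.XmlDocument
#   $doc.Load((Export-GpReportForAnalytics -GpoName 'Workstation Hardening'))
[xml]$sample = @'
<GPO xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Workstation Hardening (constructed sample)</Name>
  <Computer>
    <Enabled>true</Enabled>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry" xsi:type="q1:RegistrySettings">
        <q1:Policy>
          <q1:Name>Turn off Autoplay</q1:Name>
          <q1:State>Enabled</q1:State>
          <q1:Category>Windows Components/AutoPlay Policies</q1:Category>
        </q1:Policy>
        <q1:Policy>
          <q1:Name>Allow Basic authentication</q1:Name>
          <q1:State>Disabled</q1:State>
          <q1:Category>Windows Components/Windows Remote Management (WinRM)/WinRM Client</q1:Category>
        </q1:Policy>
      </Extension>
      <Name>Registry</Name>
    </ExtensionData>
  </Computer>
  <User>
    <Enabled>true</Enabled>
  </User>
</GPO>
'@

Get-GpReportAdmxSettings -Report $sample | Format-Table -AutoSize
```

Settings that show up here but that analytics reports as unsupported are exactly the ones you will have to rebuild as ADMX-backed or custom OMA-URI settings, so this list doubles as your migration backlog.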

DEPRECATED: Migration analysis tool

If you start the migration to Autopilot, it is often very helpful to do a kind of reconnaissance of the existing GPOs in the productive environment. A tool I can recommend is the migration analysis tool found on GitHub. It records and documents the applied policies like "gpresult" does, but the really interesting point is that every policy applied to the machine gets translated into a matching Intune policy. Keep in mind, though, that it mainly helps you with settings that have no built-in Intune policy, where you have to work with OMA-URI.

VMware Policy Builder

The VMware Policy Builder is also quite a pleasant tool for composing OMA-URI settings, in particular the string values, because Intune unfortunately offers no real value template for them.

Security aspects

To configure security policies such as virus protection, disk encryption, etc., you can (confusingly) use several ways to reach your goal. But that doesn't mean they all work (at least in my case). I can recommend creating a BitLocker profile as a device configuration profile of type Endpoint protection, and using the Security Baselines for Windows 10, ATP and Edge.

Security Baselines, a wonderful thing

These baselines can save a lot of time by applying Microsoft's security best practices for the Windows 10 endpoint, ATP (Advanced Threat Protection) and the Microsoft Edge browser. However, I have seen that sometimes you need to check exactly which settings these policies apply, not least because a baseline setting and one of your own profiles can set the same value differently, which Intune then reports as a conflict on the device. Use the Security Compliance Toolkit from Microsoft and download the Security Baseline zip file. It contains an Excel sheet (FINAL-MS Security Baseline) that shows all settings in detail.
(Screenshot: Security Baseline settings spreadsheet)

Niklas Tinner

Young IT Nerd.
