Last week, our multi-part series started off with a bang. As of this writing, already 1000 people have read about infrastructure, compliance, integrations, and enrollments. You can read it here. Also, check out part 3 on apps here. This week, we move onto:
The goal is to show how to bridge the items that configure your Windows 10 PCs currently in Workspace ONE and Intune-afy them! We will start by showing how Windows devices are configured in Workspace ONE and follow that with how you translate those capabilities to Microsoft Intune. First up: Profile-palooza!
What are Profiles Really?
Before we get into everything, let’s quickly discuss what a profile actually is.
For us to understand profiles, we should understand some basics. Similar to Group Policies, configuration service providers (CSPs) are an interface between settings an MDM administrator wants to set on devices and the local device settings themselves. Like GPOs, they read, set, modify, and delete device configurations.
CSP settings are expressed in SyncML, an XML-based language that is pushed down from an MDM server like WS1 or Intune. You even have platforms like SCCM that can use a different interface, a WMI-to-CSP bridge, to reach the same settings.
The structure of CSPs is fairly logical, and most people don’t need to know them in much depth, as your MDM does most of the heavy lifting (the degree of simplification depends on your MDM).
An example of a payload is this:
<Replace>
    <CmdID>a7949be0-69a8-4ee6-b2c7-71f2d51e0bd7</CmdID>
    <Item>
        <Target>
            <LocURI>./User/Vendor/MSFT/Policy/Config/Browser/ConfigureOpenMicrosoftEdgeWith</LocURI>
        </Target>
        <Meta>
            <Format xmlns="syncml:metinf">int</Format>
            <Type>text/plain</Type>
        </Meta>
        <Data>0</Data>
    </Item>
</Replace>
<Replace>
    <CmdID>dbdb6dd7-632e-4278-9f62-c589d4bb8a71</CmdID>
    <Item>
        <Target>
            <LocURI>./User/Vendor/MSFT/Policy/Config/Browser/HomePages</LocURI>
        </Target>
        <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
            <Type>text/plain</Type>
        </Meta>
        <Data>https://www.synterex.com</Data>
    </Item>
</Replace>
We won’t spend too much more time on them, but the key is to know that CSPs are the modernization of GPOs, and you can read about the different CSPs here. Essentially, there is an individual CSP for each area, which most people just know as profiles. Sometimes we have to get crazy and deploy custom XMLs, but overall MDMs make life easy.
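To make the WS1-to-Intune bridge concrete, here is an added example (not from the post or either vendor) that reads a SyncML payload like the one above and produces the three fields Intune’s Custom template asks for per setting: OMA-URI, data type and value. The Intune data-type names and the SyncML-to-Intune mapping are assumptions to check against your tenant; the sample payload is the post’s own two Replace commands, compacted.

```python
import xml.etree.ElementTree as ET

# SyncML <Format> values mapped to the data-type names Intune's Custom OMA-URI
# template offers (assumed mapping; check it against your tenant's UI).
FORMAT_TO_INTUNE_TYPE = {"int": "Integer", "chr": "String", "bool": "Boolean",
                         "xml": "String (XML file)", "b64": "Base64 (file)"}
METINF = "{syncml:metinf}"          # namespace SyncML declares on <Format>
POLICY_PREFIX = "/Vendor/MSFT/Policy/Config/"

def syncml_to_omauri_rows(payload: str) -> list:
    """Turn every <Add>/<Replace> item into one Intune custom OMA-URI row."""
    # A WS1 payload is a bare list of commands, so wrap it to get a single root.
    root = ET.fromstring(f"<SyncBody>{payload}</SyncBody>")
    rows = []
    for cmd in root:
        if cmd.tag not in ("Add", "Replace"):
            continue  # Get/Delete/Exec have no equivalent as an Intune setting
        for item in cmd.findall("Item"):
            uri = (item.findtext("Target/LocURI") or "").strip()
            fmt_el = item.find(f"Meta/{METINF}Format")
            fmt = (fmt_el.text or "").strip().lower() if fmt_el is not None else "chr"
            if fmt not in FORMAT_TO_INTUNE_TYPE:
                raise ValueError(f"unsupported SyncML format {fmt!r} for {uri}")
            # ./User or ./Device at the front of the URI is the real user/device context.
            scope = "User" if uri.startswith("./User/") else "Device"
            # For Policy CSP URIs the area (e.g. Browser) is where to look first in the
            # Settings Catalog before falling back to a custom OMA-URI profile.
            area = None
            if POLICY_PREFIX in uri:
                area = uri.split(POLICY_PREFIX, 1)[1].split("/", 1)[0]
            rows.append({"oma_uri": uri, "data_type": FORMAT_TO_INTUNE_TYPE[fmt],
                         "value": (item.findtext("Data") or "").strip(),
                         "context": scope, "policy_area": area})
    return rows

# Constructed sample: the two <Replace> commands quoted in the post, compacted.
SAMPLE_PAYLOAD = """
<Replace><CmdID>a7949be0-69a8-4ee6-b2c7-71f2d51e0bd7</CmdID><Item>
<Target><LocURI>./User/Vendor/MSFT/Policy/Config/Browser/ConfigureOpenMicrosoftEdgeWith</LocURI></Target>
<Meta><Format xmlns="syncml:metinf">int</Format><Type>text/plain</Type></Meta>
<Data>0</Data></Item></Replace>
<Replace><CmdID>dbdb6dd7-632e-4278-9f62-c589d4bb8a71</CmdID><Item>
<Target><LocURI>./User/Vendor/MSFT/Policy/Config/Browser/HomePages</LocURI></Target>
<Meta><Format xmlns="syncml:metinf">chr</Format><Type>text/plain</Type></Meta>
<Data>https://www.synterex.com</Data></Item></Replace>
"""

if __name__ == "__main__":
    for row in syncml_to_omauri_rows(SAMPLE_PAYLOAD):
        print(row)
```

The policy_area field is a hint only: Settings Catalog category names do not map one-to-one onto CSP areas, so treat it as where to start searching, not as proof the setting exists there.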
Workspace ONE Windows Profiles
Last year, VMware finally introduced their DDUI experience (23.06), which basically introduced many different CSPs into the GUI. Specifically, these CSPs were introduced:
Simply, what you need to know is that you can configure a profile in either the user context or the device context. Once you do, you can search for profile settings/keys and push them down. This creates the SyncML payload that is delivered to devices and lands in the Policy folder in the registry, similar to Group Policies as mentioned earlier. This demo below gives you a nice idea:
VMware has a nice tool called the policy builder, which you can use to help with building your Custom XML profiles for anything missing in the GUI. You can check out the video below, which helps:
Translating Workspace ONE Profiles to Intune
The translation to Microsoft Intune is really easy. Intune offers configuration profiles, which come in a few different flavors:
- Settings Catalog
- Templates
- Endpoint Security
One of the things that could be confusing to Workspace ONE admins is that you define the user/device context based on how you deploy the profile. That works very logically like GPOs would, but it’s good to call out.
Settings Catalog Profiles
Settings Catalog profiles are similar to the WS1 DDUI, but we have many more options available. The categories currently listed for Windows are:
Above Lock, Accounts, Administrative Templates, Application Defaults, Auditing, Authentication, BitLocker, BITS, Bluetooth, Browser, Camera, Cellular, Cloud Desktop, Config Refresh, Connectivity, Control Policy Conflict, Converters, Credential Providers, Cryptography, Data Protection, Defender, Delivery Optimization, Device Guard, Device Health Monitoring, Device Lock, Display, Dma Guard, Eap, Education, Enterprise Cloud Print, eSIM, Experience, Exploit Guard, Federated Authentication, File Explorer, Firewall, FSLogix, Games, Handwriting, Human Presence, Kerberos, Kiosk Browser, Lanman Workstation, Licensing, List Sync, Local Policies Security Options, Local Security Authority, Lock Down, Maps, Memory Dump, Microsoft Access 2016, Microsoft App Store, Microsoft Defender for Endpoint, Microsoft Edge, Microsoft Edge – Default Settings, Microsoft Edge Update, Microsoft Edge Web View2, Microsoft Excel 2016, Microsoft Lync Feature Policies, Microsoft Office 2016, Microsoft Office 2016 (Machine), Microsoft Outlook 2016, Microsoft PowerPoint 2016, Microsoft Project 2016, Microsoft Publisher 2016, Microsoft Teams, Microsoft Visio 2016, Microsoft Visual Studio, Microsoft Word 2016, Mixed Reality, Network Isolation, Network List Manager, News and interests, Notifications, OneDrive, OneNote Options, PDE, Personalization, PKCS certificate, PKCS imported certificate, Power, Printer Provisioning, Privacy, Reboot, Remote Desktop, SCEP certificate, Search, Security, Settings, Shared PC, Smart Screen, Speech, Start, Storage, System, System Services, Task Manager, Task Scheduler, Text Input, Time Language Settings, Troubleshooting, Trusted Certificate, User Rights, Virtualization Based Technology, VPN Connection, Wi-Fi Connection, Wi-Fi Settings, Widgets, Windows AI, Windows Defender Security Center, Windows Hello for Business, Windows Ink Workspace, Windows Licensing, Windows Logon, Windows Subsystem For Linux, Windows Update For Business, Wireless Display.
Template Profiles
Template Profiles are logical groups of settings, organized by functionality. You can leverage templates for easily configuring policy for things like Wi-Fi, VPN, certificates and more. The templates currently available are:
Administrative Templates, BIOS configurations, Custom, Delivery optimization, Device firmware configuration interface, Device restrictions, Device restrictions (Windows 10 Team), Domain join, Edition upgrade and mode switch, Endpoint protection, Identity protection, Imported Admin Templates (Preview), Kiosk, Microsoft Defender for Endpoint, Network boundary, PKCS certificate, PKCS imported certificate, SCEP certificate, Secure assessment (Education), Shared multi-user device, Trusted certificate, VPN, Wi-Fi, Windows health monitoring, Wired network.
One thing that makes this next level now is a new feature in public preview. You can now import ADMX files into Intune, which lets you bring in custom GPO settings, such as Google Chrome settings, for example. Check out the demo below to see how that works:
Endpoint Security Profiles
This is an area of confusion for even many MVPs. Essentially, endpoint security lets you configure security capabilities like:
- Antivirus
- Disk Encryption
- Windows Firewall
- Microsoft Defender for Endpoint
- App Control for Business
- Attack Surface Reduction
- LAPS
Instead of having to dig through the Settings Catalog, these profiles make it super easy to configure the core capabilities that are vital to the health of Windows devices. The overall idea is that Microsoft Intune makes profiles so much easier for us.
Windows Autopatch
It’s hard to not talk about the incredible Windows Autopatch. I like to refer to it as “Windows Update for Business on steroids.”
Windows Autopatch removes the need to plan and operate the update process. Microsoft becomes responsible for keeping devices properly patched by using Windows Update for Business along with other service components.
The baselines for Autopatch sit at:
- 95% of eligible devices are on the latest Windows quality update within 21 days.
- 99% of eligible devices are on a supported version of Windows so they can continue to get feature updates.
- 90% of eligible devices are on a supported version of the Monthly Enterprise Channel.
- Eligible devices are configured to follow Microsoft Edge’s progressive rollouts on the Stable channel.
- Eligible devices are configured to use the standard automatic update channel for Microsoft Teams.
- Drivers are patched automatically during the Windows update cycle as long as Windows Update hasn’t caused any driver or hardware issues.
Windows Autopatch is self-healing: it does things like addressing unhealthy devices itself, without administrator intervention. Autopatch also monitors in-progress updates and may expedite critical updates. When issues occur, updates get paused or rolled back.
Baselines in Workspace ONE
Windows Baselines in Workspace ONE are basically a security baseline, aka a recommended set of security guidelines for a device. You can simply deploy them to collections of devices or users and make small tweaks to them.
In Workspace ONE, we have the Microsoft “Windows Security Baseline” (21H2/22H2) and CIS Level 1 and 2 (21H2/22H2). One nice thing they provide is the ability to add individual settings to the Security Baseline that are outside its scope. In addition, they support a custom GPO backup, aka a Custom Baseline. The one issue with a custom GPO is that it requires lgpo.exe to be deployed, which has historically created issues for some people. Lgpo.exe is a Microsoft tool that helps you manage local group policy.
They also support the ability to create your own baselines, where you search through a variety of policy settings. You can see an example below:
Inevitably, the reality is that baselines are just a way to build a standardized set of policy, which helps with the manageability of your Windows devices.
What About Baselines in Microsoft Intune?
As usual, Intune takes baselines to an entirely new level. The overall collection of baselines include:
- Windows security baselines
- Microsoft Defender for Endpoint baselines
- Microsoft Edge security baselines
- Windows 365 security baselines
- Microsoft 365 Apps security baselines
So, as we saw in previous sections, some of the things from Workspace ONE get moved around in Intune. Custom baselines are achieved with the new Import GPO capabilities. Two things that Intune cannot do are create manual Windows security baselines and add unrelated policy settings to the Windows security baselines. They aren’t really major blockers, and the other baselines make life amazing. A single area to manage MDE, Edge, Office Apps, etc. is sensational.
Scripts in Workspace ONE
Scripts are straightforward. PowerShell is supported, and you can use 3 different contexts (System, User with admin, and User without admin). You can set a script to run as 32-bit or 64-bit along with setting a specific timeout. They also support environment variables, if necessary, but I haven’t needed them personally. Your standard $env:key situation.
In addition, you can also use scripts to create “Sensors” which are pieces of data that you can access on the device. They look like this:
We can also use the high potential “Freestyle Orchestrator” which I have written about a few times.
Check out this video demo below on creating a nice workflow for remediating a problematic Office issue:
Translating Scripts to Microsoft Intune
Scripts are one area where we do lose a few things. Simply, you can upload scripts, run them as the logged-in user or as system, enforce signed scripts, and run them in 32-bit or 64-bit. Many WS1 admins will miss Freestyle Orchestrator and possibly sensors, but we meet the basic requirements needed for managing scripts.
We’ve heard some “rumblings” of orchestration coming to Intune in 2024, but personally I am going to solve most of these issues by using ControlUp Edge DX, which powers my automation journey today. Check the video below:
Product Provisioning in Workspace ONE
The final section we are touching on this week is not super common, but some are still leveraging it. Product provisioning is basically dropping files/commands to devices. I was on the fence whether this belongs in this part or the next part (which covers apps).
A nice example is this provisioning package for Dell Command | Update. You can see below the files we drop:
We also have the actions:
Historically, some people might use product provisioning when an app deployment isn’t working too well. We would see this with some utilities like printer drivers, but obviously there are multiple ways to skin a cat. We will cover how people use a dummy file next week and do the same thing with an app deployment, but that about covers this.
We won’t be covering anything on the Intune side for product provisioning, as their options are focused on app deployment.
Final Thoughts
So, we covered a bunch of stuff this week. The TL;DR is that Microsoft Intune bridges nicely from Workspace ONE, with one or two items like sensors/Freestyle Orchestrator currently missing. They do an excellent job making up for it with their baseline options and ADMX imports, to name a few. We will be back in our next installment when we cover apps.
2 thoughts on “The Workspace ONE Admin’s Guide to Microsoft Intune Part 2: To Profiles and Beyond!”