Microsoft is about to make Windows 10 device configurations in Endpoint Manager/Intune way more powerful. While digging through Microsoft’s documentation about Windows MDM, I noticed a new list of CSP policies prefixed with “ADMX_”. GitHub commits indicate the documentation of these policies didn’t exist until late last year. That wouldn’t be much to talk about, except these new policies match Windows’ built-in group policies.
Take a moment to let that statement sink in. One of the biggest frustrations I’ve run into with Intune device profiles has been the lack of parity with group policies. Some settings, like configuring screensavers to be secure, aren’t available in Windows’ MDM. The only way I’ve managed to work around these device policy limitations has been to use PowerShell scripts.
The ADMX backed policies’ documentation all say they are available in the “latest Windows 10 Insider Preview Build”. And finally, Microsoft released the first Windows Insider Preview Build for 2021, which included the needed functionality. As it stands right now, the process of using the new ADMX backed policies isn’t easy. It requires creating custom device profiles, knowing the correct OMA-URI, and how to format the data. Getting the correct format involves looking at the corresponding .admx file built into Windows. My hope is Microsoft will add all of these policies to the “Administrative Template” based device profiles quickly. Some already exist, but it is a fraction of the settings available in GPOs.
I hope to share more info on using ADMX backed policies as Windows 10 21H1 becomes available.
As always, have fun