This article provides detailed steps on how to push Windows Group Policy settings to Intune-managed devices:
- Prerequisites.
- Steps to import custom ADMX templates into Microsoft Intune so that you can apply the policies (Windows Update policies and PowerShell execution policies) to your managed devices.
Prerequisites
- Active Microsoft Intune subscription (with admin privileges).
- Access to ADMX templates from Microsoft for Windows Update and PowerShell execution.
Steps to import custom ADMX templates into Microsoft Intune
Group policies can be applied through Intune: ADMX templates let you push configuration or application settings to your managed devices. The process consists of the following steps:
- Obtaining the ADMX files.
- Extract the files.
- Identify dependencies.
- Upload into Intune.
- Use in configuration policies.
Obtaining the ADMX
The first step is to locate the ADMX files that configure the Windows policies you need.
In our case, we need to update policies related to Windows Update and PowerShell. To do so, we need to obtain the Administrative Template (.admx & .adml) files, which can be downloaded from the Microsoft website. (The provided link is for downloading the template files for Windows 10 devices.)
Note: Each version of the operating system has its own set of Administrative Template files, which need to be downloaded based on the specific client OS for which you are updating the policy.
Extract the Files
Extract the files by running the downloaded .msi file, which will extract the .admx files to the directory specified.
Modify your chosen destination to extract the files.
Files will be extracted to the directory specified.
Identify dependencies
Some ADMX templates reference other templates, and those must be present in Intune before the ADMX file that depends on them can be uploaded and used.
The template that our Windows Update ADMX depends on is ‘Microsoft.Policies.Windows’, so this needs to be uploaded first.
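One way to find these dependencies before uploading, as an added example that is not part of the original article: each .admx file declares its own namespace in a `<target>` element and the namespaces it needs in `<using>` elements, so the import order can be read from the files. The function names, the file names `Windows.admx` and `WindowsUpdate.admx`, and the two stub files are assumptions constructed for the demonstration; point `-Directory` at your extraction folder for real use.

```powershell
# Added example (not from the original article). Reads the <policyNamespaces> block of
# each .admx file and returns the order in which the files have to be imported.
function Get-AdmxNamespaceInfo {
    param([Parameter(Mandatory)][string]$Path)
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($Path)
    # local-name() sidesteps the default XML namespace that ADMX files declare.
    $ns = $doc.SelectSingleNode("//*[local-name()='policyNamespaces']")
    [pscustomobject]@{
        File      = Split-Path -Path $Path -Leaf
        Namespace = $ns.SelectSingleNode("*[local-name()='target']").GetAttribute('namespace')
        Uses      = @($ns.SelectNodes("*[local-name()='using']") | ForEach-Object { $_.GetAttribute('namespace') })
    }
}

function Add-AdmxInOrder {
    param($Info, [hashtable]$ByNamespace, [hashtable]$Seen, [System.Collections.Generic.List[string]]$Order)
    if ($Seen.ContainsKey($Info.Namespace)) { return }
    $Seen[$Info.Namespace] = $true
    foreach ($dep in $Info.Uses) {
        if ($ByNamespace.ContainsKey($dep)) { Add-AdmxInOrder $ByNamespace[$dep] $ByNamespace $Seen $Order }
        else { Write-Warning "$($Info.File) uses '$dep', which no file in the folder provides" }
    }
    $Order.Add($Info.File)   # every dependency is already in the list here
}

function Get-AdmxUploadOrder {
    param([Parameter(Mandatory)][string]$Directory, [Parameter(Mandatory)][string]$TargetFile)
    $byNs = @{}
    foreach ($f in Get-ChildItem -LiteralPath $Directory -Filter *.admx) {
        $info = Get-AdmxNamespaceInfo -Path $f.FullName
        $byNs[$info.Namespace] = $info
    }
    $start = $byNs.Values | Where-Object { $_.File -eq $TargetFile }
    if (-not $start) { throw "$TargetFile not found in $Directory" }
    $order = [System.Collections.Generic.List[string]]::new()
    Add-AdmxInOrder $start $byNs @{} $order
    $order
}

# Constructed sample input: two stub files that hold only the namespace block.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'admx-order-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$stub = "<policyDefinitions xmlns='http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions'><policyNamespaces>{0}</policyNamespaces></policyDefinitions>"
Set-Content (Join-Path $dir 'Windows.admx') ($stub -f "<target prefix='windows' namespace='Microsoft.Policies.Windows'/>")
Set-Content (Join-Path $dir 'WindowsUpdate.admx') ($stub -f "<target prefix='wuau' namespace='Microsoft.Policies.WindowsUpdate'/><using prefix='windows' namespace='Microsoft.Policies.Windows'/>")
Get-AdmxUploadOrder -Directory $dir -TargetFile 'WindowsUpdate.admx'
```

The returned list puts each dependency before the file that uses it, which is the order to follow on the Import ADMX page.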
Upload into Intune
To upload your chosen ADMX files into Intune you will first need to go to the Import ADMX page. This can be found within Intune by going to Devices > Configuration > Import ADMX.
First, upload the dependency file to Intune.
Next, select the corresponding .adml file (language file) for the same Administrative template. In our case, we are uploading the en-US language file.
Open ‘en-US’ and select windows.adml
Once the files are selected, click Next.
Click Create.
You will be returned to the Import ADMX page and the file that you just selected to import will now be listed.
At first, the file shows the status ‘Upload in progress’ while the settings template is being imported into Intune; the status then changes to ‘Available’.
Follow the same steps and upload the ADMX file for “Windows Update”.
Configuration policies
Once you have imported all of the ADMX files that you require into Intune, you can start implementing the settings contained within into a configuration policy.
To do this, return to the Configuration > Policies page, select Create and then New Policy.
This will open the ‘Create a Profile’ blade on the right of the page, from here select ‘Windows 10 and later’ as your platform and ‘Templates’ as your profile type.
Select the required operating system for which the policies will be implemented.
Select "Template" as the Profile Type since we are using template-based configurations.
Afterward, search for the template name that you uploaded to Intune in the previous steps.
Select the correct template name and click Create.
You will then be taken to the ‘Create Profile’ page, starting with the ‘Basics’ page in which you can enter the details for your profile.
Once you have entered the details, select ‘Next’ at the bottom of the page to move on to the next step. You will then be on the configuration settings page.
Select and enable the required policies as per the Windows prerequisites guidelines.
Configuration
- Configure Automatic Updates -> Enable the policy and select the following for "Configure automatic updating" in the "Options" section:
  - Auto download and notify for install
- Specify intranet Microsoft update service -> Enable the policy and set both URLs in the "Options" section:
  - http://Your_WSUS_Server_Hostname:8530
  - http://Your_WSUS_Server_Hostname:8530
  - Note: if using SSL use https and 8531
- Automatic Update detection frequency -> Enable the policy and set "Check for updates at the following interval (hours)" in the "Options" section:
  - 4 hours
- Allow signed updates from an intranet Microsoft update service location -> Enable the policy
  - This is required in order to install non-Microsoft 3rd Party Software Updates and when SSL has been configured on the WSUS server.
- Everything else in the Windows Update section should be set to Not configured.
Click Next once the above policies are configured according to the details provided.
You will arrive at the Scope Tags section. Leave it as default if you don’t have any tags created earlier and click Next.
In the next step, select the groups of either users or devices that you want the selected settings to apply to.
You can also choose to add Device Filters to your chosen groups or add groups to be excluded from the policy as well.
You can then select Next to move on to the final page, which is to review your settings.
Once you have reviewed your settings then select ‘Create’ to finish.
After creating the policy, you can monitor the status of the policies applied to the client machines by clicking on the policy you created.
The steps outlined above are for Windows Update policies. To implement the same for PowerShell, upload the corresponding ADMX file for PowerShell and adjust the policy as follows.
Windows Components -> Windows PowerShell ->
- Turn on Script Execution -> Enable the policy and set "Allow local scripts and remote signed scripts" in the "Options" section
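A check to run on a managed client once the profile has been assigned, as an added example that is not part of the original article: it compares the registry values that the stock Windows Update and PowerShell Administrative Templates define for these settings with the options chosen above. The WSUS URL is the article's placeholder and the function name is an assumption; a missing value shows as an empty `Actual` column.

```powershell
# Added example (not from the original article). Compares the registry values that the
# Windows Update and PowerShell templates define with the settings chosen in this article.
$WsusUrl = 'http://Your_WSUS_Server_Hostname:8530'   # placeholder from the article
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$expected = @(
    @{ Path = $wu;      Name = 'WUServer';                    Value = $WsusUrl }
    @{ Path = $wu;      Name = 'WUStatusServer';              Value = $WsusUrl }
    @{ Path = $wu;      Name = 'AcceptTrustedPublisherCerts'; Value = 1 }
    @{ Path = "$wu\AU"; Name = 'UseWUServer';                 Value = 1 }
    @{ Path = "$wu\AU"; Name = 'NoAutoUpdate';                Value = 0 }
    @{ Path = "$wu\AU"; Name = 'AUOptions';                   Value = 3 }  # auto download, notify for install
    @{ Path = "$wu\AU"; Name = 'DetectionFrequencyEnabled';   Value = 1 }
    @{ Path = "$wu\AU"; Name = 'DetectionFrequency';          Value = 4 }  # hours
    @{ Path = $ps;      Name = 'EnableScripts';               Value = 1 }
    @{ Path = $ps;      Name = 'ExecutionPolicy';             Value = 'RemoteSigned' }
)

function Test-PolicyValue {
    param([Parameter(Mandatory)][hashtable]$Item)
    $key    = Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction SilentlyContinue
    $actual = if ($key) { $key.($Item.Name) } else { $null }
    [pscustomobject]@{
        Setting  = $Item.Name
        Expected = $Item.Value
        Actual   = $actual
        Match    = ($null -ne $actual) -and ("$actual" -eq "$($Item.Value)")
    }
}

$report = $expected | ForEach-Object { Test-PolicyValue -Item $_ }
$report | Format-Table -AutoSize
# The article notes https and port 8531 when SSL is configured on the WSUS server.
if ($report | Where-Object { $_.Setting -eq 'WUServer' -and $_.Actual -like 'http://*' }) {
    Write-Warning 'WUServer is plain HTTP; update metadata is fetched without TLS.'
}
```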