With the shift towards management through the cloud, in particular Microsoft Endpoint Manager, one thing that has come up time and time again is the comparison between Group Policy and MDM Profiles. I have covered some of the mappings between these on the blog already, but one thing which I always thought would be an issue was the UI itself.

Administrative Templates – The UI Issue

The reason of course is that anyone who has been in an admin role will be familiar with group policy manager, or even the local group policy MMC snap in. We all learned how to apply settings at a computer or user level and how to drill down through the various settings within. It became second nature, to instinctively know where a setting was based on the folder structure, as it basically just made sense.

When Administrative Templates was introduced in Intune back in 2018, I was very excited as this was one of the key areas that was needed in the product. When I covered the release of the feature back at Ignite in 2018 (https://msendpointmgr.com/2018/10/17/configure-admx-settings-with-microsoft-intune-administrative-templates/), I signed off by having the following wish list;

Security Baselines – Originally on my list when creating this blog post, but as you will see from the before mentioned Ignite session, this is going to be catered for

ADMX Import Facility – To allow for third party ADMX settings to be deployed

Improved Settings View – The list of settings can be spanned over several pages and for those coming from a systems administration background and being used to GPO’s, the formatting could be improved upon. Perhaps a tree view or a blade style view might prove more navigable

Taking that last item, I felt that the UI didn’t feel like it was something that the majority of seasoned admins would warm to. Sure if you were just starting out and this was the new world order, then no issue, but for those in the game a bit longer, it felt a bit alien and non intuitive. The search feature was a good idea, no doubt, but the returned settings were not clear enough as to what was for the user or the computer for instance.

Legacy Administrative Templates View

As more and more settings were introduced, the problem I fear got compounded, as although the search function worked, it just never was as straightforward as what you had expected when you had been spoilt by the Group Policy Management Console (who would have thought anyone would have said that).

So as we grew from the initial 288 settings to the number of settings/pages returned grew and grew when searching..

Introducing the revamped Administrative Template UI

Today I am extremely pleased to say, a new and improved tree view settings UI went live to tenants all around the globe;

New Tree View UI

This update provides the most intuitive means for administrators transitioning from GPO’s to manage their now cloud managed devices. It provides a familiar GPO style tree view, while also including a search mechanism. So you are now getting the best of both worlds within the same UI, a GPEditV2.0 if you like.

We can also clearly identify which settings are associated with the computer or the user, just as we did before with GPO, rather than having to read the setting string for each setting;

This of course makes it also easier when planning out deployment of your Administrative Template profiles, as you can create base computer and user profiles just as you would have done in group policy. I prefer that approach compared to the one policy does all, until it breaks, or you need to make changes for subsets of users.

We still of course get settings for the products we had previously;

Windows 10

Office 2016

Edge

OneDrive

Configuration

Configuration of the administrative template profile is still as it was before, within the Device Configuration \ Profiles section of the portal. For those of you unfamiliar with this, I’ll step through it here;

Open the Microsoft Endpoint Manager portal (https://devicemanagement.portal.azure.com/)

Click on Devices

Click on Configuration Profiles

Click on Create Profile

Select Windows 10 and later as the platform

Select Administrative Templates as the profile type

Click Create

Provide a Name for your profile, then click Next

Select the settings you wish to apply, then click Next

If you are using Scope Tags, select these (More information here – https://docs.microsoft.com/en-us/mem/intune/fundamentals/scope-tags)

Select the users or devices you wish to assign the profile to. (As I suggest here you could create baseline policies which are applied to the device and users separately) and click Next

Click Create

At this point the portal will start reporting on compliance, once your devices have refreshed their policies.

Conclusion

This marks a great step forward for making the process of moving from on-premise to in-cloud easier for the admin. So hats off to those involved within Microsoft and it is amazing to see that the company listens to the community, its customers and MVP’s to help drive usability and features within their products.

Now an ADMX import button and I have all three items ticked off my initial wish list. No pressure, at all.
