Modern Workplace Blog
Kenneth van Surksum
February 18, 2021

A first look at the settings catalog in Microsoft Endpoint Manager

With the 2101 service release of Microsoft Intune, released this week (February 1, 2021), Microsoft shipped a lot of new features. One of them is the settings catalog, which is currently in preview.

Microsoft describes the settings catalog as: “Settings catalog lists the settings you can configure, and all in one place. This feature simplifies how you create a policy, and how you see all the available settings.“

You can use the settings catalog for both Windows 10 and macOS (on macOS, for now, only to configure and deploy Microsoft Edge settings).

Some background on Configuration Service Providers (CSP)

Windows 10 has built-in support for the Mobile Device Enrollment Protocol (MS-MDE), and devices enrolled with this protocol can be managed using the Mobile Device Management Protocol (MS-MDM). MS-MDM is a subset of the Open Mobile Alliance (OMA) Device Management protocol (OMA-DM). Any third-party MDM solution that implements these protocols can manage Windows 10 as well, and no management agent needs to be installed on the device: the MDM client is part of the operating system.

When managed through MDM, Windows 10 is configured through so-called Configuration Service Providers (CSPs), which expose device configuration settings to the management server. New settings are added with each Windows 10 version Microsoft releases. Through an MDM solution you can read, set, modify or delete these settings on the device.

CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server such as Microsoft Endpoint Manager. A CSP setting can be configured either from the Microsoft Endpoint Manager portal, when Microsoft has exposed it there, or by addressing it directly with its Open Mobile Alliance Uniform Resource Identifier (OMA-URI). The available CSPs and their settings are documented in the Configuration service provider reference.

OMA-URI

Settings that are not available in the GUI of Microsoft Endpoint Manager but are exposed by a CSP can be set through their OMA-URI. You do this by choosing the Custom profile type when creating a configuration profile.

If we look at one of the settings in such a custom profile we see the following:

[Screenshot: "Edit Row" dialog for OMA-URI settings with the fields Name, Description, OMA-URI, Data type and Value. Name and Description: Password Reset from Login Screen; OMA-URI: ./Vendor/MSFT/Policy/Config/Authentication/... (truncated in the screenshot); Data type: Integer]
OMA-URI custom configuration profile

The OMA-URI for this example is ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset; what it does is described in the Policy CSP documentation. The Policy configuration service provider enables the enterprise to configure policies on Windows 10.

For each CSP Microsoft provides a tree diagram like the one below. The OMA-URI in this case breaks down as follows:

  • ./Vendor/MSFT/Policy is the root node of the Policy CSP
  • Config is the node used to set policy values, which can also be queried later on (the diagram also shows a Result node, which holds the evaluated policy values)
  • Authentication is the AreaName
  • AllowAadPasswordReset is the PolicyName
[Figure: Policy CSP tree as documented by Microsoft. Root ./Vendor/MSFT/Policy with child nodes Config (AreaName/PolicyName), Result (AreaName/PolicyName) and ConfigOperations/ADMXInstall (AppName/Policy/UniqueID and AppName/Preference/UniqueID, added in Windows 10, version 1703)]
Structure as described in documentation

 If you look a bit further in the documentation you will find the following:

Authentication/AllowAadPasswordReset

Windows edition   Supported?
Home              No
Pro               Yes
Business          Yes
Enterprise        Yes
Education         Yes

Scope: Device

Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen.

The following list shows the supported values:
  • 0 (default): Not allowed.
  • 1: Allowed.
AllowAadPasswordReset CSP

So this policy is not available on Windows 10 Home. The table also shows that the policy is device-scoped, and that setting its value to 1 enables it, while 0 (the default) keeps it disabled.
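To make the breakdown above concrete, here is an added example (my own code, not from the original post and not Microsoft's) that parses a Policy CSP OMA-URI into its AreaName and PolicyName, checks the value and Windows edition against a small lookup table transcribed from the documentation excerpt above, and builds the SyncML <Replace> command an MDM server pushes for that setting. The lookup table, the rejection of the Result node as a write target and the CmdID are assumptions made for the example; the Replace/Item/Target/LocURI/Meta/Data layout follows the shape the Windows MDM documentation uses for custom OMA-URI settings.

```python
"""Policy CSP OMA-URI parsing, validation and SyncML construction.

Added example, not code from the original post or from Microsoft.
The edition/value table is transcribed from the documentation excerpt
quoted in the post; the CmdID and the single-command layout are arbitrary.
"""
from __future__ import annotations

from dataclasses import dataclass
import xml.etree.ElementTree as ET

POLICY_ROOT = "./Vendor/MSFT/Policy"

# Constructed lookup table for the one policy discussed in the post, taken
# from the doc table: not supported on Home, device scope, integer 0/1.
POLICY_TABLE = {
    ("Authentication", "AllowAadPasswordReset"): {
        "editions": {"Pro", "Business", "Enterprise", "Education"},
        "scope": "Device",
        "values": {0: "Not allowed (default)", 1: "Allowed"},
        "format": "int",
    },
}


@dataclass(frozen=True)
class PolicyUri:
    """The parts of ./Vendor/MSFT/Policy/Config/<AreaName>/<PolicyName>."""
    area: str
    policy: str

    @property
    def uri(self) -> str:
        return f"{POLICY_ROOT}/Config/{self.area}/{self.policy}"


def parse_policy_uri(uri: str) -> PolicyUri:
    """Split a Policy CSP OMA-URI into AreaName and PolicyName.

    Only the Config node is accepted: Result holds evaluated values and is
    read with <Get>, so it must never be the target of a <Replace>.
    """
    prefix = POLICY_ROOT + "/Config/"
    if not uri.startswith(prefix):
        raise ValueError(f"not a Policy CSP Config URI: {uri}")
    parts = uri[len(prefix):].split("/")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"expected AreaName/PolicyName after Config: {uri}")
    return PolicyUri(area=parts[0], policy=parts[1])


def validate_policy(p: PolicyUri, value: int, edition: str) -> str:
    """Reject unsupported editions and values before anything is pushed.

    Returns the documented meaning of the value, e.g. "Allowed".
    """
    entry = POLICY_TABLE.get((p.area, p.policy))
    if entry is None:
        raise KeyError(f"{p.area}/{p.policy} is not in the local table")
    if edition not in entry["editions"]:
        raise ValueError(f"{p.policy} is not supported on Windows 10 {edition}")
    if value not in entry["values"]:
        raise ValueError(f"{value} is not a documented value for {p.policy}")
    return entry["values"][value]


def build_syncml_replace(p: PolicyUri, value: int, cmd_id: int = 1) -> str:
    """Build the SyncML <Replace> command that sets this policy.

    Layout: Replace/CmdID, Item/Target/LocURI, Item/Meta/Format, Item/Data.
    Format carries the syncml:metinf namespace as in the Windows MDM custom
    OMA-URI examples; "int" matches the Integer data type in the screenshot.
    """
    fmt = POLICY_TABLE.get((p.area, p.policy), {}).get("format", "int")
    replace = ET.Element("Replace")
    ET.SubElement(replace, "CmdID").text = str(cmd_id)
    item = ET.SubElement(replace, "Item")
    target = ET.SubElement(item, "Target")
    ET.SubElement(target, "LocURI").text = p.uri
    meta = ET.SubElement(item, "Meta")
    ET.SubElement(meta, "Format", xmlns="syncml:metinf").text = fmt
    ET.SubElement(item, "Data").text = str(value)
    return ET.tostring(replace, encoding="unicode")


def syncml_target(xml_text: str) -> tuple[str | None, str | None]:
    """Read LocURI and Data back out of a <Replace> (e.g. from a captured
    MDM diagnostic log) so the pushed value can be compared with intent."""
    root = ET.fromstring(xml_text)
    return root.findtext("./Item/Target/LocURI"), root.findtext("./Item/Data")


if __name__ == "__main__":
    p = parse_policy_uri(f"{POLICY_ROOT}/Config/Authentication/AllowAadPasswordReset")
    print(p.area, p.policy, "->", validate_policy(p, 1, "Enterprise"))
    print(build_syncml_replace(p, 1))
```

The validation step is where the hand-typed custom profile goes wrong in practice: a typo in the area or policy name, a value outside the documented set, or a policy assigned to an edition that does not support it all fail silently in the portal and only show up as a Status error on the device. Doing the check before the <Replace> is constructed is cheap.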

This should give you a basic idea of how Microsoft Endpoint Manager configures settings that are not available in the GUI on a device that supports the corresponding CSP. As you can imagine, this quickly becomes complex and error prone: you have to get the URI, the data type and the value exactly right by hand. Now let's go into more detail on what the settings catalog is.

What is the Settings Catalog?

The settings catalog is built dynamically from the CSPs that are currently available. With this functionality Microsoft can make new settings available for configuration faster, and expose settings that up to now could only be configured through a custom configuration profile.

[Figure: Simplified policy creation workflow. Settings catalog: search, browse, select any setting. Policy: a customizable unit of settings that can be targeted to users and groups. Policy templates: scenario-based collection of settings]
New options

The current way of creating policies using profile types continues to exist; Microsoft now calls these "Policy templates", not to be confused with Group Policy administrative templates (ADMX). The figure below shows the difference between the old (1) and new (2) experience.

Old versus new experience

Below I show the new experience when choosing the Settings catalog (preview) option, which brings up the familiar wizard but with different options.

On the Configuration settings tab of the Create device configuration profile wizard you will see the new settings catalog functionality; click Add settings to pick the settings you want to configure.

[Screenshot: Create device configuration profile wizard for "Windows 10 and later - Settings catalog (preview)" with the tabs Basics, Configuration settings, Assignments, Scope tags and Review + create. The Configuration settings tab explains that with the settings catalog you choose which settings you want to configure, with a Learn more link and an "+ Add settings" button]
Configuration Settings page

Clicking Add settings brings up the Settings picker panel, where you can search for the setting you want to configure or browse through the categories.

[Screenshot: Settings picker panel with a search box ("Use commas among search terms to lookup settings by their keywords"), an "+ Add filter" button and a Browse by category list starting with Above Lock, Accounts, Administrative Templates, Application Defaults, Auditing, Authentication, BitLocker, BITS, Bluetooth, Browser; the Setting name pane reads "Select a category to show settings"]
Settings picker

You can also add a filter to narrow the available settings down by operating system edition (for now this is the only filter type; this might change while the feature is in preview).

[Screenshot: Add filter panel with Key (OS Edition), Operator and Value; the value list includes Windows, HoloLens, Holographic for Business, IoT Enterprise, Windows Education, Windows Enterprise, Windows Home and Windows Professional]
Filter

If we go back to the CSP example, where we enabled password reset from the logon screen, we can now simply search for "password reset", which lets us pick the setting directly:

[Screenshot: Settings picker with the search term "password reset"; 1 result in the "Authentication" category, setting name "Allow Aad Password Reset", described as "Specifies whether password reset is enabled for AAD accounts", with a Learn more link]
Chosen option

If you click the information icon behind the setting name you get a brief description of what the setting does, and the "Learn more" link redirects you to the CSP documentation, in this case the Authentication/AllowAadPasswordReset page.

Once you have configured your settings you assign and scope the profile and create it, just like any other configuration profile.

Conclusion

Microsoft has put a lot of effort into making the creation of configuration settings easier for Microsoft Endpoint Manager managed clients. First of all, more and more configurable options (now called templates) were made available in the MEM admin center GUI. Secondly, security baselines were introduced, which bundle Microsoft recommended configuration settings. Policy sets were also introduced, which allow you to combine several items into one unit that you can assign to your users and devices.

The settings catalog is a really nice addition: it removes the complexity of defining OMA-URI settings in a custom configuration profile, and I believe Microsoft will be able to introduce new functionality much faster through the settings catalog.

Administrators need to be careful though: it is really easy to create a settings catalog profile with hundreds of settings and lose track of what those settings do. It would also be nice if Microsoft added a filter that distinguishes device-scoped from user-scoped settings, so that you can better determine whether to assign a profile to device or user groups.

Last but not least, I really hope Microsoft also uses the settings catalog functionality to supply the security baselines, so that we have one uniform way of dealing with settings. One of the big disadvantages of the security baselines, in my opinion, is that it is hard to find out which settings correspond to each other (a setting in a security baseline compared to the same setting in a configuration profile).

Apart from that I'm really excited about this great new addition, and I'm going to play with it some more in my lab environment.

Reference

https://docs.microsoft.com/en-us/mem/intune/configuration/settings-catalog

https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/preview-microsoft-endpoint-manager-s-settings-catalog-to-more/ba-p/2116084

Copyright © 2021 by Kenneth van Surksum. All rights reserved. No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

Shorthand: Don’t pass off my work as yours, it’s not nice.

©2023 Modern Workplace Blog | Powered by WordPress and Superb Themes!
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT