With the 2101 Service Release of Microsoft Intune, released this week (February 1, 2021), Microsoft shipped a lot of new features. One of those features is the introduction of the settings catalog, which is now in preview.
Microsoft describes the settings catalog as: “Settings catalog lists the settings you can configure, and all in one place. This feature simplifies how you create a policy, and how you see all the available settings.“
You can use the settings catalog for both Windows 10 and macOS (on macOS, only to configure and deploy Microsoft Edge settings).
Some background on Configuration Service Providers (CSP)
Windows 10 has built-in support for the Mobile Device Enrollment Protocol (MS-MDE), and devices enrolled using this protocol can be managed using the Mobile Device Management Protocol (MS-MDM). MS-MDM is a subset of the Open Mobile Alliance (OMA) Device Management Protocol (OMA-DM). Any third-party MDM solution that supports these protocols can manage Windows 10 as well, so there is no need to install a management agent on the Windows 10 device.
Windows 10, when managed through MDM, is configured using so-called Configuration Service Providers (CSPs), which expose device configuration settings. New settings are added with each Windows 10 version Microsoft releases. Through an MDM solution you can read, set, modify, or delete configuration settings on the device.
CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Endpoint Manager. CSPs can be configured either from the Microsoft Endpoint Manager portal when made available by Microsoft or by using the Open Mobile Alliance Uniform Resource Identifier (OMA-URI) standard. The CSP settings which are available can be found here: Configuration service provider reference
OMA-URI
Settings which you cannot set in the GUI of Microsoft Endpoint Manager but which are available as a CSP can be set using an OMA-URI. You do this by choosing the Custom profile type when creating a configuration profile.
If we look a bit further in one of the specific settings we can see the following:
![Screenshot: the OMA-URI Settings "Edit Row" pane of a custom profile, with the fields Name, Description, OMA-URI, Data type (Integer) and Value filled in for "Password Reset from Login Screen"](https://www.vansurksum.com/wp-content/uploads/2021/02/image-23.png)
The OMA-URI for this example is ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset, and you can find more information about what it does in the Policy CSP documentation. The Policy configuration service provider enables the enterprise to configure policies on Windows 10.
For each CSP Microsoft provides a diagram like the one below. If we look at the OMA-URI in this case, we can break the URI into the following parts:
- ./Vendor/MSFT/Policy is the root node for the Policy CSP
- Config is the node used to set policy values, which can also be queried later on
- Authentication is the AreaName
- AllowAadPasswordReset is the PolicyName
![Diagram from the Policy CSP documentation: ./Vendor/MSFT/Policy with the child nodes Config (AreaName/PolicyName), Result (AreaName/PolicyName) and ConfigOperations/ADMXInstall (added in Windows 10, version 1703) with AppName/Policy/UniqueID and AppName/Preference/UniqueID](https://www.vansurksum.com/wp-content/uploads/2021/02/image-24.png)
If you look a bit further in the documentation you will find the following:
![Excerpt from the Authentication/AllowAadPasswordReset documentation: supported on the Pro, Business, Enterprise and Education editions but not on Home; scope: Device. "Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen." Supported values: 0 (default) Not allowed; 1 Allowed.](https://www.vansurksum.com/wp-content/uploads/2021/02/image-25.png)
This means that this CSP setting is not available on Windows 10 Home edition. You can also see that if you set its value to 1, the setting is enabled.
This should give you a basic idea of how Microsoft Endpoint Manager can configure settings on a device that supports CSPs, for settings which are not available in the GUI. As you can imagine, this can become quite complex and error prone. Now let's go into more detail on what the Settings Catalog is.
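As an added example (not code from the original post), the following Python breaks a Policy CSP OMA-URI into the parts listed above, checks the value and Windows edition against what the documentation excerpt says is supported, and builds the SyncML Replace command that an MDM server would send to the device. The mini-catalog and the SyncML element layout are assumptions constructed from the excerpt and the Policy CSP documentation examples.

```python
"""Added example: parse a Policy CSP OMA-URI, validate it against a small
constructed catalog, and emit the SyncML <Replace> an MDM server pushes."""
import xml.etree.ElementTree as ET

POLICY_ROOT = ("Vendor", "MSFT", "Policy")

# Constructed mini-catalog for the one policy the post walks through; format,
# supported values and editions come from the documentation excerpt above.
CATALOG = {
    ("Authentication", "AllowAadPasswordReset"): {
        "format": "int",
        "allowed": {0: "Not allowed (default)", 1: "Allowed"},
        "editions": {"Pro", "Business", "Enterprise", "Education"},  # not Home
    },
}


def parse_policy_uri(uri):
    """Split ./Vendor/MSFT/Policy/<Config|Result>/<AreaName>/<PolicyName>."""
    if not uri.startswith("./"):
        raise ValueError("OMA-URI must be relative to the device root ('./')")
    parts = uri[2:].split("/")
    if tuple(parts[:3]) != POLICY_ROOT or len(parts) != 6:
        raise ValueError("not a Policy CSP path: %s" % uri)
    node, area, policy = parts[3:]
    if node not in ("Config", "Result"):
        raise ValueError("expected Config or Result node, got %s" % node)
    return {"node": node, "area": area, "policy": policy}


def validate(uri, value, edition):
    """Return the catalog entry if uri, value and edition are supported."""
    p = parse_policy_uri(uri)
    entry = CATALOG.get((p["area"], p["policy"]))
    if entry is None:
        raise KeyError("unknown policy %s/%s" % (p["area"], p["policy"]))
    if value not in entry["allowed"]:
        raise ValueError("value %r not in %s" % (value, sorted(entry["allowed"])))
    if edition not in entry["editions"]:
        raise ValueError("not supported on Windows 10 %s" % edition)
    return entry


def build_syncml(uri, value, edition, cmd_id=1):
    """Emit the SyncML Replace command for a validated setting as a string."""
    fmt = validate(uri, value, edition)["format"]
    root = ET.Element("SyncML", xmlns="SYNCML:SYNCML1.2")
    replace = ET.SubElement(ET.SubElement(root, "SyncBody"), "Replace")
    ET.SubElement(replace, "CmdID").text = str(cmd_id)
    item = ET.SubElement(replace, "Item")
    ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = uri
    ET.SubElement(ET.SubElement(item, "Meta"), "Format", xmlns="syncml:metinf").text = fmt
    ET.SubElement(item, "Data").text = str(value)
    return ET.tostring(root, encoding="unicode")
```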
What is the Settings Catalog?
The settings catalog is dynamically built from the currently available CSPs. By introducing this functionality Microsoft will be able to make new settings available for configuration faster, and to expose settings which were previously only available through a custom profile type configuration profile.
![Simplified policy creation workflow: Settings catalog (search, browse, select any setting); Policy (a customizable unit of settings that can be targeted to users and groups); Policy Templates (scenario based collection of settings)](https://www.vansurksum.com/wp-content/uploads/2021/02/image-29.png)
The current way of creating policies using Profile types will continue to exist, Microsoft calls them “Policy Templates” now, not to be confused with Group Policy Templates (ADMX). The figure below shows the difference between the old (1) and new (2) experience.
![Comparison of the old (1) and new (2) profile creation experience](https://www.vansurksum.com/wp-content/uploads/2021/02/image-26-1024x709.png)
Below I show the new experience when using the Settings Catalog (Preview) option, which brings up a familiar wizard with different options.
On the Configuration settings tab of the Create device configuration profile wizard you will see the new Settings catalog functionality; click Add settings to configure the settings.
![Create device configuration profile wizard for "Windows 10 and later - Settings catalog (preview)": Basics, Configuration settings, Assignments, Scope tags, Review + create; the Settings catalog pane explains that you can browse or search the catalog and shows the "+ Add settings" button](https://www.vansurksum.com/wp-content/uploads/2021/02/image-31.png)
Clicking Add settings brings up the Settings picker panel, where you can search for the setting you want to configure, or browse through the categories.
![Settings picker panel: search box ("Use commas among search terms to lookup settings by their keywords"), "+ Add filter", and a "Browse by category" list (Above Lock, Accounts, Administrative Templates, Application Defaults, Auditing, Authentication, BitLocker, BITS, Bluetooth, Browser, ...)](https://www.vansurksum.com/wp-content/uploads/2021/02/image-28.png)
You can also use a filter to narrow down the available settings by operating system edition (for now; this might change since the feature is still in preview).
If we go back to the CSP example, where we enabled password reset from the login screen, we can now simply search for "Password Reset", which gives us the option to choose the setting directly.
![Settings picker after searching for "password reset": 1 result in the "Authentication" category, "Allow Aad Password Reset", with the description "Specifies whether password reset is enabled for AAD accounts." and a "Learn more" link](https://www.vansurksum.com/wp-content/uploads/2021/02/image-27.png)
If you click on the information icon behind the setting name, you get a brief description of what the setting does, and if you click on the "Learn more" link you are redirected to the CSP documentation, in this case the Authentication/AllowAadPasswordReset page.
Once you have configured your setting, you can assign, scope and create the configuration profile.
Conclusion
Microsoft has put a lot of effort into making the creation of configuration settings easier for your Microsoft Endpoint Manager managed clients. First of all they made more and more configurable options (now called templates) available in the MEM admin portal GUI. Secondly they introduced Security baselines, which bundle Microsoft recommended configuration settings. They also introduced the Policy sets option, which allows you to combine several settings into one item that you can apply to your users/devices.
The settings catalog is a really nice addition: it removes the complexity of defining OMA-URI settings using a custom configuration profile, and I also believe that Microsoft will be able to introduce new functionality much faster using the settings catalog.
Administrators need to be careful though: it's really easy to create a configuration profile with a settings catalog containing hundreds of settings, where they could easily lose track of what those settings do. It would also be nice if Microsoft would add a filter that distinguishes between device-specific and user-specific settings, so that you can better determine whether to assign a profile to device or user based groups.
Last but not least, I really hope Microsoft also uses the settings catalog functionality to supply us with the security baselines, so that we have one uniform way of dealing with settings. One of the big disadvantages of the security baselines, in my opinion, is that it's hard to find out which settings correspond to each other (a setting in a security baseline compared to the same setting in a configuration profile).
For the rest I’m really excited for this great new addition, and I’m going to play with it some more in my lab environment.
Reference
https://docs.microsoft.com/en-us/mem/intune/configuration/settings-catalog