A first look at the settings catalog in Microsoft Endpoint Manager

With the 2101 Service Release of Microsoft Intune, released this week (February 1, 2021) Microsoft released a lot of new features. One of those features is the introduction of the settings catalog, which is now in preview.

Microsoft describes the settings catalog as: “Settings catalog lists the settings you can configure, and all in one place. This feature simplifies how you create a policy, and how you see all the available settings.

You can use the settings catalog functionality for both Windows 10 and macOS (only to configure and deploy Microsoft Edge settings).

Some background on Configuration Service Providers (CSP)

Windows 10 has built in support for the Mobile Device Enrollment Protocol (MS-MDE), and devices rolled out using this protocol can be managed using the Mobile Device Management Protocol (MS-MDM). MS-MDM is a subset of the Open Mobile Association (OMA) Device Management Protocol (OMA-DM). If a third party MDM solution supports the protocols it can manage Windows 10 as well. It’s therefore also not needed to install a management agent on the Windows 10 device.

Windows 10, when managed through MDM can be configured using so called Configuration Provider Settings (CSP) which expose device configuration settings. Settings are added with each new Windows 10 version Microsoft releases. By using an MDM solution you are able to read, set, modify, or delete configuration settings on the device.

CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Endpoint Manager. CSPs can be configured either from the Microsoft Endpoint Manager portal when made available by Microsoft or by using the Open Mobile Alliance Uniform Resource Identifier (OMA-URI) standard. The CSP settings which are available can be found here: Configuration service provider reference

OMA-URI

Settings which you cannot set in the GUI of Microsoft Endpoint Manager but are available as a CSP can be set using OMA-URI. You can do this by creating a custom profile type when creating a configuration policy.

 If we look a bit further in one of the specific settings we can see the following:

Edit Row CMA-URI Settings Name * Description OMA-URI * Data type Value * x Password Reset from Login Screen Password Reset from Login Screen 'Vendor/MSFT/Policy/Config/Authenticatian/.. Integer
OMA-URI custom configuration profile

The OMA-URI for this example is:./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset and you can find more information about what is done in the Policy CSP Documentation. The Policy configuration service provider enables the enterprise to configure policies on Windows 10.

For each CSP Microsoft provides a diagram like the one below. So, if we look at the OMA-URI in this case we can break the URI into the following

  • ./Vendor/MSFT/Policy is the root node for the Policy CSP
  • Config which is used to set policy values which can also be queried later on
  • Authentication which is the AreaName
  • AllowAadPassworRest which is the PolicyName
./Vendor/MSFT Policy Config Areo Nam e PolicyName PolicyName Result AreoName Policy Name Policy Name ConfigOperations ADM Xinstall App Nam e Policy UniquelD Added in Windows 10, version 1703 UniquelD Preference UniquelD UniquelD
Structure as described in documentation

 If you look a bit further in the documentation you will find the following:

Aut entication/A owAa Passwo Windows Edition Home pro Business Enterprise Education Scope: v' Device Reset Supported? €3 €3 €3 €3 Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen. The following list shows the supported values: 0 (default) — Not allowed. • 1 — Allowed.
AllowAADPasswordReset CSP

So this means that this CSP is not available on Windows 10 Home Edition, you can also see that if you set its value to 1, the setting will be enabled.

So, this should give you some basic idea on how Microsoft Endpoint Manager can configure settings on a device supporting CSP for settings which are not available in the GUI, as you can imagine this can become quite complex and error prone. Now let’s go into more detail on what the Settings Catalog is

What is the Settings Catalog?

The settings catalog is dynamically build based on the current available CSPs, by introducing this functionality Microsoft will be able to make new settings available faster for configuration, or expose settings which were only available by using a custom profile type configuration profile.

Simplified policy creation workflow Settings catalog Search. Browse. select any setting Policy A customizable unit Of settings that can be targeted to users and groups Policy Templates Scenario based collection Of settings
New options

The current way of creating policies using Profile types will continue to exist, Microsoft calls them “Policy Templates” now, not to be confused with Group Policy Templates (ADMX). The figure below shows the difference between the old  (1) and new (2) experience.

Old versus new experience

Below I will show the new experience when using the Settings Catalog (Preview) option, which will bring up a familiar wizard but with other options.

On the Configuration Settings tab of the Create device configuration profile you will see the new Settings Catalog functionality, you can click on Add settings to configure the settings.

Create device configuration profile Windows 10 and later - Settings catalog (preview) V Basics Configuration settings @ Assignments @ Scope tags @ Review + create Settings catalog With the settings catalog, you can choose which settings you want to configure. Click an Add settings to browse or search the catalog for the settings you want to configure. Learn mare + Add settings
Configuration Settings page

Clicking on Add setting will bring up the Settings picker panel, where you can use Search to search for the setting you want to make, or browse through the category.

Settings picker Use commas " among search terms to lookup settings by their kew.ards p eerch for a setting + Add filter Browse by category Above Lack Accounts > Administrative Templates Application Defaults Auditing Authentication 3itLacker BITS Bluetooth Browser Setting name Select a category to show settings x Search
Settings picker

You can also use a filter to narrow down the search options available based on Operating System Edition (for now, this might change since we are still in preview)

Add filter Add filter Choose filter type for resources Key Operator Value OS Edition Windows HoloLens HOIagraphic For Business 31 IOT Enterprise Bro Windows Education seta n ws Enterprise Windows Home Windows Professional
Filter

So if we go back to the CSP example, where we enabled Password reset from the login screen, we can now simply search for Password Reset, which gives us the option for us to choose directly

Settings picker Use commas " among search terms to lookup settings by their kew.ards P password reset + Add filter Browse by category Authentication 1 results in the "Authentication" category Setting name Allow Aad Password Reset x Search Specifies whether password reset is enabled for AAD accounts. Learn more
Chosen option

If you click on the information behind the setting name, you will get a brief description on what the setting does, and if you click on the “Learn more” link you are redirected to the CSP documentation page, which points to the Authentication/AllowAadPasswordReset page.

Once you have configured your setting, you can assign, scope and create the configuration profile.

Conclusion

Microsoft has released a lot of efforts to make the creation of configuration settings easier for your Microsoft Endpoint Manager managed clients. First of all they made more and more configurable options (now called templates) available in the MEM admin portal GUI. Secondly they introduced Security baselines, which bundles Microsoft recommended configuration settings. The also introduced the Policy sets option which allows you to combine several settings into one item that you can apply to your users/devices.

The settings catalog is really nice addition, it removes the complexity of defining OMA-URI settings using a custom configuration profile, and I also believe that Microsoft will be able to introduce new functionality must better using the settings catalog.

Administrators need to be careful though, it’s really easy to create a configuration profile with a settings catalog with hundreds of settings where they could easily lose track of what those settings do. It would also be nice if Microsoft would create a filter where you can distinct between settings specific for devices, and settings specific for users so that you can better determine whether you want to assign this to device or user based groups.

Last but not least, I really hope Microsoft uses the settings catalog functionality to also supply us with the security baselines so that we have one uniform way of dealing with settings. One of the big disadvantages of the security baselines in my opinion is that it’s hard to find out what settings correspond with each other. (setting in security baseline compared to setting in configuration profile).

For the rest I’m really excited for this great new addition, and I’m going to play with it some more in my lab environment.

Reference

https://docs.microsoft.com/en-us/mem/intune/configuration/settings-catalog

https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/preview-microsoft-endpoint-manager-s-settings-catalog-to-more/ba-p/2116084

1 thought on “A first look at the settings catalog in Microsoft Endpoint Manager

  1. Pingback: MDM policy processing on Windows 10 with Microsoft Endpoint Manager, a closer look | Modern Workplace Blog

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.