With the 2101 Service Release of Microsoft Intune, released this week (February 1, 2021), Microsoft shipped a lot of new features. One of those features is the settings catalog, which is now in preview.
Microsoft describes the settings catalog as: “Settings catalog lists the settings you can configure, and all in one place. This feature simplifies how you create a policy, and how you see all the available settings.”
You can use the settings catalog functionality for both Windows 10 and macOS (only to configure and deploy Microsoft Edge settings).
Some background on Configuration Service Providers (CSP)
Windows 10 has built-in support for the Mobile Device Enrollment Protocol (MS-MDE), and devices rolled out using this protocol can be managed using the Mobile Device Management Protocol (MS-MDM). MS-MDM is a subset of the Open Mobile Alliance (OMA) Device Management Protocol (OMA-DM). If a third-party MDM solution supports these protocols, it can manage Windows 10 as well. There is therefore no need to install a management agent on the Windows 10 device.
Windows 10, when managed through MDM, can be configured using so-called Configuration Service Providers (CSPs), which expose device configuration settings. Settings are added with each new Windows 10 version Microsoft releases. By using an MDM solution you are able to read, set, modify, or delete configuration settings on the device.
CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server such as Microsoft Endpoint Manager. CSPs can be configured either from the Microsoft Endpoint Manager portal, when made available there by Microsoft, or by using the Open Mobile Alliance Uniform Resource Identifier (OMA-URI) standard. The available CSP settings can be found here: Configuration service provider reference.
Settings which you cannot set in the GUI of Microsoft Endpoint Manager but are available as a CSP can be set using OMA-URI. You can do this by creating a custom profile type when creating a configuration policy.
If we look a bit further in one of the specific settings we can see the following:
The OMA-URI for this example is: ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset. You can find more information about what it does in the Policy CSP documentation. The Policy configuration service provider enables the enterprise to configure policies on Windows 10.
For each CSP Microsoft provides a diagram like the one below. If we look at the OMA-URI in this case, we can break the URI into the following parts:
- ./Vendor/MSFT/Policy is the root node for the Policy CSP
- Config which is used to set policy values which can also be queried later on
- Authentication which is the AreaName
- AllowAadPasswordReset which is the PolicyName
If you look a bit further in the documentation you will find the following:
This means that this CSP is not available on Windows 10 Home Edition. You can also see that if you set its value to 1, the setting will be enabled.
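An added example (not from the original post or from Microsoft): the URI breakdown above as a small Python parser, plus the SyncML Replace command an MDM server would send to set this integer policy to 1. The function names are made up for illustration, and the parser also accepts the ./Device and ./User prefixed forms of the Policy CSP path, which goes slightly beyond the single URI shown here.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# URI from the post; used as the sample input.
EXAMPLE_URI = "./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset"

# Policy CSP path: optional ./Device or ./User prefix, the fixed root node,
# then Config/<AreaName>/<PolicyName>. A bare "./Vendor" means device scope.
_POLICY_URI = re.compile(
    r"\./(?:(Device|User)/)?Vendor/MSFT/Policy/Config/([^/\s]+)/([^/\s]+)"
)

@dataclass(frozen=True)
class PolicyUri:          # hypothetical helper type, not an Intune API
    scope: str            # "Device" or "User"
    area_name: str
    policy_name: str

def parse_policy_oma_uri(uri: str) -> PolicyUri:
    """Split a Policy CSP OMA-URI into scope, AreaName and PolicyName."""
    m = _POLICY_URI.fullmatch(uri.strip())
    if not m:
        raise ValueError(f"not a Policy CSP Config URI: {uri!r}")
    return PolicyUri(m.group(1) or "Device", m.group(2), m.group(3))

def build_syncml_replace(uri: str, value: int, cmd_id: int = 1) -> str:
    """Build the SyncML Replace message that sets an integer policy value."""
    parse_policy_oma_uri(uri)  # reject typos and non-Policy URIs up front
    root = ET.Element("SyncML", xmlns="SYNCML:SYNCML1.2")
    body = ET.SubElement(root, "SyncBody")
    replace = ET.SubElement(body, "Replace")
    ET.SubElement(replace, "CmdID").text = str(cmd_id)
    item = ET.SubElement(replace, "Item")
    ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = uri.strip()
    meta = ET.SubElement(item, "Meta")
    ET.SubElement(meta, "Format", xmlns="syncml:metinf").text = "int"
    ET.SubElement(item, "Data").text = str(value)
    ET.SubElement(body, "Final")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(parse_policy_oma_uri(EXAMPLE_URI))
    print(build_syncml_replace(EXAMPLE_URI, 1))
```

Running the parser over the OMA-URIs in existing custom profiles is a quick way to catch misspelled policy names before they are deployed.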
This should give you a basic idea of how Microsoft Endpoint Manager can configure settings on a device supporting CSPs when those settings are not available in the GUI. As you can imagine, this can become quite complex and error-prone. Now let’s go into more detail on what the Settings Catalog is.
What is the Settings Catalog?
The settings catalog is dynamically built based on the currently available CSPs. By introducing this functionality, Microsoft will be able to make new settings available for configuration faster, or expose settings which were previously only available through a configuration profile of the custom profile type.
The current way of creating policies using Profile types will continue to exist. Microsoft calls them “Policy Templates” now, not to be confused with Group Policy Templates (ADMX). The figure below shows the difference between the old (1) and new (2) experience.
Below I will show the new experience when using the Settings Catalog (Preview) option, which will bring up a familiar wizard but with other options.
On the Configuration Settings tab of the Create device configuration profile wizard you will see the new Settings Catalog functionality. Click on Add settings to configure the settings.
Clicking on Add settings will bring up the Settings picker panel, where you can use Search to find the setting you want to configure, or browse by category.
You can also use a filter to narrow down the available search options based on Operating System Edition (for now, this might change since we are still in preview).
So if we go back to the CSP example, where we enabled Password reset from the login screen, we can now simply search for Password Reset, which lets us choose the setting directly.
If you click on the information icon behind the setting name, you will get a brief description of what the setting does, and if you click on the “Learn more” link you are redirected to the CSP documentation page, which points to the Authentication/AllowAadPasswordReset page.
Once you have configured your setting, you can assign, scope and create the configuration profile.
Microsoft has put a lot of effort into making the creation of configuration settings easier for your Microsoft Endpoint Manager managed clients. First of all, they made more and more configurable options (now called templates) available in the MEM admin portal GUI. Secondly, they introduced Security baselines, which bundle Microsoft-recommended configuration settings. They also introduced the Policy sets option, which allows you to combine several settings into one item that you can apply to your users/devices.
The settings catalog is a really nice addition. It removes the complexity of defining OMA-URI settings using a custom configuration profile, and I also believe that Microsoft will be able to introduce new functionality much better using the settings catalog.
Administrators need to be careful though: it’s really easy to create a settings catalog configuration profile with hundreds of settings and lose track of what those settings do. It would also be nice if Microsoft would create a filter that lets you distinguish between settings specific to devices and settings specific to users, so that you can better determine whether you want to assign the profile to device-based or user-based groups.
Last but not least, I really hope Microsoft uses the settings catalog functionality to also supply us with the security baselines, so that we have one uniform way of dealing with settings. One of the big disadvantages of the security baselines, in my opinion, is that it’s hard to find out which settings correspond with each other (setting in security baseline compared to setting in configuration profile).
For the rest I’m really excited for this great new addition, and I’m going to play with it some more in my lab environment.