In this blog post I want to describe how the new MDM Group Policy functionality can be used to configure a Windows 10 workstation. Since the Windows 10 Creators Update it is possible to deploy and apply Group Policy settings through the MDM channel: the policy configuration support in Windows 10 has been expanded so that a selected set of Group Policy administrative templates (ADMX-backed policies) can be applied to Windows PCs via the Policy configuration service provider (CSP). In this blog post I use this functionality to enable and configure the App-V client on an MDM-managed Windows 10 workstation.
Before we dive into the configuration in Intune I want to give some basic information on how ADMX files are handled and which settings can be configured through an MDM solution. ADMX files can either contain operating system (OS) settings that ship with Windows, or describe settings of applications that are separate from the OS. In the Local Group Policy Editor these settings are found in the following locations:
- OS settings: Computer Configuration/Administrative Templates
- Application settings: User Configuration/Administrative Templates
With this functionality you can either use the ADMX policy files that ship with Windows, located in %SystemRoot%\policydefinitions, or ingest your own ADMX files through the Policy CSP. This blog post focuses on the first option; a future blog post will cover the second. Inbox ADMX files are processed into MDM policies at OS-build time, whereas ingested ADMX files are processed into MDM policies after the OS ships, through the Policy CSP. Because the Policy CSP does not rely on any part of the Group Policy client stack, the policy handlers ingested to the device are able to react to policies that are set by the MDM. Within Windows 10 a set of ADMX-backed policies can be used through the Policy CSP. The current list of policies can be found here: https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-admx-backed.
But how do we configure Group Policy settings through the Policy CSP? First we need the OMA-URI of the setting we want to configure; this URI is entered in the custom configuration profile in Intune. Next we need to define the value of the Group Policy setting. In the gpedit graphical user interface a setting can be in one of three states: Not Configured, Enabled and Disabled. Through an MDM solution these states are expressed as follows:
- Enabling a policy setting: add '<enabled />' as the value of the corresponding setting. If the policy has no further options this is enough. If the setting has options, those options are entered after the <enabled /> value as '<data />' tags, one per option, carrying the id of the option and its value.
- Disabling a policy setting: add '<disabled />' as the value of the corresponding setting.
- Setting a policy setting to Not Configured: do not add a value at all.
More detailed information about this can be found here: https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/understanding-admx-backed-policies. Now let's take a look at how to create the configuration in Intune to enable and configure the App-V client on an MDM-managed Windows 10 device.
- Open Intune in the new portal (portal.azure.com) and click on Device Configuration:
- Click on Create Profile and fill in all the needed information. Select Windows 10 and later as platform and Custom as Profile Type.
- Now click on Add to add the GPO setting 'Enable the App-V client' to this custom configuration profile. After filling in the name and description of this setting, add the following OMA-URI to this row: './Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppVClient'. Since this setting can only be enabled, disabled or left not configured, select String as data type and '<enabled />' as value. Finally click on OK to add the setting to the profile.
- The next step is to configure the publishing server that will be used by the App-V client. Because this setting has options, I first created an XML file containing all the needed values for this policy setting. So create and save an XML file with the following content (the server name 'Name' and the URL 'http://app-vserver' are placeholders; replace them with your own publishing server):
<enabled/>
<data id="Publishing_Server1_Name_Prompt" value="Name"/>
<data id="Publishing_Server_URL_Prompt" value="http://app-vserver"/>
<data id="Global_Publishing_Refresh_Options" value="1"/>
<data id="Global_Refresh_OnLogon_Options" value="0"/>
<data id="Global_Refresh_Interval_Prompt" value="15"/>
<data id="Global_Refresh_Unit_Options" value="0"/>
<data id="User_Publishing_Refresh_Options" value="0"/>
<data id="User_Refresh_OnLogon_Options" value="0"/>
<data id="User_Refresh_Interval_Prompt" value="15"/>
<data id="User_Refresh_Unit_Options" value="1"/>
- Now click again on Add to add the GPO setting 'App-V Publishing Server'. After filling in the name and description of this setting, add the following OMA-URI to this row: './Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer1'. Since this GPO setting has additional options, those options have to be supplied as well: select String (XML file) as data type and upload the XML file created in step 4 to the row:
- Click on OK to add this row to the profile and click on Save. The last step is to assign this profile to your users; in my case I assigned it to a group:
After creating and assigning this profile, let's take a look at what happens on the Windows 10 client. You can monitor the process in the following event log: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider (Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin). Now let's take a look at the results of this configuration profile:
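The two rows of the profile above, built with a small PowerShell script. This is an added example and not code from the original post or from Microsoft: it generates the '<enabled />' / '<data />' value strings described earlier, checks that each result is well-formed XML, and writes the publishing-server payload to the file that is uploaded in the String (XML file) row. The server name 'Name' and URL 'http://app-vserver' are the post's placeholders; the helper names and the output file name AppV-PublishingServer1.xml are my own.

```powershell
# Added example: build the OMA-URI rows for the custom profile described above.
# Not code from the original post; helper and file names are my own.

function New-AdmxPolicyValue {
    <#
      Returns the string value the Policy CSP expects for an ADMX-backed setting:
        Not Configured -> empty value
        Disabled       -> <disabled/>
        Enabled        -> <enabled/> followed by one <data id=".." value=".."/> per option
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled', 'NotConfigured')]
        [string] $State,

        # [ordered] hashtable of option id -> value, so the emitted order is stable and reviewable.
        [System.Collections.Specialized.OrderedDictionary] $Data
    )

    switch ($State) {
        'NotConfigured' { return '' }
        'Disabled'      { return '<disabled/>' }
    }

    $parts = @('<enabled/>')
    if ($Data) {
        foreach ($entry in $Data.GetEnumerator()) {
            # Escape & < > " ' so a value such as a server name containing '&' cannot break
            # (or smuggle extra elements into) the XML fragment.
            $id    = [System.Security.SecurityElement]::Escape([string]$entry.Key)
            $value = [System.Security.SecurityElement]::Escape([string]$entry.Value)
            $parts += ('<data id="{0}" value="{1}"/>' -f $id, $value)
        }
    }
    return ($parts -join ' ')
}

function Test-AdmxPolicyValue {
    # A value is acceptable if it is empty (Not Configured) or parses as XML
    # once wrapped in a single root element.
    param([string] $Value)
    if ($Value -eq '') { return $true }
    try { $null = [xml]"<root>$Value</root>"; return $true } catch { return $false }
}

# Option ids exactly as in the post's XML; the name and URL are placeholders.
$publishingOptions = [ordered]@{
    'Publishing_Server1_Name_Prompt'    = 'Name'
    'Publishing_Server_URL_Prompt'      = 'http://app-vserver'   # prefer an https:// URL in production
    'Global_Publishing_Refresh_Options' = '1'
    'Global_Refresh_OnLogon_Options'    = '0'
    'Global_Refresh_Interval_Prompt'    = '15'
    'Global_Refresh_Unit_Options'       = '0'
    'User_Publishing_Refresh_Options'   = '0'
    'User_Refresh_OnLogon_Options'      = '0'
    'User_Refresh_Interval_Prompt'      = '15'
    'User_Refresh_Unit_Options'         = '1'
}

$rows = @(
    [pscustomobject]@{
        Name     = 'Enable the App-V client'
        OmaUri   = './Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppVClient'
        DataType = 'String'
        Value    = New-AdmxPolicyValue -State Enabled
    }
    [pscustomobject]@{
        Name     = 'App-V Publishing Server'
        OmaUri   = './Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer1'
        DataType = 'String (XML file)'
        Value    = New-AdmxPolicyValue -State Enabled -Data $publishingOptions
    }
)

foreach ($row in $rows) {
    if (-not (Test-AdmxPolicyValue $row.Value)) {
        throw "Malformed policy value for $($row.OmaUri): $($row.Value)"
    }
}

# The publishing-server value goes into the file uploaded in the String (XML file) row.
# Written without a BOM so the file starts with '<enabled/>' as the post shows.
$xmlPath = Join-Path $PWD 'AppV-PublishingServer1.xml'
[System.IO.File]::WriteAllText($xmlPath, $rows[1].Value, (New-Object System.Text.UTF8Encoding $false))

$rows | Format-List Name, OmaUri, DataType, Value
```

The escaping step is the part worth keeping even if you hand-write the file: the option values end up as XML attributes, so a publishing server name or URL with an ampersand or a quote has to be escaped or the whole PublishingAllowServer1 value is rejected (or, worse, parsed differently than intended).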
And finally check if the publishing server information is also applied on this device:
I want to make an important note about configuring App-V client settings both through PowerShell and through a GPO delivered via MDM. When the App-V client has been disabled with PowerShell, it cannot be enabled again through an MDM GPO. This is by design. So the overall advice is to pick one way of configuring your App-V client within Windows 10 and stick to it!
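To check what actually arrived on the client, and to catch the PowerShell-versus-MDM conflict described in the note above, here is an added PowerShell check to run in an elevated session on the enrolled device after an Intune sync. It is not code from the original post: it reads the event log named earlier, asks the in-box AppvClient module (Windows 10 1607 and later) for the client state and the configured publishing servers, and reports which settings are marked as set by policy. The expected publishing URL is the post's placeholder, and the assumption that the log messages contain the policy area name 'AppVirtualization' is mine.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# enrolled Windows 10 device. Assumes the in-box AppvClient module (Windows 10 1607+).

$ExpectedPublishingUrl = 'http://app-vserver'   # placeholder taken from the post's XML

function Get-MdmAppVPolicyEvents {
    param([int] $Hours = 24)
    # Admin channel of the log named in the post. Filtering on the policy area name
    # in the message text is an assumption; drop the Where-Object to see every MDM event.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'AppVirtualization' } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Test-AppVPolicyApplied {
    param([Parameter(Mandatory)][string] $PublishingUrl)
    Import-Module AppvClient -ErrorAction Stop

    $status   = Get-AppvStatus
    # Settings with SetByGroupPolicy = True came from the Policy CSP (or classic GPO),
    # everything else was set locally, e.g. with Set-AppvClientConfiguration.
    $byPolicy = @(Get-AppvClientConfiguration | Where-Object { $_.SetByGroupPolicy })
    $server   = Get-AppvPublishingServer |
                    Where-Object { $_.URL -eq $PublishingUrl } |
                    Select-Object -First 1

    $serverId = $null; $serverByPolicy = $false; $globalRefresh = $null; $userRefresh = $null
    if ($server) {
        $serverId       = $server.Id
        $serverByPolicy = [bool]$server.SetByGroupPolicy
        $globalRefresh  = $server.GlobalRefreshEnabled
        $userRefresh    = $server.UserRefreshEnabled
    }

    [pscustomobject]@{
        ClientEnabled         = [bool]$status.AppVClientEnabled
        PolicyManagedSettings = $byPolicy.Name
        PublishingServerFound = [bool]$server
        ServerId              = $serverId
        ServerSetByPolicy     = $serverByPolicy
        GlobalRefreshEnabled  = $globalRefresh
        UserRefreshEnabled    = $userRefresh
    }
}

$result = Test-AppVPolicyApplied -PublishingUrl $ExpectedPublishingUrl
$result | Format-List

# The note above: a client switched off locally with Disable-Appv stays off even though
# the MDM value for AllowAppVClient is <enabled/>. Say so instead of passing silently.
if (-not $result.ClientEnabled) {
    Write-Warning ('App-V client is disabled. If it was disabled with Disable-Appv, the MDM policy ' +
                   'will not re-enable it; manage the client from one place only.')
}
if (-not $result.PublishingServerFound) {
    Write-Warning "No publishing server with URL $ExpectedPublishingUrl; check the PublishingAllowServer1 value."
}
elseif (-not $result.ServerSetByPolicy) {
    Write-Warning 'Publishing server exists but is not marked as set by policy (added locally?).'
}
else {
    # Force a refresh now so an authentication failure such as 0x80190191 (HTTP 401)
    # surfaces immediately instead of at the next scheduled refresh.
    Sync-AppvPublishingServer -ServerId $result.ServerId -Global -Force
}

Get-MdmAppVPolicyEvents -Hours 2 | Format-Table -AutoSize -Wrap
```

The PolicyManagedSettings list is the quickest way to see whether a device is being configured from two places at once: anything you expect the MDM profile to control that is not in that list was set locally and will not be overwritten by the Policy CSP.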
Hi, nice blog post. Where did you get the right OMA URI from? Unfortunately Microsoft does not show it in their table.
Hi Manfred,
You can find the settings here: https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-admx-backed.
Regards, Arjan
Hi Arjan,
thanks for the answer but I can’t find the OMA-URI path needed by Intune on that page.
The root node for the APPV related settings in the Policy CSP is ./Vendor/MSFT/Policy. The APPV related settings are grouped below ./Vendor/MSFT/Policy/Config/appvirtualization and contain the following settings shown at https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-admx-backed
Thank you, I got this set up and going, however I ran into an authentication issue when syncing with the publishing server. How do you handle authentication to the publication server from a non-domain joined device? i.e. Intune.
Windows Error: 0x80190191
We have AAD-joined machines. I had to disable global refresh and enable user refresh instead. After this change it was working. Which type of refresh do you have configured?
Regards, Arjan
That appears to have been the solution I was looking for thank you so much. =)