8. Deploying custom configuration profiles

16th January 2023

Aim: To understand that you can use configuration profiles to deploy custom settings not exposed by the Intune interface.

When you deploy settings to Windows devices via Intune configuration profiles, the payloads delivered consist of Open Mobile Alliance Uniform Resource Identifiers (OMA-URIs). That is the case whether you use a pre-configured profile or a “custom” configuration profile.

The Windows Configuration Service Provider (CSP) reads and applies the profile settings defined in Extensible Markup Language (XML) configured for the OMA-URI payload.  Note this is distinct from the Group Policy Object model, which uses Client Side Extensions (CSE) to configure settings.  Due to the different methods used, there isn’t a one-to-one correlation between the settings supported (see course section on Group Policy analytics). 

That said, CSP is similar to CSE in providing an interface to read, set, modify, or delete configuration settings for a given feature. Typically, these settings map to registry keys, files, or permissions. Some of these settings are configurable, and some are read-only. 

If you have used other mobile device management (MDM) service providers’ solutions to manage Windows devices, you will already be familiar with CSP OMA-URIs. Historically (and this may still be the case if you are using an alternative MDM to Microsoft Intune), the best option was to configure Windows with custom profiles that use the OMA-URI CSP endpoints. Intune then started to support importing administrative templates (ADMX) using custom profiles to configure those settings. Later, Intune supported administrative templates natively for apps such as Microsoft Office and others (Google Chrome, etc.). It is now best to use “settings catalog” type profiles, which is where Microsoft is investing its efforts to make it easier to manage Windows devices using Intune, although there are still some cases where custom profiles may be your only option.

As a simple example of when you might use a custom profile, the “Update” CSP references the endpoints and settings to create a profile with Windows Update policies. A built-in Intune policy that sets the “Automatic update behaviour” to auto install won’t expose “active hours” in the user interface. If you want “active hours” to deviate from the default values of 8:00 AM to 5:00 PM, you can configure them manually by creating a custom policy as per https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-activehoursstart.
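The active hours case above, worked through as an added example (not part of the original course material): it validates a start and end hour, produces the two rows you would enter in a custom profile, and renders the SyncML shape in which such an OMA-URI setting reaches the CSP. The function names are hypothetical, the sample hours are constructed, and the 18-hour limit assumes `ActiveHoursMaxRange` is left at its documented default.

```python
# Added example: build and validate custom OMA-URI rows for Windows Update active hours.
import xml.etree.ElementTree as ET

POLICY_ROOT = "./Device/Vendor/MSFT/Policy/Config/Update/"  # Policy CSP, Update area
DEFAULT_MAX_RANGE = 18  # assumption: ActiveHoursMaxRange left at its documented default


def active_hours_rows(start, end, max_range=DEFAULT_MAX_RANGE):
    """Return the rows to enter in a custom profile, or raise ValueError."""
    for name, hour in (("ActiveHoursStart", start), ("ActiveHoursEnd", end)):
        # The policy takes a whole hour on a 24-hour clock; reject strings and bools.
        if not isinstance(hour, int) or isinstance(hour, bool) or not 0 <= hour <= 23:
            raise ValueError(f"{name} must be a whole hour from 0 to 23, got {hour!r}")
    span = (end - start) % 24  # the window may wrap past midnight, e.g. 22 -> 6
    if span > max_range:
        raise ValueError(f"window of {span} h exceeds the {max_range} h maximum")
    return [
        {"oma_uri": POLICY_ROOT + "ActiveHoursStart", "data_type": "Integer", "value": start},
        {"oma_uri": POLICY_ROOT + "ActiveHoursEnd", "data_type": "Integer", "value": end},
    ]


def to_syncml(rows):
    """Render the rows as SyncML Replace commands, the XML form the CSP processes."""
    root = ET.Element("SyncML", xmlns="SYNCML:SYNCML1.2")
    body = ET.SubElement(root, "SyncBody")
    for cmd_id, row in enumerate(rows, start=1):
        replace = ET.SubElement(body, "Replace")
        ET.SubElement(replace, "CmdID").text = str(cmd_id)
        item = ET.SubElement(replace, "Item")
        target = ET.SubElement(item, "Target")
        ET.SubElement(target, "LocURI").text = row["oma_uri"]
        meta = ET.SubElement(item, "Meta")
        ET.SubElement(meta, "Format", xmlns="syncml:metinf").text = "int"
        ET.SubElement(item, "Data").text = str(row["value"])
    if hasattr(ET, "indent"):  # pretty-print where available (Python 3.9+)
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    rows = active_hours_rows(7, 19)  # constructed sample: 7:00 AM to 7:00 PM
    for row in rows:
        print(row["oma_uri"], row["data_type"], row["value"])
    print(to_syncml(rows))
```

Validating before you create the profile matters because a custom profile accepts whatever OMA-URI and value you type; a mistake only surfaces later as a per-setting error in the profile's device status.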
