Since a couple of months Microsoft Intune offers the possibility to use ADMX templates to configure Microsoft Office 365 Pro Plus. Earlier on this was possible via scripting to configure Microsoft Office. This is not ideal because our managed services department had a hard time controling this. When I read about the ADMX templates I was eager to start testing. I will share my experiences with you.
In the examples I assume that the users that you configure these options for work on fat clients.
Preparation for Intune
For the examples I will elaborate on these parts of the Microsoft Office 365 suite:
Outlook
OneDrive
First things first, let’s start with an example to configure a profile with an ADMX template:
1. Log on to https://devicemanagement.microsoft.com/ to enter Microsoft Endpoint manager.
2. Go to devices and configuration profiles:
3. Click on create profile:
4. Set the profile name, set the plaform, the configuration type and click on create:
The new configuration profile is now created. After that, there are 3 options available:
Properties
Settings
Assignment
You can use the properties option to change the name and description for configuration profile.
The settings option is for the ADMX settings.
With the assignment option you can add the profile to users or devices.
Example for Microsoft Office 365 Outlook
Firstly I will start with Outlook since this application has the most impact for the most users.
I would start with these options:
Automatically configure profile based on Active Directory Primary SMTP address once. – “Set to enabled”
Disable First Run Movie – “Set to enabled”
Disable Office First Run on application boot – “Set to enabled”
Calendar week numbers.- “Set to enabled”
Turn off Coming Soon – “Set to enabled”
Disable Opt-in Wizard on first run – “Set to enabled”
Disable shared mail folder caching – “Set to enabled”
Download shared non-mail folders – “Set to disabled”
I would disable the shared folder caching because Outlook doesn’t handle this well when multiple users make a lot of changes to same mailbox. For example: When 5 users work in the same shared mailbox and they catagorize e-mail, it takes a while to sync when using cache mode. If you don’t use cache mode for the shared mailboxes the changes are visible instantly for all 5 users.
It is always possible to configure more options. The option that I suggest form a basic configuration for Outlook which I find fitting for our users. There are always specific cases for clients.
Example for Microsoft Office 365 OneDrive
Secondly we are going to configure OneDrive via a policy. In addition, I would advise you to create a seperate policy for OneDrive since not all users can or may use OneDrive.
I would start with these options:
Coauthor and share in Office desktop apps – “Set to enabled”
Disable the tutorial that appears at the end of OneDrive Setup – “Set to enabled”
Prevent users from changing the location of their OneDrive folder – “Set to enabled”
Prevent users from redirecting their Windows known folders to their PC – “Set to enabled”
Require users to confirm large delete operations – “Set to enabled”
Silently move Windows known folders to OneDrive – “Set to enabled” (Don’t forget to enter your tenant ID)
Silently sign in users to the OneDrive sync client with their Windows credentials – “Set to enabled”
Use OneDrive Files On-Demand – “Set to enabled”
These options form a nice basis for the OneDrive configuration and help the user get rid of all the first run movies and such. Furthermore these policy’s help protect their data and help them to collaborate with their co-workers.
Conclusion
We have created a new configuration profile for Windows 10 devices which we use to configure Microsoft Outlook and Microsoft OneDrive. I have shown some examples and elaborated on that.
In conclusion, I think you will agree that configuration profiles are a nice addition for Microsoft Intune and if you have any questions don’t hesitate to ask.
References
What’s new in Intune: https://docs.microsoft.com/en-us/intune/fundamentals/whats-new
https://www.scconfigmgr.com/2019/07/10/extended-administrative-templates-in-microsoft-intune/
Hi Niels,
Great article! However, when I use the OneDrive .admx settings in my test-tenant it downloads/configures the old OneDrive for Business version instead of the new version, while the new version is installed aswell. I also need to enter my credentials in the new OneDrive client once I open it. Got any fix for this?
Thanks and greetings,
Robin
Hi Robin,
Thanks for reading the blog. You are correct, these settings are for OneDrive for Business. I always deploy this version of OneDrive from the Office 365 Pro Plus Suite because it is the business version and the configuration profiles work on this version of the App.
The new OneDrive client is the personal one which doesn ‘t get touched by the configuration profile, I think that’s why you need to enter credentials. I think you should be using the OneDrive for Business installation. I do that as well.
If you have any questions don’t hesitate to ask!
Niels
Hey
I have tried this out too to also disable the Download shared non-mail folders setting and have applied to a User group.
Even though intune suggests the deployment succeeded settings dont apply in outlook – any suggestions where to troubleshoot am keen to move this to intune rather than GPO!
Thanks!
Hi Mark,
You should check the registry and the IntuneManagement extension Log in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs. Use CMTrace from Config Management Toolkit to parse the log files.
Thanks,
Niels
Thank you will look here – I raised this with support too and they said pointed out the path to “Disable shared mail folder caching” in intune is – \Microsoft Outlook 2016\Outlook Options\Delegates – suggesting it may only work in Office 2016 and not 365 although Microsoft suggest some settings here will work with Office 365 – but it seems it works fine for you with Office 365!
Thanks
Thanks for following up!