The release of Windows 10 version 1703 ushered in a new way of configuring policy for Mobile Device Management, through select Group Policy administrative templates (ADMX-backed policies). However, during testing of ADMX ingestion into Intune, I found a major blocker to their use.
Currently, the ingested policies are not allowed to write to locations within the System, Software\Microsoft, and Software\Policies\Microsoft keys, except for a small number of whitelisted locations. You can see the complete list in this article.
As you may know, a great number of settings typically configured via Group Policy Objects (GPO) write to restricted keys. Those who’d like true GPO-like configurations when Azure AD joining devices may be left wanting more than the current ADMX ingestion allows for. Fortunately, Michael Niehaus recently posted a great blog titled “Configuring Windows 10 defaults via Windows Autopilot using an MSI”. In the blog, Mr. Niehaus describes the process of using the WiX Toolset and PowerShell to create Windows 10 customizations which can be deployed as an app from Intune. While this doesn’t provide the same locked-down experience as a GPO, it will at least allow us to set the desired default settings in Windows 10.
I’ve used other third-party tools in the past to create custom .msi files to be deployed from Intune, but those tools are not free, so I decided to build upon the foundation provided by Niehaus. Using the script he’s provided on GitHub, I found it quite easy to add a custom default power plan to Windows 10 during Autopilot.
- On a test PC create a custom power plan called “Intune Power Plan” and configure the settings as you’d like them to be on all computers
- Run Command Prompt with admin rights
- Type the command powercfg /l and press Enter
- Copy the GUID of the Intune Power Plan
- From the cmd prompt mkdir C:\temp
- From the cmd prompt run powercfg -export "C:\temp\IntunePowerPlan.pow" <GUID of the power plan>
- Download and extract Niehaus’ Intune branding files from GitHub:
https://github.com/mtniehaus/IntuneBranding
- Download and install WiX Toolset 3.x:
http://wixtoolset.org/releases/
- Download the PowerShell WiX extension:
https://github.com/flcdrg/PowerShellWixExtension
- Copy C:\temp\IntunePowerPlan.pow to the “IntuneBranding” directory extracted from Niehaus’ Intune branding GitHub
- In Branding.ps1, add the following to the end of the file:
NOTE: When copying quotes from the internet, they are often converted to smart quotes; you may need to replace all of the quotes below with straight quotes using find and replace in Notepad.
```powershell
# STEP 11: Set Custom Power Scheme
# GUID copied from "powercfg /l" on the test PC
$powerPlanGuid = "<GUID of the power plan>"
$powerPlanDir = "C:\Windows\Resources\Power Themes"
Write-Host "Importing the power scheme"
# Create the target folder and copy the exported plan from the install folder
Mkdir $powerPlanDir -Force | Out-Null
Copy-Item "$($installFolder)IntunePowerPlan.pow" "$powerPlanDir\IntunePowerPlan.pow" -Force
# Pass the GUID so the imported plan keeps the GUID referenced by the registry values below
cmd /c powercfg /import "$powerPlanDir\IntunePowerPlan.pow" $powerPlanGuid
Write-Host "Setting custom power scheme as default"
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Power\PowerSettings" /v ActivePowerScheme /t REG_SZ /d $powerPlanGuid /f | Out-Host
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{025A5937-A6BE-4686-A844-36FE4BEC8B6D}" /v ActivePowerScheme /t REG_SZ /d $powerPlanGuid /f | Out-Host
```
- Build the .msi using the “make.cmd” extracted from Niehaus’ Intune branding GitHub. For more detailed instructions, see the README.md in the download
- Upload the .msi to Intune adding the /quiet /norestart switches and assign it to a group of Autopilot devices.
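
To confirm the deployment on a target device, the following added example (not part of Niehaus' Branding.ps1 or the original post) checks that the plan was imported under the expected GUID, that it is the active scheme, and that the ActivePowerScheme policy value matches; powercfg /import assigns a new GUID unless one is passed as its second argument, so these three can disagree. The script parameter and function names are hypothetical, and the GUID is a placeholder you must supply.

```powershell
# Added example: verify the power plan deployed by the MSI. Run elevated on a target device.
# $ExpectedGuid is a placeholder; pass the GUID copied from "powercfg /l" on the test PC.
param(
    [string]$ExpectedGuid = '<GUID of the power plan>'
)

$guidPattern = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
if ($ExpectedGuid -notmatch "^$guidPattern$") {
    throw 'Pass the power plan GUID with -ExpectedGuid.'
}

function Get-PowerSchemeGuid {
    # Extract the GUID from each line of powercfg output. Matching only the GUID
    # avoids depending on the localized "Power Scheme GUID:" label.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $guidPattern) { $Matches[0].ToLower() }
    }
}

function Test-PowerPlanDeployment {
    param(
        [string]$Expected,
        [string[]]$ListOutput,    # output of: powercfg /list
        [string[]]$ActiveOutput,  # output of: powercfg /getactivescheme
        [string]$PolicyValue      # ActivePowerScheme under the Policies key
    )
    $want = $Expected.ToLower()
    [pscustomobject]@{
        Imported      = @(Get-PowerSchemeGuid $ListOutput) -contains $want
        Active        = @(Get-PowerSchemeGuid $ActiveOutput) -contains $want
        PolicyMatches = ($PolicyValue.ToLower() -eq $want)
    }
}

# Collect the live state: installed schemes, active scheme, and the policy value
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings'
$policy = (Get-ItemProperty -Path $policyKey -Name ActivePowerScheme -ErrorAction SilentlyContinue).ActivePowerScheme
$list = powercfg /list
$active = powercfg /getactivescheme

$result = Test-PowerPlanDeployment -Expected $ExpectedGuid -ListOutput $list -ActiveOutput $active -PolicyValue $policy
$result | Format-List

# Non-zero exit code when any of the three checks fails
if (-not ($result.Imported -and $result.Active -and $result.PolicyMatches)) { exit 1 }
```

A result of PolicyMatches = True with Imported = False means the policy points at a GUID that does not exist on the device.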
Please reach out to New Signature for all of your Windows Autopilot needs or questions.