Microsoft Intune Installation

Overview

1. Download templates
2. Upload templates
3. Configure templates
4. Deploy templates to devices/users/groups

Adding Policy Files to Intune

Downloading Policy Templates

Microsoft Policy Template

1. Download and run this file
2. After finished installing policies, navigate to the Intune Configuration profile upload page and click the Import ADMX tab.
3. Click the + Import button
4. In the selection window navigate to C:\Windows\Policy Definitions\
5. Locate the Windows.admx file and select it.
6. Add the Windows.adml file located at C:\Windows\Policy Definitions\en-US\
7. Click the blue Next button.
8. Verify the displayed info is correct and then click the blue Create button.

Edge Policy Template

1. Navigate to Microsoft Edge for Business
2. Scroll down and locate the archetype of windows your systems are on and click the blue text that should read Download Windows XX-bit Policy where XX is 64, 32, or ARM64
   1. NOTEMost people will choose the 64 option if you're unsure which you should get.
3. Locate the file you downloaded, it should have a name similar to MicrosoftEdgePolicyTemplates.cab
4. Extract the MicrosoftEdgePolicyTemplates.zip file
5. Extract the MicrosoftEdgePolicyTemplates folder

Uploading Policy Templates to Intune

1. Open your browser of choice and navigate to Intune Admin Center webpage and login as an administrator
2. On the left side click Devices
3. On the new side bar that appears scroll down to the Policy section and click Configuration profiles
4. Click the Import ADMX tab and then click Import
5. In the field labeled ADMX file click the blue folder icon to the right of it
6. Navigate to where you exported that folder in step 5 and then go to the following: Windows -> ADMX -> msedge.admx
7. Click the Open button to confirm the file.
8. In the field labeled ADML file click the blue folder icon to the right of it
9. Navigate to where you exported the folder in step 5 and then go to the following subfolder: Windows -> ADMX -> en-US -> msedge.adml
10. Click the Open button to confirm the file.
11. Click the blue Next button
12. Check that you have the two correct files added, it should read ADMX file: msedge.admx and ADML file for the default langeuage: msedge.adml
13. If everything looks correct, click Create
14. Wait for the profile to upload, typically takes a few minutes.
    • NOTE You cannot close or refresh the tab that you started the upload on or it will fail. Please leave the tab open until the status shows Completed. You may need to click the Refresh button on top of the table for it to update to show completed.

Setting up the Edge/Chrome Policy in Intune

NOTE: You must have completed the Adding Policy Files to Intune steps before you proceed. If you don't see the settings mentioned in the next steps make sure you've completed the Adding Policy Files to Intune steps.

Edge Force Install

1. Navigate to Intune Device Configuration Profiles
2. Click the + Create profile button
3. Set the Platform drop down to Windows 10 and later
4. Set the Profile type drop down to Settings catalog
5. Click the blue Create button.
6. Give your profile a name such as Edge Force Install Extension
7. Give the profile a description if you wish
8. Click the blue Next button
9. Click the blue text that read + Add settings
10. In the field labeled Search for a setting input Microsoft Edge
11. Scroll through the list until you locate Microsoft Edge\Extensions and click it
12. Then scroll through the bottom list and look for the option named Control which extensions are intalled silently Click the checkbox on the left
13. Do another search from step 10 and input Microsoft Edge and look for an option called Microsoft Edge
14. Look for the option Allow managed extensions to use the Enterprise Hardware Platform API and click the checkbox
15. Look for the option Browser sign-in settings and click the checkbox
16. Look for the option Configure automatic sign in with an Active Directory domain account when there is no Azure AD domain account
17. Look for the option Configure InPrivate mode availability
18. Click the X in the top right of the Settings Picker menu.
19. Enable all of the policies and configure the following:
    1. Browser sign-in settings: "Force users to sign-in to use the browser"
    2. Configure automatic sign in with an Active Directory domain account when there is no Azure AD domain account: "Sign in and make domain account non-removable"
    3. Configure InPrivate mode availability: "InPrivate Mode Disabled"
    4. Enter in the app name into "Control which extensions are installed silently" : 
    5. npnkndcccppmijoadmlaacmfbolcfppp;https://storage.googleapis.com/mm-cf-download.managedmethodsdev.com/main/updates.xml
20. Click the blue Next button at the bottom
21. Set any Scope Tags if you have any you'd like to set
22. Click the blue Next button at the bottom
23. Set which users, groups or devices you'd like to have this policy enforced on by clicking the Add Groups, Add All Users or Add All Devices.
24. Alternatively you can add all users or devices and then add groups to the exclude list.
25. Click the blue Next button
26. Review all the options and ensure they look correct and then click the blue Create button at the bottom to create the policy

Chrome Force Install (Windows OS)

NOTE: This will only apply to Chrome on Windows OS and not Chrome OS or Mac OS

1. Navigate to Intune Device Configuration Profiles
2. Click the + Create profile button
3. Set the Platform drop down to Windows 10 and later
4. Set the Profile type drop down to Settings catalog
5. Click the blue Create button.
6. Give your profile a name such as Edge Force Install Extension
7. Give the profile a description if you wish
8. Click the blue Next button
9. Click the blue text that read + Add settings
10. In the field labeled Search for a setting input Microsoft Edge
11. Do a search for Chrome
12. Locate the field called Google Google Chrome Extensions and click it
13. In the table below locate the Configure the list of force-installed apps and extensions option and check the box next to it.
14. In the search field from step 11, do another search for Chrome and click the row called Google Google Chrome
15. Look for an option called Browser sign-in settings and click the checkbox
16. Look for an option called Enables managed extensions to use the Enterprise Hardware Platform API and click the checkbox
17. Look for an option called Incognito mode availability and click the checkbox
18. Look for an option called Add restrictions on managed accounts and click the checkbox
19. Click the X in the top right of the Settings Picker menu
20. Look for the section labeled Google Chrome > Extensions and check the toggle to enable that policy.
21. Input the following into the field that should have appeared
    1. npnkndcccppmijoadmlaacmfbolcfppp;https://storage.googleapis.com/mm-cf-download.managedmethodsdev.com/main/updates.xml
22. Click the toggle for each option to enable it and configure the following settings after:
    1. Add restrictions on managed accounts: "A Managed Account Must be a primary account"
    2. Browser sign in settings: "Force-users to sign-in to use the browser"
    3. Incognito mode availability: "Incognito Mode Disabled"
23. Click the blue Next button at the bottom
24. Set any Scope Tags if you have any you'd like to set
25. Click the blue Next button at the bottom
26. Set which users, group or devices you'd like to have this policy enforced on by clicking the Add Groups, Add All Users or Add All Devices.
27. Alternatively you can add all users or devices and then add groups to the exclude list.
28. Click the blue Next button
29. Review all the options and ensure they look correct and then click the blue Create button at the bottom to create the policy