GavelisMartin-6910 asked Jason-MSFT commented

ADMX-backed Custom Policy DNS_SearchList

Hi,

I'm trying to get the DNS suffix search list populated on our AAD machines as we're in the transition phase from domain to cloud. And the Autopilot / Intune-only machines have some name resolution "issues" as not everybody works with FQDNs.

On AD the DNS suffix search list worked fine with GPO, but on Intune I'm a bit lost with custom policies. I found this ADMX-backed one from Microsoft:

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-dnsclient#admx-dnsclient-dns-searchlist

From which I tried to create a custom policy:

OMA-URI:
./Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_SearchList

and Value (String):
<enabled/>
<data id="DNS_SearchListLabel" value="ops.global.ad,na.global.ad,eu.global.ad,global.ad"/>

On my targeted Windows 10 2004 Enterprise I can see in the event viewer (apps..>microsoft>windows>devicemanagement-enterprise>admin) that it shows an error 404:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (D2E622F6-EB75-40D7-9F2B-1594EBB1E082), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_SearchList), Result: (The system cannot find the file specified.).

In C:\Windows\PolicyDefinitions there's a dnsclient.admx file from which I got the "DNS_SearchListLabel", which is hopefully correct.

But I'm pretty new to custom policies and a bit lost at the moment. Thanks in advance for your help!


mem-intune-device-configurations

Crystal-MSFT answered Jason-MSFT commented

@GavelisMartin-6910, the error means the OMA-URI is not configured correctly.

From the document, it seems the OMA-URI is "./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_SearchList". I have tested it in the lab, but it still failed. From the document, I find this CSP is only available in the latest Windows 10 Insider Preview build. I think this is the reason why we failed.


Hope it can help.



Hi Crystal,

Do you know if this is still the case? If so, is there any indication when this will go GA? In order to move to a pure AAD environment, this management functionality is important.

Thanks,
Eric

0 Votes 0 ·
GavelisMartin-6910 answered Crystal-MSFT commented

Sorry for the late reply, it seems I got no mail notification or missed it. Oh, I've just seen that I have to enable it first.

Thanks @Crystal-MSFT !
Indeed, I've overlooked the part that it's only working on the latest preview build. That absolutely explains it.

Actually I'm testing a PS script (pushed with Intune), but it seems that it only runs once, and if something locally reverts the DNS search suffix list, it won't be automatically reapplied.

Does anybody have another idea how to get entries forced to the DNS suffix search list (reapplying/forced)? It was so easy in good old GPO times ;)

Thanks
Martin


@GavelisMartin-6910, thanks for marking the reply as the answer. I am glad that the information can help. For the PowerShell script, yes, once the script executes, it doesn't execute again unless there's a change in the script or policy. As a workaround, maybe we can update the script to let it deploy again. Meanwhile, I will do more research; if there's any good method I can find, I will post back.

0 Votes 0 ·
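
For the drift problem discussed in the last two posts, a check-and-set script that is safe to run repeatedly is sketched below. It is an added example, not code posted by anyone in this thread. It uses the suffix list from the question and assumes that something re-runs it on the device (how is outside what the thread covers) and that exit code 0 means compliant and 1 means drift.

```powershell
# Added example (not from the thread): idempotent check-and-set for the
# global DNS suffix search list. Suffixes are the ones from the question.
[CmdletBinding()]
param(
    # Without -Remediate the script only reports drift (exit 1) and changes nothing.
    [switch]$Remediate
)

$Desired = @('ops.global.ad', 'na.global.ad', 'eu.global.ad', 'global.ad')

function Test-SuffixListMatch {
    param([string[]]$Current, [string[]]$Expected)
    # Order matters: the resolver tries the suffixes in list order.
    if ($null -eq $Current) { $Current = @() }
    if ($Current.Count -ne $Expected.Count) { return $false }
    for ($i = 0; $i -lt $Expected.Count; $i++) {
        # DNS names are case-insensitive, so compare that way.
        if ($Current[$i].Trim() -ine $Expected[$i]) { return $false }
    }
    return $true
}

$current = (Get-DnsClientGlobalSetting).SuffixSearchList

if (Test-SuffixListMatch -Current $current -Expected $Desired) {
    Write-Output "Compliant: $($current -join ',')"
    exit 0
}

Write-Output "Drift detected. Current list: '$($current -join ',')'"
if (-not $Remediate) { exit 1 }

# Changing the global setting requires elevation (SYSTEM or local administrator).
Set-DnsClientGlobalSetting -SuffixSearchList $Desired -ErrorAction Stop

# Re-read the setting so success is confirmed, not assumed.
$after = (Get-DnsClientGlobalSetting).SuffixSearchList
if (Test-SuffixListMatch -Current $after -Expected $Desired) {
    Write-Output "Remediated: $($after -join ',')"
    exit 0
}

Write-Error "Suffix list still differs after Set-DnsClientGlobalSetting."
exit 1
```

Run without `-Remediate`, it acts as a read-only drift check whose output shows what the list was changed to, which helps identify whatever is reverting it.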