Enterprise support for Windows: Enable possibility to set managed settings via Intune (Setting Catalogs & OMA-URI)
Currently it is possible to centrally manage the list of allowed extensions and the update mode via Group Policy for Windows. That's great; however, lots of enterprises (small and large) are migrating from on-prem/hybrid device management to cloud-only, and usually this means that management of Windows settings happens only via Intune, not GPO.
Unfortunately, the Visual Studio Code GPO settings cannot be ingested via Intune, as the GPO settings are written to the following registry location, where ingesting settings has been blocked:
- Software\Policies\Microsoft
Due to these restrictions, importing the VS Code ADMX templates into Intune and deploying them that way does not work either, as the registry path above is, indeed, blocked; in addition, importing the ADMX template into Intune will cause this error:
It would be really awesome if you could provide support for setting managed settings via Intune using either the settings catalog or OMA-URI. Right now, at least Visual Studio provides the possibility to set settings via the settings catalog. Hopefully, this will come to Intune too.
Hi @joaomoreno, I'm not sure whether this is already on your backlog, so I created this just in case.
Intune management is sorely needed. Shouldn't even be using custom admx ingestion. This and all Microsoft products should be configurable in the new shiny policy management system Microsoft is pushing.
Struggling even using the registry options from the GPO policy to work around the limitation of importing the policy into Intune.
If I add:
Reg Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\VSCode
Key AllowedExtensions
Value ms-vscodepowershell
I get a message saying "Setting has invalid type, expected "object". Fix in JSON"
@md7648 do these docs help https://code.visualstudio.com/docs/setup/enterprise#_configure-allowed-extensions If not - what do you think is missing from the docs?
No, those don't help much; there's a lot about how to configure the JSON settings for an individual install, but they are terrible for how to add to Intune or to configure the GPO.
Ideally the format of what needs to get into something like a Reg Add command such as:
reg add "HKLM\SOFTWARE\Policies\Microsoft\VSCode" /v AllowedExtensions /t REG_SZ /d ms-vscode.powershell
Ah, figured it out - the correct command is:
reg add "HKLM\SOFTWARE\Policies\Microsoft\VSCode" /v AllowedExtensions /t REG_SZ /d {"id":"ms-vscode.powershell"}
Can you please file an issue here https://github.com/microsoft/vscode-docs so we improve our docs?
Workaround via Intune Compliance script
Check to see if VS Code is installed
```powershell
## Build registry key details (HKLM: drive path, so no Set-Location is needed)
$regpath = "HKLM:\SOFTWARE\Policies\Microsoft\VSCode"
$name = "AllowedExtensions"
## Allow-list written by the remediation script (detection only checks that the value exists)
$Value = '{"ms-vscode.powershell":true,"oracle.oracle-java":true,"microsoft":true}'

## First check whether VS Code is installed
$findinstall = Get-Package -Name '*visual studio code*' -ErrorAction SilentlyContinue
if ($null -eq $findinstall)
{
    ## Not installed: nothing to enforce, exit as compliant
    Write-Host "VS Code Not Installed" -ForegroundColor Green
    exit 0
}
else
{
    ## VS Code is installed: check the relevant registry entry
    $testregistry = Get-ItemProperty -Path $regpath -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $testregistry)
    {
        Write-Host "Reg Does Not Exist" -ForegroundColor Red
        exit 1
    }
    else
    {
        Write-Host "Entry Exists" -ForegroundColor Green
        exit 0
    }
}
```
Remediation Script
```powershell
## Build registry entry (HKLM: drive path, so no Set-Location is needed)
$regpath = "HKLM:\SOFTWARE\Policies\Microsoft\VSCode"
$name = "AllowedExtensions"
$Value = '{"ms-vscode.powershell":true,"oracle.oracle-java":true,"microsoft":true}'

## Check again for the value (matches the detection check)
$testregistry = Get-ItemProperty -Path $regpath -Name $name -ErrorAction SilentlyContinue
## If the value does not exist, add it
if ($null -eq $testregistry)
{
    ## Create the key only when it is missing, so existing values under it are kept
    if (-not (Test-Path -Path $regpath)) { New-Item -Path $regpath -Force | Out-Null }
    New-ItemProperty -Path $regpath -Name $name -Value $Value -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $regpath -Name UpdateMode -Value "Default" -PropertyType String -Force | Out-Null
    Write-Host "New Reg Added" -ForegroundColor Yellow
    exit 0
}
else
{
    ## Value already exists: nothing to change, so exit 0 and Intune does not report a failed remediation
    Write-Host "Entry Exists" -ForegroundColor Green
    exit 0
}
```
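A stricter detection script, added here as an example and not part of the original comment: instead of only checking that the value exists, it checks that AllowedExtensions parses as a JSON object (the type named in the "expected object" error earlier in the thread) and that it matches the intended allow-list. `ConvertTo-CanonicalPolicy` is a hypothetical helper name; the expected list is copied from the scripts above.

```powershell
# Added example: report non-compliance when AllowedExtensions is missing, malformed or drifted.
$regPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\VSCode'
$name     = 'AllowedExtensions'
# Expected allow-list, copied from the scripts above
$expected = '{"ms-vscode.powershell":true,"oracle.oracle-java":true,"microsoft":true}'

function ConvertTo-CanonicalPolicy {
    # Hypothetical helper: returns sorted "key=value" lines, or $null if the text is not a JSON object
    param([string]$Json)
    try { $obj = $Json | ConvertFrom-Json -ErrorAction Stop } catch { return $null }
    if ($obj -isnot [System.Management.Automation.PSCustomObject]) { return $null }
    $pairs = foreach ($p in $obj.PSObject.Properties) {
        # -InputObject keeps array values (version lists) intact instead of enumerating them
        '{0}={1}' -f $p.Name, (ConvertTo-Json -InputObject $p.Value -Compress)
    }
    return (@($pairs) | Sort-Object) -join "`n"
}

# Same install check as the scripts above: nothing to enforce when VS Code is absent
if (-not (Get-Package -Name '*visual studio code*' -ErrorAction SilentlyContinue)) {
    Write-Output 'VS Code not installed'
    exit 0
}

$raw = (Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue).$name
if ([string]::IsNullOrWhiteSpace($raw)) {
    Write-Output 'AllowedExtensions is missing'
    exit 1
}

$actual = ConvertTo-CanonicalPolicy $raw
if ($null -eq $actual) {
    # A bare extension id such as ms-vscode.powershell lands here
    Write-Output 'AllowedExtensions is not a JSON object'
    exit 1
}

# Key order in the stored JSON does not matter; extra, missing or changed entries do
if ($actual -cne (ConvertTo-CanonicalPolicy $expected)) {
    Write-Output 'AllowedExtensions differs from the expected allow-list'
    exit 1
}

Write-Output 'AllowedExtensions matches the expected allow-list'
exit 0
```

Paired with this check, the remediation script would need to overwrite an existing value rather than skip it, otherwise a drifted entry is detected but never corrected.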
Why can't I import ADMX and ADML files into Intune to enforce my rules like Chrome or Lenovo Commercial Vantage? I have no problems with these applications, but the VS Code files still don't work
This would be very helpful. There's one for Visual Studio.
I tried importing the ADMX/ADML file to Intune but there's a problem with the key path - apparently creating the key via Intune is not allowed given the path where it needs to go. I kept getting "not allowed to create the key in the given path" (or something along those lines).
Any update on this? I'm really surprised there is GPO support but not Intune?
+1. Settings should be configurable via Intune policy.
+1 - we really need these available from the settings catalog in Intune, and having to do yet another 'remediation' PowerShell script for what should be controllable via policy shouldn't be the way.
The lack of support in Intune is preventing us from rolling out updates for VSCode from the Intune Enterprise App catalogue (so 2 levels of license being paid for without the means to manage in an enterprise environment 'properly').
+1
With the introduction of agentic mode and MCP, it would be highly beneficial for Microsoft to prioritize enabling management capabilities for VS Code within Intune. The current lack of native management options has forced us to pin specific versions of VS Code, which negatively impacts user productivity by limiting access to updates and creating potential compatibility issues.
We would also appreciate it if the settings were directly configurable via Intune or ADMX files.
The import does work for us, but rolling out the settings fails with
ERROR CODE
0x20101
ERROR DETAILS
The administrative template file failed to be sent to the device.
@joaomoreno Do we have a timeline for this?
+1
+1
I can import the ADMX and ADML into Intune, however I receive 131329 when applying to the device, due to the registry restrictions.
This definitely needs fixing; the official documentation even implies that Intune is supported - https://code.visualstudio.com/docs/setup/enterprise#_group-policy-on-windows
Fix it please 🙏
+1 for OMA-URI support