Enable Group Policy Settings with Visual Studio Administrative Templates (ADMX)
IT Administrators often want to control, via group policy, certain aspects of Visual Studio behavior to achieve consistency, compliance, and compatibility across their organizations.
One challenge has been that there was no easy way to discover what global policies exist for Visual Studio. Because there was no centralized repository that captured the Visual Studio policy options, there was also no consistent method to deploy settings using standard management and deployment tools such as the Group Policy Editor or Microsoft Endpoint Manager, resulting in duplicated, inefficient, and sometimes incorrect effort.
To address this issue, we are very happy to announce the release of Visual Studio Administrative Templates (ADMX/ADML), which enables you to easily discover, manage and control Visual Studio behaviors governed by group policy settings. With this release, you will be able to configure settings for Visual Studio feedback, Live Share, install, update, and privacy settings such as those around the Customer Experience Improvement Program and Intellicode remote analysis.
The Visual Studio group policy settings contained in the ADMX file are machine-wide for all users, meaning they intend to cover all applicable installed instances, versions, and SKUs of Visual Studio. Sometimes a policy is particular to a specific version of Visual Studio, and the template clearly calls this out.
To get started enabling group policy settings for your organization, download the ADMX template package and select where you would like to install the template files. Installing to the default location ‘C:\Windows\PolicyDefinitions’ will enable the Group Policy Editor (gpedit.exe) tool to easily discover and edit available Visual Studio group policies.
Visual Studio Administrator Templates within Group Policy Editor tool
As of June 2023, Microsoft Endpoint Manager now includes Visual Studio policies within the Settings catalog alongside other configuration policies such as those defined by Windows, Office and Edge. The documentation for using Visual Studio Administrative Templates to configure group policy settings in Microsoft Intune is available at Microsoft Learn.
For more information, please refer to the Visual Studio Administrators Guide. As always, we welcome your feedback. For problems or suggestions, please let us know by submitting your feedback at Visual Studio Feedback.
Edward Skrod Software Engineer II, Setup & Acquisition
Light
Dark
7 comments
this comment has been deleted.
Maybe you should look for a new company?
While a company could certainly do that the inverse problem exists as well. If you have a team of developers and you want to take advantage of new features (such as .NET 7) then how can you guarantee all the team updates? This would be one solution.
Yet another issue is around security. VS can be used by malicious players to gain access to a developer machine (which often has more privileges then a regular user) and then use that machine to target other vulnerable machines. In many cases today hackers are gaining access to otherwise secure resources by targeting the machines of those who have permissions. Updating VS takes time and requires you to close it. Many developers I know rarely do this so their machines are vulnerable if a security issue is found. This is really no different than any other software that could be hacked (OS, databases, etc). The job of IT security is to keep machines secure without users having to do anything manually.
Now hopefully you work in a company where your infrastructure, development and security teams actually talk and don’t just blindly push out any updates. This would be bad (irrelevant of VS). Most companies, in my experience, test the update on non-critical machines first (or with users who understand the risks) to work out any issues before pushing the update to everyone. If you don’t work in such a company then I believe there are larger policy issues at play. Either work to fix those policies or look for another job because it isn’t someplace you should probably be working at.
All this is optional however. Just because VS supports GP now doesn’t mean your company has to use it. It is just another option like everything else. If you have admin privileges on your own machine (as many devs do) then you can even override the domain policy locally to prevent the updates if you really want to. But if a malicious user gets into your network through your unpatched machine and infrastructure did everything they could to prevent that then ultimately it is your job on the line. You chose to leave the door unlocked after they tried to lock it.
There needs to be more features in this like being able to push out internal Nuget repositories so that everyone is on the same page.
Can you be more specific about what you mean by this? Are you asking for the equivalent of a team settings file where all your devs can have the same settings? If so then I think you should post that using the Make a Suggestion feature in VS. Note that this has been requested since 2019 and the requests keep getting closed.
Has the Intune ADMX import functionality been verified? It does not seem to work.
Results in “The administrative template file failed to be sent to the device”, which appears to be because importing ADMX templates that target ‘Software\Policies\Microsoft’ are explicitly blocked, and VisualStudio is not on the allowed sub-key list per:
https://learn.microsoft.com/en-us/windows/client-management/win32-and-centennial-app-policy-configuration#overview
Hi Joe – you are unfortunately correct. Windows is in the process of adding Visual Studio to the allowable list, and their fix will ship in mid Feb.