Intune: Deploying ADMX-Backed policies using Microsoft Intune

Howdy folks !!!

Today's blog is about how to deploy ADMX-Backed policies using Microsoft Intune.

What is ADMX-Backed Policy?

ADMX-Backed policy is nothing but a Group Policy setting in a form of Windows 10 CSP which can be deployed to devices via MDM channel. (Intune)

Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support expanded to allow access of select Group Policy administrative templates (ADMX-backed policies) for Windows PCs via the Policy configuration service provider (CSP). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy.

Summary of steps to enable a policy:

  1. Find the policy from the list ADMX-backed policies.
  2. Find the Group Policy related information from the MDM policy description.
  3. Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy.
  4. Locate the Policy Definition file (C:\windows\PolicyDefinitions) and open with any XML Editor.
  5. Create OMA-URI and its value for the policy.
  6. Create a Device Configuration Policy in Intune and Assign to the user.

Each ADMX policy has various elements.

Text Element

MultiText Element

List Element

No Elements

Enum Element

Decimal Element

Boolean Element

 

In our example we are going see a ADMX policy which has List element.

Step 1:

We have chosen the below ADMX-Backed policy.

ActiveXControls/ApprovedInstallationSites

ADMX Info:

  • GP English name: Approved Installation Sites for ActiveX Controls
  • GP name: ApprovedActiveXInstallSites
  • GP path: Windows Components/ActiveX Installer Service
  • GP ADMX file name: ActiveXInstallService.admx

 

Step 2:

Understood the policy description as below.

This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved ActiveX Install sites specified by host URL.

If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL.

If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation.

Note: Wild card characters cannot be used when specifying the host URLs.

 

Step 3:

We need to determine the parameters required for this policy. We can use the Local Group Policy Editor on the Windows 10 Device.

  1. Open Run-> GPEDIT.MSC
  2. Use GP path identified from Step 1 and navigate to Windows Components/ActiveX Installer Service

3. Open the GP found in Step 1 as GP English Name for this policy.

This policy requires two parameters when enabled.

Host URL and Value

 

Once applied, it creates a Reg Key as below.

 

 

Step 4:

Identify the ADMX file name from Step 1 and locate the file under C:\windows\PolicyDefinitions

 

 

Copy the file to other location  (Like C:\temp) and open the copied file using XML editor.

 

The XML file has a <policies> <policies/> tag has all policies associated with that ADMX file.

Our policy name is ApprovedActiveXInstallSites as mentioned in Step 1 GP Name.

 

Step 5:

From the above Policy, we should build the OMA-URI and its value.

Important parameters to make a note are Class and elements

  • Class defines whether it is Device policy or User policy.
  • Elements defines how the value should be formatted.

In our example, we see Class = Machine  and the OMA-URI for this policy is

./Device/Vendor/MSFT/Policy/Config/ActiveXControls/ApprovedInstallationSites

[Note: This is case sensitive and make sure the name exactly matches what we have in Policy CSP identified in Step 1]

Now we need to create the value for the policy. For Intune, we should use String as Data Type as mentioned in article and Intune doesn't require encoding  and no SyncML required.

Our policy has enabled or disabled and a list element and should contain multiple values.

When a policy setting has multiple values, we need to use below as separator.

 

 

Having said that our policy value will be below.

 

 

 

Step 6:

Now we need to create a Device Configuration Policy in Intune and assign to a user.

 

Assign the profile to a group.

Monitor the status

On Portal

On Device

 

Senthilkumar Pandurangan

Support Escalation Engineer | Microsoft Intune 

 

Disclaimer: This posting is provided "AS IS" with no warranties and confers no rights

Comments

  • Anonymous
    May 25, 2018
    I hope that someone will write some nice PowerShell tool for these operations.