Memoirs of an ADMX

Last Updated on November 4, 2022 by rudyooms

This blog is going to show you how you could create your own ADMX | ADML templates within a couple of minutes to deploy some HKEY_CURRENT_USER settings to your Intune-managed device.

Please note: This blog isn’t going to be a deep dive into how to build those ADMX templates from scratch. I am going to show you how to deploy some HKCU settings without having deep knowledge about writing an ADMX on your own.

I will divide this blog into multiple parts

  1. Introduction
  2. The Tool
  3. How it works
  4. When it doesn’t work
  5. Another Option to deploy a custom ADMX
  6. Troubleshooting the ADMX import

1. Introduction

I guess we all know the pain when we need to push a specific HKEY_CURRENT_USER setting and there isn’t a settings catalog entry or an existing ADMX available.

Luckily, for a lot of settings there are already some lovely ADMX templates available. One of the most used these days would probably be the ADMX to mount drive letters from your Azure AD joined devices to your on-premises file server without having a hybrid setup.

Mounting | Mapping | Managing Drive letters with Intune MDM (call4cloud.nl)

Of course, there are also enough examples out there, that will require a PowerShell script to change some settings.

OSDBuilder/Global Set-FileExplorerOptions.ps1 at main · manelrodero/OSDBuilder · GitHub

As shown above, this PowerShell script would create some additional currentversion\explorer settings in the current user’s registry.

When you are blocking PowerShell with AppLocker, you could run into some issues when deploying these scripts in the user session when using Intune. As always I got you covered here!

Intune User / HKCU registry settings from system context (call4cloud.nl)

The above blog will show you how to make sure the setting would be deployed to the logged-in user from the system context. That’s nice, isn’t it? But I guess we can do better!!!

Wouldn’t it be nice if we could build our own ADMX/ADML and import it into Intune with the fantastic ADMX import function?

I guess it would, right? So I decided to write a blog on how I started writing custom ADMX files, as I was already doing this way back in the day.

2. The Tool

First off, you really don’t need to have any knowledge about building an ADMX yourself! Okay, okay, it could be useful, that’s totally true. Looking back, I started creating ADMX files by using this simple VBS script. I have been using it for a very long time now and it still just works!

It took me some time to find it again on the world wide web, but if I am not mistaken this tool was written by Mariano.

Mariano S. Cosentino 🇦🇷🇺🇸 (@Mok726) / Twitter

In the past few years, I changed some parts in it but it is pretty much the same script. Feel free to download it here.

Please Note: Don’t forget to remove the .txt part after downloading

3. How does it work

When you have downloaded the tool/VBS script from the link above, we will need some settings that it could convert. I am going to use the example I showed you in part 1 of this blog.

I created a nice shiny reg file with some settings in it that I wanted to deploy to my users (not using HKLM in this example but using HKEY_LOCAL_MACHINE in the reg file does work!)

Please note: Remove any other additional reg keys / Categories if they aren’t needed! A good example below!

I made sure the cleaned reg file was placed inside the same folder as the reg 2 ADMX converter tool.

As shown above, with a simple command you can start the conversion of the reg file. You will need to add the preferred language and name to it and just press enter to start the conversion. Within 2 seconds you will have your freshly created ADMX and ADML files.

I first decided to add these files and the en-us folder (with the ADML in it) to my own c:\windows\policydefinitions folder so it would appear in my local group policy management tool.

As shown above, all the settings I defined in the reg file are now converted to some user-based group policy settings.
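What such a conversion boils down to, as an added example (this is not the VBS tool's code or its exact output): each dword under HKEY_CURRENT_USER becomes a `class="User"` policy and each one under HKEY_LOCAL_MACHINE a `class="Machine"` policy, with the display strings collected in the ADML. The sample reg content, the `ExplorerDemo` name and the `Contoso.Policies.ExplorerDemo` namespace are constructed for illustration.

```python
import re
from xml.sax.saxutils import escape, quoteattr
NS = "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
HIVES = {"HKEY_CURRENT_USER": "User", "HKEY_LOCAL_MACHINE": "Machine"}
# Constructed sample input; these value names are illustrative, not the post's reg file.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000000
"LaunchTo"=dword:00000001
'''

def parse_reg(text):
    """Yield (policy_class, key, value_name, value) for every dword entry."""
    policy_class = key = None
    for line in map(str.strip, text.splitlines()):
        section = re.fullmatch(r"\[(HKEY_[A-Z_]+)\\(.+)\]", line)
        if section:  # an unknown hive maps to None, so its values are skipped
            policy_class, key = HIVES.get(section.group(1)), section.group(2)
        entry = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
        if entry and policy_class:
            yield policy_class, key, entry.group(1), int(entry.group(2), 16)

def reg_to_admx(text, name="ExplorerDemo", namespace="Contoso.Policies.ExplorerDemo"):
    """Return (admx, adml) strings; name and namespace are hypothetical defaults."""
    policies, strings = [], [f'<string id="Cat">{escape(name)}</string>',
                             '<string id="Any">Any Windows version</string>']
    for i, (cls, key, value_name, value) in enumerate(parse_reg(text)):
        pid = f"P{i}_" + re.sub(r"\W", "_", value_name)  # unique, XML-safe policy id
        policies.append(f'<policy name="{pid}" class="{cls}" displayName="$(string.{pid})" '
            f'explainText="$(string.{pid}_Help)" key={quoteattr(key)} '
            f'valueName={quoteattr(value_name)}><parentCategory ref="Cat" />'
            f'<supportedOn ref="Any" /><enabledValue><decimal value="{value}" />'
            '</enabledValue></policy>')
        strings += [f'<string id="{pid}">{escape(value_name)}</string>',
                    f'<string id="{pid}_Help">Sets {escape(value_name)} to {value}</string>']
    head = '<?xml version="1.0" encoding="utf-8"?>\n'
    admx = (f'<policyDefinitions xmlns="{NS}" revision="1.0" schemaVersion="1.0">'
            f'<policyNamespaces><target prefix="demo" namespace="{namespace}" />'
            '</policyNamespaces><resources minRequiredRevision="1.0" /><supportedOn>'
            '<definitions><definition name="Any" displayName="$(string.Any)" />'
            '</definitions></supportedOn><categories><category name="Cat" '
            f'displayName="$(string.Cat)" /></categories><policies>{"".join(policies)}'
            '</policies></policyDefinitions>')
    adml = (f'<policyDefinitionResources xmlns="{NS}" revision="1.0" schemaVersion="1.0">'
            f'<displayName>{escape(name)}</displayName><description>{escape(name)}'
            f'</description><resources><stringTable>{"".join(strings)}</stringTable>'
            '</resources></policyDefinitionResources>')
    return head + admx, head + adml
```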

When opening the ADMX itself, we will notice that the ADMX is not nice to look at. I guess we are lucky again because, for almost everything you want to convert, there is an online converter tool.

Best XML Formatter and XML Beautifier (jsonformatter.org)

As shown above, you will have the option to download the new and improved ADMX file… but who cares what it looks like, right? As long as it works… I can live with it.

If the ADMX could be successfully opened with GPEDIT, we can start uploading the ADMX to Intune by using this wonderful new feature instead of ingesting the ADMX with a CSP.

After waiting some minutes for the upload to Intune to finish, we can start building our “Imported administrative template” by creating a new device configuration profile.

As shown below, when browsing the template we just imported, we will notice all of the settings we configured.

I defined some settings and started a sync on a test device. While doing so I made sure I had opened the SyncML tool from Oliver Kieselbach.

Windows 10 MDM client activity monitoring with SyncML Viewer – Modern IT – Cloud – Workplace (oliverkieselbach.com)

Within a few seconds after pressing sync, I noticed the ADMXInstall operation.

If you want to be sure the ADMX is installed on your device, open Regedit and browse to the software\microsoft\policymanager\admxinstalled registry key.

As shown above, a nice new ADMX was delivered. Within a second or 2, the ./user setting was also shown in the SyncML log.

No errors and also the devicemanagement-enterprise-diagnostics-provider admin event log is showing the right policy.

I guess it’s time to check whether the policy did its job! I opened the user’s registry and browsed to the explorer\advanced key. As shown below, all the settings we configured in Intune are deployed to the device!

After some more time waiting, we will also notice the Intune device report mentioning the succeeded setting status.

For the people wondering whether this tool can also convert HKLM settings into an ADMX: as shown below, of course, it’s possible!!!

4. How it doesn’t work

Creating and building our own ADMX to deploy some additional settings is great, but just as we learned when ingesting ADMX files in the past, sometimes it doesn’t work how we expected it would.

Why? Because some ingested policies are just not allowed to be written.

Luckily those keys have exclusions, otherwise, I guess I wouldn’t have used that currentversion\explorer example.

But when we don’t listen and we just push some policies that aren’t allowed, don’t look at the guy above when you end up with error events 850 and 865, mentioning that the registry key is blocked and you have been denied write access!

5. Another option to deploy a custom ADMX

Converting your own ADMX template is of course pretty cool, but you could also use Mikael Karlsson’s wonderful tool to create the ADMX that could be ingested!

You could do so by opening the Intune Tools in the Intune Management Tool and choosing “Reg Values” as shown below.

Annnnnddd… and instantly import it to Intune

When clicking on import, it will create a new custom policy with the ADMX and the setting you just configured.

Okay… it doesn’t give you the nice GUI option I showed you earlier when importing your own ADMX/ADML files but hey… it gets the job done?

6. Troubleshooting the ADMX import

When using a custom-made tool and using the wonderful new Intune ADMX import function, you could run into some weird import and device configuration errors.

Luckily I got you covered here! I decided to create a separate blog mentioning all the ADMX errors you could get! Go check it out!

Troubleshoot import errors when uploading the ADMX to Intune (call4cloud.nl)

Conclusion

Of course, we can write an ADMX on our own from scratch, but why would we do so when we have the option to deploy some settings by converting some registry settings to a simple ADMX? I know it doesn’t have all the options in it but it does work.

Again, all the credits for this script go to Mariano Cosentino for writing a tool that is over 10 years old and that still kicks ass.
