This blog is going to show you how to create custom ADMX templates within a couple of minutes to deploy some HKEY_CURRENT_USER settings to your Intune-managed device

Please note: This blog isn’t going to be a deep dive into building those ADMX templates from scratch. I am going to show you how to deploy some HKCU settings without having deep knowledge about writing an ADMX.

1. Introduction

We all know the pain when we need to push a specific HKEY_CURRENT_USER setting, and there isn’t a settings catalog or an existing ADMX available.

Luckily, there are already some lovely ADMX templates available for many settings. One of the most used these days is the ADMX to mount drive letters from your Azure Ad Joined devices to your on-premises file server without having a Hybrid setup.

Mounting | Mapping | Managing Drive letters with Intune MDM (call4cloud.nl)

Of course, there are also enough examples out there that will require a PowerShell script to change some settings. OSDBuilder/Global Set-FileExplorerOptions.ps1 at main · manelrodero/OSDBuilder · GitHub

As shown above, this PowerShell script would create some additional currentversion\explorer settings in the current user’s registry.

When you block PowerShell with Applocker, you could run into some issues when deploying these scripts in the user session when using Intune. As always, I’ve got you covered here!

Intune User / HKCU registry settings from system context (call4cloud.nl)

The above blog will show you how to ensure the setting is deployed to the logged-in user from the system context. That’s nice, isn’t it? But I guess we can do better!!!

Wouldn’t it be nice for us to build our own ADMX/ADML and import it into Intune with the fantastic ADMX import function in Intune?

I guess it would right? So I decided to write a blog on how I started writing custom ADMX files as I was already doing this way back in the day.

2. Create Custom ADMX

First off, you really don’t need to know anything about converting registry settings to ADMX and, by doing so, building that ADMX yourself! Okay, it could be useful; that’s totally true. Looking back, I started creating ADMX files by using this simple VBS script. I have been using it for a very long time now, and it just still works!

It took me some time to find it again on the World Wide Web, but if I am not mistaken, this tool was written by Mariano. I changed some parts in the past few years, but it is pretty much the same script. Feel free to download it here.

Please Note: Don’t forget to remove the .txt part after downloading

3. How does it work

When you have downloaded the tool/VBS script from the link above, we will need some settings that it can convert. I will use the example I showed you in part 1 of this blog.

I created a shiny reg file with some settings that I wanted to deploy to my users. (I did not use HKLM in this example, but using HKEY_LOCAL_MACHINE in the reg file does work!)

Please note: Remove any other additional reg keys / Categories if they aren’t needed! A good example below!

I ensured the cleaned reg file was placed inside the same folder as the reg 2 ADMX converter tool.

As shown above, with a simple command you can start the conversion of the reg file. You must add the preferred language and name to it, and just press enter to start the conversion. Within 2 seconds, you will have your freshly created ADMX and ADML files.

I first decided to add these files and the en-us folder (with the ADML in it) to my own c:\windows\policydefinitions folders so it would appear in my local group policy management tool

As shown above, all the settings I defined in the reg file are now converted to some user-based group policy settings.

When opening the ADMX itself, we will notice that it is not nice to look at. I guess we are lucky again because there is an online converter tool for almost everything you want to convert.

Best XML Formatter and XML Beautifier (jsonformatter.org)

As shown above, you will have the option to download to new and improved ADMX file… but who cares what it looks like right? As long as it works… I can live with it

If the ADMX could be successfully opened with GPEDIT, we can start uploading the ADMX to Intune by using this wonderful new feature instead of ingesting the ADMX with a CSP

After we waited some minutes to get it uploaded to Intune we can start building our “Imported administrative template” by creating a new device configuration profile

As shown below, when browsing the template we just imported, we will notice all of the settings we configured

I defined some settings and started a sync on a test device. While doing so I made sure I had opened the SyncML tool from Oliver Kieselbach

Windows 10 MDM client activity monitoring with SyncML Viewer – Modern IT – Cloud – Workplace (oliverkieselbach.com)

Within a few seconds after pressing sync, I noticed the ADMXInstall operation

If you want to be sure the ADMX is installed on your device, we will need to open Regedit and open the software\microsoft\policymanager\admxinstalled registry key

As shown above, a nice new ADMX was delivered. Within a second or 2, the ./user setting was also shown in the SyncML log

There are no errors, and also the devicemanagement-enterprise-diagnostics-provider admin event log is showing the right policy.

I guess it’s time to check out if the policy did its job! I opened the user his registry and browsed to the explorer\advanced key. As shown below, all the settings we configured in Intune are deployed to the device!

After some more time waiting, we will also notice the Intune device report mentioning the succeeded setting status

For the people who are interested if it is also possible to convert HKLM settings to be used for an ADMX with this tool? As shown below, of course, it’s possible!!!

4. How it doesn’t work

Creating and building our own ADMX to deploy some additional settings is great, but as we learned when ingesting ADMX files in the past, sometimes it doesn’t work as we expected.

Why? Because some ingested policies are just not allowed to be written.

Luckily, those keys have exclusions. Otherwise, I guess I wouldn’t have used that currentversion\explorer example.

But when we don’t listen and push some policies that aren’t allowed, don’t look at the guy above when you end up with error events 850 and 865, mentioning that the registry key is blocked and you have been denied write access!

5. Another option to deploy a custom ADMX

Writing Converting your own ADMX template is of course pretty cool but you could also use Mikael Karlsson his wonderful tool to create the ADMX that could be ingested!

You could do so by opening the Intune Tools in the Intune Management Tool and choosing “Reg Values” as shown below.

Annnnnddd… and instantly import it to Intune

When clicking on import, it will create a new custom policy with the ADMX and the setting you just configured

Okay… it doesn’t give you the nice GUI option I showed you earlier when importing your own ADMX/ADML files but ey… it gets the job done?

6. Troubleshooting the ADMX import

When using a custom-made tool and the wonderful new Intune ADMX import function, you could encounter some weird import and device configuration errors.

Luckily I got you covered here! I created a separate blog mentioning all the ADMX errors you could get! Go check it out!

Troubleshoot import errors when uloading the ADMX to Intune (call4cloud.nl)

Conclusion

Of course, we can write an ADMX on our from scratch but why would we do so when we have the option to deploy some settings by converting some registry settings to a simple ADMX? I know it doesn’t have all the options in it but it does work.

Again all the credits for this script go to Mariano Cosentino for writing a tool that is over 10 years old and that still kicks ass.