Call4Cloud | MMP-C | Autopilot | Device Preparation

Convert Registry Settings to ADMX

Patch My Pc | install & update thousands of apps

This blog is going to show you how to create custom ADMX templates within a couple of minutes to deploy some HKEY_CURRENT_USER settings to your Intune-managed device

Please note: This blog isn’t going to be a deep dive into building those ADMX templates from scratch. I am going to show you how to deploy some HKCU settings without having deep knowledge about writing an ADMX.

1. Introduction

We all know the pain when we need to push a specific HKEY_CURRENT_USER setting, and there isn’t a settings catalog or an existing ADMX available.

Luckily, there are already some lovely ADMX templates available for many settings. One of the most used these days is the ADMX to mount drive letters from your Azure Ad Joined devices to your on-premises file server without having a Hybrid setup.

Mounting | Mapping | Managing Drive letters with Intune MDM (call4cloud.nl)

Of course, there are also enough examples out there that will require a PowerShell script to change some settings. OSDBuilder/Global Set-FileExplorerOptions.ps1 at main · manelrodero/OSDBuilder · GitHub

Afbeelding met tekst  Automatisch gegenereerde beschrijving

As shown above, this PowerShell script would create some additional currentversion\explorer settings in the current user’s registry.

When you block PowerShell with Applocker, you could run into some issues when deploying these scripts in the user session when using Intune. As always, I’ve got you covered here!

Intune User / HKCU registry settings from system context (call4cloud.nl)

The above blog will show you how to ensure the setting is deployed to the logged-in user from the system context. That’s nice, isn’t it? But I guess we can do better!!!

You Know You Can Do Better Wink GIF - You Know You Can Do Better Wink Flirt  - Discover & Share GIFs

Wouldn’t it be nice for us to build our own ADMX/ADML and import it into Intune with the fantastic ADMX import function in Intune?

I guess it would right? So I decided to write a blog on how I started writing custom ADMX files as I was already doing this way back in the day.

2. Create Custom ADMX

First off, you really don’t need to know anything about converting registry settings to ADMX and, by doing so, building that ADMX yourself! Okay, it could be useful; that’s totally true. Looking back, I started creating ADMX files by using this simple VBS script. I have been using it for a very long time now, and it just still works!

It took me some time to find it again on the World Wide Web, but if I am not mistaken, this tool was written by Mariano. I changed some parts in the past few years, but it is pretty much the same script. Feel free to download it here.

Please Note: Don’t forget to remove the .txt part after downloading

3. How does it work

When you have downloaded the tool/VBS script from the link above, we will need some settings that it can convert. I will use the example I showed you in part 1 of this blog.

I created a shiny reg file with some settings that I wanted to deploy to my users. (I did not use HKLM in this example, but using HKEY_LOCAL_MACHINE in the reg file does work!)

Exporting the hkey_current_user registry settings to create custom admx

Please note: Remove any other additional reg keys / Categories if they aren’t needed! A good example below!

i removed the additional registry keys, so i can start converting registry settings to admx

I ensured the cleaned reg file was placed inside the same folder as the reg 2 ADMX converter tool.

using the reg 2 ADMX tool to start converting the registry settings to an ADMX file, so i can import it in Intune

As shown above, with a simple command you can start the conversion of the reg file. You must add the preferred language and name to it, and just press enter to start the conversion. Within 2 seconds, you will have your freshly created ADMX and ADML files.

the converted registry settings are now stored in an admx file and also the language folder is in the sam efolder

I first decided to add these files and the en-us folder (with the ADML in it) to my own c:\windows\policydefinitions folders so it would appear in my local group policy management tool

Opening the admx file in the group policy object editor to find out if thesettings are in it

As shown above, all the settings I defined in the reg file are now converted to some user-based group policy settings.

When opening the ADMX itself, we will notice that it is not nice to look at. I guess we are lucky again because there is an online converter tool for almost everything you want to convert.

Best XML Formatter and XML Beautifier (jsonformatter.org)

using the xml formatter to find out if the admx template | adml template is successful

As shown above, you will have the option to download to new and improved ADMX file… but who cares what it looks like right? As long as it works… I can live with it

If the ADMX could be successfully opened with GPEDIT, we can start uploading the ADMX to Intune by using this wonderful new feature instead of ingesting the ADMX with a CSP

importing the admx and adml file to Intune to make them available in the administrative templates

After we waited some minutes to get it uploaded to Intune we can start building our “Imported administrative template” by creating a new device configuration profile

As shown below, when browsing the template we just imported, we will notice all of the settings we configured

configuring the settings in the imported administrative templates (preview) settings

I defined some settings and started a sync on a test device. While doing so I made sure I had opened the SyncML tool from Oliver Kieselbach

Windows 10 MDM client activity monitoring with SyncML Viewer – Modern IT – Cloud – Workplace (oliverkieselbach.com)

Within a few seconds after pressing sync, I noticed the ADMXInstall operation

Afbeelding met tekst  Automatisch gegenereerde beschrijving

If you want to be sure the ADMX is installed on your device, we will need to open Regedit and open the software\microsoft\policymanager\admxinstalled registry key

checking out if the converted registry settings to admx showed up in the hkey_current_user registry aftre importing and assigning the admx in intune

As shown above, a nice new ADMX was delivered. Within a second or 2, the ./user setting was also shown in the SyncML log

Afbeelding met tekst  Automatisch gegenereerde beschrijving

There are no errors, and also the devicemanagement-enterprise-diagnostics-provider admin event log is showing the right policy.

checking out if the event 814 showed up that shows if the settings are indeed imported to the device

I guess it’s time to check out if the policy did its job! I opened the user his registry and browsed to the explorer\advanced key. As shown below, all the settings we configured in Intune are deployed to the device!

the admx with the converted registry settings was indeeed succesfully deployed to the device

After some more time waiting, we will also notice the Intune device report mentioning the succeeded setting status

the Intune Device report also shows the imported ADMX and its corresponding settings are successfully deployed to the device

For the people who are interested if it is also possible to convert HKLM settings to be used for an ADMX with this tool? As shown below, of course, it’s possible!!!

4. How it doesn’t work

Creating and building our own ADMX to deploy some additional settings is great, but as we learned when ingesting ADMX files in the past, sometimes it doesn’t work as we expected.

Why? Because some ingested policies are just not allowed to be written.

ingested polices are not allowed to write to locatons within the system\software\microsoft and software\policies\microsoft except a few locations

Luckily, those keys have exclusions. Otherwise, I guess I wouldn’t have used that currentversion\explorer example.

Obviously Meme GIF - Obviously Meme Obvious - Discover & Share GIFs

But when we don’t listen and push some policies that aren’t allowed, don’t look at the guy above when you end up with error events 850 and 865, mentioning that the registry key is blocked and you have been denied write access!

events 850 and 865, mentioning that the registry key is blocked and you have been denied write access!
events 850 and 865, mentioning that the registry key is blocked and you have been denied write access!

5. Another option to deploy a custom ADMX

Writing Converting your own ADMX template is of course pretty cool but you could also use Mikael Karlsson his wonderful tool to create the ADMX that could be ingested!

You could do so by opening the Intune Tools in the Intune Management Tool and choosing “Reg Values” as shown below.

Annnnnddd… and instantly import it to Intune

When clicking on import, it will create a new custom policy with the ADMX and the setting you just configured

Okay… it doesn’t give you the nice GUI option I showed you earlier when importing your own ADMX/ADML files but ey… it gets the job done?

6. Troubleshooting the ADMX import

When using a custom-made tool and the wonderful new Intune ADMX import function, you could encounter some weird import and device configuration errors.

Luckily I got you covered here! I created a separate blog mentioning all the ADMX errors you could get! Go check it out!

Troubleshoot import errors when uloading the ADMX to Intune (call4cloud.nl)

Conclusion

Of course, we can write an ADMX on our from scratch but why would we do so when we have the option to deploy some settings by converting some registry settings to a simple ADMX? I know it doesn’t have all the options in it but it does work.

Again all the credits for this script go to Mariano Cosentino for writing a tool that is over 10 years old and that still kicks ass.

3 thoughts on “Convert Registry Settings to ADMX

  1. This worked great for me! A software application that I use was bundled with some ADMX files but they never would import. Always received an error message in Intune.

    I came across this article and was able to convert the software reg keys I needed easily into ADMX files and imported perfectly.

    The only piece that did not work for me was the XML Formatter and Beautifier webpage. Even after selecting my ADMX file, nothing would be imported. Page just kept resetting itself.

  2. This tool has been amazing. Works everytime I have needed some reg settings. Far and away easier than scripts or remediations to add reg settings.

    I wish MS would license this and keep it going for as long as possible.

  3. Worked really well, is there a way I can deploy this MSI file via intune so it can be installed on all machines

Leave a Reply

Your email address will not be published. Required fields are marked *

31  +    =  41

Proudly powered by WordPress | Theme: Wanderz Blog by Crimson Themes.