Today we are going to discuss ADMX Backed Windows 10 policies with Intune.
After reading this article you will be able to configure ADMX backed policies yourself.
Nowadays, most industries are moving to cloud technologies with MDM solutions. A good example of cloud-based solutions is Microsoft Intune. It is quite a challenge to set up on-premises domains on Windows 10 devices. The reason is that the configuration environments for Intune and GPO are slightly different.
While transitioning from on-prem to cloud, environments must have at least the same capabilities. Another condition is that Microsoft Intune must include components syncing with GPO.
Although there are thousands of settings available in Intune, they still do not cover all settings for Windows 10 devices.
Apparently, some settings are unavailable on the GUI. To fix this issue, Intune provided an option to configure a custom profile that can target the exact CSP using an OMA URI policy.
The supported CSPs for Intune can be found in the documentation: https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference
To resolve the above issue, Microsoft has launched 647 new MDM policies across 56 ADMX files for the Windows 10 Insider Preview Build.
Intune solutions rely on the Open Mobile Alliance Device Management (OMA-DM) protocol to exchange data using an XML-based (SyncML) format. Now it is possible to import any ADMX file straight into Intune. This is almost like traditional Group Policy in the cloud.
The available ADMX policies are located on Windows 10 devices, in the folder C:\Windows\PolicyDefinitions. However, some ADMX files are not supported. To get an overview of the (current) supported settings you can refer to the Windows blog post.
The following method shows how to ingest an ADMX-backed policy into Intune.
Creating a custom Windows ADMX policy means creating a custom OMA-URI.
Open Endpoint Manager: https://endpoint.microsoft.com/
Navigate to Devices > Windows > Configuration Profiles, click +Create Profile, select Windows 10 and Later as the Platform, select Custom in the Profile dropdown list, and click Create.
The below image shows OMA URI settings.
In the OMA-URI settings, fill in the mandatory fields.
Name – enter a meaningful full name that identifies the policy.
Description (optional) – describe the policy.
OMA-URI – ingest the ADMX policy.
Ingest the custom ADMX through the Policy CSP; here, ingesting means copy/paste.
To ingest an ADMX file we must use the following format:
./{user or device}/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}
./Device/Vendor/MSFT/Policy/Config
or
./User/Vendor/MSFT/Policy/Config
Here, Device or User indicates whether the policy is applied in the device context or the user context.
Apply the settings we want to enforce.
The example below shows the OMA-URI for configuring the time zone in the device context.
The value uses the String format and is set to “India Standard Time”.
./Device/Vendor/MSFT/Policy/Config/TimeLanguageSettings/ConfigureTimeZone
The reference image below shows the device's time zone with the change in effect.
Note: all available time zones are also listed in the registry in the key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones.
The time zone configuration is stored in the Windows registry in the HKEY_LOCAL_MACHINE hive. The exact registry key is:
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
The time zone settings consist of multiple values as seen in the screenshot below.
./Device/Vendor/MSFT/Policy/Config/TimeLanguageSettings/ConfigureTimeZone
Enter the above policy in the OMA-URI field and provide the required value, “India Standard Time”, in String format.
Review and save the window. Assign the policy to the device group.
Once the device has downloaded the policy, it changes the registry value as mentioned.
The device will now behave according to the settings pushed from Intune.
One important thing to note here is that if the value for a node is set and the device is then unenrolled, the value will not be changed.
The setting remains with the device until an external policy changes it using GPO, Intune, etc. Another option is that it can be changed manually by a local admin.
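To confirm on a device that the setting landed, and to spot later drift (the value persists after unenrollment and a local admin can change it), a local PowerShell check like the following can be used. This is an added example, not part of the original article or of Microsoft's tooling; the registry keys and OMA-URI are the ones given above, while the TimeZoneKeyName value name and the case-sensitive URI match are assumptions.

```powershell
# Added example: audits the ConfigureTimeZone policy from this article.
$OmaUri   = './Device/Vendor/MSFT/Policy/Config/TimeLanguageSettings/ConfigureTimeZone'
$Expected = 'India Standard Time'

# 1. Lint the OMA-URI against the Policy CSP pattern:
#    ./{User or Device}/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}
#    Assumption: the URI is treated as case-sensitive, hence -cmatch.
$pattern = '^\./(?<Scope>Device|User)/Vendor/MSFT/Policy/Config/' +
           '(?<Area>[^/]+)/(?<Policy>[^/]+)$'
if (-not ($OmaUri -cmatch $pattern)) {
    throw "OMA-URI does not match the Policy CSP format: $OmaUri"
}
$scope  = $Matches.Scope
$area   = $Matches.Area
$policy = $Matches.Policy

# 2. The String value must be a time zone ID this device knows about.
#    Each valid ID is a subkey of the Time Zones key.
$zonesKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones'
$validId  = Test-Path -LiteralPath (Join-Path $zonesKey $Expected)

# 3. Read the time zone the device is actually using.
#    Assumption: the active ID is stored in the TimeZoneKeyName value.
$tzKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
$actual = (Get-ItemProperty -LiteralPath $tzKey -Name TimeZoneKeyName).TimeZoneKeyName
# Strip any NUL padding left in the stored string.
$actual = $actual.Split([char]0)[0].Trim()

# 4. Report. A mismatch means the value drifted after deployment
#    (another policy, GPO, or a manual change by a local admin).
[pscustomobject]@{
    Scope             = $scope
    Area              = $area
    Policy            = $policy
    Expected          = $Expected
    ExpectedIdIsValid = $validId
    Actual            = $actual
    Compliant         = ($validId -and ($actual -eq $Expected))
}
```

A Compliant result only shows that the registry holds the expected value. Because the setting stays on the device after unenrollment, it does not prove the device is still managed by Intune.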
All the policy CSP information can be found in: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider
This was a brief look at how we can configure a custom profile using Intune. Thank you for your attention. We hope that this information was useful for you.
The author graduated with a Bachelor of Technology in Electronics & Communication in 2013 and has built a career in the field of cloud IT infrastructure. The author became associated with Microsoft technologies right from the bottom of the ladder, as a help desk operator. Working for Microsoft support with Convergys gave end-to-end insight into Microsoft Intune and SaaS-based technologies. The author then worked for multiple clients to migrate their device management strategies from on-prem to cloud, mostly Intune and AirWatch (VMware Workspace ONE), worked with HCL, and is now with ITC Infotech as an Intune consultant, planning and implementing device management for one of the biggest beer manufacturing companies globally.