Support Tip: Ingesting Office ADMX-Backed policies using Microsoft Intune
Published Feb 21 2019 09:08 AM 40.6K Views
Microsoft

Hello everyone, today we have a great article from Intune Technical Advisor Mohammed Abudayyeh. In this article, Mohammed walks through the process of ingesting Office ADMX files and creating ADMX-backed policies for Win32 and Desktop Bridge apps using Windows 10 MDM.

 

We have released ADMX-backed administrative templates within Intune. The feature gives templated access to a selection of Group Policy administrative templates (ADMX-backed policies) for Windows PCs via the Policy configuration service provider (CSP). If the policy you want to implement is available in these administrative templates, that is the recommended method rather than the ADMX ingestion discussed here. You can learn more here: Use Windows 10 templates to configure group policy settings in Microsoft Intune.

 


=====

 

Introduction

 

Starting with Windows 10 version 1703, we can now import ADMX files (aka ADMX ingestion) and set ADMX-backed policies for Win32 and Desktop Bridge apps using Windows 10 Mobile Device Management (MDM). In this scenario, the ADMX files that define the policy information are delivered to your devices using the Policy CSP URI ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall and then the ingested ADMX files are processed into MDM policies. This post covers the following topics:

  • The Registry keys used
  • The steps to ingest ADMX files
  • Reviewing the settings after deployment
  • An example using PowerPoint

 

Registry Keys

 

When the ADMX policies are imported, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the System, Software\Microsoft, and Software\Policies\Microsoft keys, except for the following locations:

  • Software\Policies\Microsoft\Office\
  • Software\Microsoft\Office\
  • Software\Microsoft\Windows\CurrentVersion\Explorer\
  • Software\Microsoft\Internet Explorer\
  • software\policies\microsoft\shared tools\proofing tools\
  • software\policies\microsoft\imejp\
  • software\policies\microsoft\ime\shared\
  • software\policies\microsoft\shared tools\graphics filters\
  • software\policies\microsoft\windows\currentversion\explorer\
  • software\policies\microsoft\softwareprotectionplatform\
  • software\policies\microsoft\officesoftwareprotectionplatform\
  • software\policies\microsoft\windows\windows search\preferences\
  • software\policies\microsoft\exchange\
  • software\microsoft\shared tools\proofing tools\
  • software\microsoft\shared tools\graphics filters\
  • software\microsoft\windows\windows search\preferences\
  • software\microsoft\exchange\
  • software\policies\microsoft\vba\security\
  • software\microsoft\onedrive

Steps to ingest ADMX files

 

Step 1 - Download the ADMX files

The first thing we need to do is download the ADMX files for Office 16 to your computer. They can be found at https://www.microsoft.com/en-us/download/details.aspx?id=49030. You will notice that each product under Microsoft Office has its own ADMX file, and therefore its own set of ADMX-backed policies.

 

Step 2 - Create the OMA-URI custom policy

Now we need to deliver these ADMX policies to the computers you want to manage:

 

1. In the Azure portal, select All services, filter on Intune, then select Microsoft Intune.

2. Select Device configuration -> Profiles -> Create profile.

3. Enter the following settings:

    • Name: Enter a name for the profile, such as Office 16 custom profile.
    • Description: Enter a description for the profile.
    • Platform: Choose Windows 10 and later.
    • Profile type: Choose Custom.


4. Under Custom OMA-URI Settings, click Add and enter the following settings:

    • Name: Enter a unique name for the OMA-URI setting to help you identify it in the list of settings.
    • Description: Enter a description that gives an overview of the setting, and any other important details.
    • OMA-URI (this is case sensitive): Enter the OMA-URI you want to use as a setting: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Office16/Policy/Office16Policy
    • Data type: Choose the data type you'll use for this OMA-URI setting. Select String.
    • Value: Enter the data value you want to associate with the OMA-URI you entered. In our case we will paste the content of the office16.admx file into the Value field.

The table below shows the OMA-URI, Data Type and Value for the rest of the Office apps. 

 

| Office Application | OMA-URI | Data Type | Value |
|---|---|---|---|
| Microsoft Access 2016 | ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Office16/Policy/Access16 | String | The content inside access16.admx |
| Microsoft Excel 2016 | ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Office16/Policy/Excel16 | String | The content inside excel16.admx |
| Microsoft Lync 2016 | ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Office16/Policy/lync16 | String | The content inside lync16.admx |
| Microsoft OneNote 2016 | ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Office16/Policy/Onenote | String | The content inside onent16.admx |
| Microsoft Outlook 2016 | ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Office16/Policy/Outlook16 | String | The content inside outlk16.admx |
| Microsoft PowerPoint 2016 | ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Office16/Policy/Powerpoint16 | String | The content inside ppt16.admx |
| Microsoft Project 2016 | ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Office16/Policy/Project16 | String | The content inside proj16.admx |
| Microsoft Publisher 2016 | ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Office16/Policy/Publisher16 | String | The content inside pub16.admx |
| Microsoft Visio 2016 | ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Office16/Policy/Visio16 | String | The content inside visio16.admx |
| Microsoft Word 2016 | ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Office16/Policy/Word16 | String | The content inside word16.admx |

 

Note that you can put all application settings in one profile by repeating step 4 for each. 

 

5. Select OK to save your changes. Continue to add more settings as needed.

6. When finished, choose OK and then Create to create the Intune profile.

 

Step 3 - Assign the policy to users

 

1. Click Assignments, then click Select Groups and select the group you want to assign your policy to. In this example we’re assigning the policy to the All Users & All Devices group.

2. Click Save to save the assignment.

 


 

When complete, your profile is shown in the Device configuration - Profiles list.

 


 

Reviewing the settings after deployment

 

1. On a targeted computer, run RegEdit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\. Drill down and you should see policy settings similar to those shown in the screenshot below.


 

2. Now navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault. You should see entries similar to the ones below, depending on the policies you configured in step 2 above.

 


 

An example using PowerPoint

 

Now that we’ve gone over how this works, let’s walk through an example. We’ll configure the default save location for PowerPoint files, and customize the AutoRecover frequency and AutoRecover save location for PowerPoint as well.

 

1. In the Azure portal, select All services, filter on Intune, then select Microsoft Intune.

2. Select Device configuration -> Profiles -> Create profile.

3. Enter the following settings:

    • Name: Enter a name for the profile, such as Custom PowerPoint Save Location.
    • Description: Enter a description for your profile.
    • Platform: Choose Windows 10 and later.
    • Profile type: Choose Custom.

4. Under Custom OMA-URI Settings, select Add and enter the following settings:

    • Name: Enter a unique name for the OMA-URI setting to help you identify it in the list of settings.
    • Description: Enter a description that gives an overview of the setting, and any other important details.
    • OMA-URI (case sensitive): Enter the OMA-URI you want to use as a setting. In this example it will be ./User/Vendor/MSFT/Policy/Config/Office16~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions~L_Save
    • Data Type: String
    • Value: <enabled/><data id="L_defaultfilelocation0" value="default"/> 

So how did we know all that? We can see this in the Registry:

 


 

Looking in the ppt16.admx file (you can open it in Notepad) we can also see other important information that this setting uses:

 

<policy name="L_Defaultfilelocation" class="User" displayName="$(string.L_Defaultfilelocation)" explainText="$(string.L_Specifiesthedefaultlocationforpresentationfiles)" presentation="$(presentation.L_Defaultfilelocation)" key="software\policies\microsoft\office\16.0\powerpoint\options">
  <parentCategory ref="L_Save" />
  <elements>
    <text id="L_defaultfilelocation0" key="software\policies\microsoft\office\16.0\powerpoint\recentfolderlist" valueName="default" required="true" expandable="true" />
  </elements>
</policy>

 

So when we’re done it should look something like this:

 


 

5. Select OK to save your changes. In this example I’m going to add a few other settings, like L_AutoRecoversavefrequencyminutes, as the policy will be enabled just by inputting the required settings (i.e. we do not need to add <enabled/>):

 

<policy name="L_SaveAutoRecoverinfo" class="User" displayName="$(string.L_SaveAutoRecoverinfo)" explainText="$(string.L_CheckedCheckstheoptionSaveAutoRecoverinfoUncheckedUnchecksth)" presentation="$(presentation.L_SaveAutoRecoverinfo)" key="software\policies\microsoft\office\16.0\powerpoint\options">
  <parentCategory ref="L_Save" />
  <elements>
    <boolean id="L_EnablesaveAutoRecoverinfo" valueName="saveautorecoveryinfo">
      <trueValue>
        <decimal value="1" />
      </trueValue>
      <falseValue>
        <decimal value="0" />
      </falseValue>
    </boolean>
    <decimal id="L_AutoRecoversavefrequencyminutes" valueName="frequencytosaveautorecoveryinfo" minValue="1" maxValue="9999" />
    <text id="L_AutoRecoversavelocation" valueName="pathtoautorecoveryinfo" expandable="true" />
  </elements>
</policy>

 

This policy includes multiple elements, the ones highlighted above (boolean, decimal and text). For these kinds of policies, I suggest copying the ADMX file into the Windows PolicyDefinitions folder and the ADML file into PolicyDefinitions\en-us in order to review the policy settings and the parameters inside it. Using gpedit.msc and looking under Microsoft PowerPoint 2016, we can see the data these parameters need in order to enable the policy.

 


 

Putting all this together, the settings from the Intune side to enable this policy are as follows:

 

  • OMA-URI: ./User/Vendor/MSFT/Policy/Config/Office16~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions~L_Save/L_SaveAutoRecoverinfo
  • Data-Type: String
  • Value (both data elements go into the one Value field):

<data id="L_AutoRecoversavefrequencyminutes" value="1"/>
<data id="L_AutoRecoversavelocation" value="%USERPROFILE%\Application Data\Microsoft\PowerPoint"/>
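As an added example (not code from the post or from Intune), the following Python script automates what the post does by hand with ppt16.admx: it parses the ADMX definitions, reconstructs the category chain to produce the OMA-URI, checks each policy's registry key against the ingestion allow-list from the Registry Keys section, and assembles the <enabled/><data .../> value while enforcing the element constraints (decimal range, required text). The ADMX fragment is constructed and its category declarations are assumed; the script always prefixes <enabled/>, which is the form the Policy CSP documentation gives for enabling an ADMX-backed policy, whereas the AutoRecover value above omits it.

```python
# Added example (not the post's code): OMA-URIs, allow-list checks and values from an ADMX file.
import xml.etree.ElementTree as ET

APP_NAME, SETTING_TYPE = "Office16", "Policy"  # segments after .../ADMXInstall/
ALLOWED_KEYS = (  # keys an ingested policy may write under (subset of the post's list)
    "software\\policies\\microsoft\\office", "software\\microsoft\\office",
    "software\\policies\\microsoft\\vba\\security", "software\\microsoft\\onedrive")

# Constructed sample modelled on the post's ppt16.admx excerpt; the category
# declarations are assumed (the real file declares them elsewhere).
ADMX_SAMPLE = """<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
 <categories>
  <category name="L_MicrosoftOfficePowerPoint"/>
  <category name="L_PowerPointOptions"><parentCategory ref="L_MicrosoftOfficePowerPoint"/></category>
  <category name="L_Save"><parentCategory ref="L_PowerPointOptions"/></category>
 </categories>
 <policies>
  <policy name="L_SaveAutoRecoverinfo" class="User" key="software\\policies\\microsoft\\office\\16.0\\powerpoint\\options">
   <parentCategory ref="L_Save"/>
   <elements>
    <boolean id="L_EnablesaveAutoRecoverinfo" valueName="saveautorecoveryinfo"/>
    <decimal id="L_AutoRecoversavefrequencyminutes" valueName="frequencytosaveautorecoveryinfo" minValue="1" maxValue="9999"/>
    <text id="L_AutoRecoversavelocation" valueName="pathtoautorecoveryinfo" required="true" expandable="true"/>
   </elements>
  </policy>
 </policies>
</policyDefinitions>"""

def _local(el):  # tag name without the XML namespace prefix
    return el.tag.rsplit("}", 1)[-1]
def _parent_ref(el):  # ref attribute of the <parentCategory/> child, if any
    return next((c.get("ref") for c in el if _local(c) == "parentCategory"), None)

def parse_admx(text):  # one dict per <policy>: name, class, key, category chain, elements
    root = ET.fromstring(text)
    parents = {c.get("name"): _parent_ref(c) for c in root.iter() if _local(c) == "category"}
    policies = []
    for pol in (e for e in root.iter() if _local(e) == "policy"):
        chain, ref = [], _parent_ref(pol)
        while ref:  # walk up to the root category; this order forms the URI's area part
            chain.insert(0, ref)
            ref = parents.get(ref)
        elements = [dict(e.attrib, kind=_local(e)) for g in pol if _local(g) == "elements" for e in g]
        policies.append(dict(name=pol.get("name"), cls=pol.get("class"), key=pol.get("key"),
                             chain=chain, elements=elements))
    return policies

def oma_uri(policy):  # ./<scope>/Vendor/MSFT/Policy/Config/<app>~<type>~<categories>/<name>
    scopes = {"User": ["User"], "Machine": ["Device"]}.get(policy["cls"], ["User", "Device"])
    area = "~".join([APP_NAME, SETTING_TYPE] + policy["chain"])
    return ["./%s/Vendor/MSFT/Policy/Config/%s/%s" % (s, area, policy["name"]) for s in scopes]

def key_allowed(key):  # does the policy's registry key sit under an allowed prefix?
    k = key.lower().rstrip("\\") + "\\"
    return any(k.startswith(p + "\\") for p in ALLOWED_KEYS)

def build_value(policy, values):  # setting value with the ADMX element constraints enforced
    parts = ["<enabled/>"]
    for e in policy["elements"]:
        v = values.get(e["id"])
        if v is None:  # omitted element: fine unless the ADMX marks it required
            if e.get("required") == "true":
                raise ValueError("missing required element " + e["id"])
            continue
        if e["kind"] == "decimal":
            lo, hi = int(e.get("minValue", 0)), int(e.get("maxValue", 4294967295))
            if not lo <= int(v) <= hi:
                raise ValueError("%s must be in %d..%d" % (e["id"], lo, hi))
        parts.append('<data id="%s" value="%s"/>' % (e["id"], v))  # booleans: "true"/"false"
    return "".join(parts)
```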

 

It will look something like this:

 


When finished, choose OK and then Create to create your Intune profile. When complete, your profile will be shown under Device configuration -> Profiles.

 

Summary

 

This guide walks through the full cycle of ingesting the Office ADMX files and working with the policies inside them, noting that each policy has its own configuration settings and that you need to understand how to handle them in order to deliver them successfully to your targeted computers.

 

I also showed how some policies inside each ADMX file differ from others, and why you need to review the required policy in the administrative template, since it gives you a clear view of the settings included in each policy.

 

Important notes

  • If you update the content of any file, you need to clean the directory on the targeted machines; otherwise you will face issues such as the policy remaining in a pending status, other policies being delayed, and in some cases policies not being delivered to the machines at all.
  • The allowed character limit is 35K; otherwise you will get a notification in your admin portal that the file exceeds the limit.
  • If you have a large file, we recommend splitting it using any XML/ADMX editor tool and sending it over in parts under the desired directory.

 

Mohammed Abudayyeh

Intune Technical Advisor

 

As always, if you have any feedback please leave us a comment below.

 

Blog post updates:

11/23/20: Included an "Important notes" section at the end of this post.

15 Comments
Copper Contributor

This is a great post. Useful information about where to confirm the ADMX has come down correctly. I have used it to deploy OneDrive auto configure with great success. Makes Autopilot devices have an even better experience.

 

Are there any plans to allow the following registry location to be used?

Software\Policies\Microsoft\OneDrive\TenantAutoMount

 

I see this being useful to be able to auto Mount MS Team sites within OneDrive via AD groups (attached to the MS Teams Site). I know it is a beta feature of OneDrive, but seems like a great and integrated idea.

Microsoft

Very useful, helpful and great article. Thanks for publishing, Mohammed.

Iron Contributor
Very useful post, thanks. With Intune now natively supporting 'Administrative Templates' (still in preview I know) I have to ask the question if manually ingesting the ADMX is still required for Office/ODB etc.. Any advice on why I should use one over the other would be really appreciated. One reason I can think of is that maybe 'Administrative Templates' does not yet cover all settings? Regards, Jan
Microsoft

@Alan - Thanks for the comment. We're always looking to improve and add new features so I'd suggest you post this on our UserVoice site here: https://microsoftintune.uservoice.com/forums/291681-ideas. The product team takes a great deal of direction from the ideas and feedback there so that's the best way to let them know what you'd like to see.

Microsoft

@Jan - That's a great question! Which one to use really comes down to whichever method does what you want, and for me, whichever one is easier. You're right that Administrative Templates don't yet cover all settings yet but we're working to expand that, and that method is probably the easier of the two to implement in most scenarios. The end result on the device should be the same either way so I'd say it comes down to personal preference right now. 

Copper Contributor

@J.C. Hornbeck Great guide! But something is not working in our Intune. I followed it step by step and imported the Office16.admx with the URI "./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Office16/Policy/Office16Policy".

The error in Intune is just telling "-2016281112 (Remediation failed)". Then I looked it up locally and get this error (2nd screenshot). What is wrong?

 

Edit:

When I try it with the excel.admx it is working fine. Just not with the office16.admx

 

Edit2:

In the REG: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\...\Office16\Policy\Office16Policy, there is now an entry with the Name: "ErrorMessage", Value: "hr=-2147024891,Tag=key,line=18266,pos=146,depth=3"


 


Iron Contributor

Thanks for this. It's good that we can still deploy settings even though they aren't immediately available in the Administrative Templates section. It would be really nice to be able to actually ingest rather than drip feed an ADMX in, manually setting by setting. I feel like if everyone who had to use this method clubbed together we could pay someone to put in all these settings just once into the system so we didn't have to build them all manually. If we could even upload an ADMX and have it build the OMA-URI for us or... something ! Like I said, great that you've built in the flexibility but if GPOs worked like this I don't think I'd ever have got as far as I have.

Copper Contributor

@SMP-Ben I am getting the same issue, but with a different line number. I wonder if there is a size limit on the XML? The Office one is over 18,000 lines long and the others are around 5000 or less. Can anyone confirm?

 

EDIT

I removed some policies from the file and reduced the size to 18251 lines, deleted the registry entry detailing the error and rebooted the machine, and now it loaded the ADMX fine.

Copper Contributor

Found this thread from last year. Great article. Does the Intune Office Cloud Policy Service perform this function now? Or at least a large part of it?

Brass Contributor

How should group assignment be scoped?

 

Ingesting custom .admx files ain't too difficult; that is clearly targeted to groups of computers since the URI is device level: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Office16/Policy/Office16Admx

 

But what of user scoped policies? Since the actual policy URIs are ./User/Vendor/MSFT/Policy/Config/Office16~L~L so on, should the assigned groups be of users or devices? At the moment, my Intune interface is just showing the ultimate deployment status pending, and the target computers' Office apps don't exhibit the default behaviour we want.

 

e.g.

./User/Vendor/MSFT/Policy/Config/Office16~Policy~L_MicrosoftOfficeSystem~L_AutoSave/L-autoSaveDefaultOffExcel
./User/Vendor/MSFT/Policy/Config/Office16~Policy~L_MicrosoftOfficeSystem~L_AutoSave/L-autoSaveDefaultOffPowerPoint
./User/Vendor/MSFT/Policy/Config/Office16~Policy~L_MicrosoftOfficeSystem~L_AutoSave/L-autoSaveDefaultOffWord

Brass Contributor

So yesterday in trying all these out, it turns out that "naively" ingesting the stock office16.admx has some seriously insidious effects on the whole Intune-Windows MDM environment.

 

The ADMX-ingestion config profile is perpetually stuck in pending status. The custom Office OMA-URI policies config profile also stuck pending. Not only that, it seems all computers affected won't respond to other types of config profiles too. Intune and the Windows computers all seem stuck in some state of limbo and not sure how to resuscitate them all.

 

Doesn't appear we're the only organisation to be struck by such a show-stopper.

https://social.technet.microsoft.com/Forums/en-US/c87e8844-1c3e-4494-b311-070244c6dc27/issue-with-ad...

 

UPDATE

So while Intune tech support refuse to take responsibility or any action or even any hint on how to actually clear this Windows-Intune sync coma situation, I tried a theory and it has proven to get the affected Windows computers to "snap out of it".

 

Manually delete off from Registry

  • Every HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault\<PROVIDER ID>\Office16~Policy~ key
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\<PROVIDER ID>\Office16

Trigger a sync with MDM, and Intune should now be able to push down the policies using the correct built-in AT configuration profile; they will re-populate under the app namespace of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault\<PROVIDER ID>\office16v2~Policy~

 

CONCLUSION

This article is not just out-dated and incompatible, but also downright dangerous and presents a show-stopper since computers begin ignoring MDM directives/commands. The techniques mentioned here must be ignored.

Copper Contributor

@icelava Hi there, thank you for your notes. I wrote this article and I just finished testing it. There are a couple of updates on it, but they are not related to the issue observed by you, since you basically cleaned up the already deployed files and deployed them again. On the other hand, I maybe didn't get your exact issue, so please share with me your contact info so I can reach you directly before reflecting the new updates on this blog.

 

Brass Contributor

Hi @MoAbuDayyeh, I'm not sure whether you should update the article or outright invalidate it. When I first learnt about MDM via Intune late last year, I came across this article as an example of how to apply custom software policies by way of ADMX ingestion. Back then I don't remember Intune directly having Office 2016 ATs internally, but it didn't matter since we were only interested in controlling other software like Lenovo Vantage or Google Chrome; we ingested their ADMX templates accordingly and applied configuration profiles with no problems.

 

Come earlier this year, we decided to control some behaviours of Office apps, and referring back to this article, performed the same steps, and then found all our targeted computers stuck in pending status and never responding to any subsequent MDM commands thereafter. Effectively all the organisation's Windows computers were no longer manageable by us the IT operations team.

 

It is by a stroke of luck in experimenting with (manually deleting) the above Registry keys that we managed to wake our computers from their comas and have them responding to MDM again. This is however a huge DOS vulnerability in the Windows MDM client stack, and I have already alerted tech support to raise this problem to the relevant Windows development team.

 

Only later did we realise Intune now offered Office 2016 ATs out of the box, and that is the proper and safe way to configure their behaviours. This custom ADMX method is now completely dangerous to use.

Iron Contributor

Sadly the built-in policies are still far from what standard GPO can offer (i.e. setting a user's fonts in Outlook).

Copper Contributor

Hi,

So if I understand it correctly, you must not ingest the ADMX files that way anymore, and the article regarding Office is obsolete. Anyway, I received the following 404 error:

 

MDM ConfigurationManager: Command failure status. Configuration Source ID: (BFFCF769-413D-4AEB-90B5-2FF018ED55FF), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./User/Vendor/MSFT/Policy/Config/word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions~L_Security/L_TurnOffFileValidation), Result: (The system cannot find the file specified.).

 

Unfortunately, I did not try @icelava 's way, but this feels like I have to run a remediation script all the time to check if the error exists? It would be nice if someone could give us (me) a statement.

Thanks

Stephan

Version history
Last update:
‎Nov 24 2020 08:12 AM