Thursday 2 April 2020

Using ADMX ingestion to configure the Zoom desktop application with Intune

Due to recent events I am seeing that organisations are having to come up with solutions quickly in order to enable their workforce, most of which it is the first time they are working from home. After working for a customer recently who wishes to deploy the Zoom desktop client to their whole organisation, I had a conversation with them and it was apparent that actually they were not entirely sure how specifically they wanted Zoom configured on install. On browsing the documentation I soon realised that there were some Group Policy templates available so, thinking ahead I thought it would be a good idea to see if I could import these policies to support any additional configuration requirements post install if the customers requirements changed over time.

So for a bit of background on this, as of Windows 10 1703 functionality was made available within the Intune service (and obviously the Window OS) giving the ability to support ADMX backed policies. So essentially the ability to transmit Group Policy settings in a format that are understood by the MDM client using the Policy CSP. This being achieved by importing or "ingesting" ADMX files and then configuring specific settings in relation to the ingested content. There are some caveats and considerations which  I am going to explain in this post and I want to keep it as simple as possible. Over time support has been provided for ADMX settings with the Administrative Templates profile within the Intune portal and most recently announced - these settings are now presented in an interface very similar to the experience of the Group Policy Management Console;


So how do we approach this then? First of all download the ADMX files for the Windows Desktop client. There are two versions, ZoomMeetings_HKCU if you want to deploy the policies within the users scope and ZoomMeetings_HKLM for devices. I went with the latter and then opened up the file with an xml editor.

From this, as per the documentation I needed to confirm that the registry keys for these policies were not within the exclusions list (I assumed this would be fine however its always worth a check)


I also wanted to look at the policies available and take note of the values supported for each policy, to use when creating the custom configuration profile to deploy the required settings


So lets take two settings in this example, we wish to prevent the end user from logging in using either their Google or Facebook credentials. What we essentially need to do now is deploy the ADMX file with an OMA-URI setting in order for it to be ingested and then disable these two settings using additional OMA-URI's for each. In order to know what values to use for these OMA-URI's a good approach (thanks Per Larsen for your excellent presentation at WMUG back in August 2019) is to deploy the ingested ADMX to the device first so these values are available in the registry.

First of all login to the Endpoint Manager admin center (EMAC) and navigate to Devices > Windows > Configuration Profiles > Create profile



Select Windows 10 and later as the platform and Custom as the profile type, give the profile a suitable name. Just as a reminder this profile will eventually contain both the fully ingested ADMX file and in addition the two OMA-URI strings for our settings.

Select add and then fill in the appropriate values;

Name; Something descriptive
Description; Add if required
OMA-URI; Should be in the following format with the items in bold being custom providing they are unique on the device ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/CustomZoomADMX/Policy/CustomZoomADMX
Data type; String
Value; The pasted contents of the ADMX file


Assign this to a device and then once the MDM profile has reported back as successfully deployed in Intune open the registry and navigate to HKLM:\Software\Microsoft\PolicyManager\ADMXInstalled to verify that the policy exists, there is a status and policy count



Now navigate to HKLM:\Software\Microsoft\PolicyManager\ADMXDefault and referring back to the ADMX file the settings we required were within the zoomgeneral category


Now we can go back to the profile we created earlier to add two more OMA-URI's using the above values

To enable the disable Facebook login policy
./Device/Vendor/MSFT/Policy/Config/CustomZoomADMX~Policy~ZoomUsCommunication~zoomgeneral/DisableFacebookLogin_Policy

The same for the Google
./Device/Vendor/MSFT/Policy/Config/CustomZoomADMX~Policy~ZoomUsCommunication~zoomgeneral/DisableGoogleLogin_Policy

Remembering that the available values for these settings can be found in the original ADMX file so the are both string and set to <enabled/>






Remember to change the beginning of the OMA-URI's to ./User if using user based ADMX policies

Originally the experience when launching the Zoom app on the device displayed the following options


After carrying out a policy sync you can now see the settings have applied


I hope you have found this useful, thanks for reading!