So for a bit of background on this: as of Windows 10 1703, functionality was made available within the Intune service (and obviously the Windows OS) to support ADMX-backed policies, essentially the ability to transmit Group Policy settings in a format that is understood by the MDM client using the Policy CSP. This is achieved by importing or "ingesting" ADMX files and then configuring specific settings in relation to the ingested content. There are some caveats and considerations which I am going to explain in this post, and I want to keep it as simple as possible. Over time, support has been provided for ADMX settings with the Administrative Templates profile within the Intune portal and, as most recently announced, these settings are now presented in an interface very similar to the experience of the Group Policy Management Console.
So how do we approach this then? First of all, download the ADMX files for the Windows Desktop client. There are two versions: ZoomMeetings_HKCU if you want to deploy the policies within the user's scope, and ZoomMeetings_HKLM for devices. I went with the latter and then opened up the file with an XML editor.
From this, as per the documentation, I needed to confirm that the registry keys for these policies were not within the exclusions list (I assumed this would be fine, however it's always worth a check).
I also wanted to look at the policies available and take note of the values supported for each policy, to use when creating the custom configuration profile to deploy the required settings.
So let's take two settings in this example: we wish to prevent the end user from logging in using either their Google or Facebook credentials. What we essentially need to do now is deploy the ADMX file with an OMA-URI setting in order for it to be ingested, and then disable these two login options using an additional OMA-URI for each. In order to know what values to use for these OMA-URIs, a good approach (thanks Per Larsen for your excellent presentation at WMUG back in August 2019) is to deploy the ingested ADMX to the device first so these values are available in the registry.
First of all, log in to the Endpoint Manager admin center (EMAC) and navigate to Devices > Windows > Configuration Profiles > Create profile.
Select Windows 10 and later as the platform and Custom as the profile type, and give the profile a suitable name. Just as a reminder, this profile will eventually contain both the fully ingested ADMX file and the two OMA-URI strings for our settings.
Select Add and then fill in the appropriate values;
Name; Something descriptive
Description; Add if required
OMA-URI; Should be in the following format, where the two CustomZoomADMX segments are custom names, providing they are unique on the device: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/CustomZoomADMX/Policy/CustomZoomADMX
Data type; String
Value; The pasted contents of the ADMX file
Assign this to a device and then, once the MDM profile has reported back as successfully deployed in Intune, open the registry and navigate to HKLM:\Software\Microsoft\PolicyManager\ADMXInstalled to verify that the policy exists and that there is a status and policy count.
Now navigate to HKLM:\Software\Microsoft\PolicyManager\ADMXDefault. Referring back to the ADMX file, the settings we required were within the zoomgeneral category.
Now we can go back to the profile we created earlier to add two more OMA-URIs using the above values.
To enable the disable Facebook login policy:
./Device/Vendor/MSFT/Policy/Config/CustomZoomADMX~Policy~ZoomUsCommunication~zoomgeneral/DisableFacebookLogin_Policy
The same for Google:
./Device/Vendor/MSFT/Policy/Config/CustomZoomADMX~Policy~ZoomUsCommunication~zoomgeneral/DisableGoogleLogin_Policy
Remember that the available values for these settings can be found in the original ADMX file, so they are both of data type String and set to <enabled/>.
Remember to change the beginning of the OMA-URIs to ./User if using user-based ADMX policies.
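As an added example (not part of the original post, and not Zoom's or Microsoft's code), the Python below derives the same OMA-URIs directly from an ADMX file's category tree, so they can be cross-checked against what appears under ADMXDefault, and flags policies whose registry key sits in a blocked location. The sample ADMX is constructed, its registry keys are placeholders, the blocked prefixes are an assumption taken from Microsoft's ADMX ingestion documentation, and all categories are assumed to be defined in the same file.

```python
import xml.etree.ElementTree as ET

NS = {"pd": "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"}
# Assumption: prefixes blocked per Microsoft's ADMX ingestion docs (documented exceptions not modelled).
BLOCKED = ("system", "software\\microsoft", "software\\policies\\microsoft")

# Constructed sample shaped like an ADMX file; the registry keys are placeholders.
SAMPLE_ADMX = r"""<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <categories>
    <category name="ZoomUsCommunication"/>
    <category name="zoomgeneral"><parentCategory ref="ZoomUsCommunication"/></category>
  </categories>
  <policies>
    <policy name="DisableFacebookLogin_Policy" class="Machine" key="Software\Policies\EXAMPLE\General"><parentCategory ref="zoomgeneral"/></policy>
    <policy name="DisableGoogleLogin_Policy" class="Machine" key="Software\Policies\EXAMPLE\General"><parentCategory ref="zoomgeneral"/></policy>
    <policy name="Constructed_Policy" class="User" key="Software\Microsoft\EXAMPLE"><parentCategory ref="ZoomUsCommunication"/></policy>
  </policies>
</policyDefinitions>"""


def category_path(root, name):
    """Follow parentCategory refs upward; return category names root-first."""
    parents = {}
    for cat in root.iterfind("pd:categories/pd:category", NS):
        parent = cat.find("pd:parentCategory", NS)
        parents[cat.get("name")] = None if parent is None else parent.get("ref")
    path = []
    while name is not None and name not in path:  # second test stops on a ref loop
        path.append(name)
        name = parents.get(name)
    return path[::-1]


def oma_uris(admx_text, app_name):
    """Map each policy name to its Policy CSP OMA-URI and a blocked-key flag."""
    root = ET.fromstring(admx_text)
    result = {}
    for pol in root.iterfind("pd:policies/pd:policy", NS):
        area = "~".join([app_name, "Policy"] + category_path(root, pol.find("pd:parentCategory", NS).get("ref")))
        scope = "User" if pol.get("class") == "User" else "Device"  # "Both" is treated as Device
        key = pol.get("key", "").lower()
        blocked = any(key == b or key.startswith(b + "\\") for b in BLOCKED)
        uri = f"./{scope}/Vendor/MSFT/Policy/Config/{area}/{pol.get('name')}"
        result[pol.get("name")] = {"uri": uri, "blocked": blocked}
    return result


if __name__ == "__main__":
    print(*oma_uris(SAMPLE_ADMX, "CustomZoomADMX").items(), sep="\n")
```

The app_name argument must match the name used in the ADMXInstall OMA-URI (CustomZoomADMX in this post).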
Originally the experience when launching the Zoom app on the device displayed the following options
After carrying out a policy sync you can now see the settings have applied
I hope you have found this useful, thanks for reading!
nice
This was very helpful, thank you. I was able to create some custom OMA-URIs but am struggling with something like ForceSSOURL. Do you happen to know the correct syntax for the data field? Nothing I tried has worked so far.