Since Windows 10 1703 you can use a feature called ADMX ingestion to extend policy settings in Intune. What it basically does is to parse an ADMX file and build a MDM policy of it. In the end you can configure the ADMX settings via OMA-URIs in Intune.
More details about ADMX ingestion can be read here Win32 and Desktop Bridge app policy configuration.
During the last time I’m working a lot in the field of Modern IT and Modern Workplace. In the Modern Workplace scenario I like to have Windows 10 clients joined to Azure Active Directory and auto enrolled into Intune (preferred as an AutoPilot enrollment). The nice thing here is, the device gets configured right after the Azure Active Directory join. In this scenario we typically configure necessary system settings. In addition to that I want to drive the user experience and I want to present the files in OneDrive without further sign-in by the user. Normally the user needs to sign-in with his email address to accomplish this.
To solve this we need to configure OneDrive to silently setup the user account information from the Windows signed-in user. According the article Use Group Policy to control OneDrive sync client settings we can use the following two registry keys for that:
HKCU\SOFTWARE\Microsoft\OneDrive\EnableADAL=1 (dword) HKLM\SOFTWARE\Policies\Microsoft\OneDrive\SilentAccountConfig=1 (dword)
As we do not have a native Configuration service provider for OneDrive right now we need to configure these settings via ADMX ingestion policy. We can get the OneDrive ADMX from here:
%LocalAppData%\Microsoft\OneDrive\-build-version-\adm\OneDrive.admx
We need the original OnDrive.admx file as a template and we copy the complete policyDefinitions node to a new file. Then we remove every policy node except the policy node with SilentAccountConfig. As we have no node for EnableADAL in the ADMX file we duplicate policy node SilentAccountConfig as additional node under the policies node. In this new node we rename the attribute values “name” and “valueName” to EnableADAL. As last step we replace SOFTWARE\Policies\Microsoft\OneDrive with SOFTWARE\Microsoft\OneDrive.
The result is the following xml file:
<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"> <policyNamespaces> <target prefix="OneDriveNGSC" namespace="Microsoft.Policies.OneDriveNGSC" /> <using prefix="windows" namespace="Microsoft.Policies.Windows" /> </policyNamespaces> <resources minRequiredRevision="1.0" /> <categories> <category name="OneDriveNGSC" displayName="$(string.OneDriveNGSCSettingCategory)"> <parentCategory ref="windows:Software" /> </category> </categories> <policies> <policy name="EnableADAL" class="User" displayName="$(string.EnableADAL)" explainText="$(string.EnableADAL_Help)" key="SOFTWARE\Microsoft\OneDrive" valueName="EnableADAL"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <enabledValue> <decimal value="1" /> </enabledValue> <disabledValue> <decimal value="0" /> </disabledValue> </policy> <policy name="SilentAccountConfig" class="Machine" displayName="$(string.SilentAccountConfig)" explainText="$(string.SilentAccountConfig_help)" key="SOFTWARE\Microsoft\OneDrive" valueName="SilentAccountConfig"> <parentCategory ref="OneDriveNGSC" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <enabledValue> <decimal value="1" /> </enabledValue> <disabledValue> <decimal value="0" /> </disabledValue> </policy> </policies> </policyDefinitions>
Why the replacement of \Policies\ in the registry path?
Excerpt from Win32 and Desktop Bridge app policy configuration (17th of November 2017)
Currently, the ingested policies are not allowed to write to locations within the System, Software\Microsoft, and Software\Policies\Microsoft keys, except for the following locations:
- software\microsoft\onedrive
Because of this exception we can use SOFTWARE\Microsoft\OneDrive to configure the both keys. EnableADAL is listed under the registry key without \Policies\ but SilentAccountConfig is listed under \Policies\ path. The exceptions are subject to change and Microsoft is constantly adding new paths to it. The following is based on the exceptions available at the time of writing Nov ’17. Before building something by your own go and verify which exceptions are currently available and adapt your strategy accordingly.
The path \Policies\ is based on the group policy technique where the sub key is used to overlap the default settings of an application. For example: SOFTWARE\Policies\Microsoft\OneDrive\SilentAccountConfig will overlap an application setting SOFTWARE\Microsoft\OneDrive\SilentAccountConfig. With the xml file above we target the application setting of OneDrive and not the policy setting of OneDrive (keep in mind the default value of OneDrive is overwritten then).
Why not using the whole OneDrive.admx file without \Policies? I’m not sure which of the settings all work without \Policies\ in the path. It depends on the targeted application. With further testing you may find settings working successfully like SilentAccountConfig with OneDrive. For me it was enough for now to have the EnableADAL and SilentAccountConfig settings configured.
In Intune we configure a Device Configuration Profile for Windows 10 as a Custom policy. We need to construct the OMA-URI for ADMX ingestion as described here: Win32 and Desktop Bridge app policy configuration
./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{FileUid or AdmxFileName}
Device Configuration Profile: ADMX Ingestion – CustomOneDrive.admx
Name: CustomOneDrive.admx OMA-URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/OneDriveNGSC/Policy/OneDriveAdmx Data type: string Value: <xml content from above>
The next step is to configure the ADMX ingested settings:
Again we follow the article Win32 and Desktop Bridge app policy configuration. Excerpt how to configure user or device policy:
In the policy class, the attribute is defined as “User” and the URI is prefixed with
./user. If the attribute value is “Machine”, the URI is prefixed with./device. If the attribute value is “Both”, the policy can be configured either as a user or a device policy.The policy {AreaName} format is {AppName}~{SettingType}~{CategoryPathFromAdmx}. {AppName} and {SettingType} are derived from the URI that is used to import the ADMX file. In this example, the URI is:
./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/ContosoCompanyApp/Policy/AppAdmxFile01.{CategoryPathFromAdmx} is derived by traversing the parentCategory parameter. In this example, {CategoryPathFromAdmx} is ParentCategoryArea~Category2~Category3. Therefore, {AreaName} is ContosoCompanyApp~ Policy~ ParentCategoryArea~Category2~Category3.
Therefore, from the example:
- Class: User
- Policy name: L_PolicyPreventRun_1
- Policy area name: ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3
- URI:
./user/Vendor/MSFT/Policy/Config/ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3/L_PolicyPreventRun_1
In Intune we configure a Device Configuration Profile for Windows 10 as a Custom policy with two custom settings. Important we need to specify EnableADAL as ./User to map it to HKCU and SilentAccountConfig as ./Device to map it to HKLM.
Device Configuration Profile: ADMX Config – CustomOneDrive.admx
OMA URI Settings:
Name: EnableADAL OMA-URI: ./User/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/EnableADAL Data type: string Value: <enabled/>
Name: SilentAccountConfig OMA-URI: ./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/SilentAccountConfig Data type: string Value: <enabled/>
In the end we assign the device configuration profile to a user group and if applied successfully we will see OneDrive singed-in shortly after the Desktop appears:
If you look into Start > Settings > Accounts > Access work or school > your Tenant > Info your should see Policy listed as: OneDriveNGSC~Policy~OneDriveNGSC as defined above.
Special thanks to Mark for inspiring me to write about that topic my very first blogpost here.
Peter van der Woude has a good article about ADMX ingestion to configure Google Chrome site isolation.
UPDATE May 25th: Senthil’s Blog has a great article about it, I can truly recommend to read: Intune: Deploying ADMX-Backed policies using Microsoft Intune.
UPDATE October 17th: I recommend to use the Administrative Templates in Intune now to configure OneDrive Settings as they will be available soon in every tenant. A very good post by my fellow Maurice Daly can be found here:
Configure ADMX settings with Microsoft Intune Administrative Templates
http://www.scconfigmgr.com/2018/10/17/configure-admx-settings-with-microsoft-intune-administrative-templates/
UPDATE December 10th: I highly recommend to use a custom name during ingestion, instead of the admx policy name like this:
./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/OneDriveNGSC/Policy/OneDriveAdmx
During my initial writing of this blog post this was not a problem but it may lead now to conflicts with other features, therefore use a custom prefix like Custom, e.g.:
./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/OneDriveNGSC/Policy/CustomOneDriveAdmx
The custom name will prevent that the upcoming “Administrative Templates” feature like explained in Maurice Blog post will generate a conflict as this feature will also ingest admx files in the background and if it will find an already ingested policy with the same name it generates a conflict.
Modern IT - Cloud - Workplace 
Very nice and detailed write-up, one of the best out on the web.
Some questions i have i hope you will answer.
In the first oma-uri for ingesting the admx for {AppName} you have OneDriveNGSC , is this a name you choose yourself or has it to be a parameter fron the admx and if yes which parameter should this be?
Also in this oma-uri for {SettingType} you have Policy , again is this always Policy when ingesting an oma-uri ?
In the enableADAL oma-uri the OneDriveNGSC for {appname} and {settingtype }is derived from the import
The {CategoryPathFromAdmx} value which value/parameter in the admx is this?
Thanks RKast!
Yes {AppName} is free for your choice, I chose to align it with the policy of the app and this one is called in the namespace OneDriveNGSC in the admx file
For {SettingType} you have to use Policy
The referenced article from MS is great for explaining how to build the URI, have a look at section: URI format for configuring an app policy
https://docs.microsoft.com/en-us/windows/client-management/mdm/win32-and-centennial-app-policy-configuration
the important sentence here is:
{CategoryPathFromAdmx} is derived by traversing the parentCategory parameter.
In this example, {CategoryPathFromAdmx} is ParentCategoryArea~Category2~Category3.
Therefore, {AreaName} is ContosoCompanyApp~ Policy~ ParentCategoryArea~Category2~Category3.
you can find the referenced xml example on the target link above.
in the Onedrive ADMX xml we have just one parentCategory so we do not need to traverse backwards:
parentCategory ref=”OneDriveNGSC”
The AppName is: OneDriveNGSC
and the SiltentAccountConfig is derived from:
policy name=”SilentAccountConfig”
so we will use =>
./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/SilentAccountConfig
the confusing part here is that the AppName is OneDriveNGSC and the ParentCategory also OneDriveNGSC
imagine we chose AppName OneDriveClient then the URI would be:
./Device/Vendor/MSFT/Policy/Config/OneDriveClient~Policy~OneDriveNGSC/SilentAccountConfig
Oliver,
I get your point and lost a lot of braincells with it 🙂
You search for the policy to set, in the link above you sent the policy “L_PolicyPreventRun_1″
Then make not of the ‘parentCategory ref’ of the policy, in this case Category3
Then search for a [category name=”Category3”] in the ADMX file and make note if there is a ‘parentCategory ref’ in this case yes it’s “ParentCategoryArea”
Then search for a [category name=”ParentCategoryArea”] in the ADMX file and make note if there is a ‘parentCategory ref’ for this category, in this case the parentCategory for “ParentCategoryArea” is “ParentCategoryArea” 🙂 so no more parentCategory
This is the correct oma-uri for dummies method 🙂 ?
Yes traverse through all categories to find {CategoryPathFromAdmx}:
category name=”Category3″ -> parentCategory ref=”Category2″
category name=”Category2″ -> parentCategory ref=”ParentCategoryArea”
category name=”ParentCategoryArea”
follow the chain backwards 🙂 and then build the URI
{AppName}~{SettingType}~{CategoryPathFromAdmx}
-> URI: ./user/Vendor/MSFT/Policy/Config/ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3/L_PolicyPreventRun_1
Hi Oliver,
I was testing this with an example policy in the TerminalServer.admx file.
I want to set the policy “Specify SHA1 thumbprints of certificates representing trusted .rdp publishers”
Can you please check if both OMA-URI are correct ? (fyi i changed brackets to [ ] )
./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/RDS/Policy/TerminalServer
./user/Vendor/MSFT/Policy/Config/RDS~Policy~TS_GP_NODE~TS_CLIENT/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2
[enabled/]
[data id=”TRUSTED_CERTIFICATE_THUMBPRINTS” value=”00 11 22 33 44 55 66 77″/]
PS. i know ingesting policies are not allowed to write to locations software\policies\windows nt where the above policy writes but i want to know how derive such policy
Hi RKast,
it looks good can’t find any issue with it.
ok
Oliver,
Thank you so much for checking and clear guidance in the blog. Luckily i understand now how to use the technique. Also read you did help with run a mdt ts from intune 🙂 @ https://deploymentresearch.com/Research/Post/663/Cloud-OS-Deployment-Part-1-Running-MDT-Task-Sequences-from-Microsoft-Intune
Great to hear! And yes I helped to provide technical details of the Management Extension. Sharing is everything. That’s how great solutions are found.
Oliver, I saw you posted a question about two weeks ago about Enum values in a ADMX file. Did you ever get an answer on that or figure out the solution? What do you do when the ADMX file doesn’t contain an and tag and just an Enum list?
Hi David,
I‘m enjoying vacation at the moment and did not further research there. As soon as I‘m back and I find something out I‘ll update my blog and post. It‘s definitely on my agenda to find out after vacation.
Best,
Oliver
I’ll keep posted on docs.microsoft.com and your blog as well then. For now I will probably just work around it with Powershell scripts until ADMX settings are built into the Intune GUI.
I’m trying to implement the AutoMountTeamSites part of the onedrive.admx but I can’t find the good configuration on the data id part. I use OMA-URI : ./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/AutoMountTeamSites after type of data String and put:
Is there something wrong on my input ? I can’t find explanation for List Box type input on the web…
Hi Ludo,
yes that’s quite a challenge all the time to figure out how the correct syntax is. In your case you have to look here: https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies#a-href-idlist-elementalist-element-and-its-variations it describes the list entries. Be careful with the separator and I had to use the value as a tuple when I configured single values. For example if you only specify an URL I needed to specify URLURL. If you have key values to specify it is obvious to have KEYVALUE. In the case for OneDrive AutoMount I think you need URLURL.
Let me know if you have further trouble, then I will test it out for you in my lab in a few days.
best,
Oliver
Thanks a lot, I have try with KEYVALUE like it’s wrote on the microsoft website but it fails and then the insertion returns me: -2016281112 (Remediation failed) . Then I follow the debug process but didn’t find where the matter is. If you wan’t to make a test I can send you a csv extract of my onedriveadmx policy. It’s the same of yours but with AutomountTeamSites value added and the twice value (SilentAccountConfig and EnableOneDriveFileOnDemand) that we can found now on administrative template has been removed for used with the last modification of microsoft.
Hi Ludo,
back from vacation. I have configured your setting in my tenant to see if I can get it to work. I’m not sure what to specify for the AutoMount but it is applied successful in my tenant to my test device. I ingested the latest OneDrive ADMX:
and then I configure it via VALUE separator VALUE, see example below:
please try it like this.
best,
Oliver
Hi Oliver, I have try your answer and it works but in my case it seems that the url contain value=”Test(tenantId=xxx&siteId=xxx&webId=xxx&listId=xxx&webUrl=httpsxxx&version=1)” and the & seems to fail the data string input. Have you any id of protection that I can add for use this & ?
Hi Ludo,
yes try to use an URL Encoder to escape the & in the URL. There are a lot of websites out there just search for url encode in Google. type in your URL and let it encode correctly. & will then be replace by %26 and the browsers understand this format. I guess this will work here also.
best,
Oliver
Good morning!
Your blog has been instrumental in learning how to do this. However, I am stumped as to why I cannot seem to enable my policy. I’d appreciate a second set of eyes and any advice.
I’m ingesting the Office 2013 Admx and trying to enable the “Disable First Run Optin Wizard” policy.
Here are my settings:
**Excerpt from the admx**
Ingestion OMA-URI Settings:
./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Office15/Policy/Office15Admx
Policy Enable OMA-URI Settings:
./User/Vendor/MSFT/Policy/Config/Office15~Policy~L_MicrosoftOfficeSystem~L_Privacy~L_TrustCenter/L_DisableOptinWizard
String
Hi Walter,
looks good, I checked your OMA-URIs found no mistake, used them and configured it in my tenant on a test device. I didn’t experienced a problem and they are applied successful.
For ingestion I used a simplified ADMX as value for testing and more clarity:
<?xml version="1.0" encoding="utf-16"?> <policyDefinitions revision="1.0" schemaVersion="1.0"> <policyNamespaces> <target prefix="office15" namespace="office15.Office.Microsoft.Policies.Windows" /> <using prefix="windows" namespace="Microsoft.Policies.Windows" /> </policyNamespaces> <supersededAdm fileName="office15" /> <resources minRequiredRevision="1.0" /> <categories> <category name="L_MicrosoftOfficeSystem" displayName="$(string.L_MicrosoftOfficeSystem)" /> <category name="L_Privacy" displayName="$(string.L_Privacy)"> <parentCategory ref="L_MicrosoftOfficeSystem" /> </category> <category name="L_TrustCenter" displayName="$(string.L_TrustCenter)"> <parentCategory ref="L_Privacy" /> </category> </categories> <policies> <policy name="L_DisableOptinWizard" class="User" displayName="$(string.L_DisableOptinWizard)" explainText="$(string.L_DisableOptinWizardExplain)" key="software\policies\microsoft\office\15.0\common\general" valueName="shownfirstrunoptin"> <parentCategory ref="L_TrustCenter" /> <supportedOn ref="windows:SUPPORTED_Windows7" /> <enabledValue> <decimal value="1" /> </enabledValue> <disabledValue> <decimal value="0" /> </disabledValue> </policy> </policies> </policyDefinitions>to configure the policy I used your OMA-URI as already said and the string value:
Maybe you have a leading or trailing white space somewhere? Remember OMA-URIs are case sensitive and allow white spaces, so easy to have a trailing white space somewhere and the policy breaks.
best,
Oliver
It works! I did have a space at the end…
However, I’m not sure if there’s documentation out there about this that I missed but the enabled policy does not seem to work for the Guest account on Shared PC mode. It works when I sign in as myself though.
Thanks for your help Oliver.
Seems to me like your informative research calls out Microsoft, on how BETA one drive really is and how Microsoft are entirely culpable for frustrating all the IT administrator community with botched releases/changes and no real thought about Data Leakage security/administrative controls and installation path design. Who configures these click2run products like onedrive and teams to install to %LOCALAPPDATA% without administrative control. %LocalAppdata% does not roam with RDS roaming profiles, so Microsoft have completely wiped out the possibility of using onedrive and Teams in Citrix/Terminal Session Hosts. What a joke!. Using JSON files too! what happened to hardware C# programmers.. You just can’t get the staff.
Missed the comment entry, was hidden between a lot of spam entries. Partly agree to your statement, the strategy to place OneDrive into LocalAppData has some nice advantages like running installer in user context which makes it more easy to update. And remember they target commercial users and enterprise with the product. But totally agree it is hard for some other scenarios. Google Chrome for example does both, the Google installer asks for machine install and falls back to user install in user profile if not possible to install in machine context. So everything has advantages and downsides. For the Terminal Server scenario you might want to have a look at https://konnekt.io which can solve the troubles there.
best,
Oliver