Intune provides the capability to deploy policies that are not displayed in the GUI by ingesting and applying group policy.
This works by first installing the group policy ADMX on the machine and then applying the changes specified in the ADMX.
However, I've come across a number of issues while ingesting ADMX files and had to figure out the troubleshooting steps.
Policy ingestion steps and the problem
Here is an example of Office ADMX ingestion and some issues I've run across along the way.
Microsoft doc on ingestion below
First step is to download and extract the Office ADMX file
Second step is to create a custom Windows 10 profile
With the following configuration
Open office16.admx and copy the content into the value field.
Save and assign the policy.
After the policy assignment, the deployment failed
Intune policy pushes are recorded in the following event log
Looking at the event log, I noticed the following error
Looks like there is a problem with the software\policies\microsoft\vsto registry key
A quick Google search (https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) reveals that the following keys cannot be modified in this way
Upon finding this, I had to modify the value in the Intune policy and remove the following keys
<policy name="L_EnableMinimizeVbaResigning" class="User" displayName="$(string.L_MinimizeVbaResigning)" explainText="$(string.L_MinimizeVbaResigningExplain)" key="software\policies\microsoft\vba\security" valueName="minimizevbaresign">
  <parentCategory ref="L_SecuritySettings" />
  <supportedOn ref="windows:SUPPORTED_Windows7" />
  <enabledValue>
    <decimal value="1" />
  </enabledValue>
  <disabledValue>
    <decimal value="0" />
  </disabledValue>
</policy>
<policy name="L_DisableVSTOLegacy1Or2" class="User" displayName="$(string.L_VSTOLegacy1Or2)" explainText="$(string.L_VSTOLegacy1Or2Explain)" key="software\policies\microsoft\vsto" valueName="vstolegacy1or2disable">
  <parentCategory ref="L_SecuritySettings" />
  <supportedOn ref="windows:SUPPORTED_Windows7" />
  <enabledValue>
    <decimal value="1" />
  </enabledValue>
  <disabledValue>
    <decimal value="0" />
  </disabledValue>
</policy>
Once this was done, the ADMX installed successfully
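
The manual removal above can be scripted. The following is an added example, not part of the original post or any Microsoft tooling: it strips every policy whose registry key falls under a blocked location before the ADMX text is pasted into Intune. The prefix list is an assumption built from the two policies removed above, and the sample ADMX and the L_ConstructedExample policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: prefixes taken from the two policies removed on this page.
# Extend this from the blocked-location list in the linked Microsoft article.
BLOCKED_PREFIXES = (
    r"software\policies\microsoft\vba\security",
    r"software\policies\microsoft\vsto",
)

def is_blocked(key, prefixes=BLOCKED_PREFIXES):
    """True if key equals a blocked location or is a subkey of one."""
    key = key.lower().strip("\\")
    return any(key == p or key.startswith(p + "\\") for p in prefixes)

def local_name(tag):
    # ElementTree tags look like "{namespace}policy"; keep only the name.
    return tag.rsplit("}", 1)[-1]

def strip_blocked_policies(admx_text, prefixes=BLOCKED_PREFIXES):
    """Return (cleaned ADMX text, [(policy name, offending key), ...])."""
    root = ET.fromstring(admx_text)
    if root.tag.startswith("{"):
        # Keep the file's default namespace instead of ns0: prefixes.
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    removed = []
    for parent in list(root.iter()):
        for child in list(parent):
            if local_name(child.tag) != "policy":
                continue
            # The policy itself and its nested elements may each carry a key.
            keys = [e.get("key") for e in child.iter() if e.get("key")]
            hit = next((k for k in keys if is_blocked(k, prefixes)), None)
            if hit:
                parent.remove(child)
                removed.append((child.get("name"), hit))
    return ET.tostring(root, encoding="unicode"), removed

# Constructed sample: two policies from this page plus one made-up allowed policy.
SAMPLE_ADMX = r"""<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="L_EnableMinimizeVbaResigning" class="User" key="software\policies\microsoft\vba\security" valueName="minimizevbaresign" />
    <policy name="L_DisableVSTOLegacy1Or2" class="User" key="software\policies\microsoft\vsto" valueName="vstolegacy1or2disable" />
    <policy name="L_ConstructedExample" class="User" key="software\policies\microsoft\office\16.0\common" valueName="constructedvalue" />
  </policies>
</policyDefinitions>"""

if __name__ == "__main__":
    cleaned, removed = strip_blocked_policies(SAMPLE_ADMX)
    for name, key in removed:
        print(f"removed {name} ({key})")
```

Reviewing the removed list before pasting the cleaned text into the value field shows exactly which settings will no longer be delivered by the profile.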