Create a Custom ADMX Policy

If your MDM does not provide a method for running scripts, you may want to create a Custom ADMX Policy to apply registry settings to your Windows 10 devices for situations where there are not CSPs available.

There are some limitations to what registry settings you can apply via Custom ADMX Policy. Policies are not allowed to write to locations within the System, Software\Microsoft, and Software\Policies\Microsoft keys, except for the following locations (Note – the following locations are ALLOWED):

  • Software\Policies\Microsoft\Office\
  • Software\Microsoft\Office\
  • Software\Microsoft\Windows\CurrentVersion\Explorer\
  • Software\Microsoft\Internet Explorer\
  • software\policies\microsoft\shared tools\proofing tools\
  • software\policies\microsoft\imejp\
  • software\policies\microsoft\ime\shared\
  • software\policies\microsoft\shared tools\graphics filters\
  • software\policies\microsoft\windows\currentversion\explorer\
  • software\policies\microsoft\softwareprotectionplatform\
  • software\policies\microsoft\officesoftwareprotectionplatform\
  • software\policies\microsoft\windows\windows search\preferences\
  • software\policies\microsoft\exchange\
  • software\microsoft\shared tools\proofing tools\
  • software\microsoft\shared tools\graphics filters\
  • software\microsoft\windows\windows search\preferences\
  • software\microsoft\exchange\
  • software\policies\microsoft\vba\security\
  • software\microsoft\onedrive

You can also choose to use existing ADMX group policies that are available for software packages such as Google Chrome and Microsoft Office. I have used both. Just be sure to encode the policy before applying them.

Here is an example of a custom ADMX policy that I created in order to apply the following registry setting:

HKCU:\Control Panel\International\User Profile

HttpAcceptLanguageOptOut

This is the Custom ADMX Policy that must be pushed to your device first before applying the actual policy setting:

Note carefully that I didn’t both to edit anything that wasn’t 100% necessary. Most of you will probably want to pretty up the category and policy names so that it is prettier. I am more of a minimalist 🙂 or maybe just a little bit lazy!

The only thing that is really important is that you:

  1. Specify which registry location and key you need to set
  2. Specify whether it is a “User” policy or a “Machine” policy
  3. Make note of the Policy Name that you are going to need to reference when applying the policy

Now that I have my policy applied, I want to set the registry key value to “1” (aka enabled). The next step is to push the following policy to the device to actual add the registry key with the correct value:

If you navigate to the registry of the device, you will see the custom ADMX Policy in this location:

HKLM:\Software\Microsoft\PolicyManager\ADMXDefault

You will also see the applied policy, in this location:

HKLM:\Software\Microsoft\PolicyManager\Current

and, of course, the destination registry key that we intended to set is now successfully applied.

Here is a really good article with video about how Custom Policies are created and applied –> https://docs.microsoft.com/en-us/windows/client-management/mdm/win32-and-centennial-app-policy-configuration

I used the article to figure out how to do this the first time, but it was a pain so I hope that my example will be helpful to you if you are looking to create a custom policy for the first time.

Join the Conversation

1 Comment

Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: