{"id":147,"date":"2019-02-28T11:40:52","date_gmt":"2019-02-28T11:40:52","guid":{"rendered":"http:\/\/172.23.1.43\/?p=147"},"modified":"2022-06-07T22:26:14","modified_gmt":"2022-06-07T22:26:14","slug":"how-to-deploy-office-admx-ws1","status":"publish","type":"post","link":"https:\/\/blog.n-dol.org\/2019\/02\/28\/how-to-deploy-office-admx-ws1\/","title":{"rendered":"ADMX Backed &#8211; The Office Case"},"content":{"rendered":"\n<p>This case come from one of my customer, they followed the Chrome example available at&nbsp;<a href=\"https:\/\/code.vmware.com\/samples\/3329\/windows-10---chrome-admx\" target=\"_blank\" rel=\"noopener noreferrer\">code.vmware.com<\/a>, but didn&#8217;t seems to work correctly for the Office ADMX available from Microsoft, as the profile said &#8220;Install Failed&#8221;.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Step 1 &#8211; Reproduce<\/h1>\n\n\n\n<p>Created a custom XML in the console in this format :<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-markup\">&lt;Add&gt;\n &lt;CmdID&gt;2&lt;\/CmdID&gt;\n &lt;Item&gt;\n  &lt;Target&gt;\n   &lt;LocURI&gt;.\/Device\/Vendor\/MSFT\/Policy\/ConfigOperations\/ADMXInstall\/Office16\/Policy\/Version1&lt;\/LocURI&gt;\n  &lt;\/Target&gt;\n  &lt;Data&gt;{AMDX DATA HERE converted from &lt;value&gt; to &lt;value&gt; }&lt;\/Data&gt;\n &lt;\/Item&gt;\n&lt;\/Add&gt;<\/code><\/pre>\n\n\n\n<!--more-->\n\n\n\n<p>Deploying the profile gives the following SyncML response from the device :<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-markup\">&lt;Status&gt;\n &lt;CmdID&gt;3&lt;\/CmdID&gt;\n &lt;MsgRef&gt;3&lt;\/MsgRef&gt;\n &lt;CmdRef&gt;2&lt;\/CmdRef&gt;\n &lt;Cmd&gt;Add&lt;\/Cmd&gt;\n &lt;Data&gt;425&lt;\/Data&gt;\n&lt;\/Status&gt;<\/code><\/pre>\n\n\n\n<p>According to the SyncML Protocol,&nbsp;<strong>425<\/strong> mean &#8216;<strong><em>access denied<\/em><\/strong>&#8216;.<\/p>\n\n\n\n<p>Discovered that later but you have also an Windows Event ID 850 in <strong>Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider\/Admin&nbsp;<\/strong>which gives the information required&#8230;<\/p>\n\n\n\n<figure class=\"wp-block-image alignwide\"><img decoding=\"async\" width=\"730\" height=\"438\" src=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/02\/admx-backed-officeadx-windows-event-error.jpg\" alt=\"ADMX-Backed-OfficeADX-Windows-Event-Error\" class=\"wp-image-244\" srcset=\"https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/02\/admx-backed-officeadx-windows-event-error.jpg 730w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/02\/admx-backed-officeadx-windows-event-error-300x180.jpg 300w\" sizes=\"(max-width: 730px) 100vw, 730px\" \/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">Step 2 &#8211; Back to basics<\/h1>\n\n\n\n<p>I decided to try another ADMX but as I wanted to rule out any issue with 3rd party ADMX, I&#8217;ve used my own.<\/p>\n\n\n\n<p>Deployed using the same profile as Office, worked as the SyncML response is 200, checked the registry at <b>HKLM\\SOFTWARE\\MICROSOFT\\PolicyManager\\AdmxInstalled<\/b><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img decoding=\"async\" width=\"445\" height=\"237\" src=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/02\/admx-backed-admxtesting-registry.jpg\" alt=\"ADMX-Backed-ADMXTesting-Registry\" class=\"wp-image-148\" srcset=\"https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/02\/admx-backed-admxtesting-registry.jpg 445w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/02\/admx-backed-admxtesting-registry-300x160.jpg 300w\" sizes=\"(max-width: 445px) 100vw, 445px\" \/><\/figure><\/div>\n\n\n\n<p>We can see the ADMX install with the right settings.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Step 3 &#8211; RTFM<\/h1>\n\n\n\n<p>I started to read docs.microsoft.com, I come across this documentation, <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/client-management\/mdm\/win32-and-centennial-app-policy-configuration\" target=\"_blank\" rel=\"noopener noreferrer\">Win32 and Desktop Bridge app policy configuration<\/a>.<\/p>\n\n\n\n<p>In the overview, it describe how the ADMX are imported and what are the check against it, and at one point, it says the following :<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>the ingested policies are not allowed to write to locations within the&nbsp;<strong>System<\/strong>,&nbsp;<strong>Software\\Microsoft<\/strong>, and&nbsp;<strong>Software\\Policies\\Microsoft<\/strong>&nbsp;keys, except for the following locations:<\/p><ul>\n<li>Software\\Policies\\Microsoft\\Office\\<\/li>\n<li>Software\\Microsoft\\Office\\<\/li>\n<li>Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\<\/li>\n<li>Software\\Microsoft\\Internet Explorer\\<\/li>\n<li>software\\policies\\microsoft\\shared tools\\proofing tools\\<\/li>\n<li>software\\policies\\microsoft\\imejp\\<\/li>\n<li>software\\policies\\microsoft\\ime\\shared\\<\/li>\n<li>software\\policies\\microsoft\\shared tools\\graphics filters\\<\/li>\n<li>software\\policies\\microsoft\\windows\\currentversion\\explorer\\<\/li>\n<li>software\\policies\\microsoft\\softwareprotectionplatform\\<\/li>\n<li>software\\policies\\microsoft\\officesoftwareprotectionplatform\\<\/li>\n<li>software\\policies\\microsoft\\windows\\windows search\\preferences\\<\/li>\n<li>software\\policies\\microsoft\\exchange\\<\/li>\n<li>software\\microsoft\\shared tools\\proofing tools\\<\/li>\n<li>software\\microsoft\\shared tools\\graphics filters\\<\/li>\n<li>software\\microsoft\\windows\\windows search\\preferences\\<\/li>\n<li>software\\microsoft\\exchange\\<\/li>\n<li>software\\policies\\microsoft\\vba\\security\\<\/li>\n<li>software\\microsoft\\onedrive<\/li>\n<li>software\\Microsoft\\Edge<\/li>\n<li>Software\\Microsoft\\EdgeUpdate\\<\/li>\n<\/ul><\/blockquote>\n\n\n\n<p>We know that the Office ADMX is using <strong>Software\\Microsoft\\Office\\<\/strong> but is it possible that it may have something not in the white list?<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Step 4 &#8211; Wrapping Up and Scripting<\/h1>\n\n\n\n<p>I started checking manually as no script available and coding one would take longer, also Notepad++ is very efficient if you know how to use it.<\/p>\n\n\n\n<p>Bingo! One of the policy within office16.admx goes to <strong>software\\policies\\microsoft\\vsto <\/strong>which is not in the white list.<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-markup\">&lt;policy name=&quot;L_DisableVSTOLegacy1Or2&quot; class=&quot;User&quot; displayName=&quot;$(string.L_VSTOLegacy1Or2)&quot; explainText=&quot;$(string.L_VSTOLegacy1Or2Explain)&quot; key=&quot;software\\policies\\microsoft\\vsto&quot; valueName=&quot;vstolegacy1or2disable&quot;&gt;\n  &lt;parentCategory ref=&quot;L_SecuritySettings&quot; \/&gt;\n  &lt;supportedOn ref=&quot;windows:SUPPORTED_Windows7&quot; \/&gt;\n&lt;\/policy&gt;<\/code><\/pre>\n\n\n\n<p>Deleted this policy from the ADMX, added the new ADMX in the profile and no issue, registry keys created correctly<\/p>\n\n\n\n<figure class=\"wp-block-image alignwide size-large\"><img decoding=\"async\" width=\"623\" height=\"204\" src=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/10\/ADMX-Backed-OfficeADMX-Registry.jpg\" alt=\"\" class=\"wp-image-839\" srcset=\"https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/10\/ADMX-Backed-OfficeADMX-Registry.jpg 623w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/10\/ADMX-Backed-OfficeADMX-Registry-300x98.jpg 300w\" sizes=\"(max-width: 623px) 100vw, 623px\" \/><figcaption>Registry<\/figcaption><\/figure>\n\n\n\n<p>If you need to deploy the policy, you will require to deploy it with other means like powershell script or else.<\/p>\n\n\n\n<p>As Office use multiple ADMX, we need to check every ADMX file, in order to make sure that there is no issue with the other ones. As there is 11 ADMX just for Office 2016, and other version will have other ADMX, I created a PowerShell script which check the ADMX file and give the name of the problematic policy. You can also specifiy a folder with ADMX files in it and it will analyze everyone of them.<\/p>\n\n\n\n<p>PowerShell script : <a href=\"https:\/\/github.com\/CamilleDebay\/Scripts\/blob\/master\/ADMX\/ADMXValidation.ps1\">https:\/\/github.com\/CamilleDebay\/Scripts\/blob\/master\/ADMX\/ADMXValidation.ps1<\/a><\/p>\n\n\n\n<p><br>Usage:<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-powershell\">.\\ADMXValidation.ps1 -Path &quot;C:\\Temp\\Admx\\&quot; [-DisplayCorrectPolicy]\n\n-Path : Path to folder or admx file - Mandatory\n-DisplayCorrectPolicy : Display name of correct policies - Optional<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This case come from one of my customer, they followed the Chrome example available at&nbsp;code.vmware.com, but didn&#8217;t seems to work&hellip;<\/p>\n","protected":false},"author":5614970,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[274133536,44496998,1986749,672890795],"tags":[4704036,284229,23912726,672890823,672890814,672890813],"_links":{"self":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts\/147"}],"collection":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/users\/5614970"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/comments?post=147"}],"version-history":[{"count":28,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts\/147\/revisions"}],"predecessor-version":[{"id":1416,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts\/147\/revisions\/1416"}],"wp:attachment":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/media?parent=147"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/categories?post=147"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/tags?post=147"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}