{"id":341,"date":"2019-05-22T09:12:35","date_gmt":"2019-05-22T09:12:35","guid":{"rendered":"http:\/\/172.23.1.43\/?p=341"},"modified":"2022-06-07T22:36:16","modified_gmt":"2022-06-07T22:36:16","slug":"deep-dive-admx-ingestion-on-windows-10","status":"publish","type":"post","link":"https:\/\/blog.n-dol.org\/2019\/05\/22\/deep-dive-admx-ingestion-on-windows-10\/","title":{"rendered":"Deep Dive &#8211; ADMX Ingestion on Windows 10"},"content":{"rendered":"\n<p>As I have <a href=\"http:\/\/172.23.1.43\/2019\/02\/28\/how-to-deploy-office-admx-ws1\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">solved the issue on ingesting the Office16.admx<\/a>, I thought I would review the whole ingestion process to help understand how it works under the hood and how to manage it.<\/p>\n\n\n\n<p>Since Windows 10 1703, ADMX can be ingested and processed by the MDM layer via the policy CSP with the URI <\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-markup\">.\/Device\/Vendor\/MSFT\/Policy\/ConfigOperations\/ADMXInstall\/<\/code><\/pre>\n\n\n\n<p>For this article, I will use ADMX files that I have created for each situation. The name of the example application is <strong>CamilleApp<\/strong> and published by&nbsp;<strong>DebayCorp<\/strong>&nbsp;company.<\/p>\n\n\n\n<!--more-->\n\n\n\n<h1 class=\"wp-block-heading\">ADMX Ingestion<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">The ADMXInstall URI<\/h2>\n\n\n\n<p>The ADMX Install URI has 3 configurable settings:<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-markup\">...\/ConfigOperation\/ADMXInstall\/{AppName}\/{Area}\/{UniqueID}<\/code><\/pre>\n\n\n\n<p><span style=\"text-decoration:underline;\"><strong>AppName:<\/strong><\/span><strong>&nbsp;<\/strong>Name of the Application targeted by this ADMX. Depending what you are targeting it should be unique to the application in case to cater for multiple version of the same application.<br>Operation supported : <code>Add<\/code>, <code>Get<\/code>, <code>Delete<\/code><br>Example: Office 2016 and Office 2013 should be Office2016 and Office2013<\/p>\n\n\n\n<p><span style=\"text-decoration:underline;\"><strong>ADMX Area:<\/strong><\/span><strong>&nbsp;<\/strong>There are 2 areas which ADMX ingestion covers; which are Policy and Preference.<br><strong>Policy<\/strong> is for usual GPO<br><strong>Preference<\/strong> is for preference GPO<br>Operation supported : <code>Add<\/code>, <code>Get<\/code>, <code>Delete<\/code><\/p>\n\n\n\n<p><strong><span style=\"text-decoration:underline;\">UniqueID:<\/span><\/strong>&nbsp;This parameter is unique to the ADMX installation, it is only used at the installation. Policy Manager uses it for versioning in case of update, more detail below.<br>Operation supported : <code>Add<\/code>, <code>Get<\/code><\/p>\n\n\n\n<p>The ADMX Install URI, follows LocURI format, you should stick to alphanumeric characters (<code>a-z<\/code>, <code>A-Z<\/code>,<code>0-9<\/code>) and may use underscore(<code>_<\/code>), I would advise against any other characters which can be used in URI, as this may be used in some other scenario.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Limitation<\/h2>\n\n\n\n<p>Finally, as described in <a rel=\"noopener noreferrer\" href=\"http:\/\/172.23.1.43\/2019\/02\/28\/how-to-deploy-office-admx-ws1\/\" target=\"_blank\">my previous article on Office<\/a>, there are some limitations on the ingestion process. I&#8217;ve coded a PS script to validate the ADMX against these limitations.<br><a href=\"https:\/\/github.com\/CamilleDebay\/Scripts\/blob\/master\/ADMX\/ADMXValidation.ps1\" data-type=\"URL\" data-id=\"https:\/\/github.com\/CamilleDebay\/Scripts\/blob\/master\/ADMX\/ADMXValidation.ps1\" target=\"_blank\" rel=\"noreferrer noopener\">ADMXValidation Script<\/a><\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>the ingested policies are not allowed to write to locations within the&nbsp;<strong>System<\/strong>,&nbsp;<strong>Software\\Microsoft<\/strong>, and&nbsp;<strong>Software\\Policies\\Microsoft<\/strong>&nbsp;keys, except for the following locations:<\/p><ul>\n<li>Software\\Policies\\Microsoft\\Office\\<\/li>\n<li>Software\\Microsoft\\Office\\<\/li>\n<li>Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\<\/li>\n<li>Software\\Microsoft\\Internet Explorer\\<\/li>\n<li>software\\policies\\microsoft\\shared tools\\proofing tools\\<\/li>\n<li>software\\policies\\microsoft\\imejp\\<\/li>\n<li>software\\policies\\microsoft\\ime\\shared\\<\/li>\n<li>software\\policies\\microsoft\\shared tools\\graphics filters\\<\/li>\n<li>software\\policies\\microsoft\\windows\\currentversion\\explorer\\<\/li>\n<li>software\\policies\\microsoft\\softwareprotectionplatform\\<\/li>\n<li>software\\policies\\microsoft\\officesoftwareprotectionplatform\\<\/li>\n<li>software\\policies\\microsoft\\windows\\windows search\\preferences\\<\/li>\n<li>software\\policies\\microsoft\\exchange\\<\/li>\n<li>software\\microsoft\\shared tools\\proofing tools\\<\/li>\n<li>software\\microsoft\\shared tools\\graphics filters\\<\/li>\n<li>software\\microsoft\\windows\\windows search\\preferences\\<\/li>\n<li>software\\microsoft\\exchange\\<\/li>\n<li>software\\policies\\microsoft\\vba\\security\\<\/li>\n<li>software\\microsoft\\onedrive<\/li>\n<li>software\\Microsoft\\Edge<\/li>\n<li>Software\\Microsoft\\EdgeUpdate\\<\/li>\n<\/ul><\/blockquote>\n\n\n\n<h1 class=\"wp-block-heading\">Import Process<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Admin process<\/h2>\n\n\n\n<p>The import process require 2 steps.<\/p>\n\n\n\n<p><strong>Step 1 &#8211; Create the URI<\/strong><\/p>\n\n\n\n<p>The URI must be created for each ADMX you want to import.<br>My application name is <b><i>CamilleApp&nbsp;<\/i><\/b>and the ADMX target <strong><em>Policy<\/em><\/strong>.<br>For the uniqueID, we can use any value for now as this is unique to this installation. I&#8217;m going to use <strong><em>Version1<\/em><\/strong> for this example.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wp-block-prismatic-blocks language-\">...\/ConfigOperation\/ADMXInstall\/CamilleApp\/Policy\/<strong>Version1<\/strong><\/pre>\n\n\n\n<p><strong>Step 2 &#8211; Build the SyncML<\/strong><\/p>\n\n\n\n<p>The SyncML is a standard SyncML with the ADMX escaped to avoid any interference between the ADMX format and the SyncML format.<br>It uses the <code>Add<\/code> operation.<\/p>\n\n\n\n<p><strong>Note<\/strong>: Anything before <code>policydefinition<\/code> need to be removed before adding it to the SyncML<\/p>\n\n\n\n<p>Generic SyncML:<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-markup\">&lt;Add&gt;\n    &lt;CmdID&gt;2&lt;\/CmdID&gt;\n    &lt;Item&gt;\n        &lt;Target&gt;\n            &lt;LocURI&gt;.\/Device\/Vendor\/MSFT\/Policy\/ConfigOperations\/ADMXInstall\/CamilleApp\/Policy\/Version2&lt;\/LocURI&gt;\n        &lt;\/Target&gt;\n        &lt;Data&gt;{ADMX escaped from &lt; &gt; to &amp;lt; &amp;gt; }&gt;&lt;\/Data&gt;\n    &lt;\/Item&gt;\n&lt;\/Add&gt;<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>To validate that the ingestion has processed correctly, you can have a look in the <strong>Windows Event Viewer<\/strong> at <strong><em>Applications and Services Logs &gt; Microsoft &gt; Windows &gt;<\/em> <em>Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider &gt; Admin<\/em><\/strong><br>The ingestion process only logs when there are errors, it will tell which ADMX failed and where in the ADMX there is an issue.<\/p>\n\n\n<div class=\"wp-block-image size-full wp-image-355 aligncenter\">\n<figure class=\"\"><a href=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/04\/admx-ingestion-error-what-1.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" width=\"626\" height=\"438\" src=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/04\/admx-ingestion-error-what-1.jpg\" alt=\"ADMX-Ingestion-Error-what\" class=\"wp-image-355\" srcset=\"https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/04\/admx-ingestion-error-what-1.jpg 626w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/04\/admx-ingestion-error-what-1-300x210.jpg 300w\" sizes=\"(max-width: 626px) 100vw, 626px\" \/><\/a><figcaption>Which ADMX is failing<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image size-full wp-image-357 aligncenter\">\n<figure class=\"\"><a href=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/04\/admx-ingestion-error-where.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" width=\"626\" height=\"438\" src=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/04\/admx-ingestion-error-where.jpg\" alt=\"ADMX-Ingestion-Error-where\" class=\"wp-image-357\" srcset=\"https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/04\/admx-ingestion-error-where.jpg 626w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/04\/admx-ingestion-error-where-300x210.jpg 300w\" sizes=\"(max-width: 626px) 100vw, 626px\" \/><\/a><figcaption>Where it is failing<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Behind the scenes<\/h2>\n\n\n\n<p>Policy Manager is responsible for ingesting the ADMX sent over SyncML. There are 2 places where Policy Manager stores the information, the registry and locally.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Registry<\/h3>\n\n\n\n<p>Policy Manager store in <code class=\"\">AdmxDefault<\/code>&nbsp;and <code class=\"\">AdmxInstalled<\/code>, the registry keys are located in&nbsp;<code class=\"\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\<\/code><\/p>\n\n\n\n<figure class=\"wp-block-image alignnone size-full wp-image-376\"><a href=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/05\/admx-ingestion-location-registry.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" width=\"912\" height=\"335\" src=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/05\/admx-ingestion-location-registry.jpg\" alt=\"ADMX-Ingestion-Location-Registry\" class=\"wp-image-376\" srcset=\"https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-location-registry.jpg 912w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-location-registry-300x110.jpg 300w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-location-registry-768x282.jpg 768w\" sizes=\"(max-width: 912px) 100vw, 912px\" \/><\/a><figcaption>Registry<\/figcaption><\/figure>\n\n\n\n<p><em><strong>AdmxDefault<\/strong><\/em>: Contains the settings from the ADMX itself, with where each settings apply on which registry key, take note of the <code>SourceAdmxFile<\/code> with the value.<\/p>\n\n\n\n<p><em><strong>AdmxInstalled<\/strong><\/em>: Contain the URI received by Policy Manager from SyncML sent by the MDM server.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Local Files<\/h3>\n\n\n\n<p>ADMX files, once ingested, are stored in the Policy Manager folder located in&nbsp;<code class=\"\">C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\PolicyManager\\<\/code>, we can see that the name of the file is the unique ID specified in the URI initially.<\/p>\n\n\n<div class=\"wp-block-image size-full wp-image-361 aligncenter\">\n<figure class=\"\"><a href=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/04\/admx-ingestion-location-files.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" width=\"620\" height=\"124\" src=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/04\/admx-ingestion-location-files.jpg\" alt=\"ADMX-Ingestion-Location-Files\" class=\"wp-image-361\" srcset=\"https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/04\/admx-ingestion-location-files.jpg 620w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/04\/admx-ingestion-location-files-300x60.jpg 300w\" sizes=\"(max-width: 620px) 100vw, 620px\" \/><\/a><figcaption>Local Files<\/figcaption><\/figure><\/div>\n\n\n<h1 class=\"wp-block-heading\">Update ADMX<\/h1>\n\n\n\n<p>An ADMX is specific to an application or a set of applications; should these applications get new features, there may be a requirement to extend or update.<br>In the GPO world, you would replace the ADMX by the new one.<br>For AMDX Ingestion, you install a new version on top of the previous one.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">ADMX Full update<\/h2>\n\n\n\n<p>In this example, the ADMX has been updated to add <code>MachineSetting3<\/code>&nbsp;in the <code>MachineSettings<\/code> area. The ADMX still contains all the previous settings in it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Admin Process<\/h3>\n\n\n\n<p><strong>Step 1 &#8211; Create the URI<\/strong><\/p>\n\n\n\n<p>The inital URI used for the initial import the ADMX was<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wp-block-prismatic-blocks language-\">...\/ConfigOperation\/ADMXInstall\/CamilleApp\/Policy\/<strong>Version1<\/strong><\/pre>\n\n\n\n<p>The unique ID needs to be modified, again the unique ID can be anything, here I&#8217;m going to use <code>Version2<\/code><\/p>\n\n\n\n<pre class=\"wp-block-preformatted wp-block-prismatic-blocks language-\">...\/ConfigOperation\/ADMXInstall\/CamilleApp\/Policy\/<strong>Version2<\/strong><\/pre>\n\n\n\n<p><strong>Step 2 &#8211; Build the SyncML<\/strong><\/p>\n\n\n\n<p>The SyncML is again using <code>Add<\/code> operation, as described before this is, with <code>Get<\/code>, the only operation allowed.<\/p>\n\n\n\n<p>SyncML:<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-markup\">&lt;Add&gt;\n    &lt;CmdID&gt;2&lt;\/CmdID&gt;\n    &lt;Item&gt;\n        &lt;Target&gt;\n            &lt;LocURI&gt;.\/Device\/Vendor\/MSFT\/Policy\/ConfigOperations\/ADMXInstall\/CamilleApp\/Policy\/Version2&lt;\/LocURI&gt;\n        &lt;\/Target&gt;\n        &lt;Data&gt;{ADMX escaped from &lt; &gt; to &amp;lt; &amp;gt; }&lt;\/Data&gt;\n    &lt;\/Item&gt;\n&lt;\/Add&gt;<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Behind the scenes<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Registry<\/h4>\n\n\n\n<p>The registry was updated with the new setting <code>MachineSetting3<\/code>&nbsp;and the <code>SourceAdmxFile<\/code> value has been also updated to <code>Version2<\/code>&nbsp;for each setting.<\/p>\n\n\n\n<figure class=\"wp-block-image alignnone size-full wp-image-377\"><a href=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/05\/admx-ingestion-update-location-registry-2.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" width=\"912\" height=\"373\" src=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/05\/admx-ingestion-update-location-registry-2.jpg\" alt=\"ADMX-Ingestion-Update-Location-Registry\" class=\"wp-image-377\" srcset=\"https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-update-location-registry-2.jpg 912w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-update-location-registry-2-300x123.jpg 300w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-update-location-registry-2-768x314.jpg 768w\" sizes=\"(max-width: 912px) 100vw, 912px\" \/><\/a><figcaption>Registry shows Version2<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Local Files<\/h4>\n\n\n\n<p>In terms of local files, <code>Version2<\/code>&nbsp;has been added.<\/p>\n\n\n<div class=\"wp-block-image size-full wp-image-362 aligncenter\">\n<figure class=\"\"><a href=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/05\/admx-ingestion-update-location-files.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" width=\"615\" height=\"143\" src=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/05\/admx-ingestion-update-location-files.jpg\" alt=\"ADMX-Ingestion-Update-Location-Files\" class=\"wp-image-362\" srcset=\"https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-update-location-files.jpg 615w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-update-location-files-300x70.jpg 300w\" sizes=\"(max-width: 615px) 100vw, 615px\" \/><\/a><figcaption>Local Files updated<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Partial Update<\/h2>\n\n\n\n<p>Sometimes, it may happen that the ADMX is not complete and only contains some settings. Policy manager will still ingest but only update or create the corresponding settings.<\/p>\n\n\n\n<p>In this example, the ADMX add <code>MachineSetting4<\/code>&nbsp;in the <code>MachineSettings<\/code> area. The ADMX does not contain all the other settings in it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Admin Process<\/h3>\n\n\n\n<p><strong>Step 1 &#8211; Create the URI<\/strong><\/p>\n\n\n\n<p>The last URI used for the import the ADMX was<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wp-block-prismatic-blocks language-\">...\/ConfigOperation\/ADMXInstall\/CamilleApp\/Policy\/<strong>Version2<\/strong><\/pre>\n\n\n\n<p>The unique ID needs to be modified, again the unique ID can be anything, here I&#8217;m going to use <strong><code>Version3Partial<\/code><\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted wp-block-prismatic-blocks language-\">...\/ConfigOperation\/ADMXInstall\/CamilleApp\/Policy\/<strong>Version3Partial<\/strong><\/pre>\n\n\n\n<p><strong>Step 2 &#8211; Build the SyncML<\/strong><\/p>\n\n\n\n<p>SyncML:<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-markup\">&lt;Add&gt;\n    &lt;CmdID&gt;2&lt;\/CmdID&gt;\n    &lt;Item&gt;\n        &lt;Target&gt;\n            &lt;LocURI&gt;.\/Device\/Vendor\/MSFT\/Policy\/ConfigOperations\/ADMXInstall\/CamilleApp\/Policy\/Version3Partial&lt;\/LocURI&gt;\n        &lt;\/Target&gt;\n        &lt;Data&gt;{ADMX escaped from &lt; &gt; to &amp;lt; &amp;gt; }&lt;\/Data&gt;\n    &lt;\/Item&gt;\n&lt;\/Add&gt;<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Behind the scenes<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Registry<\/h4>\n\n\n\n<p>The registry was updated with the new setting <code>MachineSetting4<\/code>&nbsp;and&nbsp;<code>SourceAdmxFile<\/code>&nbsp;has&nbsp;<code>Version3Partial<\/code>&nbsp;for itsvalue. All other settings,&nbsp;<code>SourceAdmxFile<\/code> value remain&nbsp;<code>Version2<\/code>.<\/p>\n\n\n<div class=\"wp-block-image size-full wp-image-367 aligncenter\">\n<figure class=\"\"><a href=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/05\/admx-ingestion-partialupdate-location-registry-set1.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" width=\"815\" height=\"358\" src=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/05\/admx-ingestion-partialupdate-location-registry-set1.jpg\" alt=\"ADMX-Ingestion-PartialUpdate-Location-Registry-set1\" class=\"wp-image-367\" srcset=\"https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-partialupdate-location-registry-set1.jpg 815w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-partialupdate-location-registry-set1-300x132.jpg 300w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-partialupdate-location-registry-set1-768x337.jpg 768w\" sizes=\"(max-width: 815px) 100vw, 815px\" \/><\/a><figcaption>MachineSetting1 remains on Version2<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image size-full wp-image-368 aligncenter\">\n<figure class=\"\"><a href=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/05\/admx-ingestion-partialupdate-location-registry-set4.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" width=\"853\" height=\"358\" src=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/05\/admx-ingestion-partialupdate-location-registry-set4.jpg\" alt=\"ADMX-Ingestion-PartialUpdate-Location-Registry-set4\" class=\"wp-image-368\" srcset=\"https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-partialupdate-location-registry-set4.jpg 853w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-partialupdate-location-registry-set4-300x126.jpg 300w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-partialupdate-location-registry-set4-768x322.jpg 768w\" sizes=\"(max-width: 853px) 100vw, 853px\" \/><\/a><figcaption>MachineSetting4 is at Version3Partial<\/figcaption><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\">Local Files<\/h4>\n\n\n<div class=\"wp-block-image alignnone size-full wp-image-366\">\n<figure class=\"aligncenter\"><a href=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/05\/admx-ingestion-partialupdate-location-files.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" width=\"616\" height=\"169\" src=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/05\/admx-ingestion-partialupdate-location-files.jpg\" alt=\"ADMX-Ingestion-PartialUpdate-Location-Files\" class=\"wp-image-366\" srcset=\"https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-partialupdate-location-files.jpg 616w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-partialupdate-location-files-300x82.jpg 300w\" sizes=\"(max-width: 616px) 100vw, 616px\" \/><\/a><figcaption>Local Files updated<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Recap<\/h2>\n\n\n\n<p>Updating an ADMX is quite straight forward, the use of unique ID allows correct updates and helps Windows to map the settings against the correct ADMX, that&#8217;s why only <code>Add<\/code> operations are allowed on it and there is no <code>Delete<\/code>.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Delete ADMX<\/h1>\n\n\n\n<p>We understood that the node UniqueID is used for uniqueness of each setting, so it make sense to not have the <code>Delete<\/code> operation on it.<br>As part of the lifecycle, an ADMX might need to be deleted as the application is not used anymore or some parts are not required.<\/p>\n\n\n\n<p>In the ADMX install URI, we have 2 nodes which allow <code>Delete<\/code> operation, <strong>AppName<\/strong> and <strong>Area<\/strong> and depending on what you are trying to achieve you target one or the other.<\/p>\n\n\n\n<p>Remember that the area can be <code>Policy<\/code> or <code>Preference<\/code>. So you can delete either of them for each application.<\/p>\n\n\n\n<p>The first things to know about deleting an ADMX from a machine, is that <span style=\"text-decoration:underline;\">any settings applied have to be removed before trying to delete the ADMX<\/span>. Policy manager will generate a 851 error in the logs (at <strong><em>Applications and Services Logs &gt; Microsoft &gt; Windows &gt;<\/em><em>Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider &gt; Admin<\/em><\/strong>) to notify of this issue.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/05\/admx-ingestion-delete-error-settings.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" width=\"626\" height=\"438\" src=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/05\/admx-ingestion-delete-error-settings.jpg\" alt=\"ADMX-Ingestion-Delete-Error-Settings\" class=\"wp-image-379\" srcset=\"https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-delete-error-settings.jpg 626w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-delete-error-settings-300x210.jpg 300w\" sizes=\"(max-width: 626px) 100vw, 626px\" \/><\/a><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Admin Process<\/h2>\n\n\n\n<p>The same way we have proceed from <strong>Install<\/strong> and <strong>Update<\/strong>, this process is executed in 2 steps, agreeing that you have deleted the settings before hand. In this example, I&#8217;m going to delete the <em><strong>Policy<\/strong><\/em> part of the application.<\/p>\n\n\n\n<p><strong>Step 1 &#8211; Create the URI<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted wp-block-prismatic-blocks language-\">...\/ConfigOperations\/ADMXInstall\/CamilleApp\/Policy<\/pre>\n\n\n\n<p><strong>Step 2 &#8211; Build the SyncML<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-markup\">&lt;Delete&gt;\n    &lt;CmdID&gt;1&lt;\/CmdID&gt;\n    &lt;Item&gt;\n        &lt;Meta&gt;\n            &lt;Format&gt;chr&lt;\/Format&gt;\n            &lt;Type&gt;text\/plain&lt;\/Type&gt;\n        &lt;\/Meta&gt;\n        &lt;Target&gt;\n            &lt;LocURI&gt;.\/Vendor\/MSFT\/Policy\/ConfigOperations\/ADMXInstall\/CamilleApp\/Policy&lt;\/LocURI&gt;\n        &lt;\/Target&gt;\n    &lt;\/Item&gt;\n&lt;\/Delete&gt;<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Behind the scenes<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Registry<\/h3>\n\n\n\n<p>The registry shows the app as we only have deleted the Policy part of it, so if a Preference policy was defined, it would not be impacted and still be on the device.<\/p>\n\n\n<div class=\"wp-block-image size-full wp-image-380 aligncenter\">\n<figure class=\"\"><a href=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/05\/admx-ingestion-delete-location-registry.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" width=\"789\" height=\"214\" src=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/05\/admx-ingestion-delete-location-registry.jpg\" alt=\"ADMX-Ingestion-Delete-Location-Registry\" class=\"wp-image-380\" srcset=\"https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-delete-location-registry.jpg 789w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-delete-location-registry-300x81.jpg 300w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-delete-location-registry-768x208.jpg 768w\" sizes=\"(max-width: 789px) 100vw, 789px\" \/><\/a><figcaption>CamilleApp is now empty<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Local Files<\/h3>\n\n\n\n<p>Same as the registry, the application folder is still here but the Policy folder had been removed.<\/p>\n\n\n<div class=\"wp-block-image size-full wp-image-381 aligncenter\">\n<figure class=\"\"><a href=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/05\/admx-ingestion-delete-location-files.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" width=\"561\" height=\"154\" src=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/05\/admx-ingestion-delete-location-files.jpg\" alt=\"ADMX-Ingestion-Delete-Location-Files\" class=\"wp-image-381\" srcset=\"https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-delete-location-files.jpg 561w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/05\/admx-ingestion-delete-location-files-300x82.jpg 300w\" sizes=\"(max-width: 561px) 100vw, 561px\" \/><\/a><figcaption>Local folder is now empty<\/figcaption><\/figure><\/div>\n\n\n<h1 class=\"wp-block-heading\">Conclusion<\/h1>\n\n\n\n<p>While Modern Management rely on CSPs for configuration. Third party applications still use ADMX files. ADMX ingestion provide a way of managing applications directly in CSP without no additional requirements. This provides an easy way for admins and enterprises to migrate GPOs and maintain these ADMX over the air.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<p>Sources :<\/p>\n\n\n\n<ul><li><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/client-management\/mdm\/policy-configuration-service-provider\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/docs.microsoft.com\/en-us\/windows\/client-management\/mdm\/policy-configuration-service-provider<\/a><\/li><li><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/client-management\/mdm\/win32-and-centennial-app-policy-configuration\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/docs.microsoft.com\/en-us\/windows\/client-management\/mdm\/win32-and-centennial-app-policy-configuration<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>As I have solved the issue on ingesting the Office16.admx, I thought I would review the whole ingestion process to&hellip;<\/p>\n","protected":false},"author":5614970,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2157457,38600,1986749,672890795],"tags":[722452,672890813],"_links":{"self":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts\/341"}],"collection":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/users\/5614970"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/comments?post=341"}],"version-history":[{"count":37,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts\/341\/revisions"}],"predecessor-version":[{"id":1423,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts\/341\/revisions\/1423"}],"wp:attachment":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/media?parent=341"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/categories?post=341"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/tags?post=341"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}