Harvester57 / Security-ADMX

Custom ADMX template focused on hardening Windows 10 systems


Support for import ADMX template into Intune

script-it-check-it-quick-rewrite-it opened this issue · comments

I recently tried to import the template into Intune. It uploaded and all the options are there, but I received the following error when I tried to apply the setting:

Setting: Limits print driver installation to Administrators (\Additional hardening settings\Additional system hardening settings)
State: Error
Error code: 0x20101
Error details: The administrative template file failed to be sent to the device.

Error code: 131329

Looking up the error code seems to point to: The administrative template file failed to be sent to the device.

I have imported other GPOs such as Firefox, Google Chrome Update, etc. into Intune before. Is there another ADMX dependency I need to upload also? For example, in order to get the Google Chrome Update ADMX file to upload, I needed to upload Windows.admx and google.admx in addition.

After doing some research, I found the following:

When the ADMX policies are ingested, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten.

Currently, the ingested policies are not allowed to write to locations within the System, Software\Microsoft, and Software\Policies\Microsoft keys, except for the following locations:

  • Software\Policies\Microsoft\Office\
  • Software\Microsoft\Office\
  • Software\Microsoft\Windows\CurrentVersion\Explorer\
  • Software\Microsoft\Internet Explorer\
  • software\policies\microsoft\shared tools\proofing tools\
  • software\policies\microsoft\imejp\
  • software\policies\microsoft\ime\shared\
  • software\policies\microsoft\shared tools\graphics filters\
  • software\policies\microsoft\windows\currentversion\explorer\
  • software\policies\microsoft\softwareprotectionplatform\
  • software\policies\microsoft\officesoftwareprotectionplatform\
  • software\policies\microsoft\windows\windows search\preferences\
  • software\policies\microsoft\exchange\
  • software\microsoft\shared tools\proofing tools\
  • software\microsoft\shared tools\graphics filters\
  • software\microsoft\windows\windows search\preferences\
  • software\microsoft\exchange\
  • software\policies\microsoft\vba\security\
  • software\microsoft\onedrive
  • software\Microsoft\Edge
  • Software\Microsoft\EdgeUpdate\

source: Microsoft

With the help of Camille Debay's Admix Validator PowerShell script, only the following are able to be used via Intune:

  • Number of PBKDF2 iterations for cached logons credentials hashing
  • Additional registry fix for CVE-2015-6161
  • Additional registry fix for CVE-2017-8529
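As an added example (not part of this issue, the Security-ADMX project, or the validator script mentioned above), the following Python script parses an ADMX file and flags every policy whose registry key sits under one of the restricted roots quoted above without matching an allow-listed location. The allow-list is a subset of the list above, the sample ADMX with its policy names and keys is constructed for illustration, and only each policy's top-level `key` attribute is checked, not keys on child elements such as `<list>`.

```python
import xml.etree.ElementTree as ET

# Roots that Intune refuses to let ingested ADMX policies write to (per the
# Microsoft text quoted in the issue), normalised to lowercase + trailing "\".
RESTRICTED_ROOTS = ("system\\", "software\\microsoft\\", "software\\policies\\microsoft\\")
# Allow-listed locations beneath those roots; a subset of the issue's list.
ALLOWED_PREFIXES = tuple(p.lower() + "\\" for p in (
    r"Software\Policies\Microsoft\Office",
    r"Software\Microsoft\Office",
    r"Software\Microsoft\Windows\CurrentVersion\Explorer",
    r"Software\Microsoft\Internet Explorer",
    r"Software\Policies\Microsoft\Windows\CurrentVersion\Explorer",
    r"Software\Microsoft\OneDrive",
    r"Software\Microsoft\Edge",
    r"Software\Microsoft\EdgeUpdate",
))
ADMX_NS = {"a": "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"}

def key_is_ingestable(key: str) -> bool:
    """True if Intune ADMX ingestion may write under this registry key."""
    k = key.lower().replace("/", "\\").strip("\\") + "\\"
    if not k.startswith(RESTRICTED_ROOTS):
        return True            # outside the protected roots: always allowed
    return k.startswith(ALLOWED_PREFIXES)  # trailing "\" keeps EdgeUpdate from matching EdgeUpdateX

def audit_admx(admx_xml: str) -> list[tuple[str, str]]:
    """Return (policy name, key) for every policy whose key Intune would reject.
    Only the <policy key="..."> attribute is checked; keys on child elements
    (e.g. <list key=...>) are not inspected."""
    root = ET.fromstring(admx_xml)
    return [(p.get("name", "?"), p.get("key", ""))
            for p in root.iterfind(".//a:policies/a:policy", ADMX_NS)
            if not key_is_ingestable(p.get("key", ""))]

# Constructed sample ADMX (not the Security-ADMX template); keys are illustrative.
SAMPLE_ADMX = r"""<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="RestrictPrintDriverInstall" class="Machine" displayName="$(string.p1)"
            key="Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
            valueName="RestrictDriverInstallationToAdministrators"/>
    <policy name="OfficeMacroSetting" class="User" displayName="$(string.p2)"
            key="Software\Policies\Microsoft\Office\16.0\Common" valueName="Example"/>
    <policy name="VendorHardening" class="Machine" displayName="$(string.p3)"
            key="Software\Policies\ExampleVendor\Hardening" valueName="Example"/>
  </policies>
</policyDefinitions>"""

if __name__ == "__main__":
    for name, key in audit_admx(SAMPLE_ADMX):
        print(f"BLOCKED: {name} -> {key}")
```

Running it against a real template before uploading shows which settings will fail with the 0x20101 error above, so they can be delivered another way (for example via a custom OMA-URI or a script) rather than discovered one by one in the Intune portal.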