OVERVIEW
This article details using ADMX templates for configuration deployment from Active Directory Group Policy or Intune Configuration Profiles.
SOLUTION
Active Directory Group Policy Management

1. Extract the contents: Copy the provided zip file to a convenient location and extract it.

2. Locate the PolicyDefinitions folder: Identify the appropriate location for the ADMX and ADML files:
   ▪ Central Store (recommended for domain environments): \\{domain.com}\SYSVOL\{domain}\policies\PolicyDefinitions
   ▪ Local computer (if not using a Central Store): %systemroot%\PolicyDefinitions
   Important: ADML files must reside in language-specific subfolders within the PolicyDefinitions directory. For example, U.S. English ADML files belong in a subfolder named en-US.

3. Copy the ADMX files: Copy both Okta.admx and OktaODA.admx to the PolicyDefinitions folder:
   ▪ Central Store: \\{domain.com}\SYSVOL\{domain}\policies\PolicyDefinitions
   ▪ Local computer: %systemroot%\PolicyDefinitions

4. Copy the ADML files: Copy both Okta.adml and OktaODA.adml to the corresponding language subfolder (e.g., en-US) within the PolicyDefinitions folder:
   ▪ Central Store: \\{domain.com}\SYSVOL\{domain}\policies\PolicyDefinitions\en-US
   ▪ Local computer: %systemroot%\PolicyDefinitions\en-US

5. Open the Group Policy Editor:
   ▪ Press Windows Key + R to open the Run dialog.
   ▪ Type gpedit.msc and press Enter.

6. Verify template availability:
   ▪ Navigate to Computer Configuration -> Policies -> Administrative Templates.
   ▪ The Okta -> Okta Device Access policy settings should now be visible under Administrative Templates.
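The file placement in steps 2 through 4, as an added PowerShell script that is not part of the original article. It assumes the zip was extracted to $SourceFolder and, when -CentralStore is used, that the machine is domain-joined so $env:USERDNSDOMAIN holds the domain FQDN used for both parts of the SYSVOL path.

```powershell
# Added example, not from the original article: place the Okta ADMX/ADML files in the
# Central Store or the local PolicyDefinitions folder, then confirm the placement.
# Assumptions: $SourceFolder is where the zip was extracted; with -CentralStore the
# machine is domain-joined, so $env:USERDNSDOMAIN holds the domain FQDN.
param(
    [string]$SourceFolder = 'C:\Temp\OktaADMX',   # assumed extraction location
    [string]$Language     = 'en-US',              # ADML language subfolder
    [switch]$CentralStore                         # omit to target the local computer
)

$ErrorActionPreference = 'Stop'

if ($CentralStore) {
    $domain = $env:USERDNSDOMAIN
    $policyDefinitions = "\\$domain\SYSVOL\$domain\policies\PolicyDefinitions"
} else {
    $policyDefinitions = Join-Path $env:SystemRoot 'PolicyDefinitions'
}
# ADML files must live in the language-specific subfolder (e.g. en-US).
$languageFolder = Join-Path $policyDefinitions $Language
New-Item -ItemType Directory -Path $languageFolder -Force | Out-Null

foreach ($name in 'Okta', 'OktaODA') {
    # The zip may ship each ADML next to its ADMX or inside its own en-US folder,
    # so search the extracted tree rather than assuming a layout.
    $admx = Get-ChildItem -Path $SourceFolder -Recurse -Filter "$name.admx" | Select-Object -First 1
    $adml = Get-ChildItem -Path $SourceFolder -Recurse -Filter "$name.adml" | Select-Object -First 1
    if (-not $admx -or -not $adml) { throw "Could not find $name.admx / $name.adml under $SourceFolder" }

    Copy-Item -Path $admx.FullName -Destination $policyDefinitions -Force
    Copy-Item -Path $adml.FullName -Destination $languageFolder    -Force
}

# Confirm every file is where the Group Policy Editor will look for it.
foreach ($name in 'Okta', 'OktaODA') {
    $expected = @(
        (Join-Path $policyDefinitions "$name.admx"),
        (Join-Path $languageFolder    "$name.adml")
    )
    foreach ($path in $expected) {
        if (Test-Path -Path $path) { "OK       $path" } else { "MISSING  $path" }
    }
}
```

Run it from an elevated PowerShell session, since both %systemroot%\PolicyDefinitions and the SYSVOL Central Store require administrative write access.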
Configuring Group Policy Settings

1. Access policy settings: Within the Group Policy Editor, navigate to the specific Okta Device Access policy setting you wish to modify.
2. Enable policies: Double-click the desired policy setting and select "Enabled".
3. Configure settings: Make the necessary adjustments to the policy options.
4. Apply changes: Click "Apply" and then "OK" to save the configuration.

Example:
   ▪ To configure "AllowedFactors", double-click "AllowedFactors" and select "Enabled".
   ▪ In the settings below, enter * in the text box.
   ▪ Click "Apply" and then "OK" to save the configuration.

Verify Registry Changes

On a client machine affected by the GPO, you can verify that the policy settings have been applied by checking the corresponding registry entries. The specific registry keys modified depend on the policy configured.

Example: Navigate to HKLM\Software\Policies\Okta\Okta Device Access and verify whether "AllowedFactors" is present and set to the value you configured.

Keys under HKLM\Software\Policies\Okta\Okta Device Access Backend are for service purposes; do not modify these registry settings.
Intune Configuration Profiles

Import the ADMX templates

1. Navigate to the Intune admin center: Open your web browser and go to the Microsoft Intune admin center.

2. Access device configuration:
   ▪ In the left-hand navigation pane, select Devices.
   ▪ Under Manage devices, select Configuration.

3. Import ADMX:
   ▪ Click the Import ADMX tab.
   ▪ Upload files:
     - ADMX file: Click "Browse" or drag and drop your Okta.admx file.
     - ADML file for default language: Click "Browse" or drag and drop the corresponding Okta.adml file (e.g., from the en-US folder).
   ▪ Once the files are uploaded, Intune validates them.
   ▪ If validation is successful, click Next.
   ▪ Review the summary and click Create.
   ▪ The imported template now appears in the list of imported administrative templates. Wait for the "Upload status" to show "Available".

4. Repeat the above steps to import the OktaODA.admx ADMX file and the OktaODA.adml ADML file.
Create a configuration profile using the imported ADMX

Once the ADMX/ADML files are successfully imported, you can create a configuration profile to deploy these settings:

1. Navigate to Configuration: Go to Devices -> Manage devices -> Configuration.

2. Create policy:
   ▪ Click Create -> New Policy.
   ▪ Platform: Select Windows 10 and later.
   ▪ Profile type: Select Templates.
   ▪ In the template list, choose Imported Administrative templates (Preview).
   ▪ Click Create.

3. Basic information:
   ▪ Name: Provide a descriptive name for the profile (e.g., "Okta_ODA_Intune").
   ▪ Description: (Optional) Add a description for the profile.
   ▪ Click Next.

4. Configuration settings:
   ▪ The settings defined in your ADMX file are displayed, categorized as "All Settings", "Computer Configuration" and "User Configuration".
   ▪ Browse to "Computer Configuration" -> "Okta" -> "Okta Device Access" to configure.
   ▪ For each setting:
     - Select the setting.
     - Choose Enabled, Disabled, or Not Configured.
     - If Enabled, configure any associated values (e.g., text input, dropdown selection) as defined in the ADMX.
   ▪ Example:
     - To configure "AllowedFactors", double-click "AllowedFactors" and select "Enabled".
     - In the settings below, enter * in the text box.
     - Click OK.
   ▪ Click Next after configuring all desired settings.

5. Scope tags (optional):
   ▪ Assign scope tags if your organization uses them for role-based access control.
   ▪ Click Next.

6. Assignments:
   ▪ Included groups: Click Add groups and select the Azure AD user or device groups to which this policy should apply. Computer Configuration settings should be assigned to device groups.
   ▪ Click Next.

7. Review + create:
   ▪ Review all the settings and assignments.
   ▪ Click Create to deploy the profile.
VERIFYING ADMINISTRATIVE TEMPLATE CHANGES ON CLIENT MACHINES
After the policy has been assigned and client devices have synced with Intune, you can verify the changes using the following methods. The default Intune policy sync cycle for Windows devices is approximately every 8 hours; however, a sync can be initiated manually to expedite policy application.

Manually initiating an Intune sync

From the Company Portal app (if installed):
   ▪ Open the Company Portal app on the Windows device.
   ▪ Go to Settings (often represented by a gear icon or found in a menu).
   ▪ Look for a Sync button or option and click it. This initiates a check-in with Intune.

From the Windows Settings app:
   ▪ Open Settings on the Windows device (Windows Key + I).
   ▪ Go to Accounts.
   ▪ Select Access work or school.
   ▪ Click the account connected to Azure AD/Intune (e.g., "Connected to <YourOrganization>'s Azure AD").
   ▪ Click the Info button.
   ▪ Scroll down to the "Device sync status" section and click the Sync button.

Once the sync is complete (which may take a few minutes), proceed with the verification methods below.

Event Viewer
   ▪ Intune uses the DeviceManagement-Enterprise-Diagnostics-Provider event log to record MDM policy application.
   ▪ Open Event Viewer: On the client machine, press Windows Key + R, type eventvwr.msc, and press Enter.
   ▪ Navigate to the log: Go to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
   ▪ Look for relevant events: Filter for events related to policy application. Event ID 813 indicates that a policy (such as an ADMX setting) was successfully applied. Event ID 814 indicates a successful Set command for a policy.

Registry Editor
   ▪ Since ADMX settings configure registry keys, you can verify them directly in the Registry Editor.
   ▪ Open Registry Editor: On the client machine, press Windows Key + R, type regedit, and press Enter.
     Caution: Be extremely careful when navigating and modifying the registry. Incorrect changes can cause system instability.
   ▪ Verify registry changes: On a client machine, you can verify that the policy settings have been applied by checking the corresponding registry entries, i.e., HKLM\Software\Policies\Okta\Okta Device Access. The specific registry keys modified depend on the policy configured.
   ▪ Example:
     - Navigate to HKLM\Software\Policies\Okta\Okta Device Access and verify whether "AllowedFactors" is present.
     - Check that the registry key and value exist and that the data matches the configuration you set in the Intune policy.

Keys under HKLM\Software\Policies\Okta\Okta Device Access Backend are for service purposes; do not modify these registry settings.
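The registry check (described both for the GPO deployment earlier in the article and for Intune here) and the Event Viewer check, combined into one added PowerShell script that is not part of the original article. Only the registry path, the log name and the Event IDs 813/814 come from the article; the 'Okta' text filter on event messages is an assumption about how the ADMX-ingested policy is named in those events.

```powershell
# Added example, not from the original article: confirm on a client that the Okta
# Device Access settings arrived, first via the policy registry key, then via the
# Intune MDM diagnostics event log (Event IDs 813 and 814 named in the article).
# Assumption: the 'Okta' message filter below is a guess at how ADMX-ingested
# policies are labelled in those events; widen or drop it if nothing matches.
$policyKey = 'HKLM:\SOFTWARE\Policies\Okta\Okta Device Access'
# HKLM:\SOFTWARE\Policies\Okta\Okta Device Access Backend is service-owned: read only.

# 1. Registry check: list every value written under the policy key.
if (Test-Path -Path $policyKey) {
    $values = Get-ItemProperty -Path $policyKey
    $values.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |          # drop PSPath, PSParentPath, ...
        ForEach-Object { '{0,-24} = {1}' -f $_.Name, $_.Value }

    if ($null -ne $values.AllowedFactors) {
        "AllowedFactors is set to '$($values.AllowedFactors)' (the walkthrough uses *)."
    } else {
        'Policy key exists but AllowedFactors has not been written yet.'
    }
} else {
    "Policy key not found: $policyKey (policy not applied, or sync still pending)."
}

# 2. Event log check: 813 = policy applied, 814 = successful Set command.
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 813, 814 } `
                       -MaxEvents 200 -ErrorAction SilentlyContinue
$events |
    Where-Object { $_.Message -match 'Okta' } |           # assumed filter, see above
    Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap
```

Reading the Admin log requires an elevated session; if the registry value is present but no 813/814 events mention it, the setting most likely arrived via Group Policy rather than Intune.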
