Ingest Zoom ADMX and manage Zoom settings using Microsoft Intune

Recently I got a request to manage Zoom settings using Microsoft Intune. The most specific setting which was requested is How to configure autoupdate setting of Zoom desktop client using Intune. There are three options for configuring Zoom Desktop Client.

You can use an MSI Installer and deploy using pre-configured settings / switches or You can use ADMX files and configure it using Microsoft Intune using Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings or you can manually configure each device by using registry editor.

In this blog post, we will use ADMX Template file and OMA-URI settings and using this we will configure few common zoom configuration settings.

• Using MSI Installer.
• Active Directory administrative templates via GPO or Intune.
• Updating registry keys on windows machines manually.

There are two parts to managing Zoom Desktop Client setings using Intune.

• Push Zoom ADMX Template File to all the devices you want to manage by using Device Configuration Profile.
• Create Device Configuration Profile to configure specific settings using OMA-URI.

Download Zoom ADMX Template File

First, download Zoom ADMX template file using this link: Mass-deploying with Group Policy Objects. Search for the Section “Available Templates” and click on Policies for version 5.11.3 or whichever latest version available.

Extract the contents of the zip file in a folder and Find the .admx file. There are two version of Zoom Meeting ADMX files available one is for User based policies which are named as HKCU and other one is Machine based Zoom Meetings Policies which are named as HKLM. We will be using HKLM version of the policies which are Machine based policies. File Name: ZoomMeetings_HKLM.admx.

Ingest Zoom ADMX Template file In Intune

Once you have downloaded Zoom ADMX Template File, now you will need to Ingest it into Intune and assign this to all managed devices. Please follow below steps to Ingest Zoom ADMX file in Intune.

There is also a new way to Import ADMX files in Intune. Please refer to the article How To Import ADMX Files In Intune to know more detailed information / step by step guide.

• Login on Microsoft Endpoint Manager admin Center.
• Click on Devices -> Configuration profiles.
• Clicon on + Create Profile.
• Select Platform as Windows 10 and later
• Profile Type: Templates
• Template Name: Custom

Basics Tab

Name: Zoom ADMX Template Ingestion

Description: This device Profile configuration will ingest Zoom ADMX template in Intune for managing Zoom Desktop Client Settings.

Configuration settings Tab

Click on Add to add OMA-URI Settings as per below. Click on Save once you have added all below settings.

Name	Zoom ADMX Import
Description	Importing Zoom ADMX Template
OMA-URI	./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/zoom/Policy/zoom
Data type	String
Value	Open ADMX file ZoomMeetings_HKLM.admx and copy all the contents of the file and paste it in Value field.

After you click on Save, you can verify the OMA-URI Settings and click on Next to Proceed.

Assignments Tab

Assign this device Configuration profile to either All devices or All Users or if you want to assign this device configuration profile to specific devices then you can create an Azure AD Security group and add devices into the group.

Add the group in Included groups section of this Policy. As in my organization, Zoom is being used by all users and installed on all the devices. Therefore, I will be pushing zoom ADMX template on all devices.

Review + Create

Review the device configuration profile settings and then click on Create button to create this policy.

Once the policy has been created successfully. It will take some time to deploy on target machines. You can click on Device Configuration profile created and check the status from Device and user check-in status. As you can see from below screenshot, the admx file has been ingested into two machines successfully.

Verify Zoom ADMX Template Ingestion on End User Device

You have already confirmed the deployment of Zoom ADMX Template Ingestion using Intune Device Configuration Profile monitoring. It has been successfully deployed on 2 devices. How to confirm If Zoom ADMX Template has been ingested on the device ?. You can confirm it using Registry Editor by checking two registry keys AdmxInstalled and AdmxDefault.

• Go to Start -> Search for Registry Editor. Click on Registry Editor to Open.
• Find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled Registry Key.
• Expand the GUID and then Expand zoom -> Policy -> zoom to verify the ADMX template Installation.

Go to the registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault and Expand the GUID and you can see that the registry keys created for zoom configuration which confirms that the template has been ingested successfully on the device. If you have deployed Zoom ADMX template to hundered’s of devices, you don’t need to verify it on each and every device. You can monitor device configuration profile for Zoom ADMX Ingestion from Microsoft Endpoint Manager Admin center.

Manage Zoom Desktop Client settings using Intune device configuration Profile OMA-URI Settings

Now, we have deployed ADMX template to all our devices, we can manage Zoom desktop client settings via Intune device configuration profile by using OMA-URI path.

You will not be able to find the settings via Intune User Interface to configure. Therefore, OMA-URI path needs to be created for each setting and then used to configure a particular setting of the application. Let’s look at how you can create OMA-URI Path for each settings.

How to build an OMA-URI

To build OMA-URI path for any setting, we need to refer to ZoomMeetings_HKLM.admx file which was downloaded earlier.

I will provide an example OMA-URI path which we will use to configure Zoom AutoUpdate setting and we will then deconstruct the path to understand how its created.

Zoom AutoUpdate OMA-URI Setting
./Device/Vendor/MSFT/Policy/Config/zoom~Policy~ZoomUsCommunication~zoomupdates/AU2_EnableAutoUpdate_Policy

./<scope>/Vendor/MSFT/Policy/Config/AreaName/PolicyName

The first part is ./<scope> which can either be Device or User. As we are configuring a Device based policy, we will use Device keyword for our scope.

./Device/Vendor/MSFT/Policy/Config/

Second Part is /Vendor/MSFT/Policy/Config/ -> This will remain the same for each setting you are going to configure.

./<scope>/Vendor/MSFT/Policy/Config/AreaName/PolicyName

Third Part is /AreaName/PolicyName this is what we need to construct according to the setting which we want to configure. Open ZoomMeetings_HKLM.admx file and search for the policy you want to configure.

For example: We want to configure Zoom AutoUpdate Policy. Search for AU2_EnableAutoUpdate_Policy. As you can see from below screenshot. Policy Name is: AU2_EnableAutoUpdate_Policy and its ParentCategory is zoomupdates. ZoomUsCommunication is parent category of zoomupdates.The Policy supports two values either Enabled or Disabled. Let’s now create our OMA-URI path based on these values we got from zoom admx file.

./Device/Vendor/MSFT/Policy/Config/zoom~Policy~ZoomUsCommunication~zoomupdates

The last part of the OMA-URI is the policy setting name which we want to configure. As we know the name of the Policy setting is AU2_EnableAutoUpdate_Policy. We will use it for the PolicyName part of OMA-URI.

./Device/Vendor/MSFT/Policy/Config/zoom~Policy~ZoomUsCommunication~zoomupdates/AU2_EnableAutoUpdate_Policy

Tip
You can also refer to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault registry location to find the AreaName part of the Policy instead of searching through admx to find parentcategory.

Manage Zoom AutoUpdate Setting using Intune

As we now know how to contruct OMA-URI path for a particular setting which we want to configure. You can create OMA-URI path for any other setting using the information provided in ZoomMeetings_HKLM.admx. We can use the OMA-URI Path we created for managing AutoUpdate setting of Zoom, lets create a Device Configuration Profile on Microsoft Endpoint Admin Center and push this setting to the device.

• Login on Microsoft Endpoint Manager admin Center.
• Click on Devices -> Configuration profiles.
• Clicon on + Create Profile.
• Select Platform as Windows 10 and later
• Profile Type: Templates
• Template Name: Custom

On Basics tab, Provide Name and Description of the device configuration profile. As we are configuring Zoom AutoUpdate using this configuration profile, we have used Name: Zoom AutoUpdate Enable and Description as “This Policy will Enable Zoom AutoUpdate on all Devices“

On Configuration settings tab, Click on Add to add OMA-URI Settings as per below. Click on Save once you have added all below settings.

Name	Zoom Autoupdate
Description	Enable Zoom AutoUpdate
OMA-URI	./Device/Vendor/MSFT/Policy/Config/zoom~Policy~ZoomUsCommunication~zoomupdates/AU2_EnableAutoUpdate_Policy
Data type	String
Value	<enabled/>

Once you click on Save button you can confirm that OMA-URI Setting has been added.

On Assignments tab, You can either add All devices or Add all users or create an Azure AD security group with specific devices or users and then add it to Configure this setting. I will be configuring this setting on All devices.

Review + create

Review the Profile configuration and then create this device configuration policy.

Monitoring

To check if the Device Configuration Profile has been deployed successfully. Please follow below steps:

• From Microsoft Endpoint Manager admin center, Click on Devices on the left hand side.
• Click on Configuration Profiles.
• Search for Zoom Autoupdate Enable device configuration profile.
• In the Overview section you can check the deployment status.

Confirm Setting from End User Device

After assignment of this device configuration policy to all the devices. You can monitor the status from the Microsoft Endpoint Manager Admin Center but you can also verify it on one or two devices manually to make sure that this policy is applying successfully. We will now check the device to verify if Zoom Autoupdate setting is applied successfully.

Force Initiate Intune Policy Refresh on Device Manually

If you check Zoom AutoUpdate setting on a device and it has not been applied then it could be that device is waiting for check-in to Intune to get the Policy. Usually when any assignment action happens on Intune for a device, Device starts to check-in immediately and get the policy. In case its taking longer then you can also force initiate Intune Policy refresh cycle. You can more information about this by on this blog post: How to force Intune Sync manually from a Windows device – CloudInfra

From Registry Editor

Follow below steps to Verify Zoom Desktop Client AutoUpdate setting:

• Go to Start -> Type Regedit and click on Registry Editor.
• Find the Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Zoom\Zoom Meetings\Updates.
• You can check an Regisry Entry on the right hand side: AU2_EnableAutoUpdate which is now set to 1.

Please note that as this setting is configured using Intune, User will not be able to change it as its a global setting on the device. The Auto Update checkbox in Zoom Application will be checked and greyed out. It will only be managed using Intune.

From Zoom Desktop Client

You can also verify this setting from Zoom Desktop Client application. Please follow below steps to check this setting.

• Login on Zoom Meeting application / Zoom Cloud Meetings application / Zoom Desktop Client.

Click on Settings Icon.

Click on General. Scroll down on the general settings page to find Zoom Updates setting. As you can see that the setting is currently enabled and cannot be changed by user as its managed by Intune,

Conclusion

In this blog post, we have seen how to Ingest Zoom admx file into Intune, how to contruct OMA-URI Path for any Admx setting and Configured Zoom AutoUpdate using Intune OMA-URI Path. Not only AutoUpdate setting but you can manage all other Zoom Settings via Intune. You can contruct OMA-URI path for each setting by referrring to the Admx file and then use it to configure the setting on the device for Zoom Application.