Updated: Converting group policy settings (ADMX templates) into Fixlets

Hello!

I decided it would be fun to start playing around with converting ADMX templates to fixlets and I wanted to share my progress here.

My current version of the ADMX to Fixlet converter is as follows:
Enable/Disable:

Dropdown Selection:
```
("" & it & "") of concatenations "" of ("" & item 5 of it & " - " & item 1 of it & " - " & item 2 of it & "<![CDATA[<" & escape of concatenations "
" of substrings separated by "%0a" of item 4 of it & "> ]]>not exists (key %22HKEY_LOCAL_MACHINE" & item 4 of it & "%22 of registry) whose (exists value %22" & item 1 of it & "%22 of it and value %22" & item 1 of it & "%22 of it = " & item 3 of it & ")Click here to deploy this action." & "regset %22[HKEY_LOCAL_MACHINE" & item 4 of it & "]%22 %22" & item 1 of it & "%22=dword:" & item 3 of it & "") of (item 0 of it, item 0 of item 1 of it, node value of child node of item 1 of (it,(selects "/policyDefinitionResources/resources/stringTable/string" of xml document of file "C:\Windows\PolicyDefinitions\en-US\WindowsUpdate.adml")) whose ( node value of attribute "id" of item 1 of it = item 0 of it) of ((preceding text of first ")" of following text of first "." of (item 0 of item 1 of item 1 of it))) | "None", item 1 of item 1 of item 1 of it, item 2 of it, item 3 of it) of (attribute "name" of it as text, (attribute "valueName" of it as text, (attributes "displayName" of it as text, attributes "value" of selects "value/decimal" of it as text) of selects "item" of it) of (selects "elements/enum" of it), attribute "key" of it as text, node value of child node of item 1 of (it,(selects "/policyDefinitionResources/resources/stringTable/string" of xml document of file "C:\Windows\PolicyDefinitions\en-US\WindowsUpdate.adml")) whose ( node value of attribute "id" of item 1 of it = item 0 of it) of ((preceding text of first ")" of following text of first "." of (attribute "displayName" of it as text))) | "None") of ((child nodes of selects "/policyDefinitions/policies" of xml document of file "C:\Windows\PolicyDefinitions\WindowsUpdate.admx") whose (((attribute "class" of it as text) equals "Machine" or (attribute "class" of it as text) equals "Both") and exists attribute "valueName" of it as text and exists selects "elements" of it))
```

This will create a fixlet for each policy that has a drop-down. This will create a large number of fixlets depending on how many dropdown options there are.

To use the output, copy it to a .bes file and import it into your console!

At the moment this has the following limitations:

  1. Only works for Enable/Disable and drop down security policies in Group Policy at the moment
  2. I might need to modify it to do x64 registry on x64 and x86 registry on x86…

The next steps I think will be to prompt the console operator for the name of the ADMX and ADML templates (or assume the ADML template from the name of the ADMX template) and then automatically upload the corresponding fixlets to BigFix automatically. Finally, support for non enable/disable fixlets would be cool too!

3 Likes
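
The dropdown conversion described in the post above, written in Python as an added example (not the poster's relevance and not BigFix code): it applies the same policy filter to constructed sample ADMX/ADML text and returns one title, relevance and action per enum item. The policy names, registry key and helper names are made up for illustration, and writing the dword data as eight hex digits is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample data (not a real template) in the ADMX/ADML layout the post's relevance walks.
ADMX = r"""<policyDefinitions><policies>
  <policy name="SampleSchedule" class="Machine" displayName="$(string.SampleSchedule)"
          key="Software\Policies\Example\Sample" valueName="Enabled">
    <elements><enum id="Hour" valueName="ScheduleHour">
      <item displayName="$(string.Hour0)"><value><decimal value="0"/></value></item>
      <item displayName="$(string.Hour1)"><value><decimal value="1"/></value></item>
    </enum></elements>
  </policy>
  <policy name="UserOnly" class="User" key="Software\Policies\Example\User" valueName="Off"/>
</policies></policyDefinitions>"""
ADML = """<policyDefinitionResources><resources><stringTable>
  <string id="SampleSchedule">Select a time to check for updates</string>
  <string id="Hour0">0:00</string><string id="Hour1">1:00</string>
</stringTable></resources></policyDefinitionResources>"""

def find(node, name):  # match on local tag name so namespaced templates also work
    return [n for n in node.iter() if n.tag.rsplit("}", 1)[-1] == name]

def resolve(ref, strings):  # "$(string.Id)" -> ADML text, "None" if missing (as in the post)
    return strings.get(ref.partition(".")[2].partition(")")[0], "None")

def dropdown_fixlets(admx_xml, adml_xml):
    strings = {s.get("id"): s.text or "" for s in find(ET.fromstring(adml_xml), "string")}
    out = []
    for pol in find(ET.fromstring(admx_xml), "policy"):
        if pol.get("class") not in ("Machine", "Both") or not pol.get("valueName"):
            continue  # same filter as the post: machine-scope policies with a valueName
        key = "HKEY_LOCAL_MACHINE\\" + pol.get("key", "")
        for enum in find(pol, "enum"):
            name = enum.get("valueName") or pol.get("valueName")
            for item in find(enum, "item"):
                dec = find(item, "decimal")
                if not dec:
                    continue  # non-numeric items are outside what the post covers
                n = int(dec[0].get("value"))
                out.append({
                    "title": " - ".join([resolve(pol.get("displayName", ""), strings), name,
                                         resolve(item.get("displayName", ""), strings)]),
                    "relevance": f'not exists (key "{key}" of registry) whose '
                                 f'(exists value "{name}" of it and value "{name}" of it = {n})',
                    # Assumption: regset takes dword data as 8 hex digits, like a .reg file.
                    "action": f'regset "[{key}]" "{name}"=dword:{n:08x}',
                })
    return out
```

Each returned dictionary corresponds to one generated fixlet; the user-scope policy in the sample is skipped by the class filter.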

This is related, though not helpful: Idea: Automatically create config tasks based upon ADMX templates

I think I’ve decided that I’m not terribly interested in Group Policy objects that prompt for a field, as those are basically impossible to write good fixlets for anyway (in that you can’t verify the value, just see if it doesn’t exist).

If anyone has any thoughts on a way to achieve this let me know!

1 Like

Does the ADMX list the possible values?

In the case that the ADMX lists possible values, my second piece of relevance will generate fixlets for those items. So for the setting like, “Select a time to check for updates” with possible values of, “0:00” or “1:00” or “2:00” or … or “23:00” or “24:00” the second piece of relevance will generate a fixlet for every possible value (in this case, 24 fixlets).

It’s settings like, “Specify a Windows Update Server” where you would give it, “http://yourWSUSserver:port” that I would have difficulty creating fixlets for.

In that case you generate a fixlet that generates a fixlet for that specific setting, including setting the relevance to the WSUS server given by the user when prompted.