As organizations move from traditional on-premises Group Policy to cloud-based device management with Microsoft Intune, a common challenge emerges: what to do with existing custom ADMX files. These files often represent years of investment in policy enforcement for line-of-business apps, security baselines, and Windows configuration.
While Microsoft Intune supports ADMX ingestion (also called ADMX consumption), it isn’t always the best option. This post outlines when to use ADMX ingestion, its pros and cons, and alternative approaches.
When?
Planning a move away from on-prem dependencies to a cloud-based endpoint management environment? Think in advance about how you will consume and manage custom ADMX files. These files are typically created to support the configuration of line-of-business applications or custom configurations. Other than driving the administrative experience in Group Policy, they also define the specific settings and values to be managed.
Why?
ADMX files drive the administrative experience in Group Policy. This post explains the nature and value of these files in more detail.
Intune does not use ADMX files for anything other than understanding the possible administrative intent. It consumes the file and creates a custom configuration profile that can be managed in Intune.
ADMX files were not only artifacts of Group Policy (GP) from the beginning but also allowed IT pros to define settings for apps and scenarios not natively covered by GP. Anything in the registry was fair game for custom ADMX. It provided admins with significant flexibility in endpoint management.
That said, there are some considerations. Just because you ‘can’ do something doesn’t mean you ‘should’. (I’m pretty sure my dad said that to me constantly!)
What to Consider When Migrating Custom ADMX files to Intune?
When thinking through your Group Policy environment, it is important to take a few moments to consider the need. Just because you are doing some endpoint management thing in GP does not mean you want to do it in Intune.
Before migration, ask yourself
- What do these settings do?
- Why are we managing these settings?
- What teams, users, groups, roles, etc. should be impacted by these settings?
- Are there regulatory implications to consider?
Only proceed with settings your organization still requires. Leave those other latent settings alone and take time to clear up the shop.
Natively, you need to manually pick settings to migrate from GP and evaluate their compatibility with Intune. With products like GPO Migrator or Change Manager for Group Policy/Intune, you can quickly map your settings between Group Policy and Intune and check compatibility upfront.
Pros and Cons of ADMX Consumption in Intune
Advantages
- Reuses existing investments in custom ADMX files
- Enables management of unsupported or niche settings
- Helps accelerate GPO-to-Intune migration
- No need to modify application code
Limitations and Risks
- Higher complexity than Settings Catalog profiles
- Requires manual Open Mobile Alliance – Uniform Resources (OMA-URI) construction
- No built-in validation or policy user interface
- Troubleshooting can be difficult
- Not future-proof, as Microsoft favors CSP-based management
Key takeaway:
ADMX ingestion is powerful—but best treated as a transitional or specialized solution, not a default strategy.
Alternatives
To state maybe the obvious, Settings Catalog is amazing and provides Microsoft the ability to quickly and regularly update the environment with limited engineering. But it only provides what Microsoft puts in there. It is not extensible.
When doing ADMX ingestion, a custom policy is created. In this document on OMA-URIs, Microsoft explains all this in detail. There are a few examples of where you can put your fingers on the service and really nail your understanding of what is happening in the background.
Custom policies only allow you to use settings already defined in the Configuration Service Providers (CSPs); therefore, you may have settings not defined in the available CSPs. What then? Microsoft Intune and Settings Catalog, and other things, use CSPs as the source of the actual settings definitions. This is similar to how Group Policy Editor and GPMC use ADMX files as the source for values.
If you need parity with existing GP or have a specific business-critical need, you may consider ADMX ingestion. Another use case is when you are simply trying to support the configuration of custom registry values that are not present in the Settings Catalog. In this case, ADMX ingestion may work out, given the known limitations and complexities.
This is surely up to opinions, but I prefer leaning on PowerShell scripts to deploy those configurations.
Final Thoughts
Custom ADMX ingestion in Microsoft Intune fills an important gap—but it should be used deliberately and sparingly. For organizations transitioning from Group Policy, it can provide short-term continuity, but Settings Catalog and native CSPs should remain the long-term goal.
If you treat ADMX ingestion as a bridge, not a destination, you’ll avoid complexity while still supporting the configurations your business depends on.
FAQ
FAQ
Q: What are custom ADMX files and why do organizations use them?
A: Custom ADMX files define administrative templates for Group Policy, allowing organizations to manage settings for line-of-business applications, unique security requirements, or Windows configurations not natively supported by Group Policy.
Q: Can I use my existing custom ADMX files in Microsoft Intune?
A: Yes, Intune supports ADMX ingestion, allowing you to reuse your existing custom ADMX files. However, it is best treated as a transitional or specialized solution due to added complexity and no native built-in validation features.
Q: What should I consider before migrating custom ADMX files to Intune?
A: Review which settings are still needed, assess compatibility with Intune, and determine if those settings should be managed in the cloud. Only migrate what your organization truly requires.
Q: How can I make the migration of custom ADMX files to Intune easier?
SDM Software products, such as GPO Migrator or Change Manager for Group Policy/Intune, allow you to quickly map your settings between Group Policy and Intune and check compatibility upfront.
Q: Are there alternatives to ADMX ingestion in Intune?
A: Yes. The Settings Catalog is the preferred approach for supported scenarios, offering easier management and frequent updates. For advanced or unsupported configurations, PowerShell scripts can also be used.
Q: Is ADMX ingestion in Intune a long-term solution?
A: No. While useful for bridging the gap during migration, Microsoft favors CSP-based management and the Settings Catalog for the long term. Use ADMX ingestion sparingly and focus on moving to supported, future-proof solutions.