Skype for Business Client ADMX Group Policy Template

Over the weekend, I decided to “improve” the Office 2013 ADMX template for Skype for Business client. Having deployed Skype for Business server for a few customers there are certain end user experience requirements that could not be delivered using the standard ADMX provided by Microsoft. To avoid the worry of pushing out settings using batch files and registry imports which at the best of times can have its own unique problems, I thought why not give an ADMX a shot?

With that in mind, I decided rather than to start from scratch with my own ADMX, I would use the Office 2013 ADMX as a baseline.

Although, the improvements are by no means ground breaking it lifts the complexity of some of the common questions posed by end users and even some business compliance requirements. Hopefully, someone will find them useful🙂

I should probably point out here, that this ADMX is not supported by Microsoft, but I have tested this on several machines and had no catastrophic problems. Enter the usual disclaimer: Use at your own risk!

Features Added

  • Automatically add Windows Firewall rules to the client workstation when Skype for Business starts
  • Disable to first-run video of Skype for Business Client
  • Set Skype for Business client as the default IM Provider on the client workstation
  • Force Skype for Business client to start when user signs in to the workstation
  • Disable the conversation preservation state
  • Change the default trace logging directory to a custom location (wouldn’t use this for hot desk / multiple SIP account machines)
  • Enable Windows Event logging for the Skype for Business client (use for troubleshooting only!)
  • Disable IM Spell Checking
  • Disable the use of Emoticons and disable viewing of Emoticons

Screenshot

 

Installation Instructions

  1. Download the Office 2013 ADMX files from Microsoft – http://www.microsoft.com/en-gb/download/details.aspx?id=35554
  2. Extract files to a folder of your choice.
  3. Copy the ADMX and ADML files to your Group Policy central store
  4. Download the Skype for Business ADMX from my One Drive – http://1drv.ms/1CgwEng
  5. Extract the files, and copy and paste them into your Group Policy central store. This will not overwrite the Lync ADMX file
  6. Open Group Policy Management Console and create your GPO!

It is worth noting that settings configured using the Lync ADMX will also apply to Skype for Business clients and therefore you should configure the shared settings using the supported version of the ADMX (lync) and any Skype for Business settings using the SfB ADMX.

Information

The settings in the Skype for Business ADMX are considered to be user preference settings. This means that if you apply them to a machine and later remove the GPO, the settings will not be removed. To revert the settings back to default, you must first undo your changes in the ADMX and let them apply to the workstation before removing the GPO.

32 thoughts on “Skype for Business Client ADMX Group Policy Template

  1. Thanks, we do run SfB on our primary and secondary schools where the pupils have 1 PC each. We’d like to restrict access to SfB (at least prevent it from logging on automatically) during the school day, but not ban it altogether. Is this achievable with GPO? Sorry if I’m missing something basic🙂

    Like

    1. Hi Lars

      I actually had a similar scenario where by I had to lock down Outlook and prevent that from being launched between 2 time periods in a day for corp users. The only way I managed to get this not by GPO but a mixture of Powershell and ICACLS. I created a script that basically iterated through a computer list from an OU and set the file permissions on outlook.exe (lync.exe in your case) to deny access to the executable, and then another script to allow based on the ending time. Made these scheduled tasks and stored scripts in shared folder. If using UAC, I had to use a program called runaspc to elevate the script. Dont have the example anymore as customer paid for it but you can use the same logic here.

      thanks

      Mark

      Like

  2. Hi Mark, thanks for your suggestion. I’ll try just preventing SfB automatic startup by rewriting a registry value at logon (with gpo) for now, and see if that maybe takes some pressure off. If not, I might try doing something like you suggested (I’ll have to archive it ;-)).

    I take it that this admx should work with the SfB client regardless of on-prem server or not (office 365 like we use)? I’m testing it on a couple of computers just to see if I can get it to work, but the group policy shows up as empty on the target computers, although I’ve tried to setting the policy Prevent users from running Skype for Business in computer configuration. You mention “The settings in the Skype for Business ADMX are considered to be user preference settings. ” Does this mean I don’t set the settings under comp/user configuration/policies/administrative templates? Sorry, but I’m not a very advanced GPO user, I have very limited experience with custom ADMX-es.

    Like

    1. Hi Lars
      The GPO settings should appear under user configuration / Policies / Administrative Templates / Skype for Business If you give me a few hours I will double check everything but am sure it works. Will come back to you later properly
      thanks

      Like

  3. Hi, getting an error “An appropriate resource file can not be found for file \PolicyDefinitions\sfb15.admx error+2: The system cannot find the file specified.

    Like

  4. Hi there, we have Office 365 with Skype for business 2015, We have 20+ terminal servers that users connect in and we want to be able to run Skype meetings within the terminal session (2008 R2), but when the Skype Plugin for business run the install users are not able due to policies indicating can’t install.

    how do we get around this ?

    thanks,
    Ben

    Like

    1. Hi Ben
      Using the Skype for Business client on RDS servers is not recommended for fast changing content such as video / desktop sharing meeting content, powerpoints etc. You can enable RemoteFX which gives a better experience than just RDS on its own, but not brilliant. You are unable to take advantage of the VDI plugin either as this is not supported on RDS host servers. If you had VDI then you could use this to offload the media and graphical loads onto the VDI client rather than the VDI instance.

      Sounds like your problem is going to be GPO / Security related. Must admit I have not had this requirement scenario before. Have you tried the steps in this blog article? http://blogs.technet.com/b/nettracer/archive/2013/08/04/allowing-lync-2013-webapp-plugin-in-locked-down-terminal-server-environments.aspx

      thanks
      Mark

      Like

      1. I’ve been trying to use this blog article, but app locker does not seem to work, or simply does not want to run, do we run by user or terminal server ?

        Like

      2. I’ve taken another path, but got security concern – I tried this
        Windows Server disable the perUser-Installation of a .msi per default.
        The Solution is:
        Add a Registry Key “HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer” with the Entry “DisableMSI” with the Value 0. (https://msdn.microsoft.com/en-us/library/aa368304.aspx?f=255&MSPPError=-2147217396).

        This worked by I want to look it down to only the skype plug in for business.msi file can be installed and no other msi files

        Like

  5. I’ve been trying to get these to work but without luck. Checking out registry the key that gets applied in my Windows/CurrentVersion/Run is “C:/program files (x86)\Microsoft Office 15\root\office15\lync.exe” /fromrunkey

    However this path doesn’t exist for us, our Skype is C:\Program Files (x86_\Microsoft Office\Office 15\lync.exe

    Our SFB is installed through Lync 2013 + Update to SFB. As far as i’m aware there is no standalone install for SFB for on premise.

    Any ideas?

    Like

    1. Hi
      If the machine is domain joined and the user has their UPN configured exactly like their SIP address, then this is auto filled out for you. There is a setting to auto start the client and minimize to the system tray, I think that setting is in the standard ADMX from Microsoft.

      Like

      1. The UPN and SIP are identical but its not autofilled, i set the xml to auto start which it does but I cant find the GPO for the system tray – any help is appreciated thanks for you repiy

        Like

      2. Same here, using Office 365 platform and email address is not auto filled and first thing first is still running first time Skype starts

        Like

    1. Hey Daniel, I ran into the same as you but I ended up just editing the S4B 2015 template myself and got it working that way. hope this helps

      Like

      1. Hi, if you open the ADMX and change version 15.0 to 16.0 in all the reg locations then it should work for 2016. Just haven’t the time at the moment to keep the gpo up to date, sorry.

        Like

      2. Mitch, all I did was change the version number in the template anywhere it said 15 to 16 just like Mark stated. If you still have issues let me know and I’ll be more than happy to help.

        Like

  6. Hi Mark,
    I updated the admx and adml files to use for 16.0 instead of 15.0 by doing a simple search/replace. I put the the files in the sysvol policies folder and fired up GPMC. I found the settings for User in a new GPO and set two options. I used the Group policy results after logging in test user on a single isolated computer in an OU where I had no other GPO linked except for this one. the results show that the settings were correctly applied. One of them was to autostart SFB. I relogged in with the same user (and I know SFB is installed and the user account info is correctly entered), but no auto start.
    In the SFB options I can of course manually check the start with windows logon option and it works, but the policy did not seem to configure that.
    Any suggestions?

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s