Localize ADMX Group Policy strings via Touchdown#40515
Open
benhillis wants to merge 1 commit into
Open
Conversation
benhillis
force-pushed
the
user/benhill/admx-localization
branch
from
35b9762 to
5c33c86
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Integrates WSL’s ADMX/ADML Group Policy strings into the Touchdown localization pipeline so that translated .adml files are generated nightly and validated alongside existing .resw localization assets.
Changes:
- Adds an
en-USADML baseline and wires it into the nightly Touchdown localization pipeline output mapping. - Extends
validate-localization.pyto validate ADML locked-token invariants and string-id parity across locales, and updates CI invocation accordingly. - Updates the auto-PR creation script to stage newly created files (e.g., first-time
intune/<locale>/WSL.admloutputs) before committing.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
tools/devops/validate-localization.py |
Adds ADML parsing + validation and updates CLI/argv handling to accept an ADML folder parameter. |
tools/devops/create-change.py |
Stages all changes (including untracked files) before committing so new localized outputs aren’t dropped. |
intune/en-US/WSL.adml |
Introduces the en-US ADML baseline with {Locked="..."} annotations for translators. |
.pipelines/wsl-build-nightly-localization.yml |
Adds the ADML baseline to Touchdown inputs and output mapping into intune/<locale>/. |
.pipelines/build-stage.yml |
Passes the ADML folder to localization validation in CI. |
benhillis
force-pushed
the
user/benhill/admx-localization
branch
from
5c33c86 to
e1cdb1a
Compare
benhillis
force-pushed
the
user/benhill/admx-localization
branch
from
e1cdb1a to
88b8b6b
Compare
benhillis
force-pushed
the
user/benhill/admx-localization
branch
from
88b8b6b to
8287582
Compare
OneBlue
reviewed
May 12, 2026
Add the WSL ADMX policy strings to the nightly Touchdown localization
pipeline so translated .adml files are produced for every locale already
covered by Resources.resw. Translated files land at
intune/<locale>/WSL.adml, matching the Group Policy on-disk layout (the
language-neutral WSL.admx stays at intune/WSL.admx).
Changes:
* intune/en-US/WSL.adml: new baseline ADML file. Each translatable
string is annotated with {Locked="..."} XML comments so translators
preserve product names (Windows Subsystem for Linux, WSL, WSL1, WSL2,
Store WSL), .wslconfig keys (wsl2.kernel, wsl2.systemDistro,
wsl2.kernelCommandLine, wsl2.nestedVirtualization,
wsl2.kernelDebugPort, wsl2.networkingmode, wsl2.firewall), command
names (wsl.exe, debug-shell, mount), networking-mode enum values
(None, NAT, Mirrored, VirtioProxy), and the policy state literal
Disabled.
* .pipelines/wsl-build-nightly-localization.yml: add intune/en-US/WSL.adml
to the trigger paths and to the TouchdownBuildTask resourceFilePath
block. The combined ';O:intune\' mapping puts translated files at
intune/<locale>/WSL.adml.
* tools/devops/validate-localization.py: add validate_adml() which
enforces the same locked-token invariant as .resw (every {Locked="X"}
token must appear verbatim in its target string value), validates
that translated locales have the same string ids as the en-US
baseline, and is parameterized by the ADML folder name. The argv
shortcut used in CI to avoid a pip install dependency on click now
accepts both 3 args (back-compat) and 4 args (with explicit ADML
folder).
* .pipelines/build-stage.yml: pass 'intune' explicitly to
validate-localization.py so the validation invocation reads
'localization/strings en-US intune' -- both folders visible at the
call site, consistent with the rest of the script's parameterization.
* tools/devops/create-change.py: include untracked files in the
'Changed files:' report and stage them with 'git add -A' (via
repo.git.add(A=True)) before commit. Without this, Touchdown's
first-time ADML outputs land as untracked files in newly created
intune/<locale>/ directories and are silently dropped by 'git commit
-a', which only stages modifications and deletions of already-tracked
files. Confirmed against ADO build 146781281: Touchdown returned
WSL.adml translations for 20 locales and saved them on disk, but the
resulting auto-PR (#40511) contained only the resw modifications.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
benhillis
force-pushed
the
user/benhill/admx-localization
branch
from
8287582 to
7e8c14a
Compare
JohnMcPMS
approved these changes
May 13, 2026
Member
JohnMcPMS
left a comment
JohnMcPMS
left a comment
There was a problem hiding this comment.
My python isn't great but it seems like it should work generally if it is running now.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds the WSL ADMX policy strings to the nightly Touchdown localization pipeline so translated
.admlfiles are produced for every locale already covered byResources.resw. Translated files land atintune/<locale>/WSL.adml, matching the Group Policy on-disk layout (the language-neutralWSL.admxstays atintune/WSL.admx).Changes
intune/en-US/WSL.adml— new baseline ADML file. Each translatable string is annotated with{Locked="..."}XML comments so translators preserve product names (Windows Subsystem for Linux, WSL, WSL1, WSL2, Store WSL),.wslconfigkeys (wsl2.kernel,wsl2.systemDistro,wsl2.kernelCommandLine,wsl2.nestedVirtualization,wsl2.kernelDebugPort,wsl2.networkingMode,wsl2.firewall), command names (wsl.exe,debug-shell,mount), networking-mode enum values (None,NAT,Mirrored,VirtioProxy), and the policy state literalDisabled..pipelines/wsl-build-nightly-localization.yml— addsintune/en-US/WSL.admlto the trigger paths and to theTouchdownBuildTaskresourceFilePathblock. The combined;O:intune\mapping puts translated files atintune/<locale>/WSL.adml.tools/devops/validate-localization.py— addsvalidate_adml()enforcing the same locked-token invariant as.resw(every{Locked="X"}token must appear verbatim in its target string value), id parity for both<stringTable>and<presentationTable>between baseline and translated files, and a<!-- ... -->based comment scan for locked tokens (since ElementTree drops comments). All CLI args are now--optionform with module-level defaults (RESOURCE_FOLDER,BASELINE_LANGUAGE='en-US',ADML_FOLDER='intune'); the CI fast path runs zero-arg with nopip install clickdependency. Local overrides use the click flag form..pipelines/build-stage.yml— invokes the validator with no args (waslocalization/strings en-US); the script now sources both folders and the baseline language from its module-level defaults.tools/devops/create-change.py— includes untracked files in theChanged files:report and stages them withgit add -A(viarepo.git.add(A=True)) before commit. Without this, Touchdown's first-time ADML outputs would land as untracked files in newly createdintune/<locale>/directories and be silently dropped bygit commit -a, which only stages modifications and deletions of already-tracked files.Verification
Manually queued
wsl-github-localizationagainst this branch (ADO build146781281). Touchdown returnedWSL.admltranslations for 20 locales (cs-CZ, da-DK, de-DE, en-GB, es-ES, fi-FI, fr-FR, hu-HU, it-IT, ja-JP, ko-KR, nb-NO, nl-NL, pl-PL, pt-BR, pt-PT, ru-RU, sv-SE, tr-TR, zh-CN, zh-TW) and saved them to disk atintune/<locale>/WSL.adml. A subsequent run with thecreate-change.pyfix in this branch will produce a follow-up auto-PR containing those.admlfiles alongside the usual.reswupdates. Validator was sanity-tested zero-arg under both Windows and WSL Linux (case-sensitive FS): 22 resw locales + ADML baseline pass; injecting bogus locked tokens or removing strings/presentations from a fake locale correctly fails with exit 1.Note: depends on no other PR. The unrelated nightly-pipeline target-branch fix that surfaced during this debugging is in #40510.