
Issue 638560


Issue metadata

Status: Verified
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Feature




Generate ADMX template for device policy.

Project Member Reported by tnagel@chromium.org, Aug 17 2016

Issue description

Lutz, have a look at the policy_templates build target to see how template generation is being done.
 

Comment 1 by tnagel@chromium.org, Aug 17 2016

Labels: Enterprise-Triaged

Comment 2 by tnagel@chromium.org, Aug 19 2016

Labels: Type-Feature
Status: Started (was: Assigned)
Labels: M-56

Comment 5 by tnagel@chromium.org, Nov 21 2016

Labels: TT

Comment 6 by tnagel@chromium.org, Nov 21 2016

Labels: -M-56 M-57

Comment 7 by tnagel@chromium.org, Nov 21 2016

Labels: -TT V1

Comment 8 by tnagel@chromium.org, Dec 19 2016

What's the status of this issue?
I'm working on finishing this up right now. Implementation complete, testing changes.

Comment 10 by bugdroid1@chromium.org, Jan 4 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/38770411485aa61750a9eaa8ced44880bbe9adad

commit 38770411485aa61750a9eaa8ced44880bbe9adad
Author: Lutz Justen <ljusten@chromium.org>
Date: Mon Jan 02 11:21:29 2017

authpolicy: Use ChromeOS specific policy keys

ADMX templates for Chromad (chromebook-to-windows logon) use different
registry keys in their ADMX templates, so that policies don't interfere
with Chrome policies for Windows clients.

BUG= chromium:638560 
TEST=Works with new ADMX templates, other keys are ignored as they should.

Change-Id: Iba5832e3da26b714bd11f6ba5344c4561d47a106
Reviewed-on: https://chromium-review.googlesource.com/422326
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/38770411485aa61750a9eaa8ced44880bbe9adad/authpolicy/policy/policy_encoder_helper.cc

Labels: -M-57 M-58
Won't need this in M-57, we're generating templates from dev builds, so it can go in later.
Cc: mcandia@google.com
Labels: -Pri-2 -V1 Pri-1
mcandia reported that he's not seeing the wallpaper policy in the ADMX templates that he's using.  Is that expected?
It seems like this is expected. The policy is marked as 'external', which seems to mean that our cloud servers attach some data that a Windows admin would not be able to set easily. The ADMX writer ignores external policies:

if policy_type == 'external':
  # This type can only be set through cloud policy.
  return

For the wallpaper policy, the cloud server computes a SHA-256 hash of the wallpaper image, so that Chrome can verify if the image is actually the expected one. This is a security feature.

Right now, all 'external' policies are images + hashes. There are actually online tools available to compute SHA-256 hashes. I'm wondering whether an AD admin could just use these to compute the hashes and the 'external' flag could be waived.
Afaiu, the definition of "external" types is really just a hash and a URL. Any Windows admin could re-create them, it's just a little more work compared to using CPanel which does it automatically. Thus I think you're right and we should include "external" policies in our ADMX template.
Talked to bartfab@, who originally created the feature. He said it's fine to include them in ADMX.
This CL includes 'external' policies: https://codereview.chromium.org/2653823006/
Labels: -Pri-1 Pri-3
Labels: -Pri-3 -M-58 M-62 Pri-2
Labels: -Pri-2 Pri-1

Comment 20 by bugdroid1@chromium.org, Sep 20 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7a912ab95678117a84e94a33fb9e69da77d98f28

commit 7a912ab95678117a84e94a33fb9e69da77d98f28
Author: ljusten <ljusten@chromium.org>
Date: Wed Sep 20 15:01:49 2017

Generate ADMX template for Chrome OS policies

Generates an ADMX template to be used for editing policy on a
Windows AD server. The resulting GPOs can be fetched with the
authpolicy code written for the Chromad project (see Chromium
OS code base).

A single ADMX template is generated that contains both user and
device policy, using ADMX's CLASS attribute to distinguish the
two.

BUG= 638560 
TEST=Compiles and generates templates

Review-Url: https://chromiumcodereview.appspot.com/2481183002
Cr-Commit-Position: refs/heads/master@{#503142}

[modify] https://crrev.com/7a912ab95678117a84e94a33fb9e69da77d98f28/components/policy/BUILD.gn
[modify] https://crrev.com/7a912ab95678117a84e94a33fb9e69da77d98f28/components/policy/resources/policy_templates.gni
[modify] https://crrev.com/7a912ab95678117a84e94a33fb9e69da77d98f28/components/policy/resources/policy_templates.json
[modify] https://crrev.com/7a912ab95678117a84e94a33fb9e69da77d98f28/components/policy/tools/template_writers/template_formatter.py
[modify] https://crrev.com/7a912ab95678117a84e94a33fb9e69da77d98f28/components/policy/tools/template_writers/test_suite_all.py
[modify] https://crrev.com/7a912ab95678117a84e94a33fb9e69da77d98f28/components/policy/tools/template_writers/writer_configuration.py
[modify] https://crrev.com/7a912ab95678117a84e94a33fb9e69da77d98f28/components/policy/tools/template_writers/writers/adm_writer.py
[modify] https://crrev.com/7a912ab95678117a84e94a33fb9e69da77d98f28/components/policy/tools/template_writers/writers/adml_writer.py
[modify] https://crrev.com/7a912ab95678117a84e94a33fb9e69da77d98f28/components/policy/tools/template_writers/writers/adml_writer_unittest.py
[modify] https://crrev.com/7a912ab95678117a84e94a33fb9e69da77d98f28/components/policy/tools/template_writers/writers/admx_writer.py
[modify] https://crrev.com/7a912ab95678117a84e94a33fb9e69da77d98f28/components/policy/tools/template_writers/writers/admx_writer_unittest.py
[add] https://crrev.com/7a912ab95678117a84e94a33fb9e69da77d98f28/components/policy/tools/template_writers/writers/chromeos_adml_writer.py
[add] https://crrev.com/7a912ab95678117a84e94a33fb9e69da77d98f28/components/policy/tools/template_writers/writers/chromeos_adml_writer_unittest.py
[add] https://crrev.com/7a912ab95678117a84e94a33fb9e69da77d98f28/components/policy/tools/template_writers/writers/chromeos_admx_writer.py
[add] https://crrev.com/7a912ab95678117a84e94a33fb9e69da77d98f28/components/policy/tools/template_writers/writers/chromeos_admx_writer_unittest.py
[modify] https://crrev.com/7a912ab95678117a84e94a33fb9e69da77d98f28/components/policy/tools/template_writers/writers/doc_writer.py
[modify] https://crrev.com/7a912ab95678117a84e94a33fb9e69da77d98f28/components/policy/tools/template_writers/writers/doc_writer_unittest.py
[modify] https://crrev.com/7a912ab95678117a84e94a33fb9e69da77d98f28/components/policy/tools/template_writers/writers/reg_writer.py

Status: Fixed (was: Started)

Comment 22 by bugdroid1@chromium.org, Sep 21 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/46a334169f967102881de54282c993a33641e658

commit 46a334169f967102881de54282c993a33641e658
Author: ljusten <ljusten@chromium.org>
Date: Thu Sep 21 15:13:07 2017

Include 'external' policies in grit output (admx, adm, doc etc.)

External-type policies consist of a URL and a SHA-256 hash.
Right now, they can only be set through cloud policy, but not,
for instance, through Active Directory. This CL allows that.
Admins will have to calculate the SHA-256 hash of the URL
themselves, e.g. using some widely available tools, and then
specify the URL together with the hash as a JSON string.

{ "url": "<url>", "hash": "<SHA-256 hash>" }

Right now, all external-type policies are Chrome OS-only, so that
none of them shows up in ADMX templates, but this will change when
Chrome OS specific ADMX templates are generated, see
https://codereview.chromium.org/2481183002/.

BUG= 638560 
TEST=Compiled, ran tests, temporarily modified an external-type policy to
support all platforms, generated templates for all platforms, checked
output in text editor, loaded ADMX templates into Active Directory tools.

Review-Url: https://chromiumcodereview.appspot.com/2653823006
Cr-Commit-Position: refs/heads/master@{#503451}

[modify] https://crrev.com/46a334169f967102881de54282c993a33641e658/components/policy/tools/template_writers/writers/adm_writer.py
[modify] https://crrev.com/46a334169f967102881de54282c993a33641e658/components/policy/tools/template_writers/writers/adm_writer_unittest.py
[modify] https://crrev.com/46a334169f967102881de54282c993a33641e658/components/policy/tools/template_writers/writers/adml_writer.py
[modify] https://crrev.com/46a334169f967102881de54282c993a33641e658/components/policy/tools/template_writers/writers/adml_writer_unittest.py
[modify] https://crrev.com/46a334169f967102881de54282c993a33641e658/components/policy/tools/template_writers/writers/admx_writer.py
[modify] https://crrev.com/46a334169f967102881de54282c993a33641e658/components/policy/tools/template_writers/writers/admx_writer_unittest.py
[modify] https://crrev.com/46a334169f967102881de54282c993a33641e658/components/policy/tools/template_writers/writers/doc_writer.py
[modify] https://crrev.com/46a334169f967102881de54282c993a33641e658/components/policy/tools/template_writers/writers/doc_writer_unittest.py
[modify] https://crrev.com/46a334169f967102881de54282c993a33641e658/components/policy/tools/template_writers/writers/json_writer.py
[modify] https://crrev.com/46a334169f967102881de54282c993a33641e658/components/policy/tools/template_writers/writers/json_writer_unittest.py
[modify] https://crrev.com/46a334169f967102881de54282c993a33641e658/components/policy/tools/template_writers/writers/plist_strings_writer.py
[modify] https://crrev.com/46a334169f967102881de54282c993a33641e658/components/policy/tools/template_writers/writers/plist_writer.py
[modify] https://crrev.com/46a334169f967102881de54282c993a33641e658/components/policy/tools/template_writers/writers/plist_writer_unittest.py
[modify] https://crrev.com/46a334169f967102881de54282c993a33641e658/components/policy/tools/template_writers/writers/reg_writer.py
[modify] https://crrev.com/46a334169f967102881de54282c993a33641e658/components/policy/tools/template_writers/writers/reg_writer_unittest.py
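
Added example (not part of the original thread and not Chromium code): a sketch of how an admin could build the `{ "url": ..., "hash": ... }` string for an external-type policy, and of the integrity check that the hash enables on the downloaded data, as described in the wallpaper discussion above. The function names, the sample URL and bytes, and the choice of lowercase hex for the SHA-256 digest are assumptions.

```python
import hashlib
import hmac
import json
import re
from urllib.parse import urlparse

_HEX_SHA256 = re.compile(r"[0-9a-fA-F]{64}")  # assumption: digest is hex-encoded


def make_external_policy_value(url: str, payload: bytes) -> str:
    """Build the JSON string an admin would enter for an external-type policy."""
    if urlparse(url).scheme not in ("http", "https"):
        raise ValueError("url must be http(s)")
    # The digest covers the referenced data (e.g. the image bytes).
    return json.dumps({"url": url, "hash": hashlib.sha256(payload).hexdigest()})


def parse_external_policy_value(value: str) -> tuple[str, bytes]:
    """Return (url, expected digest bytes); reject malformed policy values."""
    try:
        obj = json.loads(value)
    except json.JSONDecodeError as exc:
        raise ValueError("policy value is not valid JSON") from exc
    if not isinstance(obj, dict) or "url" not in obj or "hash" not in obj:
        raise ValueError("policy value needs 'url' and 'hash'")
    url, digest = obj["url"], obj["hash"]
    if not isinstance(url, str) or urlparse(url).scheme not in ("http", "https"):
        raise ValueError("url must be an http(s) string")
    if not isinstance(digest, str) or not _HEX_SHA256.fullmatch(digest):
        raise ValueError("hash must be 64 hex characters")
    return url, bytes.fromhex(digest)


def payload_matches_policy(value: str, downloaded: bytes) -> bool:
    """True only if the downloaded bytes hash to the digest pinned in the policy."""
    _, expected = parse_external_policy_value(value)
    return hmac.compare_digest(hashlib.sha256(downloaded).digest(), expected)


# Constructed sample data, not a real image or a real server.
SAMPLE_URL = "https://files.example.com/wallpaper.jpg"
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0constructed-wallpaper-bytes"

if __name__ == "__main__":
    value = make_external_policy_value(SAMPLE_URL, SAMPLE_IMAGE)
    print(value)
    print(payload_matches_policy(value, SAMPLE_IMAGE))         # unchanged bytes
    print(payload_matches_policy(value, SAMPLE_IMAGE + b"x"))  # altered bytes
```

Because the digest is pinned in the policy value, replacing the file behind the URL without also updating the policy causes the check to fail.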

Status: Verified (was: Fixed)
Marked verified based on code review and test results.
