This week my post is a few days later than usual, as it is an extension of my session at the Workplace Ninja Virtual Summit 2020. At the virtual summit I did a session about Getting to know the Windows 10 MDM WMI Bridge provider, and during that session I shared how to easily work with the Windows 10 MDM Bridge WMI provider. Similar to using Microsoft Intune to address the different CSPs, we can also use PowerShell via the WMI bridge.
The main thing that I showed at the end of that session was a setting template, basically a PowerShell function, that can be used to set, adjust and remove nearly all settings via the MDM WMI Bridge provider. That PowerShell script is available below, and I've completely documented its use, its parameters and what exactly it does.
Gist: https://gist.github.com/pvanderwoude/9f81a96fef6ffe6622106db2c995ce5c
An example of using this function to hide the app list in Start can be found below.
Update-PolicySetting -className 'MDM_Policy_Config01_Start02' -parentID './Vendor/MSFT/Policy/Config' -instanceID 'Start' -configureProperty 'HideAppList' -valueProperty 1
As mentioned during my session, the required parameters can mainly be found by browsing WMI with the WMI Explorer. The name of the instance is the node of the OMA-URI that contains the required configuration, in this case Start. When you can't find the required information, you can always refer to the documentation that's shared below.
Figure 2: Getting the information via the WMI Explorer
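The following is an added example, not the function from the gist and not code from the original post. It shows how the same four values (class name, ParentID, InstanceID and property) map onto the standard CIM cmdlets, including a read-back to verify what the provider stored. The helper name Set-BridgeSetting and its parameter names are hypothetical, and it assumes an elevated session running in the local system context, which the bridge requires for device settings.

```powershell
# Added example (hypothetical helper, not the author's Update-PolicySetting).
# Assumption: executed as SYSTEM on Windows 10; device-scoped classes in this
# namespace are not usable from a normal user or administrator session.
function Set-BridgeSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ClassName,   # e.g. MDM_Policy_Config01_Start02
        [Parameter(Mandatory)][string]$ParentID,    # e.g. ./Vendor/MSFT/Policy/Config
        [Parameter(Mandatory)][string]$InstanceID,  # OMA-URI node, e.g. Start
        [Parameter(Mandatory)][string]$Property,    # setting name, e.g. HideAppList
        [Parameter(Mandatory)]$Value
    )
    $namespace = 'root\cimv2\mdm\dmmap'
    # ParentID plus InstanceID identify the instance (values must not contain quotes).
    $filter = "ParentID='$ParentID' and InstanceID='$InstanceID'"

    # No result means nothing in this class has been configured yet.
    $instance = Get-CimInstance -Namespace $namespace -ClassName $ClassName `
        -Filter $filter -ErrorAction Stop

    if ($null -eq $instance) {
        if ($PSCmdlet.ShouldProcess("$ClassName ($InstanceID)", "Create with $Property = $Value")) {
            # First configuration: create the instance with its keys and the setting.
            $properties = @{ ParentID = $ParentID; InstanceID = $InstanceID; $Property = $Value }
            New-CimInstance -Namespace $namespace -ClassName $ClassName `
                -Property $properties -ErrorAction Stop | Out-Null
        }
    }
    elseif ($PSCmdlet.ShouldProcess("$ClassName ($InstanceID)", "Set $Property = $Value")) {
        # Already configured: change only the requested property and write it back.
        $instance.$Property = $Value
        Set-CimInstance -CimInstance $instance -ErrorAction Stop
    }

    # Read back what the provider reports so the change can be verified.
    Get-CimInstance -Namespace $namespace -ClassName $ClassName -Filter $filter |
        Select-Object -Property @('InstanceID', $Property)
}

# Same setting as the example above: hide the app list in Start.
Set-BridgeSetting -ClassName 'MDM_Policy_Config01_Start02' `
    -ParentID './Vendor/MSFT/Policy/Config' -InstanceID 'Start' `
    -Property 'HideAppList' -Value 1
```

Adding -WhatIf to the call shows which branch would run without changing the device.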
More information
During my sessions I showed many references to posts that describe the subjects that I covered. For future reference, those posts are summarized below.
Nice and inspirational work sir.
Quick question re Autoplay policies if you don't mind. I get "A general error occurred that is not covered by a more specific error code" for the below. Any advice?
Update-PolicySetting -className 'MDM_Policy_Config01_Autoplay02' -parentID './Vendor/MSFT/Policy/Config' -instanceID 'Autoplay' -configureProperty 'SetDefaultAutoRunBehavior' -valueProperty 'disabled'
On the other hand, the "Update-PolicySetting -className "MDM_Policy_Config01_Settings02" -parentID './Vendor/MSFT/Policy/Config' -instanceID "Settings" -configureProperty "AllowAutoPlay" -valueProperty 1 -Verbose" works. Obscurely different classes, but still, the approach is the same.
The former is an ADMX-backed policy, but I would assume it ships with Windows 10 by default, no need to inject anything, is it?
Thanks!
Hi Aleksandr,
Did you verify if the actual value that you should configure matches with what you're trying to configure (you can peek at the Result class)?
Regards, Peter
Well, after setting the former, and running the: Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_Policy_Config01_Settings02", I get the below. So it works the way I see it.
AllowAutoPlay : 1
AllowDataSense :
AllowDateTime :
AllowEditDeviceName :
AllowLanguage :
AllowOnlineTips :
AllowPowerSleep :
AllowRegion :
AllowSignInOptions :
AllowVPN :
AllowWorkplace :
AllowYourAccount :
InstanceID : Settings
PageVisibilityList :
ParentID : ./Vendor/MSFT/Policy/Config
PSComputerName :
Whereas for "Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_Policy_Config01_Autoplay02"" I get empty results, which is expected, as it wasn't set in the first place.
I think the ADMX-backed policy needs XML input and etc, which I can’t grasp at this stage with my tired brain alas.
Thank you
Ah, check, now I understand what you’re looking for. To disable the setting you can use the following value ‘]]>’.
Regards, Peter
Hi Peter,
Sorry, not sure I follow, sir. Possibly some escape character here?
Thanks!
Thank you, Aleksandr, my comment got all messed up indeed. In that case have a look at the example here: https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies#admx-backed-policy-examples.
Have a look at the request SyncML example of disabling an ADMX-backed policy and specifically the data element. You need everything of that element.
Regards, Peter
Hi Peter,
I know this is an old post, but I wonder if you could advise how to set (in essence override, at least temporarily) the RemovableDrivesRequireEncryption BitLocker CSP (className 'MDM_BitLocker') to a disabled state?
Thanks!
Hi AZ,
When the setting is available via the MDM Bridge, you should be able to use this to configure the setting.
Regards, Peter