Easily configure Start via Windows 10 MDM

This blog post is about the ability to configure Start on Windows 10 devices. Mainly focused on Windows 10 Desktop devices. Before Windows 10, version 1703, it was already possible to configure the layout of Start by using the StartLayout setting. Windows 10, version 1703, introduces many, many more settings related to configuring Start via Windows 10 MDM. All of these settings are available via the existing Policy CSP. These new settings range from configuring settings available in the Settings panel until configuring settings related to the Power button and the user tile.

In this post I’ll go through almost all newly introduced settings and I’ll briefly show how to configure these settings by using Microsoft Intune hybrid and standalone. I’ll end this post by showing the effect of the configured settings for the end-user.

Available settings

As Windows 10, version 1703, introduced many new settings to manage Start, I thought it would be good to briefly go through these new settings. The root node for the Start related settings is, in the Policy CSP, ./Vendor/MSFT/Policy. The Start related settings are grouped below ./Vendor/MSFT/Policy/Config/Start and contains the following settings.

Setting Value Description
ForceStartSize 0 – Do not force
1 – Force non-fullscreen
2 – Force fullscreen
This setting allows the administrator to force the Start screen size
HideAppList* 0 – None
1 – Hide all app list
2 – Hide and disable
3 – Hide, remove and disable
This setting allows the administrator to configure Start by collapsing or removing the all app list.
HideChangeAccountSettings 0 – Do not hide
1 – Hide
This setting allows the administrator to configure Start by hiding the Change account settings option from the user tile.
HideFrequentlyUsedApps* 0 – Do not hide
1 – Hide
This setting allows the administrator to configure Start by hiding the the most used apps.
HideHibernate 0 – Do not hide
1 – Hide
This setting allows the administrator to configure Start by hiding the Hibernate option from the Power button.
HideLock 0 – Do not hide
1 – Hide
This setting allows the administrator to configure Start by hiding the Lock option from the user tile.
HidePowerButton* 0 – Do not hide
1 – Hide
This setting allows the administrator to configure Start by hiding the the Power button.
HideRecentJumplists* 0 – Do not hide
1 – Hide
This setting allows the administrator to configure Start by hiding the Recently used items option from the jumplists.
HideRecentlyAddedApps* 0 – Do not hide
1 – Hide
This setting allows the administrator to configure Start by hiding the recently added apps.
HideRestart 0 – Do not hide
1 – Hide
This setting allows the administrator to configure Start by hiding the Restart option from the Power button.
HideShutDown 0 – Do not hide
1 – Hide
This setting allows the administrator to configure Start by hiding the Shutdown option from the Power button.
HideSignOut 0 – Do not hide
1 – Hide
This setting allows the administrator to configure Start by hiding the Sign out option from the user tile.
HideSleep 0 – Do not hide
1 – Hide
This setting allows the administrator to configure Start by hiding the Sleep option from the Power button.
HideSwitchAccount 0 – Do not hide
1 – Hide
This setting allows the administrator to configure Start by hiding the Switch account option from the user tile.
HideUserTile* 0 – Do not hide
1 – Hide
This setting allows the administrator to configure Start by hiding the user tile.
NoPinningToTaskbar 0 – Pinning enabled
1 – Pinning disabled
This setting allows the administrator to configure the taskbar by hiding the option to pin and unpin apps on the taskbar.

*Setting requires restart to take effect.

Configure settings

After going through the available settings in the Start node, of the Policy CSP, let’s have a closer look at the configuration of those settings. These available settings can be used in Microsoft Intune hybrid and Microsoft Intune standalone, by using the configuration guidelines shown below.

Environment Configuration guidelines
Microsoft Intune hybrid

Start_IntuneHybridThe configuration in Microsoft Intune hybrid can be performed by starting the Create Configuration Item Wizard in the Configuration Manager administration console. Make sure to select Windows 8.1 and Windows 10 (below Settings for devices managed without the Configuration Manager client) on the General page and to select Windows 10 on the Supported Platforms page. Now select Configure additional settings that are not in the default setting groups on the Device Settings page and the configuration can begin by using the earlier mentioned OMA-URI settings.

Once the configurations are finished, the created configuration items can be added to a configuration baseline and can be deployed to Windows 10 devices.

Microsoft Intune standalone (Azure portal)

Start_IntuneStandAloneThe configuration in Microsoft Intune standalone, in the Azure portal, can be performed by creating a Device configuration. Create a new profile, or add a row to an existing custom profile. With a new profile, make sure to select Windows 10 and later as Platform and Custom as Profile type. In the Custom OMA-URI Settings blade, add the custom settings by using the earlier mentioned OMA-URI settings.

Once the configurations are finished, the profile can be saved and can be deployed to Windows 10 devices.

Effective settings

Let’s end this post with the end-user experience. However, I’ll do that a bit different as I usually do. I’ll do that by showing the settings, and options, that are affected by the available settings.

Start_SettingsThe first section of configurable settings are all related to settings in the Settings panel. More specifically, Settings > Personalization > Start. In this section the following settings can be configured (as shown in the screenshot):

  • HideAppList;
  • HideRecentlyAddedApps;
  • HideFrequentlyUsedApps:
  • ForceStartSize;
  • HideRecentJumpLists.

Note: I’ve had some issues with configuring the HideAppList setting.

Start_PowerButtonThe second section of configurable settings are all related to the Power button. I’ll show these settings, by showing the available options of the Power button and the related setting. In this section the following settings can be configured (as shown in the screenshot):

  • HideSleep:
  • HideHibernate;
  • HideShutdown;
  • HideRestart;
  • HidePowerButton.

Start_UserTileThe third section of configurable settings are all related to the user tile. I’ll show these settings, by showing the available options of the user tile and the related setting. In this section the following settings can be configured (as shown in the screenshot):

  • HideChangeAccountSettings;
  • HideLock;
  • HideSignOut;
  • HideSwitchAccount;
  • HideUserTile.

More information

For more information about the Policy CSP, please refer to this article about the Policy CSP.

Share

Easily configure desktop and lock screen image via Windows 10 MDM

This blog post uses the Personalization configuration service provider (CSP) to manage the desktop and lock screen image on Windows 10 devices. This CSP was added in Windows 10, version 1703, which is currently available as Insider Preview build.

This blog post is about the ability to easily configure separate images for the desktop and the lock screen on Windows 10 devices. Before Windows 10, version 1703, this was possible by using an MSI or by using the EnforceLockScreenAndLogonImage setting. However, the latter setting was only able to configure the lock screen image and not the desktop image. Windows 10, version 1703, introduces the Personalization CSP, which enables the administrator to manage the desktop and lock screen image. In this post I’ll briefly go through the available settings in the Personalization CSP and I’ll show how to configure the desktop and lock screen image via Microsoft Intune hybrid and Microsoft Intune standalone. I’ll end this post by showing the end-user experience.

Configuration

Now let’s start with the configuration. Like last week I’ll split the configuration in two sections. The first section is about the available settings in the Personalization CSP and the second section is about the configuration of the desktop and lock screen image.

Available settings

As the Personalization CSP is new in Windows 10, version 1703, I thought it would be good to briefly go through the available settings. The root node for the Personalization CSP is ./Vendor/MSFT/Personalization and it contains the following settings.

Setting Description
DesktopImageUrl This setting allows the administrator to specify an image to be used as desktop image.
DesktopImageStatus This setting allows the administrator to query the status of the desktop image.
LockScreenImageUrl This setting allows the administrator to specify an image to be used as lock screen image. 
LockScreenImageStatus This setting allows the administrator to query the status of the lock screen image.

Configure settings

After going through the available settings in the Personalization CSP, it’s good to know that only the DesktopImageUrl and the LockScreenImageUrl are configurable settings. The other two settings can only be used to query the status. To configure the desktop and lock screen image, the following OMA-URI configurations can be used (in both cases the data type and value are the same):

  • OMA-URI – Desktop image: ./Vendor/MSFT/Personalization/DesktopImageUrl
  • OMA-URI – Lock screen image: ./Vendor/MSFT/Personalization/LockScreenImageUrl
  • Data type: String
  • Value: [<PATH>\<FILE>]
    • In this value <PATH> can be a http(s) url, or a file url;
    • In this value <FILE> can be a jpg, jpeg or png image.

This configuration information can be used in Microsoft Intune hybrid and Microsoft Intune standalone, by using the configuration guidelines shown below.

Environment Configuration guidelines
Microsoft Intune hybrid

Personalization_IntuneHybridThe configuration in Microsoft Intune hybrid can be performed by starting the Create Configuration Item Wizard in the Configuration Manager administration console. Make sure to select Windows 8.1 and Windows 10 (below Settings for devices managed without the Configuration Manager client) on the General page and to select Windows 10 on the Supported Platforms page. Now select Configure additional settings that are not in the default setting groups on the Device Settings page and the configuration can begin by using the earlier mentioned OMA-URI settings.

Once the configurations are finished, the created configuration items can be added to a configuration baseline and can be deployed to Windows 10 devices.

Microsoft Intune standalone (Azure portal)

Personalization_IntuneStandaloneThe configuration in Microsoft Intune standalone, in the Azure portal, can be performed by creating a Device configuration. Create a new profile, or add a row to an existing custom profile. With a new profile, make sure to select Windows 10 and later as Platform and Custom as Profile type. In the Custom OMA-URI Settings blade, add the custom settings by using the earlier mentioned OMA-URI settings.

Once the configurations are finished, the profile can be saved and can be deployed to Windows 10 devices.

End-user experience

As usual, let’s end this post with the end-user experience. Before really going to the end-user experience, it’s good to show an easy method to verify the configuration. The configuration can be verified In the registry, at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP. At this location it shows the url and the status of the desktop and lock screen image. Even better, it also show the local path of both images. In other words, whether the image is local, or remote, it will always be cached and used from a local location, as shown below.

Registry_Personalization

The real end-user experience is, of course, not in the registry. The real en-user experience can be easily found when logging on to the configured Windows 10 device. The desktop image will be configured, as shown below on the right, and the lock screen image will be configured, as shown below on the left.

LogonScreen_Example Desktop_Example

More information

For more information about the Personalization CSP, please refer to this article about the Personalization CSP.

Share

Offboard Windows 10 devices of Windows Defender Advanced Threat Protection

This week a follow-up on my post of last week. Last week was about onboarding Windows 10 devices for Windows Defender Advanced Threat Protection (ATP) and this week will be about offboarding Windows 10 devices of Windows Defender ATP. For devices that are leaving the company, for whatever reason, it’s good to first offboard those devices of Windows Defender ATP. That will remove the Windows Defender ATP settings from the device and the device will stop collecting and sending data. In this post I’ll show how to offboard Windows 10 devices, via Configuration Manager and Microsoft Intune, and I’ll show the end result. The steps in this post will be similar to the steps in the post of last week.

Configuration

Just like last week, there are multiple methods available to offboard Windows 10 devices of Windows Defender ATP. Those methods are Group Policy, Configuration Manager, mobile device management (including Microsoft Intune) and a local script. I’ll have a closer look at the configurations for offboarding Windows 10 devices via Configuration Manager and Microsoft Intune.

Create offboarding configuration file

Before starting with the configuration, it’s required to create an offboarding configuration file. The process for this is fairly simple and straightforward. Logon to the Windows Defender Security Center and select Endpoint Management. Now select Endpoint offboarding, select the configuration method and download the required file, as shown below. After selecting download, an additional confirmation message will show, mentioning the expiration date of the offboarding package. For security reasons an offboarding package will always expire after 30 days.

System Center Configuration Manager Mobile Device Management
WDATP_SCCM_Offboarding WDATP_MDM_Offboarding

Configure endpoints using Configuration Manager

The first configuration method that I would like to show is using Configuration Manager, by creating and deploying a Windows Defender ATP Policy.  This configuration method is only supported on Windows 10 devices, version 1607 and later, running the Configuration Manager client. On-premises mobile device management and Microsoft Intune hybrid MDM-managed computers are not supported. The following 6 steps show how to create the Windows Defender ATP Policy. After that, simply deploy the created policy.

1 Open the Configuration Manager administration console and navigate to Assets and Compliance > Overview > Endpoint Protection > Windows Defender ATP Policies;
2 On the Home tab, in the Create group, click Create Windows Defender ATP Policy to open the Create Windows Defender ATP Policy Wizard;
3

CWDATPPW_General_OffOn the General page, provide the following information and click Next;

  • Name: Provide a unique name for the Windows Defender ATP policy;
  • Description: (Optional) Provide a description about the Windows Defender ATP policy;
  • Select Offboarding – Remove devices from the online service (for example, when the device is no longer managed).
4

CWDATPPW_ConfigFile_OffOn the Configuration File page, Browse to the WindowsDefenderATP.offboarding file that is available in the downloaded WindowsDefenderATPOffboardingPackage.zip file and click Next;

Note: The default name of the offboarding package, also contains the expiration date of the offboarding package.

5 On the Summary page, click Next;
6 On the Completion page, click Close.

Note: Make sure that a device is not targeted with an onboarding and offboarding configuration at the same time. This might cause unpredictable behavior.

Configure endpoints using Microsoft Intune

The second configuration method that I would like to show is using Microsoft Intune hybrid and Microsoft Intune standalone, Windows Defender ATP supports Microsoft Intune by providing OMA-URI settings to create policies to manage endpoints. To achieve this the following OMA-URI configuration can be used:

  • OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding
  • Date type: String
  • Value: [Content of the WindowsDefenderATP.offboarding file that is available in the downloaded WindowsDefenderATPOffboardingPackage_valid_until_yyyy-mm-dd.zip file]

Just to make sure that it’s absolutely clear, the value, of the OMA-URI configuration, is literally a copy-paste action of the content available in the WindowsDefenderATP.offboarding file. This information can be used in Microsoft Intune hybrid and Microsoft Intune standalone, by using the configuration guidelines shown below.

Environment Configuration guidelines
Microsoft Intune hybrid

CI_WindowsATP_OffboardingThe configuration in Microsoft Intune hybrid can be performed by starting the Create Configuration Item Wizard in the Configuration Manager administration console. Make sure to select Windows 8.1 and Windows 10 (below Settings for devices managed without the Configuration Manager client) on the General page and to select Windows 10 on the Supported Platforms page. Now select Configure additional settings that are not in the default setting groups on the Device Settings page and the configuration can begin by using the earlier mentioned OMA-URI settings.

CIRule_WindowsATP_OffboardingIn this case, I also provide a screenshot of the configured rule. Again to make absolutely sure that it’s a lot of characters that the rule should comply to.

Once the configurations are finished, the created configuration items can be added to a configuration baseline and can be deployed to Windows 10 devices.

Microsoft Intune standalone

CP_WindowsATP_OffboardingThe configuration in Microsoft Intune standalone can be performed by starting the Create Policy for Custom Configuration (Windows 10 Desktop and Mobile and later) in the Microsoft Intune administration console. Navigate to the OMA-URI Settings section and the custom settings can be added by using the earlier mentioned OMA-URI settings.

Once the configurations are finished, the policy can be saved and can be deployed to Windows 10 devices.

Note: Make sure that a device is not targeted with an onboarding and offboarding configuration at the same time. This might cause unpredictable behavior.

End result

Let’s end this blog post by having a look at the end result. I’ll do that by showing that a successful offboarding can be verified in the registry of the Windows 10 device, as shown below. The OnboardingState should be set to 0.

WDATP_Registry_Offboarding

More information

For more information about Windows Defender ATP and the offboarding, please refer to the following articles:

Share

Onboard Windows 10 devices for Windows Defender Advanced Threat Protection

This week a blog post about onboarding Windows 10 devices for Windows Defender Advanced Threat Protection (ATP). Windows Defender ATP is a relatively new service that will help enterprises to detect, investigate, and respond to advanced attacks on their networks. In this post I’ll show how to onboard Windows 10 devices, via Configuration Manager and Microsoft Intune, and I’ll show the end result in the Windows Defender Security Center and the Configuration Manager administration console.

Configuration

There are multiple methods available to onboard Windows 10 devices for Windows Defender ATP, Group Policy, Configuration Manager, mobile device management (including Microsoft Intune) and a local script. I’ll have a closer look at the configurations for onboarding Windows 10 devices via Configuration Manager and Microsoft Intune.

Create onboarding configuration file

Before starting with the configuration, it’s required to create an onboarding configuration file. The process for this is fairly simple and straightforward. Logon to the Windows Defender Security Center and select Endpoint Management. Now simply select the configuration method and download the required file, as shown below.

System Center Configuration Manager Mobile Device Management
WDATP_SCCM_Enrollment WDATP_MDM_Enrollment

Configure endpoints using Configuration Manager

The first configuration method that I would like to show is using Configuration Manager, by creating and deploying a Windows Defender ATP Policy. By adding and deploying a client onboarding configuration file, via the Windows Defender ATP Policy, Configuration Manager can monitor the deployment status and the  Windows Defender ATP agent health. Windows Defender ATP is only supported on Windows 10 devices, version 1607 and later, running the Configuration Manager client. On-premises mobile device management and Microsoft Intune hybrid MDM-managed computers are not supported. The following 7 steps show how to create the Windows Defender ATP Policy. After that, simply deploy the created policy.

1 Open the Configuration Manager administration console and navigate to Assets and Compliance > Overview > Endpoint Protection > Windows Defender ATP Policies;
2 On the Home tab, in the Create group, click Create Windows Defender ATP Policy to open the Create Windows Defender ATP Policy Wizard;
3

CWDATPPW_GeneralOn the General page, provide the following information and click Next;

  • Name: Provide a unique name for the Windows Defender ATP policy;
  • Description: (Optional) Provide a description about the Windows Defender ATP policy;
  • Select Onboarding – Add devices to the online service and start sending threat data for analysis.
4

CWDATPPW_ConfigFileOn the Configuration File page, Browse to the WindowsDefenderATP.onboarding file that is available in the downloaded WindowsDefenderATPOnboardingPackage.zip file and click Next;

5

CWDATPPW_AgentConfigOn the Agent Configuration page, select, depending on the requirements, None or All the file types and click Next;

6 On the Summary page, click Next;
7 On the Completion page, click Close.

Configure endpoints using Microsoft Intune

The second configuration method that I would like to show is using Microsoft Intune hybrid and Microsoft Intune standalone, Windows Defender ATP supports Microsoft Intune by providing OMA-URI settings to create policies to manage endpoints. To achieve this the following OMA-URI configuration can be used:

  • OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding
  • Date type: String
  • Value: [Content of the WindowsDefenderATP.onboarding file that is available in the downloaded WindowsDefenderATPOnboardingPackage.zip file]

Just to make sure that it’s absolutely clear, the value, of the OMA-URI configuration, is literally a copy-paste action of the content available in the WindowsDefenderATP.onboarding file. This information can be used in Microsoft Intune hybrid and Microsoft Intune standalone, by using the configuration guidelines shown below.

Environment Configuration guidelines
Microsoft Intune hybrid

CI_WindowsATP_OnboardingThe configuration in Microsoft Intune hybrid can be performed by starting the Create Configuration Item Wizard in the Configuration Manager administration console. Make sure to select Windows 8.1 and Windows 10 (below Settings for devices managed without the Configuration Manager client) on the General page and to select Windows 10 on the Supported Platforms page. Now select Configure additional settings that are not in the default setting groups on the Device Settings page and the configuration can begin by using the earlier mentioned OMA-URI settings.

CIRule_WindowsATP_OnboardingIn this case, I also provide a screenshot of the configured rule. Again to make absolutely sure that it’s a lot of characters that the rule should comply to.

Once the configuration are finished, the created configuration items can be added to a configuration baseline and can be deployed to Windows 10 devices.

Microsoft Intune standalone

CP_WindowsATP_OnboardingThe configuration in Microsoft Intune standalone can be performed by starting the Create Policy for Custom Configuration (Windows 10 Desktop and Mobile and later) in the Microsoft Intune administration console. Navigate to the OMA-URI Settings section and the custom settings can be added by using the earlier mentioned OMA-URI settings.

Once the configurations are finished, the policy can be saved and can be deployed to Windows 10 devices.

End result

Let’s end this blog post by having a look at the end result. I’ll do that by providing a status view from the Windows Defender Security Center. Before doing that, it’s good to mention that a successful onboarding can be verified in the registry of the Windows 10 device, as shown below.

WDATP_Registry

Once the onboarding is successful for the Windows 10 devices, the information about those devices will start flowing to the Windows Defender Security Center. The Machines section in the Windows Defender Security Center will provide an overview of those devices and their status, as shown below.

WDATP_Machines

To see more information about the Windows 10 devices, click on a device and it will show a Machines view about the selected device. This view contains information about the logged on users, the reporting status, the alerts and the machine timeline. To get information in the Alerts section, I’ve simply created an EICAR test file, as shown below. This also enables me to select the alert and get more information about the alert, see the process tree and see the incident graph.

WDATP_Alerts

From a Configuration Manager perspective, I’ve saved the coolest information until the end. Windows 10 devices managed with the Configuration Manager client and successfully onboarded with the Windows Defender ATP Policy will also report information to Configuration Manager. This information can be viewed via additional columns in normal device views and collections. Even better, it will also show agent information in the Windows Defender ATP Status dashboard, as shown below.

WDATP_SCCM

Keep in mind that the Windows Defender ATP Status dashboard only shows information for Windows 10 devices managed with the Configuration Manager client and not for Windows 10 devices managed via MDM.

More information

For more information about Windows ATP and the onboarding, please refer to the following articles:

Share

Managing Windows 10 IoT Core devices via MDM

This week a new challenge for a new blog post, managing Windows 10 IoT Core devices. The nice thing about Windows 10, even Windows 10 IoT Core, is the availability of MDM. The availability of MDM is what will help me with managing Windows 10 IoT Core devices. In this post I’ll go through the steps to create an enrollment profile to enroll Windows 10 IoT Core devices in Microsoft Intune hybrid. I’ll end this post with an overview of the end result in Configuration Manager

Configuration

Let’s start by looking at the configuration in Configuration Manager. To create an enrollment profile, for Windows 10 IoT Core devices, it’s required to provide a certificate profile and it’s optionally to provide a Wi-Fi profile.

Create certificate profile

The required component of the enrollment profile is, as mentioned before, a certificate profile. The certificate profile is used to automatically provision a trusted root certificate to the enrolled device. As part of preparing for the certificate profile, export a root certificate.

1 Open the Configuration Manager administration console and navigate to Assets and Compliance > Compliance Settings > Company Resources > Certificate Profiles;
2 On the Home tab, in the Create group, click Create Certificate Profile to open the Create Certificate Profile Wizard;
3

CCPW_GeneralOn the General page, provide the following information and click Next;

  • Name: Provide a unique name for the certificate profile (max. 256 characters);
  • Description: (Optional) Provide a description about the certificate profile;
  • Select Trusted CA certificate.
4

CCP_TCACOn the Trusted CA Certificate page, provide the following information and click Next;

  • Browse to and select the Certificate file;
  • Select Computer certificate store – Root;
  • Certificate thumbprint will automatically populate.
5

CCPW_SPOn the Supported Platforms page, select Windows 10 and click Next;

Note: Windows 10 IoT Core doesn’t have it’s own platform option, which means that the generic Windows 10 should be used to make it applicable to all Windows 10 devices.

6 On the Summary page, click Next;
7 On the Completion page, click Close.

(Optional) Create Wi-Fi profile

The optional component of the enrollment profile is, as mentioned before, a Wi-Fi profile. In some scenarios this might be a required component, but it’s not required for the creation of an enrollment profile. Including a Wi-Fi profile in the enrollment profile can be useful when the Windows 10 IoT Core device needs the Wi-Fi profile for connecting with the Internet.

Create enrollment profile

After creating the required and optional components for the enrollment profile, it’s time to create the enrollment profile. The enrollment profile specifies settings that are required for the Windows 10 IoT Core device enrollment, including a certificate profile that will dynamically provision a trusted root certificate to the device and a Wi-Fi profile that will provision network settings if required.

1 Open the Configuration Manager administration console and navigate to Assets and Compliance > All Corporate-owned Devices > Windows > Enrollment Profile;
2 On the Home tab, in the Create group, click Create Enrollment Profile to open the Create Enrollment Profile wizard;
3

CEPW_GeneralOn the General page, provide the following information and click Next;

  • Name: Provide a unique name for the enrollment profile (max. 256 characters);
  • Description: (Optional) Provide a description about the enrollment profile;
  • Select as management authority Cloud.
4

CEPW_TrustedRootCertificateOn the Select Trusted Root Certificate page, select the earlier created certificate profile and click Next

5 On the Wi-Fi profiles page, optionally select the earlier created Wi-Fi profile and click Next;
6 On the Summary page, click Next;
7 On the Completion page, click Close.

Enrollment

After creating the enrollment profile and its required components, it’s time to look at delivering the enrollment profile to the Windows 10 IoT Core device. A Windows 10 IoT Core device doesn’t have the full-blown Windows 10 capabilities to perform a MDM enrollment. However, that doesn’t mean that they’re not capable. That’s were the enrollment package comes into the picture.

Export enrollment package

The first step in bringing the enrollment profile to the Windows 10 IoT Core device, is exporting the enrollment profile as an enrollment package.

1 Open the Configuration Manager administration console and navigate to Assets and Compliance > All Corporate-owned Devices > Windows > Enrollment Profile;
2 Select the earlier created enrollment profile and on the Home tab, in the Enrollment Profile group, click Export to open the Export Enrollment Package dialog box;
3

On the Export Enrollment Package dialog box, provide the following information and click Export;

  • EEP_GeneralValidity Period (days): Select the number of days that this package is valid;
  • Package File: Provide a unique name for the enrollment package;
  • Do not select the checkbox with Encrypt Package.
4 On the Export Enrollment Package dialog box, click OK;

Deploy enrollment package

The second step in bringing the enrollment profile to the Windows 10 IoT Core device, is copying the exported enrollment package to the Windows 10 IoT Core device. An alternative could be adding the enrollment package as a provisioning package to a Windows 10 IoT Core image.

1 Open File Explorer and remotely connect to the Windows 10 IoT Core device;
2 Copy the earlier created enrollment package to C:\Windows\Provisioning\Package;
3 Restart the Windows 10 IoT Core device.

End result

Now let’s end this post by looking at some of the information that will flow through the MDM channel into Configuration Manager. After restarting the Windows 10 IoT Core device it can take a couple of minutes before the device appears in Configuration Manager. The Windows 10 IoT Core device will show as a mobile device with the operating system IoTUAP (as shown below).

ConsoleOverview

After the first inventory of the Windows 10 IoT Core device, the information of the deivce will populate in the Resource Explorer. In my case, I used a Raspberry Pi 3 (as shown below on the left) and I installed a custom app (as shown below on the right).

RBP_DeviceInformation RBP_InstalledApps

The nice thing is that, as Windows 10 MDM is used in combination with Configuration Manager, I can extend the inventory (see the PTCLOUD entry above) and I can configure settings. For this I can use the available configuration service providers (CSP).

More information

For more about managing Windows 10 IoT Core devices and enrollment profiles (documentation for on-premises MDM), please refer to:

Share

Block and allow apps on Samsung KNOX devices

This week a blog post about the capabilities to block apps from starting and to allow apps to install on Samsung KNOX devices. I thought it would be good to mention these capabilities, as many are only familiar with the capability to work with compliant or noncompliant apps on Android. That capability can only be used for reporting functionalities. These capabilities are specifically for Samsung KNOX devices and can truly, and literally, block apps from starting. During this post I’ll go through the high-level steps to configure a blocked app and the end-user experience for both capabilities.

Information

Let’s start with some information about what can be achieved by using the block apps from starting and the allow apps to install capabilities. When using the block apps from starting capability, a list must be created of apps that are blocked from running on the device. Apps in this list are blocked from being run, even if they were already installed when the policy was applied. This list doesn’t prevent users from installing the apps. When using the the allow apps to install capability, a list must be created of apps that users of the device are allowed to install from the Google Play store. Only the apps in this list can be installed. No other apps can be installed from the store. This list doesn’t prevent users from starting the apps.

Configuration

Now let’s have a look at the high-level steps for these configuration. However, before I’m going to look at these steps, it’s good to mention that the configurations can be achieved by using OMA-URI settings. The following OMA-URI settings are available for these configurations:

  • To create a block apps from starting list, use the following OMA-URI: ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/PreventStartPackages
  • To create an allow apps to install list, use the following OMA-URI: ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/AllowInstallPackages

To find the value for these OMA-URI settings, the Google Play Store can be used. The app identifier that is used within the store, is what is needed to add a value to the block or allow lists. For example, when I’m looking at the OWA for Android app, in the store, the bold section, in the following URL, represents the required value: https://play.google.com/store/apps/details?id=com.microsoft.exchange.mowa&hl=en.

Now let’s have a look at how these two come together in the configurations for Microsoft Intune hybrid and Microsoft Intune standalone.

Environment Configuration
Microsoft Intune hybrid

PreventStartPackages_MSIhThe configuration in Microsoft Intune hybrid can be performed by starting the Create Configuration Item Wizard in the Configuration Manager administration console. Make sure to select Android and Samsung KNOW (below Settings for devices managed without the Configuration Manager client) on the General page and to select Android KNOX Samsung Standard 4.0 and higher on the Supported Platforms page. Now select Configure additional settings that are not in the default setting groups on the Device Settings page and the configuration can begin by using the earlier mentioned OMA-URI settings.

Once the configuration is finished the created configuration item can be added to a configuration baseline and can be deployed to Samsung KNOX devices.

Microsoft Intune standalone

PreventStartPackages_MSIsThe configuration in Microsoft Intune standalone can be performed by starting the Create Policy for Custom Configuration (Android 4.0 and later, Samsung KNOX Standard 4.0 and later) in the Microsoft Intune administration console. Navigate to the OMA-URI Settings section and the custom settings can be added.

Once the configuration is finished the policy can be saved and can be deployed to Samsung KNOX.

Note: When the block or allow lists must contain multiple apps, one of the following four characters ; : , | can be used as a delimiter.

End-user experience

Let’s end this blog post by having a look at the end-user experience. Below, on the left, is the end-user experience when the end-user starts an app that is blocked from starting. It’s indeed correct that it doesn’t show a screenshot. Reason behind that is because it actually lacks a real end-user experience. When the end-user tries to start a blocked app, the app won’t start and the end-user won’t get any notifications. Below, on the right, is the end-user experience when the end-user tries to install an app that is not allowed to install. The end-user will receive an error message accompanied by the message “Security policy prevents installation of this application”, which is a clear end-user experience.

Block app from starting Allow app to install
The app won’t start and the end-user won’t get a notification about what’s happening. Screenshot_20170122-125800

More information

Fore more information about blocking and allowing apps on Android devices, please refer to:

Share

Managing Windows Defender via Windows 10 MDM is getting easier and easier

This post is an updated version of a blog post that I did one-and-a-half year ago about managing Windows Defender, of Windows 10, via OMA-DM. As I still get questions about that post and the OMA-URI settings that are used in that post, I thought it would be good to mention that easier methods are available nowadays. Starting with Configuration Manager 1610 and the Microsoft Intune standalone update around March/ April 2016, it’s simply configurable through the console. No need anymore to configure all those OMA-URI settings manually.

Within this post I’ll provide a quick overview of the configuration options, followed by an overview of the end result. That end result will show how the configured settings simply translate to the known OMA-URI settings.

Configuration

Now let’s have a quick look at the required configurations for Microsoft Intune hybrid and Microsoft Intune standalone. I won’t provide a step-by-step guidance, but I will show were to find the settings and what to do with them.

Environment Configuration
Microsoft Intune hybrid

CCIW_WinDefThe configuration in Microsoft Intune hybrid can be performed by starting the Create Configuration Item Wizard in the Configuration Manager administration console. Make sure to select select Windows 8.1 and Windows 10 (below Settings for devices managed without the Configuration Manager client) on the General page. Now select Windows Defender on the Device Settings page and the configuration can begin.

Once the configuration is finished the created configuration item can be added to a configuration baseline and can be deployed to Windows 10 devices managed via the MDM channel.

Microsoft Intune standalone

WinDef_MSISThe configuration in Microsoft Intune standalone can be performed by starting the Create Policy for General Configuration (Windows 10 Desktop and Mobile and later) in the Microsoft Intune administration console. Navigate to the Endpoint Protection section and the Windows Defender settings will show.

Once the configuration is finished the policy can be saved and can be deployed to Windows 10 devices managed via the MDM channel.

Note: That these configuration options are available nowadays, doesn’t mean that it’s not possible anymore to create custom OMA-URI settings. That is still a valid method to configure these type of settings and changes to these types of settings will always be the first available via custom OMA-URI settings.

End result

Let’s finish this post by looking at the end result. I could do this by showing the Windows Defender section in the Settings panel on a Windows 10 device, but that will only show grayed out settings and the message Some settings are managed by your organization. I think it’s more interesting to link the created settings to the OMA-URI settings. A great place to look at that is the Deployments node in the Configuration Manager administration console. When I’m looking at the compliance state of the deployment, it will show the Setting Name and the related Instance (in this case the OMA-URI setting), as shown below.

WinDef_Compl

Like last week, I can use a combination of PSEXEC and my favorite WMI Explorer, to locate the created instance with the results of the created policies. As should be familiar by now, the Policy/Result node groups the evaluated policies from all available providers that can be configured. That’s the reason why the example below shows the MDM_Policy_Result01_Defender02 class instead of the MDM_Policy_Config01_Defender02 class. The first class relates to the Policy/Result node and the second class relates to the Policy/Config node.

MDM_Defender02

More information

Fore more information about the managing Windows Defender and the Policy CSP, please refer to:

Share

Windows 10 MDM and the MDM Bridge WMI Provider

This week another blog post about Windows 10 and OMA-DM, but this week will be short and different. Starting this week I won’t be referring to OMA-DM anymore, instead I’ll be referring to Windows 10 MDM. The main reason for that is change is to align with Microsoft. Also, it simply makes more sense. OMA-DM is the standards based protocol on which the Windows 10 MDM protocol is based. In other words, Windows 10 MDM is not exactly the same as the OMA-DM standards. Technically speaking it’s not wrong to refer to OMA-DM, but it simply makes more sense to refer to Windows 10 MDM.

That being said, this blog post will be different for another reason. This week I’ll try to bring Windows 10 MDM closer to the regular methods, by simply pointing out the existence of the MDM Bridge WMI Provider. This post is all about creating awareness.

MDM Bridge WMI Provider

One of the most heard comments about Windows 10 MDM is related to the lack of knowing what’s happening. Well, I can’t really take that away, maybe the newly introduced logging in 1607 can, but I can show how to see the changes of the Windows 10 MDM configurations.

The MDM Bridge WMI Provider is the bridge to the Windows 10 MDM capabilities. An easy method to see what’s happening is using a WMI Explorer, or something simple as Windows Management Instrumentation Tester (wbemtest). Simply connecting to the root\cimv2\mdm\dmmap namespace is similar to connecting to the MDM Bridge WMI Provider. The classes in this namespace all translate to a configuration service provider (CSP) of Windows 10 MDM. This makes it fairly easy to see what’s happening to the configurations done via Windows 10 MDM.

Below is an example of the MDM_Policy_Result01_Experience02 class, in which the AllowManualMDMUnenrollment instance property was changed during the enrollment of the device. That class and instance property relates to the configuration OMA-URI of ./Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment.

Before After
BeforeEnroll AfterEnroll

Knowing this immediately opens up another world. This enables everyone to get information through the MDM Bridge WMI Provider by simply using PowerShell. Looking at the previous example, I can simply use the following PowerShell command, as there is only one instance, to get the information as shown in the table below.

Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" ` -ClassName "MDM_Policy_Result01_Experience02"

Before After
BeforeEnroll_PS AfterEnroll_PS

This also means that the MDM Bridge WMI Provider can be used to trigger configuration changes through Windows 10 MDM. For now, I’ll leave that up to everyone’s imagination.

Important notes

There are a few important notes about the MDM Bridge WMI Provider that should be known and I’ll try to summarize them briefly:

  • Administrative permissions are required to connect with the MDM Bridge WMI Provider. Without those permissions there will be an access denied error when connecting to the MDM Bridge WMI Provider;
  • The local system context is required to view and adjust device settings. This can be achieved by using something like PsExec.exe;
  • Be aware that there is a difference between user settings and device settings. Specific user settings won’t show when connected in the system context and specific device settings won’t show when connected in the user context;
  • Be aware that my example mixed Config and Result properties and nodes. That’s related to the design of the Policy CSP. The Config section handles the configurations requests and the Result section provides a read-only path to the actual configuration.

More information

Fore more information about Windows 10 MDM, the Windows 10 CSP and the MDM Bridge WMI Provider, please refer to:

Share

Managing Windows Update for Business on Windows 10 via OMA-DM

WUfB_DeferThis week another blog post about Windows 10 and OMA-DM. This week I’m going to have a look at managing Windows Update for Business on Windows 10. However, this time I’ll group the currently available policy settings per subject, to easily provide some more background information. Also, by now I assume that I don’t have to go through all the steps to create a Configuration Item or a Configuration Policy anymore.

To manage Windows Update for Business, IT organizations can use the Policy configuration service provider (CSP) and to report about Windows Update for Business IT organizations can mainly use the Update CSP. During this blog post I’ll provide more information about Windows Update for Business, the Policy CSP, the Update CSP and the available policy configurations. I’ll end this post with configuration examples for Microsoft Intune standalone and Microsoft Intune hybrid.

Introduction

Let’s start with a short introduction about Windows Update for Business. What is it and how is different from Windows Update and Windows Server Update Services (WSUS). Windows Update for Business enables IT organizations to keep the Windows 10 devices always up to date with the latest security updates and Windows features by directly connecting these devices to Windows Update. By only using policies, Windows Update for Business is an easily established and implemented system which enables IT organizations to exercise control on how their Windows 10 devices are updated.

IT organizations can specify which devices go first in an update wave, and which devices will come later, and can make the delivery of updates to branch offices and remote sites, with limited bandwidth, very efficient.
Windows Update for Business can even be used in combination with existing management tools, such as ConfigMgr. It basically allows IT organizations to manage how and when Windows 10 devices receive updates and upgrades and provides controls to help organizations validate update quality as well as time their update deployments.

Configuration

Now let’s have a look at the configuration options for Windows Update for Business via OMA-DM. I’ll have a look at how to defer updates and upgrades, how to pause updates and upgrades and how to optimize the deployment. However, it should be noted that at this moment not everything can be configured via OMA-DM, yet.

Policy CSP & Update CSP

Before really looking at the configuration scenarios, it’s good to have a quick look at the Policy CSP and the Update CSP. The Policy CSP enables IT organizations to configure company policies on Windows 10 devices. Those policies also include the configuration options for Windows Update for Business, The Update CSP enables IT organizations to get information about the update status of Windows 10 devices. Below is a quick overview of both CSPs.

Policy CSP Update CSP
PolicyCSP UpdateCSP

Defer upgrades

To use Windows Update for Business, Windows 10 devices must be configured to Current Branch for Business (CBB). This can be configured by using one of the following policies.

Policy Description
Update/BranchReadinessLevel

  • 16 (default) – Systems takes upgrades from Current Branch (CB). 
  • 32 – System takes upgrades from Current Branch for Business (CBB).
New for Windows 10, version 1607. Allows the IT organization to set a device to the Current Branch or the Current Branch for Business servicing branch.
Update/RequireDeferUpgrade

  • 0 (default) – User gets upgrades from Current Branch (CB).
  • 1 – User gets upgrades from Current Branch for Business (CBB).
Allows the IT organization to set a device to the Current Branch or the Current Branch for Business servicing branch.

Defer upgrade and update periods

Windows Update for Business provides IT organizations the ability  to control when updates and upgrades are deployed to their Windows 10 devices. This can be achieved by specifying deferral windows from when the updates and upgrades are initially made available on Windows Update. There are restrictions as to how long IT organizations can delay updates and upgrades. The following table details the deferral periods and supported values.

Policy Description
Update/DeferFeatureUpdatePeriodInDays

  • Supported values are 0-180.
New for Windows 10, version 1607. Allows the IT organization to defer Feature Updates for up to 180 days.
Update/DeferQualityUpdatePeriodInDays

  • Supported values are 0-30.
New for Windows 10, version 1607. Allows the IT organization to defer Quality Updates for up to 30 days.
Update/DeferUpdatePeriod

  • Supported values are 0-4.
Allows the IT organization to delay updates for up to 4 weeks.
Update/DeferUpgradePeriod

  • Supported values are 0-8.
Allows the IT organization to delay upgrades for up to 8 months.

Pause upgrades and updates

Windows Update for Business also provides IT organizations the ability to pause updates and upgrades on a per device basis. This pause functionality ensures that no updates or upgrades will be made available for the specified device. The device will remain in this state until the configured period has passed or when the device is specifically “unpaused”. At that point updates are auto-resumed. The following table details the pause options and the supported values.

Policy Description
Update/PauseDeferrals

  • 0 (default) – Deferrals are not paused.
  • 1 – Deferrals are paused.
Allows the IT organization to pause updates and upgrades for up to 5 weeks. Paused deferrals will automatically be reset after 5 weeks, or when the value is set back to 0.
Update/PauseFeatureUpdates

  • 0 (default) – Feature Updates are not paused.
  • 1 – Feature Updates are paused for 60 days.
New in Windows 10, version 1607. Allows the IT organization to pause Feature Updates for up to 60 days. Paused Feature Updates will automatically be reset after 60 days, or when the value is set back to 0.
Update/PauseQualityUpdates

  • 0 (default) – Quality Updates are not paused.
  • 1 – Quality Updates are paused for 35 days.
New in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. Paused Quality Updates will automatically be reset after 35 days, or when the value is set back to 0.

Optimize delivery

By grouping machines into similar deferral periods, IT organizations can cluster devices into deployment or validation groups which can be used as a quality control measure as updates are deployed in Windows 10. With deferral windows and the ability to pause, IT organizations can effectively control and measure update deployments by rolling out to a small pool of devices first to verify quality, prior to a broader roll-out in the organization.

At this moment Windows 10 doesn’t provide configuration options via OMA-DM to specifically configure a device in a specific group. However, it’s still possible to configure a specific set of devices with a similar deferral period and to take advantage of the default configuration in Windows 10 to get updates from PCs on my local network,

Update approval

Windows Update for Business also provides IT organizations with the ability to restrict the updates that are installed on a device to only those on the update approval list. That list can be configured via the Update CSP and enables the IT organization to accept the End User License Agreement (EULA) on behalf of the end-user. This can be configured by using the following policy.

Policy Description
Update/RequireUpdateApproval

  • 0 – The device installs all applicable updates.
  • 1 – The device only installs updates that are both applicable and on the Approved Updates list.
Allows the IT organization to restrict the updates that are installed on a device to only those on an update approval list. It enables the IT organization to accept the EULA associated with the approved update on behalf of the end-user.

Example configuration

Now let’s end this post slightly different as usual. This time not with the end-user experience, but with example configurations, as I didn’t provide any throughout this post. Also, the biggest end-user experience is already shown in the picture at the beginning of this post, which is showing a grayed-out Defer upgrades setting. Below is an example of the RequireDeferUpgrade setting in Microsoft Intune hybrid (Configuration Item) and Microsoft Intune standalone (Configuration Policy).

Microsoft Intune hybrid Microsoft Intune standalone
WUfB_MIH WUfB_MISA

More information

Fore more information about Windows Update for Business, the Update CSP and the Policy CSP, please refer to:

Share

Reporting Windows Defender health on Windows 10 via OMA-DM

About a year ago I did a blog post about managing Windows Defender on Windows 10 via OMA-DM, by using the available policies in the Policy CSP. This week I’m going to have another look at Windows Defender, on Windows 10, but this time from a reporting perspective. This time I want to report about the health of Windows Defender on the Windows 10 devices that are managed via OMA-DM. To get that type of information I can use the Defender configuration service provider (CSP). The Defender CSP contains the information about the health of Windows Defender.

During this blog post I’ll go through the Defender CSP, the required configuration to get the Windows Defender health information and the administrator experience.

Defender CSP

DefenderCSPBefore starting with the required configuration to get the information about the health of Windows Defender, it’s good to have a quick look at the Defender CSP. That CSP is used to configure various Windows Defender actions across the enterprise. More specifically, I will go through the Health node. That node contains the information about the Windows Defender health status that I’m looking for.

  • ComputerState: This node provides the current state of the device;
  • DefenderEnabled: This node shows if the Windows Defender service is running;
  • RtpEnabled: This node shows if the real-time protection is running;
  • NisEnabled: This node shows if the network protection is running;
  • QuickScanOverdue: This node shows if a Windows Defender quick scan is overdue;
  • FullScanOverdue: This node shows if a Windows Defender full scan is overdue;
  • SignatureOutOfDate: This node shows if the Windows Defender signature is outdated;
  • RebootRequired: This node shows if a reboot is required;
  • FullScanRequired: This node shows if a Windows Defender full scan is required;
  • EngineVersion: This node shows the version number of the Windows Defender engine;
  • SignatureVersion: This node shows the version of the Windows Defender signatures;
  • DefenderVersion: This node shows the version of Windows Defender;
  • QuickScanTime: This node shows the time of the last Windows Defender quick scan;
  • FullScanTime: This node shows the time of the last Windows Defender full scan;
  • QuickScanSigVersion: This node shows the signature version used during the last quick scan;
  • FullScanSigVersion: This node shows the signature version used during the last full scan.

Configuration

Now it’s time to start with the required configuration to enable the ability to report about the Windows Defender health of Windows 10 devices managed via OMA-DM. However, it’s good to note that this is currently only possible in Microsoft Intune hybrid, as we need to extend the inventory on Windows 10 devices.

The Health node of the Defender CSP contains exactly the information that I’m looking for and that I would like to add to the inventory of my Windows 10 devices. Luckily, in a Microsoft Intune hybrid environment I can extend the hardware inventory to include specific OMA-URI settings. OMA-URI settings that can be added to the hardware inventory are shown, in the picture above, in a rectangular shape (and are documented with a supported Get operation).

All of the available settings, in the Health node of the Defender CSP, support the Get operation. If I want to add a custom class to the hardware inventory, with all the the available settings of the Health node, I can use the following in a MOF file.

[ SMS_Report (TRUE),
   SMS_Group_Name (“PTCLOUD Windows10 DefenderHealth”),
   SMS_Class_ID (“MICROSOFT|Windows10_DefenderHealth|1.0”),
   Namespace (“Reserved”),
   SMS_DEVICE_URI (“”) ]


class Windows10_DefenderHealth : SMS_Class_Template
{
     [SMS_Report (TRUE), SMS_DEVICE_URI(“WM:./Vendor/MSFT/Defender/Health/ComputerState”)]
      String ComputerState;
     [SMS_Report (TRUE), SMS_DEVICE_URI(“WM:./Vendor/MSFT/Defender/Health/DefenderEnabled”)]
      Boolean DefenderEnabled;
     [SMS_Report (TRUE), SMS_DEVICE_URI(“WM:./Vendor/MSFT/Defender/Health/RtpEnabled”)]
      Boolean RtpEnabled;
     [SMS_Report (TRUE), SMS_DEVICE_URI(“WM:./Vendor/MSFT/Defender/Health/NisEnabled”)]
      Boolean NisEnabled;
     [SMS_Report (TRUE), SMS_DEVICE_URI(“WM:./Vendor/MSFT/Defender/Health/QuickScanOverdue”)]
      Boolean QuickScanOverdue;
     [SMS_Report (TRUE), SMS_DEVICE_URI(“WM:./Vendor/MSFT/Defender/Health/FullScanOverdue”)]
      Boolean FullScanOverdue;
     [SMS_Report (TRUE), SMS_DEVICE_URI(“WM:./Vendor/MSFT/Defender/Health/SignatureOutOfDate”)]
      Boolean SignatureOutOfDate;
     [SMS_Report (TRUE), SMS_DEVICE_URI(“WM:./Vendor/MSFT/Defender/Health/RebootRequired”)]
      Boolean RebootRequired;
     [SMS_Report (TRUE), SMS_DEVICE_URI(“WM:./Vendor/MSFT/Defender/Health/FullScanRequired”)]
      Boolean FullScanRequired;
     [SMS_Report (TRUE), SMS_DEVICE_URI(“WM:./Vendor/MSFT/Defender/Health/EngineVersion”)]
      String EngineVersion;
     [SMS_Report (TRUE), SMS_DEVICE_URI(“WM:./Vendor/MSFT/Defender/Health/SignatureVersion”)]
      String SignatureVersion;
     [SMS_Report (TRUE), SMS_DEVICE_URI(“WM:./Vendor/MSFT/Defender/Health/DefenderVersion”)]
      String DefenderVersion;
     [SMS_Report (TRUE), SMS_DEVICE_URI(“WM:./Vendor/MSFT/Defender/Health/QuickScanTime”)]
      String QuickScanTime;
     [SMS_Report (TRUE), SMS_DEVICE_URI(“WM:./Vendor/MSFT/Defender/Health/FullScanTime”)]
      String FullScanTime;
     [SMS_Report (TRUE), SMS_DEVICE_URI(“WM:./Vendor/MSFT/Defender/Health/QuickScanSigVersion”)]
      String QuickScanSigVersion;
     [SMS_Report (TRUE), SMS_DEVICE_URI(“WM:./Vendor/MSFT/Defender/Health/FullScanSigVersion”)]
      String FullScanSigVersion;
};

This MOF file can be used to extend the hardware inventory by simply performing the following steps in the Configuration Manager console.

1 In the Configuration Manager console, and navigate to Administration > Overview > Client Settings;
2 Open the Default Client Settings, navigate to Hardware Inventory and click Set Classes;
3

WindowsDefenderInvIn the Hardware Inventory Classes, click Import and Open the new MOF file.

This will add the new class for the inventory and will show it between the existing classes.

Also note that the dataldr.log will show the creation of the new class.

Result

Now let’s end this post with the most important thing, the visualization. The extension to the hardware inventory will make sure that the information about the Windows Defender health is reported by Windows 10 devices that are managed via OMA-DM. It will add the information, like every extension to the hardware inventory, to a custom table, with it’s own custom view, in the database. That will make it relatively easy to create a custom report, as shown below, to display the information in a readable form to the administrative users.

Administrator experience
WDExampleReport

Also, keep in mind that the information will also be available in the Resource Explorer, of the Configuration Manager console, for the Windows 10 devices that are managed via OMA-DM.

More information

Fore more information about the Defender CSP and the Policy CSP, please refer to:

Share