This week my post is a few days later, as my post is an extension of my session at the Workplace Ninja Virtual Summit 2020. At the virtual summit I did a session about Getting to know the Windows 10 MDM WMI Bridge provider and during my session I shared how to easily work with the Windows 10 MDM Bridge WMI provider. Similar to using Microsoft Intune to address the different CSPs, we can also use PowerShell via the WMI bridge.
Figure 1: Workplace Ninja Virtual Edition session
The main thing that I’ve showed at the end of that session was a setting template, basically a PowerShell-function, that can be used to set, adjust and remove nearly all settings via the MDM WMI Bridge provider. That PowerShell-script is available below and I’ve completely documented the use, parameters and what it exactly does.
| function Update-PolicySetting { | |
| <# | |
| .SYNOPSIS | |
| A simple function to update policy settings by using MDM WMI Bridge | |
| .DESCRIPTION | |
| This function provides the capability to adjust policy settings by using the MDM WMI Bridge. | |
| It supports the capabilities to create, update and remove an instance | |
| .PARAMETER className | |
| This parameter is required for the name of the WMI class | |
| .PARAMETER parentID | |
| This parameter is required for the name of the parent node of the OMA-URI | |
| .PARAMETER instanceID | |
| This parameter is required for the name of the WMI instance, which is the node of the OMA-URI | |
| .PARAMETER configureProperty | |
| This parameter is required when configuring a setting and is the name of the property | |
| .PARAMETER valueProperty | |
| This parameter is required when configuring a setting and is the value of the property | |
| .PARAMETER removeInstance | |
| This switch is used to indicate that the specified variables are used for deleting the WMI instance | |
| .EXAMPLE | |
| Update-PolicySetting -className 'MDM_Policy_Config01_Start02' -parentID './Vendor/MSFT/Policy/Config' -instanceID 'Start' -configureProperty 'HideAppList' -valueProperty 1 | |
| This example will run the function and configure a the property to hide the app list in Start | |
| .EXAMPLE | |
| Update-PolicySetting -className 'MDM_Policy_Config01_Start02' -parentID './Vendor/MSFT/Policy/Config' -instanceID 'Start' -removeInstance | |
| This example will run the function and remove the instance of Start | |
| .NOTES | |
| Author: Peter van der Woude | |
| Contact: pvanderwoude@hotmail.com | |
| #> | |
| param ( | |
| [Parameter(Mandatory=$true)]$className, | |
| [Parameter(Mandatory=$true)]$parentID, | |
| [Parameter(Mandatory=$true)]$instanceID, | |
| [Parameter(Mandatory=$false)]$configureProperty, | |
| [Parameter(Mandatory=$false)]$valueProperty, | |
| [Parameter(Mandatory=$false)][Switch]$removeInstance | |
| ) | |
| try { | |
| #Get a specific instance | |
| $instanceObject = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName $className -Filter "ParentID='$parentID' and InstanceID='$instanceID'" -ErrorAction Stop | |
| } | |
| catch { | |
| Write-Host $_ | Out-String | |
| } | |
| #Verify the action | |
| if ($removeInstance -eq $false) { | |
| #Verify if the additional required parameters are provided | |
| if ($PSBoundParameters.ContainsKey('configureProperty') -and ($PSBoundParameters.ContainsKey('valueProperty'))) { | |
| #Verify if the instance already exists | |
| if ($null -eq $instanceObject) { | |
| try { | |
| #Create a new instance | |
| New-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName $className -Property @{ InstanceID=$instanceID; ParentID=$parentID; $configureProperty=$valueProperty } -ErrorAction Stop | |
| Write-Output "Successfully created the instance of '$instanceID'" | |
| } | |
| catch { | |
| Write-Host $_ | Out-String | |
| } | |
| } | |
| else { | |
| try { | |
| #Adjust a specific property | |
| $instanceObject.$configureProperty = $valueProperty | |
| #Modify an existing instance | |
| Set-CimInstance -CimInstance $instanceObject -ErrorAction Stop | |
| Write-Output "Successfully adjusted the instance of '$instanceID'" | |
| } | |
| catch { | |
| Write-Host $_ | Out-String | |
| } | |
| } | |
| } | |
| else { | |
| Write-Output ">> Make sure to provide a value for configureProperty and valueProperty when creating or adjusting an instance <<" | |
| } | |
| } | |
| elseif ($removeInstance -eq $true) { | |
| #Verify if the instance already exists | |
| if ($null -ne $instanceObject) { | |
| try { | |
| #Remove a specific instance | |
| Remove-CimInstance -InputObject $instanceObject -ErrorAction Stop | |
| Write-Output "Successfully removed the instance of '$instanceID'" | |
| } | |
| catch { | |
| Write-Host $_ | Out-String | |
| } | |
| } | |
| else { | |
| Write-Output "No instance available of '$instanceID'" | |
| } | |
| } | |
| } |
An example to use this function to hide the app list in Start can be found below.
Update-PolicySetting -className 'MDM_Policy_Config01_Start02' -parentID './Vendor/MSFT/Policy/Config' -instanceID 'Start' -configureProperty 'HideAppList' -valueProperty 1 As mentioned during my session, the required parameters can be found mainly by looking at WMI by using the WMI Explorer. The name of the instance is the node of the OMA-URI that contains the required configuration. In this case Start. When you can’t find the required information, you can always refer to the documentation that’s shared below.
Figure 2: Getting the information via the WMI Explorer
More information
During my sessions I’ve showed many reference to post that describe the subjects that I covered. For future reference those posts are summarized below.
Nice and inspirational work sir.
Quick question re Autoplay policies if you don’t mind. I get “A general error occurred that is not covered by a more specific error code” for the below. Any advise ?
Update-PolicySetting -className ‘MDM_Policy_Config01_Autoplay02’ -parentID ‘./Vendor/MSFT/Policy/Config’ -instanceID ‘Autoplay’ -configureProperty ‘SetDefaultAutoRunBehavior’ -valueProperty ‘disabled
On the other hand the
“Update-PolicySetting -className “MDM_Policy_Config01_Settings02” -parentID ‘./Vendor/MSFT/Policy/Config’ -instanceID “Settings” -configureProperty “AllowAutoPlay” -valueProperty 1 -Verbose” works. Obscurely different
classes, but still, apprach is the same.
The former is ADMX-backed policy, but I would assume it ships with Windows 10 by default, no need to inject anything, is it?
Thanks!
Hi Aleksandr,
Did you verify if the actual value that you should configure matches with what you’re trying to configure (you can peak at the Result class)?
Regards, Peter
Well, after settings the former, and running the: Get-CimInstance -Namespace “root\cimv2\mdm\dmmap” -ClassName “MDM_Policy_Config01_Settings02”, I get the below. So works the way I see it.
AllowAutoPlay : 1
AllowDataSense :
AllowDateTime :
AllowEditDeviceName :
AllowLanguage :
AllowOnlineTips :
AllowPowerSleep :
AllowRegion :
AllowSignInOptions :
AllowVPN :
AllowWorkplace :
AllowYourAccount :
InstanceID : Settings
PageVisibilityList :
ParentID : ./Vendor/MSFT/Policy/Config
PSComputerName :
Whereas for for “Get-CimInstance -Namespace “root\cimv2\mdm\dmmap” -ClassName “MDM_Policy_Config01_Autoplay02”” I get empty results, which is expected, as it wasn’t set in the first place.
I think the ADMX-backed policy needs XML input and etc, which I can’t grasp at this stage with my tired brain alas.
Thank you
Ah, check, now I understand what you’re looking for. To disable the setting you can use the following value ‘]]>’.
Regards, Peter
Hi Peter,
Sorry, not sure I follow sir. Possible some escape character here ?
Thanks!
Thank you, Aleksandr, my comment got all messed up indeed. In that case have a look at the example here: https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies#admx-backed-policy-examples.
Have a look at the request syncml example of disabling a ADMX-backed policy and specifically the data-element. You need everything of that element.
Regards, Peter
Hi Peter,
I know this is an old post, but I wonder you could advise how to set (in essence override, at least temporary) the RemovableDrivesRequireEncryption Bitlocker CSP (className ‘MDM_BitLocker’) to disabled state?
Thanks!
Hi AZ,
When the settings is available via the MDM Bridge, you should be able to use this to configure the setting.
Regards, Peter