Windows 10 MDM Bridge WMI Provider: Settings template

This week my post is a few days later than usual, as it is an extension of my session at the Workplace Ninja Virtual Summit 2020. At the virtual summit I did a session about getting to know the Windows 10 MDM WMI Bridge provider, and during that session I shared how to easily work with the Windows 10 MDM Bridge WMI provider. Similar to using Microsoft Intune to address the different CSPs, we can also use PowerShell via the WMI bridge.

The main thing that I showed at the end of that session was a settings template, basically a PowerShell function, that can be used to set, adjust and remove nearly all settings via the MDM WMI Bridge provider. That PowerShell function is available below, and I've completely documented its use, its parameters and exactly what it does.

function Update-PolicySetting {
    <#
    .SYNOPSIS
        A simple function to update policy settings by using MDM WMI Bridge
    .DESCRIPTION
        This function provides the capability to adjust policy settings by using the MDM WMI Bridge.
        It supports the capabilities to create, update and remove an instance
    .PARAMETER className
        This parameter is required for the name of the WMI class
    .PARAMETER parentID
        This parameter is required for the name of the parent node of the OMA-URI
    .PARAMETER instanceID
        This parameter is required for the name of the WMI instance, which is the node of the OMA-URI
    .PARAMETER configureProperty
        This parameter is required when configuring a setting and is the name of the property
    .PARAMETER valueProperty
        This parameter is required when configuring a setting and is the value of the property
    .PARAMETER removeInstance
        This switch is used to indicate that the specified variables are used for deleting the WMI instance
    .EXAMPLE
        Update-PolicySetting -className 'MDM_Policy_Config01_Start02' -parentID './Vendor/MSFT/Policy/Config' -instanceID 'Start' -configureProperty 'HideAppList' -valueProperty 1
        This example will run the function and configure the property to hide the app list in Start
    .EXAMPLE
        Update-PolicySetting -className 'MDM_Policy_Config01_Start02' -parentID './Vendor/MSFT/Policy/Config' -instanceID 'Start' -removeInstance
        This example will run the function and remove the instance of Start
    .NOTES
        Author: Peter van der Woude
        Contact: pvanderwoude@hotmail.com
    #>
    param (
        [Parameter(Mandatory=$true)]$className,
        [Parameter(Mandatory=$true)]$parentID,
        [Parameter(Mandatory=$true)]$instanceID,
        [Parameter(Mandatory=$false)]$configureProperty,
        [Parameter(Mandatory=$false)]$valueProperty,
        [Parameter(Mandatory=$false)][Switch]$removeInstance
    )
    try {
        #Get a specific instance
        $instanceObject = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName $className -Filter "ParentID='$parentID' and InstanceID='$instanceID'" -ErrorAction Stop
    }
    catch {
        #Write-Host emits nothing to the pipeline, so the error record is converted to text first
        Write-Host ($_ | Out-String)
    }
    #Verify the action
    if ($removeInstance -eq $false) {
        #Verify if the additional required parameters are provided
        if ($PSBoundParameters.ContainsKey('configureProperty') -and ($PSBoundParameters.ContainsKey('valueProperty'))) {
            #Verify if the instance already exists
            if ($null -eq $instanceObject) {
                try {
                    #Create a new instance
                    New-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName $className -Property @{ InstanceID=$instanceID; ParentID=$parentID; $configureProperty=$valueProperty } -ErrorAction Stop
                    Write-Output "Successfully created the instance of '$instanceID'"
                }
                catch {
                    Write-Host ($_ | Out-String)
                }
            }
            else {
                try {
                    #Adjust a specific property
                    $instanceObject.$configureProperty = $valueProperty
                    #Modify an existing instance
                    Set-CimInstance -CimInstance $instanceObject -ErrorAction Stop
                    Write-Output "Successfully adjusted the instance of '$instanceID'"
                }
                catch {
                    Write-Host ($_ | Out-String)
                }
            }
        }
        else {
            Write-Output ">> Make sure to provide a value for configureProperty and valueProperty when creating or adjusting an instance <<"
        }
    }
    elseif ($removeInstance -eq $true) {
        #Verify if the instance already exists
        if ($null -ne $instanceObject) {
            try {
                #Remove a specific instance
                Remove-CimInstance -InputObject $instanceObject -ErrorAction Stop
                Write-Output "Successfully removed the instance of '$instanceID'"
            }
            catch {
                Write-Host ($_ | Out-String)
            }
        }
        else {
            Write-Output "No instance available of '$instanceID'"
        }
    }
}

An example to use this function to hide the app list in Start can be found below.

Update-PolicySetting -className 'MDM_Policy_Config01_Start02' -parentID './Vendor/MSFT/Policy/Config' -instanceID 'Start' -configureProperty 'HideAppList' -valueProperty 1 

As mentioned during my session, the required parameters can mainly be found by looking at WMI with WMI Explorer. The name of the instance is the node of the OMA-URI that contains the required configuration, in this case Start. When you can't find the required information, you can always refer to the documentation that's shared below.
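A scripted alternative to browsing with WMI Explorer, as an added example that is not part of the original post: it lists the bridge classes matching a pattern with their property names, and reads back which properties currently hold a value so a change made with Update-PolicySetting can be verified. The helper names Find-MdmBridgeClass and Get-MdmBridgeSetting are hypothetical, and the code assumes an elevated session (for device-scoped classes, the local system context).

```powershell
# Added example, not the author's code. Helper names are hypothetical.
# Assumption: run elevated; device-scoped classes are queried as local system.
$Namespace = 'root\cimv2\mdm\dmmap'

function Find-MdmBridgeClass {
    # List classes matching a wildcard pattern, with the property names that
    # can be passed to Update-PolicySetting as -configureProperty
    param (
        [Parameter(Mandatory = $true)][string]$Pattern
    )
    Get-CimClass -Namespace $Namespace -ClassName $Pattern -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{
                ClassName  = $_.CimClassName
                Properties = ($_.CimClassProperties |
                    Where-Object { $_.Name -notin 'InstanceID', 'ParentID' } |
                    ForEach-Object { '{0} ({1})' -f $_.Name, $_.CimType }) -join ', '
            }
        }
}

function Get-MdmBridgeSetting {
    # Read back every instance of a class and return only the properties that
    # actually hold a value, one row per configured setting
    param (
        [Parameter(Mandatory = $true)][string]$ClassName
    )
    $instances = Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction Stop
    foreach ($instance in $instances) {
        foreach ($property in $instance.CimInstanceProperties) {
            if ($null -ne $property.Value -and $property.Name -notin 'InstanceID', 'ParentID') {
                [pscustomobject]@{
                    ParentID   = $instance.ParentID
                    InstanceID = $instance.InstanceID
                    Property   = $property.Name
                    Value      = $property.Value
                }
            }
        }
    }
}

# Discover the Start policy classes, then confirm what is set after a change
Find-MdmBridgeClass -Pattern 'MDM_Policy_Config01_Start*' | Format-List
Get-MdmBridgeSetting -ClassName 'MDM_Policy_Config01_Start02' | Format-Table -AutoSize
```

An empty result from Get-MdmBridgeSetting means no instance of that class exists, which is the state Update-PolicySetting leaves behind after -removeInstance.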

More information

During my sessions I showed many references to posts that describe the subjects that I covered. For future reference, those posts are summarized below.

9 thoughts on “Windows 10 MDM Bridge WMI Provider: Settings template”

  1. Nice and inspirational work sir.

    Quick question re Autoplay policies if you don’t mind. I get “A general error occurred that is not covered by a more specific error code” for the below. Any advice?

    Update-PolicySetting -className 'MDM_Policy_Config01_Autoplay02' -parentID './Vendor/MSFT/Policy/Config' -instanceID 'Autoplay' -configureProperty 'SetDefaultAutoRunBehavior' -valueProperty 'disabled'

    On the other hand the
    “Update-PolicySetting -className "MDM_Policy_Config01_Settings02" -parentID './Vendor/MSFT/Policy/Config' -instanceID "Settings" -configureProperty "AllowAutoPlay" -valueProperty 1 -Verbose” works. Obscurely different
    classes, but still, approach is the same.

    The former is ADMX-backed policy, but I would assume it ships with Windows 10 by default, no need to inject anything, is it?

    Thanks!

  2. Well, after setting the former, and running the: Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_Policy_Config01_Settings02", I get the below. So works the way I see it.

    AllowAutoPlay : 1
    AllowDataSense :
    AllowDateTime :
    AllowEditDeviceName :
    AllowLanguage :
    AllowOnlineTips :
    AllowPowerSleep :
    AllowRegion :
    AllowSignInOptions :
    AllowVPN :
    AllowWorkplace :
    AllowYourAccount :
    InstanceID : Settings
    PageVisibilityList :
    ParentID : ./Vendor/MSFT/Policy/Config
    PSComputerName :

    Whereas for “Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_Policy_Config01_Autoplay02"” I get empty results, which is expected, as it wasn’t set in the first place.

    I think the ADMX-backed policy needs XML input and etc, which I can’t grasp at this stage with my tired brain alas.

    Thank you

  3. Hi Peter,

    I know this is an old post, but I wonder if you could advise how to set (in essence override, at least temporarily) the RemovableDrivesRequireEncryption Bitlocker CSP (className 'MDM_BitLocker') to disabled state?

    Thanks!
