
Managing Windows MDM Policies (Policy CSP) in JC CMD

shawnsong
Rising Star III

Hi Folks,

Recently, I came across a use case (configuring Delivery Optimisation for Windows Update, more on that later) which, it seems, is only configurable via "group policy" or the Settings UI. I would always opt for manageability via PowerShell, so it seems my saving grace will be the CSP policy.

Yes, it is 🙂

The Caveats

  • MSFT has an MDM bridge WMI provider, which essentially enables local interaction with CSP policies. (Or you need to have an Intune subscription.)
  • ONLY the localsystem account has access to these WMI providers.
  • Hence, the example code below works perfectly in a JumpCloud cmd, since the JC agent will invoke localsystem for running a cmd.
  • Only modify the settings in production when you have tested it thoroughly, please 😉.

How Does it Work?

TL;DR - you may find the full script here

First of all, I will start by constructing the CIM instance from the DeliveryOptimisation class as instructed, and also leverage the policy result (existing settings) for instantiating the instance object.

# Configuring Delivery Optimisation settings
$classname = "MDM_Policy_Config01_DeliveryOptimization02"
$PRclassname = "MDM_Policy_Result01_DeliveryOptimization02"
$namespace = "root\cimv2\mdm\dmmap"
$classProperties = (Get-CimClass -Namespace $namespace -ClassName $classname).CimClassProperties

# Hardcoding the InstanceID & ParentID for the new CIM instance
$obj = @{
    InstanceID = "DeliveryOptimization"
    ParentID   = "./Vendor/MSFT/Policy/Config"
}

$session = Get-CimInstance -Namespace $namespace -ClassName $classname

if ($null -eq $session) {
    # Creating the CIM instance if it's not there
    $session = New-CimInstance -Namespace $namespace -ClassName $classname -Property $obj
}

# Populating the policy result (existing settings) into a variable
$originalProp = Get-CimInstance -Namespace $namespace -ClassName $PRclassname

# Building the CIM instance based on the attributes collected from the policy result
foreach ($propName in $classProperties.Name) {
    if ($propName -ne "InstanceID" -and $propName -ne "ParentID") {
        $obj.Add($propName, $originalProp.$propName)
    }
}

Now, the easy part - making the changes and applying them:

# Making the changes
$session.DODownloadMode = 2
$session.DOAbsoluteMaxCacheSize = 1000
$session.DOMonthlyUploadDataCap = 10

# Apply the changes
Set-CimInstance -CimInstance $session -verbose

Cleaning up afterwards:

# Cleaning up
Remove-CimInstance -CimInstance $session

Once you have run it in a cmd, you will get a cmd result like this:

this is the orginal setting


DOAbsoluteMaxCacheSize                       : 1000
DOAllowVPNPeerCaching                        : 
DOCacheHost                                  : 
DOCacheHostSource                            : 
DODelayBackgroundDownloadFromHttp            : 
DODelayCacheServerFallbackBackground         : 
DODelayCacheServerFallbackForeground         : 
DODelayForegroundDownloadFromHttp            : 
DODownloadMode                               : 2
DOGroupId                                    : 
DOGroupIdSource                              : 
DOMaxBackgroundDownloadBandwidth             : 
DOMaxCacheAge                                : 
DOMaxCacheSize                               : 
DOMaxForegroundDownloadBandwidth             : 
DOMinBackgroundQos                           : 
DOMinBatteryPercentageAllowedToUpload        : 
DOMinDiskSizeAllowedToPeer                   : 
DOMinFileSizeToCache                         : 
DOMinRAMAllowedToPeer                        : 
DOModifyCacheDrive                           : 
DOMonthlyUploadDataCap                       : 10
DOPercentageMaxBackgroundBandwidth           : 
DOPercentageMaxForegroundBandwidth           : 
DORestrictPeerSelectionBy                    : 
DOSetHoursToLimitBackgroundDownloadBandwidth : 
DOSetHoursToLimitForegroundDownloadBandwidth : 
InstanceID                                   : DeliveryOptimization
ParentID                                     : ./Vendor/MSFT/Policy/Config
PSComputerName                               : 

this is the modified setting
DOAbsoluteMaxCacheSize                       : 1000
DOAllowVPNPeerCaching                        : 
DOCacheHost                                  : 
DOCacheHostSource                            : 
DODelayBackgroundDownloadFromHttp            : 
DODelayCacheServerFallbackBackground         : 
DODelayCacheServerFallbackForeground         : 
DODelayForegroundDownloadFromHttp            : 
DODownloadMode                               : 2
DOGroupId                                    : 
DOGroupIdSource                              : 
DOMaxBackgroundDownloadBandwidth             : 
DOMaxCacheAge                                : 
DOMaxCacheSize                               : 
DOMaxForegroundDownloadBandwidth             : 
DOMinBackgroundQos                           : 
DOMinBatteryPercentageAllowedToUpload        : 
DOMinDiskSizeAllowedToPeer                   : 
DOMinFileSizeToCache                         : 
DOMinRAMAllowedToPeer                        : 
DOModifyCacheDrive                           : 
DOMonthlyUploadDataCap                       : 50
DOPercentageMaxBackgroundBandwidth           : 
DOPercentageMaxForegroundBandwidth           : 
DORestrictPeerSelectionBy                    : 
DOSetHoursToLimitBackgroundDownloadBandwidth : 
DOSetHoursToLimitForegroundDownloadBandwidth : 
InstanceID                                   : DeliveryOptimization
ParentID                                     : ./Vendor/MSFT/Policy/Config
PSComputerName                               : 

VERBOSE: Performing the operation "Set-CimInstance" on target "MDM_Policy_Config01_DeliveryOptimization02 (InstanceID = "DeliveryOptimization", ParentID = "./Vendor/MSFT/Policy/Config")".
VERBOSE: Perform operation 'Modify CimInstance' with following parameters, ''namespaceName' = root/cimv2/mdm/dmmap,'instance' = MDM_Policy_Config01_DeliveryOptimization02 (InstanceID = "DeliveryOptimization", ParentID = "./Vendor/MSFT/Policy/Config")'.
VERBOSE: Operation 'Modify CimInstance' complete.

And the UI is reflecting correctly too:

[Screenshots: DO1.jpg, DO2.jpg]

What else can you do with the MDM policies? Imagine the whole category of settings is possible; to list a few:

  • MDM_Policy_Config01_Browser02 - to manage Edge policies
  • MDM_Policy_Result01_WiFi02  - to manage WiFi settings like "Allow Internet Sharing", "Allow Manual WiFi Configuration" etc.
  • MDM_Policy_Result01_Privacy02 - an extensive list of privacy settings can be managed. 

Many many more 😎

p.s. I will dive deeper into the Delivery Optimisation use case in another post, stay tuned. 
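
As an added example (not part of the original post or its linked script): a wrapper around the same steps that refuses to run unless the process is LocalSystem, snapshots the policy result before the change, and reads it back afterwards to confirm each value took effect. The function names and the `-Desired` parameter are assumptions made for illustration; the namespace, class names and settings are the ones used above.

```powershell
# Added example, not the original poster's script. Function names are hypothetical.
# Namespace, class names and property names are the ones shown in the post.
$namespace   = 'root\cimv2\mdm\dmmap'
$configClass = 'MDM_Policy_Config01_DeliveryOptimization02'
$resultClass = 'MDM_Policy_Result01_DeliveryOptimization02'

function Assert-RunningAsLocalSystem {
    # The MDM bridge classes are only reachable as LocalSystem (well-known SID S-1-5-18).
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    if ($id.User.Value -ne 'S-1-5-18') {
        throw "Running as '$($id.Name)', not LocalSystem; refusing to touch $namespace."
    }
}

function Set-DeliveryOptimizationPolicy {
    param([Parameter(Mandatory)][hashtable]$Desired)

    Assert-RunningAsLocalSystem

    # Snapshot the effective values first so the change can be audited or rolled back.
    $before = Get-CimInstance -Namespace $namespace -ClassName $resultClass -ErrorAction Stop

    $instance = Get-CimInstance -Namespace $namespace -ClassName $configClass
    if ($null -eq $instance) {
        $instance = New-CimInstance -Namespace $namespace -ClassName $configClass -Property @{
            InstanceID = 'DeliveryOptimization'
            ParentID   = './Vendor/MSFT/Policy/Config'
        } -ErrorAction Stop
    }

    foreach ($name in $Desired.Keys) { $instance.$name = $Desired[$name] }
    Set-CimInstance -CimInstance $instance -ErrorAction Stop

    # Read the policy result back and report per setting instead of trusting the write.
    $after = Get-CimInstance -Namespace $namespace -ClassName $resultClass -ErrorAction Stop
    foreach ($name in $Desired.Keys) {
        [pscustomobject]@{
            Setting = $name
            Before  = $before.$name
            After   = $after.$name
            Applied = ($after.$name -eq $Desired[$name])
        }
    }
}

$report = Set-DeliveryOptimizationPolicy -Desired @{ DODownloadMode = 2; DOAbsoluteMaxCacheSize = 1000; DOMonthlyUploadDataCap = 10 }
$report | Format-Table -AutoSize
if ($report.Applied -contains $false) { exit 1 }   # non-zero exit code so a failed write is visible to the caller
```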

 

 

 

1 REPLY

skogan
Novitiate I

I certainly appreciate the quick tutorial for the MDM bridge, but your solution is simply an INSANE overkill.
The same thing can be accomplished with a simple registry setting or, better yet, using the LGPO tool:
https://admx.help/?Category=Windows_11_2022&Policy=Microsoft.Policies.DeliveryOptimization::Absolute...