First of all, what is OMA-DM? Open Mobile Alliance (OMA) Device Management (DM) is a device management protocol used by modern management tools to manage the modern day devices. OMA DM supports Provisioning, Device Configuration, Software Upgrades and Fault Management of devices. Windows 10 1511 comes with loads of device management capabilities with OMA-DM. We can create custom OMA DM policies in SCCM/ConfigMgr Current Branch 1511 and deploy it ONLY to Intune MDM clients. OMA-DM management capabilities are NOT opened for SCCM/ConfigMgr fully managed clients, rather it’s opened only for MDM channels. More details about OMA DM and Windows 10 policies here.
How to create Custom OMA DM policy to Deny Time and Date changes on Windows 10 Devices with SCCM Current Branch (CB)?
Open SCCM/ConfigMgr CB console and browse through “\Assets and Compliance\Overview\Compliance Settings\Configuration Items” and create a new Configuration Item called “OMA DM Custom Compliance Policy“. Select the option “Settings for Devices Managed Without Configuration Manager Client” and click Next.
Select the supported platforms for this configuration Item called OMA DM Custom Compliance Policy. Windows 8.1 and Windows 10 are the OS platforms I selected for SCCM CB OMA DM custom policy. Click Next.
Complete the Wizard just clicking Next, Next, Next (default settings) and Finish.
Right click on the SCCM CB Configuration Item which we created and go to properties.
Click on SETTINGS tab and click on New settings button.
Create New settings window and select setting type OMA URI, Data Type Integer and OMA-URI – ./Vendor/MSFT/Policy/Config/Settings/AllowDateTime. With this setting and remediation rule we can disable the time setting in Windows 10 MDM client.
URI full path: ./Vendor/MSFT/Policy/Config/Settings/AllowDateTime
- Data type: Integer
- Allowed values:
- 0 – not allowed
- 1 – allowed
- Default value: 1
Click on Compliance Rules and create one new compliance rule. Also specify the remediation rules.
Now Create Baseline for the SCCM Configuration Item we have created with OMA DM setting. Right click on the Configuration Baselines and select on create configuration baseline (SCCM Path :- \Assets and Compliance\Overview\Compliance Settings\Configuration Baselines).
On SCCM Configuration Baseline window, Type in the name of the baseline “Deny Date and Time Using OMA DM”. Select the Configuration Item which we created in the above session called OMA DM Custom Compliance Policy.
Now it’s time to Deploy the SCCM Configuration Baseline which we created. Right click on Baseline and select Deploy.
Deploy the SCCM Configuration Baseline to user collection “Test Users“. Also, we can schedule the deployment for the MDM devices. I normally stick with default schedule and that is 7 days.
Once deployment is created we can see the compliance status and deployment start time etc…
We can check the status of the SCCM Configuration Baseline from Monitoring Workspace (\Monitoring\Overview\Deployments). In this scenario, we got a report back from Windows 10 1511 MDM client that the device is noncompliance.
The end result of the Deny the change of Date and Time settings in Windows 10 :- OMA DM compliance policy works well in this scenario.
Some Stuff about troubleshooting of Windows 10 OMA DM related configuration and policy errors. There is no log files related lightweight MDM clients for Intune and SCCM CB. However more details are available in event logs Microsoft / Windows / DeviceManagement-Enterprise-Diagnostics-Provider/Admin.
Some of the sample event logs related to the deployment failures of the SCCM CB OMA DM Configuration Baseline.
MDM ConfigurationManager: Command failure status. Configuration Source ID: (38A4E807-7216-49FC-BFB8-80E610C1BE56), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (CmdType_Add), CSP URI: (./Vendor/MSFT/Policy/Config/AboveLock), Result: (Unknown Win32 Error code: 0x86000002).
MDM PolicyManager: Set policy int, Policy: (AllowActionCenterNotifications), Area: (AboveLock), EnrollmentID requesting set: (38A4E807-7216-49FC-BFB8-80E610C1BE56), Current User: (Device), Int: (0x0), Enrollment Type: (0x13), Scope: (0x0), Result:(0x86000002) Unknown Win32 Error code: 0x86000002.
MDM PolicyManager: Policy is rejected by licensing, Policy: (AllowActionCenterNotifications), Area: (AboveLock), Result:(0x86000002) Unknown Win32 Error code: 0x86000002.
Another important piece of work along with OMA DM is configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. The configuration service providers (CSP) used to manage registry keys over the air or by using an application. More details here and here.