Blog Post

Intune Customer Success

Support Tip: Custom OMA-URIs not always applying to Windows 10 Devices

Intune_Support_Team
Aug 20, 2020

Intune has been working with the Windows team to troubleshoot reports that custom OMA-URI policies with payloads over 350k bytes are not consistently applied on Windows 10 devices. Based on the results of our investigation, we’re going to block Intune creation of any custom OMA-URI policies that are larger than 350k bytes. We also plan to add an “unsupported” profile type in an upcoming release to help highlight any existing policies greater than 350k.

If you have policies with payloads over 350k bytes, you should see a message center post and actions for you to take to reduce the policy size. To determine the size of the custom OMA-URI policy, check the file properties of the original XML file used to configure the policy. You can remove or reconfigure the unsupported and assigned custom profiles, and remove the non-assigned custom OMA-URI profiles. Note that when you unassign or remove a custom OMA-URI profile, enrolled devices will stay enrolled; only the policy may not be consistently applied until you resize and reassign it.
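The following PowerShell is an added example, not part of the original support post and not an Intune or Microsoft tool. It automates the "check the file properties" step above by reporting the size of every candidate policy file in a folder against the limit. It assumes the 350k limit means 350,000 bytes, and the folder path and file extensions (.xml for AppLocker policies, .bin for compiled WDAC policies) are placeholders for your own environment.

```powershell
# Added example (not from the Intune support post): size-check policy files
# before they are attached to a custom OMA-URI profile.
# Assumptions: "350k" is read as 350,000 bytes; the folder path is a placeholder.

function Get-OmaUriPayloadReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$LimitBytes = 350000
    )
    # Inspect the XML (AppLocker) and .bin (WDAC) files that are typically
    # uploaded as custom OMA-URI payloads; -Include needs -Recurse to apply.
    Get-ChildItem -Path $Path -File -Include '*.xml','*.bin' -Recurse |
        ForEach-Object {
            [pscustomobject]@{
                File       = $_.FullName
                SizeBytes  = $_.Length
                SizeKB     = [math]::Round($_.Length / 1KB, 1)
                OverLimit  = $_.Length -gt $LimitBytes
                BytesToCut = [math]::Max(0, $_.Length - $LimitBytes)
            }
        }
}

$PolicyFolder = 'C:\IntunePolicies'   # placeholder path
$LimitBytes   = 350000

$report = Get-OmaUriPayloadReport -Path $PolicyFolder -LimitBytes $LimitBytes
$report | Sort-Object SizeBytes -Descending | Format-Table -AutoSize

# Fail loudly so the check can gate a packaging or pipeline step before upload.
if ($report | Where-Object OverLimit) {
    Write-Warning "One or more policy files exceed $LimitBytes bytes and would be blocked by Intune."
    exit 1
}
```

If a policy is pasted into the OMA-URI value as a string rather than uploaded as a file, measure the string itself (for example `[Text.Encoding]::UTF8.GetByteCount($xmlString)`) instead of a file on disk; the BytesToCut column tells you how much the policy has to shrink before it is accepted.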

If you have any questions, just let us know @IntuneSuppTeam or through comments on this post.

Blog post updates:

8/21/20: Formatting fixes.

Updated Dec 19, 2023
Version 7.0
  • Ray Ellington
    Copper Contributor

    This is really bad, guys. A very important process I use is now broken. We have hundreds of endpoints now that can't get newly whitelisted applications.

  • NickyF
    Copper Contributor

    I also wonder how you "troubleshoot"... the block you mentioned had already happened earlier than your post here.

    The custom OMA-URI with files larger than 350k is a really old topic; we had a long ongoing ticket with Microsoft regarding this years ago. The resolution was that only files larger than 350k were not consistently applied on Windows 10 devices. Using the XML string was the solution then; there it was possible to use larger XML content than was possible in the file section.

    Blocking the functionality in general without presenting an alternative way of using the Microsoft AppLocker functionality means that for all our devices we have to remove 70 percent of the allowed applications, which is of course impossible. Please reactivate the custom OMA-URI in full scale and present an alternative solution before snipping within the system.

  • Shawn Reynolds
    Copper Contributor

    Intune_Support_Team blocking this without providing an alternative is putting my team in a really bad place. Giving no warning saying that you are going to pull this feature that has been in place for years is highly concerning.

  • mlippold
    Copper Contributor

    Intune_Support_Team We are having the same issue as well. We had this solution created by Microsoft consultants four months ago, and now we are trying to update for Windows 10 2004 and we can't use the existing solution because we are being prevented from uploading our new bin file.

    This change needs to be rolled back as it was consistently working fine for our workstations. You shouldn't break all of the eggs to try to prevent a few eggs from breaking.

  • NickyF
    Copper Contributor

    Absolutely true! My understanding was the same as mlippold mentioned... Microsoft has some issues with custom OMA-URI and instead of resolving these issues they just disabled the feature. Limiting to 350k is basically a disabling of the feature, since it's not usable anymore for anything.

    All referred articles like

    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune

    or

    https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp

    are totally useless, since the only security you could provide with 350k is "none" / admin mode.

    The ADMX custom policy upload is, yes, a possibility to upload registry editing policies, but not CSP policies which add e.g. whitelist information in XML or bin format. Therefore the "resolution" presented is just an empty box.

    We have been trying to get a solution from MS for 5 weeks and the only thing I've learned was that we have more understanding of the topic than they have. Presenting ADMX as the solution is the best example, since they have no administrative template that in any way supports the Microsoft AppLocker CSP or Microsoft Windows Defender Application Control in Intune.

    I can just repeat my request, "tear down this wall!", and withdraw the limitation of 350k that seems to be enabled just because you don't want to resolve tickets anymore that are related to custom OMA-URI policies.

    kr

    Nicky

  • Jakker400
    Copper Contributor

    Hey,

    I'm running into the same issue it seems. I can't upload my WDAC policy, and I really can't keep this under 350k. Has there been a solution for this yet?

    kr
    Jorn