%3CLINGO-SUB%20id%3D%22lingo-sub-1594149%22%20slang%3D%22en-US%22%3ESupport%20Tip%3A%20Custom%20OMA-URI%E2%80%99s%20not%20always%20applying%20to%20Windows%2010%20Devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1594149%22%20slang%3D%22en-US%22%3E%3CP%3EIntune%20has%20been%20working%20with%20the%20Windows%20team%20to%20troubleshoot%20reports%20that%20custom%20OMA-URI%20policies%26nbsp%3Bwith%20payloads%20over%26nbsp%3B350k%20bytes%20are%20not%20consistently%20applied%20in%20Windows%2010%20devices.%20Based%20on%20the%20results%20of%20our%20investigation%2C%20we%E2%80%99re%20going%20to%20block%20Intune%20creation%20of%20any%20custom%20OMA-URI%20policies%20that%20are%20larger%20than%20350k%20bytes.%20We%20do%20also%20plan%20to%20put%20an%20%E2%80%9Cunsupported%E2%80%9D%20profile%20type%20in%20an%20upcoming%20release%20to%20help%20highlight%20any%20existing%20policies%20greater%20than%20350k.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20have%20policies%20with%20payloads%20over%26nbsp%3B350k%20bytes%2C%20you%20should%20see%20a%20message%20center%20post%20and%20actions%20for%20you%20to%20take%20to%20reduce%20the%20policy%20size.%3CSPAN%3E%26nbsp%3BTo%20determine%20the%20size%20of%20the%20custom%20OMA-URI%20policy%2C%20check%20the%20file%20properties%20of%20the%20original%20xml%20file%20used%20to%20configure%20the%20policy.%26nbsp%3B%3C%2FSPAN%3EYou%20can%20remove%20or%20reconfigure%20the%20unsupported%20and%20assigned%20custom%20profile%20names.%20Remove%20the%20non-assigned%20customURI%20profiles.%26nbsp%3B%3CSPAN%3ENote%20that%20when%20you%20unassign%20or%20remove%20custom%20OMA-URI%2C%20enrolled%20devices%20will%20continue%20to%20stay%20enrolled%2C%20just%20the%20policy%20may%20not%20be%20consistently%20applied%20until%20you%20resize%20and%20assign%20the%20policy.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EIf%20you%20have%20any%20questions%2C%20just%20let%20us%20know%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FIntuneSuppTeam%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%40IntuneSuppTeam%3C%2FA%3E%26nbsp%3Bor%20through%20comments%20on%20this%20post.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EBlog%20post%20updates%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E8%2F21%2F20%3A%20Formatting%20fixes.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1594149%22%20slang%3D%22en-US%22%3E%3CP%3ERead%20this%20post%20for%20more%20information%20on%20custom%20OMA-URI%20size.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1594149%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOMA-URI%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESupport%20Tip%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%2010%20Policies%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1608636%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Custom%20OMA-URI%E2%80%99s%20not%20always%20applying%20to%20Windows%2010%20Devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1608636%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20really%20bad%20guys.%20A%20very%20important%20process%20I%20use%20is%20now%20broken.%20We%20have%20hundreds%20of%20endpoints%20now%20that%20can't%20get%20newly%20whitelisted%20applications.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1608677%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Custom%20OMA-URI%E2%80%99s%20not%20always%20applying%20to%20Windows%2010%20Devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1608677%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F125526%22%20target%3D%22_blank%22%3E%40Ray%20Ellington%3C%2FA%3E%26nbsp%3B%20Tottaly%20agree%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F226779%22%20target%3D%22_blank%22%3E%40Intune%20Support%20Team%3C%2FA%3E%26nbsp%3B%20Then%20maybe%20Please%20create%20it%20under%20Configuration%20Profiles%20that%20we%20dont%20need%20to%20use%20custom%20OMA-URI%20policy%20for%20this.Everyone%20who%20is%20using%20this%20feature%20would%20be%20happy%20about%20this%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1609724%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Custom%20OMA-URI%E2%80%99s%20not%20always%20applying%20to%20Windows%2010%20Devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1609724%22%20slang%3D%22en-US%22%3E%3CP%3EI%20also%20wonder%20how%20you%20%22troubleshoot%22%20..%20the%20block%20you%20mentioned%20has%20happend%20already%20earlier%20than%20your%20post%20here.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20custom%20OMA-URI%20with%20files%20larger%20than%20350k%20is%20an%20really%20old%20topic%2C%20we%20had%20a%20long%20ongoing%20ticket%20on%20Microsoft%20regarding%20this%20years%20ago.%20The%20resolution%20was%20that%20only%20files%20larger%20than%20350k%20was%20%3CSPAN%3Ere%20not%20consistently%20applied%20in%20Windows%2010%20devices.%20Using%20the%20xml-string%20was%20the%20solution%20then%2C%20here%20it%20was%20possible%20to%20use%20larger%20xml%20content%20than%20it%20was%20possible%20in%20the%20file%20section.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3Eblocking%20the%20functionality%20in%20general%20without%20presenting%20an%20alternative%20way%20of%20using%20the%20Microsoft%20Applocker%20functionality%20means%20for%20all%20our%20devices%20that%20we%20have%20to%20remove%2070%20percent%20of%20the%20allowed%20applications%2C%20what%20is%20of%20course%20impossible.%20Please%20reactivate%20the%20cusom%20OMA-URI%20in%20full%20scale%20and%20present%20an%20alternative%20solution%20before%20snipping%20within%20the%20system.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1610533%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Custom%20OMA-URI%E2%80%99s%20not%20always%20applying%20to%20Windows%2010%20Devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1610533%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F226779%22%20target%3D%22_blank%22%3E%40Intune%20Support%20Team%3C%2FA%3E%26nbsp%3Bblocking%20this%20without%20providing%20an%20alternative%20is%20putting%20my%20team%20in%20a%20really%20bad%20place.%20Giving%20no%20warning%20saying%20that%20you%20are%20going%20to%20pull%20this%20feature%20that%20has%20been%20in%20place%20for%20years%20is%20highly%20concerning.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1612471%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Custom%20OMA-URI%E2%80%99s%20not%20always%20applying%20to%20Windows%2010%20Devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1612471%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F486151%22%20target%3D%22_blank%22%3E%40NickyF%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F17989%22%20target%3D%22_blank%22%3E%40Shawn%20Reynolds%3C%2FA%3E%2C%26nbsp%3Bthank%20you%20both%20for%20your%20feedback!%20%3CSPAN%3EWe%E2%80%99ve%20followed%20up%20with%20you%20over%20direct%20message%20to%20learn%20more%20about%20your%20scenario%20and%20provide%20further%20assistance.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1730177%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Custom%20OMA-URI%E2%80%99s%20not%20always%20applying%20to%20Windows%2010%20Devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1730177%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F226779%22%20target%3D%22_blank%22%3E%40Intune%20Support%20Team%3C%2FA%3E%26nbsp%3B%26nbsp%3BWe%20are%20having%20the%20same%20issue%20as%20well%20-%20We%20had%20this%20solution%20created%20by%20Microsoft%20consultants%20four%20months%20ago%20and%20now%20we%20are%20trying%20to%20update%20for%20Windows%2010%202004%20and%20we%20can't%20use%20the%20existing%20solution%20because%20we%20are%20being%20prevented%20from%20uploading%20our%20new%20bin%20file.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20change%20needs%20to%20be%20rolled%20back%20as%20it%20was%20consistently%20working%20fine%20for%20our%20workstations.%26nbsp%3B%20You%20shouldn't%20break%20all%20of%20the%20eggs%20to%20try%20to%20prevent%20a%20few%20eggs%20from%20breaking.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1733346%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Custom%20OMA-URI%E2%80%99s%20not%20always%20applying%20to%20Windows%2010%20Devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1733346%22%20slang%3D%22en-US%22%3E%3CP%3EAbsolutely%20true!%20My%20understanding%20was%20the%20same%20as%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F815175%22%20target%3D%22_blank%22%3E%40mlippold%3C%2FA%3E%26nbsp%3B%20mentioned%20..%20Microsoft%20has%20some%20issues%20with%20custom%20OMA-URi%20and%20except%20of%20resolving%20this%20issues%20they%20just%20disabled%20the%20feature.%20Limit%20to%20350k%20is%20basically%26nbsp%3B%20is%20a%20disable%20of%20the%20feature%20since%20it's%20not%20usable%20anymore%20for%20anything.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAll%20referred%20articles%20like%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-application-control%2Fdeploy-windows-defender-application-control-policies-using-intune%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-application-control%2Fdeploy-windows-defender-application-control-policies-using-intune%3C%2FA%3E%3C%2FP%3E%3CP%3Eor%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fclient-management%2Fmdm%2Fapplocker-csp%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fclient-management%2Fmdm%2Fapplocker-csp%3C%2FA%3E%3C%2FP%3E%3CP%3Eare%20totally%20useless%20since%20the%20only%20security%20you%20could%20provide%20with%20350k%20is%20%22none%22%20%2F%20admin%20mode%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethe%20ADMX%20custom%20policy%20upload%20is%2C%20yes%2C%20a%20possibility%20to%20upload%20registry%20editing%20policies%2C%20but%20no%20CSP%20policies%20which%20adds%20e.g.%20whitelist%20Information%20in%20XML%20or%20bin%20format.%20therefore%20the%20%22resolution%22%20presented%20is%20just%20a%20empty%20box..%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20trying%20to%20get%20a%20solution%20from%20MS%20since%205%20weeks%20and%20the%20only%20thing%20I've%20learned%20was%20that%20we%20have%20more%20understanding%20of%20the%20topic%20then%20they%20have.%20Presenting%20ADMX%20as%20the%20solution%20is%20the%20best%20example%20since%20they%20have%20no%20administrative%20template%20that%20in%20anyway%20that%20supports%20the%20Microsoft%20Applocker%20CSP%20or%20the%20Microsoft%20windows%20defender%20application%20control%20in%20Intune.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20just%20can%20repeat%20my%20request%20%22tear%20down%20this%20wall!%22%20and%20%3CSPAN%3Ewithdraw%26nbsp%3B%3C%2FSPAN%3Ethe%20limitation%20of%20350k%20that%20seems%20to%20be%20enabled%20just%20because%20you%20don't%20want%20to%20resolve%20tickets%20anymore%20that%20are%20related%20to%20custom%20OMA-URi%20policies.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ekr%3C%2FP%3E%3CP%3ENicky%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E

Intune has been working with the Windows team to troubleshoot reports that custom OMA-URI policies with payloads over 350k bytes are not consistently applied in Windows 10 devices. Based on the results of our investigation, we’re going to block Intune creation of any custom OMA-URI policies that are larger than 350k bytes. We do also plan to put an “unsupported” profile type in an upcoming release to help highlight any existing policies greater than 350k.

 

If you have policies with payloads over 350k bytes, you should see a message center post and actions for you to take to reduce the policy size. To determine the size of the custom OMA-URI policy, check the file properties of the original xml file used to configure the policy. You can remove or reconfigure the unsupported and assigned custom profile names. Remove the non-assigned customURI profiles. Note that when you unassign or remove custom OMA-URI, enrolled devices will continue to stay enrolled, just the policy may not be consistently applied until you resize and assign the policy.

 

If you have any questions, just let us know @IntuneSuppTeam or through comments on this post.

 

Blog post updates:

8/21/20: Formatting fixes.

7 Comments
New Contributor

This is really bad guys. A very important process I use is now broken. We have hundreds of endpoints now that can't get newly whitelisted applications.

Senior Member

@Ray Ellington  Tottaly agree

@Intune Support Team  Then maybe Please create it under Configuration Profiles that we dont need to use custom OMA-URI policy for this.Everyone who is using this feature would be happy about this

New Contributor

I also wonder how you "troubleshoot" .. the block you mentioned has happend already earlier than your post here.

 

The custom OMA-URI with files larger than 350k is an really old topic, we had a long ongoing ticket on Microsoft regarding this years ago. The resolution was that only files larger than 350k was re not consistently applied in Windows 10 devices. Using the xml-string was the solution then, here it was possible to use larger xml content than it was possible in the file section.

 

blocking the functionality in general without presenting an alternative way of using the Microsoft Applocker functionality means for all our devices that we have to remove 70 percent of the allowed applications, what is of course impossible. Please reactivate the cusom OMA-URI in full scale and present an alternative solution before snipping within the system.

New Contributor

@Intune Support Team blocking this without providing an alternative is putting my team in a really bad place. Giving no warning saying that you are going to pull this feature that has been in place for years is highly concerning.

Hi @NickyF and @Shawn Reynolds, thank you both for your feedback! We’ve followed up with you over direct message to learn more about your scenario and provide further assistance.

Visitor

@Intune Support Team  We are having the same issue as well - We had this solution created by Microsoft consultants four months ago and now we are trying to update for Windows 10 2004 and we can't use the existing solution because we are being prevented from uploading our new bin file.

 

This change needs to be rolled back as it was consistently working fine for our workstations.  You shouldn't break all of the eggs to try to prevent a few eggs from breaking.

New Contributor

Absolutely true! My understanding was the same as @mlippold  mentioned .. Microsoft has some issues with custom OMA-URi and except of resolving this issues they just disabled the feature. Limit to 350k is basically  is a disable of the feature since it's not usable anymore for anything.

 

All referred articles like

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-con...

or

https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp

are totally useless since the only security you could provide with 350k is "none" / admin mode

 

the ADMX custom policy upload is, yes, a possibility to upload registry editing policies, but no CSP policies which adds e.g. whitelist Information in XML or bin format. therefore the "resolution" presented is just a empty box.. 

 

We are trying to get a solution from MS since 5 weeks and the only thing I've learned was that we have more understanding of the topic then they have. Presenting ADMX as the solution is the best example since they have no administrative template that in anyway that supports the Microsoft Applocker CSP or the Microsoft windows defender application control in Intune.

 

I just can repeat my request "tear down this wall!" and withdraw the limitation of 350k that seems to be enabled just because you don't want to resolve tickets anymore that are related to custom OMA-URi policies.

 

kr

Nicky