Custom Microsoft Intune OMA-URI Policy ins-and-outs – Jeff Gilbert's Cloud (2024)

In Microsoft Intune, Configuration Service Providers (CSPs) are used to configure settings on Windows PCs. Here’s the official definition:

A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over-the-air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over-the-air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot.

Here’s the important part for Intune admins: “SyncML is only used over-the-air for Open Mobile Alliance Device Management (OMA DM)”. That’s how Intune pushes CSP-based policies to managed devices: it uses SyncML (Synchronization Markup Language) carried over OMA Device Management (OMA DM).

Windows 10 custom profiles use Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings to configure different features. The OMA-URI settings can be scoped to either users or devices and some only apply to specific versions of Windows 10.

That all sounds quite confusing at first glance, I know. If you’re familiar with Group Policy Objects (GPOs), then you can think of CSPs as small, pseudo-GPOs in that they contain settings that you configure centrally via an MDM solution like Intune. Another analogy that works for me is to think of OMA-URI locations as registry key paths containing properties that you want to set via policy. Intune uses the Policy CSP to configure Windows 10 settings, so all you have to figure out is which setting you want to use and where it lives. That’s where the Policy CSP documentation comes in handy.

There’s a lot on that page that you need to know, but there’s also a lot that you don’t need to pay attention to. The bottom line is that we need to build an OMA-URI path that points to a setting we want to configure, and that doc has the few bits of information needed to do so.

Finding your way along the OMA-URI path

When building out the OMA-URI path to configure a setting in Windows 10, you’ll need to get these bits of information from the CSP documentation. Luckily, these are all easy to get:

  • Scope
  • Root node
  • Policy CSP sub-category
  • Area and policy name

Scope

There are two scopes available for applying CSP settings: User and Device. We’ll come back to how to find this in an example, and it’s easy to figure out, but for now, just remember that the scope is the first part of the OMA-URI path. You’ll see what I mean in a minute. For now, we’ll just call it ./<Scope>, which means our OMA-URI path has a beginning:

./<Scope>

You can skip using a scope for device-wide settings, and the majority of Intune custom policies will target the device scope, but I like to use it just to be safe.

Root node

The root node of the Policy CSP is always called /Vendor/MSFT/Policy. That will be the root node for all custom policies used with Intune.

At this point, our new OMA-URI path now looks like this:

./<Scope>/Vendor/MSFT/Policy

These paths are case sensitive. Watch those p’s and Q’s as you’re building out the path.

Policy CSP sub-category

The Policy CSP has two sub-categories: Policy/Config/AreaName and Policy/Result/AreaName. We’re only ever going to care about the Policy/Config/AreaName.

So, now the OMA-URI path looks like the following, where AreaName is something we still need to define:

./<Scope>/Vendor/MSFT/Policy/Config/AreaName

Policy name information

We’ll need more than just the AreaName to finish building our OMA-URI path—we also need the PolicyName.

The AreaName/PolicyName specifies the name/value pair used in the policy. To find the AreaName/PolicyName combination, just skim through the list of available policies at the bottom of your favorite CSP documentation page to see which section matches your custom policy requirements. Once you have that, you’re done!

The final, full OMA-URI path looks something like this:

./<Scope>/Vendor/MSFT/Policy/Config/AreaName/PolicyName

So that’d be the OMA-URI path to enable you to configure some Windows 10 setting with Intune.
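As an added illustration (not code from the original post), the PowerShell below assembles the path from the four pieces just described, refuses the two things the MDM client will not tolerate (whitespace in a segment, or a stray "/"), and renders the SyncML <Replace> command that OMA DM actually carries to the device, which is the "SyncML over OMA DM" mentioned at the top of the post. The function names and the sample values are my own; the SyncML layout follows the Replace/Item/Target/LocURI shape the CSP documentation uses in its examples.

```powershell
# Added example: build an Intune custom-policy OMA-URI from its four parts and
# render the SyncML <Replace> that OMA DM carries. Function names are mine.
function New-PolicyCspUri {
    param(
        [Parameter(Mandatory)][ValidateSet('Device', 'User')][string]$Scope,
        [Parameter(Mandatory)][string]$AreaName,
        [Parameter(Mandatory)][string]$PolicyName
    )
    # The Policy CSP root node and the Config sub-category never change.
    $root = './{0}/Vendor/MSFT/Policy/Config' -f $Scope

    foreach ($part in @($AreaName, $PolicyName)) {
        # Whitespace anywhere (a trailing space included) yields a path the CSP
        # cannot resolve; the portal will not strip it for you.
        if ($part -match '\s') { throw "OMA-URI segment '$part' contains whitespace" }
        if ($part -match '/')  { throw "OMA-URI segment '$part' must not contain '/'" }
    }
    return "$root/$AreaName/$PolicyName"
}

function ConvertTo-SyncMlReplace {
    param(
        [Parameter(Mandatory)][string]$OmaUri,
        [Parameter(Mandatory)][string]$Value,
        [ValidateSet('int', 'chr', 'bool')][string]$Format = 'int',
        [int]$CmdId = 1
    )
    # Escape the value for XML so a string-typed policy cannot break the document.
    $escaped = [System.Security.SecurityElement]::Escape($Value)
    return @"
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>$CmdId</CmdID>
      <Item>
        <Target><LocURI>$OmaUri</LocURI></Target>
        <Meta><Format xmlns="syncml:metinf">$Format</Format></Meta>
        <Data>$escaped</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>
"@
}

# Usage: the password-reset setting worked through later in the post
# (Device scope, integer value 1).
$uri = New-PolicyCspUri -Scope Device -AreaName Authentication -PolicyName AllowAadPasswordReset
$uri
ConvertTo-SyncMlReplace -OmaUri $uri -Value '1' -Format int
```

Running it prints ./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset followed by the Replace envelope. Passing "AllowAadPasswordReset " (trailing space) or "Authentication/AllowAadPasswordReset" as a single segment throws before anything is sent, which is the point: the path is a literal string the client looks up, not something it normalises.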

An example might help.

Allow Azure AD password reset

This is a pretty common custom policy that I see implemented a lot. And for good reason. Something like 30% of help desk calls involve helping users reset their passwords. Why not let them reset their own passwords while you focus on something more strategic with all that $$$ you’re going to save by enabling SSPR and reducing the number of help desk calls? Let’s build out the OMA-URI path together for this one.

We already know it’s going to start like this:

./<Scope>/Vendor/MSFT/Policy/Config/

How do we find the AreaName/PolicyName information? Easy, just scroll down the Policy CSP documentation page until you see something that might relate to SSPR. Something like the Authentication Section. See Authentication/AllowAadPasswordReset? That’s the AreaName/PolicyName combination we’ll use to configure self-service password reset from the Windows 10 login screen. The documentation shows us all the information we need to define the OMA-URI path for AAD password reset:


We can see which Windows editions and Windows 10 versions the CSP is supported for. This one works for Windows 10 Pro, Business, Enterprise, and Education editions version 1709 and later. Good to know so we can verify it’s something that will work in our environment, but not necessary for the OMA-URI path. What is necessary is that scope setting. This one is for the Device scope. That means our full OMA-URI path is:

./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset

The supported values for this setting are:

  • 0 (default) – not allowed
  • 1 – allowed

0 and 1. Looks like an integer value to me.

Now we have an OMA-URI path and a setting value to use to configure it. That’s everything we need to make the option for self-service password reset available to our users from the Windows 10 login screen using Intune.

There’s more to enabling SSPR on the backend than just making the option available on the login screen. In other words, this is probably the last part of that process, but it makes for a good custom policy example. All we’re doing with this policy is making the password reset option available at the login screen. Or what identity types like to call the GINA (graphical identification and authentication).

Create the Intune custom policy

The hard part is over. Now we just need to log into the Microsoft Endpoint Manager admin center and create a pretty standard Windows 10 configuration profile. Do that by navigating here:

Log into the MEM admin center > Devices > Windows > Configuration profiles > + Create profile.

Select Windows 10 and later from the platform drop-down and Custom as the profile type. Click Create.


Now, just step through the process as usual. On the Basics tab, give the policy a name and an optional description, then click Next.


The Configuration settings tab is where all the homework pays off. Click Add to enter the OMA-URI settings we found together and then click Add again.


There are a few things to double-check at this point that can save you a lot of time troubleshooting later:

  • These OMA-URI values are case sensitive. Watch those p’s and Q’s. Verify everything is capitalized correctly before moving on.
  • Also watch out for trailing spaces. If you leave an extra space in there, the policy will fail to apply because the client can’t find an OMA-URI path with that trailing space, and it will send you into a troubleshooting tizzy wondering what “0x87d1fde8 Remediation Failed” means in your device configuration profile status.


Moving on. After you ensure the row is added successfully, just click next through the remaining tabs. Add any necessary scope tags and assign the policy to users so that they can reset their passwords. On the Applicability rules tab you can even make it so the policy is only applied to Windows 10 1709 or later devices—that’s when the SSPR capability was added to the CSP (documented in the CSP documentation we looked up earlier). Hopefully all your devices are above that level now though.
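The same profile can be created without the portal clicks, and doing it in script makes it natural to run the two checks from the list above (case and trailing whitespace) before anything is submitted. The PowerShell below is an added example, not code from the post or from Intune: it lints an entry against the documented path, then creates the custom profile and its group assignment through Microsoft Graph using the Microsoft.Graph SDK (Connect-MgGraph with the DeviceManagementConfiguration.ReadWrite.All scope is assumed to have been run first). The function names, the profile name and the group id placeholder are mine; the Graph types (windows10CustomConfiguration, omaSettingInteger, groupAssignmentTarget) are the real ones.

```powershell
# Added example: lint an OMA-URI entry the way you would before clicking Add,
# then create and assign the custom profile via Microsoft Graph.
# Assumes: Microsoft.Graph SDK installed and Connect-MgGraph already done.

function Test-OmaUriEntry {
    param(
        [Parameter(Mandatory)][string]$Entered,   # what was typed into the portal field
        [Parameter(Mandatory)][string]$Expected   # the path taken from the CSP documentation
    )
    $findings = @()
    if ($Entered -ne $Entered.Trim()) {
        # The client looks up the literal string; with a trailing space the path does not exist.
        $findings += 'leading/trailing whitespace (typical cause of 0x87d1fde8 Remediation Failed)'
    }
    $trimmed = $Entered.Trim()
    if ($trimmed -cne $Expected) {
        if ($trimmed -ieq $Expected) {
            $findings += 'case differs from the documented path (OMA-URIs are case sensitive)'
        } else {
            $findings += "path does not match the documented value '$Expected'"
        }
    }
    return ,$findings   # keep the array shape even when empty
}

function New-CustomOmaProfile {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$OmaUri,
        [Parameter(Mandatory)][int]$Value,
        [Parameter(Mandatory)][string]$ExpectedOmaUri,
        [string]$AssignToGroupId
    )
    $problems = Test-OmaUriEntry -Entered $OmaUri -Expected $ExpectedOmaUri
    if ($problems.Count -gt 0) { throw ('Refusing to create profile: ' + ($problems -join '; ')) }

    # omaSettingInteger matches the integer 0/1 value type worked out in the post.
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = 'Custom OMA-URI profile created via Graph (example)'
        omaSettings   = @(@{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = ($OmaUri -split '/')[-1]
            omaUri        = $OmaUri
            value         = $Value
        })
    }
    $created = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

    if ($AssignToGroupId) {
        $assign = @{ assignments = @(@{ target = @{
            '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
            groupId       = $AssignToGroupId } }) }
        Invoke-MgGraphRequest -Method POST `
            -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
            -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json' | Out-Null
    }
    return $created
}

# Constructed inputs: the two mistakes warned about above, then the correct path.
$expected = './Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset'
foreach ($entry in @("$expected ", $expected.ToLower(), $expected)) {
    $p = Test-OmaUriEntry -Entered $entry -Expected $expected
    if ($p.Count) { "REJECT '$entry': $($p -join '; ')" } else { "OK     '$entry'" }
}

# Once connected to Graph, create and assign for real (group id is a placeholder):
# New-CustomOmaProfile -DisplayName 'Allow Azure AD password reset' -OmaUri $expected -Value 1 `
#     -ExpectedOmaUri $expected -AssignToGroupId '<placeholder-group-object-id>'
```

The lint loop prints one REJECT line for the trailing-space entry, one for the lower-cased entry, and OK for the exact path. The refusal inside New-CustomOmaProfile is deliberate: the portal happily accepts a path with a trailing space and only tells you about it later, per device, as a remediation failure.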

Check on your test devices and, after they’ve applied the policy successfully, voilà! Users can now reset their passwords from the login screen. You’re a hero! You’ve just saved your company boat loads of $$$ in reduced help desk calls and totally deserve a raise. Let me know how that goes.
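"Check on your test devices" can be done from an elevated PowerShell prompt on the device rather than by staring at the sign-in screen. The script below is an added example, not part of the post: it reads the value the MDM client mirrors under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<AreaName> once a Policy CSP setting has applied, and, if it is missing, pulls the recent events from the MDM client's diagnostic log (Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin) that mention the path. Function names are mine; only the Device scope is handled here, since user-scoped values sit under the signed-in user's SID instead of "device".

```powershell
# Added example: verify on a managed Windows device whether the Policy CSP
# applied a setting, and surface the MDM client's events for that path.
# Run elevated on a test device. Function names are mine.

function Get-PolicyCspState {
    param(
        [Parameter(Mandatory)][string]$AreaName,
        [Parameter(Mandatory)][string]$PolicyName
    )
    $omaUri = "./Device/Vendor/MSFT/Policy/Config/$AreaName/$PolicyName"
    # The MDM client mirrors applied device-scope Policy CSP values here; the
    # value name is the PolicyName itself (REG_DWORD for integer policies).
    $key   = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$AreaName"
    $item  = Get-ItemProperty -Path $key -Name $PolicyName -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$PolicyName } else { $null }
    [pscustomobject]@{
        OmaUri  = $omaUri
        Applied = ($null -ne $item)
        Value   = $value
    }
}

function Get-MdmPolicyEvents {
    param(
        [Parameter(Mandatory)][string]$OmaUri,
        [int]$Hours = 24
    )
    # Failures such as "Remediation Failed" show up in this log with the LocURI
    # in the message text, so filtering on the path narrows it to this policy.
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddHours(-$Hours) } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$OmaUri*" } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage: the setting built in the post.
$state = Get-PolicyCspState -AreaName Authentication -PolicyName AllowAadPasswordReset
$state
if ($state.Applied -and $state.Value -eq 1) {
    'Policy applied: the password reset link should be available at the sign-in screen.'
} else {
    'Not applied yet. Sync the device (Settings > Accounts > Access work or school > Info > Sync), then review:'
    Get-MdmPolicyEvents -OmaUri $state.OmaUri
}
```

Applied=False with no matching events usually just means the device has not synced since assignment; Applied=False with events mentioning the path is where the case and trailing-space checks from earlier pay off, because the message will quote the exact LocURI the client tried to set.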


Some other interesting examples of using custom OMA-URI policies with Intune:

You’ve seen my blog; want to follow me on Twitter too? @JeffGilb



FAQs

What is a custom OMA-URI?

The OMA-URI is a path to a specific configuration setting that is supported by a CSP. It is a string that represents custom configuration for a Windows 10-based device. The syntax is determined by the CSPs on the client.

How do I create a custom policy in Intune?

Sign into the Microsoft Intune admin center. Click on Devices > Compliance Policies > Create Policy. Select “Windows 10 and later” as the platform for the policy. In the Basics tab, enter a name for the compliance policy settings and select the Custom Compliance setting.

How do I find out what Intune policies are applied?

In the Intune portal, to check the policies applied to one user, go to Troubleshooting + support > Troubleshoot, enter the user name, and it will list the policies applied to this user. On the device side, check the Advanced diagnostic report to see the policies applied.

How do I create an MDM policy in Intune?

Log in to the Intune MDM admin portal. In the Intune admin portal, go to Devices > Android > Configuration profiles. Under Policies, click Create and select New Policy.

What is the OMA DM client?

The device management takes place by communication between a server (which is managing the device) and the client (the device being managed). OMA DM is designed to support and utilize any number of data transports, such as physical connections over both wireline (USB, RS-232) and wireless media (GSM, CDMA, IrDA, or Bluetooth).

How do I create a custom compliance policy in Intune?

Create custom compliance policy

Sign in to the Microsoft Intune admin center. Go to Devices > Compliance and choose Create policy. On the Basics tab, specify a Name that helps you identify them later. On the Compliance settings tab, expand the available categories and select Custom Compliance a.

What is an Azure custom policy?

Custom policies are configuration files that define the behavior of your Azure Active Directory B2C (Azure AD B2C) tenant. While user flows are predefined in the Azure AD B2C portal for the most common identity tasks, an identity developer can edit custom policies to complete many different tasks.

How do I upload a custom policy to Azure?

In the Azure portal, search for and select Azure AD B2C. In the left menu, under Policies, select Identity Experience Framework. Select Upload custom policy, browse, select, and then upload the ContosoCustomPolicy.XML file.

What apps can be managed by Intune?

Microsoft apps

  App                      Platform
  Org allowed accounts     iOS, Android
  Microsoft Loop           Android
  Office (Microsoft 365)   Android
  Microsoft 365 (Office)   iOS
  Microsoft OneDrive       Android
  (34 more rows)

Can Intune see what apps are installed?

Discovered apps is a separate report from the app installation reports. For personal devices, Intune never collects information on applications that are unmanaged. On corporate devices, any app, whether it's a managed app or not, is collected for this report.

How do you tell if a computer is managed by Intune?

To check if your Windows computer is enrolled in Intune:
  1. Go to Windows Settings.
  2. Click on Accounts.
  3. Click on Access work or school and look for one of these: This means that your computer is joined to Azure AD and enrolled in Intune. Click on it, and then click on Info.
Nov 13, 2023

What is the difference between MDM and Intune?

In summary, while Microsoft 365 MDM is a basic mobile device management solution included with specific Microsoft 365 plans, Microsoft Intune is a more feature-rich standalone MDM solution that offers a broader range of management and security capabilities for devices accessing both Microsoft 365 services and other ...

What are the three MDM policies?

There are three main categories of mobile device usage: Bring Your Own Device (BYOD), Company Owned/Business Only (COBO), and Company Owned/Personally Enabled (COPE).

How do I import a policy into Intune?

In the Microsoft Intune admin center, select Devices > Group Policy analytics. Select Import, select your saved XML file > Next. You can select multiple files at the same time. Check the sizes of your individual GPO XML files.

What is an OMA-URI for Android?

Android Enterprise custom profiles use Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings to control features on Android Enterprise devices. These settings are typically used by mobile device manufacturers to control these features.

How do I delete custom settings?

Click Custom settings. On the left, click an organizational unit the custom setting applies to. Check the box next to each custom setting you want to delete, then click Delete selected.

What is a configuration service provider?

A configuration service provider (CSP) is a component of Windows client operating systems that shows IT professionals device configuration choices and allows them to apply the settings across multiple Windows OSes.

What are configuration profiles in Intune?

Microsoft Intune includes settings and features you can enable or disable on different devices within your organization. These settings and features are added to configuration profiles. When you configure device features using a configuration profile, you can help your end users be productive on their devices faster.
