XML Lock Down Settings Broken After Creators Update for Win10 Mobile – ConfigMgr

Overview

Assigned Access XML lock down policies in ConfigMgr/Intune hybrid allow you to lock down mobile devices. They can be used so that only the required options are available, and can also be used to personalize the device. For more details on setting that up, see this page.

With the release of Creators Update for Windows 10 Mobile, you can no longer use the settings page name to lock down settings items. Instead, you now have to use the URI for each settings element. This was the list of page names that could be used in the past, and this is the list of new URIs.

The issue

The problem we had was that mobiles were updating to 1703 and above, and this caused the settings items to go missing. This included the Quick Actions that many of the users make use of. Microsoft had released the list of URIs; however, we found that this didn’t include some of the options that we needed (this may have changed since).

The customer decided that they would like to remove the settings lock down and allow the users full access to amend the settings. Unfortunately, removing the lines from the <Settings> section was not enough.

For example, take the fairly simple XML lockdown policy below. If you had previously specified in the <Settings> section that users could only access Network-Cellular, Network-Wifi, etc., and then decided to remove all of these entries, the settings would still be locked down. Only wiping the phone, or adding every single settings URI, would remove these previously locked down settings.

<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0">
    <Default>
        <ActionCenter enabled="true"/>
        <Apps>
            <!-- Settings -->
            <Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
                <PinToStart>
                    <Size>Large</Size>
                    <Location>
                        <LocationX>0</LocationX>
                        <LocationY>0</LocationY>
                    </Location>
                </PinToStart>
            </Application>
        </Apps>
        <Buttons/>
        <CSPRunner>
        </CSPRunner>
        <MenuItems/>
        <Settings>
            <System name="ms-settings:network-cellular"/>
            <System name="ms-settings:network-wifi"/>
            <System name="ms-settings:datausage"/>
            <System name="ms-settings:network-mobilehotspot"/>
            <System name="ms-settings:network-vpn"/>
        </Settings>
        <StartScreenSize>Small</StartScreenSize>
    </Default>
</HandheldLockdown>

Resolution

In order to resolve this issue, I found that you can overwrite the previously set <Settings> section with the <CSPRunner> section. For example, the previous XML would become the below. Notice that the <Settings> entries have been commented out with <!-- and -->, and the <Data> element within <CSPRunner> is left blank, which is the part that wipes out the previous <Settings>.

<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0">
    <Default>
        <ActionCenter enabled="true"/>
        <Apps>
            <!-- Settings -->
            <Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
                <PinToStart>
                    <Size>Large</Size>
                    <Location>
                        <LocationX>0</LocationX>
                        <LocationY>0</LocationY>
                    </Location>
                </PinToStart>
            </Application>
        </Apps>
        <Buttons/>
        <CSPRunner>
            <SyncML xmlns="SYNCML:SYNCML1.2">
                <SyncHdr>
                    <VerDTD>1.2</VerDTD>
                    <VerProto>DM/1.2</VerProto>
                    <SessionID>1</SessionID>
                    <MsgID>1</MsgID>
                </SyncHdr>
                <SyncBody>
                    <Replace>
                        <CmdID>1</CmdID>
                        <Item>
                            <Meta>
                                <Format xmlns="syncml:metinf">chr</Format>
                            </Meta>
                            <Target>
                                <LocURI>./Vendor/MSFT/Policy/Settings/PageVisibilityList</LocURI>
                            </Target>
                            <!-- leave Data empty intentionally to overwrite existing settings policy to empty -->
                            <Data></Data>
                        </Item>
                    </Replace>
                </SyncBody>
            </SyncML>
        </CSPRunner>
        <MenuItems/>
        <Settings>
            <!--<System name="ms-settings:network-cellular"/>
            <System name="ms-settings:network-wifi"/>
            <System name="ms-settings:datausage"/>
            <System name="ms-settings:network-mobilehotspot"/>
            <System name="ms-settings:network-vpn"/>-->
        </Settings>
        <StartScreenSize>Small</StartScreenSize>
    </Default>
</HandheldLockdown>
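
A pre-deployment check for the two failure modes described above, added here as an example and not part of the original post: it flags <Settings> entries that are not ms-settings: URIs, and an emptied <Settings> section that ships without the PageVisibilityList reset. The function name, finding codes and sample policies are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{SYNCML:SYNCML1.2}"
PAGE_VISIBILITY = "./Vendor/MSFT/Policy/Settings/PageVisibilityList"

def audit_lockdown(xml_text):
    """Return finding codes (hypothetical names) for the <Default> role."""
    default = ET.fromstring(xml_text).find("Default")
    if default is None:
        raise ValueError("no <Default> role in policy")
    findings = []
    # The parser drops XML comments, so commented-out entries count as removed.
    names = [s.get("name", "") for s in default.findall("Settings/System")]
    # From 1703 onward each entry must be a settings URI, not a page name.
    if any(not n.lower().startswith("ms-settings:") for n in names):
        findings.append("legacy-page-name")
    # Look for a CSPRunner command that targets PageVisibilityList.
    data = None
    for item in default.iterfind(f"CSPRunner//{NS}Item"):
        uri = item.findtext(f"{NS}Target/{NS}LocURI", "").strip()
        if uri == PAGE_VISIBILITY:
            data = (item.findtext(f"{NS}Data") or "").strip()
    if data == "":
        findings.append("visibility-reset")         # empty Data clears the old list
    elif data:
        findings.append("visibility-set-by-csp")    # CSP sets its own page list
    elif not names:
        findings.append("empty-settings-no-reset")  # earlier lockdown stays on device
    return findings

def policy(settings="", csp=""):
    # Constructed sample input, reduced from the policy layout on this page.
    return ('<HandheldLockdown version="1.0"><Default>'
            f'<CSPRunner>{csp}</CSPRunner><Settings>{settings}</Settings>'
            '</Default></HandheldLockdown>')

# Constructed SyncML body mirroring the reset command shown in the Resolution.
RESET = ('<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody><Replace><CmdID>1</CmdID>'
         f'<Item><Target><LocURI>{PAGE_VISIBILITY}</LocURI></Target>'
         '<Data></Data></Item></Replace></SyncBody></SyncML>')

if __name__ == "__main__":
    wifi = '<System name="ms-settings:network-wifi"/>'
    print(audit_lockdown(policy(wifi)))
    print(audit_lockdown(policy('<System name="LEGACY-PAGE-NAME-PLACEHOLDER"/>')))
    print(audit_lockdown(policy()))
    print(audit_lockdown(policy(f"<!--{wifi}-->", RESET)))
```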