Understanding Custom Configuration Profiles (OMA-URI) in Microsoft Intune

  • Post by Weekend Wiki (General Manager)


    Custom Configuration Profiles in Microsoft Intune allow you to configure specific device settings that may not be available through predefined policy templates. By leveraging OMA-URI (Open Mobile Alliance Uniform Resource Identifier), Intune administrators can apply advanced settings to devices, such as setting registry values, configuring system behaviors, or applying device-specific configurations not offered out of the box by Intune.

    OMA-URI is a method of communicating settings to devices using XML-based syntax. This allows you to configure settings on Windows, iOS, and Android devices, giving administrators the flexibility to apply advanced configurations that aren’t covered in the standard templates.

    In this article, we’ll explain how to create Custom Configuration Profiles using OMA-URI, with an example PowerShell script for setting the screen lockout time on Windows devices.


    What is OMA-URI?

    OMA-URI is a way to define device settings using a unique identifier that refers to a specific setting within the device. This identifier, in combination with a corresponding value, allows the configuration of device policies directly from the Intune portal.

    Each OMA-URI setting corresponds to a unique policy or configuration that Intune can apply to a device. These URIs often relate to settings at the registry level or specific device features.

    Why Use OMA-URI in Intune?

    • Flexibility: You can configure settings that aren’t available in the default Intune policy templates.
    • Granularity: OMA-URI settings can be very specific, applying to individual components or settings of a device.
    • Cross-platform Compatibility: OMA-URI can be used for iOS, Android, and Windows devices, making it a universal solution for advanced configuration needs.

    Creating a Custom Configuration Profile with OMA-URI

    1. Log in to the Microsoft Intune Admin Center at https://endpoint.microsoft.com.
    2. Navigate to Devices > Configuration Profiles.
    3. Click + Create Profile.
    4. Choose the Platform (Windows 10 and later, Android, or iOS).
    5. Under Profile Type, select Custom.
    6. Enter a Profile Name (e.g., “Configure Lockout Time”).
    7. Click Create.

    Step-by-Step Example: Configuring Screen Lockout Time Using OMA-URI

    In this example, we will configure the screen lock timeout on Windows devices, which locks the screen after a certain period of inactivity.

    Step 1: Define the OMA-URI Setting

    1. OMA-URI for Screen Lock Timeout: The OMA-URI for setting the screen lock timeout is as follows:
      ./Device/Vendor/MSFT/Policy/Config/LockScreen/IdleTimeBeforeLock
      

      This OMA-URI refers to the system setting that controls how long the device remains idle before it locks.

    2. Value: The value you specify for this setting is the amount of time, in seconds, before the device locks after inactivity.
      • Example: Setting it to 300 will make the device lock after 5 minutes of inactivity (300 seconds).

    Step 2: Add the OMA-URI Setting

    1. In the Configuration Settings section, click + Add.
    2. Select OMA-URI.
    3. Provide the following details:
      • Name: Screen Lock Timeout (or another descriptive name).
      • Description: (Optional) A description of the setting (e.g., “Configures screen lock timeout after inactivity”).
      • OMA-URI: Use the URI from above:
        ./Device/Vendor/MSFT/Policy/Config/LockScreen/IdleTimeBeforeLock
        
      • Data type: Integer.
      • Value: Enter the lock timeout value in seconds (e.g., 300 for 5 minutes).
    4. Click Save to add the setting.

    Step 3: Assign the Profile to Devices

    1. After configuring the settings, click Next to proceed to Assignments.
    2. Assign the profile to the appropriate device groups or user groups.
    3. Click Next and then Create to finalize the deployment.

    Step 4: Monitor the Deployment

    1. Go to Devices > Monitor > Device Configuration to view the deployment status.
    2. Ensure that the policy is applied successfully to the target devices.
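    The same profile and assignment from Steps 1 to 3 can be created from the Microsoft Graph API rather than the portal. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, the admin holds the DeviceManagementConfiguration.ReadWrite.All scope, and the group ID is a placeholder to replace.

```powershell
# Added example, not code from the original post: create and assign the custom
# profile from Steps 1-3 through Microsoft Graph instead of the portal.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in admin
# holds DeviceManagementConfiguration.ReadWrite.All; the group ID is a placeholder.
function New-OmaUriIntegerSetting {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$OmaUri,
        [Parameter(Mandatory)][int]$Value,
        [string]$Description = ""
    )
    # Custom settings on Windows address a CSP under ./Device or ./User
    if ($OmaUri -notmatch '^\./(Device|User)/Vendor/MSFT/') {
        throw "Unexpected OMA-URI format: $OmaUri"
    }
    if ($Value -lt 0) { throw "Timeout must be a non-negative number of seconds" }
    return @{
        "@odata.type" = "#microsoft.graph.omaSettingInteger"   # matches Data type: Integer
        displayName   = $Name
        description   = $Description
        omaUri        = $OmaUri
        value         = $Value
    }
}

$lockSetting = New-OmaUriIntegerSetting -Name "Screen Lock Timeout" `
    -Description "Configures screen lock timeout after inactivity" `
    -OmaUri "./Device/Vendor/MSFT/Policy/Config/LockScreen/IdleTimeBeforeLock" `
    -Value 300   # seconds, as in the article

$customProfile = @{
    "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
    displayName   = "Configure Lockout Time"
    omaSettings   = @($lockSetting)
}

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations" `
    -Body ($customProfile | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Assign to one device group (placeholder object ID; replace with your Entra group)
$target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
             groupId       = "00000000-0000-0000-0000-000000000000" }
$assignment = @{ assignments = @(@{ target = $target }) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType "application/json"
```

    Keeping the profile definition in source control this way also gives you a reviewable record of which OMA-URI and value were pushed to which group.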

    Example Script for Advanced Configurations Using PowerShell

    In some cases, you may need to create a PowerShell script that makes use of OMA-URI to configure a more advanced setting on Windows devices. For example, you might want to configure the screen lock timeout by modifying the registry directly using a PowerShell script.

    Here’s an example script that configures the screen lock timeout on a Windows device using a registry key:

    # PowerShell script to set the screen lock timeout in Windows
    # Note: these values live in the user's hive (HKCU), so when deployed through
    # Intune the script must run in the signed-in user's context, not as SYSTEM.
    
    $lockTimeout = 300  # Lock screen timeout in seconds (300 = 5 minutes)
    
    # Registry key for screen-saver/lock settings; these values are REG_SZ strings
    $regKey = "HKCU:\Control Panel\Desktop"
    $regValue = "ScreenSaveTimeOut"
    
    # Set the screen lock timeout in the registry (stored as a string, not a DWORD)
    Set-ItemProperty -Path $regKey -Name $regValue -Value "$lockTimeout" -Type String
    
    # Enforce the lock screen timeout policy
    $lockScreenKey = "HKCU:\Control Panel\Desktop"
    # The timeout only takes effect when the screen saver is active
    Set-ItemProperty -Path $lockScreenKey -Name "ScreenSaveActive" -Value "1" -Type String
    # Require sign-in on resume, i.e. a secure screen lock after inactivity
    Set-ItemProperty -Path $lockScreenKey -Name "ScreenSaverIsSecure" -Value "1" -Type String
    

    This script sets the screen timeout to 300 seconds (5 minutes) and enables the secure screen lock. Because the values live under HKCU, the script must run in the signed-in user's context rather than as SYSTEM (the default for Intune scripts), otherwise it writes to the wrong hive. It can be uploaded to Intune as a custom PowerShell script for deployment across all managed devices.

    Uploading the PowerShell Script to Intune:

    1. Navigate to Devices > Scripts > + Add.
    2. Choose Windows 10 and later and upload your PowerShell script.
    3. Configure the script to run in 64-bit mode.
    4. Assign the script to the appropriate device groups.
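    After deployment, a practitioner will want to confirm on a device that both the custom profile and the registry script took effect. The following is an added example, not code from the original post; it assumes IdleTimeBeforeLock is a Policy CSP setting, which the MDM client mirrors under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>.

```powershell
# Added example, not code from the original post: verify on a managed Windows
# device that the lock timeout landed, both where the MDM client records applied
# Policy CSP settings and where the registry script above writes.
# Assumes IdleTimeBeforeLock is a Policy CSP setting, so the client mirrors it under
# HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>.

function Get-PolicyCspValue {
    param([Parameter(Mandatory)][string]$OmaUri)
    # ./Device/Vendor/MSFT/Policy/Config/<Area>/<Setting> -> PolicyManager mirror
    if ($OmaUri -notmatch '^\./Device/Vendor/MSFT/Policy/Config/([^/]+)/([^/]+)$') {
        throw "Not a device-scoped Policy CSP URI: $OmaUri"
    }
    $area, $setting = $Matches[1], $Matches[2]
    $path = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$area"
    if (-not (Test-Path $path)) { return $null }   # profile never applied here
    return (Get-ItemProperty -Path $path -Name $setting -ErrorAction SilentlyContinue).$setting
}

function Test-LockTimeout {
    param([int]$ExpectedSeconds = 300)
    $uri = "./Device/Vendor/MSFT/Policy/Config/LockScreen/IdleTimeBeforeLock"
    $results = [ordered]@{}

    # 1. Value recorded by the MDM client for the custom profile
    $csp = Get-PolicyCspValue -OmaUri $uri
    $results["PolicyCSP"] = ($null -ne $csp -and [int]$csp -eq $ExpectedSeconds)

    # 2. Values written by the registry script (REG_SZ strings in the user hive)
    $desktop = Get-ItemProperty -Path "HKCU:\Control Panel\Desktop" -ErrorAction SilentlyContinue
    $results["ScreenSaveTimeOut"]   = ($desktop.ScreenSaveTimeOut -eq "$ExpectedSeconds")
    $results["ScreenSaveActive"]    = ($desktop.ScreenSaveActive -eq "1")
    $results["ScreenSaverIsSecure"] = ($desktop.ScreenSaverIsSecure -eq "1")
    return $results
}

# Any $false entry marks a device to follow up in Devices > Monitor > Device Configuration
Test-LockTimeout -ExpectedSeconds 300
```

    Run it in the signed-in user's context so the HKCU checks read the right hive; the PolicyManager check works from any context with read access to HKLM.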

    Conclusion

    Custom Configuration Profiles with OMA-URI in Microsoft Intune provide a powerful way to configure specific settings on managed devices that may not be available through default templates. Whether you’re managing Windows, iOS, or Android devices, OMA-URI allows you to enforce settings at a granular level.

    By using OMA-URI with registry settings or PowerShell scripts, you can further customize device configurations such as screen lock time, ensuring your organization’s security policies are aligned with best practices.
