Confirming that MDM Policies have been applied

It is really difficult to feel confident about the move from GPO to MDM Policy, when you don’t know how to confirm that a policy has been successfully applied. I can’t tell you how many times over the past two years, people have raised concerns that they can’t see our MDM policies in the Group Policy editor 🙂

This post is all about sharing what I’ve learned over the past two years about how to confirm that an MDM policy has been successfully applied using tools that are built into the Windows 10 client.

For the most part (there are some exceptions like Firewall and Applocker), there are three tools built into the Windows 10 client that you can use to confirm that an MDM policy has been applied:

  1. Event Viewer
  2. Registry Editor
  3. MDM Report

Using the Event Viewer

When you push a policy from the MDM of your choice, the client writes events for it to the following event log (under Applications and Services Logs in Event Viewer):

Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin

Using the Registry Editor

Before getting into how to use the Registry Editor to monitor the application of MDM policies, I first want to share a diagram that shows, at a very high level, how policies are processed.

MDM policies are processed by the OMA-DM client, and the destination registry settings that an MDM policy ultimately changes are (with some exceptions) identical to the destination registry settings that the corresponding Group Policy would change.

The Intermediate Registry Setting for a policy can be found in the following location:

HKLM:\Software\Microsoft\PolicyManager\Current (tells you which policies have been applied, but not always the value for the policy that was applied)

and

HKLM:\Software\Microsoft\PolicyManager\Provider\<provider ID for your device-MDM relationship> (tells you which policies have been applied, and the value of the policy)

The Destination Registry Setting for ADMX policies can be found by looking under the following location:

HKLM:\Software\Microsoft\PolicyManager\Default

Under that key, the RegKeyPathRedirect and RegValueNameRedirect values tell you the destination registry key path and the destination value name for the policy.

I have had the most luck identifying the Destination Registry Setting for non-ADMX policies by searching the internet, but in another post, I will share a list of non-ADMX destination registry setting locations that I have already identified.

The most important thing to remember is that your destination registry settings can be modified directly by users who are Administrators, or by GPO. If you don’t reapply MDM policies, the actual value of the policy on your clients can drift. In our situation, we have chosen to leverage an API feature of our MDM which allows us to identify drift in the destination registry settings and reapply the MDM policy to remediate.
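To tie the event log and registry checks together, here is an added PowerShell example (my own, not from the original post) that gathers all three pieces of evidence for one policy: recent events from the DeviceManagement log, the intermediate value under PolicyManager\Current, and the destination value reached through RegKeyPathRedirect and RegValueNameRedirect. It assumes the Default key is laid out as Default\<Area>\<Policy>, that RegKeyPathRedirect is a path relative to HKLM, and that you run it elevated; the Update/AllowAutoUpdate policy used in the call at the bottom is only an example value.

```powershell
# Added example (not part of the original post). Assumptions: policies live under
# PolicyManager\Default\<Area>\<Policy>, RegKeyPathRedirect is relative to HKLM,
# and the session is elevated so HKLM policy keys are readable.
function Test-MdmPolicy {
    param(
        [Parameter(Mandatory)][string]$Area,    # CSP area, e.g. 'Update' (example value)
        [Parameter(Mandatory)][string]$Policy   # policy name, e.g. 'AllowAutoUpdate' (example value)
    )
    $pm = 'HKLM:\Software\Microsoft\PolicyManager'

    # Intermediate setting: every key under Current that carries a value named $Policy
    $applied = Get-ChildItem "$pm\Current" -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValueNames() -contains $Policy } |
        ForEach-Object { [pscustomobject]@{ Key = $_.Name; Value = $_.GetValue($Policy) } }

    # Destination setting (ADMX-backed policies): follow the redirect values under Default
    $destPath  = $null
    $destValue = $null
    $def = Get-ItemProperty "$pm\Default\$Area\$Policy" -ErrorAction SilentlyContinue
    if ($def -and $def.RegKeyPathRedirect -and $def.RegValueNameRedirect) {
        $destKey   = 'HKLM:\' + $def.RegKeyPathRedirect
        $destName  = $def.RegValueNameRedirect
        $destPath  = "$destKey\$destName"
        $destValue = (Get-ItemProperty $destKey -Name $destName -ErrorAction SilentlyContinue).$destName
    }

    # Event log evidence from the channel named in the post (last 24 hours, mentioning the policy)
    $events = Get-WinEvent -FilterHashtable @{
                  LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
                  StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match [regex]::Escape($Policy) } |
              Select-Object -First 5 TimeCreated, Id, LevelDisplayName

    [pscustomobject]@{
        Policy           = "$Area/$Policy"
        AppliedByMdm     = [bool]$applied
        IntermediateKeys = $applied
        DestinationKey   = $destPath
        DestinationValue = $destValue
        # Drift indicator: MDM recorded the policy as applied, but the destination value is
        # gone (for example removed by a local admin or overwritten by GPO). The mapping from
        # the MDM value to the destination value is not always 1:1, so a differing value is
        # reported side by side here rather than judged.
        DestinationMissing = ([bool]$applied -and $null -eq $destValue)
        RecentEvents     = $events
    }
}

Test-MdmPolicy -Area Update -Policy AllowAutoUpdate | Format-List
```

Run it on a schedule and alert on DestinationMissing, or compare DestinationValue against what the MDM reports, to catch the drift described above without waiting for the next policy refresh.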

Using the Advanced Diagnostic Report

The MDM Report can also be used to verify that MDM settings have been applied. To use the MDM report on a device, perform the following steps:

  1. Search for Access work or school
  2. Click on the resource that ends with “MDM” then click Info
  3. Scroll down to the bottom of the page
  4. Click Create Report
  5. Click Export
  6. The report can be retrieved from C:\Users\Public\Documents\MDM Diagnostics

I hope that you found this post useful. Feel free to comment or message me if you have any additional questions or if you have additional information that you would like to share on this topic.
