How to bypass Settings catalog limitation


Intro

Configuring Intune MDM policies is sometimes tricky, especially when you are migrating baseline Group Policies. First of all, do not migrate everything AS IS 😣. Take a look at the Microsoft Security Baseline, tweak it to your needs, apply it to a pilot group, and then build up.

But what about the Settings catalog limitation?

List of items

I want to configure Allow cookies on specific sites, and with the help of the Settings catalog it seems fairly easy! 😎


There you can enter the desired sites or import a whole bunch of them. In my case I’m going to import over 100 dummy sites.


Click Next, assign, create!

Wait what!? 🤨


As you may guess, I now know what the issue is, but it was not so obvious from the start… There is a limit of 100 items on that list…

Alright, let’s create one policy with 100 and then another policy with the rest!

Nope… As soon as the policies are digested by the device, it reports a Conflict status!

What now? 🤔

Custom policy

It must be possible to implement such a long, and probably even longer, list! I started searching for the OMA-URI for that setting and found it: ./Vendor/MSFT/Policy/Config/microsoft_edge~Policy~microsoft_edge~ContentSettings/CookiesAllowedForUrls

Now to create the custom policy:


Enter the desired name for the policy and continue.


Now, what should I do with Value?

I created a policy with a few URLs using the Settings catalog and applied it to the device. Then I took a look at the events from DeviceManagement-Enterprise-Diagnostics-Provider and found out that the value should look like this:

<enabled/><data id="CookiesAllowedForUrlsDesc" value="1 [*.]cemLT.pl 2 [*.]asdrW.pl"/>

Not bad.

But!

The separator between the number, the URL and the next item is not a SPACE ❗❗ It is a special character encoded as &#xF000;, and everything should be glued together with it:

<enabled/><data id="CookiesAllowedForUrlsDesc" value="1&#xF000;[*.]cemLT.pl&#xF000;2&#xF000;[*.]asdrW.pl"/>

Knowing that, I can finally create my policy with 100 and more items!
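To build that Value string from a real list of sites instead of typing it by hand, here is an added example (not part of the original post). ConvertTo-CookiesAllowedValue is a hypothetical helper name, the sample sites are constructed, and the whitespace check is an assumption about what a valid pattern looks like.

```powershell
# Added example: build the Value string for the CookiesAllowedForUrls custom OMA-URI policy.
# ConvertTo-CookiesAllowedValue is a hypothetical helper name, not part of Intune or Edge.
function ConvertTo-CookiesAllowedValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]          # tolerate blank lines coming from an imported file
        [string[]]$UrlPattern
    )

    # Literal entity text that separates index and pattern, exactly as shown in the post.
    $separator = '&#xF000;'

    # Trim, drop blanks, and de-duplicate case-insensitively while keeping the input order.
    $seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $clean = foreach ($p in $UrlPattern) {
        $t = "$p".Trim()
        if ($t -and $seen.Add($t)) { $t }
    }
    if (-not $clean) { throw 'No URL patterns left after cleaning the input.' }

    $index = 0
    $pairs = foreach ($p in $clean) {
        # Assumption: a valid pattern never contains whitespace or the separator character itself.
        if ($p -match '\s' -or $p.Contains([string][char]0xF000)) {
            throw "Pattern '$p' contains whitespace or the U+F000 separator."
        }
        $index++
        # Escape &, <, >, " and ' so the pattern is safe inside the XML attribute.
        $escaped = [System.Security.SecurityElement]::Escape($p)
        "$index$separator$escaped"
    }

    # Join with the same separator so there is no trailing &#xF000; at the end of the value.
    '<enabled/><data id="CookiesAllowedForUrlsDesc" value="{0}"/>' -f ($pairs -join $separator)
}

# Constructed sample input; replace with the sites you actually want to allow.
$sites = '[*.]contoso.example', '', '[*.]fabrikam.example', '[*.]CONTOSO.example'
ConvertTo-CookiesAllowedValue -UrlPattern $sites
```

The output is a single line that goes into the Value field of the custom policy created above.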

Dummy items

For my dev environment I’ve created this teeny-tiny script to generate some dummy URLs for this policy:

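# Generate 103 dummy entries in the form <index>&#xF000;<url pattern>
$Items = for ($i = 1; $i -lt 104; $i++) {
    # Five random letters (A-Z, a-z) make up each dummy .pl domain
    "$i&#xF000;[*.]$(-join ((65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object { [char]$_ })).pl"
}
# Join the entries with the same separator so the value has no trailing &#xF000;
$Items -join '&#xF000;'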

Summary

I hope this tip has helped you! You won’t find any information in MS Docs about this limitation…

See you in the next one! 😉
