How to use PowerShell to run any MDM CSP locally

I often run into the need to test a custom setting on a physical device. Although enrolling into Intune and pushing a CSP doesn’t take too long, for testing/troubleshooting a ton of settings we’ll want to see immediate results. And as much as I am a fan of Windows Configuration Designer (WCD) it doesn’t support custom settings!

For a bit of background (and to quote the CSP reference page), “A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device.” CSPs are the “backend” of most device settings in mobile device management platforms (Intune, Workspace One, MobileIron, etc.), but the platform has a user interface around them for our ease of use. In general, CSPs leverage SyncML or WAP to configure devices over-the-air.

We want to do this locally, so we’re left with running a custom script to invoke the WMI Bridge Provider. The WMI Bridge Provider maps the configuration service provider settings (CSPs) to WMI. Since most of the policies are documented we can review which of the functions we want to run and then configure a PowerShell script to run it.

For this example, I’ll be creating a PowerShell script to run the RemoteWipe CSP with the doWipeProtected command. Unfortunately, on the WMI Bridge page for the MDM_RemoteWipe class we find that doWipe is the only available command:

But that can’t be true, since we know there are more available methods through the CSP. Our next step would be to check the WMI component itself – by running wbemtest (as an admin) and enumerating the classes of namesapce root\cimv2\mdm\dmmap. The name space is shown in the MDM_RemoteWipe Bridge WMI Provider page:

Requirements from MDM_RemoteWipe page
Start with running wbemtest as admin
Connect to namespace root\cimv2\mdm\dmmap
Click Enum Classes…
(For the Superclass info popup, leave it blank and click OK)
Scroll down to MDM_RemoteWipe and double click
Find the doWipeProtectedMethod – now we know it exists!

Great! Now we’ve found the method we’re looking for. On the MDM Bridge Provider page for the RemoteWipe method we have an example we can base our script off of:

And all we really need to do is change the $methodname variable to doWipeProtectedMethod (like we saw in the wmi explorer).

Our final script will look like:

$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_RemoteWipe"
$methodName = "doWipeProtectedMethod"

$session = New-CimSession

$params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection
$param = [Microsoft.Management.Infrastructure.CimMethodParameter]::Create("param", "", "String", "In")

$instance = Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'"
$session.InvokeMethod($namespaceName, $instance, $methodName, $params)
catch [Exception]
write-host $_ | out-string

Looks great, so can we run it? Nope!

PowerShell scripts that invoke the WMI Bridge Provider for device settings need to be run as a local system user. To do that we’ll need to use the psexec tool, which we can find here.

Now that we have psexec, we’ll run: psexec -i -s cmd

This image has an empty alt attribute; its file name is wmibridgeprovider_9.png

And then from the new cmd window, we’ll change the directory and run the PowerShell script:

And in just a moment, the device is reset!

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *