Solution: The Group Policy setting “Block unsigned theme installation” for System Center Mobile Device Manager 2008 is not correctly applied to Windows Mobile 6.1 mobile devices


Just a quick FYI on an issue we came across recently.  This should be a Knowledge Base article soon but I figured I’d post it here first to give all you faithful readers first notice.  If you’re trying to use the Group Policy setting “Block unsigned theme installation” for System Center Mobile Device Manager 2008 and it’s not working correctly then this one’s for you:

Issue: When you Enable the Group Policy setting Block unsigned theme installation by using Microsoft System Center Mobile Device Manager (MDM) 2008 Group Policy management functionality, some Windows Mobile 6.1 mobile devices may not allow the installation of default built-in themes.

When you Disable the Group Policy setting Block unsigned theme installation by using Microsoft System Center Mobile Device Manager (MDM) 2008 Group Policy management functionality, some Windows Mobile 6.1 mobile devices may continue to block the installation of unsigned themes.

Cause: This Group Policy setting affects Windows Mobile Security Policy 4103 (SECPOLICY_UNSIGNEDTHEMES) when it is applied to the device. The default value for this policy is SECROLE_USER_UNAUTH; however, when the Group Policy setting is set to Disable, the value SECROLE_USER_AUTH is applied instead.

When this policy is set to Enable, the value SECROLE_NONE is applied. Theme files, like other cab files, do not receive the special permissions that executable files do, even when they are placed in ROM, so this policy continues to affect the default theme files and blocks their installation.

Note: SECROLE_USER_UNAUTH corresponds to the decimal value 64, and SECROLE_USER_AUTH corresponds to 16.

Workaround: To work around the behavior when the setting is Enabled, you must sign the default theme files that you want to allow users to install. To work around the behavior when the setting is Disabled, follow the procedure below:

Important: The following workaround applies only to the English version of Microsoft System Center Mobile Device Manager 2008. There are no workarounds for other language versions of the product at this time.

Warning: Serious problems might occur if you modify system files incorrectly. These problems might require that you reinstall server software or components of server software. Microsoft cannot guarantee that these problems can be solved. Modify the system files at your own risk.

Important: The following workaround requires you to modify an important system file. Make sure that you back up the referenced file before you modify it. Make sure that you know how to restore the system file if a problem occurs. Do not proceed with the following procedure if you do not know how to back up and restore a file. Revert to the original file if you encounter any problems with the workaround.

The following steps modify the ADM template file that includes the Block unsigned theme installation Group Policy setting. When you have successfully modified the file, you can use the Block unsigned theme installation Group Policy setting to correctly update managed devices.

1.    On the computer on which you have installed the MDM Administrator Tools, navigate to the %windir%\INF folder.
2.    Type the following at a command prompt to make a backup copy of the mobile.adm file:

copy mobile.adm mobile.adm.bak

3.    In a text editor, such as Notepad, edit the mobile.adm file to change the VALUEOFF setting for Policy_BlockUnsignedThemes.

Replace this:

    POLICY !!Policy_BlockUnsignedThemes
    EXPLAIN !!Explain_BlockUnsignedThemes
    VALUENAME "4103"
    VALUEON NUMERIC 0
    VALUEOFF NUMERIC 16
    END POLICY

with this:

    POLICY !!Policy_BlockUnsignedThemes
    EXPLAIN !!Explain_BlockUnsignedThemes
    VALUENAME "4103"
    VALUEON NUMERIC 0
    VALUEOFF NUMERIC 64
    END POLICY

4.    Save the file and exit the text editor.

To apply the new setting to managed devices, you must update the Block unsigned theme installation Group Policy setting in MDM. To refresh the setting in MDM, in the MDM Console run the following cmdlet:

Update-MobilePolicyCalculation <device>

Where <device> is the managed device on which you want to update the Group Policy setting. New settings are pushed down to managed devices during the next synchronization with MDM.
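As an added example (this script is not part of the original post and is not Microsoft MDM tooling), here is a PowerShell script that performs steps 2 through 4 of the workaround without a hand edit. It backs up mobile.adm, changes the VALUEOFF of the Policy_BlockUnsignedThemes block from 16 (SECROLE_USER_AUTH) to 64 (SECROLE_USER_UNAUTH), touches nothing else in the file, and refuses to write if the block does not look like the one shown above. The $AdmPath parameter is my own; its default is the %windir%\INF\mobile.adm path the post describes, and it assumes an elevated prompt on the computer that has the MDM Administrator Tools installed.

```powershell
# Added example, not from the original post: automates steps 2 to 4 of the workaround.
# Assumes an elevated PowerShell prompt on the MDM Administrator Tools computer and the
# mobile.adm layout shown in the post (POLICY ... VALUEOFF NUMERIC 16 ... END POLICY).
param(
    [string]$AdmPath = (Join-Path $env:windir 'INF\mobile.adm')
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -Path $AdmPath)) {
    throw "ADM template not found: $AdmPath"
}

# Step 2: keep a backup before touching the file; never overwrite an existing backup.
$backupPath = "$AdmPath.bak"
if (-not (Test-Path -Path $backupPath)) {
    Copy-Item -Path $AdmPath -Destination $backupPath
    Write-Output "Backup written to $backupPath"
}

# Read the whole file and remember its encoding (ADM files may be ANSI or Unicode)
# so that writing it back does not silently change the encoding.
$reader = New-Object System.IO.StreamReader($AdmPath, $true)
$content = $reader.ReadToEnd()
$encoding = $reader.CurrentEncoding
$reader.Close()

# Step 3: match only the Policy_BlockUnsignedThemes block. The tempered pattern
# (?:(?!END\s+POLICY).)*? keeps the match inside that single POLICY ... END POLICY block,
# and groups 1 and 3 capture everything around the VALUEOFF number so the rest is untouched.
$pattern = [regex]'(?s)(POLICY\s+!!Policy_BlockUnsignedThemes\b(?:(?!END\s+POLICY).)*?VALUEOFF\s+NUMERIC\s+)(\d+)((?:(?!END\s+POLICY).)*?END\s+POLICY)'
$match = $pattern.Match($content)

if (-not $match.Success) {
    throw 'Policy_BlockUnsignedThemes block with a VALUEOFF NUMERIC line was not found; the file layout differs from the post.'
}

$currentValue = [int]$match.Groups[2].Value
switch ($currentValue) {
    64      { Write-Output 'VALUEOFF is already 64 (SECROLE_USER_UNAUTH); nothing to change.'; return }
    16      { }   # the value the post says the shipped template carries (SECROLE_USER_AUTH)
    default { throw "Unexpected VALUEOFF value $currentValue; leaving the file unchanged." }
}

# Replace only the first (and only) match; '${1}64${3}' is .NET replacement syntax.
$patched = $pattern.Replace($content, '${1}64${3}', 1)

# Step 4 with a sanity check before writing: the block must now read VALUEON 0 / VALUEOFF 64,
# and the file length must be unchanged (a two-digit number replaced a two-digit number).
$blockOk = $patched -match '(?s)POLICY\s+!!Policy_BlockUnsignedThemes.*?VALUEON\s+NUMERIC\s+0.*?VALUEOFF\s+NUMERIC\s+64.*?END\s+POLICY'
if (-not $blockOk -or $patched.Length -ne $content.Length) {
    throw 'Post-edit check failed; mobile.adm was not modified.'
}

[System.IO.File]::WriteAllText($AdmPath, $patched, $encoding)
Write-Output "Updated $AdmPath (VALUEOFF NUMERIC 16 -> 64 for Policy_BlockUnsignedThemes)"
```

After the script reports success, refresh the setting from the MDM Console with Update-MobilePolicyCalculation for each managed device, exactly as described above; if anything looks wrong, copy mobile.adm.bak back over mobile.adm to revert.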

This information applies to:

•    Microsoft System Center Mobile Device Manager 2008
•    Microsoft Windows Mobile 6.1 mobile devices

Hope this helps,

J.C. Hornbeck | Manageability Knowledge Engineer