Blog

  • Windows Autologin stopped working

    Do you ever find yourself troubleshooting why autologin has stopped working on Windows?

    There is a set of devices that need to log on automatically. These are usually kiosk devices, monitoring boards, TVs and so on.

    Seemingly at random, the devices that needed autologon all stopped working at around the same time. We checked the usual suspects: did someone lock the account again? Did we apply a new security policy that blocked it? Did a Windows update break it?

    Let's take a step back and remind ourselves how autologon works. The key requirements to make it work are:

    1. A working username and password (an AD user or a local user).
    2. A Windows device.
    3. The following registry values set:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "DefaultDomainName"="timstechblurbs.local"
    "AutoAdminLogon"="1"
    "DefaultUserName"="AutomationUser"
    "DefaultPassword"="ALongAndComplacatePAsswordNoOneCanRemeber"
    "AltDefaultUserName"="AutomationUser"
    "AltDefaultDomainName"="timstechblurbs.local"
    "ForceAutoLogon"="1"

    If we have all of these set, the PC should log on automatically. Bear in mind that DefaultPassword is stored in clear text in the Winlogon key, which standard users can read, so the autologon account should hold only the rights the kiosk actually needs.

    Where is the problem?

    The autologons stopped working, and re-adding the keys didn't help: the DefaultPassword value was deleted again and ForceAutoLogon was set back to 0. Something was changing them.

    We spun up ProcMon with boot logging enabled and started digging into the results. It looks like LogonUI.exe deletes the values during shutdown:

    3/23/2023 9:26:35 AM  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon is changed from 1 to 0 by LogonUI.exe
    3/23/2023 9:26:35 AM  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword is deleted by LogonUI.exe.
    3/23/2023 9:26:36 AM  User Logoff Notification for Customer Experience Improvement Program
    3/23/2023 9:26:38 AM  The Event log service was stopped. (This is an indicator that the system is shutting down)
    3/23/2023 9:27:38 AM  The Event log service was started. (This is an indicator that the system has started)

    A further check of the event logs shows an EAS policy is responsible. But why? (These accounts don't have mailboxes.)

    We dig and dig, and find there is no mailbox, nor any reason to connect to Exchange Online. We delete the policy and it comes back after a few hours.

    How does Intune fit into this?

    All the devices are managed by SCCM, Hybrid Azure AD joined and enrolled in Intune. In testing, we deleted a device from Intune and blocked re-enrolment. The autologon keys stayed and the EAS policy was removed.

    After checking the Configuration Policies applied in Intune, we found no culprit. We already exclude these devices from most of the Intune policies.

    However, when checking the Compliance policies, we found we are setting a minimum password length. We had found our problem!

    But wait. We aren't applying the compliance policy to any devices, and the autologon users usually aren't synced to AAD, are they? It turns out our assumption was wrong. The users were synced to AAD and the compliance policy was assigned to All users. There's our problem.

    How can we fix this?

    First things first: exclude the autologon users from the compliance policy and sync the device. It can take hours or days for the policy to be removed from the device status.

    Then we added the autologon keys back to the device and waited, hoping the problem was solved. Unfortunately it returned shortly after.

    It turns out Intune does a very good job of caching settings on the device and keeps them there.

    You need to either:

    1. Delete the device from Intune and let it re-enrol.
    2. Set up a new compliance policy that removes the settings.
    3. Intervene manually: find and delete the cached keys, and script the fix.

    I chose the third option. There are too many computers to remove them from Intune, and we don't want a compliance policy set up that could be applied in the wrong place. I wrote the following script to delete the cached keys, add the autologon values back and sync with Intune.

    ###
    # Reset the device autologon after the device is joined to AAD and Intune.
    # Ensure the compliance policy is no longer targeted at the device, otherwise
    # the problem will come back in a few days.
    ###

    param ([String] $LoginUser = "AutomationUser"
        , [String] $LoginDomain = "timstechblurbs.local"
        , [String] $LoginPassword = "ALongAndComplacatePAsswordNoOneCanRemeber")

    $Winlogon = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

    # 1. Remove the DeviceLock nodes the MDM client has cached for this device.
    #    -WhatIf only previews the deletion; remove it once the listed keys look right.
    $NodeCacheKeys = Get-ChildItem -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\' -Recurse -ErrorAction SilentlyContinue |
        Get-ItemProperty |
        Where-Object { $_.'NodeUri' -like "*/DeviceLock/*" }

    foreach ($key in $NodeCacheKeys)
    {
        Write-Host $key.PSPath
        Remove-Item -Path $key.PSPath -Recurse -WhatIf
    }

    # 2. Remove the DeviceLock policy values PolicyManager has applied.
    $PolicyKeys = Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\' -ErrorAction SilentlyContinue
    if ($PolicyKeys)
    {
        Write-Host $PolicyKeys.PSPath
        Remove-Item -Path $PolicyKeys.PSPath -Recurse
    }

    # 3. Remove the EAS policies that LogonUI enforces at shutdown.
    #    PSParentPath removes the whole EAS key, not just Policies.
    $EASKeys = Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EAS\Policies' -ErrorAction SilentlyContinue
    if ($EASKeys)
    {
        Write-Host $EASKeys.PSPath
        Remove-Item -Path $EASKeys.PSParentPath -Recurse
    }

    # 4. Kick off an Intune sync so the device reports its new state.
    Get-ScheduledTask -TaskName "Schedule to run OMADMClient by server" -ErrorAction Continue | Start-ScheduledTask

    # 5. Put the autologon values back.
    Set-ItemProperty -Path $Winlogon -Name DefaultDomainName    -Value $LoginDomain
    Set-ItemProperty -Path $Winlogon -Name AltDefaultDomainName -Value $LoginDomain
    Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon       -Value "1"
    Set-ItemProperty -Path $Winlogon -Name ForceAutoLogon       -Value "1"
    Set-ItemProperty -Path $Winlogon -Name DefaultUserName      -Value $LoginUser
    Set-ItemProperty -Path $Winlogon -Name DefaultPassword      -Value $LoginPassword
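
    As an added diagnostic that is not part of the original script, the function below reports the Winlogon autologon values alongside anything still cached under the NodeCache, PolicyManager and EAS paths the script clears, so you can tell whether the compliance policy is still reaching the device before putting the keys back. It reads only the registry paths named above and assumes nothing else.

    ```powershell
    function Get-AutoLogonState {
        $wl = Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue

        # The Winlogon values the post shows being reset. DefaultPassword is only reported as present or absent.
        $autologon = [ordered]@{
            AutoAdminLogon         = $wl.AutoAdminLogon
            ForceAutoLogon         = $wl.ForceAutoLogon
            DefaultUserName        = $wl.DefaultUserName
            DefaultDomainName      = $wl.DefaultDomainName
            DefaultPasswordPresent = [bool]($wl.PSObject.Properties.Name -contains 'DefaultPassword')
        }

        # DeviceLock nodes the MDM client has cached for this device (the NodeCache path the reset script clears).
        $nodeCache = @(Get-ChildItem -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes' -Recurse -ErrorAction SilentlyContinue |
            Get-ItemProperty -ErrorAction SilentlyContinue |
            Where-Object { $_.NodeUri -like '*/DeviceLock/*' } |
            Select-Object -ExpandProperty NodeUri)

        # DeviceLock policy values PolicyManager has applied, minus PowerShell's own PS* properties.
        $policy = Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock' -ErrorAction SilentlyContinue
        $policyValues = @($policy.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { "$($_.Name)=$($_.Value)" })

        # EAS policies; anything cached here is what LogonUI enforces at shutdown.
        $eas = Get-Item -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EAS\Policies' -ErrorAction SilentlyContinue
        $easCount = if ($eas) { $eas.SubKeyCount + $eas.ValueCount } else { 0 }

        [pscustomobject]@{
            AutoLogon        = $autologon
            DeviceLockNodes  = $nodeCache
            DeviceLockPolicy = $policyValues
            EasPolicyEntries = $easCount
            # Autologon only survives the next shutdown when nothing above still enforces a password policy.
            Healthy = ($autologon.AutoAdminLogon -eq '1' -and $autologon.DefaultPasswordPresent -and
                       $nodeCache.Count -eq 0 -and $policyValues.Count -eq 0 -and $easCount -eq 0)
        }
    }

    # Run elevated; the NodeCache and EAS keys are not readable by standard users.
    Get-AutoLogonState | Format-List
    ```

    A Healthy value of False with a non-empty DeviceLockNodes list means the policy is still being delivered, and re-adding the Winlogon values alone will not stick.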
    
    
    
  • Protected: How do I get that licence key in?


  • How to back up end user data at no additional cost in Windows 10

    How can we get a free backup for Windows 10? Well, maybe not exactly free, but without paying anything beyond the Office 365 and Endpoint Manager licences. There are obviously many other benefits to this, including mobility, but I will focus on the backup side of it initially.

    We can leverage OneDrive Known Folder Move. Known Folder Move automatically moves the user's Desktop and Documents folders into their OneDrive folder so they are synced. You can set this to be silent to the user, or you can prompt them once it's done.

    First things first. We need your Tenant ID from Azure AD. Navigate to https://aad.portal.azure.com/ and on the Overview page you should see the Tenant ID. Select the copy icon and make a note of it for later.

    Tenant ID for the Azure AD tenant

    You can set up Known Folder Move with Endpoint Manager Administrative Templates, as detailed here. It is much easier than using the CSP. Let's get started.

    Where to Start

    The key settings you will need to get you started are listed below:

    | Setting | Value |
    | --- | --- |
    | Silently sign in users to the OneDrive sync app with their Windows credentials | Enabled |
    | Prompt users to move Windows known folders to OneDrive | Enabled |
    | Silently move Windows known folders to OneDrive | Enabled |
    | Enable automatic upload bandwidth management for OneDrive | Enabled |
    | Use OneDrive Files On-Demand | Enabled |

    Settings to apply in Endpoint Manager for Known Folder Move.

    These settings should be enough to get you started with Known Folder Move. Once applied, they will first sign the user in with their current account, second start syncing to your AAD tenant, third move the Documents and Desktop folders into the OneDrive folder, and finally enable Files On-Demand.

    Open Endpoint Manager and navigate to Devices -> Configuration Profiles. Select Create Profile.

    Select Windows 10 and later as the Platform, and Administrative Templates as the Profile type.

    Enter a name and description.

    Once in Administrative Templates, select OneDrive in the list to filter to the settings we want.

    Let's start with the setting “Silently sign in users to the OneDrive sync app with their Windows credentials”. Set this to Enabled.

    You will need the Tenant ID we noted earlier. Find the setting “Silently move Windows known folders to OneDrive”, set it to Enabled and enter your Tenant ID.

    Run through the rest of the settings in the Known Folder Move table above and we should end up with something like this.

    Let's apply it to our test desktop. Add the group to assign it to. Once applied, when the end user signs in all the configuration is completed automatically. The user might receive a notification saying their folders have been moved, depending on the “Silently move Windows known folders to OneDrive” setting.

    Some other key settings to consider

    Block / Allow syncing OneDrive accounts for only specific organizations

    Use this if you don't want your users to sync other companies' or tenants' OneDrive folders to the devices. This can be handy if you don't want information from a partner being saved on your devices. It can also be handy to allow only selected companies to sync.

    Enable automatic upload bandwidth management for OneDrive

    This can be useful for when you enable Known Folder Move and realise that the factory is still using a 2 MB ISDN connection, and you have knocked them off the planet for a few days.

    Just by enabling these few settings, even if you're only using E1 licences, you can leverage 1 TB of cloud storage. It can really help you avoid spending cash on other backup solutions.
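
    As an added check that is not part of the original post, the function below confirms on the test desktop that the five Administrative Template settings above actually landed as OneDrive policy values and that the tenant ID they carry is the one noted earlier, then reads the sync client's own per-user state to see whether the folders have been redirected. The registry value names are the ones the OneDrive ADMX writes; the GUID in the example call is a placeholder.

    ```powershell
    function Test-KnownFolderMovePolicy {
        param ([Parameter(Mandatory)] [string] $ExpectedTenantId)

        # Machine-wide values written by the OneDrive Administrative Template settings used above.
        $p = Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive' -ErrorAction SilentlyContinue

        $checks = [ordered]@{
            'Silently sign in users (SilentAccountConfig)'            = ($p.SilentAccountConfig -eq 1)
            'Prompt users to move known folders (KFMOptInWithWizard)' = ($p.KFMOptInWithWizard -eq $ExpectedTenantId)
            'Silently move known folders (KFMSilentOptIn)'            = ($p.KFMSilentOptIn -eq $ExpectedTenantId)
            'Automatic upload bandwidth management'                   = ($p.EnableAutomaticUploadBandwidthManagement -eq 1)
            'Files On-Demand (FilesOnDemandEnabled)'                  = ($p.FilesOnDemandEnabled -eq 1)
        }

        # Per-user state kept by the sync client; run this part as the signed-in user, not as SYSTEM.
        $account = Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Business1' -ErrorAction SilentlyContinue
        $checks['Signed in to the expected tenant (ConfiguredTenantId)'] = ($account.ConfiguredTenantId -eq $ExpectedTenantId)
        $checks['Known folders redirected (KfmFoldersProtectedNow)']     = ([int]$account.KfmFoldersProtectedNow -ne 0)

        foreach ($name in $checks.Keys) {
            [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
        }
    }

    # Placeholder tenant GUID; substitute the value copied from the Azure AD overview page.
    Test-KnownFolderMovePolicy -ExpectedTenantId '00000000-0000-0000-0000-000000000000' | Format-Table -AutoSize
    ```

    A policy row that passes while the two per-user rows fail usually just means the client has not signed in since the profile synced; if the policy rows fail, the profile has not reached the device yet.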

  • How to enrol your Android devices into Endpoint Manager with an NFC tag

    Do you have loads of devices to provision but not enough time to tap on each screen? If only there were another way.

    Typically the enrolment process is: boot up the device, tap the screen many times until the camera loads, scan the token, then connect to (and type in the password for) Wi-Fi, and then start the enrolment.

    With an NFC tag, you can save the token and the Wi-Fi configuration to the tag, then simply tap the tag to start the enrolment.

    There isn't much information about this enrolment process for Endpoint Manager, but it can be really handy and save a lot of time. Where to start? Let's check the Microsoft blog about this: https://docs.microsoft.com/en-us/archive/blogs/cbernier/nfc-based-android-enterprise-device-enrollment-with-microsoft-intune (The work here represents my experience using NFC to enrol the devices. Full credit goes to Chris Baldwin from MS for his blog on the topic. It's a really good blog post, on UEM4all and the MS site above.)

    So what do we need?

    1. Some NFC tags. You can use most NFC tags, but make sure they have plenty of space. I bought NTAG216 tags, which have 888 writable bytes and can be printed with a Zebra card printer (added bonus: the cards look pretty).
    2. An NFC reader/writer. You can get these for the PC, or use the one in your phone. You can download the app NFC Tools Pro for a few pounds on the Play Store.
    3. Some data to write to the NFC card.

    Let's begin by formulating the data. There is a lot of encoding in these tags, and we are borrowing it from the Android developer documentation.

    The first part is the same for all Endpoint Manager enrolments.

    android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://play.google.com/managed/downloadManagingApp?identifier=setup
    android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM=I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg
    android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME=com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver

    The next part you need is the enrolment token. Go to the enrolment token page and copy the text string as is, to put at the end of the string.

    android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE=com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN=<CHANGE TO ENDPOINT MANAGER TOKEN>

    Let's also add the Wi-Fi configuration to speed things up (don't forget to enrol the device on a different Wi-Fi network from the one you want to install). Include all three lines, otherwise it won't work correctly and you will get an error. The options for the security type are WPA, WEP or None. Once you have created the NFC tag, you might need to play with the quotes. It worked for me when I removed them, in this format.

    android.app.extra.PROVISIONING_WIFI_SSID="GUEST"
    android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE=WPA
    android.app.extra.PROVISIONING_WIFI_PASSWORD=MYPASSWORD

    We have the data, so let's pick up the closest device and load NFC Tools Pro. Open the Write tab, then select Add Record. Navigate to the bottom of the screen and select Data.

    In Content type, type in application, and in the next text box type in com.android.managedprovisioning.

    In the Data field, put the entire text string you have created:

    android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://play.google.com/managed/downloadManagingApp?identifier=setup
    android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM=I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg
    android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME=com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver
    android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE=com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN=<CHANGE TO ENDPOINT MANAGER TOKEN>
    android.app.extra.PROVISIONING_WIFI_SSID="GUEST"
    android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE=WPA
    android.app.extra.PROVISIONING_WIFI_PASSWORD=MYPASSWORD

    Press OK once done.

    Now let's write the tag. Press the Write button, then hold the NFC tag on the back of your device for a few seconds until it says the write has completed.

    Before you continue, you might want to save the profile in NFC Tools Pro. Select More Options and Save a Tag Profile, then give it a good name. You will need to update the NFC tag each time you renew the profile.

    Now we have our NFC enrolment card, let's test it. Find another device and factory reset it. On the first page, tap the NFC tag on the device. You will go straight to the enrolment pages. You will have to accept the T&Cs during the enrolment. Let it do its thing and voilà, device enrolled as Device Owner.

    If you get an error with the Wi-Fi connection, play with the quotes around the SSID and the password. For me it worked without the quotes.

    Hopefully this will save you some time and effort when enrolling the devices, especially if you have lots to install.
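
    As an added helper that is not part of the original post, the script below assembles the provisioning text in the order given above and works out how much of an NTAG216's 888 user bytes it will occupy once it is wrapped as an NDEF MIME record of type application/com.android.managedprovisioning, so you know before writing whether a real enrolment token will fit. The token, SSID and password passed in the example call are placeholders, and the Wi-Fi values are written without quotes as the post found necessary.

    ```powershell
    function New-ProvisioningPayload {
        param ([string] $EnrollmentToken, [string] $Ssid, [string] $SecurityType = 'WPA', [string] $WifiPassword)
        # The fixed part is identical for every Endpoint Manager enrolment (values as given in the post).
        $lines = @(
            'android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://play.google.com/managed/downloadManagingApp?identifier=setup'
            'android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM=I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg'
            'android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME=com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver'
            "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE=com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN=$EnrollmentToken"
        )
        # Wi-Fi is optional; when present all of its lines must be there, or provisioning errors out.
        if ($Ssid) {
            $lines += "android.app.extra.PROVISIONING_WIFI_SSID=$Ssid"
            $lines += "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE=$SecurityType"
            if ($SecurityType -ne 'NONE') { $lines += "android.app.extra.PROVISIONING_WIFI_PASSWORD=$WifiPassword" }
        }
        $lines -join "`n"
    }

    function Get-NdefTagUsage {
        param ([string] $Payload,
               [string] $MimeType = 'application/com.android.managedprovisioning',
               [int]    $TagCapacity = 888)   # NTAG216 user memory
        $payloadLen = [Text.Encoding]::UTF8.GetByteCount($Payload)
        $typeLen    = [Text.Encoding]::ASCII.GetByteCount($MimeType)
        # NDEF record: flags byte, type length, payload length (1 byte for a short record, else 4), type, payload.
        $recordLen  = 1 + 1 + $(if ($payloadLen -lt 256) { 1 } else { 4 }) + $typeLen + $payloadLen
        # Type 2 tag memory: NDEF message TLV (tag 0x03, 1- or 3-byte length, value) plus the 0xFE terminator TLV.
        $tlvLen     = 1 + $(if ($recordLen -lt 255) { 1 } else { 3 }) + $recordLen + 1
        [pscustomobject]@{
            PayloadBytes = $payloadLen
            TagBytesUsed = $tlvLen
            TagCapacity  = $TagCapacity
            Fits         = ($tlvLen -le $TagCapacity)
        }
    }

    # Placeholder values; substitute the real token from the enrolment profile page.
    $payload = New-ProvisioningPayload -EnrollmentToken '<CHANGE TO ENDPOINT MANAGER TOKEN>' -Ssid 'GUEST' -WifiPassword 'MYPASSWORD'
    $payload
    Get-NdefTagUsage -Payload $payload
    ```

    If Fits comes back False with a real token, drop the Wi-Fi lines or pick a larger tag rather than trimming the fixed part.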

  • How can Storage Sense help in the fight against full C: Drives?

    How much time do we spend chasing users' full C: drives? Especially when Patch Tuesday has come along and we need to get patch KBxxxxx installed yesterday.

    Storage Sense to the rescue!

    Storage Sense can be split into two handy features.

    1. Dehydrating OneDrive Files On-Demand files
    2. Cleaning temp, Downloads and old unused files

    Let's start with OneDrive Files On-Demand. Since build 17720, we have been able to save space on the client machine by only downloading the well-used files. That's really handy when you have lots of large files but only need to access them once in a while. We can also control when our files are “dehydrated” and converted to cloud-only files.

    You need to find the right number of days before dehydrating the files, somewhere between 1 and 365. If you have a lot of users without a regular internet connection, I would aim for a value of over 60. If you are pretty well always online, I would aim for more like 15 to 30 days. It also depends on the amount of data saved in OneDrive, and that includes any data stored in synced SharePoint folders as well. I decided on 30 days.

    Then we choose a cadence. I went with 1 (every day) for the testing; I don't normally notice when it runs. But it could equally be every week, so when we went live I set it to every 7 days.

    What about cleaning up the Downloads folder? It always ends up as a dumping ground for me. Let's set it to 30 days. This is one point worth mentioning to the end users. I have some old programs and handy installers saved in OneDrive, so when I break my computer again I can rebuild it without finding all the software again. (I know, I should always take the latest version from the website.)

    Now we know what we want to set. Let's set it up in Endpoint Manager.

    Log in to Intune and go to Devices -> Configuration Profiles -> Create Profile.

    Select Windows 10 and later, and Custom as the profile type.

    Enter a name and description.

    Let's start with “Allow Storage Sense Global”. Select Add on the next page. Enter the name for the setting. In the OMA-URI field enter ./Device/Vendor/MSFT/Policy/Config/Storage/AllowStorageSenseGlobal. The Data Type should be Integer. Set the Value to 1 (meaning Enabled). Press Save.

    Let's repeat until we cover all of the settings in the table.

    | Name | Description | OMA-URI | Value |
    | --- | --- | --- | --- |
    | AllowStorageSenseGlobal | Turn Storage Sense on | ./Device/Vendor/MSFT/Policy/Config/Storage/AllowStorageSenseGlobal | 1 |
    | AllowStorageSenseTemporaryFilesCleanup | Clean up temporary files | ./Device/Vendor/MSFT/Policy/Config/Storage/AllowStorageSenseTemporaryFilesCleanup | 1 |
    | ConfigStorageSenseCloudContentDehydrationThreshold | Number of days since a cloud-backed file has been opened before Storage Sense will dehydrate it | ./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseCloudContentDehydrationThreshold | 30 |
    | ConfigStorageSenseDownloadsCleanupThreshold | Minimum age threshold (in days) of a file in the Downloads folder before Storage Sense will delete it | ./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseDownloadsCleanupThreshold | 0 |
    | ConfigStorageSenseRecycleBinCleanupThreshold | Minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it | ./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseRecycleBinCleanupThreshold | 30 |
    | ConfigStorageSenseGlobalCadence | Cadence | ./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseGlobalCadence | 1 |

    Once done, let's save it and deploy it to our test devices. Sync and reboot the test device.

    How do I know it's working?

    Press Start and search for Storage Sense. You can then see a breakdown of the settings. You can also see how much space you have saved (once it has been running for a few days).

    In our testing it has saved us about 20-30 % of the space on the devices. It has helped us keep the drives clean and ensure we can get updates and software out to the clients.

    You can see which files are set to cloud-only. On the left, the first file is cloud-only. The user simply double-clicks it and it downloads.

    Some very simple and easy settings to get some fresh space.

  • How to move Windows 10 User Rights Assignment to Endpoint Manager / Intune

    Should you change the default user rights assignments in Windows 10? That's the question. If you ask my colleague the AD expert, he will tell you to run away and not even think about changing the defaults. (He will back it up with some pretty funny stories as well, about how someone did it and locked out a company and maybe even a ship.)

    If you ask the Security team, the answer is yes. We should set them.

    Let's take a look. We will start at my favourite site: the Windows 10 2004 security baseline. MS recommends quite a few settings to be applied. When we add another baseline from the Security team, we end up with the table below.

    | Policy Setting Name | Windows 10 |
    | --- | --- |
    | Access Credential Manager as a trusted caller | No One (blank) |
    | Access this computer from the network | Administrators; Remote Desktop Users |
    | Act as part of the operating system | No One (blank) |
    | Allow log on locally | Administrators; Users |
    | Back up files and directories | Administrators |
    | Create a pagefile | Administrators |
    | Create a token object | No One (blank) |
    | Create global objects | Administrators; LOCAL SERVICE; NETWORK SERVICE; SERVICE |
    | Create permanent shared objects | No One (blank) |
    | Debug programs | Administrators |
    | Deny access to this computer from the network | NT AUTHORITY\Local Account |
    | Deny log on through Remote Desktop Services | NT AUTHORITY\Local Account |
    | Enable computer and user accounts to be trusted for delegation | No One (blank) |
    | Force shutdown from a remote system | Administrators |
    | Impersonate a client after authentication | Administrators; SERVICE; Local Service; Network Service |
    | Load and unload device drivers | Administrators |
    | Lock pages in memory | No One (blank) |
    | Manage auditing and security log | Administrators |
    | Modify firmware environment values | Administrators |
    | Perform volume maintenance tasks | Administrators |
    | Profile single process | Administrators |
    | Restore files and directories | Administrators |
    | Take ownership of files or other objects | Administrators |

    First things first. Let's check the CSP and see what we need to do. Note that you can use the friendly name for the account (i.e. Administrators), but we have every language under the sun, so we need a better way to define the accounts. Let's check the well-known SID structures for what we need.

    Let's start with the local Administrators group. When you look up the SID, be sure to look for the BUILTIN groups and not the domain groups. Looking at the table, the SID is S-1-5-32-544.

    Now we check the local account and we get S-1-5-113.

    | Account | SID |
    | --- | --- |
    | Administrators | S-1-5-32-544 |
    | Local Account | S-1-5-113 |
    | Local Service | S-1-5-19 |
    | Network Service | S-1-5-20 |
    | Service | S-1-5-6 |

    So let's set up a policy. Let's open Endpoint Manager.

    Go to Devices -> Configuration Profiles. Select Add new.

    Select “Windows 10 and later” and Custom as the profile type.

    Let's enter a logical name, “Windows 10 User Rights Assignment”, and select Save.

    Let's start with “Load and unload device drivers”. Select Add on the next page. Enter the name for the setting; I am prefixing the name with URA (for User Rights Assignment). In the OMA-URI field enter ./Device/Vendor/MSFT/Policy/Config/UserRights/LoadUnloadDeviceDrivers. The Data Type should be String. Enter the desired SID for the setting, in this case *S-1-5-32-544 (add the * in front to mark it as a SID). Press Save.

    Done. What's next? Let's go to “Access Credential Manager as a trusted caller”. According to the baseline, no one should have access to this. But how do we define it so no one can access it? Well, don't press Save with a blank field. It will fail (I learned the hard way).

    Add a new one and enter the name URA – Access Credential Manager as a trusted caller. Then for the OMA-URI enter ./Device/Vendor/MSFT/Policy/Config/UserRights/AccessCredentialManagerAsTrustedCaller. Select String again. In the data field I have set the value to </>. If you leave it blank you get an error when saving it. It's really annoying if you have added 20 of them and then realise they have all failed.

    Repeat until you have added them all. Select Next, then assign the profile to your test group. Sync your device and reboot.

    You should also do the testing on a test machine, just in case you lock yourself out.

    | Name | OMA-URI | Setting / SIDs |
    | --- | --- | --- |
    | URA – Load and unload device drivers | ./Device/Vendor/MSFT/Policy/Config/UserRights/LoadUnloadDeviceDrivers | *S-1-5-32-544 |
    | URA – Generate security audits | ./Device/Vendor/MSFT/Policy/Config/UserRights/GenerateSecurityAudits | *S-1-5-20;*S-1-5-19; |
    | URA – Access this computer from the network | ./Device/Vendor/MSFT/Policy/Config/UserRights/AccessFromNetwork | *S-1-5-32-555;*S-1-5-32-544 |
    | URA – Enable computer and user accounts to be trusted for delegation | ./Device/Vendor/MSFT/Policy/Config/UserRights/EnableDelegation | </> |
    | URA – Access Credential Manager as a trusted caller | ./Device/Vendor/MSFT/Policy/Config/UserRights/AccessCredentialManagerAsTrustedCaller | </> |
    | URA – Act as part of the operating system | ./Device/Vendor/MSFT/Policy/Config/UserRights/ActAsPartOfTheOperatingSystem | </> |
    | URA – Allow log on locally | ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn | *S-1-5-32-545;*S-1-5-32-544 |
    | URA – Back up files and directories | ./Device/Vendor/MSFT/Policy/Config/UserRights/BackupFilesAndDirectories | *S-1-5-32-544 |
    | URA – Create a pagefile | ./Device/Vendor/MSFT/Policy/Config/UserRights/CreatePageFile | *S-1-5-32-544 |
    | URA – Create a token object | ./Device/Vendor/MSFT/Policy/Config/UserRights/CreateToken | </> |
    | URA – Create global objects | ./Device/Vendor/MSFT/Policy/Config/UserRights/CreateGlobalObjects | *S-1-5-20;*S-1-5-19;*S-1-5-6;*S-1-5-32-544 |
    | URA – Create permanent shared objects | ./Device/Vendor/MSFT/Policy/Config/UserRights/CreatePermanentSharedObjects | </> |
    | URA – Create symbolic links | ./Device/Vendor/MSFT/Policy/Config/UserRights/CreateSymbolicLinks | </> |
    | URA – Debug programs | ./Device/Vendor/MSFT/Policy/Config/UserRights/DebugPrograms | *S-1-5-32-544 |
    | URA – Deny access to this computer from the network | ./Device/Vendor/MSFT/Policy/Config/UserRights/DenyAccessFromNetwork | *S-1-5-32-546 |
    | URA – Deny log on as a service | ./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLocalLogOn | *S-1-5-32-546 |
    | URA – Deny log on through Terminal Services | ./Device/Vendor/MSFT/Policy/Config/UserRights/DenyRemoteDesktopServicesLogOn | *S-1-5-32-546 |
    | URA – Force shutdown from a remote system | ./Device/Vendor/MSFT/Policy/Config/UserRights/RemoteShutdown | *S-1-5-32-544 |
    | URA – Impersonate a client after authentication | ./Device/Vendor/MSFT/Policy/Config/UserRights/ImpersonateClient | *S-1-5-20;*S-1-5-19;*S-1-5-6;*S-1-5-32-544 |
    | URA – Increase scheduling priority | ./Device/Vendor/MSFT/Policy/Config/UserRights/IncreaseSchedulingPriority | *S-1-5-32-544 |
    | URA – Lock pages in memory | ./Device/Vendor/MSFT/Policy/Config/UserRights/LockMemory | </> |
    | URA – Manage auditing and security log | ./Device/Vendor/MSFT/Policy/Config/UserRights/ManageAuditingAndSecurityLog | *S-1-5-32-544 |
    | URA – Modify an object label | ./Device/Vendor/MSFT/Policy/Config/UserRights/ModifyObjectLabel | </> |
    | URA – Modify firmware environment values | ./Device/Vendor/MSFT/Policy/Config/UserRights/ModifyFirmwareEnvironment | *S-1-5-32-544 |
    | URA – Perform volume maintenance tasks | ./Device/Vendor/MSFT/Policy/Config/UserRights/ManageVolume | *S-1-5-32-544 |
    | URA – Profile single process | ./Device/Vendor/MSFT/Policy/Config/UserRights/ProfileSingleProcess | *S-1-5-32-544 |
    | URA – Restore files and directories | ./Device/Vendor/MSFT/Policy/Config/UserRights/RestoreFilesAndDirectories | *S-1-5-32-544 |
    | URA – Take ownership of files or other objects | ./Device/Vendor/MSFT/Policy/Config/UserRights/TakeOwnership | *S-1-5-32-544 |
    | URA – Change the system time | ./Device/Vendor/MSFT/Policy/Config/UserRights/ChangeSystemTime | *S-1-5-32-544;*S-1-5-6 |

    How can you check that the user rights assignments have worked? Let's ask Mark. He usually knows these things.

    Let's download AccessChk from https://docs.microsoft.com/en-gb/sysinternals/downloads/accesschk. It allows you to check various permissions for files, registry keys and so on. We will use it with -a to show the Windows account rights. Let's check SeSystemtimePrivilege, or Change the system time. According to the baseline, only Administrators and Local Service should have this right. Let's run accesschk.exe -a SeSystemtimePrivilege:

    C:\Users\tim>accesschk.exe -a SeSystemtimePrivilege
     
    Accesschk v6.13 - Reports effective permissions for securable objects
    Copyright (C) 2006-2020 Mark Russinovich
    Sysinternals - www.sysinternals.com
     
      SeSystemtimePrivilege (Change the system time):
            BUILTIN\Administrators
            NT AUTHORITY\LOCAL SERVICE
    

    Great, the values are as we expect. What about checking all the permissions? Let's run accesschk.exe -a * to show all of them.

    C:\Users\tim>accesschk.exe -a *
     
    Accesschk v6.13 - Reports effective permissions for securable objects
    Copyright (C) 2006-2020 Mark Russinovich
    Sysinternals - www.sysinternals.com
     
      SeCreateTokenPrivilege (Create a token object):
      SeAssignPrimaryTokenPrivilege (Replace a process level token):
            NT AUTHORITY\NETWORK SERVICE
            NT AUTHORITY\LOCAL SERVICE
      SeLockMemoryPrivilege (Lock pages in memory):
      SeIncreaseQuotaPrivilege (Adjust memory quotas for a process):
            BUILTIN\Administrators
            NT AUTHORITY\NETWORK SERVICE
            NT AUTHORITY\LOCAL SERVICE
      SeMachineAccountPrivilege (Add workstations to domain):
      SeTcbPrivilege (Act as part of the operating system):
      SeSecurityPrivilege (Manage auditing and security log):
            BUILTIN\Administrators
      SeTakeOwnershipPrivilege (Take ownership of files or other objects):
            BUILTIN\Administrators
      SeLoadDriverPrivilege (Load and unload device drivers):
            BUILTIN\Administrators
      SeSystemProfilePrivilege (Profile system performance):
            NT SERVICE\WdiServiceHost
            BUILTIN\Administrators
      SeSystemtimePrivilege (Change the system time):
            BUILTIN\Administrators
            NT AUTHORITY\LOCAL SERVICE
      SeProfileSingleProcessPrivilege (Profile single process):
            BUILTIN\Administrators
      SeIncreaseBasePriorityPrivilege (Increase scheduling priority):
            BUILTIN\Administrators
      SeCreatePagefilePrivilege (Create a pagefile):
            BUILTIN\Administrators
      SeCreatePermanentPrivilege (Create permanent shared objects):
      SeBackupPrivilege (Back up files and directories):
            BUILTIN\Administrators
      SeRestorePrivilege (Restore files and directories):
            BUILTIN\Backup Operators
            BUILTIN\Administrators
      SeShutdownPrivilege (Shut down the system):
            BUILTIN\Backup Operators
            BUILTIN\Users
            BUILTIN\Administrators
      SeDebugPrivilege (Debug programs):
            BUILTIN\Administrators
      SeAuditPrivilege (Generate security audits):
            NT AUTHORITY\NETWORK SERVICE
            NT AUTHORITY\LOCAL SERVICE
      SeSystemEnvironmentPrivilege (Modify firmware environment values):
            BUILTIN\Administrators
      SeChangeNotifyPrivilege (Bypass traverse checking):
            BUILTIN\Backup Operators
            BUILTIN\Users
            BUILTIN\Administrators
            NT AUTHORITY\NETWORK SERVICE
            NT AUTHORITY\LOCAL SERVICE
            Everyone
      SeRemoteShutdownPrivilege (Force shutdown from a remote system):
            BUILTIN\Administrators
      SeUndockPrivilege (Remove computer from docking station):
            BUILTIN\Users
            BUILTIN\Administrators
      SeSyncAgentPrivilege (Synchronize directory service data):
      SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation):
      SeManageVolumePrivilege (Perform volume maintenance tasks):
            BUILTIN\Administrators
      SeImpersonatePrivilege (Impersonate a client after authentication):
            NT AUTHORITY\SERVICE
            BUILTIN\Administrators
            NT AUTHORITY\NETWORK SERVICE
            NT AUTHORITY\LOCAL SERVICE
      SeCreateGlobalPrivilege (Create global objects):
            NT AUTHORITY\SERVICE
            BUILTIN\Administrators
            NT AUTHORITY\NETWORK SERVICE
            NT AUTHORITY\LOCAL SERVICE
      SeTrustedCredManAccessPrivilege (Access Credential Manager as a trusted caller):
      SeRelabelPrivilege (Modify an object label):
      SeIncreaseWorkingSetPrivilege (Increase a process working set):
            BUILTIN\Users
      SeTimeZonePrivilege (Change the time zone):
            BUILTIN\Users
            BUILTIN\Administrators
            NT AUTHORITY\LOCAL SERVICE
      SeCreateSymbolicLinkPrivilege (Create symbolic links):
      SeDelegateSessionUserImpersonatePrivilege (Obtain an impersonation token for another user in the same session):
            BUILTIN\Administrators
      SeBatchLogonRight:
            BUILTIN\Performance Log Users
            BUILTIN\Backup Operators
            BUILTIN\Administrators
      SeInteractiveLogonRight:
            BUILTIN\Backup Operators
            BUILTIN\Users
            BUILTIN\Administrators
            EAUKUKDH0VUMDEN\Guest
      SeNetworkLogonRight:
            BUILTIN\Backup Operators
            BUILTIN\Users
            BUILTIN\Administrators
            Everyone
      SeServiceLogonRight:
            NT SERVICE\ALL SERVICES
      SeDenyBatchLogonRight:
            NT AUTHORITY\Local account and member of Administrators group
            NT AUTHORITY\Local account
      SeDenyInteractiveLogonRight:
            BUILTIN\Guests
      SeDenyNetworkLogonRight:
      SeDenyServiceLogonRight:
            NT AUTHORITY\Local account and member of Administrators group
            NT AUTHORITY\Local account
      SeRemoteInteractiveLogonRight:
            BUILTIN\Remote Desktop Users
            BUILTIN\Administrators
      SeDenyRemoteInteractiveLogonRight:
            BUILTIN\Guests

    Now all the rights look good. So let's plan to roll it out and hope we don't become a funny story for my colleagues.

  • How to move Windows 10 Security Audit Policies to Endpoint Manager / Intune

    Where do you start with moving policies to Intune? I don't think there is a right or wrong answer. I decided to start with Audit Policies, for 2 reasons: I need to standardise the security event auditing on our devices, and we need to update one region to help with SCCM UDA (User Device Affinity).

    How to do it?

    Let's look at what we have today. We have differences between the computers across the regions in what we audit. An example below.

    Policy                           | Europe              | Americas            | Asia                | Pacific
    Audit Logon                      | Success and Failure | Success and Failure | Success and Failure | Success and Failure
    Audit File Share                 | Failure             | Success and Failure | Success             | Success
    Audit Sensitive Privilege Use    | Success and Failure | Success and Failure | Success and Failure | Success and Failure
    Audit Other Policy Change Events | Success and Failure | Success and Failure | Failure             | Success and Failure

    We know SCCM likes us to audit Logon events to make sure you have good User Device Affinity. You also need to have a good history of the events, otherwise it can impact your UDA.

    Checking the Microsoft Windows 10 1909 baseline, it likes to include these (but they do cause some noise in the event logs, which impacts the SCCM UDA. Rock and a hard place, anyone?)

    Policy                                 | Setting
    Audit Credential Validation            | Success and Failure
    Audit Security Group Management        | Success
    Audit User Account Management          | Success and Failure
    Audit PNP Activity                     | Success
    Audit Process Creation                 | Success
    Audit Account Lockout                  | Failure
    Audit Group Membership                 | Success
    Audit Logon                            | Success and Failure
    Audit Other Logon/Logoff Events        | Success and Failure
    Audit Special Logon                    | Success
    Audit Detailed File Share              | Failure
    Audit File Share                       | Success and Failure
    Audit Other Object Access Events       | Success and Failure
    Audit Removable Storage                | Success and Failure
    Audit Audit Policy Change              | Success
    Audit Authentication Policy Change     | Success
    Audit MPSSVC Rule-Level Policy Change  | Success and Failure
    Audit Other Policy Change Events       | Failure
    Audit Sensitive Privilege Use          | Success and Failure
    Audit Other System Events              | Success and Failure
    Audit Security State Change            | Success
    Audit Security System Extension        | Success
    Audit System Integrity                 | Success and Failure

    Now we know what we want to audit, let's get started in Endpoint Manager. Audit policies aren't available in administrative templates (yet), so we need to use the CSP. We can see the policies exist under ./Vendor/MSFT/Policy/Config/Audit. The CSP covers most of the audit points you will want, but we will only add the relevant ones.

    https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-audit

    Go to Devices -> Configuration Profiles. Select Add new.

    Select “Windows 10 and Later” and Custom in the profile.

    Select Add. Enter the name for the audit value; I add the criteria into the description.

    In the OMA-URI, add ./Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditCredentialValidation

    In the Data Type, select Integer and the Value (0 Disabled, 1 Success, 2 Failure, 3 Success and Failure).

    Then press Save. Repeat for the rest of the desired values.

    Using the table below should get you to the 1909 Baseline.

    Configuration                          | Set To              | CSP                                                                                  | Data Type | Value
    Audit Credential Validation            | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditCredentialValidation             | Integer   | 3
    Audit Security Group Management        | Success             | ./Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditSecurityGroupManagement     | Integer   | 1
    Audit User Account Management          | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditUserAccountManagement       | Integer   | 3
    Audit PNP Activity                     | Success             | ./Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditPNPActivity                  | Integer   | 1
    Audit Process Creation                 | Success             | ./Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditProcessCreation              | Integer   | 1
    Audit Account Lockout                  | Failure             | ./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditAccountLockout             | Integer   | 2
    Audit Group Membership                 | Success             | ./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditGroupMembership            | Integer   | 1
    Audit Logon                            | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditLogon                      | Integer   | 3
    Audit Other Logon/Logoff Events        | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents     | Integer   | 3
    Audit Special Logon                    | Success             | ./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditSpecialLogon               | Integer   | 1
    Audit Detailed File Share              | Failure             | ./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditDetailedFileShare                | Integer   | 2
    Audit File Share                       | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditFileShare                        | Integer   | 3
    Audit Removable Storage                | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditRemovableStorage                 | Integer   | 3
    Audit Audit Policy Change              | Not configured      | ./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditPolicyChange                     | Integer   | 0
    Audit Authentication Policy Change     | Not configured      | ./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditAuthenticationPolicyChange       | Integer   | 0
    Audit MPSSVC Rule-Level Policy Change  | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange      | Integer   | 3
    Audit Other Policy Change Events       | Not configured      | ./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditOtherPolicyChangeEvents          | Integer   | 0
    Audit Sensitive Privilege Use          | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditSensitivePrivilegeUse            | Integer   | 3
    Audit Other System Events              | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/System_AuditOtherSystemEvents                      | Integer   | 3
    Audit Security State Change            | Success             | ./Vendor/MSFT/Policy/Config/Audit/System_AuditSecurityStateChange                    | Integer   | 1
    Audit Security System Extension        | Success             | ./Vendor/MSFT/Policy/Config/Audit/System_AuditSecuritySystemExtension                | Integer   | 1
    Audit System Integrity                 | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/System_AuditSystemIntegrity                        | Integer   | 3
    Audit Non Sensitive Privilege Use      | Not configured      | ./Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditNonSensitivePrivilegeUse         | Integer   | 0
    Audit Other Privilege Use Events       | Not configured      | ./Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditOtherPrivilegeUseEvents          | Integer   | 0
    Audit Authorization Policy Change      | Not configured      | ./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditAuthorizationPolicyChange        | Integer   | 0
    Audit Application Group Management     | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditApplicationGroupManagement  | Integer   | 3
    Audit IPsec Driver                     | Not configured      | ./Vendor/MSFT/Policy/Config/Audit/System_AuditIPsecDriver                            | Integer   | 0
    Audit Other Object Access Events       | Not configured      | ./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditOtherObjectAccessEvents          |           |
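    Clicking Add once per OMA-URI is where the typos creep in, so here is the same profile built in one go from the table above. This is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and the deviceManagement/deviceConfigurations endpoint to create a Windows 10 custom profile with one omaSettingInteger per row, then assigns it to a test group. The profile name and the group object id are placeholders; the value for Audit Other Object Access Events is taken from the baseline list further up, since the table row above leaves it blank.

```powershell
# Added example (not from the original post). Builds the Audit CSP custom profile from
# the table as one Graph call instead of one portal form per setting.
# Assumes: Microsoft.Graph SDK installed, an account with rights to create device
# configurations, and a test Azure AD group whose object id replaces the placeholder.

# CSP leaf name -> value (0 Disabled, 1 Success, 2 Failure, 3 Success and Failure).
$AuditSettings = [ordered]@{
    'AccountLogon_AuditCredentialValidation'            = 3
    'AccountManagement_AuditSecurityGroupManagement'    = 1
    'AccountManagement_AuditUserAccountManagement'      = 3
    'DetailedTracking_AuditPNPActivity'                 = 1
    'DetailedTracking_AuditProcessCreation'             = 1
    'AccountLogonLogoff_AuditAccountLockout'            = 2
    'AccountLogonLogoff_AuditGroupMembership'           = 1
    'AccountLogonLogoff_AuditLogon'                     = 3
    'AccountLogonLogoff_AuditOtherLogonLogoffEvents'    = 3
    'AccountLogonLogoff_AuditSpecialLogon'              = 1
    'ObjectAccess_AuditDetailedFileShare'               = 2
    'ObjectAccess_AuditFileShare'                       = 3
    'ObjectAccess_AuditRemovableStorage'                = 3
    'PolicyChange_AuditPolicyChange'                    = 0
    'PolicyChange_AuditAuthenticationPolicyChange'      = 0
    'PolicyChange_AuditMPSSVCRuleLevelPolicyChange'     = 3
    'PolicyChange_AuditOtherPolicyChangeEvents'         = 0
    'PrivilegeUse_AuditSensitivePrivilegeUse'           = 3
    'System_AuditOtherSystemEvents'                     = 3
    'System_AuditSecurityStateChange'                   = 1
    'System_AuditSecuritySystemExtension'               = 1
    'System_AuditSystemIntegrity'                       = 3
    'PrivilegeUse_AuditNonSensitivePrivilegeUse'        = 0
    'PrivilegeUse_AuditOtherPrivilegeUseEvents'         = 0
    'PolicyChange_AuditAuthorizationPolicyChange'       = 0
    'AccountManagement_AuditApplicationGroupManagement' = 3
    'System_AuditIPsecDriver'                           = 0
    # Value taken from the 1909 baseline list above; the CSP table row has no value.
    'ObjectAccess_AuditOtherObjectAccessEvents'         = 3
}

$Base       = './Vendor/MSFT/Policy/Config/Audit/'
$ValueLabel = @{ 0 = 'Disabled'; 1 = 'Success'; 2 = 'Failure'; 3 = 'Success and Failure' }

$OmaSettings = foreach ($Entry in $AuditSettings.GetEnumerator()) {
    @{
        '@odata.type' = '#microsoft.graph.omaSettingInteger'
        displayName   = $Entry.Key
        description   = $ValueLabel[[int]$Entry.Value]
        # Trim() guards against the trailing-space URI that breaks a setting silently.
        omaUri        = ($Base + $Entry.Key).Trim()
        value         = [int]$Entry.Value
    }
}

$ProfileBody = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Audit Policy - Windows 10 1909 baseline'   # placeholder name
    description   = 'Security audit subcategories set through the Audit CSP'
    omaSettings   = @($OmaSettings)
}

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$Created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($ProfileBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign the new profile to the test group (placeholder object id).
$AssignBody = @{
    assignments = @(
        @{
            '@odata.type' = '#microsoft.graph.deviceConfigurationAssignment'
            target        = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = '<test-group-object-id>'
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($Created.id)/assign" `
    -Body ($AssignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created profile $($Created.id) with $($AuditSettings.Count) OMA-URI settings."
```

    The ordered hashtable is the only thing you maintain: add or change a row there and re-run, and the profile is recreated with the same URIs every time, which removes the missing-character and trailing-space errors mentioned at the end of this post.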

    Press Save, then assign it to your test Azure AD group and press Save.

    Give it some time to apply. If you’re impatient like me, force a Sync through Settings > Accounts > Access work or school. Click your work or school account, then click Sync.

    How do we know it's worked? You can run the following command to see what's changed.

    C:\>auditpol /get /category:*
    System audit policy
    Category/Subcategory Setting
    System
    Security System Extension Success
    System Integrity Success and Failure
    IPsec Driver Success and Failure
    Other System Events Success and Failure
    Security State Change Success
    Logon/Logoff
    Logon Success and Failure
    Logoff Success and Failure
    Account Lockout Failure
    IPsec Main Mode No Auditing
    IPsec Quick Mode No Auditing
    IPsec Extended Mode No Auditing
    Special Logon Success
    Other Logon/Logoff Events No Auditing
    Network Policy Server No Auditing
    User / Device Claims No Auditing
    Group Membership Success
    Object Access
    File System No Auditing
    Registry No Auditing
    Kernel Object No Auditing
    SAM No Auditing
    Certification Services No Auditing
    Application Generated No Auditing
    Handle Manipulation No Auditing
    File Share Success and Failure
    Filtering Platform Packet Drop No Auditing
    Filtering Platform Connection No Auditing
    Other Object Access Events Success and Failure
    Detailed File Share Failure
    Removable Storage Success and Failure
    Central Policy Staging No Auditing
    Privilege Use
    Non Sensitive Privilege Use No Auditing
    Other Privilege Use Events No Auditing
    Sensitive Privilege Use Success and Failure
    Detailed Tracking
    Process Creation Success
    Process Termination No Auditing
    DPAPI Activity No Auditing
    RPC Events No Auditing
    Plug and Play Events Success
    Token Right Adjusted Events No Auditing
    Policy Change
    Audit Policy Change Success
    Authentication Policy Change Success
    Authorization Policy Change Success
    MPSSVC Rule-Level Policy Change Success and Failure
    Filtering Platform Policy Change No Auditing
    Other Policy Change Events Failure
    Account Management
    Computer Account Management No Auditing
    Security Group Management Success
    Distribution Group Management No Auditing
    Application Group Management Success and Failure
    Other Account Management Events No Auditing
    User Account Management Success and Failure
    DS Access
    Directory Service Access No Auditing
    Directory Service Changes No Auditing
    Directory Service Replication No Auditing
    Detailed Directory Service Replication No Auditing
    Account Logon
    Kerberos Service Ticket Operations Success and Failure
    Other Account Logon Events Success and Failure
    Kerberos Authentication Service Success and Failure
    Credential Validation Success and Failure

    If it hasn't worked, check the event log: Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider. Look for any errors. Most of my errors were either a missing character or a space added to the end of the OMA-URI.
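    Reading the auditpol listing by eye works once; for a fleet you want the comparison scripted. The following is an added example, not code from the original post: it runs auditpol with the /r switch (which emits CSV rather than the text table shown above), compares each subcategory's effective setting with the 1909 baseline values from this post, and, on any mismatch, pulls the last day of errors from the DeviceManagement-Enterprise-Diagnostics-Provider log where a rejected OMA-URI shows up. The expected values are those from the post's baseline list; the subcategory names are auditpol's own.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on a
# device that has received the Intune profile. Expected settings are the 1909
# baseline values listed in this post, keyed by auditpol's subcategory names.
$Expected = @{
    'Credential Validation'           = 'Success and Failure'
    'Security Group Management'       = 'Success'
    'User Account Management'         = 'Success and Failure'
    'Plug and Play Events'            = 'Success'
    'Process Creation'                = 'Success'
    'Account Lockout'                 = 'Failure'
    'Group Membership'                = 'Success'
    'Logon'                           = 'Success and Failure'
    'Other Logon/Logoff Events'       = 'Success and Failure'
    'Special Logon'                   = 'Success'
    'Detailed File Share'             = 'Failure'
    'File Share'                      = 'Success and Failure'
    'Removable Storage'               = 'Success and Failure'
    'MPSSVC Rule-Level Policy Change' = 'Success and Failure'
    'Sensitive Privilege Use'         = 'Success and Failure'
    'Other System Events'             = 'Success and Failure'
    'Security State Change'           = 'Success'
    'Security System Extension'       = 'Success'
    'System Integrity'                = 'Success and Failure'
}

# /r gives CSV with the columns: Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting.
$Effective = auditpol /get /category:* /r |
    Where-Object { $_ -ne '' } |
    ConvertFrom-Csv

$Mismatches = foreach ($Name in $Expected.Keys) {
    $Row    = $Effective | Where-Object { $_.Subcategory -eq $Name }
    $Actual = if ($Row) { $Row.'Inclusion Setting' } else { 'subcategory not found' }
    if ($Actual -ne $Expected[$Name]) {
        [pscustomobject]@{ Subcategory = $Name; Expected = $Expected[$Name]; Actual = $Actual }
    }
}

if (-not $Mismatches) {
    'Audit policy matches the 1909 baseline.'
} else {
    'Subcategories that differ from the baseline:'
    $Mismatches | Format-Table -AutoSize

    # The MDM client records failed OMA-URI writes here; a typo or a trailing space
    # in the URI appears as an error for that one setting.
    'Recent MDM errors (last 24 hours):'
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2                       # 2 = Error
        StartTime = (Get-Date).AddHours(-24)
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message |
        Format-Table -Wrap
}
```

    Only the subcategories the post sets are compared, so anything the baseline leaves at No Auditing is not reported as a mismatch; add rows to the hashtable if you also want to confirm those stay off.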

  • How to Troubleshoot EAS Conditional Access rules

    We have decided it's time to block our EAS connections. We have had some MAM policies set up for about a year and in test. We were about to roll them out at the start of this year to Europe and Africa. Then an IT restructure happened and the scope changed to global. Then the elephant in the world happened: Covid. (I'll cover MAM in another post.)

    It's an easy process to set up the rules, but you have to be careful not to lock yourself out of your Office 365. We have lots of rules set up, but these ones are fairly standard from MS.

    I set up the policy a few months ago and started testing. I got the expected block message, which was great news. Happy with the work I had done, I started to implement these on some of my test users.

    I added some more users into the rule, expecting it to take 24 hours to apply. I told the users what to expect and then waited for the angry messages of "where are my contacts?". A colleague reached out and advised that he was still able to access his email with the native client.

    What could it be? Timing? Forgot to press Save? I checked the logs. One connection is allowed and one is blocked. He is still getting the mail. Maybe I missed the group. Nope, it's included. He is in the group as you would expect.

    What have I missed?

    Let me check the rules again, for the 100th time.

    Page 2.

    Hang on. What's this tick? "Apply only to non-compliant devices"... when did that get ticked? Why would I tick that?

    Let's take a look at the logs. Oh dear. That explains it.

    I turn it off. Let's see if that helps. And it does.

    Moral of the story: the page you think is empty probably has an unexpected and important setting ticked.

  • How do you get Azure Graph and power bi to be friends?

    I like to dabble in a bit of Power BI. I am hardly a data visualisation expert, but I know enough to make a decent report. I am working on updating an old Intune report I customised based off the first release of the Intune Data Warehouse. It works. It's not beautiful and it's huge. I keep getting asked to trim it down, since it's one of the top processing hogs of my company's Premium subscription.

    One of my biggest issues is that I can't get decent user information for the report. The data warehouse has UPN and that's about it that's useful. Originally I resorted to a PowerShell script to export users, company and a few extension attributes, created a scheduled task and ran with it. It has worked since 2017. But I feel I should modernise this process given the data-driven world we live in. (And the compute team want to move the server.)

    Time to roll up my sleeves and try the Graph Explorer. It's some trial and error, but you can find what you need. Extension attributes are complicated, but you can get there. And I did. All excited, I created my OData connection in Power BI, then... doesn't work. Wrong password... again... cough, should have set up passwordless... Try again... nope. After some googling: Power BI doesn't support the authentication for the Graph API.

    Grrrrrrr.

    What to do? I can write another scheduled task and PowerShell script... or create an Azure site to proxy the Graph website.

    Or maybe I will call it done for the week and enjoy the rest of this oddly hot London day with my son and wife in the paddling pool.

    I’m sure you can guess which option I chose. The water was lovely.
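    For anyone who picks the first option rather than the paddling pool, this is what the scheduled-task script looks like against Graph today. It is an added example, not the author's 2017 script: it uses the Microsoft Graph PowerShell SDK to pull UPN, company and the on-premises extension attributes for every enabled user and writes them to a CSV that Power BI can load as a file source, sidestepping the OData authentication problem described above. The app registration, certificate thumbprint, output path and the two extension attribute numbers are placeholders.

```powershell
# Added example (not from the original post). Export user attributes from Microsoft
# Graph to CSV for Power BI. Assumes an app registration with application permission
# User.Read.All and a certificate for sign-in, so the scheduled task stores no
# password; all ids below are placeholders.
$OutFile = 'C:\Reports\IntuneUsers.csv'   # placeholder path; Power BI reads this file

Connect-MgGraph -ClientId '<app-id>' -TenantId '<tenant-id>' `
    -CertificateThumbprint '<cert-thumbprint>' -NoWelcome

# Only the requested properties are returned; onPremisesExtensionAttributes carries
# extensionAttribute1..15 as a nested object, so it is flattened below.
$Props = 'userPrincipalName', 'displayName', 'companyName', 'department',
         'onPremisesExtensionAttributes'

Get-MgUser -All -Property $Props -Filter 'accountEnabled eq true' |
    Select-Object UserPrincipalName, DisplayName, CompanyName, Department,
        @{ n = 'ExtensionAttribute1'; e = { $_.OnPremisesExtensionAttributes.ExtensionAttribute1 } },
        @{ n = 'ExtensionAttribute2'; e = { $_.OnPremisesExtensionAttributes.ExtensionAttribute2 } } |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

"Exported users to $OutFile"
```

    Point the Power BI dataset at the CSV (or drop it on a share the gateway can read) and schedule the script with Task Scheduler; the certificate-based sign-in is what keeps a stored password out of the task.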