Category: Microsoft Endpoint Manager

Windows Autologin stopped working

Do you ever find yourself troubleshooting why autologin has stopped working on Windows?

There is a series of devices that require to autologin. These are usually Kiosk devices, or Monitoring Boards, TVs etc etc.

Randomly the devices that needed autologin all stopped working. Around about the same time. We checked the usually suspects (Did someone lock the account again?) Did we apply a new security policy that blocked it? Did a Windows update break it.

Lets take a step back and remind ourselves how Auto Login works. The key requirements to make the Auto Login work are

A working username and password. (AD user or local user )
A Windows device. ()
The following registry keys set

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="timstechblurbs.local"
"AutoAdminLogon"="1"
"DefaultUserName"="AutomationUser"
"DefaultPassword"="ALongAndComplacatePAsswordNoOneCanRemeber"
"AltDefaultUserName"="AutomationUser"
"AltDefaultDomainName"="timstechblurbs.local"
"ForceAutoLogon"="1"

If we have all of these set the PC should auto login.

Where is the problem?

The Auto Logins stopped working. After re adding the keys, it didn’t help. The DefaultPassword key was deleted and the ForceAutoLogon was set to 0. Something is changing this.

We spun up ProcMon with Boot Logging enabled and started digging into the results. It looks like LoginUI is delete the Keys during shutdown

3/23/2023 9:26:35 AM	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon is changed from 1 to 0 by LogonUI.exe
3/23/2023 9:26:35 AM	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword is deleted by LogonUI.exe.
3/23/2023 9:26:36 AM	User Logoff Notification for Customer Experience Improvement Program
3/23/2023 9:26:38 AM	The Event log service was stopped. (This is an indicator that system is shut down)
3/23/2023 9:27:38 AM	The Event log service was started. (This is an indicator that system is started)

A Further check of the Event logs show and EAS Policy is responsible. But why. (These accounts don’t have mailboxes.)

We dig and dig, to find there is no mail, nor a reason to connect to Exchange online. We delete the policy and it comes back after a few hours.

How does Intune fit into this?

All the devices are enrolled in SCCM, and AAD Hybrid join and enrolled into Intune. In testing, we deleted a device from Intune and blocked enrolment. They AutoLogin keys stayed and the EAS Policy was removed.

After checking the Configuration Polices applied in Intune, we found no culprits. We already exclude the device from most of the Intune Polices.

However when checking the Compliance polices, we are setting minimum Password length. We have found our problem!!!

But wait. We aren’t applying the Compliance policy to any devices, and the autologin users usually aren’t Synced to AAD? Turns out our assumption was wrong. The user were Synced to AAD and the compliance policy was set to All users. There our problem.

How can we fix this

First things first. Lets exclude the Auto Login users from the compliance policy and sync the device. It can take hours / days for the policy to be removed from the device status.

Then added the autologin keys back to the device and waited in the hope that this problem is solved. Unfortunately the problem returned shortly after.

Turns out Intune does a very good job of caching settings on the device and will keep them there.

You either need to

Delete the device from Intune, and let it Re enrol.
Set up a new compliance policy removing the settings.
Manually intervene, find and delete the keys. and Script the fix.

I chose the 3rd option. There are too many computers to remove them from Intune. We don’t want a compliance policy set up that could be applied in the wrong place. I set up the fowling script to delete the keys, Add the autologin back and to Sync with Intune.

### 
# Reset the Device Auto Login after device is joined to AAD and Intune
# Ensure the Complance Policy is not set on the device. Otherwise the problem 
# will come back in a few days
###

param ([String] $LoginUser = "AutomationUser"
, [String] $LoginDomain = "timstechblurbs.local"
, [String] $LoginPassword = "ALongAndComplacatePAsswordNoOneCanRemeber")


$NodeCacheKeys = Get-ChildItem -path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\' -recurse -erroraction silentlycontinue | Get-ItemProperty | where {$_.'NodeUri' -like "*/DeviceLock/*"}    

foreach ($key in $NodeCacheKeys)
{
        Write-Host $key.PSPath
        Remove-Item -Path $key.PSPath -Recurse -WhatIf
}

$PolicyKeys = Get-ItemProperty -path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\' -erroraction silentlycontinue 

Write-Host $PolicyKeys.PSPath
Remove-Item -Path $PolicyKeys.PSPath -Recurse 


$EASKeys = Get-ItemProperty -path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EAS\Policies' -erroraction silentlycontinue 

Write-Host $EASKeys.PSPath
Remove-Item -Path $EASKeys.PSParentPath -Recurse


Get-ScheduledTask -TaskName "Schedule to run OMADMClient by server" -ErrorAction Continue | Start-ScheduledTask

Set-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Value $LoginDomain
Set-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AltDefaultDomainName -Value $LoginDomain
Set-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value "1"
Set-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name ForceAutoLogon -Value "1"
Set-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value  $LoginUser
Set-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value $LoginPassword

October 5, 2023

Protected: How do I get that licence key in?

This content is password protected. To view it please enter your password below:

Password:

May 15, 2023
How to enrol your Android Devices into Endpoint Manager with a NFC tag
Do you have loads of devices to provision but not enough time to tap on each screen. If only there was another way.

Typically the enrolment process would be, boot up the device, then tap the screen spot many time until the camera loads, Scan the token, then connect to(and type in the password for) Wifi. Then start the enrolment process.

With a NFC tag, you can save the token and the wifi configuration into the tag, then simply swipe the tag to start the enrolment.

There isn’t much information about this enrolment process for Endpoint Manager. But it can be really handy and save time for the enrolment. But where to start. Let’s check the Microsoft blog about this. https://docs.microsoft.com/en-us/archive/blogs/cbernier/nfc-based-android-enterprise-device-enrollment-with-microsoft-intune (The work in here represents my experience using NFC to enroll the devices. Full credit goes to Chris Baldwin from MS for his blog about the topic. It’s a really good blog post on UEM4all and the MS Site above. )

So what do we need.
1. Some NFC Tags. You can use most of the NFC tasks, but make sure they have plenty of space. I bought NTAG216 tags that have 888 writable bytes of data and are writable with a Zebra card printer. (Added bonus to make the cards pretty)
2. A NFC Reader / Writer. You can get these for the PC, or take advantage of the one in your phone. You can download the app NFC tool Pro for a few pounds on the play store.
3. Some data to write to the NFC Card.
Lets begin by formulating the data. There is lots of coding in these tag, and were borrowing it from the android developer documentation.

The first part is the same for all Endpoint Manager Enrolments.

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://play.google.com/managed/downloadManagingApp?identifier=setup android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM=I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME=com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver

The next part you need is the enrolment token. Go to the Enroment then page and copy the teszct string as is to put at the end of the string.

android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE=com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN=<CHANGE TO ENDPOINT MANAGER TOEKN>

Lets also also add in the WiFi configuration to speed things up (don’t forget to enrolling the device on a different Wifi to the ones you want to install). Include all the lines in the token otherwise it won’t wor correctly and you will get an Error. The options for Security are WPA, WEP or None. Once you have the NFC created, you might need to play with the quotes. It worked when I removed them Ann in this format.

android.app.extra.PROVISIONING_WIFI_SSID=”GUEST”
android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE=WPA
android.app.extra.PROVISIONING_WIFI_PASSWORD=MYPASSWORD

We have the data so let’s load up the closest device. Lets load up NFC tool Pro. Open the Write Tab, The select Add Record. Navigate to the bottom of the screen and select Data.

In Content-type, type in application and in the next textbox type in com.android.managedprovisioning

In the Data field you need to put in your entire text string you have created.

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://play.google.com/managed/downloadManagingApp?identifier=setup android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM=I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME=com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE=com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN=<CHANGE TO ENDPOINT MANAGER TOEKN> android.app.extra.PROVISIONING_WIFI_SSID=”GUEST” android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE=WPA android.app.extra.PROVISIONING_WIFI_PASSWORD=MYPASSWORD

Press OK once done.

Now let’s write the tag. Press the write button, and then hold the NFG tag on the back of you device for a few seconds until it says write completed.

Before you continue, you might want to save the profile in the NFC tools Pro. Select More Options and Save a Tag Profile. Then give it a good name, You will need to update the NFC tag each time you renew the profile.

Now we have our NFC Enrolment card, lets test it. Find a (another) device, factory rest it. On the first page tap the NFC tag on the device. You will go straight to the enrolling pages. You will have to accept the T&C’s during the enrolment. Let its do it thing & Viola. Device enrolled as device Owner.

If you get an error with the WiFi connection, play with the quotes around game the SSID and the password. For me to worked without the quotes.

Hopefully this will save you some time and effort earn enrolling the devices. Especially if you have lots to install.
November 16, 2020

How can Storage Sense help in the fight against full C: Drives?

How much time do we spend casing users full C: drive. Especially when patch Tuesday has come along and we need to get patch KBxxxxx installed yesterday.

Storage sense to the Rescue!!!

Storage sense can be spilt into two handy features.

Deflating OneDrive on demand files
Cleaning Temp, Downloads and old unused files.

Let’s start with OneDrive files on Demand. Since build 17720, we were able to save space on the client machine by only download the well used files. That really handy when you have lots of large files, but only need to access once in a while. We can also control when our files are “dehydrated” and converted to cloud only files.

You need to find the right number of days before dehydrating the files. Somewhere between 1 and 365. If you have a lot of user without a regular internet connection, I would aim for value of over 6o. If you pretty well always online, I would aim for more 15 – 30 days. It also depends on the amount of data saved in OneDrive. It includes any data stored in synced Sharepoint folders as well. I decided on 30 Days.

The we choose a cadence. I went with 1 – Every day for the testing. I don’t normally notice when it runs. But it could equally be every week. So when we went live I set it to every 7 days.

What about cleaning up the downloads folder? It always ends up as a dumping ground for me. Lets set it for 30 days. This is one point it is worth mentioning to the end users. I have some old programs and handy installers saved in OneDrive. So when I break my computer again I can rebuild It without finding all the software again. (I know, I should always take the last versos from he website. )

Now we know what we want to set. Let’s set it up in Endpoint Manager.

Select Windows 10 and Later, and Custom Profile.

Enter in a Name and Description.

Lets Start with “Allow Storage Sense Global.” Select Add on the next Page. Enter in the name for the setting. In the OMA-URI after in ./Device/Vendor/MSFT/Policy/Config/Storage/AllowStorageSenseGlobal. The Data Type should be Internet. Set the Value to 1 (Meaning Enabled). Press Save.

Lets repeat until we cover all of the settings in the table.

Name	Description	OR_UAM	Value
AllowStorageSenseGlobal	Turn Storage Sense is on	./Device/Vendor/MSFT/Policy/Config/Storage/AllowStorageSenseGlobal	1
AllowStorageSenseTemporaryFilesCleanup	Clen up Tempoary Files	./Device/Vendor/MSFT/Policy/Config/Storage/AllowStorageSenseTemporaryFilesCleanup	1
ConfigStorageSenseCloudContentDehydrationThreshold	Number of days since a cloud-backed file has been opened before Storage Sense will dehydrate it	./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseCloudContentDehydrationThreshold	30
ConfigStorageSenseDownloadsCleanupThreshold	Minimum age threshold (in days) of a file in the Downloads folder before Storage Sense will delete it	./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseDownloadsCleanupThreshold	0
ConfigStorageSenseRecycleBinCleanupThreshold	Minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it	./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseRecycleBinCleanupThreshold	30
ConfigStorageSenseGlobalCadence	Cadence	./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseGlobalCadence	1

Once Done, let’s save and deploy it to our test devices. Sync and reboot the test device.

How do I know is working?

Press Start and search Storage Sense. You can then see a break down off the settings. you can also see how much space you saved. (Once its been running for a few days)

In our testing it’s saved us about 20-30 % space on the devices.It has helped us keep the drives clean in the process and ensure we can get the update and software out to the clients.

You can see with files are set to Cloud Only files. On the left, the first file is a cloud only. The user simply double clicks, and it downaloads

Some very simple and easy setting to get some fresh space.

November 9, 2020

How to move Windows 10 Security Audit Policies to Endpoint Manager / Intune

Where do you start with moving polcies to Intune, I don’t think there is a right or wrong answer. I decided to start with Audit Policies. For 2 reasons. I need to standardise the security event auditing on our devices and we need to update one region to help with SCCM UDA.

How to do it?

Lets look at what we have today. We have differences between the computer around the regions in what we audit. An example below.

Polciy	Europe	Americas	Asia	Pacific
Audit Logon	Success and Failure	Success and Failure	Success and Failure	Success and Failure
Audit File Share	Failure	Success and Failure	Success	Success
Audit Sensitive Privilege Use	Success and Failure	Success and Failure	Success and Failure	Success and Failure
Audit Other Policy Change Events	Success and Failure	Success and Failure	Failure	Success and Failure

We know SCCM likes us to audit Logon events to make sure you have good User Device Affinity. You also need to have a good history of the events, otherwise it can impact you UDA.

Checking the Microsoft Windows 10 1909 baseline, it likes to include these (But they do cause some noise in the event logs with impacts the SCCM UDA. Rock and a hard place anyone?)

Audit Credential Validation	Success and Failure
Audit Security Group Management	Success
Audit User Account Management	Success and Failure
Audit PNP Activity	Success
Audit Process Creation	Success
Audit Account Lockout	Failure
Audit Group Membership	Success
Audit Logon	Success and Failure
Audit Other Logon/Logoff Events	Success and Failure
Audit Special Logon	Success
Audit Detailed File Share	Failure
Audit File Share	Success and Failure
Audit Other Object Access Events	Success and Failure
Audit Removable Storage	Success and Failure
Audit Audit Policy Change	Success
Audit Authentication Policy Change	Success
Audit MPSSVC Rule-Level Policy Change	Success and Failure
Audit Other Policy Change Events	Failure
Audit Sensitive Privilege Use	Success and Failure
Audit Other System Events	Success and Failure
Audit Security State Change	Success
Audit Security System Extension	Success
Audit System Integrity	Success and Failure

Now we know what we want to audit, lets get started in Endpoint Manager. audit policies aren’t available in administrative templates (Yet). So we need to use the CSP. We can see the policies exist in ./Vendor/MSFT/Policy/Config/Audit. The CSP cover most of the audit points you will want, but we will only add the relevant ones.

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-audit

Goto Devices -> Configuration Profiles. Select Add new.

Select “Windows 10 and Later” and Custom in the profile.

Select Add. Enter in the Name for the Audit Value, I add the criteria into the description.

In the OMA-URI add in ./Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditCredentialValidation

In the Data Type, Select Integer and the Value (0 Disabled, 1 Success, 2 Failure, 3 Success and Failure)

Then press Save. Repeat for the rest of the desire values.

Using the table below should get you to the 1909 Baseline.

Configuration	Set To	CSP	Data Type	Value
Audit Credential Validation	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditCredentialValidation	Integer	3
Audit Security Group Management	Success	./Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditSecurityGroupManagement	Integer	1
Audit User Account Management	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditUserAccountManagement	Integer	3
Audit PNP Activity	Success	./Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditPNPActivity	Integer	1
Audit Process Creation	Success	./Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditProcessCreation	Integer	1
Audit Account Lockout	Failure	./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditAccountLockout	Integer	2
Audit Group Membership	Success	./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditGroupMembership	Integer	1
Audit Logon	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditLogon	Integer	3
Audit Other Logon/Logoff Events	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents	Integer	3
Audit Special Logon	Success	./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditSpecialLogon	Integer	1
Audit Detailed File Share	Failure	./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditDetailedFileShare	Integer	2
Audit File Share	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditFileShare	Integer	3
Audit Removable Storage	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditRemovableStorage	Integer	3
Audit Audit Policy Change	Not configured	./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditPolicyChange	Integer	0
Audit Authentication Policy Change	Not configured	./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditAuthenticationPolicyChange	Integer	0
Audit MPSSVC Rule-Level Policy Change	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange	Integer	3
Audit Other Policy Change Events	Not configured	./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditOtherPolicyChangeEvents	Integer	0
Audit Sensitive Privilege Use	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditSensitivePrivilegeUse	Integer	3
Audit Other System Events	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/System_AuditOtherSystemEvents	Integer	3
Audit Security State Change	Success	./Vendor/MSFT/Policy/Config/Audit/System_AuditSecurityStateChange	Integer	1
Audit Security System Extension	Success	./Vendor/MSFT/Policy/Config/Audit/System_AuditSecuritySystemExtension	Integer	1
Audit System Integrity	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/System_AuditSystemIntegrity	Integer	3
Audit Non Sensitive Privilege Use	Not configured	./Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditNonSensitivePrivilegeUse	Integer	0
Audit Other Privilege Use Events	Not configured	./Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditOtherPrivilegeUseEvents	Integer	0
Audit Authorization Policy Change	Not configured	./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditAuthorizationPolicyChange	Integer	0
Audit Application Group Management	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditApplicationGroupManagement	Integer	3
Audit IPsec Driver	Not configured	./Vendor/MSFT/Policy/Config/Audit/System_AuditIPsecDriver	Integer	0
Audit Other Object Access Events	Not configured	./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditOtherObjectAccessEvents

Press Save, and then assign it to your test Azure AD Group and press save.

Give it some time to apply. If you’re impatient like me, force a Sync through Settings > Accounts > Access work or school. Click your work or school account, then click Sync.

How do we know its worked? You can run the following command to see what’s change.

C:\>auditpol /get /category:*
System audit policy
  Category/Subcategory Setting
System
  Security System Extension Success 
  System Integrity Success and Failure
  IPsec Driver Success and Failure
  Other System Events Success and Failure
  Security State Change Success
Logon/Logoff
  Logon Success and Failure
  Logoff Success and Failure
  Account Lockout Failure
  IPsec Main Mode No Auditing
  IPsec Quick Mode No Auditing
  IPsec Extended Mode No Auditing
Special Logon Success
  Other Logon/Logoff Events No Auditing
  Network Policy Server No Auditing
  User / Device Claims No Auditing
  Group Membership Success
  Object Access
  File System No Auditing
  Registry No Auditing
  Kernel Object No Auditing
  SAM No Auditing
  Certification Services No Auditing
  Application Generated No Auditing
  Handle Manipulation No Auditing
  File Share Success and Failure
  Filtering Platform Packet Drop No Auditing
  Filtering Platform Connection No Auditing
  Other Object Access Events Success and Failure
  Detailed File Share Failure
  Removable Storage Success and Failure
  Central Policy Staging No Auditing
Privilege Use
  Non Sensitive Privilege Use No Auditing
  Other Privilege Use Events No Auditing
  Sensitive Privilege Use Success and Failure
  Detailed Tracking
  Process Creation Success
  Process Termination No Auditing
  DPAPI Activity No Auditing
  RPC Events No Auditing
  Plug and Play Events Success
  Token Right Adjusted Events No Auditing
Policy Change
  Audit Policy Change Success
  Authentication Policy Change Success
  Authorization Policy Change Success
  MPSSVC Rule-Level Policy Change Success and Failure
  Filtering Platform Policy Change No Auditing
  Other Policy Change Events Failure
Account Management
  Computer Account Management No Auditing
  Security Group Management Success
  Distribution Group Management No Auditing
  Application Group Management Success and Failure
  Other Account Management Events No Auditing
  User Account Management Success and Failure
  DS Access
  Directory Service Access No Auditing
  Directory Service Changes No Auditing
  Directory Service Replication No Auditing
  Detailed Directory Service Replication No Auditing
Account Logon
  Kerberos Service Ticket Operations Success and Failure
  Other Account Logon Events Success and Failure
  Kerberos Authentication Service Success and Failure
 Credential Validation Success and Failure

If it hasn’t worked, check the event long. Look in the event log. Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider. Look for any errors. Most of my errors were either missing a character or adding a space to the end of the OMA-URI.

September 30, 2020

How to Troubleshoot EAS Conditional Access rules

We have decided it’s time to block our EAS connections. We have some some MAM polices set up for About a year and in test. We were about to roll the, out at the start of this year to Europe and Affrica.. Then an IT restructure happened and the scope changed to global. Then the elephant in the world Happened. Covid (I’ll cover MAMin another post)

It’s an easy process to set up the rules have to be careful not to lock yourself out of the your Office 365. We have lost of rules set up but these one are fairly standard fromMS

I set up the policy a few months ago and started test. I got the expected block message which was great news. Happy with the work I had done I stated to Implement these on some of my test users.

I added some more users into then rule expecting it to take 24 hours to apply. Told the users what to expect and then waited for the angry messages of where are my contacts at. A colleague reached out and advised that he was still able to access his email with the Native client.

What could it be? Timing? Forgot to press save. I check the logs. One connection is allowed and one is blocked. He is still getting the mail. Maybe I missed the group. Nope it’s included. He is in the group as you would expect.

what have I missed?

let em check the rules again. for the 100th time

page 2

hang on. What’s this tick. Apply only to non compliant devices… when did that get ticked? Why would I tick that.

Lets take a look at the logs. Oh dear. That’s explains it.

I turn it off. Let’s see if that helps. And it does

Moral of the story. The page you think is empty probably has an unexpected Nd important setting tickEd

August 12, 2020
How do you get Azure Graph and power bi to be friends?

I like to dabble in a bit of Power Bi. I am hardly a data visualisation expert but I know enough to make a decent report. I am working on updating an old Intune report I customised based off the first release of the Intune Data Warehouse. It works. It’s not beautiful and it’s huge. I keep getting asked to trim it down since it’s one of the top processing hogs of my company’s Premium subscription.

One of my biggest issue is, I can’t get decent user information for the report. The data warehouse has UPN and that’s about it that’s useful. Originally I resorted to a PowerShell script to export users, company and a few extension attributes. Created a scheduled task and ran with it. It has worked since 2017. But I feel I should modernise this process given the data driven world we live in. (And the compute team want to move the server)

Time to roll up my sleeves and try the Graph explorer. It’s some trial and error but you can find what you need. extension attributes are complicated. But you can get there. And I did. All excited I created my Odata connection in PowerBi then …… doest work. Wrong password …. Agin…. cough should of set up passwordless… Try Agin…. nope. After some googling. PowerBi doesn’t support the Authenticaion for the graph api.

Grrrrrrr.

What to do? I can write another scheduled task and power shell scrip… or create an azure site to proxy the graph website.

Or maybe I will call it done for the week and enjoy the rest of this oddly hot London day with my son and wife in the paddling pool.

I’m sure you can guess which option I chose. The water was lovely.

August 7, 2020