How can we get a free backup for Windows 10? Well, maybe not exactly free, but not having to pay anything additional to your Office 365 licence and Endpoint Manager licences. There are obviously many other benefits to this, including mobility, but I will focus on the backup side of it initially.
We can leverage OneDrive Known Folder Move. OneDrive Known Folder Move will automatically move the user's Desktop and Documents folders into their OneDrive folder to be synced. You can set this to be silent to the user, or you can prompt them once it's done.
First things first. We need to get your Tenant ID from Azure AD. Navigate to https://aad.portal.azure.com/ and on the overview page you should see the Tenant ID. Select the copy icon and let's make a note of it for later.
Tenant ID for the Azure AD tenant
You can set up Known Folder Move with Endpoint Manager Administrative Templates as detailed here. Much easier than using the CSP. Let's get started.
Where to Start
The key settings you will need to include to get you started are listed below:
Silently sign in users to the OneDrive sync app with their Windows credentials: Enabled
Prompt users to move Windows known folders to OneDrive: Enabled
Silently move Windows known folders to OneDrive: Enabled
Enable automatic upload bandwidth management for OneDrive: Enabled
Use OneDrive Files On-Demand: Enabled
Settings to apply in Endpoint Manager for Known Folder Move.
These settings should be enough to get you started with Known Folder Move. Once applied, the settings will firstly log in the user with their current account, secondly start syncing to your AAD tenant, thirdly move the Documents and Desktop folders into the OneDrive folder, and finally enable Files On-Demand.
Navigate to Endpoint Manager, then to Devices -> Configuration Profiles. Select Create Profile.
Select Windows 10 and later as the Platform, and Administrative Templates as the Profile type.
Enter a name and description.
Once we're in Administrative Templates, select OneDrive in the list and it will filter to the settings we want.
Let's start with the setting "Silently sign in users to the OneDrive sync app with their Windows credentials". Set this to Enabled.
You will need the Tenant ID we noted earlier. Find the setting "Silently move Windows known folders to OneDrive", set it to Enabled, and enter your Tenant ID.
Let's apply it to our test desktop. Add the group to assign it to. Once applied, when the end user signs in, all the configuration will be completed automatically. The user might receive a notification to say their folders have been moved, depending on the notification option in the Silently Move Known Folders setting.
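Before telling anyone the backup is in place, it is worth confirming on the test desktop that the five settings actually landed and that the folders really moved. This is an added example, not code from the original post; it assumes the Administrative Templates write the OneDrive ADMX registry values named in the script under HKLM:\SOFTWARE\Policies\Microsoft\OneDrive, and the tenant ID is a placeholder you replace.

```powershell
# Added example (not from the original post): check that the five Known Folder Move
# settings above were applied to this device and that Desktop/Documents now live in OneDrive.
# Assumption: the Endpoint Manager admin templates set these OneDrive ADMX registry values.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

function Test-KfmPolicy {
    param([Parameter(Mandatory)][string]$TenantId)   # your Azure AD tenant ID (GUID)
    # Expected registry value for each of the settings in the post, in the same order.
    $expected = [ordered]@{
        'SilentAccountConfig'                      = 1          # Silently sign in users
        'KFMOptInWithWizard'                       = $TenantId  # Prompt users to move known folders
        'KFMSilentOptIn'                           = $TenantId  # Silently move known folders
        'EnableAutomaticUploadBandwidthManagement' = 1          # Automatic upload bandwidth management
        'FilesOnDemandEnabled'                     = 1          # Files On-Demand
    }
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $actual = if ($props) { $props.$name } else { $null }   # $null when the key/value is missing
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual
            Ok       = ("$actual" -eq "$($expected[$name])")
        }
    }
}

function Test-KfmRedirect {
    # A known folder counts as moved when its current (redirected) path is inside a OneDrive folder.
    foreach ($folder in 'Desktop', 'MyDocuments') {
        $path = [Environment]::GetFolderPath($folder)
        [pscustomobject]@{
            KnownFolder = $folder
            Path        = $path
            InOneDrive  = ($path -like '*\OneDrive*')
        }
    }
}

# Replace the placeholder with the tenant ID you copied from the Azure AD overview page.
Test-KfmPolicy -TenantId '<your-tenant-id>' | Format-Table -AutoSize
Test-KfmRedirect | Format-Table -AutoSize
```

Run it in the user's session after the first sign-in and sync; a policy row with Ok = False or a known folder not InOneDrive tells you which step did not apply.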
Some other key settings to consider
Block / Allow syncing OneDrive accounts for only specific organizations
If you don't want your users to sync other companies' or tenants' OneDrive folders to the devices. This can be handy if you don't want information from a partner being saved on your devices. It can also be handy to only allow the selected companies to sync.
Enable automatic upload bandwidth management for OneDrive
This can be useful for when you enable Known Folder Move and realise that the factory is still on an ISDN connection at 2 MB, and you have knocked them off the planet for a few days.
Just enabling these few settings, even if you're only using E1 licences, lets you leverage 1 TB of cloud storage. It can really help to save you spending cash on other backup solutions.
Should you change the default user rights assignments in Windows 10? That's the question. If you ask my colleague the AD expert, he will tell you to run away and not even think about changing the defaults. (He will back it up with some pretty funny stories as well about how someone did it and locked out a company, and maybe even a ship.)
If you ask the security team, the answer is yes. We should set them.
Let's take a look. We will start at my favourite site: the Windows 10 version 2004 security baseline. MS recommend quite a few settings to be applied. When we add another baseline from the security team we end up with the table below.
Policy Setting Name: Windows 10 value
Access Credential Manager as a trusted caller: No One (Blank)
Access this computer from the network: Administrators; Remote Desktop Users
Act as part of the operating system: No One (Blank)
Allow log on locally: Administrators; Users
Back up files and directories: Administrators
Create a pagefile: Administrators
Create a token object: No One (Blank)
Create global objects: Administrators; LOCAL SERVICE; NETWORK SERVICE; SERVICE
Create permanent shared objects: No One (Blank)
Debug programs: Administrators
Deny access to this computer from the network: NT AUTHORITY\Local Account
Deny log on through Remote Desktop Services: NT AUTHORITY\Local Account
Enable computer and user accounts to be trusted for delegation: No One (Blank)
Force shutdown from a remote system: Administrators
Impersonate a client after authentication: Administrators; SERVICE; Local Service; Network Service
Load and unload device drivers: Administrators
Lock pages in memory: No One (Blank)
Manage auditing and security log: Administrators
Modify firmware environment values: Administrators
Perform volume maintenance tasks: Administrators
Profile single process: Administrators
Restore files and directories: Administrators
Take ownership of files or other objects: Administrators
First things first. Let's check the CSP and see what we need to do. To note, you can use the friendly name for the account (i.e. Administrators). But we have every language under the sun, so we need a better way to define the accounts. Let's check the Well-known SID Structures for what we need.
Let's start with the local Administrators group. When you check for the SID, be sure to look for the BUILTIN groups and not the domain groups. Looking at the table, the SID is S-1-5-32-544.
Now we check Local Account and we get S-1-5-113.
Account: SID
Administrators: S-1-5-32-544
Local Account: S-1-5-113
Local Service: S-1-5-19
Network Service: S-1-5-20
Service: S-1-5-6
So let's set up a policy. Let's open Endpoint Manager.
Select "Windows 10 and later" for the platform and Custom for the profile.
Let's enter a logical name, "Windows 10 User Rights Assignment", and select Save.
Let's start with "Load and unload device drivers". Select Add on the next page. Enter a name for the setting; I am prefixing the name with URA (for User Rights Assignment). In the OMA-URI field enter ./Device/Vendor/MSFT/Policy/Config/UserRights/LoadUnloadDeviceDrivers. The Data type should be String. Enter the desired SID for the setting, in this case *S-1-5-32-544 (add the * in front to show it's a SID). Press Save.
Done. What's next? Let's go to "Access Credential Manager as a trusted caller". According to the baseline, no one should have access to this. But how do we define it so no one can access it? Well, don't press Save with a blank field. It will fail (I learned the hard way).
Add a new one and enter the name URA – Access Credential Manager as a trusted caller. Then for the OMA-URI enter ./Device/Vendor/MSFT/Policy/Config/UserRights/AccessCredentialManagerAsTrustedCaller. Select String again. In the data field I have set the value as </>. If you leave it blank you get an error when saving it. It's really annoying if you have added 20 and then realise they have all failed.
Repeat until you have added them all. Select Next, and then assign them to your test group. Sync your device and reboot.
You should also do the testing on a test machine, just in case you lock yourself out.
How can you check the user rights assignments have worked? Let's ask Mark. He usually knows these things.
Let's download AccessChk from here: https://docs.microsoft.com/en-gb/sysinternals/downloads/accesschk. It allows you to check various permissions for files, registry, etc. We will use it with -a to give us the Windows account rights. Let's check SeSystemtimePrivilege, or Change the system time. According to the baseline, only Administrators and Local Service should have this right. Let's run accesschk.exe -a SeSystemtimePrivilege
C:\Users\tim>accesschk.exe -a SeSystemtimePrivilege
Accesschk v6.13 - Reports effective permissions for securable objects
Copyright ® 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com
SeSystemtimePrivilege (Change the system time):
BUILTIN\Administrators
NT AUTHORITY\LOCAL SERVICE
Great, the values are as we expect. What about checking all the permissions? Let's run accesschk.exe -a * to show all the permissions.
C:\Users\tim>accesschk.exe -a *
Accesschk v6.13 - Reports effective permissions for securable objects
Copyright ® 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com
SeCreateTokenPrivilege (Create a token object):
SeAssignPrimaryTokenPrivilege (Replace a process level token):
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\LOCAL SERVICE
SeLockMemoryPrivilege (Lock pages in memory):
SeIncreaseQuotaPrivilege (Adjust memory quotas for a process):
BUILTIN\Administrators
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\LOCAL SERVICE
SeMachineAccountPrivilege (Add workstations to domain):
SeTcbPrivilege (Act as part of the operating system):
SeSecurityPrivilege (Manage auditing and security log):
BUILTIN\Administrators
SeTakeOwnershipPrivilege (Take ownership of files or other objects):
BUILTIN\Administrators
SeLoadDriverPrivilege (Load and unload device drivers):
BUILTIN\Administrators
SeSystemProfilePrivilege (Profile system performance):
NT SERVICE\WdiServiceHost
BUILTIN\Administrators
SeSystemtimePrivilege (Change the system time):
BUILTIN\Administrators
NT AUTHORITY\LOCAL SERVICE
SeProfileSingleProcessPrivilege (Profile single process):
BUILTIN\Administrators
SeIncreaseBasePriorityPrivilege (Increase scheduling priority):
BUILTIN\Administrators
SeCreatePagefilePrivilege (Create a pagefile):
BUILTIN\Administrators
SeCreatePermanentPrivilege (Create permanent shared objects):
SeBackupPrivilege (Back up files and directories):
BUILTIN\Administrators
SeRestorePrivilege (Restore files and directories):
BUILTIN\Backup Operators
BUILTIN\Administrators
SeShutdownPrivilege (Shut down the system):
BUILTIN\Backup Operators
BUILTIN\Users
BUILTIN\Administrators
SeDebugPrivilege (Debug programs):
BUILTIN\Administrators
SeAuditPrivilege (Generate security audits):
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\LOCAL SERVICE
SeSystemEnvironmentPrivilege (Modify firmware environment values):
BUILTIN\Administrators
SeChangeNotifyPrivilege (Bypass traverse checking):
BUILTIN\Backup Operators
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\LOCAL SERVICE
Everyone
SeRemoteShutdownPrivilege (Force shutdown from a remote system):
BUILTIN\Administrators
SeUndockPrivilege (Remove computer from docking station):
BUILTIN\Users
BUILTIN\Administrators
SeSyncAgentPrivilege (Synchronize directory service data):
SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation):
SeManageVolumePrivilege (Perform volume maintenance tasks):
BUILTIN\Administrators
SeImpersonatePrivilege (Impersonate a client after authentication):
NT AUTHORITY\SERVICE
BUILTIN\Administrators
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\LOCAL SERVICE
SeCreateGlobalPrivilege (Create global objects):
NT AUTHORITY\SERVICE
BUILTIN\Administrators
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\LOCAL SERVICE
SeTrustedCredManAccessPrivilege (Access Credential Manager as a trusted caller):
SeRelabelPrivilege (Modify an object label):
SeIncreaseWorkingSetPrivilege (Increase a process working set):
BUILTIN\Users
SeTimeZonePrivilege (Change the time zone):
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\LOCAL SERVICE
SeCreateSymbolicLinkPrivilege (Create symbolic links):
SeDelegateSessionUserImpersonatePrivilege (Obtain an impersonation token for another user in the same session):
BUILTIN\Administrators
SeBatchLogonRight:
BUILTIN\Performance Log Users
BUILTIN\Backup Operators
BUILTIN\Administrators
SeInteractiveLogonRight:
BUILTIN\Backup Operators
BUILTIN\Users
BUILTIN\Administrators
EAUKUKDH0VUMDEN\Guest
SeNetworkLogonRight:
BUILTIN\Backup Operators
BUILTIN\Users
BUILTIN\Administrators
Everyone
SeServiceLogonRight:
NT SERVICE\ALL SERVICES
SeDenyBatchLogonRight:
NT AUTHORITY\Local account and member of Administrators group
NT AUTHORITY\Local account
SeDenyInteractiveLogonRight:
BUILTIN\Guests
SeDenyNetworkLogonRight:
SeDenyServiceLogonRight:
NT AUTHORITY\Local account and member of Administrators group
NT AUTHORITY\Local account
SeRemoteInteractiveLogonRight:
BUILTIN\Remote Desktop Users
BUILTIN\Administrators
SeDenyRemoteInteractiveLogonRight:
BUILTIN\Guests
Now all the rights look good. So let's plan to roll it out and hope we don't become a funny story for my colleague.
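Reading a 100-line accesschk listing by eye is how mismatches get missed, so here is an added example (not from the original post) that parses the "accesschk.exe -a *" output and flags any right whose holders differ from the baseline table. It assumes accesschk.exe is on the PATH when run for real; the embedded sample is a constructed excerpt of the listing above, and the baseline map covers a subset of the table, with the remaining rows mapping onto the privilege constants in the full listing the same way.

```powershell
# Added example (not from the original post): turn the "accesschk.exe -a *" listing into a
# table and flag any right whose holders differ from the baseline above.
# Assumption: accesschk.exe is on the PATH; the sample is a constructed excerpt of the post's listing.

function ConvertFrom-AccessChkRights {
    param([string[]]$Lines)
    # A header line "SeXxxPrivilege (Description):" starts a right; the lines that follow
    # (until the next header) are the accounts holding it. Banner lines are skipped.
    $rights = [ordered]@{}
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^(Se\w+)(\s+\(.*\))?:\s*$') {
            $current = $Matches[1]
            $rights[$current] = @()
        }
        elseif ($current -and $line.Trim()) {
            $rights[$current] += $line.Trim()
        }
    }
    return $rights
}

# Subset of the baseline table above, keyed by privilege constant; an empty list means "No One".
$Baseline = [ordered]@{
    'SeTrustedCredManAccessPrivilege' = @()                          # Access Credential Manager as a trusted caller
    'SeTcbPrivilege'                  = @()                          # Act as part of the operating system
    'SeBackupPrivilege'               = @('BUILTIN\Administrators')  # Back up files and directories
    'SeDebugPrivilege'                = @('BUILTIN\Administrators')  # Debug programs
    'SeLoadDriverPrivilege'           = @('BUILTIN\Administrators')  # Load and unload device drivers
    'SeRestorePrivilege'              = @('BUILTIN\Administrators')  # Restore files and directories
}

function Compare-RightsToBaseline {
    param($Actual, $Expected)
    foreach ($priv in $Expected.Keys) {
        $have = (@($Actual[$priv]) | Where-Object { $_ } | Sort-Object) -join '; '
        $want = (@($Expected[$priv]) | Sort-Object) -join '; '
        [pscustomobject]@{
            Right    = $priv
            Expected = if ($want) { $want } else { '(no one)' }
            Actual   = if (-not $Actual.Contains($priv)) { '(not in listing)' } elseif ($have) { $have } else { '(no one)' }
            Ok       = $Actual.Contains($priv) -and ($have -eq $want)
        }
    }
}

# Constructed excerpt of the listing above (Backup Operators still hold SeRestorePrivilege).
$sample = @'
Accesschk v6.13 - Reports effective permissions for securable objects
SeTrustedCredManAccessPrivilege (Access Credential Manager as a trusted caller):
SeTcbPrivilege (Act as part of the operating system):
SeBackupPrivilege (Back up files and directories):
  BUILTIN\Administrators
SeDebugPrivilege (Debug programs):
  BUILTIN\Administrators
SeLoadDriverPrivilege (Load and unload device drivers):
  BUILTIN\Administrators
SeRestorePrivilege (Restore files and directories):
  BUILTIN\Backup Operators
  BUILTIN\Administrators
'@ -split "`r?`n"

# On the real device use the live listing instead: $lines = accesschk.exe -accepteula -a *
Compare-RightsToBaseline -Actual (ConvertFrom-AccessChkRights $sample) -Expected $Baseline | Format-Table -AutoSize
```

Against the listing above it reports Ok = False for SeRestorePrivilege, because BUILTIN\Backup Operators still holds Restore files and directories while the baseline wants Administrators only.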
Where do you start with moving policies to Intune? I don't think there is a right or wrong answer. I decided to start with audit policies, for two reasons: I need to standardise the security event auditing on our devices, and we need to update one region to help with SCCM UDA.
How to do it?
Let's look at what we have today. We have differences between the computers around the regions in what we audit. An example is below.
Policy: Europe / Americas / Asia / Pacific
Audit Logon: Europe = Success and Failure; Americas = Success and Failure; Asia = Success and Failure; Pacific = Success and Failure
Audit File Share: Europe = Failure; Americas = Success and Failure; Asia = Success; Pacific = Success
Audit Sensitive Privilege Use: Europe = Success and Failure; Americas = Success and Failure; Asia = Success and Failure; Pacific = Success and Failure
Audit Other Policy Change Events: Europe = Success and Failure; Americas = Success and Failure; Asia = Failure; Pacific = Success and Failure
We know SCCM likes us to audit logon events to make sure you have good User Device Affinity. You also need a good history of the events, otherwise it can impact your UDA.
Checking the Microsoft Windows 10 1909 baseline, it likes to include these (but they do cause some noise in the event logs, which impacts the SCCM UDA. Rock and a hard place, anyone?)
Audit Credential Validation: Success and Failure
Audit Security Group Management: Success
Audit User Account Management: Success and Failure
Audit PNP Activity: Success
Audit Process Creation: Success
Audit Account Lockout: Failure
Audit Group Membership: Success
Audit Logon: Success and Failure
Audit Other Logon/Logoff Events: Success and Failure
Audit Special Logon: Success
Audit Detailed File Share: Failure
Audit File Share: Success and Failure
Audit Other Object Access Events: Success and Failure
Audit Removable Storage: Success and Failure
Audit Audit Policy Change: Success
Audit Authentication Policy Change: Success
Audit MPSSVC Rule-Level Policy Change: Success and Failure
Audit Other Policy Change Events: Failure
Audit Sensitive Privilege Use: Success and Failure
Audit Other System Events: Success and Failure
Audit Security State Change: Success
Audit Security System Extension: Success
Audit System Integrity: Success and Failure
Now we know what we want to audit, let's get started in Endpoint Manager. Audit policies aren't available in Administrative Templates (yet), so we need to use the CSP. We can see the policies exist in ./Vendor/MSFT/Policy/Config/Audit. The CSP covers most of the audit points you will want, but we will only add the relevant ones.
Press Save, and then assign it to your test Azure AD Group and press save.
Give it some time to apply. If you’re impatient like me, force a Sync through Settings > Accounts > Access work or school. Click your work or school account, then click Sync.
How do we know it's worked? You can run the following command to see what's changed.
C:\>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success
  System Integrity                        Success and Failure
  IPsec Driver                            Success and Failure
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Failure
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   No Auditing
  User / Device Claims                    No Auditing
  Group Membership                        Success
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              Success and Failure
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              Success and Failure
  Detailed File Share                     Failure
  Removable Storage                       Success and Failure
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 Success and Failure
Detailed Tracking
  Process Creation                        Success
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Plug and Play Events                    Success
  Token Right Adjusted Events             No Auditing
Policy Change
  Audit Policy Change                     Success
  Authentication Policy Change            Success
  Authorization Policy Change             Success
  MPSSVC Rule-Level Policy Change         Success and Failure
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              Failure
Account Management
  Computer Account Management             No Auditing
  Security Group Management               Success
  Distribution Group Management           No Auditing
  Application Group Management            Success and Failure
  Other Account Management Events         No Auditing
  User Account Management                 Success and Failure
DS Access
  Directory Service Access                No Auditing
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              Success and Failure
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure
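Rather than eyeballing the auditpol output against the 1909 list, here is an added example (not from the original post) that parses the "auditpol /get /category:*" text and reports every baseline subcategory whose effective setting differs. The embedded sample is a constructed excerpt of the output above; the only assumption is that auditpol prints subcategories indented under their category, as shown.

```powershell
# Added example (not from the original post): compare "auditpol /get /category:*" output with
# the 1909 baseline list above. The sample below is a constructed excerpt of the post's output.

function ConvertFrom-AuditPol {
    param([string[]]$Lines)
    # Subcategory lines are indented under their category and end with the effective setting.
    $settings = [ordered]@{}
    foreach ($line in $Lines) {
        if ($line -match '^\s+(.+?)\s+(Success and Failure|Success|Failure|No Auditing)\s*$') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }
    return $settings
}

# Baseline from the list above, keyed by auditpol subcategory name
# ("Audit PNP Activity" is reported by auditpol as "Plug and Play Events").
$Baseline = [ordered]@{
    'Credential Validation'           = 'Success and Failure'
    'Security Group Management'       = 'Success'
    'User Account Management'         = 'Success and Failure'
    'Plug and Play Events'            = 'Success'
    'Process Creation'                = 'Success'
    'Account Lockout'                 = 'Failure'
    'Group Membership'                = 'Success'
    'Logon'                           = 'Success and Failure'
    'Other Logon/Logoff Events'       = 'Success and Failure'
    'Special Logon'                   = 'Success'
    'Detailed File Share'             = 'Failure'
    'File Share'                      = 'Success and Failure'
    'Other Object Access Events'      = 'Success and Failure'
    'Removable Storage'               = 'Success and Failure'
    'Audit Policy Change'             = 'Success'
    'Authentication Policy Change'    = 'Success'
    'MPSSVC Rule-Level Policy Change' = 'Success and Failure'
    'Other Policy Change Events'      = 'Failure'
    'Sensitive Privilege Use'         = 'Success and Failure'
    'Other System Events'             = 'Success and Failure'
    'Security State Change'           = 'Success'
    'Security System Extension'       = 'Success'
    'System Integrity'                = 'Success and Failure'
}

function Compare-AuditToBaseline {
    param($Actual, $Expected)
    # One row per baseline subcategory that is missing or set differently; no rows means compliant.
    foreach ($sub in $Expected.Keys) {
        $got = if ($Actual.Contains($sub)) { $Actual[$sub] } else { '(not in output)' }
        if ($got -ne $Expected[$sub]) {
            [pscustomobject]@{ Subcategory = $sub; Expected = $Expected[$sub]; Actual = $got }
        }
    }
}

# Constructed excerpt of the output above (subcategories indented as auditpol prints them).
$sample = @'
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
'@ -split "`r?`n"

# On the real device (elevated prompt) use the live output instead: $lines = auditpol /get /category:*
Compare-AuditToBaseline -Actual (ConvertFrom-AuditPol $sample) -Expected $Baseline | Format-Table -AutoSize
```

Fed the full output above, it reports a single mismatch: Other Logon/Logoff Events is No Auditing where the baseline wants Success and Failure, which is exactly the kind of missed OMA-URI the next paragraph's event log check is for.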
If it hasn't worked, check the event log. Look in Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider for any errors. Most of my errors were either a missing character or a space added to the end of the OMA-URI.
We have decided it's time to block our EAS connections. We have had some MAM policies set up for about a year and in test. We were about to roll them out at the start of this year to Europe and Africa. Then an IT restructure happened and the scope changed to global. Then the elephant in the world happened: Covid. (I'll cover MAM in another post.)
It's an easy process to set up the rules, but you have to be careful not to lock yourself out of your Office 365. We have lots of rules set up, but these ones are fairly standard from MS.
I set up the policy a few months ago and started testing. I got the expected block message, which was great news. Happy with the work I had done, I started to implement these on some of my test users.
I added some more users into the rule, expecting it to take 24 hours to apply. I told the users what to expect and then waited for the angry messages asking where their contacts are. A colleague reached out and advised that he was still able to access his email with the native client.
What could it be? Timing? Forgot to press Save? I check the logs. One connection is allowed and one is blocked. He is still getting the mail. Maybe I missed the group. Nope, it's included. He is in the group as you would expect.
What have I missed?
Let me check the rules again, for the 100th time.
page 2
Hang on. What's this tick? Apply only to non-compliant devices... when did that get ticked? Why would I tick that?
Let's take a look at the logs. Oh dear. That explains it.
I turn it off. Let's see if that helps. And it does.
Moral of the story: the page you think is empty probably has an unexpected and important setting ticked.
I like to dabble in a bit of Power BI. I am hardly a data visualisation expert, but I know enough to make a decent report. I am working on updating an old Intune report I customised based off the first release of the Intune Data Warehouse. It works. It's not beautiful and it's huge. I keep getting asked to trim it down since it's one of the top processing hogs of my company's Premium subscription.
One of my biggest issues is that I can't get decent user information for the report. The data warehouse has the UPN and that's about all that's useful. Originally I resorted to a PowerShell script to export users, company and a few extension attributes, created a scheduled task and ran with it. It has worked since 2017. But I feel I should modernise this process given the data-driven world we live in. (And the compute team want to move the server.)
Time to roll up my sleeves and try the Graph Explorer. It's some trial and error, but you can find what you need. Extension attributes are complicated, but you can get there. And I did. All excited, I created my OData connection in Power BI, then... it doesn't work. Wrong password... again... cough, should have set up passwordless... Try again... nope. After some googling: Power BI doesn't support the authentication for the Graph API.
Grrrrrrr.
What to do? I can write another scheduled task and PowerShell script... or create an Azure site to proxy the Graph API.
Or maybe I will call it done for the week and enjoy the rest of this oddly hot London day with my son and wife in the paddling pool.
I’m sure you can guess which option I chose. The water was lovely.