Tag: Endpoint Manager

Windows Autologin stopped working

Do you ever find yourself troubleshooting why autologin has stopped working on Windows?

There is a series of devices that require to autologin. These are usually Kiosk devices, or Monitoring Boards, TVs etc etc.

Randomly the devices that needed autologin all stopped working. Around about the same time. We checked the usually suspects (Did someone lock the account again?) Did we apply a new security policy that blocked it? Did a Windows update break it.

Lets take a step back and remind ourselves how Auto Login works. The key requirements to make the Auto Login work are

A working username and password. (AD user or local user )
A Windows device. ()
The following registry keys set

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="timstechblurbs.local"
"AutoAdminLogon"="1"
"DefaultUserName"="AutomationUser"
"DefaultPassword"="ALongAndComplacatePAsswordNoOneCanRemeber"
"AltDefaultUserName"="AutomationUser"
"AltDefaultDomainName"="timstechblurbs.local"
"ForceAutoLogon"="1"

If we have all of these set the PC should auto login.

Where is the problem?

The Auto Logins stopped working. After re adding the keys, it didn’t help. The DefaultPassword key was deleted and the ForceAutoLogon was set to 0. Something is changing this.

We spun up ProcMon with Boot Logging enabled and started digging into the results. It looks like LoginUI is delete the Keys during shutdown

3/23/2023 9:26:35 AM	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon is changed from 1 to 0 by LogonUI.exe
3/23/2023 9:26:35 AM	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword is deleted by LogonUI.exe.
3/23/2023 9:26:36 AM	User Logoff Notification for Customer Experience Improvement Program
3/23/2023 9:26:38 AM	The Event log service was stopped. (This is an indicator that system is shut down)
3/23/2023 9:27:38 AM	The Event log service was started. (This is an indicator that system is started)

A Further check of the Event logs show and EAS Policy is responsible. But why. (These accounts don’t have mailboxes.)

We dig and dig, to find there is no mail, nor a reason to connect to Exchange online. We delete the policy and it comes back after a few hours.

How does Intune fit into this?

All the devices are enrolled in SCCM, and AAD Hybrid join and enrolled into Intune. In testing, we deleted a device from Intune and blocked enrolment. They AutoLogin keys stayed and the EAS Policy was removed.

After checking the Configuration Polices applied in Intune, we found no culprits. We already exclude the device from most of the Intune Polices.

However when checking the Compliance polices, we are setting minimum Password length. We have found our problem!!!

But wait. We aren’t applying the Compliance policy to any devices, and the autologin users usually aren’t Synced to AAD? Turns out our assumption was wrong. The user were Synced to AAD and the compliance policy was set to All users. There our problem.

How can we fix this

First things first. Lets exclude the Auto Login users from the compliance policy and sync the device. It can take hours / days for the policy to be removed from the device status.

Then added the autologin keys back to the device and waited in the hope that this problem is solved. Unfortunately the problem returned shortly after.

Turns out Intune does a very good job of caching settings on the device and will keep them there.

You either need to

Delete the device from Intune, and let it Re enrol.
Set up a new compliance policy removing the settings.
Manually intervene, find and delete the keys. and Script the fix.

I chose the 3rd option. There are too many computers to remove them from Intune. We don’t want a compliance policy set up that could be applied in the wrong place. I set up the fowling script to delete the keys, Add the autologin back and to Sync with Intune.

### 
# Reset the Device Auto Login after device is joined to AAD and Intune
# Ensure the Complance Policy is not set on the device. Otherwise the problem 
# will come back in a few days
###

param ([String] $LoginUser = "AutomationUser"
, [String] $LoginDomain = "timstechblurbs.local"
, [String] $LoginPassword = "ALongAndComplacatePAsswordNoOneCanRemeber")


$NodeCacheKeys = Get-ChildItem -path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\' -recurse -erroraction silentlycontinue | Get-ItemProperty | where {$_.'NodeUri' -like "*/DeviceLock/*"}    

foreach ($key in $NodeCacheKeys)
{
        Write-Host $key.PSPath
        Remove-Item -Path $key.PSPath -Recurse -WhatIf
}

$PolicyKeys = Get-ItemProperty -path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\' -erroraction silentlycontinue 

Write-Host $PolicyKeys.PSPath
Remove-Item -Path $PolicyKeys.PSPath -Recurse 


$EASKeys = Get-ItemProperty -path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EAS\Policies' -erroraction silentlycontinue 

Write-Host $EASKeys.PSPath
Remove-Item -Path $EASKeys.PSParentPath -Recurse


Get-ScheduledTask -TaskName "Schedule to run OMADMClient by server" -ErrorAction Continue | Start-ScheduledTask

Set-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Value $LoginDomain
Set-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AltDefaultDomainName -Value $LoginDomain
Set-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value "1"
Set-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name ForceAutoLogon -Value "1"
Set-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value  $LoginUser
Set-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value $LoginPassword

5 October 2023

How to enrol your Android Devices into Endpoint Manager with a NFC tag
Do you have loads of devices to provision but not enough time to tap on each screen. If only there was another way.

Typically the enrolment process would be, boot up the device, then tap the screen spot many time until the camera loads, Scan the token, then connect to(and type in the password for) Wifi. Then start the enrolment process.

With a NFC tag, you can save the token and the wifi configuration into the tag, then simply swipe the tag to start the enrolment.

There isn’t much information about this enrolment process for Endpoint Manager. But it can be really handy and save time for the enrolment. But where to start. Let’s check the Microsoft blog about this. https://docs.microsoft.com/en-us/archive/blogs/cbernier/nfc-based-android-enterprise-device-enrollment-with-microsoft-intune (The work in here represents my experience using NFC to enroll the devices. Full credit goes to Chris Baldwin from MS for his blog about the topic. It’s a really good blog post on UEM4all and the MS Site above. )

So what do we need.
1. Some NFC Tags. You can use most of the NFC tasks, but make sure they have plenty of space. I bought NTAG216 tags that have 888 writable bytes of data and are writable with a Zebra card printer. (Added bonus to make the cards pretty)
2. A NFC Reader / Writer. You can get these for the PC, or take advantage of the one in your phone. You can download the app NFC tool Pro for a few pounds on the play store.
3. Some data to write to the NFC Card.
Lets begin by formulating the data. There is lots of coding in these tag, and were borrowing it from the android developer documentation.

The first part is the same for all Endpoint Manager Enrolments.

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://play.google.com/managed/downloadManagingApp?identifier=setup android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM=I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME=com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver

The next part you need is the enrolment token. Go to the Enroment then page and copy the teszct string as is to put at the end of the string.

android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE=com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN=<CHANGE TO ENDPOINT MANAGER TOEKN>

Lets also also add in the WiFi configuration to speed things up (don’t forget to enrolling the device on a different Wifi to the ones you want to install). Include all the lines in the token otherwise it won’t wor correctly and you will get an Error. The options for Security are WPA, WEP or None. Once you have the NFC created, you might need to play with the quotes. It worked when I removed them Ann in this format.

android.app.extra.PROVISIONING_WIFI_SSID=”GUEST”
android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE=WPA
android.app.extra.PROVISIONING_WIFI_PASSWORD=MYPASSWORD

We have the data so let’s load up the closest device. Lets load up NFC tool Pro. Open the Write Tab, The select Add Record. Navigate to the bottom of the screen and select Data.

In Content-type, type in application and in the next textbox type in com.android.managedprovisioning

In the Data field you need to put in your entire text string you have created.

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://play.google.com/managed/downloadManagingApp?identifier=setup android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM=I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME=com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE=com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN=<CHANGE TO ENDPOINT MANAGER TOEKN> android.app.extra.PROVISIONING_WIFI_SSID=”GUEST” android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE=WPA android.app.extra.PROVISIONING_WIFI_PASSWORD=MYPASSWORD

Press OK once done.

Now let’s write the tag. Press the write button, and then hold the NFG tag on the back of you device for a few seconds until it says write completed.

Before you continue, you might want to save the profile in the NFC tools Pro. Select More Options and Save a Tag Profile. Then give it a good name, You will need to update the NFC tag each time you renew the profile.

Now we have our NFC Enrolment card, lets test it. Find a (another) device, factory rest it. On the first page tap the NFC tag on the device. You will go straight to the enrolling pages. You will have to accept the T&C’s during the enrolment. Let its do it thing & Viola. Device enrolled as device Owner.

If you get an error with the WiFi connection, play with the quotes around game the SSID and the password. For me to worked without the quotes.

Hopefully this will save you some time and effort earn enrolling the devices. Especially if you have lots to install.
16 November 2020

How can Storage Sense help in the fight against full C: Drives?

How much time do we spend casing users full C: drive. Especially when patch Tuesday has come along and we need to get patch KBxxxxx installed yesterday.

Storage sense to the Rescue!!!

Storage sense can be spilt into two handy features.

Deflating OneDrive on demand files
Cleaning Temp, Downloads and old unused files.

Let’s start with OneDrive files on Demand. Since build 17720, we were able to save space on the client machine by only download the well used files. That really handy when you have lots of large files, but only need to access once in a while. We can also control when our files are “dehydrated” and converted to cloud only files.

You need to find the right number of days before dehydrating the files. Somewhere between 1 and 365. If you have a lot of user without a regular internet connection, I would aim for value of over 6o. If you pretty well always online, I would aim for more 15 – 30 days. It also depends on the amount of data saved in OneDrive. It includes any data stored in synced Sharepoint folders as well. I decided on 30 Days.

The we choose a cadence. I went with 1 – Every day for the testing. I don’t normally notice when it runs. But it could equally be every week. So when we went live I set it to every 7 days.

What about cleaning up the downloads folder? It always ends up as a dumping ground for me. Lets set it for 30 days. This is one point it is worth mentioning to the end users. I have some old programs and handy installers saved in OneDrive. So when I break my computer again I can rebuild It without finding all the software again. (I know, I should always take the last versos from he website. )

Now we know what we want to set. Let’s set it up in Endpoint Manager.

Select Windows 10 and Later, and Custom Profile.

Enter in a Name and Description.

Lets Start with “Allow Storage Sense Global.” Select Add on the next Page. Enter in the name for the setting. In the OMA-URI after in ./Device/Vendor/MSFT/Policy/Config/Storage/AllowStorageSenseGlobal. The Data Type should be Internet. Set the Value to 1 (Meaning Enabled). Press Save.

Lets repeat until we cover all of the settings in the table.

Name	Description	OR_UAM	Value
AllowStorageSenseGlobal	Turn Storage Sense is on	./Device/Vendor/MSFT/Policy/Config/Storage/AllowStorageSenseGlobal	1
AllowStorageSenseTemporaryFilesCleanup	Clen up Tempoary Files	./Device/Vendor/MSFT/Policy/Config/Storage/AllowStorageSenseTemporaryFilesCleanup	1
ConfigStorageSenseCloudContentDehydrationThreshold	Number of days since a cloud-backed file has been opened before Storage Sense will dehydrate it	./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseCloudContentDehydrationThreshold	30
ConfigStorageSenseDownloadsCleanupThreshold	Minimum age threshold (in days) of a file in the Downloads folder before Storage Sense will delete it	./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseDownloadsCleanupThreshold	0
ConfigStorageSenseRecycleBinCleanupThreshold	Minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it	./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseRecycleBinCleanupThreshold	30
ConfigStorageSenseGlobalCadence	Cadence	./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseGlobalCadence	1

Once Done, let’s save and deploy it to our test devices. Sync and reboot the test device.

How do I know is working?

Press Start and search Storage Sense. You can then see a break down off the settings. you can also see how much space you saved. (Once its been running for a few days)

In our testing it’s saved us about 20-30 % space on the devices.It has helped us keep the drives clean in the process and ensure we can get the update and software out to the clients.

You can see with files are set to Cloud Only files. On the left, the first file is a cloud only. The user simply double clicks, and it downaloads

Some very simple and easy setting to get some fresh space.

9 November 2020

How to move Windows 10 User Rights Assignment to Endpoint Manager / Intune

Should you change the default user rights assignments in Windows 10? That’s the question. If you ask my college the AD expert, he will tell you to run away and don’t even think about changing the defaults. (He will back it up with some pretty funny stories as well about who someone did it and locked out a company and maybe even a ship)

If you ask the Security team, the answer is a yes. We should set them.

Let taks a look. We will start at my favourite site. The Windows 2004 security baseline. MS recommend quite a few setting to be applied. When we add another baseline from the Security team we end up with the table below.

Policy Setting Name	Windows 10
Access Credential Manager as a trusted caller	No One (Blank)
Access this computer from the network	Administrators; Remote Desktop Users
Act as part of the operating system	No One (Blank)
Allow log on locally	Administrators; Users
Back up files and directories	Administrators
Create a pagefile	Administrators
Create a token object	No One (Blank)
Create global objects	Administrators; LOCAL SERVICE; NETWORK SERVICE; SERVICE
Create permanent shared objects	No One (Blank)
Debug programs	Administrators
Deny access to this computer from the network	NT AUTHORITY\Local Account
Deny log on through Remote Desktop Services	NT AUTHORITY\Local Account
Enable computer and user accounts to be trusted for delegation	No One (blank)
Force shutdown from a remote system	Administrators
Impersonate a client after authentication	Administrators, SERVICE, Local Service, Network Service
Load and unload device drivers	Administrators
Lock pages in memory	No One (blank)
Manage auditing and security log	Administrators
Modify firmware environment values	Administrators
Perform volume maintenance tasks	Administrators
Profile single process	Administrators
Restore files and directories	Administrators
Take ownership of files or other objects	Administrators

First things first. Let’s check the CSP and see what we need to do. To note, you can user the nice name for the account. (i.e Administrators). But we have ever lanuguage under the sun. So we need a better way to define the accounts. Lets check the Well know SID Structures for what we need.

Lets start with the local administrator. When you check for the SID, be sure to look for the BUILTIN groups and not the domain Groups. Looking at the table the SID is S-1-5-32-544.

Now we check the local account and we get S-1-5-113.

Account	SID
Administrators	S-1-5-32-544.
Local Account	S-1-5-113
Local Service	S-1-5-19
Network Service	S-1-5-20
Service	S-1-5-6

So Lets set up a polcy. Lets open Endpoint Mananger.

Goto Devices -> Configuration Profiles. Select Add new.

Select “Windows 10 and Later” and Custom in the profile

Let’s enter in a Logical name. “Windows 10 User Rights Assignment” and select Save.

Lets Start with “Load and unload device drivers.” Select Add on the next Page. Enter in the name for the setting. I am preceding the name with URA (for User Rights Assignment). In the OMA-URI after in ./Device/Vendor/MSFT/Policy/Config/UserRights/LoadUnloadDeviceDrivers The Data Type should be string. Andter in the desired SID for the setting. In this case it will be *S-1-5-32-544. (Add the * in before to distinguish its a SID) Pres Save.

Done. What’s next. Lets go “Access Credential Manager as a trusted caller”. According the baseline no one should have access to this. But how do we define it so no one can access it. Well don’t press save with a blank field. It will fail (I learn the hard way)

Add a new one and add in the name URA – Access Credential Manager as a trusted caller. Then for the OMA-URI enter in ./Device/Vendor/MSFT/Policy/Config/UserRights/AccessCredentialManagerAsTrustedCaller. Select String again. In the data field I have set the value as </>. If you leave it black you get an error when saving it. Its really annoying if you have added 20 on and then relies they have all failed.

Repeat until you have added them all in. Select Next, and then assign them to your test group. Sync your device, and reboot.

You should also do the testing on a test machine. Just in case you lock your self out.

NAme	OAM-URI	Setting / SID’s
URA – Load and unload device drivers	./Device/Vendor/MSFT/Policy/Config/UserRights/LoadUnloadDeviceDrivers	*S-1-5-32-544
URA – Generate security audits	./Device/Vendor/MSFT/Policy/Config/UserRights/GenerateSecurityAudits	S-1-5-20;S-1-5-19;
URA – Access this computer from the network	./Device/Vendor/MSFT/Policy/Config/UserRights/AccessFromNetwork	S-1-5-32-555;S-1-5-32-544
URA – Enable computer and user accounts to be trusted for delegation	./Device/Vendor/MSFT/Policy/Config/UserRights/EnableDelegation	</>
URA – Access Credential Manager as a trusted caller	./Device/Vendor/MSFT/Policy/Config/UserRights/AccessCredentialManagerAsTrustedCaller	</>
URA – Act as part of the operating system	./Device/Vendor/MSFT/Policy/Config/UserRights/ActAsPartOfTheOperatingSystem	</>
URA – Allow log on locally	./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn	S-1-5-32-545;S-1-5-32-544
URA – Back up files and directories	./Device/Vendor/MSFT/Policy/Config/UserRights/BackupFilesAndDirectories	*S-1-5-32-544
URA – Create a pagefile	./Device/Vendor/MSFT/Policy/Config/UserRights/CreatePageFile	*S-1-5-32-544
URA – Create a token object	./Device/Vendor/MSFT/Policy/Config/UserRights/CreateToken	</>
URA – Create global objects	./Device/Vendor/MSFT/Policy/Config/UserRights/CreateGlobalObjects	S-1-5-20;S-1-5-19;S-1-5-6;S-1-5-32-544
URA – Create permanent shared objects	./Device/Vendor/MSFT/Policy/Config/UserRights/CreatePermanentSharedObjects	</>
URA – Create symbolic links	./Device/Vendor/MSFT/Policy/Config/UserRights/CreateSymbolicLinks	</>
URA – Debug programs	./Device/Vendor/MSFT/Policy/Config/UserRights/DebugPrograms	*S-1-5-32-544
URA – Deny access to this computer from the network	./Device/Vendor/MSFT/Policy/Config/UserRights/DenyAccessFromNetwork	S-1-5-32-546
URA – Deny log on as a service	./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLocalLogOn	*S-1-5-32-546
URA – Deny log on through Terminal Services	./Device/Vendor/MSFT/Policy/Config/UserRights/DenyRemoteDesktopServicesLogOn	*S-1-5-32-546
URA – Force shutdown from a remote system	./Device/Vendor/MSFT/Policy/Config/UserRights/RemoteShutdown	*S-1-5-32-544
URA – Impersonate a client after authentication	./Device/Vendor/MSFT/Policy/Config/UserRights/ImpersonateClient	S-1-5-20;S-1-5-19;S-1-5-6;S-1-5-32-544
URA – Increase scheduling priority’ is set to ‘Administrators	./Device/Vendor/MSFT/Policy/Config/UserRights/IncreaseSchedulingPriority	*S-1-5-32-544
URA – Load and unload device drivers	./Device/Vendor/MSFT/Policy/Config/UserRights/LoadUnloadDeviceDrivers	*S-1-5-32-544
URA – Lock pages in memory	./Device/Vendor/MSFT/Policy/Config/UserRights/LockMemory	</>
URA – Manage auditing and security log	./Device/Vendor/MSFT/Policy/Config/UserRights/ManageAuditingAndSecurityLog	*S-1-5-32-544
URA – Modify an object label	./Device/Vendor/MSFT/Policy/Config/UserRights/ModifyObjectLabel	</>
URA – Modify firmware environment values	./Device/Vendor/MSFT/Policy/Config/UserRights/ModifyFirmwareEnvironment	*S-1-5-32-544
URA – Perform volume maintenance tasks	./Device/Vendor/MSFT/Policy/Config/UserRights/ManageVolume	*S-1-5-32-544
URA – Profile single process	./Device/Vendor/MSFT/Policy/Config/UserRights/ProfileSingleProcess	*S-1-5-32-544
URA – Restore files and directories	./Device/Vendor/MSFT/Policy/Config/UserRights/RestoreFilesAndDirectories	*S-1-5-32-544
URA – Take ownership of files or other objects	./Device/Vendor/MSFT/Policy/Config/UserRights/TakeOwnership	*S-1-5-32-544
URA – Change the system time	./Device/Vendor/MSFT/Policy/Config/UserRights/ChangeSystemTime	S-1-5-32-544;S-1-5-6

How can you check the User rings assignments have worked? Lets ask Mark. He usually know these things.

Lets download AccessChk from here. https://docs.microsoft.com/en-gb/sysinternals/downloads/accesschk. It allows you to check various permissions fo r files register etc. We will use it with the -a to give us the Windows account right. Lets check SeSystemtimePrivilege or Change the System time. According to the baseline, only Admin and Local services should have this right. Lets run accesschk.exe -a SeSystemtimePrivilege

C:\Users\tim>accesschk.exe -a SeSystemtimePrivilege
 
Accesschk v6.13 - Reports effective permissions for securable objects
Copyright ® 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com
 
  SeSystemtimePrivilege (Change the system time):
        BUILTIN\Administrators
        NT AUTHORITY\LOCAL SERVICE

Great the values are as we expect. What about the checking all the permissions. Let’s run accesschk.exe -a * to show all the permissions.

C:\Users\tim>accesschk.exe -a *
 
Accesschk v6.13 - Reports effective permissions for securable objects
Copyright ® 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com
 
  SeCreateTokenPrivilege (Create a token object):
  SeAssignPrimaryTokenPrivilege (Replace a process level token):
        NT AUTHORITY\NETWORK SERVICE
        NT AUTHORITY\LOCAL SERVICE
  SeLockMemoryPrivilege (Lock pages in memory):
  SeIncreaseQuotaPrivilege (Adjust memory quotas for a process):
        BUILTIN\Administrators
        NT AUTHORITY\NETWORK SERVICE
        NT AUTHORITY\LOCAL SERVICE
  SeMachineAccountPrivilege (Add workstations to domain):
  SeTcbPrivilege (Act as part of the operating system):
  SeSecurityPrivilege (Manage auditing and security log):
        BUILTIN\Administrators
  SeTakeOwnershipPrivilege (Take ownership of files or other objects):
        BUILTIN\Administrators
  SeLoadDriverPrivilege (Load and unload device drivers):
        BUILTIN\Administrators
  SeSystemProfilePrivilege (Profile system performance):
        NT SERVICE\WdiServiceHost
        BUILTIN\Administrators
  SeSystemtimePrivilege (Change the system time):
        BUILTIN\Administrators
        NT AUTHORITY\LOCAL SERVICE
  SeProfileSingleProcessPrivilege (Profile single process):
        BUILTIN\Administrators
  SeIncreaseBasePriorityPrivilege (Increase scheduling priority):
        BUILTIN\Administrators
  SeCreatePagefilePrivilege (Create a pagefile):
        BUILTIN\Administrators
  SeCreatePermanentPrivilege (Create permanent shared objects):
  SeBackupPrivilege (Back up files and directories):
        BUILTIN\Administrators
  SeRestorePrivilege (Restore files and directories):
        BUILTIN\Backup Operators
        BUILTIN\Administrators
  SeShutdownPrivilege (Shut down the system):
        BUILTIN\Backup Operators
        BUILTIN\Users
        BUILTIN\Administrators
  SeDebugPrivilege (Debug programs):
        BUILTIN\Administrators
  SeAuditPrivilege (Generate security audits):
        NT AUTHORITY\NETWORK SERVICE
        NT AUTHORITY\LOCAL SERVICE
  SeSystemEnvironmentPrivilege (Modify firmware environment values):
        BUILTIN\Administrators
  SeChangeNotifyPrivilege (Bypass traverse checking):
        BUILTIN\Backup Operators
        BUILTIN\Users
        BUILTIN\Administrators
        NT AUTHORITY\NETWORK SERVICE
        NT AUTHORITY\LOCAL SERVICE
        Everyone
  SeRemoteShutdownPrivilege (Force shutdown from a remote system):
        BUILTIN\Administrators
  SeUndockPrivilege (Remove computer from docking station):
        BUILTIN\Users
        BUILTIN\Administrators
  SeSyncAgentPrivilege (Synchronize directory service data):
  SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation):
  SeManageVolumePrivilege (Perform volume maintenance tasks):
        BUILTIN\Administrators
  SeImpersonatePrivilege (Impersonate a client after authentication):
        NT AUTHORITY\SERVICE
        BUILTIN\Administrators
        NT AUTHORITY\NETWORK SERVICE
        NT AUTHORITY\LOCAL SERVICE
  SeCreateGlobalPrivilege (Create global objects):
        NT AUTHORITY\SERVICE
        BUILTIN\Administrators
        NT AUTHORITY\NETWORK SERVICE
        NT AUTHORITY\LOCAL SERVICE
  SeTrustedCredManAccessPrivilege (Access Credential Manager as a trusted caller):
  SeRelabelPrivilege (Modify an object label):
  SeIncreaseWorkingSetPrivilege (Increase a process working set):
        BUILTIN\Users
  SeTimeZonePrivilege (Change the time zone):
        BUILTIN\Users
        BUILTIN\Administrators
        NT AUTHORITY\LOCAL SERVICE
  SeCreateSymbolicLinkPrivilege (Create symbolic links):
  SeDelegateSessionUserImpersonatePrivilege (Obtain an impersonation token for another user in the same session):
        BUILTIN\Administrators
  SeBatchLogonRight:
        BUILTIN\Performance Log Users
        BUILTIN\Backup Operators
        BUILTIN\Administrators
  SeInteractiveLogonRight:
        BUILTIN\Backup Operators
        BUILTIN\Users
        BUILTIN\Administrators
        EAUKUKDH0VUMDEN\Guest
  SeNetworkLogonRight:
        BUILTIN\Backup Operators
        BUILTIN\Users
        BUILTIN\Administrators
        Everyone
  SeServiceLogonRight:
        NT SERVICE\ALL SERVICES
  SeDenyBatchLogonRight:
        NT AUTHORITY\Local account and member of Administrators group
        NT AUTHORITY\Local account
  SeDenyInteractiveLogonRight:
        BUILTIN\Guests
  SeDenyNetworkLogonRight:
  SeDenyServiceLogonRight:
        NT AUTHORITY\Local account and member of Administrators group
        NT AUTHORITY\Local account
  SeRemoteInteractiveLogonRight:
        BUILTIN\Remote Desktop Users
        BUILTIN\Administrators
  SeDenyRemoteInteractiveLogonRight:
        BUILTIN\Guests

Now all the rights look good. So lets plan to roll it out and hope we don’t become a funny storey for my college

20 October 2020