master-client(-management)

Take Windows Up to 11

Hardening of BeyondTrust Privilege Management for Windows (aka Avecto Defendpoint) Group Policies

04/02/2021 / / 0 Comments

Hey folks, in the last 8 years I have been helpimg a lot of companies to deploy what is now known as BeyondTrust Privilege Management for Windows (PMfW) and was formerly known as Avecto Defendpoint or Privilege Guard. In this post I want to show you how to harden your Group Policy based configurations against unwanted access.

Problem

The PMfW Agent uses a human readable XML configuration file which in most cases is deployed via Group Policy. The locally cached configuration is protected against unelevated access with NTFS permissions, but this does not apply to the default configuration of the Group Policy. The XML configuration file stored in the policy directory in the SYSVOL-Share of the Domain is readable for every authenticated user. A clever user or an attacker could use the read-only access to find a loophole in the configuration to elevate processes he is not allowed to or to gain full admin access to the computer. It is very unlikely, due to the Anti-Tampering mechanisms implemented into the Agent, but not impossible.

As you can see in the picture above the access to the local policy cache in %ProgramData%\Avecto is prohibited (1). But the user can load the XML configuration file from the GPO folder in the SYSVOL-Share and for example look up the application definitions of an Application Group (2).

Solution

If you are only using computer policies for PMfW, which is quite common, the solution is easy. Just replace the Authenticated Users entry in the Security Filtering of the relevant Group Policies with the Domain Computers group.

Changing the Security Filtering of a GPO is the same as setting NTFS permissions on the folder of the policy in the SYSVOL-Share. As you can see in the picture below accessing the GPO from the network is no longer possible for the user. However, the System Account of the device, which is automatically part of the Domain Computers group of the Active Directory Domain, is still able to access it during policy updates.

Deploy the Microsoft Store App via Intune from the Microsoft Store for Business

29/01/2021 / / 0 Comments

Problem

Hey folks, just a quick one. I recently ran into the situation that I had to deploy the Microsoft Store app to Windows 10 devices from which it was previously removed during OSD. The devices are modern managed via Intune so I thought it would be easy to deploy it as Microsoft Store for Business app but unfortunately, I couldn’t find the app in the store.

Solution

I googled around a bit and was able to find the name (microsoft-store) and the ID (9wzdncrfjbmp) of the app in the store, so I just browsed to an app in the store and replaced the name and the id in the URL:

https://businessstore.microsoft.com/en-us/store/details/microsoft-store/9wzdncrfjbmp

There was the Microsoft Store app in the business store, and I could add it to the private store of the company (Online or Offline). I choose offline to avoid any potential problems by installing a store app from the store without having the store installed. I went back to Intune and after a sync from the Business Store the app appeared, and I was able to deploy it successfully to the devices.

Windows 10 20H2 nice to know for me and IT Pros and Enterprise admins (curated link list)

23/10/2020 / / 0 Comments

Latest Update: January 13, 2020

Windows 10 20H2 is again a small fall release with a long support cycle of 30 months. It shares a lot with the spring release (NTK 2004) so check out my list for this release, too.
If you found something new before me or if I missed anything important, please send me a message via Twitter.

General

Topic Link Source
What’s new for IT Pros New and Updated Features of interest for IT Pros Microsoft
What’s new What’s new in Windows 10, version 2004 Microsoft
Release Status Known issues and notifications Microsoft
Removed features Features and functionality removed in Windows 10 Microsoft
Connection Endpoints Manage connection endpoints for Windows 10 Enterprise, version 20H2 Microsoft

Group Policies

Topic Link Source
WMI Filter Select Version,ProductType from Win32_OperatingSystem WHERE Version LIKE "10.0.19042%" and ProductType = "1" Sascha Stumpler
ADMX ADMX files for 20H2 Microsoft
Baseline (DRAFT) Security Baseline (DRAFT) for Windows 10 20H2 Microsoft
Baseline (FINAL) Security Baseline (FINAL) for Windows 10 20H2 Microsoft
Baseline Download Security Compliance Toolkit Microsoft

Autopilot, OSD, MEMCM, Intune and MDT

Topic Link Source
MDM What’s new in mobile device enrollment and management Microsoft
MDM-CSP Policy CSP – LocalUsersAndGroups Microsoft
LCU+SSU Combined Servicing Stack and Cumulative Updates Microsoft
Renamed BUILTIN Accounts Windows 10 2004/20H2 and renamed Administrator accounts are recreated Michael Niehaus

Misc

Topic Link Source
Important Issues Knowledgebase: Important Issues for Windows 10, version 20H2 build 19042 DirTeam, Sander Berkouwer
MMC error After updating to Windows 10, version 20H2, you might receive an error when accessing the sign-in options or users MMC snap-in Microsoft

Windows 10 2004 nice to know for me and IT Pros and Enterprise admins (curated link list)

28/05/2020 / / 2 Comments

Latest Update: January 13, 2020

Windows 10 2004 is the first big release since 1903 (NTK 1903) and compared to the small update of Windows 10 1909 (NTK 1909) this brings a lot of changes.
If you found something new before me or if I missed anything important please write a comment or send me a message via Twitter.

General

Topic Link Source
What’s new for IT Pros New and Updated Features of interest for IT Pros Microsoft
What’s new What’s new in Windows 10, version 2004 Microsoft
Release Status Known issues and notifications Microsoft
Removed features Features and functionality removed in Windows 10 Microsoft
Connection Endpoints Manage connection endpoints for Windows 10 Enterprise, version 2004 Microsoft

Group Policies

Topic Link Source
WMI Filter Select Version,ProductType from Win32_OperatingSystem WHERE Version LIKE "10.0.19041%" and ProductType = "1" Sascha Stumpler
New settings 17 new ADMX settings Jörgen Nilsson
ADMX ADMX files for 2004 Microsoft
Baseline (DRAFT) Security Baseline (DRAFT) for Windows 10 2004 Microsoft
Baseline (FINAL) Security Baseline (FINAL) for Windows 10 2004 Microsoft
Baseline Download Security Compliance Toolkit Microsoft

Autopilot, OSD, MEMCM, Intune and MDT

Topic Link Source
Autopilot Autopilot features in 2004 Michael Niehaus
MDT BIOS Making MDT work with Windows ADK 2004 for BIOS Machines Johan Arwidmark
MDT Hotfix Windows 10 deployments fail with MDT on computers with BIOS type firmware Microsoft
Servicing New custom actions during and after a feature update Microsoft
Dynamic Update New switches to exclude Drivers and Cumulative Updates Microsoft
New MDM What’s new in MDM for Windows 10, version 2004 Microsoft
MUI Better Language Handling Michael Niehaus
MDT Updates OSD MDT and installing updates during a task sequence Michael Niehaus
Renamed BUILTIN Accounts Windows 10 2004/20H2 and renamed Administrator accounts are recreated Michael Niehaus

Windows Subsystem for Linux 2 aka WSL2

Topic Link Source
Cool WSL tips Cool WSL (Windows Subsystem for Linux) tips and tricks you (or I) didn’t know were possible Scott Hanselman
Docker in WSL2 How to set up Docker within Windows System for Linux (WSL2) on Windows 10 Scott Hanselman
Remote debugging Remote Debugging a .NET Core Linux app in WSL2 from Visual Studio on Windows Scott Hanselman
Update to WSL2 Manually update Linux Kernel to WSL2 Craig Loewen, MS
Access WSL VHDX Access WSL2 .vhdx on External Drive Within a Windows 10 System Image Ed Burns

Misc

Topic Link Source
MSIX MSIX Installation possible without Sideloading Microsoft
Upgrade HVCI Update to Windows 10, version 2004 might encounter an update compatibility hold due to HVCI Microsoft
Wifi 2004 supports Wi-Fi 6 and WPA3 Microsoft
Identity Identity-related Features in Windows 10 version 2004 DirTeam.com
Reset Reset PC from the cloud Microsoft
Reserved Storage DISM Reserved Storage Command-line Options Microsoft
Notepad Notepad enhancements in Windows 10 2004 Microsoft
VMware Workstation VMware Workstation 15.5.5 supports Hyper-V and therefor Credential Guard and WSL on the hosting system VMware
VMware Workstation VMware Workstation and Hyper-V Microsoft
Citrix Issues Citrix Known Issues with 20H1 Insider Preview including a problem with ICA connections Citrix
OneDrive Issues using OneDrive On-Demand after updating to 2004 Microsoft
AppX the list of removeable apps did not change
Windows 10 1903 Built-In Apps: What to Keep		 Anton Romanyuk, Microsoft

Windows 10 1909 nice to know for IT Pros and Enterprise admins (curated link list)

11/10/2019 / / 1 Comment

Latest Update: November 29, 2019

Even though Windows 10 1909 is only a small update compared to 1903 (NTK 1903) I have created this list with interesting links for IT Pros regarding this release. A place where I can store articles about new features, settings or bugs. I will update the post with new content as soon as I find it.
If you find something new before me or if I missed anything important please write a comment or send me a message via Twitter.

General

Topic Description Source
What’s new for IT Pros New and Updated Features of interest to IT Pros Link
What’s new What’s new in Windows 10, version 1909 Link
Release Status Known issues and notifications Link
Removed features Features and functionality removed in Windows 10 Link

Group Policies

Topic Description Source
WMI Filter Select Version,ProductType from Win32_OperatingSystem WHERE Version LIKE "10.0.18363%" and ProductType = "1" Link
ADMX ADMX files for 1909 Link
Security Baseline (Final) Security Baseline (Final) for Windows 10 1903 Link
Security Baseline 1909 Security Compliance Toolkit Link

Autopilot, OSD, SCCM and MDT

Topic Description Source
No new ADK Windows 10 1903 ADK is used with 1909 Link
Servicing not Updates Even though the 1903 to 1909 Enablement package is a very small update it is classified as an upgrade and can be found in the servicing node Link

Misc

Topic Description Source
Supported CPUs Windows Processor Requirements Link
Delivery Options Windows 10, version 1909 delivery options Link

Deploy and configure Lenovo Vantage with Microsoft Intune

11/07/2019 / / 2 Comments

When you decide to use Modern Client Management with Intune you have to do some things differently than in the classic onprem world. One key consideration regarding Windows Devices in a modern management scenario is the handling of drivers and BIOS updates.

You have four valid options:

  • Do not update drivers (not a good idea)
  • Create your own packages and deploy them as Application or Script
  • Let Windows Update for Business handle it
  • Use the hardware vendor tool

I would recommend to useone of the last two options or both in combination. I have been using the combination of Lenovo Vantage (f.k.a. System Updater) and Windows Update for several years and have gainedgood experiences with that.

Each major vendor of Business PCs provides such a tool and some are better than others. If you want to use the tool of the hardware vendor you have to be clear about the fact that this can be a security risk as Dell has shown here and here.

In this article I want you to show how to deploy and configure the Lenovo Vantage with Intune to your Windows 10 Lenovo devices using Microsoft Store for Business, Win32 applications, ADMX ingesting and Azure AD dynamic group memberships.

Create a dynamic group of Lenovo devices in Azure AD

In order to deploy Lenovo Vantage to all managed Lenovo Windows 10 devices create a new group in your Azure AD. Go to groups in the Device Management Portal or the Azure AD Portal and click on New Group.

Choose Group Type Security and a distinct Group name. The membership type should be dynamic (requires Azure AD Premium P1 or higher).

Azure AD create Dynamic group

Then select Dynamic device members, switch the slider to Advanced rule and insert the following

After a while all MDM Lenovo Windows 10 devices will show up in the group.

Add Lenovo Vantage to the Microsoft Store for Business and sync it to Intune

The Lenovo Vantage app can be deployed with Intune as Microsoft Store for Business (MSfB) App.

If not already in place you have to enable the sync between MSfB and Intune. How to do that is not part of this post but it is described here or here.

After you have done that go to the Microsoft Store for Business (MSfB) and search for the Lenovo Vantage app and click on the Get the App Button to add it to your company store.

MSfb Lenovo Vantage

After that head back to the Intune console and check if you can find it in Client apps – Apps. (If not select Client apps – Microsoft Store for Business and click on the Sync button and it should appear shortly afterwards.)

Intune Apps Lenovo Vantage

Click on the app, select Assignments and press the Add group button. Select the Assignment type Required and add the group you have created in the first part to the Included Groups. Click on the save button to assign the Lenovo Vantage app to all Lenovo devices enrolled in Intune.

Intune Apps Lenovo Vantage Assignment

Create and deploy a Win32 app for Lenovo System Interface Foundation in Intune

The Lenovo Vantage software consists of two parts. The first one is the App-X app deployed in the last section. The second part is the SystemInterfaceFoundation.exe which installs the Win32 software needed to interact with Windows on a system level.

First of all, you have to download the Lenovo Vantage sources for Large Enterprises and the Intune Microsoft Win32 Content Prep Tool.

Extract the SystemInterfaceFoundation.exe in a directory of its own from the ZIP file. Then start the IntuneWinAppUtil.exe.

In the window which opens insert the path to the folder containing the SystemInterfaceFoundation.exe as source folder. After that put in SystemInterfaceFoundation.exe setup file. The last value should be the directory where you want the output to be saved. This will create a SystemInterfaceFoundation.intunewin file in the output directory.

IntuneWinAppUtil

Now we have the source file for the Win32 app in Intune. Head back to the Intune portal and open Client apps – Apps and click on the Add button. Select Windows app (Win32) as App type and then click on App package file and upload the intunewin file created in the last step.

Add-App-IntuneWin

Enter a value for every field marked with a red asterisk in the App information menu.

Add-App-IntuneWin-Configure

In the Program menu enter the following install and uninstall command and select System for install behavior:

Add-App-IntuneWin-Program

Choose both OS architectures and Windows 10 1607 as minimum OS under Requirements.

Add-App-IntuneWin-Requirements

Add a Registry detection for the following key and choose Yes for the 32-bit application setting.

Add-App-IntuneWin-Detection

Then press the Add button at the bottom to save the application.

After the app is ready (this can take a while) click on Assignments and Add group. Select Required and the group from the first part and Save.

Ingest the Lenovo Vantage ADMX

Intune allows you to deploy and configure settings with custom ADMX files. As a first step we have to ingest the ADMX file so that the local configuration service provider recognizes the settings. If you want to learn more about ADMX ingesting check these articles out: TechCommunity, Blogs Technet or Peter van der Woude

In Intune go to Device Configuration – Profiles – Create Profile.

Intune-DevCon-Profile-Add

Give it a name like Lenovo Vantage ADMX select Windows 10 as platform and Custom as profile type. Then click Add button and insert the following values:

(The last three parts of the OMA-URI can be changed if liked.)

Select String as data type and copy the complete content of LenovoCompanion.admx (part of the Lenovo Vantage sources for Large Enterprises) to the value field.

Intune-DevCon-Profile-Admx-Ingestion

After that press OK and Save the profile. Click on Assignments and then on Select groups to include and choose the group with the Lenovo devices.

Configure Lenovo Vantage ADMX settings

After the deployment of the ADMX ingestion we are ready to configure the Lenovo Vantage software.

The last part of this article is to find the settings you want to set and insert them as a custom OMA-URI setting. This part is the hardest. You can use the policy console locally or in a domain to verify the settings by copying the ADMX and ADML file to the local (%windir%\PolicyDefinitions) or the central policy store (\<sysvol>\policies\PolicyDefinitions). Alternatively, you can use getadmx.com.

The custom OMA-URI must have the following format:

./Device/Vendor/MSFT/Policy/Config/{AppName}~{SettingType}~{CategoryPathFromADMX}/{SettingFromADMX}

I will give you an example: I would like to enable Critical Updates. The {AppName} and {SettingType} are already defined by the OMA-URI value used by ingesting the ADMX. In the configuration from above {AppName} = LenovoVantage and {SettingType} = Policy.

In order to get the {CategoryPathFromADMX} we have to find the setting ID. The easiest way is to search in the ADML

GPO-Find-setting-IN-ADML

The ID of the setting is 70E80D9F_37C7_4C93_8C68_3EB61E57D2EE and now we have to search the parent category in the ADMX file.

GPO-FindINADMX

The parent category is CAT_180BD888-5525-4C12-82CC-85AB86885844 and now we have to check if it itself has a parent category.

GPO-Find-category-IN-ADMX

Apparently, the category has another parent category, CAT_BEA4CF23_6B19_4DC7_9F10_2DDE18EA21B5 for which we have to search again

GPO-Find-Category-IN-ADMX2

This one does not have a parent and we finally have all data for the URI, which looks as follows:

./Device/Vendor/MSFT/Policy/Config/LenovoVantage~Policy~CAT_BEA4CF23_6B19_4DC7_9F10_2DDE18EA21B5~CAT_180BD888-5525-4C12-82CC-85AB86885844/70E80D9F_37C7_4C93_8C68_3EB61E57D2EE

After that we are able to configure the setting. In Intune open Device configuration – Profiles and select Create profile.

Intune-DevCon-Profile-Add

Give it a name like Lenovo Vantage ADMX select Windows 10 as platform and Custom as profile type. Then click the Add button and insert the following values (Data type String):

Intune-Set-Admx-Setting

Press OK and Create to save the changes and then select Assignments to deploy it to the group we have created at the beginning.

If you open Lenovo Vantage on a managed device you should now see the Critical Updates option enabled and greyed out.

Vantage Updates

A Deployment Guide is included in the Lenovo Vantage sources for Large Enterprises. It has a section explaining which settings to disable in an enterprise environment and I used this as a baseline. I added two settings to enable Critical Updates and Recommended Updates and exported the configuration. I am using the scripts from @vanvfields to export and import the configuration to Intune.

Just download the Import-DeviceConfig.ps1 and save my configuration below as JSON file.

Then run the Import-DeviceConfig.ps1. It will ask you for your Intune Admin credentials in first step and then to grant permissions for the Graph API to Intune if not already present. Afterwards, you just need to insert the path of the JSON file and it will create the configuration profile in Intune for you.

Conclusion

This article shows how to deploy the Lenovo Vantage App event to Windows Autopilot devices and how to enforce its configuration on modern managed clients.

This information is provided “AS IS” with no warranties, confers no rights and is not supported by the authors.

Windows 10 1903 nice to know for IT Pros and Enterprise admins (curated link list)

21/05/2019 / / 1 Comment

Latest Update: November 22, 2019

With the release of Windows 10 1903 I want to start a curated link list for every Windows 10 release. A place where I can store interesting articles about new features, settings or bugs. I plan to update with new content as soon as I find it.
If you find something new before me or if I missed anything important please write a comment or send me a message via Twitter.

General

Topic Description Source
What’s new for IT Pros New and Updated Features of interest to IT Pros Link
What’s new in WUfB What’s new in Windows Update for Business in Windows 10 Link
Release Status Known issues and notifications Link
Connection Endpoints Manage connection endpoints for Windows 10 Enterprise, version 1903 Link

Group Policies

Topic Description Source
New GPOs Group Policy Changes in Windows 10 1903 Preview Link
New GPOs New GPO settings in Windows 10 1903: enforce updates, Storage Sense, and logon Link
Security Baseline (Final) Security Baseline (Final) for Windows 10 1903 Link
Security Baseline 1903 Security Compliance Toolkit Link
WMI Filter Select Version,ProductType from Win32_OperatingSystem WHERE Version LIKE "10.0.18362%" and ProductType = "1" Link
ADMX Download of 1903 ADMX files Link
Start Menu crash Continue experiences on this device Group Policy setting kills the Start Menu Link

Autopilot, OSD, SCCM and MDT

Topic Description Source
WSUS category Windows 10 1903 has ist own WSUS product category, SCCM 1902 required to manage 1903 Link1 Link2
What’s new in ADK Changes to the ADK especially the known issues Windows SIM x64 error Link WSIM Update
Autopilot The latest news on Windows Autopilot Link
Autopilot Companion Example Companion App to change settings during White Glove deployments Link
Autopilot White Glove Windows Autopilot for white glove deployment Link
High CPU SCCM WoL Proxy High CPU consumption of SCCM wake-up proxy due to DHCP data storage changes Link
MBR2GPT PE error MBR2GPT.exe will not run successfully in 1903 PE because ReAgent.dll is missing Link
Autopilot needs longer Why does “Preparing your device for mobile management” take longer with Windows 10 1903? Link
Autopilot ESP Bitlocker Since June 26th update of 1903 Autopilot will wait after OOBE (ESP) to begin encrypting Link
Autopilot Known issues Windows Autopilot known issues in Windows 10 1903 Link

Apps

Topic Description Source
Apps, AppX Windows 10 1903 Built-In Apps: What to Keep Link
Builtin AppX Understand the different apps included in Windows 10 Link

MDM

Topic Description Source
What’s new in MDM What’s new in MDM for Windows 10, version 1903 Link
MSfB Apps not deployed Take Action to Ensure MSfB Apps deployed through Intune Install on Windows 10 1903 Link

Misc

Topic Description Source
Sandbox Enable Windows Sandbox on 1903 with and without PowerShell Link
Sandbox Configuration How to configure Windows Sandbox Link
Sandbox Mapped Folder If you use mapped folder in Windows Sandbox, note that the ReadOnly value should be in lowecase like “true” and not “True” Link
Run in Sandbox Run file in Windows Sandbox from right-click and Context menu Link
Reserved Storage Windows 10 and reserved storage Link
WSL What’s new for WSL in Windows 10 version 1903? Link
Provisioning error on Wi-Fi for AAD Known issue: Provisioning error on Wi-Fi for Azure AD joined Windows 10 version 1903 Link
HV DHCP Default Switch Hyper-V Default Switch not handing out DHCP addresses for VMs or Mobile Hotspot Link
SBS Essentials connector broken Windows 10 1903 feature update breaks the SBS, Essentials client connector Link
Always On VPN RASMAN service issue The Remote Access Connection Manager (RASMAN) service may stop with error “0xc0000005” Link
VSM enabled by default Virtualization-Based Security: Enabled by Default on capable hardware since OS Build 18362.387 Link

Monitoring Windows 10 Defender Attack Surface Reduction Rule Events with Microsoft Teams

08/04/2019 / / 0 Comments

Windows Defender attack surface reduction (ASR) rules are a feature included in Windows 10 Enterprise which allows you to secure some common attack vectors like malicious E-Mail attachments or office files. It is a great additional layer for your client security strategy.
ASR is part of the Advanced Threat Protection family and therefore a Windows 10 Enterprise E5 feature. But you are allowed to use some of the rules with a Windows 10 E3 subscription though without the monitoring and management capabilities of the ATP online portal.
Most of the ASR rules included in an E3 subscription are also part of the Windows Defender Security Baseline for Windows 10 (1809) since the version for Windows 10 1709.

Problem

So what’s the problem? In my opinion you want these rules to be enabled on all your endpoints, but without monitoring and management you will have some impact on your application landscape. Especially for some of the new rules which shipped with 1809 you will need to implement exceptions, like blocking Office programs from creating child processes. But how do you want to implement exceptions if you aren’t aware which applications need them?

You have three valid options:

  1. Disable the ASR rules in your environment
  2. Enable the ASR rules in Audit Mode, centralize the audit events, configure exceptions and enable blocking at a later time
  3. Enable ASR rules in block mode, centralize the block events and create exceptions promptly

Option one is obviously the worst decision you can make in terms of client security. Option two is a good way to go forward but I have worked in many projects where approaches like these were followed and in most cases the blocking was not activated before we, the externals, left. And as far as I know it was never activated at all in most cases except when it was a management goal. However, this is the recommended way to implement this technology according to Microsoft.
For me Option three is the way to go because of the Windows-as-a-Service model. A phased rollout of a feature upgrade like 1809 should give you enough time to implement exceptions for the ASR rules before you have a widespread issue if you get notified on time.

My Solution

My solution to this scenario is to forward all block (or audit) events to an event collector server where a PowerShell script runs as a scheduled task. The script checks if it is the first time the executable triggered this ASR rule and if so forwards the event details to a Microsoft Teams channel. You can use the Teams channel to monitor the events and decide if you want to create an exception for the executable or not.

That is in short what I will show.

How to create an Exception for the Attack Surface Reduction Rules

At the moment you can only create exceptions for all ASR rules at once by using the group policy setting Exclude files and paths from Attack Surface Reduction Rules which you can find in Computer Configuration – Administrative Templates – Windows Components – Windows Defender Antivirus – Windows Defender Exploit Guard – Attack Surface Reduction.
Just enter the path of the executable that you want to exclude in the Name column and the 0 in the Value column.

ASR Exclusion

Event forwarding Client Configuration

Windows Event Forwarding is part of the Windows Remote Management (WinRM) and can be configured on several ways. I won’t go into details about configuring WinRM, because there are already plenty of good articles about that topic. Instead I will show you an easy configuration with Group Policy. Feel free to reach out to me if you need any assistance in configuring it otherwise.
To enable Event Forwarding via GPO on the clients we have to set the following settings:

  • Start the WinRM service and set it to automatic:
    Create a GPO and open Computer Configuration – Preferences – Control Panel Settings – Services, right click on it and select New – Service

ASR Exclusion

Then click on the three dots behind Service name and select the Windows Remote Management (WS-Management) or WinRM service. After that set Startup to Automatic and Service action to Start service. Then press OK to close the dialogue.

ASR Exclusion

  • Set the event collector server as Subscription Manager:
    Go to Computer Configuration / Policies / Administrative Templates / Windows Components / Event Forwarding and open the _Configure target Subscription Manager__ setting. Click on the Show button and add Server=\<FQDN> to the table.

ASR Exclusion

Event forwarding Server Configuration

Now we have to configure the Event Collector Server to receive the events. You can use any currently supported Windows OS as an event collector but I would recommend using a server OS according to its role.
In order to enable the server as event collector we have to enable the event collector service and create an event subscription.

Open up an administrative cmd and enter wecutil qc and proceed with y to quickly configure the Windows Event Collector service.

After that open up the Event Viewer and click on Subscriptions. In the right pane click on Create Subscription. Give the subscription a suitable name in the windows that open up and click on Select Computer Groups….

ASR Exclusion

Click on AD Domain Computers… and select an Active Directory group or the Active Directory objects you want to monitor. I used Domain Computers here so that all computers are able to send events. We already selected the computers to monitor by linking and filtering the group policy. After that press OK.

ASR Exclusion

Then press on Select Events…, switch to XML and insert the following to select the Windows Defender Attack Surface Reduction Rules block and audit events (Source):

ASR Exclusion

After that click on the Advanced… button and select Minimize Latency. Then click OK to save the subscription.

ASR Exclusion

Now go back to the administrative cmd and use the following command to set the content format of the subscription to events which is more efficient (see also).

ASR Exclusion

Configure the Team in Microsoft Teams

Go to Microsoft Teams and create or let create a new Team or reuse an existing team. I would recommend to have a dedicated team for this but do as you like.

When you have your team click on the three dots next to the team name select Add channel and create a channel for an ASR rule.

ASR Exclusion

After that click on the three dots next to the channel name and select Connectors.

ASR Exclusion

Search for Incoming Webhook and press the Add button.

ASR Exclusion

Confirm with the__Install__ button that you want to add it to your team.

ASR Exclusion

Give it a name for example Event Collector and upload a picture if you like. The picture will be used in every message sent by the script.

ASR Exclusion

Press on Configure and you will get presented an URL which you should copy.

ASR Exclusion

Repeat these steps for every ASR-rule and for the General channel.

Configure the Scheduled Task

After that copy the following script to your event server:

Now replace the placeholders in the GET-ASRData function (beginning in line 54) with the Webhook-URLs you created in the last step for each rule. Use the URL you create for the General channel for the default value (line 166)
If a new Windows 10 build will contain ASR rules the events will be sent to the General Channel in your teams with the new rule GUID as description. If you want to extend the script to support new rules just extend the $ASRData hash table (line 78) and add a new channel to your team.

Open up the Computer Management and go to Task Scheduler \ Task Scheduler Library and create a New Task.

ASR Exclusion

Give it a name like ASR-Teams, select Run whether a user is logged on or not and select a user account to run the task. In order to use the webhooks the account needs access to the internet, so the System Account might not work if you have to use a Proxy server.

ASR Exclusion

Switch to the Triggers tab, click on New… and choose a reoccurring schedule.

ASR Exclusion

On the Actions tab, click on New… and use the following lines (replace with your location of the script):

Executable:

Arguments:

(If you add the -Verbose parameter a transcript/logfile will be created in the path specified in $FilePath paramater. The default value is %programdata%\master-client)

After that check the Conditions and the Settings tab and press OK.

ASR Exclusion

ASR Exclusion

Now we should have anything in order and as soon as your clients start sending ASR related events to the server you should get them forwarded to Microsoft Teams.

ASR Exclusion

Conclusion

You can now enable the new ASR rules right from the beginning of your Windows 10 1809 deployment and you will get informed if any executable is blocked in Microsoft Teams.

This is a simple proposal how to enable the ASR feature without a high user impact. If you have other tools in place to centralize events and monitor your endpoints use them instead.

Thanks

Thanks to Terence Beggs and SCConfigMgr for the idea and the PowerShell code regarding the Microsoft Teams forwarding.

This information is provided “AS IS” with no warranties, confers no rights and is not supported by the authors.

Windows Hello Something went wrong

“Something went wrong” error when enabling Windows 10 facial authentication

07/08/2018 / / 0 Comments

Problem

When I was at a customer’s site lately and tried to enable the Windows Hello face recognition feature I encountered an error. After pressing the Get started button on the Windows Hello setup page Sorry, something went wrong was displayed without further explanations.

Windows Hello Setup
Windows Hello Setup Error

When I checked the Windows Event Log I could find a DistributedCOM error with the EventID 10016 which stated that the application did not have the local activation permission for the COM application.

Windows eventlog error DCOM

After that I looked up the APPID from the event in the Component Services and found out that it was the RuntimeBroker which controls the execution of the AppX(Universial)-Apps. Thinking about that I remembered that we had limited the access to the camera to certain AppX-Apps via Group Policy.

Component Services

I opened regedit as an Administrator and removed the value

HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessCamera

and tested again. Then it worked! So I just needed to find out which AppX needs access to the camera. I looked up the installed AppX with the PowerShell command:

Get-AppxPackage | select Name | sort

There it was the Microsoft.BioEnrollment_cw5n1h2txyewy AppX which looked like the app I was searching for. I reset my registry changes with a Group Policy update and added the AppX name to the value of:

HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessCamera_UserInControlOfTheseApps

Registry privacy camera

After that I tested again and it still worked to setup the facial recognition.

Camera working

Solution

Adding the AppX Microsoft.BioEnrollment_cw5n1h2txyewy to the Put user in control of these specific apps or the Force allow these specific apps fields of the Let Windows apps access the camera setting in the GPO under Computer Settings\Administrative Templates\Windows Components\App Privacy resolved the issue and users are able to use their face to authenticate on Windows.

GPO settings camera privacy

Windows 10 1803 ADMX Files SearchOCR error $(string.Win7Only) not found

07/05/2018 / / 0 Comments

Problem

Update 2: On 7/13/2018 Microsoft released Version 2.0 of the 1803 ADMX files without the issue
Update: Included feedback from @Jtracy_ItPro regarding multiple orphaned ADML files.

I just updated the Windows 10 ADMX files in the Central Policy Store of my lab domain with the Windows 10 1803 ADMX files. After that I got the error that the resource $(string.Win7Only) referenced in attribute displayName could not be found when accessing the Administrative Templates with the Group Policy Editor.

ADMX Error

I checked the mentioned searchocr.admx and the corresponding searchocr.adml file and found out that the modified dates differed by around three years (2015 and 2018).
Looking at the extracted 1803 ADMX files from the download revealed that they only include the SearchOcr.ADML files not the corresponding ADMX.

ADMX 1803

The c:\Windows\PolicyDefinitions folder of a running instance of Windows 10 1803 does not contain the two files.

Solution

Update 2: On 7/13/2018 Microsoft released Version 2.0 of the 1803 ADMX files without the issue

As long as I cannot find the 1803 version of the SearchOcr.admx I restored the old SearchOcr.adml file(s) from my backup and the error went away. Or even better remove the SearchOcr.ADML from every language that you want to import to the Central Policy Store.

@Jtracy_ItPro pointed out to me that the SearchOcr.adml is not the only orphaned ADML in the ADMX pack. The following list ADML files are orphaned in the 1803 ADMX pack as well

  • fileservervssagent.adml
  • microsoft-windows-geolocation-wlpadm.adml
  • microsoft-windows-messaging-grouppolicy.adml
  • searchocr.adml
  • terminalserver-winip.adml
  • userdatabackup.adml
  • wwansvc-admin-group-policy-data.adml

Any of these files can cause similar errors if you already have an older version of the ADMX and ADML in your Central Policy Store.

Therefore I wrote a small PowerShell function to find any orphaned ADMLs in a PolicyDefinitions folder.

You can use this function to find and remove any orphaned ADML before importing the files to the Central Policy Store

« Older posts

© 2023 master-client(-management)

Theme by Anders NorenUp ↑