Scheduling a reboot via Windows 10 MDM

This week is also about configuring Windows 10 devices. This week is all about scheduling a reboot on a Windows 10 device by using Microsoft Intune and Windows 10 MDM. That can be useful for scheduling reboots on for example shared devices. Simply making sure that even those type of devices get a reboot every now and then, or making sure that specific configurations or installations are getting fully applied. This can be achieved by using the Reboot CSP. In this post I’ll have a look at the available policy settings and the configuration of those policy settings. I’ll end this post by having a look at the results of the configuration.

Available policy settings

The Reboot CSP can be used to configure reboot settings. That CSP contains only a few policy settings and methods (nodes). The required policy setting for this post is available as a policy setting (node) in this CSP. The root node of the Reboot CSP is ./Vendor/MSFT/Reboot and the table below describes the nodes below.

PolicyDescription
RebootNowThis node can be used to execute a reboot of the device. It will trigger a reboot within 5 minutes to allow the user to wrap up any active work. This method is used when triggering a Restart via the Intune console.
Schedule/SingleThis node can be used to execute a reboot of the device at a scheduled date and time. Setting a null (empty) date will delete an existing schedule. The date and time value is ISO8601, and both, the date and time, are required.
Example: 2019-10-01T22:00:00Z
Schedule/DailyRecurrentThis node can be used to execute a reboot of the device, each day, at a scheduled time starting at the configured time and date. Setting a null (empty) date will delete an existing schedule. The date and time value is ISO8601, and both, the date and time, are required.
Example: 2019-10-02T21:00:00Z

Configuring the policy settings

Now let’s continue by looking at the actual configuration of the different configurable policy settings of the Reboot CSP. That means configuring a single reboot schedule and a daily recurrent reboot schedule. This can be achieved by using a custom device configuration profile. The following four steps walk through the configuration of the single reboot schedule, by using the information of above (including the example values).

The daily recurrent reboot schedule can be achieved by following the same steps and simply adjusting the OMA-URI and the Value. The screenshots below show both configurations. Also, by using two different Data type configurations. After creating the profile, it can be assigned like any other device configuration profile.

  1. Open the Azure portal and navigate to Microsoft Intune Device configuration Profiles to open the Devices configuration – Profiles blade
  2. On the Devices configuration – Profiles blade, click Create profile to open the Create profile blade
  3. On the Create profile blade, provide the following information and click Create
  • Name: Provide a valid name
  • Description: (Optional) Provide a valid description
  • Platform: Windows 10 and later
  • Profile type: Custom
  • Settings: See step 4
  1. On the Custom OMA-URI Settings blade, provide the following information and click Add to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK in the Custom OMA-URI blade)
  • Name: Single reboot schedule
  • Description: (Optional) Provide a valid description
  • OMA-URI: ./Vendor/MSFT/Reboot/Schedule/Single
  • Data type: Select String
  • Value: 2019-10-01T22:00:00Z

Note: The same configuration can be achieved by using the Date and time data type and selecting the date and time in the UI (as shown below). Keep in mind that it will translate the selected date and time to the UTC time, which in my case is currently a 2 hour difference. To remove the schedule, use 0000-00-00T00:00:00Z as a value.

Result on the device

After assigning the created device configuration profile(s), it’s time to have a look at the results on a device. The Reboot CSP will create a scheduled task for the configured reboot schedules (as shown below). Those scheduled tasks are available at Microsoft > Windows > EnteriseMgmt > {EnrollmentID} > Reboot.

As I’ve configured a single reboot schedule and a daily recurrent reboot schedule, the screenshot below shows a task RebootCSP daily recurrent reboot and a task RebootCSP scheduled reboot. Those tasks are used for performing the actual reboots by using deviceenroller.exe -ForcedReboot.

After successfully rebooting multiple devices, I’ve noticed the following to keep in mind:

  • The Last Run Time of the scheduled tasks never updates after a reboot, as if the scheduled task is recreated with a new Next Run Time.
  • The result of the custom device configuration profile in Microsoft Intune still shows a Remediation failed error message, while the configuration is successful.

More information

For more information about the Reboot CSP, have a look at the documentation about the Reboot CSP.

Triggering devices to upload (diagnostic) files to cloud storage

This week is all about triggering Windows 10 devices to upload (diagnostic) files to cloud storage. That can be very useful for gathering information and diagnosing potential issues. Starting with Windows 10, version 1903, Microsoft added additional functionality to the DiagnosticLog CSP. The DiagnosticLog CSP is used for generating and collecting diagnostic information from the device and the additional functionality enables triggering devices to upload existing event logs, log files, and registry values to cloud storage. That actually opens the route to some really nice scenarios regarding the collection of information on MDM managed Windows 10 devices. I’ll start this post by providing some information about the required setting, followed by going through the steps of configuring that setting. I’ll end this post by showing the administrator experience.

Available policy settings and configuration options

Let’s start by having a look at the available policy settings. The required policy setting for this post is available as a policy setting in a new node of the DiagnosticLog CSP. The root node of the DiagnosticLog CSP is ./Vendor/MSFT/DiagnosticLog and the table below describes the relevant nodes below.

PolicyDescription
DiagnosticArchive This is the root node for the DiagnosticArchive functionality (only “Get” functionality).
DiagnosticArchive/ArchiveDefinitionThis policy setting can be used to set an XML snippet (as a string) describing what data to gather and where to upload it when done. That XML defines what the data that should be collected and that should be compressed into a zip file to be uploaded to Azure blob storage (“Add” and “Execute” functionality).
DiagnosticArchive/ArchiveResults This policy setting displays the results of the last archive run (only “Get” functionality).

The required policy setting for this post is the DiagnosticArchive/ArchiveDefinition node. That policy setting requires an XML formatted string as input. The format of the XML is shown below. The elements are all wrapped in the Collection element and it contains at least the an ID and SasUrl element. Those elements are required to make sure that the policy setting will be executed and that the collected data is sent to the correct location. The collected data will be uploaded in the format DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip. That format is not configurable.

<Collection>
     <ID>{id}</ID>
     <SasUrl>{web address}/{container}{key}</SasUrl>
     <RegistryKey>{registry key}</RegistryKey>
     <Command>{command}</Command>
     <FoldersFiles>{file or folder}</FoldersFiles>
     <Events>{event viewer}</Events>
</Collection>

The usage of the different elements in the XML formatted string is described in the table below.

ElementDescription
IDThe ID element is used to specify a unique GUID value that defines the run of the DiagnosticLog CSP. The ID can be generated by using the New-Guid cmdlet. A new ID is required to trigger a new collection.
Example value: 91d667ae-18d3-46c6-ae43-0bb6d6ac25f4
SasUrl The SasUrl element is used to specify the storage location for the collected data. The SasUrl can be copied from Blob service SAS URL of the storage container, with the addition of the storage container name (make sure to escape special characters).
Example value: <![CDATA[https://{storageaccount}.blob.core.windows.net/{storagecontainer}?sv=2018-03-28&ss=b&srt=o&sp=c&se=2019-10-30T04:19:14Z&st=2019-09-17T19:19:14Z&spr=https&sig=qpVr6NFegQfjIWYV4uwsAqbT1FtgzCtz8P%2Bbrhl6%2FQM%3D]]>
RegistrykeyThe Registrykey element (there can be multiple) can be used to specify a registry key that should be exported and collected.
Example value: HKLM\Software\Policies\Microsoft
FoldersFilesThe FoldersFiles element (there can be multiple) can be used to specify a file or folder that should exported and collected.
Example value: C:\Windows\Temp\MDM*.*
Command The Command element (there can be multiple) can be used to specify a command that should be executed.
Example value: %windir%\system32\mdmdiagnosticstool.exe -out C:\Windows\Temp\MDM\
Events The Events element (there can be multiple) can be used to specify an Event Log that should exported and collected (specify the name of the log).
Example value: Microsoft-Windows-User Device Registration/Admin

Constructing and configuring the policy setting

Now let’s continue by constructing the XML formatted string and by having a look at the configuration. The first step is constructing the XML format string that will be used during the configuration. The main use case of this post is gathering troubleshooting information. For that reason the XML formatted string is constructed with information to gather the policy registry key, to run the MDM diagnostics tool, to gather the result of the MDM diagnostic tool and to gather additional event logs. A nice combination to show all the different options. The example constructed for this post is provided below. It contains the earlier mentioned example values. The only elements that should still be added are the ID and the SasUrl. Those elements are environment specific.

<Collection>
    <ID>{GUID}</ID>
    <SasUrl><![CDATA[{web address}/{container}{key}]]></SasUrl>
    <RegistryKey>HKLM\Software\Policies\Microsoft</RegistryKey>
    <Command>%windir%\system32\mdmdiagnosticstool.exe -out C:\Windows\Temp\MDM\</Command>
    <FoldersFiles>C:\Windows\Temp\MDM\*.*</FoldersFiles>
    <Events>Microsoft-Windows-User Device Registration/Admin</Events>
</Collection>

After constructing the XML it’s time for the actual configuration of the policy setting. The following four steps walk through the actual configuration steps of a custom device configuration profile. That device configuration profile can be used to configure the ArchiveDefinition policy setting. After creating the device configuration profile, simply assign the profile like any other device configuration profile.

  1. Open the Azure portal and navigate to Microsoft Intune Device configuration Profiles to open the Devices configuration – Profiles blade
  2. On the Devices configuration – Profiles blade, click Create profile to open the Create profile blade
  3. On the Create profile blade, provide the following information and click Create
  • Name: Provide a valid name
  • Description: (Optional) Provide a valid description
  • Platform: Windows 10 and later
  • Profile type: Custom
  • Settings: See step 4
  1. On the Custom OMA-URI Settings blade, provide the following information and click Add to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK in the Custom OMA-URI blade)
  • Name: Provide a valid name
  • Description: (Optional) Provide a valid description
  • OMA-URI: ./Vendor/MSFT/DiagnosticLog/DiagnosticArchive/ArchiveDefinition
  • Data type: Select String
  • Value: {XML}

Administrator experience

Let’s end this post by having a look at the administrator experience. Below on the first row on the left is an example of the collected data in the storage account. It provides an overview of the devices that collected and uploaded the requested data. All conform the mentioned naming standard. Below on the first row on the right is an example of the same data, but downloaded and extracted. The XML provides an overview of the results of the different actions to gather data. The folders contain the data of the different actions. The number of folders matches the number of actions in the provided XML. The lines even match (line 1 is folder 1, etc.).

Below on the second row is an example of how the information is logged in the registry. The MdmDiagnostics key contains a value that contains the results of the latest run, the Results value, and a value that contains the initial XML, the XML value. That key also contains a key per diagnostics collection run. The ID of the latest run is registered in the earlier mentioned values.

More information

For more information about triggering devices to upload files to cloud storage, see the DiagnosticLog CSP for triggering devices to upload files to cloud section in the DiagnosticLog CSP documentation.

The different ways of enrolling devices in Windows Analytics

After a week of silence, due to the MVP Summit, this week another new blog post. This week is all about enrolling devices in to Windows Analytics. An updated version, with a slightly different angle, of a post of about two years ago. This time I’ll summarize the different methods to achieve the same goal and the changes since Windows 10, version 1803. I’ll start this post with an overview of the required settings, followed by an overview of the different configuration methods. I’ll end this post by going through my preferred method, for a cloud scenario, and the administrator experience.

Settings to configure

Now let’s start by looking at the settings that are required to enroll devices in to Windows Analytics. Those settings are the commercial ID, the telemetry level (and with that enabling Windows telemetry) and allowing the device name in the telemetry data (since Windows 10, version 1803). The following table describes the settings that are required, including a description, and starting point for my preferred method, for a cloud scenario, of configuring these settings.

Policy Description

AllowTelemetry

Values: 0 (Security), 1 (Basic), 2 (Enhanced), or 3 (Full)

This setting should be used to enable Windows telemetry. Windows Analytics requires a minimum Windows telemetry level of enhanced (optional together with the policy LimitEnhancedDiagnosticDataWindowsAnalytics to limit the telemetry data to the minimal required).

AllowDeviceNameInDiagnosticData

Values: 0 (Disabled) or 1 (Enabled)

This setting should be used to allow the device name in the Windows telemetry that is sent to Windows Analytics. That will enable that the different solutions within Windows Analytics can actually be used for really tracking update compliance.

CommercialID

Values: [YourCommercialID]

This setting should be used to specify the workspace id that should be used for Windows Analytics. The commercial ID can be found in the Settings of the different Windows Analytics solutions.

Note: The first two policies are available in the node ./Vendor/MSFT/Policy/Config/System and the third policy is available in the node ./Vendor/MSFT/DMClient/Provider/MS DM Server.

Configuration options

Let’s continue with looking at the different configuration methods. Every configuration option has pros and cons, which can differ per scenario.

1 WA-ConfigMgrWhen using Configuration Manager, the Configuration Manager client can be used to enroll a device in to Windows Analytics. This can be achieved by using the Windows Analytics section in the Client Settings. This configuration method can configure the commercial ID and the telemetry level. This can be a useful method in an on-premises, or a co-management scenario. Only allowing the device name in the telemetry data would require an additional configuration method.
2 WA-GPOWhen using Group Policy, Administrative Templates can be used to enroll a device in to Windows Analytics. This can be achieved by using the Data Collection and Preview Builds section in the Windows Components section of the Administrative Templates. This configuration method can configure the commercial ID, the telemetry level and the device name. This can be useful in any on-premises, or cloud scenario (by using a third-party tool like PolicyPak: MDM Edition). Only reporting on a setting-level will be limited in a cloud scenario.
3 When using Configuration Manager or Microsoft Intune, PowerShell scripts can be used to enroll a device in to Windows Analytics. This can be achieved by using the New-Item and the New-ItemProperty cmdlets to directly create the required registry keys. This configuration method can configure the commercial ID, the telemetry level and the device name. This can be useful in any on-premises, or cloud scenario. Only reporting on a setting-level will be limited.
4 WA-MDMWhen using Microsoft Intune, Windows 10 MDM can be used to enroll a device into Windows Analytics. This can be achieved by using custom OMA-URI settings. This configuration method can configure the commercial ID, the telemetry level and the device name. This can be useful in a co-management, or cloud scenario.

Preferred configuration option

Let’s continue by looking at my preferred configuration option, at least in a cloud scenario. Besides using Group Policy, this is the most reliable and complete option for configuring the required settings. It allows setting-level configuration and reporting. The following 3 steps walk through the required actions.

1 Open the Azure portal and navigate to Microsoft Intune > Device configuration > Profiles to open the Devices configuration – Profiles blade;
2 On the Devices configuration – Profiles blade, click Create profile to open the Create profile blade;
3a

WA-CreateProfileOn the Create profile blade, provide the following information and click Create;

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • Platform: Select Windows 10 and later;
  • Profile type: Select Custom;
  • Settings: See step 3b;

Explanation: This configuration will make sure that a custom profile is created that can be used to add the required Windows Analytics settings.

3b

WA-AddRowOn the Custom OMA-URI Settings blade, provide the following information and click Add to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK in the Custom OMA-URI blade);

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • OMA-URI: Specify a the required policy setting;
  • Data type: Select Integer;
  • Value: Specify the required value;

Note: Simply repeat this step for every policy setting that should be configured.

WA-MDM

Note: At some point in time this configuration will probably become available in the Azure portal without the requirement of creating a custom OMA-URI.

Administrator experience

Let’s end this post by looking at the administrator experience. Of course I can simply show the configurations on the device, but I thought that showing a device including the device name in a solution would show the complete picture. It proofs that Windows telemetry is enabled, that it’s sending data to the correct workspace and that it’s sending the device name (even for devices with Windows 10, version 1803 and newer). See below for that example.

WA-Result

More information

For more information about Windows Analytics and Microsoft Intune, please refer to the following articles:

Single full-screen Kiosk Browser app in kiosk mode

This week is all about configuring a single full-screen app in kiosk mode and more specifically, configuring the Kiosk Browser app as a single full-screen app in kiosk mode. A couple of years ago, I also did a post about setting up kiosk mode on Windows 10. This time it’s not about using OMA-URI’s, this time is all about using the available options within the portal. Spoiler alert, it became a whole lot easier! Deployment scenarios that this adds on to are, for example, AutoPilot self-deploying mode and enrollment via a device enrollment manager. In this post I’ll go through a few prerequisites for the configuration, followed by the actual configuration of the Kiosk Browser app in kiosk mode. I’ll end this post by looking at the end-user experience.

Prerequisites

Before being able to configure kiosk mode with the Kiosk Browser app, the following prerequisites must be in place and available.

  • Deploy the de Kiosk Browser app. The best method to deploy the app is by using the Microsoft Store for Business integration with Microsoft Intune. That combination will enable the ability to assign the app as a required app to devices and users;
  • Get the Application User Model ID (AUMID) of the Kiosk Browser app. The easiest method is using the provided PowerShell script, which will provide the following AUMID for the Kiosk Browser app: Microsoft.KioskBrowser_8wekyb3d8bbwe!App;

Configuration

Now that the prerequisites are known, it’s time to look at the actual configuration. Within this configuration I will show the steps to create a kiosk profile that will create a full-screen Kiosk Browser app with an autologon user. The following four steps will walk through the required configuration. After that simply assign the created profile to a user (for example the device enrollment manager) or device group (for example the AutoPilot self-deploying devices).

1 Open the Azure portal and navigate to Intune > Device configuration > Profiles;
2 On the Devices configuration – Profiles blade, click Create profile to open the Create profile blade;
3

KioskProfileOn the Create profile blade, provide the following information and click Create;

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • Platform: Select Windows 10 and later;
  • Profile type: Select Kiosk (Preview);
  • Settings: See step 4a and 4b.
4a

KioskMode-AddRowOn the Kiosk (Preview) blade, select Kiosk to open the Kiosk blade. On the Kiosk blade, click Add to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK in the Kiosk (Preview) blade);

  • Kiosk configuration name: Provide a valid name;
  • Kiosk Mode: Select Single full-screen app kiosk;
  • Universal Windows Platform (UWP) app identifier: Select Enter UWP app AUMID;
  • Application user model ID (AUMID) of app: Microsoft.KioskBrowser_8wekyb3d8bbwe!App;
  • User account type: Select Autologon.
4a

KioskBrowser-ConfigOn the Kiosk (Preview) blade, select Kiosk web browser to open the Kiosk web browser blade. On the Kiosk web browser blade, provide the following information and click OK;

  • Default home page URL: https://petervanderwoude.nl;
  • Home button: Select Not configured;
  • Navigation buttons: Select Not configured;
  • End session button: Select Not configured;
  • Refresh browser when user exceeds idle time limit: (Optional) Provide a time limit;
  • Blocked websites: (Optional) Add blocked websites;
  • Website exceptions: (Optional) Add excluded websites.

Note: As I’m not providing any buttons, there is no real use for blocking any websites.

Note: Even though the configuration was a success, the device configuration would always show the status Failed on the setting Full screen kiosk app status.

End-user experience

Now let’s end this post by looking at the end-user experience. The first thing I would like to show, is the default user that is created when using autologon as the user account type. That user is a local user named Kiosk and that local user not configured with a password. Once that user is automatically logged on and somebody would press Ctrl+Alt+Del, the person would see the screen as shown below.

MSI-KioskUser

The second thing that I would like to show is the end result of the complete configuration. When the configuration is applied to the device, the Kiosk user will autologon to the device and the Kiosk Browser app will start with the configured home page and without the ability to navigate or any other interaction, as shown below.

MSI-KioskBrowserLD

The third and last thing that I would like to show is the end result when the configuration is changed. Changed in a way that the navigation buttons are shown, the home button is shown and the end session button is shown. That result is shown below. With that configuration is might be useful to create a list with blocked websites.

MSI-KioskBrowser

More information

For more information related to configuring kiosk mode on Windows 10 and the KioskBrowser area in the Policy CSP, please refer to the following articles:

Prevent users from ending tasks via Windows 10 MDM

This blog post uses the TaskManager node of the Policy CSP, to prevent the end task functionality on Windows 10 devices. This node is added in Windows 10, version 1809, which is currently still in preview.

This week a short blog post about a newly introduced setting in Windows 10, version 1809, which is currently still in preview. That’s the setting to prevent non-administrator users from ending tasks via Task Manager. That can be a useful addition to a Windows AutoPilot deployed device on which the users are configured as standard users. Simply preventing users from performing activities that an administrator might not like them to do. In this post I’ll show the available settings, followed by the configuration and the end-user experience.

Settings

Let’s start by having a look at the available settings. The TaskManager area is a new node within the Policy CSP. That area currently contains only one policy setting, which is AllowEndTask. That policy setting can be configured to an Integer value of 0, which means that the end task functionality is blocked in Task Manager, or to an Integer value of 1, which means that the end task functionality is available in Task Manager. By default, the end task functionality is available. Also, keep in mind that this configuration is only applicable to non-administrator users.

Configuration

Now let’s continue by having a look at the configuration to prevent non-administrator users from ending tasks via Task Manager. In other words, create a device configuration profile with the previously mentioned custom policy setting. The following three steps walk through the creation of that device configuration profile. After that simply assign the created profile to a user or device group.

1 Open the Azure portal and navigate to Intune > Device configuration > Profiles;
2 On the Devices configuration – Profiles blade, click Create profile to open the Create profile blade;
3a

On the Create profile blade, provide the following information and click Create;

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • Platform: Select Windows 10 and later;
  • Profile type: Select Custom;
  • Settings: See step 3b.
3b

EndTask-ConfigOn the Custom OMA-URI Settings blade, provide the following information and click Add to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK in the Custom OMA-URI blade);

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/TaskManager/AllowEndTask;
  • Data type: Select Integer;
  • Value: 0.

Note: At some point in time this configuration will probably become available in the Azure portal without the requirement of creating a custom OMA-URI.

End-user experience

Let’s end this post by looking at the end-user experience. Below is an example of a Windows 10 device running the latest available Windows Insider Preview build and deployed via Windows AutoPilot. In that example it’s visible on the left that the TaskManager policy is configured and it’s visible on the right that the end task option is actually grayed out for the user. In other words, the user is unable to end a task via Task Manager.

EndTask-MSIntune

More information

For more information about the available Task Manager settings in the Policy CSP, please refer to the documentation about Policy CSP – TaskManager.

Enable Windows Automatic Redeployment from the login screen

This week a short post about enabling Windows Automatic Redeployment form the login screen. It’s a follow up on enabling password reset and PIN reset from the login screen, as it enables another feature on the login screen, and a nice addition in combination with Windows AutoPilot. Windows Automatic Redeployment might be a familiar feature, but I couldn’t find much written information about it yet. In this post I’ll provide a brief introduction to Windows Automatic Redeployment, followed by the required configuration and the end-user experience.

Introduction

Now let’s start with a brief introduction about Windows Automatic Redeployment. Starting with Windows 10, version 1709, administrators can use Windows Automatic Redeployment to quickly remove personal files, apps, and settings, by resetting Windows 10 devices from the login screen at any time. That reset will apply the original settings and device management enrollment, so the devices are ready to use once the reset is completed. The device management enrollment is related to Azure Active Directory and Microsoft Intune (or other third-party MDM-providers).

In other words, Windows Automatic Redeployment allows administrators to reset devices to a known good managed state while preserving the management enrollment. After Windows Automatic Redeployment is triggered, the devices are ready for use by standard users.

Configuration

The configuration actually only contains one specific setting. To get that specific setting, the first step explains the location of the setting and the second step explains the usage of the setting.

Step 1: Get the required setting

The first step is to get the required setting. The Policy CSP contains CredentialProvider policies. One of those policies is DisableAutomaticReDeploymentCredentials. That policy is introduced in Windows 10, version 1709, and is used to enable or disable the visibility of the credential provider that triggers the reset on a device. This policy does not actually trigger the reset. This policy enables the administrator to authenticate and trigger the reset on the device. This setting supports the following values:

  • 0 – Enable the visibility of the credentials for Windows Automatic Redeployment;
  • 1 – Disable visibility of the credentials for Windows Automatic Redeployment.

Step 2: Configure the required setting

The second step is to actually configure the required setting to enable the option to automatically redeploy Windows from the login screen. In other words, the second step is to configure a device configuration profile with at least a custom OMA-URI setting. The following three steps walk through the creation of a new device configuration profile, including the required OMA-URI setting. After that simply assign the created profile to a user group.

1 Open the Azure portal and navigate to Intune > Device configuration > Profiles;
2 On the Devices configuration – Profiles blade, click Create profile to open the Create profile blade;
3a

On the Create profile blade, provide the following information and click Create;

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • Platform: Select Windows 10 and later;
  • Profile type: Select Custom;
  • Settings: See step 3b.
3b

MSIntune_WAROn the Custom OMA-URI Settings blade, provide the following information and click Add to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK in the Custom OMA-URI blade);

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • OMA-URI: ./Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials;
  • Data type: Select Integer;
  • Value: 0.

End-user experience

Let’s end this post by looking at the end-user experience. I’ll do that by showing how to trigger Windows Automatic Redeployment, followed by a screenshot of the start of the process and a screenshot of the end of the process.

To trigger the Windows Automatic Redeployment, press the combination of Ctrl +Windows key+ R on the login screen. As shown below, this will provide the user with the option to provide an administrator account to automatically redeploy Windows.

Windows_Redeploy_01

Once administrator credentials are provided the redeployment process will be triggered. As shown below, when the process is finished a success message will be shown.

Windows_Redeploy_02

Now the device is ready to go. Keep in mind that the device is still Azure AD joined and Microsoft Intune managed with the original account. So, the main use case for this reset is for information workers and students.

More information

For more information about Windows Automatic Redeployment, please refer to this article about resetting devices with Windows Automatic Redeployment.

Enable password reset from the login screen

This week is about something similar as last week. This week is all about the password reset option on the login screen. In other words, the Reset password option. Starting with Windows 10, version 1709, it’s possible to enable the Reset password option from the login screen for Azure AD joined devices. I know that a lot has been written already about this subject, but I have the feeling that this subject needs a place on my blog. My style and more details. In this post I’ll provide a short introduction about Azure AD self-service password reset (SSPR), followed by walking through the required configurations for SSPR and the Reset password option. I’ll end this post by looking at the end-user experience.

Introduction

Now let’s start this post with an introduction about Azure AD SSPR. With SSPR users can reset their passwords on their own when and where they need to. At the same time, administrators can control how a user’s password gets reset. That means that the user no longer needs to call a help desk just to reset their password. SSPR includes (the focus of this post is number 2):

  1. Self-service password change: The user knows their password but wants to change it to something new;
  2. Self-service password reset: The user is unable to sign in and wants to reset their password by using one or more of the following validated authentication methods:
    • Send a text message to a validated mobile phone;
    • Make a phone call to a validated mobile or office phone;
    • Send an email to a validated secondary email account;
    • Answer their security questions.
  3. Self-service account unlock: The user is unable to sign in with their password and has been locked out. The user wants to unlock their account without administrator intervention by using their authentication methods.

Configuration

Let’s continue by having a look at the required configuration, to enable the Reset password option from the login screen. As the configuration of the actual settings requires SSPR to be enabled, I divided the configuration into two steps. The first step is to enable SSPR and the second step is to configure the Reset password option.

Step 1a: Enable SSPR

The first step is to enable SSPR, as it’s the starting point for enabling the Reset password option from the login screen. Without SSPR enabled, and still configuring the Reset password option, the user will receive a message that SSPR is not enabled for the user and that the user should contact the administrator. The following seven steps walk through the relatively simple configuration to enable SSPR.

1 Open the Azure portal and navigate to Azure Active Directory > Password reset;
2

AAD_PR_PropertiesOn the Password reset – Properties blade, select All and click Save;

3

AAD_PR_AuthOn the Password reset – Authentication methods blade, select the number of required methods to reset and the available methods to user and click Save;

Note: Make sure that you have at least as many methods available to users as you have required to reset.

4

AAD_PR_RegistrationOn the Password reset – Registration blade, configure whether or not to require users to register when signing in and click Save;

5

AAD_PR_NotificationsOn the Password reset – Notifications blade, configure the notification settings and click Save;

6

AAD_PR_CustomizationsOn the Password reset – Customization blade, configure the customization settings and click Save;

7

AAD_PR_OnPremOn the Password reset – On-premises integration blade, and configure the password write back configuration and click Save;

Note: This is required when using an on-premises directory and also requires the configuration of step 1b.

Step 1b: (Optional) Configure password writeback

Another part of the first step is the optional configuration of password writeback. This should be configured to write the passwords from Azure AD back to the on-premises directory. To achieve this, use the following seven steps to reconfigure Azure AD Connect.

1 On the Azure AD Connect server, start Azure AD Connect to open the Microsoft Azure Active Directory Connect wizard;
2 On the Welcome page, click Configure;
3 On the Additional tasks page, select Customize synchronization options and click Next;
4 On the Connect to Azure AD page, provide the required credentials and click Next;
5 On the Connect Directories page, click Next;
6 On the Domain/OU Filtering page, click Next;
7

MAADC_OptionalFeaturesOn the Optional Features page, select Password writeback and click Next;

Note: I’ve also got Device writeback configured, which causes the next page to appear.

8 (Optional) On the Writeback page, click Next;
9 On the Configure page, click Configure and once completed click Exit;

Step 2: Enable Reset password option

The second step is to configure the required setting to enable the Reset password option from the login screen. In other words, the second step is to configure a device configuration profile with at least a custom OMA-URI setting. The required setting is part of the Authentication node of the Policy CSP. It’s the AllowAadPasswordReset policy. That policy allows administrators to enable the self-service password reset feature on the windows logon screen. An integer value of 0 means not enabled and an integer value of 1 means enabled.

The following three steps walk through the creation of a new device configuration profile, including the required OMA-URI setting. After that simply assign the created profile to a user group.

1 Open the Azure portal and navigate to Intune > Device configuration > Profiles;
2 On the Devices configuration – Profiles blade, click Create profile to open the Create profile blade;
3a

On the Create profile blade, provide the following information and click Create;

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • Platform: Select Windows 10 and later;
  • Profile type: Select Custom;
  • Settings: See step 3b.
3b

MSI_AllowPasswordResetOn the Custom OMA-URI Settings blade, provide the following information and click Add to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK in the Custom OMA-URI blade);

  • Name: Provide a valid name; 
  • Description: (Optional) Provide a description;
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset;
  • Data type: Select Integer;
  • Value: 1.

Note: For testing purposes it’s also possible to configure the Reset password option by using the HKLM\SOFTWARE\Policies\Microsoft\AzureADAccount registry key with the value, type and data of AllowPasswordReset, REG_DWORD and 1.

End-user experience

Now let’s end this post by walking through the end-user experience. On the login screen a new option is available when selecting password as the sign-in option, the Reset password option.

RP_01

When the user selects Reset password, the user will be redirected to the Azure AD self-service password reset service.

RP_02

The User ID is already prepopulated and when the user clicks on Next, the user should choose a verification method. In my case a text to my mobile phone.

RP_03

When the user provides the correct mobile phone number and clicks on Next, the user must provide the actual verification code of the text message.

RP_04

When the user provides the correct verification code and clicks on Next, the user must provide a new password.

RP_05

When the user provides a new password and clicks Next, the user will be provided with the message that the password has been reset. When the user than clicks on Finish, the user will be redirected to the login screen.

RP_06

More information

For more information about SSPR, Windows 10 and the Reset password option, please refer to the following articles:

Deep dive ingesting third-party ADMX-files

A bit more than a week ago I got the suggestion to do a blog post about the ingestion of custom and/or third-party ADMX-files. Not without a reason. The suggestion was triggered by the latest Spectre and Meltdown vulnerabilities and the ability to manage site isolation via policies for Google Chrome. That was enough motivation for me to look into it. In this post I’ll provide an introduction to ingesting ADMX-files, followed by a step-by-step overview of how to ingest custom and/or third-party ADMX-files and how to configure the related settings. As a configuration example I’ll use the manage site isolation setting for Google Chrome. I’ll end this post with showing the configuration result.

Introduction

Starting with Windows 10, version 1703, it’s possible to ingest ADMX-files and to set those ADMX-backed policies for Win32 apps and Desktop Bridge apps, by using Windows 10 MDM. The ADMX-files that define policy information, can be ingested to the device by using OMA-URI. The ingested ADMX-files are then processed into MDM policies. When the ADMX policy settings are ingested, the registry keys, to which each policy is written, are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the System, Software\Microsoft, and Software\Policies\Microsoft keys, except for the locations documented here.

Configuration

Now let’s have a look at the configuration. The configuration contains two important steps. The first step is to ingest the ADMX-file and the second step is to configure the required setting. I will configure both settings on the device level.

Step 1: Ingest the ADMX-file

The first step is to ingest the ADMX-file. As this post is using Google Chrome as an example, make sure to download the Chrome policies here. Before starting with ingesting this ADMX-file, it’s important to first construct the OMA-URI setting and value.

Setting

The OMA-URI should look like this ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{FileUid or AdmxFileName}. In this URI the following variables should be provided:

AppName: This should be the name of the app that will be configured, but can theoretically be anything. In this example I’ll use Chrome;
SettingType: This should always be policy with ingesting ADMX-files. So, in this example I’ll use Policy;
FileUid or AdmxFileName: This should be the name of the ADMX-file, but can theoretically be anything. In this example I’ll use ChromeADMX.

Value

The value is a lot easier. That’s simply the content of the downloaded chrome.admx, which is available in the folder policy_templates\windows\admx. So, to make this really simple, open chrome.admx in an editor and press Ctrl+A, followed by Ctrl+C.

Configuration

Now let’s put the OMA-URI setting and value together, in Microsoft Intune, in a Device configuration profile. To do this, simply follow the three steps below and keep in mind that the OMA-URI setting (step 3b) is nothing more than just putting together the variables as mentioned in the Setting section.

1 Open the Azure portal and navigate to Intune > Device configuration > Profiles;;
2 On the Devices configuration – Profiles blade, click Create profile to open the Create profile blade;
3a

MSI_DC_CreateProfileOn the Create profile blade, provide the following information and click Create;

  • Name: Windows 10 – Chrome configuration;
  • Description: (Optional);
  • Platform: Select Windows 10 and later;
  • Profile type: Select Custom;
  • Settings: See step 3b;
3b

MSI_DC_AddRowOn the Custom OMA-URI Settings blade, provide the following information and click Add to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK in the Custom OMA-URI blade);

  • Name: Chrome ADMX Ingestion;
  • Description: (Optional);
  • OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx;
  • Data type: Select String;
  • Value: [Complete content of the chrome.admx];

Step 2: Configure the required setting

The second step is to configure the required setting. Finding the correct values for configuring the required setting, is similar to finding the correct values for any other ADMX-backed policy. So, make sure to be familiar with my post about Deep dive configuring Windows 10 ADMX-backed policies. Before starting with the configuration, it’s important to first construct the OMA-URI setting and value.

Setting

The OMA-URI should look like this ./Device/Vendor/MSFT/Policy/Config/{AppName}~{SettingType}~{CategoryPathFromADMX}/{SettingFromADMX}. Make sure to pay attention to the use of tildes in this URI. In this URI the following variables should be provided:

AppName: This should be the name of the app, as configured with the ingestion of the ADMX-file. In this example I used Chrome;
SettingType: This should be the same as configured with the ingestion of the ADMX-file. In this example I used Policy;
Chrome_CatCategoryPathFromADMX: This should be the complete category path, which actually starts with number 3 in the picture below. That shows googlechrome as the parent category. That category should be followed until the category definition of the ADMX-file, as shown with number 1 in the picture on the right. Number 2 in that same picture, shows that there is no additional parent category;
Chrome_SettingSettingFromADMX: This should be the name of the setting, which is shown with number 2 in the picture on the right. That shows SitePerProcess as the actual name of the setting. Number 2 in that same picture shows the actual registry that will be configured and which we can use to verify the result.

Value

The value is again a lot easier. In this example I simply want to enable the policy, which can be done by using <enabled/>. For more complicated settings, refer to my earlier mentioned post.

Configuration

Now let’s put the OMA-URI setting and value together, in Microsoft Intune, in the previously created Device configuration profile. To do this, simply follow the four steps below and assign the profile to an user group. Just like with ingesting the ADMX-file, keep in mind that the OMA-URI setting (step 4) is nothing more than just putting together the variables as mentioned in the Setting section.

1 Open the Azure portal and navigate to Intune > Device configuration > Profiles;;
2 On the Devices configuration – Profiles blade, select the earlier created Windows 10 – Chrome configuration profile to open the Windows 10 – Chrome configuration blade;
3 On the Windows 10 – Chrome configuration blade, select Properties > Settings to open the Custom OMA-URI Settings blade;
4

MSI_DC_AddRow1On the Custom OMA-URI Settings blade, provide the following information and click Add to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK on the Custom OMA-URI blade and Save on the Windows 10 – Chrome configuration blade);

  • Name: Chrome – ADMX – SitePerProcess;
  • Description: (Optional);
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/SitePerProcess;
  • Data type: Select String;
  • Value: <enabled/>;

Result

Let’s end this post with the result of the device configuration. The easiest location to look for a success would be Google Chrome itself, but instead I would like to show that the configuration actually arrived on the device. Below on the left is a screenshot of the Settings panel (Accounts > Access work or school > {tenant} > Info). That screenshot clearly shows the custom policy of Chrome~Policy~googlechrome. The applied custom policy doesn’t get any clearer than that. Below on the right is a screenshot of the Registry Editor. That screenshot clearly show the applied configuration, which can be matched with the registry setting in the ADMX-file (see number 2 in the picture with SettingFromADMX).

Chrome_Settings Chrome_Registry

More information

For more information about ingesting ADMX-files, refer to this article Win32 and Desktop Bridge app policy configuration.

Managing User Account Control settings via Windows 10 MDM

This blog post uses the LocalPoliciesSecurityOptions area of the Policy configuration service provider (CSP), to manage User Account Control (UAC) settings on Windows 10 devices. This area was added in Windows 10, version 1709, which is currently available as Insider Preview build.

This week a blog post about managing User Account Control (UAC) settings via Windows 10 MDM. The ability to manage UAC-settings is new in Windows 10 MDM. Windows 10, version 1709, introduces the LocalPoliciesSecurityOptions area in the Policy CSP, which also contains settings to manage UAC. This is the same area, in the Policy CSP, as my last post, but this time a different group of settings. The frequent readers of my blog might recognize some bits and pieces, but that’s simply because I liked the subjects used in my previous post. That also enables me to provide more details in this post. In this post I’ll look at the available UAC-settings, in the Policy CSP, and I’ll provide information about how those settings relate to actual local group policy settings. I’ll also provide some configuration guidelines for Microsoft Intune hybrid and Microsoft Intune standalone and I’ll end this post with 4 different locations that show the actual device configuration.

Available settings

Let’s start by looking at the available UAC-settings. Windows 10, version 1709, introduces the LocalPoliciesSecurityOptions area in the Policy CSP. That area contains 20+ settings. Those settings are related to accounts, interactive logon, network security, recovery console, shutdown and UAC. In this post I’m specifically looking at the settings related to UAC. The table below show the available UAC-settings, the available values and a short description. For even more information about the UAC-settings, please refer to the articles in the More information section of this post.

Setting Value Description
UserAccountControl_ AllowUIAccessApplicationsToPromptForElevation 0 – Disabled

1 – Enabled

This setting allows the administrator to control whether User Interface Accessibility (UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
UserAccountControl_ BehaviorOfTheElevationPromptForAdministrators 0 – Elevate without prompting
1 – Prompt for credentials on the secure desktop
2 – Prompt for consent on the secure desktop
3 – Prompt for credentials
4 – Prompt for consent
5 – Prompt for consent for non-Windows binaries
This setting allows the administrator to control the behavior of the elevation prompt for administrators.
UserAccountControl_ BehaviorOfTheElevationPromptForStandardUsers 0 – Automatically deny elevation requests
1 – Prompt for credentials on the secure desktop
3 – Prompt for credentials
This setting allows the administrator to control the behavior of the elevation prompt for standard users.
UserAccountControl_ DetectApplicationInstallationsAndPrompt ForElevation 0 – Disabled

1 – Enabled

This setting allows the administrator to control the behavior of application installation detection for the computer.
UserAccountControl_ OnlyElevateExecutableFilesThatAreSigned AndValidated 0 – Disabled

1 – Enabled

This setting allows the administrator to enforce public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege.
UserAccountControl_ OnlyElevateUIAccessApplicationsThatAreInstalled InSecureLocations 0 – Disabled

1 – Enabled

This setting allows the administrator to control whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system
UserAccountControl_ RunAllAdministratorsInAdminApprovalMode 0 – Disabled

1 – Enabled

This setting allows the administrator to control the behavior of all User Account Control (UAC) policy settings for the computer.
UserAccountControl_ SwitchToTheSecureDesktopWhenPrompting ForElevation 0 – Disabled

1 – Enabled

This setting allows the administrator to control whether the elevation request prompt is displayed on the interactive user’s desktop or the secure desktop.
UserAccountControl_UseAdminApprovalMode 0 – Disabled

1 – Enabled

This setting allows the administrator to control the behavior of Admin Approval Mode for the built-in Administrator account..
UserAccountControl_ VirtualizeFileAndRegistryWriteFailuresToPer UserLocations 0 – Disabled

1 – Enabled

This setting allows the administrator to control whether application write failures are redirected to defined registry and file system locations.

Note: Keep in mind that every mentioned settings starts with ./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions and that any spaces used within the setting, show in the table above, should be removed.

Local group policy settings

The nice thing is that the mentioned UAC-settings, in the LocalPoliciesSecurityOptions area of the Policy CSP (./Vendor/MSFT/Policy/Config), are all related to actual local group policy settings. Those local group policy settings can be found at Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. The name of the area, in the Policy CSP, simply translates to the location in the local group policies. Nice and easy. The table below shows how the available UAC-settings, actually translate to local group policy settings.

Policy CSP Local group policy setting
UserAccountControl_ AllowUIAccessApplicationsToPromptForElevation User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
UserAccountControl_ BehaviorOfTheElevationPromptForAdministrators User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
UserAccountControl_ BehaviorOfTheElevationPromptForStandardUsers User Account Control: Behavior of the elevation prompt for standard users
UserAccountControl_ DetectApplicationInstallationsAndPrompt ForElevation User Account Control: Detect application installations and prompt for elevation
UserAccountControl_ OnlyElevateExecutableFilesThatAreSigned AndValidated User Account Control: Only elevate executables that are signed and validated
UserAccountControl_ OnlyElevateUIAccessApplicationsThatAreInstalled InSecureLocations User Account Control: Only elevate UIAccess applications that are installed in secure locations
UserAccountControl_ RunAllAdministratorsInAdminApprovalMode User Account Control: Run all administrators in Admin Approval Mode
UserAccountControl_ SwitchToTheSecureDesktopWhenPrompting ForElevation User Account Control: Switch to the secure desktop when prompting for elevation
UserAccountControl_UseAdminApprovalMode User Account Control: Admin Approval Mode for the built-in Administrator account
UserAccountControl_ VirtualizeFileAndRegistryWriteFailuresToPer UserLocations User Account Control: Virtualize file and registry write failures to per-user locations

Configure settings

After getting to know the available settings, let’s have a closer look at the configuration of the settings. The settings can be used in Microsoft Intune hybrid and Microsoft Intune standalone, by using the configuration guidelines shown below. Within the configuration guidelines, I’m using the UAC-setting to enable the behavior of Admin Approval Mode for the built-in Administrator account as an example. That requires the following OMA-URI setting and value:

OMA-URI setting: ./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
OMA-URI value: 1

Environment Configuration guidelines
Microsoft Intune hybrid IntuneH_UACSettingThe configuration in Microsoft Intune hybrid can be performed by starting the Create Configuration Item Wizard in the Configuration Manager administration console. Make sure to select Windows 8.1 and Windows 10 (below Settings for devices managed without the Configuration Manager client) on the General page and to select Windows 10 on the Supported Platforms page. Now select Configure additional settings that are not in the default setting groups on the Device Settings page and the configuration can begin by using the earlier mentioned OMA-URI setting and value.

Once the configurations are finished, the created configuration items can be added to a configuration baseline and can be deployed to Windows 10 devices/ users.

Microsoft Intune standalone (Azure portal) IntuneS_UACSettingThe configuration in Microsoft Intune standalone, in the Azure portal, can be performed by creating a Device configuration. Create a new profile and within the new profile, make sure to select Windows 10 and later as Platform and Custom as Profile type. In the Custom OMA-URI Settings blade, add the custom settings by using the earlier mentioned OMA-URI setting and value.

Once the configurations are finished, the profile can be saved and can be deployed to Windows 10 devices/ users.

Note: This post is based on the custom OMA-URI settings configuration. At some point in time this configuration can become available via the UI of Microsoft Intune standalone and/or hybrid.

Device configuration

Like last week I’ll end this post by simply looking at the device configuration. However, this week I’ll take it one step further. This time I’ll also add some WMI and registry information. Now let’s start with, below on the left, an export of the MDM Diagnostics Information, which clearly shows the default configuration and the new configurations via MDM. Below on the right is an overview of the Local Group Policy Editor, which clearly shows the actual configuration of the new configurations via MDM. In both cases the example UAC-setting, to control the behavior of Admin Approval Mode for the built-in Administrator account, is shown in the small red circle.

UAC_MDMDiagReport_Settings UAC_LGPO_Settings

Now let’s also have a look at the information in WMI and the registry. Below on the left is an overview of the policy result node in WMI Explorer, which clearly shows the results of the configurations via MDM. Below on the right is an overview of the local group policy settings in the Registry Editor, which clearly shows the local group policy settings configured via MDM. Also, like before, in both cases the example UAC-setting, to control the behavior of Admin Approval Mode for the built-in Administrator account, is shown in the small red circle.

UAC_WMI_Settings UAC_Registry_Settings

More information

For more information about the LocalPoliciesSecurityOptions area of the Policy CSP, and about the available UAC-settings,please refer to the following articles:

Managing local policies security options for accounts via Windows 10 MDM

This blog post uses the LocalPoliciesSecurityOptions area of the Policy configuration service provider (CSP) to manage local policies security options on Windows 10 devices. This area was added in Windows 10, version 1709, which is currently available as Insider Preview build.

This week a blog post about managing local policies security options via Windows 10 MDM. More specifically, local policies security options settings related to accounts. For example, to block the usage of Microsoft accounts. I might address the other areas of the local policies security options in later blog posts, but that will be more of the same. The ability to manage local policies security options is something new in Windows 10 MDM. Windows 10, version 1709, introduces the LocalPoliciesSecurityOptions area in the Policy CSP. In this post I’ll look at the available settings in the Policy CSP and I’ll provide information about how those settings related to actual local policies security options. I’ll also provide some configuration guidelines for Microsoft Intune hybrid and Microsoft Intune standalone and I’ll end this post with the some examples of the actual device configuration.

Available settings

Now let’s start by having a look at the available settings. Windows 10, version 1709, introduces the LocalPoliciesSecurityOptions area in the Policy CSP. That area contains 20+ settings. Those settings are related to accounts, interactive logon, network security, recovery console, shutdown and user account control. In this post I’m specifically looking at the settings related to accounts. The table below show the available settings related to accounts and the available values.

Setting Value Description
Accounts_BlockMicrosoftAccounts 0 – Disabled
1 – Enabled
This setting allows the administrator to prevent users from adding new Microsoft accounts on this computer.
Accounts_EnableAdministratorAccountStatus 0 – Disabled
1 – Enabled
This setting allows the administrator to enable the local Administrator account.
Accounts_EnableGuestAccountStatus 0 – Disabled
1 – Enabled
This setting allows the administrator to enable the Guest account.
Accounts_LimitLocalAccountUseOfBlank PasswordsToConsoleLogonOnly 0 – Disabled
1 – Enabled
This setting allows the administrator to configure whether local accounts that are not password protected can be used to log on from locations other than the physical computer console.
Accounts_RenameAdministratorAccount <string> This setting allows the administrator to configure whether a different account name is associated with the security identifier (SID) for the account Administrator.
Accounts_RenameGuestAccount <string> This setting allows the administrator to configure whether a different account name is associated with the security identifier (SID) for the account Guest.

Local group policy setting

The nice thing is that the mentioned account related settings, in the LocalPoliciesSecurityOptions area of the Policy CSP (./Vendor/MSFT/Policy/Config), are all related to actual local group policy settings. Those settings can be found at Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. The name of the area, in the Policy CSP, simply translates to the location in the local group policies. Nice and easy. The table below shows how the available settings, related to accounts, actually translate to local group policy settings.

Local group policy setting Policy CSP
Accounts: Block Microsoft accounts Accounts_BlockMicrosoftAccounts
Accounts: Administrator account status Accounts_EnableAdministratorAccountStatus
Accounts: Guest account status Accounts_EnableGuestAccountStatus
Accounts: Limit local account use of blank password to console logon only Accounts_LimitLocalAccountUseOfBlank PasswordsToConsoleLogonOnly
Accounts: Rename administrator account Accounts_RenameAdministratorAccount
Accounts: Rename guest account Accounts_RenameGuestAccount

Configure settings

After getting to know the available settings, let’s have a closer look at the configuration of the settings. The settings can be used in Microsoft Intune hybrid and Microsoft Intune standalone, by using the configuration guidelines shown below.

Environment Configuration guidelines
Microsoft Intune hybrid

IntuneH_BlockMSAccount The configuration in Microsoft Intune hybrid can be performed by starting the Create Configuration Item Wizard in the Configuration Manager administration console. Make sure to select Windows 8.1 and Windows 10 (below Settings for devices managed without the Configuration Manager client) on the General page and to select Windows 10 on the Supported Platforms page. Now select Configure additional settings that are not in the default setting groups on the Device Settings page and the configuration can begin by using the earlier mentioned OMA-URI settings and values.

Once the configurations are finished, the created configuration items can be added to a configuration baseline and can be deployed to Windows 10 devices/ users.

Microsoft Intune standalone (Azure portal)

IntuneS_BlockMSAccountThe configuration in Microsoft Intune standalone, in the Azure portal, can be performed by creating a Device configuration. Create a new profile and within the new profile, make sure to select Windows 10 and later as Platform and Custom as Profile type. In the Custom OMA-URI Settings blade, add the custom settings by using the earlier mentioned OMA-URI settings and values.

Once the configurations are finished, the profile can be saved and can be deployed to Windows 10 devices/ users.

Note: This post is based on the custom OMA-URI settings configuration. At some point in time this configuration can become available via the UI of Microsoft Intune standalone and/or hybrid.

Device configuration

Usually I’ll end these type of posts with the end-user experience. However, in this case it’s better to simply look at the device configuration instead. On the left is an export of the MDM Diagnostics Information, which clearly shows the default configuration and the new configurations via MDM. On the right is an overview of the Local Group Policy Editor, which clearly shows the new actual configuration of the new configuration via MDM.

MDMDiagReport_Settings LGPO_Settings

More information

For more information about the LocalPoliciesSecurityOptions area of the Policy CSP, please refer to this article about Policy CSP – LocalPoliciesSecurityOptions.