Posts

2018

Windows 10 1803 New MDM Policy CSP Settings

Hello. Long time no see. Finally I’m back with a new post. This time I created a nice little list of the new Windows 10 1803 MDM Policy CSP settings for the next Windows 10 release. If you’re not familiar with Policy CSP settings: they are GPO settings that can be configured through an Intune OMA-URI policy. Here’s a great introduction to Policy CSP settings.

My favorite Policy CSPs available with Windows 10 1803

The following CSPs are available on Windows 10 1803 and later:

ControlPolicyConflict: MDMWinsOverGP
This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy are set on the device. Microsoft docs

LanmanWorkstation: EnableInsecureGuestLogons
This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. Microsoft docs

RestrictedGroups: ConfigureGroupMembership
This security setting allows an administrator to define the members of a security-sensitive (restricted) group. Microsoft docs

You can find the entire list (CSV) on GitHub. The scripts to retrieve and compare the available Policy CSPs for a Windows version are also available on GitHub. Feel free to leave feedback or suggest improvements.

Surface Hub Miracast Connection Error

Recently I had to troubleshoot a sticky Surface Hub Miracast connection error for a customer. They were unable to connect to the Surface Hub from domain-joined devices, but a newly installed device from a blank Windows image was working as expected. I started troubleshooting the Surface Hub Miracast connection error and checked all the points mentioned in the official Troubleshoot Miracast on Surface Hub post from Microsoft.

Default Configuration

On a Windows 10 1709 device there is a default firewall rule that allows Miracast connections to wireless displays:

But the connection attempt was still interrupted after a timeout.

Looking through Group Policy

After analyzing the Windows 10 Security Baseline Group Policy configuration I came across the following settings:

Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security:

In the settings for the public profile, under the “Customize” section, there’s a section called “Rule merging”:

As you can see, rule merging is turned off in the Windows 10 Security Baseline, which means **all locally configured firewall rules are ignored for the public profile.** Because Miracast connections or connection attempts belong to the public profile of the Windows Firewall, the built-in local firewall rule is always bypassed.
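To check a client for exactly this condition before digging through GPOs, the following added example (not code from the original post) reads the rule-merging setting of every firewall profile with the NetSecurity cmdlets and lists the built-in wireless display rules. The display group name “Wireless Display” is an assumption based on the rule names on Windows 10 1709; adjust it if your build names the group differently.

```powershell
# Added example: audit local firewall rule merging per profile and show the
# built-in wireless display rules. Requires the NetSecurity module
# (Windows 8 / Server 2012 and later). Run in an elevated session.

function Get-FirewallRuleMergeStatus {
    [CmdletBinding()]
    param()

    foreach ($fwProfile in Get-NetFirewallProfile) {
        [PSCustomObject]@{
            Profile                 = $fwProfile.Name
            Enabled                 = $fwProfile.Enabled
            AllowLocalFirewallRules = $fwProfile.AllowLocalFirewallRules
            # When a GPO sets rule merging to False, every rule in the local
            # PersistentStore is ignored for that profile.
            LocalRulesIgnored       = ($fwProfile.AllowLocalFirewallRules -eq 'False')
        }
    }
}

function Get-WirelessDisplayRuleStatus {
    [CmdletBinding()]
    param(
        # Assumption: the built-in Miracast rules live in this display group
        [string]$DisplayGroup = 'Wireless Display'
    )

    Get-NetFirewallRule -DisplayGroup $DisplayGroup -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Direction, Profile, Enabled, PolicyStoreSource
}

Get-FirewallRuleMergeStatus | Format-Table -AutoSize
Get-WirelessDisplayRuleStatus | Format-Table -AutoSize
```

If the Public profile reports LocalRulesIgnored = True and the wireless display rules show PolicyStoreSource as PersistentStore (local), the rules exist but cannot take effect; the fix belongs in the GPO, either by allowing rule merging for the public profile or by shipping an equivalent rule through Group Policy.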

2017

Windows 10 1709 Cannot Access SMB2 Share Guest Access

After upgrading to Windows 10 1709 (Fall Creators Update) I couldn’t access my Synology NAS anymore. Therefore I started troubleshooting the Windows 10 1709 Cannot Access SMB2 Share Guest Access error:

An error occurred while reconnecting X: to \\nas\data
Microsoft Windows Network: You can’t access this shared folder because your organization’s security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.

Cause

Starting with Windows 10 1709, Windows prevents you from accessing network shares with guest access enabled. Guest access means connecting to network shares without authentication, using the built-in “guest” account. This is unrelated to the SMB1 protocol, which was disabled in the latest Windows 10 release.

Resolution

To enable guest access again, configure the following GPO:

Computer Configuration > Administrative Templates > Network > Lanman Workstation: "Enable insecure guest logons" = Enabled

Registry Key

The corresponding registry key is located under:

PowerShell Script Test Open TCP Ports

Recently I was troubleshooting ADFS connection issues when I discovered a nice little cmdlet called “Test-NetConnection”. With this cmdlet you can verify TCP connectivity, in my case from a client to the ADFS server.

The Test-NetConnection cmdlet displays diagnostic information for a connection. It supports ping test, TCP test, route tracing, and route selection diagnostics. Depending on the input parameters, the output can include the DNS lookup results, a list of IP interfaces, IPsec rules, route/source address selection results, and/or confirmation of connection establishment.

You can find the full documentation on the Microsoft Docs page.

About the script

With this script you can specify the server names and port numbers to check in a CSV file. The script generates a CSV output file as a report. You can use it for troubleshooting or engineering purposes to verify whether TCP ports are open. Simply add the hostname and TCP port to “CheckList.csv”; the script checks the specified servers and ports and generates an output file in the same path, named with the “Report_” prefix, containing the test results.

CheckList.csv:

Report_CheckList.csv generated after script execution:
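The following is an added example of such a checker, not the post’s own script: it reads host/port pairs from a CSV, runs Test-NetConnection against each, and writes a report beside the input file with the “Report_” prefix. The column names “Hostname” and “Port” and the sample CheckList.csv it creates are constructed assumptions, since the excerpt does not show the original file layout.

```powershell
# Added example: batch TCP port check with Test-NetConnection and a CSV report.
# Requires Windows 8.1 / Server 2012 R2 or later (NetTCPIP module).

function Test-TcpPortList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateScript({ Test-Path -Path $_ -PathType Leaf })]
        [string]$CheckList
    )

    $item = Get-Item -Path $CheckList
    # Report goes next to the input file, e.g. CheckList.csv -> Report_CheckList.csv
    $reportPath = Join-Path -Path $item.DirectoryName -ChildPath ("Report_" + $item.Name)

    $results = foreach ($entry in Import-Csv -Path $item.FullName) {
        $port = [int]$entry.Port
        # -WarningAction hides the "TCP connect to ... failed" warning for closed ports
        $probe = Test-NetConnection -ComputerName $entry.Hostname -Port $port -WarningAction SilentlyContinue

        [PSCustomObject]@{
            Hostname         = $entry.Hostname
            Port             = $port
            RemoteAddress    = $probe.RemoteAddress
            PingSucceeded    = $probe.PingSucceeded
            TcpTestSucceeded = $probe.TcpTestSucceeded
            Tested           = (Get-Date).ToString('s')
        }
    }

    $results | Export-Csv -Path $reportPath -NoTypeInformation
    return $reportPath
}

# Constructed sample input: RPC endpoint mapper (135) is normally listening on a
# Windows host, port 9 (discard) normally is not, so the report shows both outcomes.
$demoDir   = Join-Path -Path $env:TEMP -ChildPath 'PortCheckDemo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$checkList = Join-Path -Path $demoDir -ChildPath 'CheckList.csv'
@"
Hostname,Port
localhost,135
localhost,9
"@ | Set-Content -Path $checkList

$report = Test-TcpPortList -CheckList $checkList
Import-Csv -Path $report | Format-Table -AutoSize
```

The report keeps PingSucceeded and TcpTestSucceeded as separate columns on purpose: a host that answers ICMP but fails the TCP test points at a firewall or a service that is not listening, while a failed ping with a successful TCP test is normal where ICMP is filtered.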

Manage Local Administrator Rights Using Group Policy

If you imagine that your users or administrators have uncontrolled local administrator rights, it’s a nightmare. They have (certainly) full control over their computer and could do a lot of harm. So managing local administrator rights is definitely a must.

Manage Local Administrator Rights

Active Directory Group Policies offer a great way to manage local groups on clients or servers. All the magic happens with “Restricted Groups”.

Adding a group or users to a local group

If you want to add a certain group to a built-in group, add the group to the restricted groups under the “This group is a member of” section:

When the GPO is no longer applied, the restricted group is removed from the clients.

Overwrite local group members

When you want to take full control over a local group, you can choose the “Members of this group” option. Then all group members are replaced with the users or groups specified here, except the built-in local Administrator account.
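Once the Restricted Groups policy is deployed, you will want to verify on a client that the local Administrators group really contains only what the GPO specifies. The following added example (not from the original post) compares the actual membership with an expected list and reports unexpected and missing principals; the domain group name used as expected input is a constructed placeholder.

```powershell
# Added example: compare local Administrators membership against the set a
# Restricted Groups policy should enforce. Requires the
# Microsoft.PowerShell.LocalAccounts module (Windows 10 / PowerShell 5.1+).

function Compare-LocalAdministrators {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ExpectedMembers,
        [string]$GroupName = 'Administrators'
    )

    # Member names come back as DOMAIN\Name or COMPUTER\Name
    $actual = @(Get-LocalGroupMember -Group $GroupName | Select-Object -ExpandProperty Name)

    # -notcontains compares case-insensitively, matching how Windows treats names
    $unexpected = @($actual | Where-Object { $ExpectedMembers -notcontains $_ })
    $missing    = @($ExpectedMembers | Where-Object { $actual -notcontains $_ })

    [PSCustomObject]@{
        Group      = $GroupName
        Actual     = $actual
        Unexpected = $unexpected
        Missing    = $missing
        Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

$expected = @(
    "$env:COMPUTERNAME\Administrator",  # built-in account; "Members of this group" never removes it
    'CONTOSO\Workstation Admins'        # constructed placeholder for your domain group
)

Compare-LocalAdministrators -ExpectedMembers $expected | Format-List
```

Running this on a sample of clients after the policy refresh gives you a quick compliance check; any name under Unexpected is an account that gained local admin rights outside the GPO, which is exactly the situation the policy is meant to prevent.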

PowerShell Function Validate Object Properties Using ValidateScript

Recently I was working on a PowerShell script with many custom functions. When I started to use PowerShell custom objects I wanted to be able to pass them to a function. So I faced the challenge of validating my object for all required properties and came up with this solution, using a ValidateScript block to test the object:

Customizing the ValidateScript

As you can see, I use a ValidateScript for the parameter validation to test the object for the required properties. The properties can be specified in an array:

$requiredProperties = @("Property1", "Property2", "Property3", "Property4")

When we call the function with an appropriate object:

$config = [PSCustomObject]@{
    property1 = "Value"
    property2 = "Value"
    property3 = "Value"
    property4 = "Value"
}

we receive the following output:

PS H:\> New-Example -InputObject $config
Succesfully passed ValidateScript

Result

If we remove one or more properties from our custom object, an error is thrown:

PS H:\> $config = [PSCustomObject]@{ property1 = "Value"; property2 = "Value"; property3 = "Value" }
New-Example -InputObject $config
New-Example : Cannot validate argument on parameter 'InputObject'. Property: 'Property4' missing
At line:10 char:26
+ New-Example -InputObject $config
+                          ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [New-Example], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,New-Example

If you want to go a step further you could extend the ValidateScript to…

Prevent passing properties with a NULL or empty value

$_.PSObject.Properties | ForEach-Object {
    if ([string]::IsNullOrEmpty($_.Value)) {
        Throw [System.Management.Automation.ValidationMetadataException] "Property '$($_.Name)' has either a NULL or empty value"
    }
}

If we call our function again with the added IsNullOrEmpty validation, NULL or empty values throw an exception:
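The excerpt shows the required-properties array, the null/empty check and the resulting errors, but not the function itself. The following added example reconstructs a complete New-Example function around those pieces; it is my reading of the approach, not the post’s original script, and the success message and property names are taken from the excerpt.

```powershell
# Added example: a function whose InputObject parameter is checked by a
# ValidateScript block for required properties and for NULL/empty values.
# Throwing ValidationMetadataException makes PowerShell show the custom
# message instead of the generic "did not return a result of True" text.

function New-Example {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateScript({
            $requiredProperties = @("Property1", "Property2", "Property3", "Property4")
            # Property names are matched case-insensitively, so "property1" satisfies "Property1"
            $present = @($_.PSObject.Properties.Name)

            foreach ($name in $requiredProperties) {
                if ($present -notcontains $name) {
                    Throw [System.Management.Automation.ValidationMetadataException] "Property: '$name' missing"
                }
            }

            # Inside ForEach-Object, $_ is the individual property, not the object
            $_.PSObject.Properties | ForEach-Object {
                if ([string]::IsNullOrEmpty($_.Value)) {
                    Throw [System.Management.Automation.ValidationMetadataException] "Property '$($_.Name)' has either a NULL or empty value"
                }
            }

            $true   # the block must return $true for validation to pass
        })]
        [PSCustomObject]$InputObject
    )

    "Successfully passed ValidateScript"
}

# A complete object passes
$config = [PSCustomObject]@{ property1 = "Value"; property2 = "Value"; property3 = "Value"; property4 = "Value" }
New-Example -InputObject $config

# A missing property and an empty value each raise a parameter validation error
$missing = [PSCustomObject]@{ property1 = "Value"; property2 = "Value"; property3 = "Value" }
$empty   = [PSCustomObject]@{ property1 = "Value"; property2 = ""; property3 = "Value"; property4 = "Value" }
foreach ($candidate in @($missing, $empty)) {
    try   { New-Example -InputObject $candidate }
    catch { Write-Warning $_.Exception.Message }
}
```

One point worth keeping in mind: ValidateScript only checks that the properties exist and are non-empty, not that their values have the expected type or range, so anything that later feeds a path, a command line or a credential still needs its own validation inside the function.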

Managing printers with PowerShell

Managing printers with PowerShell instead of VBScript? Sometimes it’s necessary to add and remove specific printers on a computer, for example during a client deployment or when a user logs on. This post covers how to manage printers with PowerShell. The following PowerShell commands are supported with PowerShell version 4 and newer.

Installing a local network printer

Installing a local printer (without a print server) consists of the following steps:

1. Add the printer driver to your system’s driver store
2. Install the printer driver from the driver store
3. Add a printer port to communicate with the printer
4. Last but not least, add the printer

Add the printer driver to the driver store

Before you can install the printer driver you need to import it into your system’s driver store. This can be achieved with the built-in Windows “pnputil” utility. The following code adds all drivers from the specified path to the driver store:

Get-ChildItem %PathToYourDriverFolder% -Filter *.inf -Recurse | % { pnputil.exe /a $_.FullName }

Install the printer driver from the driver store

This step is quite simple; you just need to know the name of the printer driver you want to install, for example “HP Universal Printing PCL 6”.
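As an added example covering all four steps in one place (not the post’s own code), the following installs a network printer directly on the client with the PrintManagement cmdlets. The driver folder, printer IP address, driver name and printer name are constructed placeholders; the driver name must match the name inside the driver’s .inf file.

```powershell
# Added example: install a local network printer without a print server.
# Requires the PrintManagement module (Windows 8 / Server 2012 and later)
# and an elevated session. All values below are placeholders.

function Install-LocalNetworkPrinter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string]$DriverFolder,   # folder containing the .inf files
        [Parameter(Mandatory = $true)] [string]$DriverName,     # e.g. "HP Universal Printing PCL 6"
        [Parameter(Mandatory = $true)] [string]$PrinterHostAddress,
        [Parameter(Mandatory = $true)] [string]$PrinterName
    )

    # 1. Stage every driver package in the folder into the driver store
    Get-ChildItem -Path $DriverFolder -Filter *.inf -Recurse |
        ForEach-Object { pnputil.exe /a $_.FullName | Out-Null }

    # 2. Install the driver from the driver store (idempotent)
    if (-not (Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue)) {
        Add-PrinterDriver -Name $DriverName
    }

    # 3. Create a standard TCP/IP port pointing at the device
    $portName = "IP_$PrinterHostAddress"
    if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $portName -PrinterHostAddress $PrinterHostAddress
    }

    # 4. Add the printer bound to the driver and the port
    if (-not (Get-Printer -Name $PrinterName -ErrorAction SilentlyContinue)) {
        Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $portName
    }

    Get-Printer -Name $PrinterName | Select-Object Name, DriverName, PortName
}

# Constructed placeholder values; 192.0.2.50 is from the documentation address range
Install-LocalNetworkPrinter -DriverFolder 'C:\Drivers\HP' `
                            -DriverName 'HP Universal Printing PCL 6' `
                            -PrinterHostAddress '192.0.2.50' `
                            -PrinterName 'Office Printer 1'

# Removal is the reverse order: Remove-Printer -Name 'Office Printer 1',
# then Remove-PrinterPort -Name 'IP_192.0.2.50' once no printer uses the port.
```

The existence checks make the function safe to run repeatedly from a deployment task or logon script, which matters because Add-Printer and Add-PrinterPort fail with an error when the object already exists.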

Disable Java Auto Update During Installation

Disable Java Auto Update without registry modification? Recently I had to install Oracle Java on a terminal server and was curious whether it’s possible to configure the package so that the auto update feature is disabled, without any registry configuration.

Custom configuration

On the Oracle website I found a great article about the possibility to pass a configuration file to the installer. Here’s the syntax to install Java silently with a custom configuration:

jre-8u121-windows-x64.exe -s INSTALLCFG="C:\Install\Java\java.settings.cfg" AUTO_UPDATE=Disable EULA=Disable NOSTARTMENU=Enable SPONSORS=Disable

You can find a full reference of all configuration items here: https://docs.oracle.com/javase/8/docs/technotes/guides/install/config.html

Please be careful when using the REMOVEOUTOFDATEJRES=1 option: when you install the same Java version in a different architecture (x86 & x64), the other architecture with the same version is removed during the installation!

You can find more information in the About section of my blog. Stay tuned for more posts.