Active-Directory on Nicola Suter

Automating network drive mapping configuration with Intune

Fri, 19 Jul 2019 07:32:46 +0000

I’m thrilled to introduce the intune-drive-mapping-generator which creates PowerShell scripts to map network drives with Intune. The tool is open source and built on ASP.NET Core MVC.

The intune-drive-mapping-generator is your tool of choice to:

Generate an Intune PowerShell script to map network drives on Azure AD joined devices
Seamlessly migrate existing network drive mapping group policies
Generate a network drive mapping configuration from scratch
Use an existing Active Directory group as a filter to deploy all your drive mapping configurations within one script

This all happens without scripting effort. You receive a fully functional PowerShell script for the deployment with Intune.

Architecture
#

This tool is designed to work best with the following components although it can be useful for other purposes(?) :

Azure AD Joined and Intune enrolled Windows 10 devices
Synced user account from Active Directory to Azure Active Directory (Azure AD Connect)
On-premises file servers

Howto
#

Export existing group policy
#

To convert your existing drive mapping group policy configuration, save the GPO as XML report with the group policy management console.

Surface Hub Miracast Connection Error

Fri, 05 Jan 2018 10:48:59 +0000

Recently I had to troubleshoot a sticky Surface Hub Miracast Connection error for a customer. They were unable to connect to the surface hub from domain joined devices but a newly installed device from a blank Windows image was working as expected. I started Troubleshooting the Surface Hub Miracast Connection Error and checked all the points mentioned in the official Troubleshoot Miracast on Surface Hub post from Microsoft.

Default Configuration
#

On a Windows 10 1709 device exists a default firewall rule to allow Miracast connections to wireless displays:

But the connection attempt was still interrupted after a timeout.

Looking trough Group Policy
#

After analyzing the Windows 10 Security Baseline Group Policy configuration I came across the following settings:

Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security:

In the settings for the public profile under the “Customize” section there’s a section called “Rule merging”:

As you can see rule merging is turned of in the Windows 10 Security Baseline which means, **all locally configured firewall rules are being ignored for the public profile. **Because Miracast connections or connection attempts belong to the public profile of the Windows Firewall, the built-in local firewall rule gets always bypassed.

Windows 10 1709 Cannot Access SMB2 Share Guest Access

Thu, 19 Oct 2017 17:51:57 +0000

After Upgrading to Windows 10 1709 (Fall Creators Update) I couldn’t access my Synology NAS anymore. Therefore I started troubleshooting the Windows 10 1709 Cannot Access SMB2 Share Guest Access error:

An error occurred while reconnecting X: to \\nas\data Microsoft Windows Network: You can’t access this shared folder because your organization’s security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.

Cause
#

Starting with Windows 10 1709, Windows prevents you from accessing network shares with guest access enabled. Guest access means connecting to network shares without authentication, using the built-in “guest” account.

This has no reference to the SMB1 protocol which was disabled in the latest Windows 10 release.

Resolution
#

To enable guest access again, configure the following GPO:

Computer configuration > administrative templates > network > Lanman Workstation: "Enable insecure guest logons" = Enabled

Registry Key
#

The according registry key is located under:

Manage Local Administrator Rights Using Group Policy

Sat, 14 Oct 2017 13:37:49 +0000

If you imagine that your users or administrators have uncontrolled local administrator rights it’s a nightmare. They have (certainly) full control over their computer, and could do a lot of harm. So managing local administrator rights is definitely a must.

Manage Local Administrator Rights
#

The Active Directory Group Policies offer a great possibility to manage local groups on clients or servers. All the magic happens with “Restricted Groups”.

Adding a group or users to a local group
#

If you want to add a certain group to a built-in group add the group to the restricted groups under the “This group is a member of” sections:

When the GPO is no longer applied, the restricted group is being removed from the clients.

Overwrite local group members
#

When you wan’t take full control over a local group, you can choose the “Members of this group” option. Then all group members are replaced with the specified users or groups here, except the built-in local Administrator account.

Active-Directory on Nicola Suter

Automating network drive mapping configuration with Intune

Architecture #

Howto #

Export existing group policy #

Surface Hub Miracast Connection Error

Default Configuration #

Looking trough Group Policy #

Windows 10 1709 Cannot Access SMB2 Share Guest Access

Cause #

Resolution #

Registry Key #