master-client(-management)

Take Windows Up to 11

Windows 10 1903 nice to know for IT Pros and Enterprise admins (curated link list)

With the release of Windows 10 1903 I want to start a curated link list for every Windows 10 release. A place where I can store interesting articles about new features, settings or bugs. I plan to update with new content as soon as I find it.
If you find something new before me or if I missed anything important please write a comment or send me a message via Twitter.

General

| Topic | Description | Source |
|---|---|---|
| What’s new for IT Pros | New and Updated Features of interest to IT Pros | Link |
| What’s new in WUfB | What’s new in Windows Update for Business in Windows 10 | Link |

Group Policies

| Topic | Description | Source |
|---|---|---|
| New GPOs | Group Policy Changes in Windows 10 1903 Preview | Link |
| New GPOs | New GPO settings in Windows 10 1903: enforce updates, Storage Sense, and logon | Link |
| Security Baseline (Final) | Security Baseline (Final) for Windows 10 1903 | Link |
| Security Baseline | 1903 Security Compliance Toolkit | Link |
| WMI Filter | Select * from Win32_OperatingSystem WHERE Version LIKE "10.0.18362%" and ProductType = "1" | Link |

Autopilot, OSD, SCCM and MDT

| Topic | Description | Source |
|---|---|---|
| WSUS category | Windows 10 1903 has its own WSUS product category, SCCM 1902 required to manage 1903 | Link1 Link2 |
| What’s new in ADK | Changes to the ADK especially the known issues Windows SIM x64 error | Link |
| Autopilot | The latest news on Windows Autopilot | Link |
| Autopilot Companion | Example Companion App to change settings during White Glove deployments | Link |
| Autopilot White Glove | Windows Autopilot for white glove deployment | Link |

MDM

| Topic | Description | Source |
|---|---|---|
| What’s new in MDM | What’s new in MDM for Windows 10, version 1903 | Link |

Misc

| Topic | Description | Source |
|---|---|---|
| Sandbox | Enable Windows Sandbox on 1903 with and without PowerShell | Link |
| Sandbox Configuration | How to configure Windows Sandbox | Link |
| Sandbox Mapped Folder | If you use mapped folder in Windows Sandbox, note that the ReadOnly value should be in lowercase like “true” and not “True” | Link |
| Reserved Storage | Windows 10 and reserved storage | Link |
| WSL | What’s new for WSL in Windows 10 version 1903? | Link |

Monitoring Windows 10 Defender Attack Surface Reduction Rule Events with Microsoft Teams

Windows Defender attack surface reduction (ASR) rules are a feature included in Windows 10 Enterprise which allows you to secure some common attack vectors like malicious e-mail attachments or Office files. It is a great additional layer for your client security strategy.
ASR is part of the Advanced Threat Protection family and therefore a Windows 10 Enterprise E5 feature. But you are allowed to use some of the rules with a Windows 10 E3 subscription though without the monitoring and management capabilities of the ATP online portal.
Most of the ASR rules included in an E3 subscription are also part of the Windows Defender Security Baseline for Windows 10 (1809) since the version for Windows 10 1709.

Problem

So what’s the problem? In my opinion you want these rules to be enabled on all your endpoints, but without monitoring and management you will have some impact on your application landscape. Especially for some of the new rules which shipped with 1809 you will need to implement exceptions, like blocking Office programs from creating child processes. But how do you want to implement exceptions if you aren’t aware which applications need them?

You have three valid options:

  1. Disable the ASR rules in your environment
  2. Enable the ASR rules in Audit Mode, centralize the audit events, configure exceptions and enable blocking at a later time
  3. Enable ASR rules in block mode, centralize the block events and create exceptions promptly

Option one is obviously the worst decision you can make in terms of client security. Option two is a good way to go forward but I have worked in many projects where approaches like these were followed and in most cases the blocking was not activated before we, the externals, left. And as far as I know it was never activated at all in most cases except when it was a management goal. However, this is the recommended way to implement this technology according to Microsoft.
For me Option three is the way to go because of the Windows-as-a-Service model. A phased rollout of a feature upgrade like 1809 should give you enough time to implement exceptions for the ASR rules before you have a widespread issue if you get notified on time.

My Solution

My solution to this scenario is to forward all block (or audit) events to an event collector server where a PowerShell script runs as a scheduled task. The script checks if it is the first time the executable triggered this ASR rule and if so forwards the event details to a Microsoft Teams channel. You can use the Teams channel to monitor the events and decide if you want to create an exception for the executable or not.

That is in short what I will show.
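
The first-seen check and webhook post described above could look like the following. This is an added example, not the author's script; the function names, the state file path, the webhook URL and the EventData field names (ID, Path, Process Name) are assumptions, and the sample event is constructed.

```powershell
# Added example, not the author's script. Function names, the state file and the
# webhook URL are hypothetical. Assumed: Defender events 1121 (block) and 1122 (audit)
# carry the rule GUID, affected file and triggering process in the EventData fields
# "ID", "Path" and "Process Name".

function ConvertFrom-AsrEventXml {
    param([Parameter(Mandatory)][xml]$EventXml)
    $sys = $EventXml.Event.System
    $id  = $sys.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.InnerText }  # EventID with attributes
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        Computer = $sys.Computer
        Mode     = if ([int]$id -eq 1121) { 'Block' } else { 'Audit' }
        RuleId   = $data['ID']
        Path     = $data['Path']
        Process  = $data['Process Name']
    }
}

function Publish-FirstSeenAsrFinding {
    # Calls $Send once per new (rule, path) pair. The key is recorded only after
    # $Send succeeded, so a failed delivery is retried on the next run.
    param(
        [object[]]$Finding,
        [System.Collections.Generic.HashSet[string]]$Seen,
        [scriptblock]$Send
    )
    foreach ($f in $Finding) {
        $key = ('{0}|{1}' -f $f.RuleId, $f.Path).ToLowerInvariant()
        if ($Seen.Contains($key)) { continue }
        try   { & $Send $f; [void]$Seen.Add($key) }
        catch { Write-Warning "Delivery failed for ${key}: $_" }
    }
}

function Send-AsrFindingToTeams {
    param($Finding, [string]$WebhookUrl)
    $card = @{
        '@type'    = 'MessageCard'
        '@context' = 'http://schema.org/extensions'
        summary    = "ASR $($Finding.Mode) on $($Finding.Computer)"
        title      = "ASR $($Finding.Mode): rule $($Finding.RuleId)"
        sections   = @(@{ facts = @(
            @{ name = 'Computer'; value = $Finding.Computer }
            @{ name = 'Path';     value = $Finding.Path }
            @{ name = 'Process';  value = $Finding.Process }
        ) })
    }
    Invoke-RestMethod -Uri $WebhookUrl -Method Post -ContentType 'application/json' `
        -Body ($card | ConvertTo-Json -Depth 5)
}

function Invoke-AsrForwarding {
    # Entry point for the scheduled task on the collector.
    param([string]$WebhookUrl, [string]$StatePath = "$env:ProgramData\asr-teams\seen.txt")
    $seen = [System.Collections.Generic.HashSet[string]]::new()
    if (Test-Path -LiteralPath $StatePath) {
        Get-Content -LiteralPath $StatePath | ForEach-Object { [void]$seen.Add($_) }
    }
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 1121, 1122 } `
        -ErrorAction SilentlyContinue)
    $findings = @($events | Sort-Object TimeCreated |
        ForEach-Object { ConvertFrom-AsrEventXml -EventXml ([xml]$_.ToXml()) })
    Publish-FirstSeenAsrFinding -Finding $findings -Seen $seen -Send {
        param($f) Send-AsrFindingToTeams -Finding $f -WebhookUrl $WebhookUrl
    }
    New-Item -ItemType Directory -Path (Split-Path $StatePath) -Force | Out-Null
    Set-Content -LiteralPath $StatePath -Value @($seen)
}

# Constructed sample event (not real data): the same event seen twice is reported once.
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1121</EventID><Computer>pc01.example.test</Computer></System>
  <EventData>
    <Data Name="ID">00000000-0000-0000-0000-000000000000</Data>
    <Data Name="Path">C:\Tools\helper.exe</Data>
    <Data Name="Process Name">C:\Program Files\Vendor\app.exe</Data>
  </EventData>
</Event>
'@
$demoSeen = [System.Collections.Generic.HashSet[string]]::new()
$finding  = ConvertFrom-AsrEventXml -EventXml $sample
$sent     = [System.Collections.Generic.List[object]]::new()
Publish-FirstSeenAsrFinding -Finding $finding, $finding -Seen $demoSeen -Send { param($f) $sent.Add($f) }
"Notifications sent: $($sent.Count)"
```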

How to create an Exception for the Attack Surface Reduction Rules

At the moment you can only create exceptions for all ASR rules at once by using the group policy setting Exclude files and paths from Attack Surface Reduction Rules which you can find in Computer Configuration – Administrative Templates – Windows Components – Windows Defender Antivirus – Windows Defender Exploit Guard – Attack Surface Reduction.
Just enter the path of the executable that you want to exclude in the Name column and 0 in the Value column.

ASR Exclusion

Event forwarding Client Configuration

Windows Event Forwarding is part of Windows Remote Management (WinRM) and can be configured in several ways. I won’t go into details about configuring WinRM, because there are already plenty of good articles about that topic. Instead I will show you an easy configuration with Group Policy. Feel free to reach out to me if you need any assistance in configuring it otherwise.
To enable Event Forwarding via GPO on the clients we have to set the following settings:

  • Start the WinRM service and set it to automatic:
    Create a GPO and open Computer Configuration – Preferences – Control Panel Settings – Services, right click on it and select New – Service

Then click on the three dots behind Service name and select the Windows Remote Management (WS-Management) or WinRM service. After that set Startup to Automatic and Service action to Start service. Then press OK to close the dialogue.

  • Set the event collector server as Subscription Manager:
    Go to Computer Configuration / Policies / Administrative Templates / Windows Components / Event Forwarding and open the Configure target Subscription Manager setting. Click on the Show button and add Server=<FQDN> to the table.

Event forwarding Server Configuration

Now we have to configure the Event Collector Server to receive the events. You can use any currently supported Windows OS as an event collector but I would recommend using a server OS according to its role.
In order to enable the server as event collector we have to enable the event collector service and create an event subscription.

Open up an administrative cmd and enter wecutil qc and proceed with y to quickly configure the Windows Event Collector service.

After that open up the Event Viewer and click on Subscriptions. In the right pane click on Create Subscription. Give the subscription a suitable name in the window that opens up and click on Select Computer Groups….

Click on AD Domain Computers… and select an Active Directory group or the Active Directory objects you want to monitor. I used Domain Computers here so that all computers are able to send events. We already selected the computers to monitor by linking and filtering the group policy. After that press OK.

Then press on Select Events…, switch to XML and insert the following to select the Windows Defender Attack Surface Reduction Rules block and audit events (Source):

After that click on the Advanced… button and select Minimize Latency. Then click OK to save the subscription.

Now go back to the administrative cmd and use the following command to set the content format of the subscription to events which is more efficient (see also).
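
The collector-side steps above (wecutil qc, a subscription with the ASR event query, Minimize Latency and the Events content format) can also be scripted. This is an added example, not from the original post; the subscription name and file path are placeholders, and the query assumes Defender's event IDs 1121 (block) and 1122 (audit) in the Microsoft-Windows-Windows Defender/Operational log.

```powershell
# Added example, not from the original post. Run elevated on the event collector.
# Assumptions: 'ASR-Events' and the temp file path are placeholders; the SDDL grants
# Domain Computers (DC) and Network Service (NS) the right to deliver events, which
# matches the "Domain Computers" choice made in the GUI steps.
$subscriptionId = 'ASR-Events'
$xmlPath        = Join-Path $env:TEMP "$subscriptionId.xml"

# Event query: ASR block (1121) and audit (1122) events from the Defender log.
$query = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
    <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1121 or EventID=1122)]]</Select>
  </Query>
</QueryList>
'@

# Source-initiated subscription, because the clients find the collector through the
# "Configure target Subscription Manager" policy.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Defender ASR block (1121) and audit (1122) events</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[$($query)]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US" />
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@
Set-Content -LiteralPath $xmlPath -Value $subscription -Encoding UTF8

wecutil qc /q                                 # configure the Windows Event Collector service
wecutil cs $xmlPath                           # create the subscription from the XML file
if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed with exit code $LASTEXITCODE" }
wecutil ss $subscriptionId /cf:Events         # content format "Events" instead of rendered text
wecutil gs $subscriptionId                    # print the resulting configuration for review
```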

Configure the Team in Microsoft Teams

Go to Microsoft Teams and create a new team (or have one created for you), or reuse an existing team. I would recommend having a dedicated team for this, but do as you like.

When you have your team, click on the three dots next to the team name, select Add channel and create a channel for an ASR rule.

After that click on the three dots next to the channel name and select Connectors.

Search for Incoming Webhook and press the Add button.

Confirm with the Install button that you want to add it to your team.

Give it a name, for example Event Collector, and upload a picture if you like. The picture will be used in every message sent by the script.

Press Configure and you will be presented with a URL, which you should copy.

Repeat these steps for every ASR-rule and for the General channel.

Configure the Scheduled Task

After that copy the following script to your event server:

Now replace the placeholders in the GET-ASRData function (beginning in line 54) with the Webhook-URLs you created in the last step for each rule. Use the URL you created for the General channel for the default value (line 166).
If a new Windows 10 build contains new ASR rules, the events will be sent to the General channel in your team with the new rule GUID as description. If you want to extend the script to support new rules, just extend the $ASRData hash table (line 78) and add a new channel to your team.

Open up the Computer Management and go to Task Scheduler \ Task Scheduler Library and create a New Task.

Give it a name like ASR-Teams, select Run whether a user is logged on or not and select a user account to run the task. In order to use the webhooks the account needs access to the internet, so the System Account might not work if you have to use a Proxy server.

Switch to the Triggers tab, click on New… and choose a reoccurring schedule.

On the Actions tab, click on New… and use the following lines (replace with your location of the script):

Executable:

Arguments:

(If you add the -Verbose parameter, a transcript/log file will be created in the path specified in the $FilePath parameter. The default value is %programdata%\master-client.)

After that check the Conditions and the Settings tab and press OK.

Now we should have everything in order, and as soon as your clients start sending ASR related events to the server you should get them forwarded to Microsoft Teams.

Conclusion

You can now enable the new ASR rules right from the beginning of your Windows 10 1809 deployment and you will get informed if any executable is blocked in Microsoft Teams.

This is a simple proposal for how to enable the ASR feature without a high user impact. If you have other tools in place to centralize events and monitor your endpoints, use them instead.

Thanks

Thanks to Terence Beggs and SCConfigMgr for the idea and the PowerShell code regarding the Microsoft Teams forwarding.

This information is provided “AS IS” with no warranties, confers no rights and is not supported by the authors.

“Something went wrong” error when enabling Windows 10 facial authentication

Problem

When I was at a customer’s site lately and tried to enable the Windows Hello face recognition feature I encountered an error. After pressing the Get started button on the Windows Hello setup page Sorry, something went wrong was displayed without further explanations.

Windows Hello Setup
Windows Hello Setup Error

When I checked the Windows Event Log I could find a DistributedCOM error with the EventID 10016 which stated that the application did not have the local activation permission for the COM application.

Windows eventlog error DCOM

After that I looked up the APPID from the event in the Component Services and found out that it was the RuntimeBroker, which controls the execution of the AppX (Universal) apps. Thinking about that, I remembered that we had limited the access to the camera to certain AppX apps via Group Policy.

Component Services

I opened regedit as an Administrator and removed the value

HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessCamera

and tested again. Then it worked! So I just needed to find out which AppX needs access to the camera. I looked up the installed AppX with the PowerShell command:

Get-AppxPackage | select Name | sort

There it was the Microsoft.BioEnrollment_cw5n1h2txyewy AppX which looked like the app I was searching for. I reset my registry changes with a Group Policy update and added the AppX name to the value of:

HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessCamera_UserInControlOfTheseApps

Registry privacy camera

After that I tested again and it still worked to set up the facial recognition.

Camera working

Solution

Adding the AppX Microsoft.BioEnrollment_cw5n1h2txyewy to the Put user in control of these specific apps or the Force allow these specific apps fields of the Let Windows apps access the camera setting in the GPO under Computer Settings\Administrative Templates\Windows Components\App Privacy resolved the issue and users are able to use their face to authenticate on Windows.

GPO settings camera privacy

Windows 10 1803 ADMX Files SearchOCR error $(string.Win7Only) not found

Problem

Update 2: On 7/13/2018 Microsoft released Version 2.0 of the 1803 ADMX files without the issue
Update: Included feedback from @Jtracy_ItPro regarding multiple orphaned ADML files.

I just updated the Windows 10 ADMX files in the Central Policy Store of my lab domain with the Windows 10 1803 ADMX files. After that I got the error that the resource $(string.Win7Only) referenced in attribute displayName could not be found when accessing the Administrative Templates with the Group Policy Editor.

ADMX Error

I checked the mentioned searchocr.admx and the corresponding searchocr.adml file and found out that the modified dates differed by around three years (2015 and 2018).
Looking at the extracted 1803 ADMX files from the download revealed that they only include the SearchOcr.ADML files not the corresponding ADMX.

ADMX 1803

The c:\Windows\PolicyDefinitions folder of a running instance of Windows 10 1803 does not contain the two files.

Solution

Update 2: On 7/13/2018 Microsoft released Version 2.0 of the 1803 ADMX files without the issue

As long as I cannot find the 1803 version of the SearchOcr.admx I restored the old SearchOcr.adml file(s) from my backup and the error went away. Or even better remove the SearchOcr.ADML from every language that you want to import to the Central Policy Store.

@Jtracy_ItPro pointed out to me that the SearchOcr.adml is not the only orphaned ADML in the ADMX pack. The following ADML files are orphaned in the 1803 ADMX pack as well:

  • fileservervssagent.adml
  • microsoft-windows-geolocation-wlpadm.adml
  • microsoft-windows-messaging-grouppolicy.adml
  • searchocr.adml
  • terminalserver-winip.adml
  • userdatabackup.adml
  • wwansvc-admin-group-policy-data.adml

Any of these files can cause similar errors if you already have an older version of the ADMX and ADML in your Central Policy Store.

Therefore I wrote a small PowerShell function to find any orphaned ADMLs in a PolicyDefinitions folder.

You can use this function to find and remove any orphaned ADML before importing the files to the Central Policy Store
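
A check of this kind, written here as an added example and not the author's function: it lists every ADML in the language subfolders of an extracted pack that has no ADMX next to it, and optionally flags the ones for which an existing Central Policy Store still holds an older ADMX. The function name, its parameters and the demo files are hypothetical or constructed.

```powershell
# Added example, not the author's function. Find-OrphanedAdml and its parameters
# are hypothetical names.
function Find-OrphanedAdml {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PolicyDefinitionsPath,  # extracted ADMX pack
        [string]$CentralStorePath                              # optional: existing store
    )
    $comparer = [System.StringComparer]::OrdinalIgnoreCase

    # Base names of all ADMX files shipped in the pack.
    $packAdmx = [System.Collections.Generic.HashSet[string]]::new($comparer)
    Get-ChildItem -LiteralPath $PolicyDefinitionsPath -Filter '*.admx' -File |
        ForEach-Object { [void]$packAdmx.Add($_.BaseName) }

    # Base names of ADMX files already present in the Central Policy Store.
    $storeAdmx = [System.Collections.Generic.HashSet[string]]::new($comparer)
    if ($CentralStorePath) {
        Get-ChildItem -LiteralPath $CentralStorePath -Filter '*.admx' -File |
            ForEach-Object { [void]$storeAdmx.Add($_.BaseName) }
    }

    # Every language subfolder (en-US, de-DE, ...) holds the ADML resources.
    foreach ($langDir in (Get-ChildItem -LiteralPath $PolicyDefinitionsPath -Directory)) {
        foreach ($adml in (Get-ChildItem -LiteralPath $langDir.FullName -Filter '*.adml' -File)) {
            if ($packAdmx.Contains($adml.BaseName)) { continue }
            [pscustomobject]@{
                Language        = $langDir.Name
                Name            = $adml.Name
                # True: copying this ADML would pair it with an older ADMX in the store.
                StoreHasOldAdmx = $storeAdmx.Contains($adml.BaseName)
                FullName        = $adml.FullName
            }
        }
    }
}

# Demo on constructed, empty files in a temporary folder.
$root  = Join-Path ([System.IO.Path]::GetTempPath()) "admx-demo-$(Get-Random)"
$pack  = Join-Path $root 'pack'
$store = Join-Path $root 'store'
New-Item -ItemType Directory -Path "$pack\en-US", "$store\en-US" -Force | Out-Null
New-Item -ItemType File -Path "$pack\search.admx", "$pack\en-US\search.adml",
    "$pack\en-US\searchocr.adml", "$store\searchocr.admx", "$store\en-US\searchocr.adml" | Out-Null

Find-OrphanedAdml -PolicyDefinitionsPath $pack -CentralStorePath $store |
    Format-Table Language, Name, StoreHasOldAdmx

Remove-Item -LiteralPath $root -Recurse -Force
```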

PowerShell Hyper-V Tags Module

PSHVTag

I have written the PSHVTag Module because I am using many Hyper-V virtual machines in my lab environments. And I have to start and stop the different labs very often. A VM usually needs some time to fully start up before I can start the next one. For example, my Gateway VM has to be up and running before I can start the Domain Controller behind it. And the DC has to be up and running before I can start the ConfigMgr server etc.

Instead of creating a complex database for this, I wanted to make it very simple to describe a service hierarchy. Therefore, I thought it would be very simple to do this just by adding a simple tag line to the notes field of every VM in such an environment.

With this module it is very easy to start a complex VM-Service like SCCM with all its dependencies with just a simple PowerShell command.
You can also use the VM Topology object to select virtual machines and use them with any other Hyper-V PowerShell command like Export-VM.

While creating the module I thought it would be nice to have a graph of my lab environments. Consequently, I added a function based on the PSGraph module to it, which allows you to map your environments (see example below).

VMTopology

What is a VM-Topology

A VM-Topology is represented by a custom PowerShell class. An instance is built from all virtual machines of one host with a tag line in their notes field.

It can comprise multiple VM-Environments in which virtual machines can provide VM-Services. The environment also reflects the dependencies between these services.

Example Graph

This graph shows a simple VM-Topology containing one environment, one service provided by one VM and one required service provided by one VM.

VMTopology

The Tag

The tag used to create a VM-Topology consists of three elements and is stored as a single line in the notes field of a Hyper-V VM. Only one tag line is allowed per VM.

Elements

Environment

This tag element defines the VM-Environment the virtual machine belongs to. One VM has to belong to one environment and can belong to multiple environments. But it has to provide the same services in all environments and it has to depend on the same services in all environments.

Service

The service element defines the services provided by the VM for the environments it belongs to. A virtual machine can provide one or more services.

DependsOn

The DependsOn element includes all services a VM requires to be up and running before it can fully operate. For example, an Azure AD Connect server depends on the domain and internet access.

Syntax

The syntax is similar to HTML tags. The tag element name (Env, Service, DependsOn) is put between angle brackets to indicate the start of the tag and is closed by the tag element name prefixed with a / between angle brackets.

Multiple instances of an element are separated by a comma.

A tag line looks like the example below.

<Env>Environment1,Environment</Env><Service>Service1,Service2</Service><DependsOn>RequiredService1,RequiredService2</DependsOn>

You can create a tag by using the Set-VMTag command.
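
How such a tag line can be parsed and turned into a start order, as an added example that is not the PSHVTag module's own code: the function names are hypothetical and the notes fields are constructed from the VM names used in this article.

```powershell
# Added example, not PSHVTag's code. Function names are hypothetical.
function ConvertFrom-TagLine {
    # Splits one tag line into its Env, Service and DependsOn lists.
    param([Parameter(Mandatory)][string]$Line)
    $tag = [ordered]@{}
    foreach ($element in 'Env', 'Service', 'DependsOn') {
        $values = @()
        $m = [regex]::Match($Line, "<$element>(.*?)</$element>")
        if ($m.Success) {
            $values = @($m.Groups[1].Value -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
        $tag[$element] = $values
    }
    [pscustomobject]$tag
}

function Get-VMStartOrder {
    # Depth-first walk over DependsOn: required services first, then the providers.
    param([Parameter(Mandatory)][hashtable]$Notes, [Parameter(Mandatory)][string]$Service)
    $vms = @(foreach ($name in $Notes.Keys) {
        $tag = ConvertFrom-TagLine -Line $Notes[$name]
        [pscustomobject]@{ Name = $name; Service = $tag.Service; DependsOn = $tag.DependsOn }
    })
    $order = [System.Collections.Generic.List[string]]::new()
    $state = @{}   # service name -> 'visiting' or 'done'
    $visit = {
        param($svc)
        if ($state[$svc] -eq 'done') { return }
        if ($state[$svc] -eq 'visiting') { throw "Dependency cycle at service '$svc'" }
        $state[$svc] = 'visiting'
        $providers = @($vms | Where-Object { $_.Service -contains $svc } | Sort-Object Name)
        if (-not $providers) { Write-Warning "No VM provides service '$svc'" }
        $required = @($providers | ForEach-Object { $_.DependsOn } | Select-Object -Unique)
        foreach ($dep in $required) { & $visit $dep }
        foreach ($vm in $providers) {
            if (-not $order.Contains($vm.Name)) { $order.Add($vm.Name) }
        }
        $state[$svc] = 'done'
    }
    & $visit $Service
    $order
}

# Constructed notes fields, using the VM names from this article.
$notes = @{
    DefGateway01       = '<Env>LAB</Env><Service>Gateway</Service><DependsOn></DependsOn>'
    DomainController01 = '<Env>LAB</Env><Service>Domain</Service><DependsOn>Gateway</DependsOn>'
    DomainController02 = '<Env>LAB</Env><Service>Domain</Service><DependsOn>Gateway</DependsOn>'
    AzureADConnect01   = '<Env>LAB</Env><Service>AzureAD</Service><DependsOn>Domain,Gateway</DependsOn>'
    AzureADConnect02   = '<Env>LAB</Env><Service>AzureAD</Service><DependsOn>Domain,Gateway</DependsOn>'
}
Get-VMStartOrder -Notes $notes -Service 'AzureAD'
```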

Start a VM-Service with all dependencies

The main reason for me writing this module was starting virtual machines in a dedicated order. Therefore, I wrote the function Start-VMService.

For instance to start the DefGateway01, DomainController01, DomainController02, AzureADConnect01 and AzureADConnect02 virtual machines from the example topology in the picture at the beginning of this article on the localhost in this order you can use the following command:

Stop a VM-Service

It is also possible to stop a VM-Service and all its dependencies with the Stop-VMService function.

For example, in order to stop the five virtual machines for AzureAD, Domain and Gateway you can use the following command:

How to use a VM-Topology with other commands

You can use the VM-Topology to select virtual machines by VM-Service or VM-Environment and use them with commands like Export-VM.

For example, in order to export all virtual machines from the VM-Environment LAB on the localhost use the following:

Installing the Module

The module is available in the PowerShell Gallery or on GitHub.

Inspect

Install

Future Updates

  • When I started this module I wanted to create a GUI which shows the state of the different objects in real time and allows you to start and stop services with a click on a button. I think this will be one of the next additions to this module.
  • I am also planning to add functions to manipulate single tag items instead of setting or replacing the whole tag at once.
  • Furthermore, I want to add support for multiple Hyper-V hosts to allow spanning VM-Topologies over several hosts.

Feedback

Hopefully some of you will find this module as useful as I do. And maybe you will have some good ideas for new features. Please let me know and use the project page on Github for feedback.

Install Microsoft’s January Meltdown / Spectre Updates during SCCM or MDT Build and Capture Task Sequence

Problem

I tried to create images of Windows 7 and Windows 10 (1607, 1703, 1709) with a SCCM Build and Capture Task Sequence. I deployed the January Windows Updates to the imaging clients so that the images should include the fixes for the Meltdown and Spectre vulnerabilities. But unfortunately this did not work. The reason is that the antivirus compatibility registry key mentioned in this article had not been set before the updates were installed.

Update: After testing Build and Capture of Windows 10 with MDT I have added the necessary steps to the article.
Update 2: Thanks to @manelrodero for pointing out that a reboot is not required between setting the key and the Install Update step.
Update 3: Microsoft announced that this is no longer necessary beginning with the Cumulative Update 03-2018.

Solution

You just have to add the registry key in your Build and Capture sequence right before the update step performs the update scan.

SCCM

  1. Add a Run Command Line Step to your Build and Capture Task Sequence before the Install Updates step containing the following line:
     REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v cadca5fe-87d3-4b96-b7fb-a231484277cc /T REG_DWORD /D "0x00000000" /F

     QualityCompat Key

  2. Make sure that the box Evaluate software updates from cached scan results is not checked in the first Install Updates step.

     Install Updates step

MDT

  1. Add a Run Command Line Step to your Build and Capture Task Sequence before the Windows Update (Pre-Application Installation) step containing the following line:
     REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v cadca5fe-87d3-4b96-b7fb-a231484277cc /T REG_DWORD /D "0x00000000" /F

     QualityCompat Key

Use SCCM to bypass Device Guard / Applocker

Some days ago, my colleague Matthias (@mg_wtf) told me that he had just changed the executable of a package he had been testing in the ccmcache directory and had started the installation from the SCCM Software Center and it worked.

I checked several instances of SCCM Current Branch (up to 1710) and Technical Preview (up to 1711) and could verify the behavior in all of them. The agent validates the content only when downloading it. After that it assumes that it remains unchanged in the ccmcache directory. Edits of the files are very unlikely because only administrators are allowed to do that.

Update 2017/11/28 see section: Is this a big issue?

How I tested it

I installed and updated an instance of Windows 10 Enterprise 1703 and configured SCCM as a managed installer for Applocker and Device Guard as described here and here.

The Applocker policy allowed standard users only to execute applications from the Program Files or Windows folder and any APPX-Application. Everything else was blocked.

<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="6c236a39-90f4-46bf-974a-b06995049062" Name="%WINDIR%\CCM\CcmExec.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\CCM\CcmExec.exe" />
      </Conditions>
    </FilePathRule>
    <RuleCollectionExtensions>
      <ThresholdExtensions>
        <Services EnforcementMode="Enabled" />
      </ThresholdExtensions>
      <RedstoneExtensions>
        <SystemApps Allow="Enabled"/>
      </RedstoneExtensions>
    </RuleCollectionExtensions>
  </RuleCollection>
  <RuleCollection Type="ManagedInstaller" EnforcementMode="Enabled">
    <FilePathRule Id="25656246-4c57-4f2f-bf72-baa5eb8c355b" Name="%WINDIR%\CCM\CcmExec.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\CCM\CcmExec.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>

After that I executed the MyMalwareInstaller.exe as an administrator. This installation created a registry key and installed the c:\mymalware.exe.

The latter just shows a message box with the executing user.

As defined in the Applocker policy, the Administrator was allowed to start the MyMalware.exe.

I switched to a standard user account without administrative rights and tried to execute the mymalware.exe. As expected this was blocked by AppLocker.

Hereafter I undid all the changes made by the installer and deployed a Test application via SCCM. This install did nothing other than create the registry key specified as Application Detection Method.

Then I overwrote test1.exe in the Config Manager Client Cache directory (%windir%\ccmcache) with the MyMalwareInstaller.exe and deleted the detection key from the registry.

After executing the Application Deployment Evaluation Cycle the Software Center allowed me to install the application again. I clicked on the Install button and the SCCM client executed the mymalwareinstaller.exe instead of the checked in executable!

Then I switched back to the standard user and now he was able to execute the MyMalware.exe because it was installed by the SCCM client as Managed Installer.

You could argue both of these executables are not signed by a trusted publisher and SCCM even warns you about this when you import the application.

However I tested this too and the client executes an unsigned executable instead of a signed one!

Is this a big issue?

Arguments in favor of No:

  • An attacker first needs to achieve administrative rights
  • The Applocker/Device Guard Managed Installer feature is still a beta feature
  • In this scenario it would be a lot easier for an attacker to copy his executable to the Program Files folder to let it run in the context of a standard user. But in tighter controlled environments this might be the loophole.
  • Update 2017/11/28: Dune Desormeaux from MS pointed out to me that they don’t claim that Device Guard protects against local admin rights.

Arguments in favor of Yes:

  • It is a possibility to execute code in the context of the SYSTEM account
  • Many Third-party Application Control systems leverage technologies similar to the Applocker/Device Guard Managed Installer
  • In an Advanced persistent threat scenario attackers could use this to gain persistent access to a system after an initial exploit even if application whitelisting is configured
  • If the attacker restores the content in the ccmcache and the detection rule after the successful execution of his code it is very hard to trace the way of the infection

Solution

In my opinion the best solution would be that the SCCM client checks the content hash before every execution from the cache instead of only directly after the download.

Until that happens, you should take this into account before using the SCCM client as a trusted source in an application control system.
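
One way to approximate that check from the defender's side, as an added example (not part of the original post or of the ConfigMgr client): record a hash manifest of the cache and report files whose hash changed afterwards. The function names are hypothetical, the demo runs against a constructed temporary folder instead of %windir%\ccmcache, and it assumes the baseline is stored where a local administrator on the endpoint cannot rewrite it.

```powershell
# Added example, not part of the original post or of the ConfigMgr client.
# Function names are hypothetical.
function Get-CacheManifest {
    # One record per cached file: relative path, SHA-256 and Authenticode state.
    param([string]$CachePath = "$env:windir\ccmcache")
    $root = (Resolve-Path -LiteralPath $CachePath).ProviderPath
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName.Substring($root.Length).TrimStart('\', '/')
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Signed = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status -eq 'Valid'
            }
        }
}

function Compare-CacheManifest {
    # Reports files that exist in both manifests but no longer have the same hash.
    # Files that are new since the baseline are ignored (regular downloads).
    param([object[]]$Baseline, [object[]]$Current)
    $known = @{}   # PowerShell hashtables compare string keys case-insensitively
    foreach ($b in $Baseline) { $known[$b.Path] = $b }
    foreach ($c in $Current) {
        $b = $known[$c.Path]
        if ($b -and $b.SHA256 -ne $c.SHA256) {
            [pscustomobject]@{
                Path      = $c.Path
                Was       = $b.SHA256
                Now       = $c.SHA256
                WasSigned = $b.Signed
                NowSigned = $c.Signed
            }
        }
    }
}

# Demo on a constructed folder: a cached file is overwritten after the baseline.
$cache = Join-Path ([System.IO.Path]::GetTempPath()) "ccmcache-demo-$(Get-Random)"
New-Item -ItemType Directory -Path (Join-Path $cache '1') -Force | Out-Null
$file = Join-Path $cache '1\test1.exe'
Set-Content -LiteralPath $file -Value 'original content'
$baseline = @(Get-CacheManifest -CachePath $cache)

Set-Content -LiteralPath $file -Value 'replaced content'
$current = @(Get-CacheManifest -CachePath $cache)

Compare-CacheManifest -Baseline $baseline -Current $current | Format-List
Remove-Item -LiteralPath $cache -Recurse -Force
```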

Group Policy Security Baselines and Windows as a Service – a Layered Approach

How to align the rollout of the Microsoft Security Baselines Group Policies with the Windows 10 servicing model

Update: Added WMI-Filter for Windows 10 1903

The Problem

Microsoft has released security baselines in the form of a Group Policy backup set for its operating systems in recent years. Many enterprises are using these baselines as a security foundation. With the change of the servicing model and the additional release speed of Windows 10, enterprises have to adopt new settings at a much higher frequency. New security baselines are now available with every release of Windows 10 every 6 months.

Note: If you want to learn more about Windows as a Service look here

The nature of Group Policies where small changes can have a huge impact on your client landscape made it necessary for enterprises to build solid change processes around them to document and verify any change. These processes are normally slow and inflexible which makes it very hard to combine them with the fast speed of new security baselines.

Another challenge for enterprises is the complexity of testing each baseline setting against a variety of several hundred applications. The traditional way was to do this in an OS upgrade project.
First, the complete baseline was activated and then redefined during application testing. But with Windows 10 branch upgrades there are no upgrade projects, and validating a baseline with over 50 changed settings against your client landscape on a regular basis is not a feasible scenario for many companies.

Solution

In order to help the security settings keep up with the speed of the baseline releases, I am using a layered approach.

What does “layered” mean?

I distinguish between two sorts of Group Policies, the Baseline-GPOs and Custom-GPOs. The main difference between these two is that Baseline-GPOs are not changed by me at all. Every setting which differs from the baselines is made in a Custom-GPO.

Another difference between the Baseline-GPOs and the Custom-GPOs is that the baselines are filtered via WMI-Filter to the corresponding Build version of Windows 10. In contrast the Custom-GPOs are filtered to apply on all Windows 10 clients.

The WMI-Filters

We need a WMI Filter for Windows 10 and for every active Build currently used. Microsoft supports the last three Build versions so you should have a maximum of three (maybe four) active builds and WMI-Filters.

WMI Filter for Windows 10 1709

Windows 10
Select * from Win32_OperatingSystem WHERE Version LIKE "10.0%" and ProductType = "1"

Windows 10 1607
Select * from Win32_OperatingSystem WHERE Version LIKE "10.0.14393%" and ProductType = "1"

Windows 10 1703
Select * from Win32_OperatingSystem WHERE Version LIKE "10.0.15063%" and ProductType = "1"

Windows 10 1709
Select * from Win32_OperatingSystem WHERE Version LIKE "10.0.16299%" and ProductType = "1"

Windows 10 1803
Select * from Win32_OperatingSystem WHERE Version LIKE "10.0.17134%" and ProductType = "1"

Windows 10 1809
Select * from Win32_OperatingSystem WHERE Version LIKE "10.0.17763%" and ProductType = "1"

Windows 10 1903
Select * from Win32_OperatingSystem WHERE Version LIKE "10.0.18362%" and ProductType = "1"

The WMI-Filters contain a query about the Windows Version and the ProductType. The latter is defined as follows:

  • 1 – Client Computer
  • 2 – Domain Controller
  • 3 – Member Server

With these filters we make sure that the Windows 10 GPOs will only apply on Windows 10 client devices (of the defined Build Version).
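
To check the filters before attaching them to GPOs, the queries above can be evaluated on a test client. This is an added example, not part of the original post; it assumes PowerShell 3.0 or later, and the function name Test-WmiFilter is made up for illustration.

```powershell
# Added example: evaluate the WMI filter queries from this post on the local machine.
# Group Policy treats a WMI filter as TRUE when its query returns at least one instance.
$filters = [ordered]@{
    'Windows 10'      = 'Select * from Win32_OperatingSystem WHERE Version LIKE "10.0%" and ProductType = "1"'
    'Windows 10 1803' = 'Select * from Win32_OperatingSystem WHERE Version LIKE "10.0.17134%" and ProductType = "1"'
    'Windows 10 1809' = 'Select * from Win32_OperatingSystem WHERE Version LIKE "10.0.17763%" and ProductType = "1"'
    'Windows 10 1903' = 'Select * from Win32_OperatingSystem WHERE Version LIKE "10.0.18362%" and ProductType = "1"'
}

function Test-WmiFilter {
    param([Parameter(Mandatory)][string]$Query)
    # -ErrorAction Stop surfaces WQL syntax errors instead of reporting them as "no match".
    $instances = @(Get-CimInstance -Namespace 'root\CIMv2' -Query $Query -ErrorAction Stop)
    return ($instances.Count -gt 0)
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("Local OS: {0}, Version {1}, ProductType {2}" -f $os.Caption, $os.Version, $os.ProductType)

$results = foreach ($name in $filters.Keys) {
    [pscustomobject]@{ Filter = $name; Applies = (Test-WmiFilter -Query $filters[$name]) }
}
$results | Format-Table -AutoSize

# Sanity checks for the layered design: the generic filter (Custom-GPOs) and
# exactly one build filter (Baseline-GPOs) should match on a managed client.
$generic = ($results | Where-Object { $_.Filter -eq 'Windows 10' }).Applies
$builds  = @($results | Where-Object { $_.Filter -ne 'Windows 10' -and $_.Applies })

if ($builds.Count -gt 1) {
    Write-Warning 'More than one build filter matches; Baseline-GPOs of several builds would apply.'
}
if ($generic -and $builds.Count -eq 0) {
    Write-Warning "No build filter matches version $($os.Version); only the Custom-GPOs would apply."
}
```

The second warning is the case to watch for: a client on a build without an imported baseline receives only the Custom-GPOs, which by design contain the deviations from the baseline and not the baseline itself.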

The Baseline-GPOs

You can download the Baseline-GPOs from here.

I have written a short PowerShell function to import all baselines at once. You just have to export them in one folder and add ‘-Version’ (e.g. ‘-1709’) to the folder name.

extracted baseline

Then change the ExportPath to your folder path in the following script and execute it. You will need to import the Group Policy WMI filter cmdlet module prior to successfully running the script.

The script will create or update the GPOs and name them as you can see in the picture below. Additionally, it will set the corresponding WMI-Filter if it includes the Build number (e.g. 1709).

Imported Windows security baselines

Create the Custom-GPOs

You can create a Custom-GPO for each corresponding type of baseline (Defender, Computer, …) or as I did in the example below just one Custom-GPO for all baselines.

Custom GPO

Linking the GPOs

After having everything in place we can now link the GPOs to the OU(s). In the next picture, you can see the GPO Link order of my Windows 10 OU.

Linked Group Policies

The Custom-GPOs have to be linked with a lower order number or to a Sub-OU so that they apply last and overwrite the Baseline-GPO if needed.

Example

A common baseline setting which many of my customers perceive as too strict is the UAC configuration in the baseline for Standard Users which is set to Automatically deny elevation requests.

UAC Baseline

In the Custom-GPO I changed that setting to Prompt for credentials on the Secure Desktop.

UAC custom setting

As you can see in the screenshot of a Group Policy Result of a Windows 10 1709 client the baselines are applied as described and the UAC setting is overwritten by the Custom-GPO.

Group Policy Result

What is the advantage?

Instead of integrating and validating every single new baseline setting you only have to import the new Baseline-GPOs and the corresponding WMI-Filter.

Microsoft released the baselines when the Windows 10 Build became available in the Semi-Annual-Channel (formerly known as Current Branch for Business). With the release of the Fall Creators Update, the final version of the baselines even became available with the release to the Semi-Annual-Channel (targeted) (formerly known as Current Branch). So, it is very unlikely that you have deployed a large number of clients with the newest build before the baselines are available.

Therefore, when you start to upgrade your clients to the newest build you will automatically test the new baselines along with the new OS Version without an effect on your productive clients.

If you have to change a setting in your Custom-GPOs because of the new baselines, it is very unlikely that this setting will have a negative effect on your existing clients, because it is either a new setting which isn’t applicable to the old builds or it isn’t set in the old baselines. If the latter is the case, you will in most cases set it back to the default value, which already worked.

It also makes it easier to find out which of your settings differ from the baselines. You do not have to compare different GPOs with the baselines. You only have to look at your Custom-GPOs or in a Group Policy Result Report which of the settings are applied from a Custom-GPO.

Create LAPS managed user with SCCM Configuration Item

Microsoft has released LAPS (Local Administrator Password Solution) to easily allow different complex passwords for the local Administrator account on every client. It also allows you to manage a user other than the Built-in Administrator with the Well-Known SID (-500), but it does not create such a user.

In this article, I show you how to configure a SCCM Configuration Item to create such a user with a dynamic password.

Update: I removed an issue in the remediation script which did not always delete the password expiration time in a multi domain environment.

I won’t go into the details of configuring LAPS in your environment, there are already some really good articles about that topic.

The validation script

The validation script checks the following:

  • is LAPS enabled?
  • is LAPS installed?
  • is an Admin Account Name specified in the GPO?
  • Does the Admin Account exist?
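
One way to implement these four checks as a discovery script, shown as an added example that is not the author's script. It assumes the legacy LAPS policy registry key and the default install path of the LAPS client-side extension; the function name Test-LapsManagedAccount is made up for illustration.

```powershell
# Added example, not the author's script. Returns the string "True" only when
# all four checks from the list above pass, so it can be used with a String
# compliance rule that expects the value True.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'   # legacy LAPS policy key (assumption)
$cseDll    = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'     # default CSE install path (assumption)

function Test-LapsManagedAccount {
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # 1. Is LAPS enabled by Group Policy?
    if (-not $policy -or $policy.AdmPwdEnabled -ne 1) { return $false }

    # 2. Is the LAPS client-side extension installed?
    if (-not (Test-Path -LiteralPath $cseDll)) { return $false }

    # 3. Is an admin account name specified in the GPO?
    $name = $policy.AdminAccountName
    if ([string]::IsNullOrWhiteSpace($name)) { return $false }

    # 4. Does the account exist locally? The name is compared on the client side
    #    so the policy value is never concatenated into a WQL query string.
    $account = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { $_.Name -eq $name }
    return [bool]$account
}

# Configuration Manager reads the script output as the discovered value.
Write-Output ([string](Test-LapsManagedAccount))
```

A client where LAPS is not enabled or not installed also returns False here, so the baseline should only be deployed to collections that are in scope for LAPS.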

The remediation script

The remediation script creates a local user with the name specified in the Group Policy and sets a random complex password. After that it deletes the expiration time attribute (ms-Mcs-AdmPwdExpirationTime) from the Active Directory computer object so that LAPS will set a new password on the next policy update. Finally, it triggers a policy update.

It does not add the user to the Administrator group. I recommend doing this with Group Policy.
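
The steps described above could look like the following remediation script. It is an added example and not the author's script; it assumes 64-bit Windows PowerShell 5.1 running as SYSTEM, the legacy LAPS policy registry key, and that the computer account has the LAPS self-permission to write ms-Mcs-AdmPwdExpirationTime.

```powershell
# Added example, not the author's script.
Add-Type -AssemblyName System.Web   # provides Membership.GeneratePassword (.NET Framework)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'   # legacy LAPS policy key (assumption)
$name = (Get-ItemProperty -Path $policyKey -ErrorAction Stop).AdminAccountName
if ([string]::IsNullOrWhiteSpace($name)) {
    throw 'No administrator account name is configured in the LAPS policy.'
}

# 1. Create the local user with a random password. The password is not stored
#    or written to output; LAPS replaces it on the next policy refresh.
if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
    $random = [System.Web.Security.Membership]::GeneratePassword(24, 6)
    $secure = ConvertTo-SecureString $random -AsPlainText -Force
    Remove-Variable -Name random
    New-LocalUser -Name $name -Password $secure -Description 'Managed by LAPS' | Out-Null
}

# 2. Clear ms-Mcs-AdmPwdExpirationTime on this computer's own AD object so that
#    LAPS treats the password as expired and sets a new one.
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
$found = $searcher.FindOne()
if (-not $found) { throw "Computer object for $env:COMPUTERNAME was not found in Active Directory." }
$entry = $found.GetDirectoryEntry()
$entry.Properties['ms-Mcs-AdmPwdExpirationTime'].Clear()
$entry.CommitChanges()

# 3. Trigger a computer policy refresh; the LAPS extension runs as part of it.
& "$env:SystemRoot\System32\gpupdate.exe" /target:computer | Out-Null
```

Until the refresh in step 3 completes, the account carries the random password from step 1, which nobody knows; the retrievable password only exists after LAPS has written its own value to Active Directory.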

Group Policy setting

If you want to manage another local user than the Built-in Administrator you have to configure the following policy setting in your Group Policies:

Computer Configuration\Policies\Administrative Templates\LAPS\Name of the administrator account to manage

Set it to enabled and enter the name of the local account you want to create.

LAPS GPO setting

Configuration Manager

Create Configuration Item

In the SCCM console go to Assets and Compliance - Compliance Settings - Configuration Items and click on Create Configuration Item.

Specify a name and select Windows Desktops and Servers (custom) as type.

Select the Operating system versions you want to support (requires PowerShell).

Click on the New… button.

Specify a name for the setting and select as Setting type Script and as Data type String.

Click on the upper Edit Script… button in the Discovery script area. Then select PowerShell, and copy paste the following script to the script area.

Do the same with the lower Edit Script… button in the Remediation Script area with the following script.

Change to the Compliance Rules Tab and click on the New… button.

Define a Name for the rule and select Rule type Value. Set The value returned by the specified script to Equals, with True as the following value.

Make sure you select the Run the specified remediation script when this setting is noncompliant checkbox.

You can choose the severity of this rule. For me Warning is high enough.

After that you can complete the creation of the Configuration Item.

Create Configuration Baseline

Now you have to create a Configuration Baseline in Assets and Compliance - Compliance Settings - Configuration Baselines.

Choose a Name for the baseline and Add the configuration item you have created earlier.

Deploy Configuration Baseline

After that you can Deploy the Configuration Baseline to a collection.

Please make sure to select the Remediate noncompliant rules when supported and the Allow remediation outside maintenance window check boxes.

In addition, you have to select how often this rule will be checked. I selected once per day.

Test the Configuration Baseline

After successfully deploying the baseline you should check the Configurations Tab in the Configuration Manager Properties Control Panel on one of your clients.

If the rule was not already evaluated press the Evaluate button.

After successfully evaluating the rule it will be shown as Compliant and the user was created.

The LAPS agent now has a target user and will soon change the password of the user and save this new password to the Active Directory object of the computer.

Hints

  • Check the DcmWmiProvider.log if you get any errors executing the baseline. There you can see the real PowerShell error.
  • If you see a message there like the one in the screenshot below you have to configure PowerShell execution policy to Bypass in the Computer Agent section in the Client settings or you have to sign the scripts with a Code-Signing-Certificate.


SCCM CB client push is not working on devices with TP agent

Problem

If you have installed the SCCM agent of a recent Technical Preview Build on a client it is not possible to push the current branch agent to it. I tested this with TP 1706 / CB 1702 and with TP 1707 / CB 1706.

This does not work even if the options Always install the client and Uninstall existing Configuration Manager client before the client is installed are selected.

As you can see in the log the request is skipped because a newer agent version is already installed.

Solution

You have to manually uninstall the Technical Preview agent before pushing from the CB console:

%windir%\ccmsetup\ccmsetup.exe /uninstall