
How to set up local security policy with Intune on Windows 10 1709 with Graph API – Mobile-First Cloud-First

maximios March 23, 2023

Windows 10 1709 introduces a lot of new CSP policies, and one of them is LocalPoliciesSecurityOptions. In this blog post I will show how to configure it by creating a Device configuration profile for Windows 10 and later (Custom OMA-URI Settings).

This will be done on an Azure AD joined Windows 10 device with Intune.

Create a Device configuration profile for Windows 10 and later – Custom OMA-URI Settings

The easy way to create a Custom OMA-URI Settings profile is with the Microsoft Graph API. I have used one of the samples from GitHub:

####################################################

function Get-AuthToken {

    [cmdletbinding()]

    param (
        [Parameter(Mandatory=$true)]
        $User
    )

    # The tenant is derived from the domain part of the user principal name
    $userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
    $tenant = $userUpn.Host

    Write-Host "Checking for AzureAD module..."

    $AadModule = Get-Module -Name "AzureAD" -ListAvailable

    if ($AadModule -eq $null) {
        Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
        $AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
    }

    if ($AadModule -eq $null) {
        write-host
        write-host "AzureAD Powershell module not installed..." -f Red
        write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
        write-host "Script can't continue..." -f Red
        write-host
        exit
    }

    # Getting path to ActiveDirectory Assemblies
    # If the module count is greater than 1 find the latest version

    if ($AadModule.count -gt 1) {
        $Latest_Version = ($AadModule | Sort-Object -Property Version)[-1]
        $aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }

        # Checking if there are multiple versions of the same module found
        if ($AadModule.count -gt 1) {
            $aadModule = $AadModule | select -Unique
        }

        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
    }
    else {
        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
    }

    # Load the ADAL assemblies that ship with the AzureAD module
    [System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
    [System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null

    # Client id of the Microsoft Intune PowerShell application used by the Graph samples;
    # the token is requested for Microsoft Graph with an interactive sign-in prompt
    $clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
    $redirectUri = "urn:ietf:wg:oauth:2.0:oob"
    $resourceAppIdURI = "https://graph.microsoft.com"
    $authority = "https://login.microsoftonline.com/$Tenant"

    try {
        $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority

        # https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
        # Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
        $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
        $userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")

        $authResult = $authContext.AcquireTokenAsync($resourceAppIdURI, $clientId, $redirectUri, $platformParameters, $userId).Result

        # If the accesstoken is valid then create the authentication header
        if ($authResult.AccessToken) {
            # Creating header for Authorization token
            $authHeader = @{
                'Content-Type'  = 'application/json'
                'Authorization' = "Bearer " + $authResult.AccessToken
                'ExpiresOn'     = $authResult.ExpiresOn
            }
            return $authHeader
        }
        else {
            Write-Host
            Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
            Write-Host
            break
        }
    }
    catch {
        write-host $_.Exception.Message -f Red
        write-host $_.Exception.ItemName -f Red
        write-host
        break
    }
}

####################################################

Function Add-DeviceConfigurationPolicy(){

    [cmdletbinding()]

    param (
        $JSON
    )

    $graphApiVersion = "Beta"
    $DCP_resource = "deviceManagement/deviceConfigurations"

    Write-Verbose "Resource: $DCP_resource"

    try {
        if ($JSON -eq "" -or $JSON -eq $null) {
            write-host "No JSON specified, please specify valid JSON for the policy..." -f Red
        }
        else {
            Test-JSON -JSON $JSON

            # POST the profile; $authToken is the header hashtable built by Get-AuthToken
            $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
            Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
        }
    }
    catch {
        # Read the error body returned by Graph so the reason for the failure is visible
        $ex = $_.Exception
        $errorResponse = $ex.Response.GetResponseStream()
        $reader = New-Object System.IO.StreamReader($errorResponse)
        $reader.BaseStream.Position = 0
        $reader.DiscardBufferedData()
        $responseBody = $reader.ReadToEnd();
        Write-Host "Response content:`n$responseBody" -f Red
        Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
        write-host
        break
    }
}

####################################################

Function Test-JSON(){

    param (
        $JSON
    )

    try {
        $TestJSON = ConvertFrom-Json $JSON -ErrorAction Stop
        $validJson = $true
    }
    catch {
        $validJson = $false
        $_.Exception
    }

    if (!$validJson) {
        Write-Host "Provided JSON isn't in valid JSON format" -f Red
        break
    }
}

####################################################

#region Authentication

write-host

# Checking if authToken exists before running authentication
if ($global:authToken) {

    # Setting DateTime to Universal time to work in all timezones
    $DateTime = (Get-Date).ToUniversalTime()

    # If the authToken exists checking when it expires
    # (TotalMinutes rather than Minutes, so a token that expired more than an hour ago is still detected)
    $TokenExpires = [int]($authToken.ExpiresOn.datetime - $DateTime).TotalMinutes

    if ($TokenExpires -le 0) {
        write-host "Authentication Token expired" (-$TokenExpires) "minutes ago" -ForegroundColor Yellow
        write-host

        # Defining User Principal Name if not present
        if ($User -eq $null -or $User -eq "") {
            $User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
            Write-Host
        }

        $global:authToken = Get-AuthToken -User $User
    }
}

# Authentication doesn't exist, calling Get-AuthToken function
else {
    if ($User -eq $null -or $User -eq "") {
        $User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
        Write-Host
    }

    # Getting the authorization token
    $global:authToken = Get-AuthToken -User $User
}

#endregion

####################################################

# Request body for the custom profile. The fields lastModifiedDateTime, assignmentStatus,
# assignmentProgress, assignmentErrorMessage and version are sample values carried over from
# the Graph documentation example and are not needed for the POST.
# Every omaUri must be the full CSP path ./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/<setting>;
# the Accounts_EnableAdministratorAccountStatus entry is corrected here (the original had a
# shortened path and a copy-pasted displayName and description).

$Windows = @"
{
  "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
  "lastModifiedDateTime": "2017-01-01T00:00:35.1329464-08:00",
  "assignmentStatus": "Assignment Status value",
  "assignmentProgress": "Assignment Progress value",
  "assignmentErrorMessage": "Assignment Error Message value",
  "description": "Windows 10 - Custom - LocalPoliciesSecurity",
  "displayName": "Windows 10 - Custom - LocalPoliciesSecurity",
  "version": 1024,
  "omaSettings": [
    {
      "@odata.type": "microsoft.graph.omaSettingInteger",
      "displayName": "Accounts_EnableGuestAccountStatus",
      "description": "0 - local Guest account is disabled",
      "omaUri": "./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus",
      "value": 0
    },
    {
      "@odata.type": "microsoft.graph.omaSettingInteger",
      "displayName": "Accounts_EnableAdministratorAccountStatus",
      "description": "0 - local Administrator account is disabled",
      "omaUri": "./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus",
      "value": 0
    },
    {
      "@odata.type": "microsoft.graph.omaSettingString",
      "displayName": "Accounts_RenameAdministratorAccount",
      "description": "Default: Administrator",
      "omaUri": "./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount",
      "value": "Local-Admin"
    },
    {
      "@odata.type": "microsoft.graph.omaSettingString",
      "displayName": "Accounts_RenameGuestAccount",
      "description": "Default: Guest",
      "omaUri": "./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount",
      "value": "OSD-Guest"
    }
  ]
}
"@

####################################################

Add-DeviceConfigurationPolicy -JSON $Windows
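An added pre-flight check (example code written for this post, not from the post or the GitHub sample it uses) that validates the profile JSON before it is handed to Add-DeviceConfigurationPolicy. The function name Test-LpsoProfile, the $LpsoPrefix variable and the constructed sample JSON are my own; the sample deliberately contains a shortened omaUri (missing the ./Vendor/MSFT/Policy/Config prefix) and a mismatched displayName so the check has something to catch.

```powershell
# Added example (not part of the blog post or the GitHub sample it uses).
# Every LocalPoliciesSecurityOptions OMA-URI must be the full CSP path; a
# shortened path is accepted by Graph but only fails later, on the device.
$LpsoPrefix = './Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/'

function Test-LpsoProfile {
    param ([Parameter(Mandatory = $true)] [string] $Json)
    $body = ConvertFrom-Json $Json -ErrorAction Stop
    $problems = @()
    foreach ($s in @($body.omaSettings)) {
        $uri = [string]$s.omaUri
        if (-not $uri.StartsWith($LpsoPrefix)) {
            $problems += "'$($s.displayName)': omaUri '$uri' is not a full path under $LpsoPrefix"
            continue
        }
        $leaf = $uri.Substring($LpsoPrefix.Length)
        if ($s.displayName -ne $leaf) {
            $problems += "'$($s.displayName)': displayName does not match policy '$leaf'"
        }
        if ($s.'@odata.type' -match 'omaSettingInteger' -and
            $s.value -isnot [int] -and $s.value -isnot [long]) {
            $problems += "'$leaf': integer setting carries non-integer value '$($s.value)'"
        }
    }
    return $problems   # empty means the body is safe to post
}

# Constructed sample: the second entry has a shortened OMA-URI and a
# copy-pasted displayName, the two mistakes this check is meant to catch.
$sample = @'
{ "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
  "displayName": "Windows 10 - Custom - LocalPoliciesSecurity",
  "omaSettings": [
    { "@odata.type": "microsoft.graph.omaSettingInteger",
      "displayName": "Accounts_EnableGuestAccountStatus",
      "omaUri": "./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus",
      "value": 0 },
    { "@odata.type": "microsoft.graph.omaSettingInteger",
      "displayName": "Accounts_EnableGuestAccountStatus",
      "omaUri": "LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus",
      "value": 0 } ] }
'@
$findings = @(Test-LpsoProfile -Json $sample)
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Host "NOT POSTING: $_" -ForegroundColor Red }
} else {
    Write-Host "Profile passed checks, safe to pass to Add-DeviceConfigurationPolicy" -ForegroundColor Green
}
```

Run it against $Windows before calling Add-DeviceConfigurationPolicy; with the sample above it reports one finding for the shortened omaUri.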

When the profile is first deployed to the Windows 10 1709 device, open the Settings app:

Accounts – Access work or school – Connected to "Tenant name" Azure AD – Info

You can see that a policy is applied in the Security area.

In the Advanced Diagnostic Report section, click Create report.

This creates an MDMDiagReport.html file.

In that report you can find the LocalPoliciesSecurityOptions settings that were applied.

There are a lot of other new settings in Local Policies Security Options. Try them out and see which settings make sense in your environment.

Windows 10 1709 is still an Insider version, and APIs under the /beta version in Microsoft Graph are in preview and subject to change. Use of these APIs in production applications is not supported.
