User Profile
Le_Michel
Brass Contributor
Joined 6 years ago
Recent Discussions
Explanation about redirection guard
Hello, I need some explanation about redirection guard. https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-printers#configureredirectionguardpolicy What is the additional protection if this setting is enabled? What kind of attacks are prevented? Regards.
Solved | 6.8K Views | 0 likes | 1 Comment

MBAM group policies to encrypt removable media
Hello, I need help to configure MBAM group policies to encrypt removable storage. It should work like this:
- The user types a password to unlock the drive
- MBAM is used for recovery in case the user forgets the password.
My issue is that when the user turns on BitLocker, he is prompted to save password. But the user has no other location to save password since all local drives are also encrypted. MBAM recovery is enough if the user forgets the password. So there is no need for the user to save recovery information. Is there a way to disable this step?
412 Views | 0 likes | 0 Comments

MECM co-management enrollment not working
Hello, We are trying to enroll devices in Intune using MECM. Devices are Hybrid Azure AD joined. Devices are members of the pilot collection:
CoManagementHandler.log shows the following records:
Auto enrollment agent is initialized. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Could not check enrollment url, 0x00000001: CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Device is not enrolled. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
AAD-Join Info: type = 1 DeviceId = 'DeviceID' TenantId = 'TenantID' JoinUserEmail = 'fooUser@company.com' TenantName = 'Name' EnrollmentUrl = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc' CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Set device to not externally managed CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Could not check enrollment url, 0x00000001: CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Device is not MDM enrolled yet. All workloads are managed by SCCM. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Value of CoManagementFlags retrieved: 0x2001 CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Checking MDM_ConfigSetting to get Intune Account ID CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Expected MDM_ConfigSetting instance is missing, can't retrieve Intune SA Account ID. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Co-Management is disabled. Expect MDM_ConfigSetting instance to be deleted. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Current workload settings is not compliant. Setting enabled = 0, workload = 8193. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Checking MDM_ConfigSetting to get Intune Account ID CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Expected MDM_ConfigSetting instance is missing, can't retrieve Intune SA Account ID. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Updating comanagement registry key to 0x2001 CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
CoManagement flags registry key updated. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Nothing is changed for RS2, keep executing. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Setting co-management RS3 flags CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Nothing is changed for RS3, ENDOK. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Could not check enrollment url, 0x00000001: CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Device is not MDM enrolled yet. All workloads are managed by SCCM. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Value of CoManagementFlags retrieved: 0x2001 CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Could not check enrollment url, 0x00000001: CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Device is not provisioned CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Default CSP is Microsoft Enhanced RSA and AES Cryptographic Provider CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Default CSP Type is 24 CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
Calculating hash with 32772 algorithm using 'Microsoft Enhanced RSA and AES Cryptographic Provider' CSP. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
State ID and report detail hash are not changed. No need to resend. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0)
User 'S-1-5-21-SID' is logged on. CoManagementHandler 12/09/2022 14:00:03 9244 (0x241C)
Check if it's enrollment pending and if it's already enrolled.... CoManagementHandler 12/09/2022 14:00:03 9244 (0x241C)
UserLogon: enrollment isn't pending. CoManagementHandler 12/09/2022 14:00:03 9244 (0x241C)
Released global agent cache. CoManagementHandler 12/09/2022 14:00:03 9244 (0x241C)
There is no scheduled tasks under "EnterpriseMgmt"
Baselines are evaluated like this:
Eventlog shows:
MDM ConfigurationManager: Command failure status. Configuraton Source ID: (SourceID), Enrollment Type: (WMIBridge), CSP Name: (EnrollmentStatusTracking), Command Type: (Clear: first phase of Delete), Result: (./Device/Vendor/MSFT/EnrollmentStatusTracking/DevicePreparation/PolicyProviders/ConfigMgr/LastError).
MDM ConfigurationManager: Command failure status. Configuraton Source ID: (SourceID), Enrollment Type: (WMIBridge), CSP Name: (Policy), Command Type: (Clear: first phase of Delete), Result: (./Device/Vendor/MSFT/Policy/Config/Security/AllowAddProvisioningPackage).
Can someone help?
Solved | 27K Views | 0 likes | 15 Comments

Bitlocker compliance policies and MBAM
Hello, For the moment, we use MBAM to manage BitLocker encryption keys. We would like to use MEM compliance policy to audit encryption of our Windows devices (audit only - no remediation). I would like to know if configuring "Require encryption of data storage on device." or "Require BitLocker" will try to remediate a non-compliant device. I want to avoid a situation where the device is encrypted after remediation and keys are not stored in the MBAM database.
1.3K Views | 0 likes | 3 Comments

master_preferences and Clear Browsing Data on Exit
Hello,
Edge Version 79.0.309.30 (Official build) beta (64-bit)
I'm trying to create a custom master_preferences file to customize clear browser data on exit for new user profiles. My configuration file looks like this:
{"distribution":{"msi":true,"system_level":true,"verbose_logging":true,"msi_product_id":"15DFC7CC-865D-3F20-A979-A7EF2F505E31","allow_downgrade":false}, "clear_data_on_exit":{"browsing_history":false,"cache":true,"cookies":true,"download_history":false,"form_data":true,"hosted_apps_data":true,"passwords":true,"site_settings":true}}
When logging in with a new user and having a look at the settings, nothing is enabled for Clear Browsing Data on Exit. So I look into the user profile and find my Settings (Preferences file):
... "caretbrowsing":{"enabled":false},"clear_data_on_exit":{"browsing_history":false,"cache":true,"cookies":true,"download_history":false,"form_data":true,"hosted_apps_data":true,"passwords":true,"site_settings":true},"countryid_at_install":16965, ...
Now, I manually change one of the settings:
Then have a look at the preferences file:
"browser":{"available_dark_theme_options":"All","clear_data_on_exit":{"cookies":true},"dark_theme":false, ...
<Skip some lines>
"caretbrowsing":{"enabled":false},"clear_data_on_exit":{"browsing_history":false,"cache":true,"cookies":true,"download_history":false,"form_data":true,"hosted_apps_data":true,"passwords":true,"site_settings":true},"countryid_at_install":16965,
So, we have two occurrences of clear_data_on_exit in the preferences file. And only values from the first occurrence are taken into account. For me it looks like a bug (file parsing /update). Can you confirm that:
- The syntax of my master_preferences is correct
- The issue can be reproduced
Kind regards, Michel
1.5K Views | 0 likes | 1 Comment

GPO - Please Allow selective clear browsing data on close
When the group policy setting "Clear browsing data when Microsoft Edge closes" is enabled, it's not possible to specify what has to be cleared. All options are enabled. Is it possible to change that group policy in order to allow to choose items to clear? Kind regards, Michel
7.4K Views | 3 likes | 5 Comments

StartLayout.XML for Office 32 bits or 64 bits
Hello. We use startlayout.xml to define a partial Start Layout for corporate applications like Office 2016. Our main Office Version is Office 2016 - 32Bits but we have some requests for Office 2016 - 64 Bits. On computers where Office 32 bits is replaced by the 64 bits version, tiles are missing from the Start Menu. Is it possible to display the right tiles with a unique startlayout.xml? If it's not the case, how can I apply the right startlayout.xml on the computers?
<start:Group Name="Office Applications">
  <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office16\MSACCESS.EXE" />
  <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office16\EXCEL.EXE" />
  <start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationID="{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office16\ONENOTE.EXE" />
  <start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationID="Microsoft.Office.OUTLOOK.EXE.16" />
  <start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationID="{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office16\POWERPNT.EXE" />
  <start:DesktopApplicationTile Size="2x2" Column="4" Row="2" DesktopApplicationID="{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office16\MSPUB.EXE" />
  <start:DesktopApplicationTile Size="2x2" Column="0" Row="4" DesktopApplicationID="{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office16\lync.exe" />
  <start:DesktopApplicationTile Size="2x2" Column="2" Row="4" DesktopApplicationID="{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office16\WINWORD.EXE" />
</start:Group>
6.6K Views | 0 likes | 4 Comments

Missing office information
Hello, I'm not able to find any Office information in Desktop Analytics. I can see in the demo that information about Office updates is available. But only Windows is shown on my workspace. However, Office Diagnostic data opt-in is successful. Am I missing something? Regards, Michel
515 Views | 1 like | 1 Comment
Recent Blog Articles
Re: Top 10 Networking Features in Windows Server 2019: #9 LEDBAT – Latency Optimized Backgroun
Hello, We made a test in our company. We enabled ledbat++ on SCCM distribution point (running server 2016). We then deployed Windows 10 feature upgrade to average 400 computers located in the sa...
0 likes | 0 Comments