OneDrive Personal – Processing changes

WARNING: This blog post discusses changes to file system permissions. Read and apply at your own risk!!!

I had issues with my OneDrive always stating it’s processing 457 changes. This same message was going on for weeks but I ignored it as I had other things to worry about first.

I finally got frustrated and started to play with settings, using my google-fu, resetting, etc.

What finally worked was resetting the permissions on my folders. Like other technical folks, I reimage or reset my PC often as I use it for testing or want a clean install a few times a year. By doing so, obviously the NTFS permissions change as I get a new local account with a new SID.

From the top root folder, go to Properties, select the Security tab, and choose the Advanced settings.


Change owner to your account and select the Replace all child object option. Double check to ensure you have everything correct and then click Apply. This will take a while based on how many files you have.
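Before replacing the owner on everything, it helps to see which items actually carry an owner SID left over from a previous install. The PowerShell below is an added example, not part of the original post; the function name `Get-StaleOwner` and the default OneDrive path are assumptions.

```powershell
# Added example: report files and folders whose owner SID no longer maps to an account.
function Get-StaleOwner {
    param([Parameter(Mandatory = $true)][string]$Root)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $sid = (Get-Acl -LiteralPath $item.FullName -ErrorAction Stop).GetOwner($sidType)
            # Translate() throws IdentityNotMappedException when no local or
            # domain account matches the SID (e.g. an account from an old install).
            [void]$sid.Translate([System.Security.Principal.NTAccount])
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            [pscustomobject]@{ Path = $item.FullName; Owner = $sid.Value; Issue = 'UnresolvedSid' }
        }
        catch {
            # Typically access denied: the ACL could not be read at all.
            [pscustomobject]@{ Path = $item.FullName; Owner = $null; Issue = $_.Exception.Message }
        }
    }
}

$root  = Join-Path $env:USERPROFILE 'OneDrive'   # assumption: default OneDrive location
$stale = @(Get-StaleOwner -Root $root)

# Summary by issue type, plus a full report to review before changing anything.
$stale | Group-Object Issue | Select-Object Count, Name
$stale | Export-Csv (Join-Path $env:TEMP 'onedrive-owner-audit.csv') -NoTypeInformation

# Command-line equivalent of the GUI steps, run from an elevated prompt
# once the report has been reviewed (gives ownership to the current user, recursively):
#   takeown /F "$root" /R /D Y
```

An empty report means the owners all resolve, and ownership is probably not what is holding up the sync.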


Intune – ADMX-backed admin templates (preview)

We all have been using Group Policies for decades for all of our on-prem domain-joined machines. Now Microsoft has introduced, in preview, ADMX template style settings in Intune.

MS Docs for details. https://docs.microsoft.com/en-us/intune/administrative-templates-windows

  • Assumption is you have some Intune knowledge and know how to assign profiles.

  1. To access the Preview, go into your Azure Portal – Microsoft Intune -> Device configuration – Profiles
  2. Create a new profile
  3. Name your profile, choose Windows 10 or Later as the platform, and Profile type is Administrative Templates (Preview)
  4. In the profile, choose Settings and you will see all the policies available (there are a few pages).
  5. In the filter, search for a policy setting if needed like the screenshot below or sort the columns accordingly.
  6. Select a setting like I have below and choose an option (similar to GPO). For the Excel save setting, I chose the default to be Excel 5.0/95 Workbook so I can see the change (as Excel XLS is default anyways).
  7. In my test I have chosen several different settings.
  8. Assign the profile accordingly to your test group.
  9. Monitor deployment status
  10. Once the settings are applied, check the device for results.

Events from email – disable/change

One of the annoying new features for me in Office 365/Outlook and outlook.com personal is the creation of a calendar event based on email content. Now this sounds great, if you need the additional automation. But as someone who wants to control what’s in the calendar a little more, I need to disable or adjust it. Unfortunately, this can’t be changed in the local Outlook app. You need to log on to Outlook web app.

Go into Settings (sprocket) -> Your app setting -> click Mail.

Once in the options, navigate to the Calendar section and click on Events from email. Here you can disable or configure.


Longer Windows 10 servicing for enterprises and education

In case anyone missed the big announcement yesterday.

Helping customers shift to a modern desktop – Microsoft 365 Blog

In short:

Windows 10 Enterprise customers will get 30 months of support (changed from 18 months). Those on current 1607, 1703, 1709, and 1803 will be extended to 30 months as well.

Future releases for Sept will have 30 months (starting with 1809) and spring releases (starting 1903) will still be 18 months for those that want faster cadences.

This is great news for Enterprise customers. Those on the Pro version might want to reconsider and move to Enterprise unless you can do the 18 months.

There are other announcements but this is the biggest as there were many concerns on the 18 month cycles.

Windows Defender ATP – Onboarding Windows 7 & 8

Supported OS for this post:

  • Windows 7 SP1 Enterprise
  • Windows 7 SP1 Pro
  • Windows 8.1 Pro
  • Windows 8.1 Enterprise

Microsoft’s Windows Defender ATP (WDATP) now supports previous versions of Windows listed above.

If you use System Center Endpoint Protection for Win 7 and 8, you will need to ensure the January 2017 platform update is installed and the SCEP client Cloud Protection Services membership is set to Advanced in the ConfigMgr antimalware policy that is applied to the systems.

For Windows 7 SP1 Enterprise and Pro ensure the following are installed

You will need the Workspace ID and key from the WDATP portal.


Download the MMA agent setup file: Windows 64-bit agent or Windows 32-bit agent.

Once you have downloaded the agent(s), extract them (I use 7-ZIP) and place them in your ConfigMgr source folder so you can add them as an Application. [I am not going to go into details on how to add an Application into ConfigMgr]

The setup.exe or MSI command line parameters to pass are:

| MMA-specific options | Notes |
|---|---|
| NOAPM=1 | Optional parameter. Installs the agent without .NET Application Performance Monitoring. |
| ADD_OPINSIGHTS_WORKSPACE | 1 = Configure the agent to report to a workspace |
| OPINSIGHTS_WORKSPACE_ID | Workspace Id (guid) for the workspace to add |
| OPINSIGHTS_WORKSPACE_KEY | Workspace key used to initially authenticate with the workspace |
| OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE | Specify the cloud environment where the workspace is located: 0 = Azure commercial cloud (default), 1 = Azure Government |
| OPINSIGHTS_PROXY_URL | URI for the proxy to use |
| OPINSIGHTS_PROXY_USERNAME | Username to access an authenticated proxy |
| OPINSIGHTS_PROXY_PASSWORD | Password to access an authenticated proxy |

Example:

setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID=<your workspace id> OPINSIGHTS_WORKSPACE_KEY=<your workspace key> AcceptEndUserLicenseAgreement=1

Deploy the application to the collection that contains your target computers.

Once the agent is installed, you will see Microsoft Monitoring Agent in the Control Panel.

Open the control panel applet and go to the second tab which is Azure Log Analytics (OMS). If there was a successful connection, you will see a green check box.

Within 30 minutes, you will see the computer show up on your WDATP portal.

Run the detection test on the Windows 7/8 computer:

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'

Once the command is executed, in the Portal within a minute or so, you will see the Risk Score change to Medium.

Digging into the machine, you will see the PowerShell command tagged as Suspicious.

If you do not see a green check box in MMA agent:

  • Check proxy and internet connectivity
  • Ensure the workspace ID and KEY are properly entered
  • Install the MMA agent manually on the machine and enter the information.
  • Check command line in your deployment for spelling, spaces, etc.

Configure server proxy and Internet connectivity settings

Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the OMS Gateway.

  • If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:

| Agent Resource | Ports |
|---|---|
| *.oms.opinsights.azure.com | 443 |
| *.blob.core.windows.net | 443 |
| *.azure-automation.net | 443 |
| *.ods.opinsights.azure.com | 443 |
| winatp-gw-cus.microsoft.com | 443 |
| winatp-gw-eus.microsoft.com | 443 |
| winatp-gw-neu.microsoft.com | 443 |
| winatp-gw-weu.microsoft.com | 443 |
| winatp-gw-uks.microsoft.com | 443 |
| winatp-gw-ukw.microsoft.com | 443 |
| winatp-gw-aus.microsoft.com | 443 |
| winatp-gw-aue.microsoft.com | 443 |
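
To check the "proxy and internet connectivity" item from the troubleshooting list against the gateway hosts above, the following PowerShell probes port 443 either directly or through an unauthenticated proxy using an HTTP CONNECT request. It is an added example, not part of the original post; the function name `Test-WdatpEndpoint` and its `-ProxyHost`/`-ProxyPort` parameters are assumptions, and the wildcard entries are not probed because they have no single host name.

```powershell
# Added example: works on PowerShell 2.0 (Windows 7 SP1 default), no extra modules.
function Test-WdatpEndpoint {
    param(
        [string]$HostName,
        [string]$ProxyHost,          # optional; supply your own proxy name
        [int]$ProxyPort = 8080,      # assumption: adjust to your proxy
        [int]$TimeoutMs = 5000
    )
    $target = $HostName; $port = 443
    if ($ProxyHost) { $target = $ProxyHost; $port = $ProxyPort }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($target, $port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'Timeout' }
        $client.EndConnect($pending)
        if (-not $ProxyHost) { return 'Open (direct)' }

        # Ask the proxy for a tunnel; a 200 status line means the host is allowed through.
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $request = [System.Text.Encoding]::ASCII.GetBytes(
            "CONNECT ${HostName}:443 HTTP/1.1`r`nHost: ${HostName}:443`r`n`r`n")
        $stream.Write($request, 0, $request.Length)
        $status = (New-Object System.IO.StreamReader($stream)).ReadLine()
        if ($status -match '^HTTP/1\.[01] 200') { return 'Open (via proxy)' }
        return "Proxy refused: $status"
    }
    catch { return 'Failed: ' + $_.Exception.Message }
    finally { $client.Close() }
}

# Gateway hosts taken from the table above.
$gateways = 'winatp-gw-cus.microsoft.com', 'winatp-gw-eus.microsoft.com',
            'winatp-gw-neu.microsoft.com', 'winatp-gw-weu.microsoft.com',
            'winatp-gw-uks.microsoft.com', 'winatp-gw-ukw.microsoft.com',
            'winatp-gw-aus.microsoft.com', 'winatp-gw-aue.microsoft.com'

$gateways | ForEach-Object {
    New-Object PSObject -Property @{ Endpoint = $_; Result = (Test-WdatpEndpoint -HostName $_) }
} | Format-Table Endpoint, Result -AutoSize
```

A "Proxy refused" result with a 407 status means the proxy requires authentication, which this check does not attempt.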

Office Insider for Corporate/Commercial

Just as Microsoft has the Windows 10 Insider program to allow us to get the latest Windows 10 features that are in preview, the Office team has a similar program.

If you have a Personal Office subscription, you can go into any Office 2016/365 app and go to File -> Account and click the Insider option.

For commercial/corporate, this may not be available as it’s controlled by the installation done by the IT department.

For IT Admins who want to get the Office Insider for themselves, developers, testers, etc. the process is easy.

  1. Uninstall previous Office versions and reboot on any system prior to installing the Insider.
  2. Download the Office Deployment Toolkit
  3. Extract the Setup.exe and Configuration.xml file into its own directory.


  4. Edit the Configuration.xml with notepad or your favorite text editor to read as below

<Configuration>
  <Add OfficeClientEdition="32" Channel="InsiderFast">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
</Configuration>

  5. From an elevated prompt, run Setup.exe /configure configuration.xml

  6. After the installation is complete, open an Office app, such as Word, and go to File > Account. Under the Product Information section, you should see text that includes “Office Insider.”

ConfigMgr 1802 TP: Product Lifecycle Dashboard

The ConfigMgr team has been hard at work on adding features. The Product Lifecycle dashboard (under Assets and Compliance\Overview\Asset Intelligence) can visually show you your installed products and their support time frame.

Hopefully you don’t need this to tell you that you have less than 2 years to get off Windows 7.
