I recently got motivated to research a bit about new MDM settings available in the latest Windows 10 Insider Build (17074) and how to configure them. Settings available in preview Windows 10 versions normally do not have a lot of technical documentation for it or there is even no documentation for a particular feature and corresponding setting at preview release time.
In this post I would like to show how to get the right pieces of information to configure an ADMX-backed policy setting in Windows 10 via Intune OMA-URIs with no technical documentation for it. We need to get all implementation details by our self. My goal is to show some of the inner workings how parts of the MDM policies are implemented and how we can get a deeper understanding of them.
I’ll demonstrate my analysis with some new Windows 10 latest Insider build settings (at time of writing build version 17074) derived from MSSecurityGuide to control SMBv1 on the device. The two settings are:
These settings control the SMB 1.0/CIFS File Sharing Support
How do we get to know this new available settings?
First we have a look at the registry. There is a new place where you can find MDM Policy CSP settings. Group Policy settings are stored in the Policies registry key and MDM Policy CSP settings can be found in the PolicyManager key here:
As we see in the screenshot below there are two different sub keys. One current key and a default key.
Within the current key we find all settings configured for this device by Policy CSP via MDM like Intune. Within the default key we find all available settings for the particular Windows 10 release.
As mentioned the latest Windows 10 version (at time of writing build version 17074) has a sub key for MSSecurityGuide with additional sub keys for ConfigureSMBV1ClientDriver and ConfigureSMBV1Server.
If we have a look at the details, for example of ConfigureSMBV1ClientDriver we see the value name admxMetadataDevice. This gives us a hint that this particular policy is an ADMX-backed policy.
How do we configure it if we don’t know the input values for it?
The way Microsoft implemented the feature ADMX-backed policies is as follows:
A defined set of the default policies which come with the OS in the path C:\Windows\PolicyDefinitions are parsed at OS build time and stored in the MDM store as converted MDM policies. The second way is to ingest custom ADMX files after OS shipment which are then also parsed and stored in the MDM store as MDM policies. I wrote an ADMX file ingestion article for a custom OneDrive ADMX file here: Deep dive ADMX ingestion to configure SilentAccountConfig with OneDrive.
For a thorough understanding everyone should read the Background section of the Microsoft docs article Understanding ADMX-backed policies.
With all that in mind we need to find the original ADMX file for the policy and then we can derive the actual values for configuration because ADMX-backed policies are configured by a schema derived from the ADMX xml file structure.
Luckily I know that the MSSecurityGuide is provided by Microsoft through the Microsoft Security Compliance Toolkit 1.0 and within that package is the Windows 10 Version 1709 Security Baseline.zip. This includes the SecGuide.admx in the subfolder Templates.
Due to public knowledge how to configure ADMX-backed policies we can derive the configuration input values from the SecGuide.admx file. To derive the input values we need to study the article Understanding ADMX-backed policies especially the sections ADMX-backed policy examples and Sample SyncML for various ADMX elements.
To create the OMA-URI we append the registry key MSSecurityGuide and the sub key ConfigureSMBV1ClientDriver to ./Vendor/MSFT/Policy/Config/
Now we need to follow the Sample SyncML for various ADMX elements for proper Enum usage as input value to disable the SMBv1 Client driver
- find enum
- get name from id attribute
- choose value for disable
construct the xml data element with derived values for id and value:
<data id="Pol_SecGuide_SMB1ClientDriver" value="4"/>
The result is the following custom OMA-URI setting:
Name: ConfigureSMBV1ClientDriver OMA-URI: ./Vendor/MSFT/Policy/Config/MSSecurityGuide/ConfigureSMBV1ClientDriver Data type: string Value: <enabled/> <data id="Pol_SecGuide_SMB1ClientDriver" value="4"/>
According to How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server the SMBv1 Server can be controlled by this registry key:
Registry entry: SMB1 REG_DWORD: 0 = Disabled
To disable the SMBv1 Server we need to set the registry value SMB1 = 0 and this is the disabled value in the SecGuide.admx xml file.
The result is the following custom OMA-URI setting:
Name: ConfigureSMBV1Server OMA-URI: ./Vendor/MSFT/Policy/Config/MSSecurityGuide/ConfigureSMBV1Server Data type: string Value: <disabled/>
Now we configure this as a custom OMA-URI in Intune and target it to our user group with Windows 10 Insider builds
How to verify if the settings are correctly deployed?
First of all we can generate a MDM Advanced Diagnostics Report:
Open Settings > Accounts > Access work or school > Connected to TenantName’s Azure AD > Info > scroll down to the bottom and click “Create report”
open the Report MDMDiagReport.html it in Edge and look for:
Second we can check the registry for MDM applied settings:
Third we can verify the SMBv1 LanmanServer > Parameters > SMB1 = 0:
We can query the Windows feature if not enabled via PowerShell:
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
We can verify the SMBv1 Client and Server component via PowerShell:
Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
sc.exe query MRXSMB10
Congratulations you successfully disabled the SMBv1 protocol as recommended in the Security Baseline for Windows 10!
SMBv1 is not installed by default in Windows 10 Fall Creators Update and Windows Server, version 1709
If a Windows 10 Version was upgraded from an earlier edition like RS2 to RS3, SMBv1 is not deactivated, the install state is migrated. SMBv1 will not be installed for fresh RS3 installations. The setting above would enforce uninstall of SMBv1 for migrated devices.
Sorry, me again…
Nice find, just being curious can we also use ADMX ingest to achieve the same, so ingest ADMX content with oma-uri and create an OMA-URI to set the policy >
Second questsion, to disable an ADMX backed policy the value is always [disabled/] ?
Yes you can! See my blog post “Deep dive ADMX ingestion to configure SilentAccountConfig with OneDrive” for an example:
There I ingest the custom OneDrive.admx file and configure it via OMA-URI in the end.
Regarding the second question, if we follow the documentation then yes that’s true:
-> section “Disabling a policy” -> [disabled/]
Feel free to ask anytime! This helps others also when reading the comments. You‘re welcome!