Group Policy

Azure AD Sign-in via Google Chrome and Conditional Access

While testing MFA, Conditional Access and all the other good stuff Azure AD provides, I came across this scenario:

Conditional Access configured to require MFA if the user wasn’t on an Azure AD Hybrid PC, or coming from an internal IP.

User on an Azure AD Hybrid PC, but on an external IP.

User uses Chrome to access a Microsoft resource, and gets challenged despite being on the Azure AD Hybrid PC.

It seems that the sign-in process isn’t aware of the state of the computer when using Chrome, but there is an easy fix: deploy the Windows 10 Accounts extension for Chrome.

This is really easy to do via Group Policy.

  1. If you don’t already have them, get the ADMX Group Policy files for Google Chrome and deploy them into your environment.
  2. Under User Configuration > Policies > Administrative Templates > Google > Google Chrome > Extensions, configure the policy ‘Configure the list of force-installed apps and extensions’.
  3. Change the radio button to Enabled, click ‘Show’ and enter the value for the add-in:

ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx

  4. Do your normal process of configuring the Group Policy object to target the users you want, run a gpupdate and watch the add-in silently turn up in Chrome. The only user impact will be a visible Windows logo to the left of the Google Accounts area in the top bar of Chrome.

Peter van der Woude has documented how to do this via the registry, so read his post if you want info on how to do that, as well as how to then deploy it via Intune and a PowerShell script.

Worth doing if you use Azure AD Connect, and highly recommended if you’re using Conditional Access.
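For anyone who wants to push the same setting without the ADMX files (or to check what the GPO actually wrote), here is an added PowerShell example that is not part of the original post or Peter's script. It writes the registry value the ‘Configure the list of force-installed apps and extensions’ policy maps to; Chrome reads that list as numbered REG_SZ values (“1”, “2”, …), so the function finds the next free slot rather than clobbering other forced extensions, and does nothing if the extension ID is already listed. The HKCU key matches the User Configuration policy used above; swap in HKLM for a machine-wide setting.

```powershell
# Added example (not from the original post): force-install the Windows 10 Accounts
# extension by writing the registry value behind the Chrome policy
# 'Configure the list of force-installed apps and extensions'.
# Chrome reads ExtensionInstallForcelist as numbered REG_SZ values ("1", "2", ...).

$PolicyKey = 'HKCU:\Software\Policies\Google\Chrome\ExtensionInstallForcelist'
$Entry     = 'ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx'

function Add-ChromeForcedExtension {
    param(
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Value
    )

    if (-not (Test-Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }

    # Read every existing slot (value name -> "id;update_url").
    $item     = Get-Item $Key
    $existing = @{}
    foreach ($name in $item.GetValueNames()) {
        $existing[$name] = $item.GetValue($name)
    }

    # Already present? The extension ID is the part before ';'.
    $wantedId = $Value.Split(';')[0]
    foreach ($kv in $existing.GetEnumerator()) {
        if ("$($kv.Value)".Split(';')[0] -eq $wantedId) {
            Write-Verbose "Extension $wantedId already listed as value '$($kv.Key)'"
            return $kv.Key
        }
    }

    # Pick the next free numeric value name so other forced extensions are kept.
    $used = @($existing.Keys | Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ })
    $next = if ($used.Count -gt 0) { ($used | Measure-Object -Maximum).Maximum + 1 } else { 1 }

    New-ItemProperty -Path $Key -Name "$next" -Value $Value -PropertyType String -Force | Out-Null
    return "$next"
}

$slot = Add-ChromeForcedExtension -Key $PolicyKey -Value $Entry
Write-Host "Windows 10 Accounts extension listed at ExtensionInstallForcelist value '$slot'"

# Show what Chrome will pick up (chrome://policy lists the same entries after a policy refresh).
Get-ItemProperty -Path $PolicyKey | Select-Object -Property * -ExcludeProperty PS*
```

Running it a second time returns the existing slot number instead of adding a duplicate, which is the behaviour you want from anything that ends up in a login script or Intune remediation.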

“This page wants to run the following add-on…” won’t go away in Internet Explorer

In the last few weeks, I found that a lot of users were complaining about IE11 on Windows 10 and the prompt “This page wants to run the following add-on”, showing the add-on name and an Allow button:

This webpage wants to run the following add-on ‘Adobe Flash Player’ from Microsoft Windows Third Party Application Compon…

However, clicking the ‘Allow’ button, or using the drop-down arrow to choose ‘Allow for all sites’, did nothing, and the prompt would show again and again.

I ended up working out this was due to the ‘Add-on List’ GPO, the setting I was using to manage which IE add-ons are disabled or enabled: https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy

The policy explicitly states “The ‘Deny all add-ons unless specifically allowed in the Add-on List’ policy setting will still determine whether add-ons not in this list are assumed to be denied.”

However, since a recent update (either Windows 10 1803 or a recent security patch, unsure which!), anything not listed in the Add-on List was being blocked.

Adding the add-on to the list and allowing it with the ‘1’ value fixes the issue for that particular add-on, but it shouldn’t be working this way.

I even tried disabling the Group Policy setting ‘Deny all add-ons unless specifically allowed in the Add-on List’ but that made no difference. That policy also states: ‘If you disable or do not configure this policy setting, users may use Add-on Manager to allow or deny any add-ons that are not included in the ‘Add-on List’ policy setting.’

Something wacky’s going on. If I find out more I’ll update this post, but if you do use the ‘Add-on List’ GPO for Internet Explorer, be aware of this potential issue. You may need to list all your add-ons in the policy to avoid it.

I’ve also updated all my ADMX files for Win10 1803.

Update:

I believe I fixed this by auditing all the IE add-ons and making sure they were allowed. Sometimes an add-on has a prerequisite of another add-on being enabled, so you can’t always trust the message you see.
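Auditing the add-ons by hand through Manage Add-ons on each machine is slow, so here is an added PowerShell example (not from the original post) that does the comparison for you. It reads the ‘Add-on List’ policy from the registry key the ADMX writes (the value name is the add-on CLSID and the data is 0, 1 or 2 for deny, allow, or let the user manage), reads the ‘Deny all add-ons unless specifically allowed’ flag from the same key, then lists the Browser Helper Objects registered on the machine and reports which ones the policy does not explicitly allow. The BHO registry paths are assumed to be the standard ones; ActiveX controls such as Flash are not BHOs, so for those run the same CLSID lookup against the CLSIDs shown in Manage Add-ons.

```powershell
# Added example (not from the original post): audit IE add-ons against the
# 'Add-on List' policy so anything not explicitly allowed stands out.

$PolicyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Ext',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext'
)
# Browser Helper Objects register their CLSIDs here (64-bit and 32-bit views).
$BhoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$StateNames = @{ '0' = 'Denied'; '1' = 'Allowed'; '2' = 'User can manage' }

function Get-IEAddonPolicy {
    $entries  = @{}
    $restrict = $false
    foreach ($p in $PolicyPaths) {
        if (Test-Path $p) {
            $r = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
            # 'Deny all add-ons unless specifically allowed in the Add-on List'
            if ($r.RestrictToList -eq 1) { $restrict = $true }
        }
        $clsidKey = Join-Path $p 'CLSID'
        if (Test-Path $clsidKey) {
            $k = Get-Item $clsidKey
            foreach ($name in $k.GetValueNames()) {
                # Value name is the add-on CLSID, data is "0", "1" or "2".
                $entries[$name.ToUpperInvariant()] = "$($k.GetValue($name))"
            }
        }
    }
    [pscustomobject]@{ RestrictToList = $restrict; Entries = $entries }
}

function Get-InstalledBho {
    foreach ($p in $BhoPaths) {
        if (-not (Test-Path $p)) { continue }
        foreach ($sub in Get-ChildItem $p) {
            $clsid    = $sub.PSChildName.ToUpperInvariant()
            $friendly = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ CLSID = $clsid; Name = $friendly }
        }
    }
}

$policy = Get-IEAddonPolicy
Write-Host "Deny all add-ons unless listed: $($policy.RestrictToList)"
Get-InstalledBho | Sort-Object CLSID -Unique | ForEach-Object {
    $state = if ($policy.Entries.ContainsKey($_.CLSID)) { $StateNames[$policy.Entries[$_.CLSID]] } else { 'NOT IN POLICY' }
    [pscustomobject]@{ CLSID = $_.CLSID; Name = $_.Name; Policy = $state }
} | Format-Table -AutoSize
```

Anything reported as NOT IN POLICY is a candidate for the behaviour described above, and because the prompt names only the add-on IE tried to load last, the dependency it actually needs may be a different row in this output.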

Automate Backup Of Word AutoRecover Files For More Recovery Options

“I’ve lost a document and can’t find it!” is a common phrase that nobody likes to hear. Most people are working in Microsoft Word for their documents, and although it has a bunch of nice features for autorecovering lost work, it doesn’t cover all scenarios.

There’s even a new feature which autosaves your work as you go, as long as the document is in SharePoint Online or OneDrive for Business.

However, it’s still easy for someone to accidentally close a document and say ‘no’ to saving changes, or other scenarios where documents get overwritten with the wrong information. A document management system (DMS) with versioning (such as SharePoint) can help, but I’ve yet to hear of a company that has 100% of their documents at all times in their DMS!

Anyway, after seeing many scenarios of lost work, I thought there might be another method I could implement to help capture lost data. Microsoft Word’s AutoRecover function does work quite well: it keeps an ASD file updated at regular intervals (10 minutes by default), saved in C:\Users\username\AppData\Roaming\Microsoft\Word\ by default. I changed this to 5 minutes rather than 10:

Microsoft Word Options > Save screen

Autorecover will update an ASD file in this folder for each document you have open, on the frequency configured above. That file can get closed or lost depending what the user clicks (again, closing and not saving a document is a scenario that will lose the ASD).

My idea was to back up these ASD files also on a 5 minute interval, giving another avenue to restore lost documents. Because the AutoRecover starts at a random time, a script running every 5 minutes would also start at a random time, and together there’d be a 5 to 10 minute window on copying out the backup files, which isn’t a huge amount of work to lose if someone had been working for hours.

Here’s the PowerShell script I wrote. It first sets a few variables that can be configured, then does a cleanup of previous backups: if they’re more than 2 days old, backup folders are purged, or we’d have an ever-growing amount of backups. The 2 day value in (Get-Date).AddDays(-2) can be changed.

Then it runs a file check to make sure there are ASD files to back up. If not, the script exits. If files exist, it creates the Backup folder, creates a sub folder based on the date/time and then copies the ASD files into that folder.

The format of the folder names is set at the very start of the script, and again can be changed to a different format if you prefer.

 

(note that the File copy section was taken from here). Save the above as a .PS1 script and you’re good to go.

That worked well after a lot of testing, but the next problem was getting it to run on everyone’s computer. Using a Scheduled Task means we can configure it to run however often we like and whenever we like, as well as being able to push out the task via Group Policy. However, you can’t run PowerShell scripts silently just by running a PS1 file when triggered from Scheduled Tasks.

Scheduled Task pushed out via Group Policy

There is a great workaround here which uses a VBS file to trigger the above PS1 script. The VBS component itself runs silently, and in turn runs the PS1 script silently. Here’s a copy of the script in case the link goes dead, but please read the original link for more details:

' Launch each PS1 path passed as an argument through a hidden PowerShell window
Option Explicit
Dim objShell, args, arg, PSRun
Set objShell = CreateObject("Wscript.Shell")
Set args = Wscript.Arguments
For Each arg In args
    ' Quote the path so scripts in folders with spaces still run
    PSRun = "powershell.exe -WindowStyle hidden -ExecutionPolicy bypass -NonInteractive -File " & Chr(34) & arg & Chr(34)
    ' 0 = hidden window, False = don't wait for PowerShell to finish
    objShell.Run PSRun, 0, False
Next

The final catch is then opening an ASD file when you want to recover something. To open a recovered file, in Word go to File > Info > Manage Document > Recover Unsaved Document (if the Info link is greyed out, open a new blank document first). If you had to navigate away from the default location it shows to open the ASD file, you will probably see this error:


Microsoft Word cannot open this file because it is an unsupported file type

As pointed out here, for some reason Word doesn’t like opening the file unless it’s in the special ‘UnsavedFiles’ location. Luckily you can just copy the ASD file into this folder (which by default is C:\Users\%username%\AppData\Local\Microsoft\Office\UnsavedFiles) and then open it as per the above method.

Keep in mind that both the PS1 and VBS files also need to be available to the user, which you may want to push out by Group Policy as well. Just make sure the file called by the Scheduled Task exists, or the users will see an error saying the file can’t be found every single time the task runs.
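If you want to create the Scheduled Task on a test machine before building the Group Policy preference (or would rather deploy it with a script), here is an added PowerShell example that is not part of the original post. It registers a task that runs wscript.exe with the VBS launcher and the PS1 path as its argument, repeating every 5 minutes in the logged-on user’s context. Both file paths are assumptions; point them at wherever you deploy the files. It also refuses to register the task if either file is missing, which avoids the ‘file can’t be found’ error mentioned above firing every five minutes.

```powershell
# Added example (not from the original post): register the 5-minute backup task
# locally with PowerShell instead of a Group Policy preference.
# The two paths are assumed locations; change them to where the files are deployed.

$TaskName   = 'Backup Office AutoRecover Files'
$VbsPath    = 'C:\ProgramData\OfficeRecover\run-hidden.vbs'          # assumed VBS launcher location
$ScriptPath = 'C:\ProgramData\OfficeRecover\Backup-AutoRecover.ps1'  # assumed PS1 location

function Register-AutoRecoverBackupTask {
    param(
        [string] $Name,
        [string] $Launcher,
        [string] $Script,
        [int]    $IntervalMinutes = 5
    )

    # Users get an error on every run if the file the task calls is missing,
    # so do not register the task unless both files are in place.
    foreach ($f in @($Launcher, $Script)) {
        if (-not (Test-Path -LiteralPath $f)) { throw "Required file not found: $f" }
    }

    # wscript.exe runs the VBS silently; the VBS starts PowerShell hidden with the PS1 path.
    $action = New-ScheduledTaskAction -Execute 'wscript.exe' -Argument ('"{0}" "{1}"' -f $Launcher, $Script)

    # Start now and repeat every N minutes.
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes $IntervalMinutes)

    # Run in the user's own context: the AutoRecover files live under their profile.
    $principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive

    # Laptops are the common case, and a copy job should never run for long.
    $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
                                             -ExecutionTimeLimit (New-TimeSpan -Minutes 2)

    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger `
                           -Principal $principal -Settings $settings -Force
}

Register-AutoRecoverBackupTask -Name $TaskName -Launcher $VbsPath -Script $ScriptPath | Out-Null

# Confirm the task exists and when it will next fire.
Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo | Select-Object TaskName, LastRunTime, NextRunTime
```

The task runs as the interactive user rather than SYSTEM deliberately: the script reads and writes only under %APPDATA% and %LOCALAPPDATA%, so it needs no more rights than the user already has.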

Update 20th August 2020

A few more updates: support for PowerPoint, and the backup location changed to the ‘Recover Unsaved Documents’ location so staff don’t need to remember a particular folder. Feel free to post any questions about it.

Thanks Aaron for sanity checking the script!

# Get-Date format reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-date?view=powershell-6
$date = Get-Date -UFormat %Y%m%d%H%M

# Source folders are where each Office app keeps its AutoRecover files.
# Backups go under the 'Recover Unsaved Documents' location so each app can open them directly.
$SourceDir = "$env:APPDATA\Microsoft\Word\"
$backupdir = "$env:LOCALAPPDATA\Microsoft\Office\UnsavedFiles\"
$targetDir = "$env:LOCALAPPDATA\Microsoft\Office\UnsavedFiles\Word\$date"

$SourceDirExcel = "$env:APPDATA\Microsoft\Excel\"
$backupdirExcel = "$env:LOCALAPPDATA\Microsoft\Office\UnsavedFiles\"
$targetDirExcel = "$env:LOCALAPPDATA\Microsoft\Office\UnsavedFiles\Excel\$date"

$SourceDirPowerPoint = "$env:APPDATA\Microsoft\PowerPoint\"
$backupdirPowerPoint = "$env:LOCALAPPDATA\Microsoft\Office\UnsavedFiles\"
$targetDirPowerPoint = "$env:LOCALAPPDATA\Microsoft\Office\UnsavedFiles\PowerPoint\$date"

# Purge backups older than 7 days (change the -7 to keep them longer); Excel .xar files are hidden
Get-ChildItem $backupdir -Recurse | Where-Object CreationTime -lt (Get-Date).AddDays(-7) | Remove-Item -Force -Recurse -ErrorAction SilentlyContinue
Get-ChildItem $backupdirExcel -Recurse -Hidden | Where-Object CreationTime -lt (Get-Date).AddDays(-7) | Remove-Item -Force -Recurse -ErrorAction SilentlyContinue

# Clean up the Backup folders used by the earlier version of this script, if they still exist
Remove-Item "$env:APPDATA\Microsoft\Word\Backup\" -Recurse -Force -ErrorAction SilentlyContinue
Remove-Item "$env:APPDATA\Microsoft\Excel\Backup\" -Recurse -Force -ErrorAction SilentlyContinue

# Find the AutoRecover files: Word .asd, Excel hidden .xar, PowerPoint .tmp
$Filecheck = Get-ChildItem $SourceDir -Filter *.asd -Recurse
$FilecheckExcel = Get-ChildItem $SourceDirExcel -Filter *.xar -Hidden -Recurse
$FilecheckPowerPoint = Get-ChildItem $SourceDirPowerPoint -Filter *.tmp -Recurse

# Only create a dated folder when there is something to copy into it
if ($Filecheck) {
    New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
    $Filecheck | Copy-Item -Destination $targetDir -Force
}

if ($FilecheckExcel) {
    New-Item -ItemType Directory -Path $targetDirExcel -Force | Out-Null
    $FilecheckExcel | Copy-Item -Destination $targetDirExcel -Force
}

if ($FilecheckPowerPoint) {
    New-Item -ItemType Directory -Path $targetDirPowerPoint -Force | Out-Null
    $FilecheckPowerPoint | Copy-Item -Destination $targetDirPowerPoint -Force
}

Outlook 2016 Secondary Mailbox Cached Mode

After migrating to Outlook 2016 from 2010, I noticed this inconsistency.

If you use secondary mailboxes in Outlook, you’re probably going to want them in Online Mode rather than Cached Mode. With Cached Mode on, an OST file is created for each extra mailbox you add, and you’ll hit performance issues if you have over 500 folders across all the mailboxes added to the account.

One of the ways to avoid these performance issues is turning off ‘Download shared folders’ in the mailbox settings:

‘Download shared folders’ disabled

This can be done manually, or company wide with the Group Policy setting “Disable shared mail folder caching” found in User Configuration / Administrative Templates / Microsoft Outlook 2016 / Outlook Options / Delegates. Enabling this will disable and grey out the option as per the screenshot above.

However, I was previously doing this through the registry setting ‘CacheOthersMail’ under HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\outlook\cached mode, with the value set to 0. This worked fine on Outlook 2010 I believe, but in 2016 it did something slightly strange. Although clicking on a secondary mailbox’s folders showed they were in Online Mode, with the status bar showing ‘Online’, the ‘Download shared folders’ tickbox was still enabled. I’ve confirmed this on both CTR and MSI versions of Office 2016.

At first I thought nothing of this, as it seemed to be working as intended. However, after a while I worked out that having it configured this way led to performance issues, and people who had over 500 folders had cases where the inbox would stop updating. Changing the tickbox setting resolved the issue, despite the secondary mailboxes showing as ‘Online’ both before and after the change. I didn’t dig into this any further so I can’t explain what was actually going on, but at a guess it was still doing some sort of sync or connection on each folder despite it being in Online Mode.

My advice is: make sure the ‘Download shared folders’ tickbox is off, rather than just checking that the folders show as ‘Online’. If you really need a secondary mailbox in cached mode but want it disabled by default, you could add it as a separate mailbox account, which will have its own cached mode settings.


Controlling Microsoft Store Access

If you’re managing a fleet of computers in a business, you may not want users being able to access everything in the Microsoft Store. Having users a few clicks away from installing ‘Slotomainia’ or ‘Ninja World’ might not be what you want readily available on a business computer. You may also not want other services that can contribute to data leakage, or shadow IT type solutions that users decide to adopt.

As long as you are running Windows 10 Enterprise or Education, you can completely disable the Microsoft Store functionality, either by using AppLocker to maintain a whitelist of allowed packaged apps, or by using Group Policy to enable “Turn off Store application” under Computer Configuration > Administrative Templates > Windows Components.

For Windows 10 Pro and Home users this won’t work, so you’ll have to try other methods, such as uninstalling the Windows Store on each PC with the PowerShell command Get-AppxPackage *windowsstore* | Remove-AppxPackage

Disabling the Microsoft Store entirely is one option, but you may find that your users need a few of the Microsoft Store apps. For this scenario (again only for Enterprise and Education, and you’ll need Office 365 or Azure AD), you can instead have a Private Store. This is enabled again in Group Policy, using the setting “Only display the private store within the Microsoft Store app”, again under Computer Configuration > Administrative Templates > Windows Components.
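Because the two policies above are silently ignored on Pro and Home, a green tick in the GPO report doesn’t prove the Store is actually locked down on a given PC. Here is an added PowerShell example (not from the original post) that reports the effective state on the local machine: it reads the edition, the values the ‘Turn off Store application’ and ‘Only display the private store’ policies write under the WindowsStore policy key, and whether the Store package is still installed, then says which of the three controls is really in effect. Edition names are matched on the standard EditionID strings; the rest uses only the registry values and cmdlets named in the post.

```powershell
# Added example (not from the original post): report whether Store access on this
# machine is really controlled, taking the Enterprise/Education caveat into account.

$StorePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'

function Get-StoreAccessState {
    # EditionID is e.g. Enterprise, EnterpriseS, Education, Professional, Core
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $policy  = if (Test-Path $StorePolicyKey) { Get-ItemProperty $StorePolicyKey } else { $null }

    $storeOff    = [bool]($policy -and $policy.RemoveWindowsStore -eq 1)       # 'Turn off Store application'
    $privateOnly = [bool]($policy -and $policy.RequirePrivateStoreOnly -eq 1)  # 'Only display the private store...'
    $storeApp    = Get-AppxPackage -Name 'Microsoft.WindowsStore' -ErrorAction SilentlyContinue

    # Pro and Home ignore both policies, so a configured value there gives false comfort.
    $policyHonoured = ($edition -like 'Enterprise*') -or ($edition -like 'Education*')

    $effective = if (-not $storeApp) {
        'Store app removed (Remove-AppxPackage)'
    } elseif ($policyHonoured -and $storeOff) {
        'Store turned off by policy'
    } elseif ($policyHonoured -and $privateOnly) {
        'Private store only'
    } elseif ($storeOff -or $privateOnly) {
        'Policy configured but IGNORED on this edition'
    } else {
        'Full Store access'
    }

    [pscustomobject]@{
        Edition             = $edition
        PolicyHonoured      = $policyHonoured
        TurnOffStorePolicy  = $storeOff
        PrivateStoreOnly    = $privateOnly
        StoreAppInstalled   = [bool]$storeApp
        EffectiveState      = $effective
    }
}

Get-StoreAccessState | Format-List
```

The ‘Policy configured but IGNORED’ line is the case worth catching in an audit: the GPO applied, the registry values are there, and the user can still install whatever they like.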

The Microsoft Store will look pretty bare at this stage (I see the 5 apps in the screenshot below by default), so you’ll want to add or remove some apps. This is done online, Enterprise customers go to https://businessstore.microsoft.com and education customers go to https://educationstore.microsoft.com. You’ll need to sign in with an account that’s an Azure AD or Office 365 Global Administrator, but can then grant access to others.

To add an app, under ‘Shop for my group’ you can search or click through the options to find the app you’re after (I’ve chosen Microsoft To-Do for this example). Going onto the app’s page will give you a button that says ‘Get the app’. Once you click that, you’ll see the message “Microsoft To-Do has been purchased and added to your inventory.” After you’ve done that, go to the “Manage” tab and then the “Products and Services” option on the right hand side. Find the app, click the ellipsis (…) and choose “Add to private store”.

You will finally see a message saying that the app has been added to your store, but may take up to 36 hours* to show.

There’s also the option to assign an app to a user. This is only needed if it’s a licensed or paid-for app that you want to give only to certain users; you may have bought 10 copies of a particular Windows Store app and need to control who has access to it.

It’s worth having a look through the other options on this page, as you can control settings such as letting users make purchases, what your organisation will be called in the Microsoft Store app, and whether you get invoices for the store via email.

Overall the Private Microsoft Store is rather easy to set up, lets you give users self-service access to apps that you allow, and gives you an easy way of letting someone install a Microsoft Store app in the future without having to enable the entire store.

*Update 2nd August 2018

There’s been a great improvement to the 36 hour wait: it’s now within 15 minutes! More details here