Is there a CSP for Intune to configure Screensaver Timeout? - mdm

I've been looking for a while through the Intune and CSP documentation for a way to configure the screensaver timeout on our managed Windows 10 devices.
I'd like to set it to X minutes where X is 5 in some cases and 15 in others.
Doesn't look like it exists yet, from what I can see.
I expected it to be under Policy CSP or Personalization CSP but I couldn't locate it there.

Profiles > Endpoint Security -> Local device security options -> Interactive Login -> Minutes of lock screen inactivity until screen saver activates

Related

How to set PowerShell's Default Browser, e.g. when opening MS auth popup

OK so this is a tough one, because googling "set powershell Default Browser" only returns results for setting the system default browser in PowerShell. What I want to do is change which browser PowerShell uses to open an auth prompt when I attempt to use the Exchange Online Management module. I need to change it because I set "use always" when I chose Edge the first time it popped up, then received a message that Edge is blocked by your administrator. (Weirdly, Edge is not blocked normally, only in this context.) I'm running PowerShell as local PC admin. (Could this be an Azure/M365 policy blocking Edge launch from PowerShell? Intune managed device.) I need to change it to Chrome.
Using PS7 as 5 just told me "browser unsupported" (guessing it defaults to IE)
Thanks
Tried numerous Google searches with varying wording, still getting the same results about the system default browser.
Checked the properties of PowerShell, no browser settings apparent unless I'm blind.

Prompting of credentials on Edge browser despite already logged in on client PCs

Some background:
We were accessing our RSA Archer application on IE 11 via SSO, and all has been well. But we are required to move on to Edge browser, and that's where we started having the Windows Security credential prompt coming out, whenever we tried to access the application on Edge browser.
The strange thing is, the application is able to load up on Edge properly, in the logged in state, and then the prompt will appear. We can just click on Cancel to close the prompt and we are able to use the application normally. All end users on their client PCs encountered the same problem.
We want to remove the credentials prompt. The RSA support team has confirmed it is not an issue of their product, since there's no problem over at IE. What we have done on our end on the servers:
Enabled SSL on our load balanced environment
Updated the web.config file of the application with the entry below:
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
Configured IIS settings to allow Anonymous Authentication instead of Windows Authentication for the application pages.
Will greatly appreciate some assistance or suggestions on how to move forward. Thanks!
Addon after investigation:
After finally being able to investigate via the development tool for this, we discovered that apparently the behavior of some components / JavaScripts was different on IE / Edge.
On IE, if the components / JavaScripts took too long to load, it will fail (status 304) and retry again until it succeeded (status 200).
On Edge, instead of failing, it will go into "Pending", and then the credentials prompt pops up, and usually there's more than one prompt. We suspect the number is based on the number of pending components / JavaScripts that are in "Pending". Clicking on Cancel on the prompt will cause the components to not load (status 304), and no retry will happen like in the case of IE.
Able to advise what's wrong? Is there a timeout in the Edge settings?
Open Edge's developer tools, go to the Network tab and see which request (URL) is prompting you for credentials. Then you can see what IIS has configured for its security.

How to debug the Citrix ICA error "The session limit has been reached"?

Apologies in advance for somewhat vague information. I am new to Citrix XenApp/XenDesktop technology and am just looking for generic troubleshooting information.
At my place of employment we have kiosks that are configured to connect to a SaaS webapp. These kiosks have either Citrix XenApp or XenDesktop installed.
One of the icons launches the IE browser that connects to the SaaS app using a preconfigured user account. Sometimes, however, instead of launching the browser, the system displays the "The session limit has been reached. Please contact your system administrator." error shown in the image below.
The people administering these kiosks think that this message comes from the SaaS web application but that application does not enforce any limits on how many sessions are open for a given account under a given time.
Also considering how Citrix XenApp/XenDesktop works I would think (but maybe I am wrong) that if the SaaS app did reject a user login, we would be displayed an error message in Internet Explorer instead of this ICA prompt.
So I think that the issue here could be that the message is not about login sessions made to the background SaaS app but either about Citrix sessions or perhaps previous IE browsers somehow running in the background(?)
However our company's Citrix team looked at this and noticed that "Citrix was still active" when this prompt was displayed. The conclusion was then that Citrix is for that reason not the cause here.
So I wanted here to ask some questions on what things I could consider as causes and where I could look in the hopes of getting started on this issue.
This would be for XenApp / XenDesktop 7.18.
The questions I have:
Does XenApp / XenDesktop have log files that can be consulted for debugging issues like this?
Is it possible to get XenApp / XenDesktop to run in debug mode (to output more details to the log files)?
Does Citrix have configuration settings that could lead it to have an issue like this?
A. First check the event logs and see whether any events are generated when you face this issue.
B. Also you can check the ICA configuration tool for session settings and check whether the session settings are set to NEVER.
C. The ICA listener configuration tool is located at Start > All Programs > Citrix > Administration Tools > ICA Listener Configuration.
You are on the right track with the SaaS application itself reporting the error. If this Citrix session was already active when the icon was clicked again and the preconfigured user was already logged into the SaaS application, that would account for this error. To investigate, log out of the Citrix session and try clicking the icon again, or check the SaaS application to see if that preconfigured user is already connected.
Is the same user used for all these kiosks or is each kiosk supposed to have a unique user? Can this preconfigured user log in multiple times?

'DefaultAppPool' is being automatically disabled due to a series of failures

Having a tough time with this issue. Not sure how but my ApplicationPoolIdentity is broken.
Currently I'm running IIS 8 on Windows 8 with Visual Studio 2012. When trying to debug an application from Visual Studio, or just navigating to the site in a browser I get the following error logged and a 503 error.
Application pool 'DefaultAppPool' is being automatically disabled due to a series of failures in the process(es) serving that application pool.
If I check out the Application error logs, I find the following error from the User Profile Service.
Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly.
DETAIL - The system cannot find the path specified.
Upon looking into the details I find that the User Profile Service is trying to load up a profile with the Id
S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
Now I opened up the registry to try and find the profile with that UserId. However there's nothing in the Profile list that helps.
So digging around a little more I've found that this issue can be resolved by either
A) Set the Load User Profile of the Application Pool to false.
B) Use a different account for the application pool.
C) Fix the account.
Seeing how this is the built-in account, I'd prefer to fix the issue rather than fix the symptom.
What I have tried
aspnet_regiis -i
Removing IIS from windows and reinstalling.
Attempted to follow the guide here but I don't know the account password :P
My hunch
Somehow the ApplicationPoolIdentity got messed up. Are there any physical folders for the built-in accounts? I know that the Network and Local service profiles' physical directories exist at C:\Windows\ServiceProfiles\. Is it possible to recreate the ApplicationPoolIdentity profile? Or am I way off on what the real issue is?
C) Here is what I did to fix the account
Go in regedit at key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
There is a setting called "Default". You have to make sure that the data value points to an existing directory on the drive.
By default it contains "%SystemDrive%\Users\Default". In my company the default is changed to a custom profile. Somehow, someone deleted that user profile. So when the DefaultAppPool user tried to create an account for himself, it was unable to do so because Windows cannot provide him with a default user profile.
You can also diagnose this error when looking at the Event Viewer under the Application folder. You will get a message of that type:
Windows cannot find the local profile and is logging you on with a
temporary profile. changes you make to this profile will be lost when
you log off.
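The check described in the answer above can be scripted. This is an added example, not code from the original answer: it reads the stored `Default` value under `ProfileList`, expands it, tests whether the directory exists, and does the same for the per-SID profile entry of the pool identity. The pool name `DefaultAppPool` is taken from the question; the helper names `Get-RawRegistryValue` and `Test-ProfilePath` are hypothetical.

```powershell
# Added diagnostic sketch (not from the original answer). Run elevated on the IIS host.
# Assumption: the failing pool is 'DefaultAppPool'; change $PoolName for another pool.
$PoolName    = 'DefaultAppPool'
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-RawRegistryValue {
    param([string]$Path, [string]$Name)
    # Read the value without expanding %SystemDrive% etc., so the stored text is visible.
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    (Get-Item -LiteralPath $Path -ErrorAction Stop).GetValue($Name, $null, $noExpand)
}

function Test-ProfilePath {
    param([string]$Label, [string]$RawPath)
    if ([string]::IsNullOrWhiteSpace($RawPath)) {
        return [pscustomobject]@{ Check = $Label; Stored = '<missing>'; Expanded = $null; Exists = $false }
    }
    $expanded = [Environment]::ExpandEnvironmentVariables($RawPath)
    [pscustomobject]@{
        Check    = $Label
        Stored   = $RawPath
        Expanded = $expanded
        Exists   = Test-Path -LiteralPath $expanded -PathType Container
    }
}

# 1. The template profile that new profiles (including the pool identity's) are created from.
$results = @(Test-ProfilePath 'ProfileList\Default' (Get-RawRegistryValue $ProfileList 'Default'))

# 2. The pool's virtual account: resolve its SID and look for a per-SID profile entry.
$account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$PoolName")
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sidKey  = Join-Path $ProfileList $sid
if (Test-Path -LiteralPath $sidKey) {
    $results += Test-ProfilePath "ProfileList\$sid" (Get-RawRegistryValue $sidKey 'ProfileImagePath')
} else {
    # No per-SID key means no profile has been created for this identity yet.
    $results += [pscustomobject]@{ Check = "ProfileList\$sid"; Stored = '<no key>'; Expanded = $null; Exists = $false }
}

$results | Format-Table -AutoSize -Wrap
```

A row with `Exists` set to `False` for `ProfileList\Default` matches the situation the answer describes, where the template profile directory had been deleted.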

Why is services.exe changing the Event Log retention policy?

I have a server running Windows 2003 R2 Enterprise Edition with Service Pack 2. I reset the Application Event Log Retention policy within EventVwr (right-click on Application, click the radio button next to "Overwrite events as needed".) A few hours later, somehow this setting got reset to "Overwrite events older than 7 days." This happened several times, so I started up RegMon to monitor what was changing this setting. The setting is located at HKLM\System\CurrentControlSet\Services\EventLog\Application\Retention. I found out that services.exe is changing this setting on a regular basis. Can anyone tell me why services.exe would be automatically changing the Event Log retention policy, and how I can make it stop doing that?
The usual cause for this would be that the machine is part of a domain and Group Policy is being pushed down and applied by something running within services.exe.
That said - you'd probably be better asking this question at serverfault.com =)