Revise your OneDrive (Sync) restrictions when shifting to a Modern Workplace!

OneDrive client is unable to sync your folders.

What is a modern workplace these days without your personal or group data synced to OneDrive, taking full advantage of everything Microsoft’s cloud storage has to offer!? One of the most requested features is silently configuring your OneDrive client to automatically synchronize your (personal) data.

Silent configuration

Over time the silent configuration of OneDrive for Business has improved. In the early days we relied on semi-automatic methods: registry keys and scripts by Per Larsen, old school group policies, or custom OMA-URI policies to do the magic. Nowadays OneDrive can easily be configured using Administrative Templates (31 settings) via Microsoft Intune (almost the same as GPO, but wrapped in a modern UI called Microsoft Intune 😉).

Setting name                                                                    State    Setting type  Path
Prevent users from redirecting their Windows known folders to their PC          Enabled  Device        \OneDrive
Silently move Windows known folders to OneDrive                                 Enabled  Device        \OneDrive
Silently sign in users to the OneDrive sync client with their Windows cred..    Enabled  Device        \OneDrive
OneDrive for Business client configuration using Microsoft Intune Administrative Templates.

Modern Workplace

Last week I was preparing a modern workplace demo, fully automated and managed from the cloud. This puts Windows Autopilot on the menu, including automatic enrollment & management, encryption, policies, software deployment and… silent configuration of the OneDrive for Business client.

Challenge

But what if silent configuration isn’t working as expected? This can become challenging where the traditional and the modern workplace come together: you can end up in a situation where they simply do not fit. This is the case when OneDrive sync is restricted to managed computers that are joined to specific (Active Directory) domain(s).

It’s a no-brainer to opt in for automatically (silently) configuring the OneDrive for Business client. But in this case the OneDrive for Business client configuration was far from silent, if you ask me! We ran into a challenge where the OneDrive for Business client wouldn’t be configured silently. Even when we tried to configure OneDrive sync manually, we didn’t succeed and ran into the following error: “Sorry, OneDrive can’t add your folder right now“. So I reached out and contacted support 😉

OneDrive is restricted from syncing to only specified AD domains only.

Root cause

After some research I came across a blog by Chen Tian Ge, who used Fiddler to break down a similar scenario. So after installing Fiddler myself, it was clear to me what caused the problem; I had found the undisputed proof. The reason for the failure is that the customer had implemented OneDrive sync client restrictions based on (AD) domain GUIDs. The modern workplace, of course, did not meet the domain GUID requirement, because the device is joined to Azure AD instead of to an AD domain.

Reproducing the root cause using sync restrictions based on (AD) domain GUID’s.

Restrict OneDrive syncing to specific domains

This feature works fine for computers which are joined to an Active Directory (AD) domain, but causes challenges when shifting to a modern workplace joined to Azure Active Directory (Azure AD).

[Screenshot of the OneDrive admin center, Sync page: “Use these settings to control syncing of files in OneDrive and SharePoint.” The option “Allow syncing only on PCs joined to specific domains” is enabled, with the instruction “Enter each domain as a GUID on a new line.” and a domain GUID entered; the options “Block sync on Mac OS” and “Block syncing of specific file types” follow.]
Restrict OneDrive from syncing to specific (AD) domains.
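The following read-only check, added here as an example and not taken from the original post, shows on a Windows 10 device why the domain GUID restriction above cannot be met by an Azure AD joined device: it reads the join state from dsregcmd, the silent-configuration policy values that the Intune Administrative Templates write, and, on an AD joined device, the AD domain GUID an admin would compare against the allowed list. The registry path and value names are the documented OneDrive policy values; the output wording is my own.

```powershell
# Added example (not from the original post): read-only diagnostic for the
# "allow syncing only on PCs joined to specific domains" restriction.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

# 1. Join state, taken from dsregcmd /status (built into Windows 10).
$status        = dsregcmd /status
$azureAdJoined = [bool]($status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
$domainJoined  = [bool]($status | Select-String -Pattern 'DomainJoined\s*:\s*YES')
Write-Host "AzureAdJoined=$azureAdJoined  DomainJoined=$domainJoined"

# 2. The three silent-configuration settings from the Administrative Templates,
#    as the OneDrive ADMX writes them to the policy key.
$policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
$silentConfig = [ordered]@{
    'Silently sign in users (SilentAccountConfig)'       = $policy.SilentAccountConfig
    'Silently move known folders (KFMSilentOptIn)'       = $policy.KFMSilentOptIn
    'Prevent redirecting known folders (KFMBlockOptOut)' = $policy.KFMBlockOptOut
}
foreach ($entry in $silentConfig.GetEnumerator()) {
    $value = if ($null -eq $entry.Value) { '<not set>' } else { $entry.Value }
    Write-Host ('{0,-55} {1}' -f $entry.Key, $value)
}

# 3. Which identity the tenant-side sync restriction can actually match.
if ($domainJoined) {
    try {
        # objectGUID of the computer's AD domain: the value an admin enters in the
        # "Allow syncing only on PCs joined to specific domains" list
        # (the same GUID Get-ADDomain reports as ObjectGuid).
        $domainEntry = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().GetDirectoryEntry()
        Write-Host "AD joined; domain GUID expected in the allowed list: $($domainEntry.Guid)"
    } catch {
        Write-Warning "AD joined, but the domain GUID could not be read (no DC reachable?): $($_.Exception.Message)"
    }
} elseif ($azureAdJoined) {
    Write-Warning ('Azure AD joined only: there is no AD domain GUID to match, so a tenant-side ' +
                   'domain GUID restriction blocks sync ("Sorry, OneDrive can''t add your folder right now"). ' +
                   'Scope device trust with Conditional Access / Intune compliance instead.')
} else {
    Write-Warning 'Neither AD nor Azure AD joined: join-based sync restrictions cannot apply here.'
}
```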

Conditional Access

The underlying reason for implementing these controls is to make sure companies remain in control of where their corporate data goes, and to prevent it from ending up on unmanaged or non-compliant devices. “Allow syncing only on computers joined to specific domains” works for AD joined devices, but doesn’t fit a (native) modern workplace that is Azure AD joined.

[Screenshot of a new Azure AD Conditional Access policy: Assignments (Users and groups: All users; Cloud apps or actions: 1 app included; Conditions: 4 conditions selected), Access controls (Grant: 3 controls selected; Session: 0 controls selected). The “Cloud apps or actions” blade shows Include > Select apps with “Office 365 SharePoint Online” selected, with the note “Selecting SharePoint Online will also affect apps such as Microsoft Teams, Planner, Delve, MyAnalytics, and Newsfeed”.]
Azure AD Conditional Access provides tailored controls to address your corporate needs.

The Conditional Access control capabilities in Azure AD offer simple ways to secure resources in the cloud. The OneDrive for Business client works with Conditional Access policies to ensure syncing is only done from managed and/or compliant devices. For example, you might require sync to be available only on domain-joined devices or on devices that meet compliance as defined by Microsoft Intune.

Alongside Conditional Access, Microsoft Cloud App Security (MCAS) can be used to implement complementary data leak prevention (DLP) policies to make sure you stay in control no matter where your corporate data goes. 

Get out of the old, get in with the new

Shifting from a traditional to a modern workplace isn’t just a matter of migrating what you have today; it is a real transformation. Controls that worked well for many years in a traditional environment are often superseded by modern solutions that work better and meet the revised needs and standards of a modern workplace.

Happy & safe syncing!

Sources

Featured

Microsoft keeps its Password-less promise and ships native FIDO2 support to Azure AD & Windows 10

Microsoft continues to deliver on its password-less promise and introduces native FIDO2-based authentication to Windows 10 & Azure AD.

“There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”

Bill Gates, RSA 2004

Continue reading “Microsoft keeps its Password-less promise and ships native FIDO2 support to Azure AD & Windows 10”

Microsoft Defender ATP’s diary: From a SecAdmin’s Perspective

This blog post is an introduction of a series of blogs to cover the game changing risk-based approach Microsoft Defender ATP offers to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.

As mentioned in “The evolution of Microsoft Threat Protection” by Debraj Ghosh, PM of Microsoft Threat Protection, security in general comes with two responsibilities: 1) Security Operations (SecOps) and 2) Security Administration (SecAdmins).

SecOps act by incident response via a centralized alert view and powerful hunting capabilities enabling ad-hoc investigations.

SecAdmins will gain the visibility, control, and guidance necessary to understand and act on the threats currently impacting their organization, as well as information on past and future threats.

In this series of blogs I will focus exclusively on the responsibility of a SecAdmin and all aspects that Microsoft Defender ATP has to offer in that regard. Therefore we kick off this series with Configuration Management and Threat & Vulnerability Management.

Continue reading “Microsoft Defender ATP’s diary: From a SecAdmin’s Perspective”

Moving away from passwords with Windows 10, Windows Hello for Business & Microsoft Intune

In 2004, long before we went online massively and concepts like phishing or ransomware were on the rise, Bill Gates predicted the demise of passwords at that year’s RSA Conference, saying “they just don’t meet the challenge for anything you really want to secure.”

For years, we’ve been discussing the vulnerabilities of passwords (80 percent of security breaches are down to stolen passwords & credentials) and the need to ditch them for more robust & secure solutions. Many initiatives have been launched like Microsoft’s CardSpace, the Higgins project, the Liberty Alliance, NSTIC, the FIDO Alliance and various Identity 2.0 proposals. All with the explicit goal of eliminating passwords.

Continue reading “Moving away from passwords with Windows 10, Windows Hello for Business & Microsoft Intune”

Windows Defender ATP: Onboarding your Windows 10 endpoints, do it the right way!

In the early days of onboarding Windows 10 endpoints to Windows Defender ATP you had to define a custom device configuration policy via Intune, in order to enable and register your Windows Defender ATP agents at scale.

Onboard Windows Defender ATP via custom device configuration policy.

Continue reading “Windows Defender ATP: Onboarding your Windows 10 endpoints, do it the right way!”

Unleash your Azure CSP subscription for Cloud Management Gateway deployments

The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients on the internet. By deploying the CMG as a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet ‘without’ additional (on-premise) infrastructure.

Merged_Azure_CSP_and_Visual_Studio_subscription

Create & deploy cloud services with an associate Azure subscription.

However, there is a limitation when deploying CMG using Azure CSP subscription.

This capability does not enable support for Azure Cloud Service Providers (CSP). The CMG deployment with Azure Resource Manager continues to use the classic cloud service, which the CSP does not support. For more information, see available Azure services in Azure CSP.

As the CSP model is becoming more and more popular as an Azure subscription type, this scenario is a potential blocker for many customers with a CSP subscription who want to deploy a CMG. The Microsoft product teams are aware of this situation and I’m sure they will solve it sooner or later.

Converting your CSP subscription to an eligible Azure subscription is not an option here (it is managed by the CSP partner). Therefore I would like to walk you through how to deploy a CMG while you’re on a CSP subscription. Yes, it’s possible! In this blog I’ll describe what it takes to achieve this. Continue reading “Unleash your Azure CSP subscription for Cloud Management Gateway deployments”

Troubleshooting Cloud Management Gateway: Quick & effectively /w CMG Connector Analyzer

In Configuration Manager Current Branch 1806, Microsoft introduced the Cloud Management Gateway Connector Analyzer. A highly valued feature and a great starting point to troubleshoot your Cloud Management Gateway (CMG) in case you run into any issues. In short, it’s a more than welcome and helpful feature!

In a nutshell, the Cloud Management Gateway Connection Analyzer validates your Cloud Management Gateway deployment on 6 points, namely:

  1. Validates whether CMG is in a ready state;
  2. Validates whether CMG services are running;
  3. Validates whether CMG is using an up-to-date configuration;
  4. Validates connection state between CMG Connection Point and CMG;
  5. Validates whether site systems are associated with CMG;
  6. Validates whether Management Point is available and/or well configured;

This blog post provides first aid guidance to troubleshoot your Cloud Management Gateway(s).

Client Authentication Method

The Cloud Management Gateway Connection Analyzer can be found in the Cloud Services section of the Administration pane. There are two client authentication options to connect to the Cloud Management Gateway.

  • Azure AD User (this can be a regular Azure AD user);
  • Client certificate (currently use the Certificate File option as the console is by default started in a user context instead of system context);

CMG_sign_in

Once connected successfully with a valid Azure AD Account or Client Certificate we can start the connection analyzer to verify the Cloud Management Gateway is working properly.

Cloud Management Gateway Ready State

By deploying the Cloud Management Gateway as a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet without additional infrastructure. The cloud service authenticates and forwards Configuration Manager client requests to the CMG connection point. The cloud service can be in one of the following states:

  • ServiceState 0 – Started
  • ServiceState 3 – UndergoingMaintenance
  • ServiceState 4 – Starting
  • ServiceState 5 – Stopping
  • ServiceState 6 – Stopped
  • ServiceState 7 – ReadyRole

The illustration below indicates the CMG service is in ready state and therefore available.

CMG_ready_state

CMG_cloudmgr.log

The illustration below indicates the CMG service is not in a ready state.

CMG_ready_state_maintenance

To troubleshoot CMG Ready state, use CloudMgr.log.

Cloud Management Gateway Services

The illustration below indicates the CMG service is running.

CMG_service_running

The illustration below indicates the CMG service is not running and therefore not available.

CMG_service_failed

In this case the CMG cloud service might not be running. To troubleshoot CMG services, use CMG-<cloud_service_name>-ProxyService_IN_0-CMGService.log (or CMG-<cloud_service_name>-ProxyService_IN_1-CMGService.log in case of 2 or more VM instances) and SMS_Cloud_ProxyConnector.log.

Cloud Management Gateway Configuration

The illustration below indicates the CMG configuration between the on-premise CMG connection point and the CMG in Azure is in sync.

CMG_configuration_in_sync

The illustration below indicates the CMG configuration between the on-premise CMG connection point and the CMG in Azure is not in sync.

CMG_configuration_not_in_sync

This is an easy one: just make sure the CMG configuration data is in sync by enforcing “Synchronize configuration” under the Cloud Services section of the Administration pane.

Cloud Management Gateway Connection Point

The CMG connection point is the site system role for communicating with the CMG. By default the CMG connection point establishes TCP-TLS connections (10140-10155) to connect to CMG cloud service in Azure. In case of 2 or more VM instances, the second VM instance uses port 10141, up to the sixteenth on port 10155.

CMG_tcp_connections_established

Make sure <cloud_service_name>.cloudapp.net:10140 is reachable and can be resolved (name resolution) properly. To troubleshoot CMG service health, use CMGService.log and SMS_Cloud_ProxyConnector.log.

The illustration below indicates the CMG connection point is able to communicate with the CMG in Azure.

CMG_connection_point_status

The illustration below indicates the CMG connection point is not able to communicate with the CMG in Azure.

CMG_connection_point_status_not_connected

To troubleshoot CMG services, use SMS_Cloud_ProxyConnector.log.
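As an added example (my own script, not part of the original post or of the Connection Analyzer), the following PowerShell mirrors the connection point check above when run on the CMG connection point: it resolves <cloud_service_name>.cloudapp.net, tests TCP reachability on 10140 plus one port per extra VM instance (up to 10155), and lists the established connections the connection point currently holds to the CMG. The cloud service name is a placeholder parameter.

```powershell
# Added example (not from the original post): run on the CMG connection point.
param(
    [string]$CloudServiceName = 'REPLACE-WITH-YOUR-CMG-SERVICE-NAME',  # placeholder
    [int]$InstanceCount = 1                                              # CMG VM instances (1..16)
)

$fqdn = "$CloudServiceName.cloudapp.net"

# 1. Name resolution: if this fails, the "connection point <-> CMG" check fails first here.
try {
    $addresses = (Resolve-DnsName -Name $fqdn -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'A' }).IPAddress
    Write-Host "$fqdn resolves to: $($addresses -join ', ')"
} catch {
    Write-Warning "Name resolution for $fqdn failed: $($_.Exception.Message)"
    return
}

# 2. TCP reachability: instance 1 listens on 10140, instance 2 on 10141, ... up to 10155.
$ports = 10140..(10140 + [Math]::Min($InstanceCount, 16) - 1)
$results = foreach ($port in $ports) {
    $tnc = Test-NetConnection -ComputerName $fqdn -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port       = $port
        TcpTestOk  = $tnc.TcpTestSucceeded
        RemoteAddr = $tnc.RemoteAddress
    }
}
$results | Format-Table -AutoSize

# 3. Established sessions: the connection point should hold outbound TLS connections on these ports.
$established = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -in $ports -and $_.RemoteAddress -in $addresses }
if ($established) {
    $established | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort | Format-Table -AutoSize
} else {
    Write-Warning ("No established connections to $fqdn on port(s) $($ports -join ', '); " +
                   'check SMS_Cloud_ProxyConnector.log and any firewall or proxy in the path.')
}
```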

Site System roles assigned to Cloud Management Gateway

Make sure you have configured the management point and/or software update point site systems linked to your CMG to accept CMG traffic from clients which are on the internet.

CMG_site_system_role_assigned

When there is no site system role assigned (whether management point or software update point), clients on the internet won’t be able to benefit from the corresponding service(s).

CMG_no_site_system_role_assigned

Make sure you’ve assigned at least one management point to service clients on the internet.

Management Point Availability & Configuration

The CMG connection point forwards client communications to on-premise site system role(s) (management point(s) and/or software update point(s)). In this case the site system roles should be available.

CMG_management_point_status

In case you’ve bound the wrong web server certificate to your management point or software update point (IIS), or the certificate isn’t trusted (certificate chain), incoming client communications from the CMG cloud service won’t be accepted.

CMG_pki_configuration

The table below gives an overview of a few scenarios in which the management point isn’t available, for various reasons.

Error: Failed to get ConfigMgr token with Azure AD token. Status code is ‘503’ and status description is ‘CMGConnector_ServiceUnavailable’. A possible reason for this failure is the CMG connection point failed to forward the message to the management point. The management point returned the following error: ‘ServiceUnavailable’.
Solution: Make sure the IIS service is running properly.

Error: Failed to get ConfigMgr token with Azure AD token. Status code is ‘500’ and status description is ‘CMGConnector_InternalServerError’. A possible reason for this failure is the CMG connection point failed to forward the message to the management point. Internal server error. For more information, see the management point logs for more details to see why internal server error returns.
Solution: Make sure you bind the right web server certificate to IIS, or make sure the correct root and/or intermediate CA is added.

Error: Succeed to get ConfigMgr token with Azure AD token. Failed to refresh MP location. Status code is ‘401’ and status description is ‘CMGConnector_Unauthorized’. A possible reason for this failure is the CMG connection point failed to forward the message to the management point. The management point returned the following error: ‘Unauthorized’.

Error: Succeed to get ConfigMgr token with Azure AD token. Failed to refresh MP location. Status code is ‘500’ and status description is ‘CMGService_No_Connector’. A possible reason for this failure is the CMG service failed to forward the message to the CMG connection point. There is no CMG connection point that is connecting to the CMG service. For more information, see the SMS_CLOUD_PROXYCONNECTOR.log on the CMG connection point.
Solution: Make sure firewalls or proxies aren’t blocking network traffic. Click here for a complete overview of ports required by CMG.

Cloud Management Gateway Log files

The following table lists the log files that contain information related to the cloud management gateway.

Log name: CloudMgr.log
Description: Records details about deploying the cloud management gateway service, ongoing service status, and use data associated with the service. You can configure the logging level by editing the Logging level value in the registry key HKLM\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_CLOUD_SERVICES_MANAGER.
Computer with log file: The installdir folder on the primary site server or CAS.

Log name: CMGSetup.log¹
Description: Records details about the second phase of the cloud management gateway deployment (local deployment in Azure). You can configure the logging level using the setting Trace level (Information (Default), Verbose, Error) on the Azure portal\Cloud services configuration tab.
Computer with log file: The %approot%\logs folder on your Azure server, or the SMS/Logs folder on the site system server.

Log name: CMGHttpHandler.log¹
Description: Records details about the cloud management gateway http handler binding with Internet Information Services in Azure. You can configure the logging level using the setting Trace level (Information (Default), Verbose, Error) on the Azure portal\Cloud services configuration tab.
Computer with log file: The %approot%\logs folder on your Azure server, or the SMS/Logs folder on the site system server.

Log name: CMGService.log¹
Description: Records details about the cloud management gateway service core component in Azure. You can configure the logging level using the setting Trace level (Information (Default), Verbose, Error) on the Azure portal\Cloud services configuration tab.
Computer with log file: The %approot%\logs folder on your Azure server, or the SMS/Logs folder on the site system server.

Log name: SMS_Cloud_ProxyConnector.log
Description: Records details about setting up connections between the cloud management gateway service and the cloud management gateway connection point.
Computer with log file: Site system server.

¹ These are local Configuration Manager log files that the cloud service manager syncs from Azure storage every five minutes. The cloud management gateway pushes logs to Azure storage every five minutes, so the maximum delay is 10 minutes. Verbose switches affect both local and remote logs. The actual file names include the service name and role instance identifier, for example CMG-ServiceName-RoleInstanceID-CMGSetup.log.

  • For troubleshooting deployments, use CloudMgr.log and CMGSetup.log
  • For troubleshooting service health, use CMGService.log and SMS_Cloud_ProxyConnector.log.
  • For troubleshooting client traffic, use CMGHttpHandler.log, CMGService.log, and SMS_Cloud_ProxyConnector.log.

Sources

Please find below the resources I’ve used to write up this blog post.

Microsoft, Plan for the cloud management gateway in Configuration Manager

https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/plan-cloud-management-gateway

Microsoft, Log files in System Center Configuration Manager

https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/log-files#cloud-management-gateway

I also want to draw attention to a great blog post series on how to set up your Cloud Management Gateway by fellow MVP Zeng Yinghua.

SCConfigMgr, How to setup Co-Management

http://www.scconfigmgr.com/2017/11/23/how-to-setup-co-management-part-1/