Thursday, 30 January 2020

Resolving Wifi display connection issues when deploying MDM baselines within Intune

I have been working with Windows 10 MDM within Intune for the past few months and after a conversation with my colleague I soon realised that this would make a good blog post, so I hope this quick tip saves you some time.

Security Baselines are great, simple to set up and deploy and a very quick way of ensuring your Windows 10 devices are secure. They are also a very quick way of crippling your estate if you are not careful with your testing beforehand, so I cannot stress this enough - test thoroughly before even attempting to deploy to any quantity of devices.

So just to recap, to deploy a security baseline is as simple as the following;

Log into the Microsoft Endpoint Manager admin center, navigate to Endpoint security > Security baselines


Under the Windows 10 Security Baselines heading select the MDM Security Baseline option

Select Create profile


Give your profile a suitable name, select Next


Now you will be able to see all of the settings available within the profile. We are just going to accept the defaults for demo purposes, however I stress again, test these settings thoroughly before attempting to deploy into production


Select the groups you wish to deploy the baseline to then click Next


Select Create to complete the deployment of the baseline



After a short test phase with my secure configuration, which includes MDM profiles, custom configuration and a security baseline, it was soon established that both the Windows + P (Select a display mode) and Windows + K (Quick connect) options were no longer available on devices. Not ideal for usability. 

It turns out this was related to the Windows 10 Device Restriction MDM profile setting General > Device discovery being set to Block


I had set this originally, following NCSC guidelines for Windows 10 MDM

Great, I thought, now connecting to wireless monitors shouldn't be a problem. But I soon found out that the connection was just timing out. I figured out that this time it was indeed the security baseline causing the issue, but which setting was it? My initial hunch was that it almost seemed firewall related, but when I viewed the local firewall settings on the device experiencing the issue, I could see the appropriate firewall rule was indeed configured



On further investigation I soon realised that the May 2019 MDM baseline contains a setting that by default prevents the merge of firewall rules within group policy and hence the settings contained in local group policy would not apply. It is documented here and affects the public profile

I therefore needed to create a Firewall exclusion and configured a new profile in the following manner;

Navigate to Devices > Windows 



Select Configuration Profiles and then Create Profile



Enter a suitable name, select Windows 10 and later for the platform and then Endpoint protection for the profile type



Navigate to Microsoft Defender Firewall under the Firewall rules heading select Add



Populate the settings based on the Wireless Display (TCP-In) Firewall rule





The profile should then be deployed to your devices enabling you to connect to Wi-Fi displays once more.

Thanks for reading this post!

No comments:

Post a comment