Windows-itpro-docs: Give an example how to give user rights with MDM Policy CSP

Created on 4 May 2018  ·  32 Comments  ·  Source: MicrosoftDocs/windows-itpro-docs

With Windows 10 1803 you can grant user rights with the MDM Policy CSP. The documentation does not say what the correct syntax is to grant user rights to specific users/groups. Because MDM policies are used in cloud-only environments, the examples should include how you can grant the user rights to Azure AD users/groups.




All 32 comments

Would really like some examples here. What is the CSP expecting, user SIDs? In what format? I cannot consume these CSPs with the information provided.

Added examples and link to well known SIDs.

Your examples seem to be flawed. I can't get this to work using the SIDs. Are you sure this is the correct syntax?

I will help resolve this one 👍

@dan529 The dev team informed me that this feature is only supported in the next major Windows release, and you won't be able to use it before then unless you're using an Insider build.

So you're saying this will only work with 1809?? It's working on 1803 currently, but only with one group added as a string (for example Administrators); if 2 groups are needed on the same setting it doesn't work. Already tried with "name1;name2" "name1; name2" "name1,name2" "name1, name2" "Name1Name2" "Name1Name2". Can someone provide more info on how to get these settings working?? Thanks

Anyone following this issue?

Hey MS, just tell these people the truth that everything in this article doesn't work!

Here's what I did to get it to work.

  1. The separator for the values like "Remote Desktop Users" and "Administrators" is 

    • Will that work as "Remote Desktop UsersAdministrator" ?

      -Absolutely NOT!

  2. Go to https://coderstoolbox.net/string/#!encoding=xml&action=decode&charset=us_ascii
    -Set string conversion to XML, Decode, and US-ASCII
    -Input = 
    -This will spit back a rectangle box in the Output
    -Copy that rectangle box and put it in the middle as the separator - Remote Desktop UsersAdministrators

    • DO NOT COPY FROM HERE; IT WILL NOT WORK!!!

So here's the kicker!
-USE EDGE Browser. It WILL NOT WORK in Chrome

Ok so it actually converts the code here! Putting spaces to help:

  • Input = & # 6 1 4 4 0 ;

@Illnasty, Thank you for your feedback. I'll look into this policy and make the necessary changes.

@Illnasty thanks for that mate. Mine is still not working. I'm decoding the code provided at the website and pasting in between AdministratorsRemote Desktop Users as a simple string and the OMA is ./Device/Vendor/MSFT/Policy/Config/UserRights/AccessFromNetwork but still not working. Are you adding any more coding as per the page?? ie ?? thanks

So that I can get a better understanding, why doesn't \ work as the separator?

Hi patti. It gives a catastrophic failure. I got it working too following @Illnasty's solution. The code &#xF000 ; is not encoded, so if you use it between the groups (like admin &#xF000 ; Authenticated users) it won't work. You need to go to the website and encode it to XML (then you are left with that square symbol); that is what you copy and paste in between the groups. Funny thing is that if you encode, copy the square, paste it on the input line and decode, you are left with &#61440 ; and not &#xF000 ; anymore.

@schenardie, thank you for the response. Now that I understand it better, and your response makes sense, it sounds like the code in the doc needs to be replaced and a note added about the \&#xF000 code not being encoded :)

Well, to be honest, it says in the documentation:
"Here are examples of data fields. The encoded 0xF000 is the standard delimiter/separator" but it is not clear how you encode it. Also, I got that working via the GUI; if you try to import it via Graph API, passing either the encoded or the decoded form, it doesn't work. Once it reaches Intune, if you check via the GUI it's something like ?? and a square. So it cannot currently be automated.

If you could check that it would be great. It makes all the difference on fully automated environments. Thanks @shortpatti

@schenardie, you bet, I'll check with the engineering team about this one.

Also, since we're at it: the empty input () works, but it gives a catastrophic error as well in the event logs. If you can dig up the right input which doesn't generate errors, that would be very helpful. Thanks again.

Any news?

@schenardie I'm getting in touch with the engineering team. I'll let you know if there are any new developments.

@Heidilohr - Do you have any updates on this? Thanks.

Just to remind users of GitHub: Markdown code block fences ( ``` ) are useful to show code without letting the web page convert it into symbols:

* Input= 

@officedocsbot assign @jvsam

For me it works if I use the CDATA syntax and the separator as described in the documentation. The settings are applied successfully on the client but the verification in Intune fails. I get an "Error" for all user rights settings in the "per setting status" of my profile. Can somebody confirm this behavior?

Example of a setting:
OMA URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
Value:
<![CDATA[Users&#xF000;Administrators]]>

@Ricardo-Cz I can confirm this behavior. I also used OMA URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
The policy is successfully applied, but in Intune it shows an error -2016281112 (Remediation failed).

Is there a way to get the policy to be applied and the status in Intune to show Succeeded using custom profiles??

@ManikaDhiman : Sorry to ping you about this in your otherwise busy schedule,
but maybe you could answer the unanswered questions here?

After fighting for a few months with Intune Premier support, here is the answer we got from them:

Essentially the issue is caused by the encoding of the user groups used when adding the users into the policy.
When Intune does a GET on the value set, it expects it to match what was sent in an ADD or REPLACE; in this case, due to the encoding, it doesn't, which is why we see the remediation failed message.
This is documented in the following article - https://docs.microsoft.com/en-us/intune/custom-settings-windows-10#find-the-policies-you-can-configure

To work with Intune, the setting must support the Add, Replace, and Get operations. If the value returned by the Get operation doesn't match the value supplied by the Add or Replace operations, then Intune reports a compliance error.
This error can be safely ignored as it is expected.

While this is "understandable" from a technical point of view, I am still surprised that they did not implement some additional code to handle this.
From a customer point of view, I did nothing wrong and errors are reported anyway in Intune... For me, I still see this as a bug.
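As an added example (not from this thread or from Microsoft's docs): a small Python helper that builds the U+F000-delimited UserRights value in the CDATA form posted by @Ricardo-Cz above, and decodes a value in whichever form it comes back (CDATA-wrapped, `&#xF000;` or `&#61440;` references as @schenardie observed, or the raw character) so that the sent value and a GET result can be compared by the set of principals rather than by raw string, which is the mismatch behind the remediation error that Premier support describes. Group names are the ones used in the thread; the `R&D Admins` name and the "returned" string are constructed.

```python
import html
from xml.sax.saxutils import escape

# U+F000 is the delimiter the UserRights policy CSP expects between principals.
# In XML it appears as &#xF000; (hex) or &#61440; (decimal); both decode to it.
DELIM = "\uf000"


def build_user_rights_value(principals):
    """Join group names (or SIDs) into one delimited value, dropping blanks."""
    cleaned = [p.strip() for p in principals if p and p.strip()]
    return DELIM.join(cleaned)


def to_xml_entity_form(value):
    """Escape XML-special characters in the names (&, <, >) and write the
    delimiter as the &#xF000; character reference so it survives copy/paste."""
    return escape(value).replace(DELIM, "&#xF000;")


def to_cdata_form(value):
    """Wrap the entity form in CDATA, the shape reported in the thread as
    applying successfully for ./Device/Vendor/MSFT/Policy/Config/UserRights/*."""
    return "<![CDATA[" + to_xml_entity_form(value) + "]]>"


def parse_user_rights_value(raw):
    """Decode a value in any of the forms seen in the thread (CDATA-wrapped,
    &#xF000; / &#61440; references, or the raw U+F000 character) into a list."""
    text = raw.strip()
    if text.startswith("<![CDATA[") and text.endswith("]]>"):
        text = text[len("<![CDATA["):-len("]]>")]
    text = html.unescape(text)  # resolves numeric character references and &amp;
    return [p for p in text.split(DELIM) if p]


def same_principals(sent, returned):
    """Compare a sent value and a GET result by principal set rather than by raw
    string, so an encoding difference alone is not reported as drift."""
    return sorted(parse_user_rights_value(sent)) == sorted(parse_user_rights_value(returned))


if __name__ == "__main__":
    # Constructed sample: group names used in the thread plus one containing '&'.
    sent = to_cdata_form(build_user_rights_value(["Users", "Administrators", "R&D Admins"]))
    print(sent)
    # Constructed stand-in for a GET result that uses the decimal reference form.
    returned = "Users&#61440;Administrators&#61440;R&amp;D Admins"
    print("raw strings equal:", sent == returned)                # False
    print("same principals :", same_principals(sent, returned))  # True
```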

Beware of browsers for coding/decoding

Has anyone found a way to deploy the decoded character via Graph API? (Not using CDATA; I don't really want to see the profile failing for settings which I know are implemented.)

Thanks

@PanuSaukko - This is something that is not yet available in a way that can be deployed easily. I would suggest you put this as an idea in the Azure User Voice portal. This is the best way to highlight it and get it sorted out the way it should be.

@nam31 - Please guide the user on how an idea can be submitted on the Azure User Voice channel.

Thanks.
Imran.

@PanuSaukko thank you for engaging with the community here for the docs.
I know the product teams are always looking for user feedback and how to make Azure better. They keep a close tab on user feedback and it would be awesome if you could add your voice in User Voice.
You might find others have made a similar request that you can add to, or you can open a new one. Let us know here if you do so we can up-vote your request.

Thank you for your contribution to make the docs better! Much appreciated!

I entered the boilerplate MSFT recommendation:

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-userrights#userrights-accessfromnetwork

Doesn't work, registry entries are 'Dirty'

Still looking for a way to manage these settings for compliance.
