SOLVED

Enable 'Require domain users to elevate when setting a network's location'

%3CLINGO-SUB%20id%3D%22lingo-sub-2707017%22%20slang%3D%22en-US%22%3EEnable%20'Require%20domain%20users%20to%20elevate%20when%20setting%20a%20network's%20location'%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2707017%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFrom%20the%20security%20recommendations%20on%20my%20test%20machine%20I%20can%20see%20that%20it%20recommends%20me%20to%3C%2FP%3E%3CP%3E%22Enable%20'Require%20domain%20users%20to%20elevate%20when%20setting%20a%20network's%20location'%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFirst%20I%20tried%20creating%20a%20device%20configuration%20using%20settings%20catalog%20and%20administrative%20templates%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%222021-09-01%2014_02_11-Windows-Defender-ATP-Security-Recommendations%20-%20Microsoft%20Endpoint%20Manager%20admin.png%22%20style%3D%22width%3A%20387px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F307278iC4FB846A78AE34A7%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%222021-09-01%2014_02_11-Windows-Defender-ATP-Security-Recommendations%20-%20Microsoft%20Endpoint%20Manager%20admin.png%22%20alt%3D%222021-09-01%2014_02_11-Windows-Defender-ATP-Security-Recommendations%20-%20Microsoft%20Endpoint%20Manager%20admin.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EThen%20I%20got%20an%20error%3A%20Error%20type%202%3A%20Error%20code%3A%2065000%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%222021-09-01%2014_03_24-Setting%20Details%E2%80%8B%20-%20Microsoft%20Endpoint%20Manager%20admin%20center.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F307279i3B1C2D054099B2A7%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%222021-09-01%2014_03_24-Setting%20Details%E2%80%8B%20-%20Microsoft%20Endpoint%20Manager%20admin%20center.png%22%20alt%3D%222021-09-01%2014_03_24-Setting%20Details%20-%20Microsoft%20Endpoint%20Manager%20admin%20center.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20I%20checked%20the%20device%20and%20saw%20that%20the%20registry%20key%20was%20missing%20and%20created%20a%20proactive%20remediation%20script%20that%20creates%20the%20missing%20registry%20key%20on%20the%20device.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20I%20still%20have%20the%20same%20error%2C%20and%20the%20security%20recommendations%20still%20shows%20me%20to%20activate%20it.%20Not%20sure%20what%20I%20can%20do%20as%20none%20of%20the%20recommended%20solution%20actually%20make%20the%20security%20recommendation%20go%20away%20and%20they%20Administrative%20templates%20always%20errors%20out.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EOption%201%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E-%20Set%20the%20following%20Group%20Policy%3A%3CBR%20%2F%3E%3CI%3EComputer%20Configuration%5CPolicies%5CAdministrative%20Templates%5CNetwork%5CNetwork%20Connections%5CRequire%20domain%20users%20to%20elevate%20when%20setting%20a%20network's%20location%3C%2FI%3E%3CBR%20%2F%3ETo%20the%20following%20value%3A%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CI%3EEnabled%3C%2FI%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSTRONG%3EOption%202%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E-%20Set%20the%20following%20registry%20value%3A%3CBR%20%2F%3E%3CI%3EHKLM%5CSOFTWARE%5CPolicies%5CMicrosoft%5CWindows%5CNetwork%20Connections%5CNC_StdDomainUserSetLocation%3C%2FI%3E%3CBR%20%2F%3ETo%20the%20following%20REG_DWORD%20value%3A%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CI%3E1%3C%2FI%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CH1%20id%3D%22toc-hId-1439972137%22%20id%3D%22toc-hId-1439972200%22%20id%3D%22toc-hId-1439972200%22%20id%3D%22toc-hId-1439972200%22%20id%3D%22toc-hId-1439972200%22%20id%3D%22toc-hId-1439972200%22%3E%26nbsp%3B%3C%2FH1%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2707017%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2707162%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20'Require%20domain%20users%20to%20elevate%20when%20setting%20a%20network's%20location'%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2707162%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F415515%22%20target%3D%22_blank%22%3E%40JimmyWork%3C%2FA%3E%26nbsp%3BThere%20was%20a%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-intune%2Ferror-65000-with-settings-catalog%2Fm-p%2F2554535%22%20target%3D%22_blank%22%3Esimilar%20post%3C%2FA%3E%20on%20Tech%20Community%20last%20month%2C%20does%20this%20offer%20any%20help%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2707401%22%20slang%3D%22en-US%22%3ERe%3A%20Enable%20'Require%20domain%20users%20to%20elevate%20when%20setting%20a%20network's%20location'%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2707401%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20for%20answering.%3CBR%20%2F%3EThe%20error%20code%20is%20the%20same%20but%20this%20is%20an%20old%20registry%20file%20and%20it%20is%20available%20in%20the%20Feeds.admx%20on%20the%20computer.%3CBR%20%2F%3E%3CBR%20%2F%3ERunning%20Windows%2010%20Enterprise%2021H1.%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20I%20create%20this%20as%20a%20single%20administrative%20template%20instead%20of%20a%20catalog%20settings%20I%20get%20Not%20Applicable.%3CBR%20%2F%3E%3CBR%20%2F%3ECreating%20the%20registry%20file%20also%20does%20not%20correspond%20to%20the%20security%20recommendations%20as%20they%20still%20report%20the%20settings%20is%20not%20turned%20on%20after%20multiple%20days.%3CBR%20%2F%3E%3CBR%20%2F%3EWhen%20checking%20the%20logs%20on%20the%20computer%20I%20can%20see%20the%20following.%3CBR%20%2F%3E%3CBR%20%2F%3EMDM%20ConfigurationManager%3A%20Command%20failure%20status.%20Configuration%20Source%20ID%3A%20(XXXXXXXXXXXXXXXXXXX)%2C%20Enrollment%20Name%3A%20(MDMDeviceWithAAD)%2C%20Provider%20Name%3A%20(Policy)%2C%20Command%20Type%3A%20(Add%3A%20from%20Replace%20or%20Add)%2C%20CSP%20URI%3A%20(.%2FDevice%2FVendor%2FMSFT%2FPolicy%2FConfig%2FADMX_NetworkConnections%2FNC_StdDomainUserSetLocation)%2C%20Result%3A%20(The%20system%20cannot%20find%20the%20file%20specified.).%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi

 

From the security recommendations on my test machine I can see that it recommends me to

"Enable 'Require domain users to elevate when setting a network's location'"

 

First I tried creating a device configuration using settings catalog and administrative templates

2021-09-01 14_02_11-Windows-Defender-ATP-Security-Recommendations - Microsoft Endpoint Manager admin.png

Then I got an error: Error type 2: Error code: 65000

2021-09-01 14_03_24-Setting Details​ - Microsoft Endpoint Manager admin center.png

 

So I checked the device and saw that the registry key was missing and created a proactive remediation script that creates the missing registry key on the device.

 

But I still have the same error, and the security recommendations still shows me to activate it. Not sure what I can do as none of the recommended solution actually make the security recommendation go away and they Administrative templates always errors out.

 

Option 1 - Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Require domain users to elevate when setting a network's location
To the following value: Enabled

Option 2 - Set the following registry value:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_StdDomainUserSetLocation
To the following REG_DWORD value: 1

 

 

4 Replies

@JimmyWork There was a similar post on Tech Community last month, does this offer any help?

Thank you for answering.
The error code is the same but this is an old registry file and it is available in the Feeds.admx on the computer.

Running Windows 10 Enterprise 21H1.

If I create this as a single administrative template instead of a catalog settings I get Not Applicable.

Creating the registry file also does not correspond to the security recommendations as they still report the settings is not turned on after multiple days.

When checking the logs on the computer I can see the following.

MDM ConfigurationManager: Command failure status. Configuration Source ID: (XXXXXXXXXXXXXXXXXXX), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_StdDomainUserSetLocation), Result: (The system cannot find the file specified.).

Short update

 

If I manually activate the GPO on the local computer then everything works.
When activating the GPO locally it creates the same registry file I create manually but it will still give the same error when using settings catalog device configuration or admin templates device configuration.

 

I have made a ticket with Microsoft regarding this because something is of, the file is there I can enable it manually but it's still errors out in device configuration etc.

best response confirmed by JimmyWork (Occasional Contributor)
Solution

This is now solved.

The device needs to be in the Windows 10 insider channel for this settings to be applied.

 

JimmyWork_0-1631004410683.png

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-networkconnections#ad...