Mac Enrollment

Similar Messages

• Mac Enrollment Issue on SCCM 2012 SP1

  Hi Guys,
  I am working on Mac enrollment(10.7) and facing issue during enrollment. Below is the error message when we try to run the enrollment command on Mac :
  “Server connection failed. HTTP Response code is 500 and reason is Internal Server Error"
  Below are Log info:
  Enrollsrv.log : No error message is highlighted.
  Enrollweb.log:
  No error message is highlighted.
  Enrollservice.log:
  [7, PID:7304][10/28/2013 16:40:03] :ConfigManager: ChainStatus error: RevocationStatusUnknown,The revocation function was unable to check revocation for the certificate.
  ;OfflineRevocation,The revocation function was unable to check revocation because the revocation server was offline.
     at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.SplitCACertChain(String base64cert)
     at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.setCAChain(EnrollmentServiceProfile profile, WindowsIdentity requester)
     at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.RefreshCache(Int32 enrollmentProfileId, EnrollmentRecordType type, String template, WindowsIdentity requester)
     at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.ProcessRequestSecurityToken(RequestSecurityTokenType request, WindowsIdentity caller, ActionEnum action)
     at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollDevice(Message messageRequest)
     at Microsoft.ConfigurationManagement.Enrollment.DeviceEnrollmentService.RequestSecurityToken(Message messageRequest)
  [7, PID:7304][10/28/2013 16:40:03] :FaultCode is: EnrollmentServer and reason is: EnrollmentServerException InitializeFailed
  [13, PID:7304][10/28/2013 17:11:01] :EnrollmentService application stop ...
  [3, PID:956][10/28/2013 17:45:37] :EnrollmentService application start ...
  [3, PID:956][10/28/2013 18:06:38] :EnrollmentService application stop ...
  [3, PID:4700][10/28/2013 18:45:39] :EnrollmentService application start ...
  [7, PID:4700][10/28/2013 19:06:40] :EnrollmentService application stop ...
  [3, PID:5872][10/28/2013 19:45:42] :EnrollmentService application start ...
  [13, PID:5872][10/28/2013 20:06:42] :EnrollmentService application stop ...
  Can someone shed info on resolution of the above issue?
  Also, is there any means by which we can troubleshoot the Mac enrollment issue step by step? Also what entries needs to be checked in all logs for successful enrollment?

  the following links may give you some hints:
  http://social.technet.microsoft.com/Forums/en-US/48bc7fcc-3d84-4042-abac-67f30d701121/mac-enrollment-issue?forum=configmanagerdeployment
  http://www.windows-noob.com/forums/index.php?/topic/7391-mac-enrollment-issue/

• Internet Clients & Mac Enrollment

  Hello,
  I'm having some issues with Internet Clients and Mac Enrollment, the latter via both the Intranet and Internet.  Going over all the certificate steps again, the only thing I didn't do is have two FQDN for the Web Cert since I'm using the same FQDN for
  both internal and external traffic.  We have the external DNS setup and ports opened on the firewall to communicate with it.  External DNS resolution is working when doing a DIG or an NSLOOKUP with the trailing '.' due to the default domain suffix
  search.
   Are there some added steps that I need to do when using the same FQDN for internal and external?

  All roles are on a single server.  I've ensured that the DP Cert is imported into the DP.
  The DP certificate is not an, or the, issue in this case, because it's only used during OS deployment. Please start looking at the client log files when the download error appears (like the CAS.log).
  About the MAC issues, please keep that separated from this post, for two reason:
  Troubleshooting can be done better per issue;
  You've got a post already for that (http://social.technet.microsoft.com/Forums/windowsserver/en-US/f473a2bb-3eba-42fd-88c0-3a232b18a556/configmgr-r2-mac-os-enrollment-issues?forum=configmanagerdeployment).
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude
  Thanks.
  I combined both issues because I thought they may be related but I'll stick to the Windows Internet Clients for this one.
  We have a Palo Alto Firewall and have opened up several ports and applications and watched traffic.  The client still shows 'currently Internet' but the logs say the following:
  LocationServices.log
  LsRefreshManagementPointEx failed with 0x80004005
  Failed to refresh security settings over MP with error 0x80004005.
  Failed to send management point list Location Request Message to FQDN
  LSUpdateInternetManagementPoints: Failed to retrieve internet MPs from MP FQDNwith error 0x87d00231, retaining previous list.
  CcmMessaging.log
  Post to http://FQDN/ccm_system/request failed with 0x87d00231.
  Post to http://FQDN/ccm_system/request failed with 0x87d00231.
  Post to http://FQDN/ccm_system_windowsauth/request failed with 0x87d00231.Post to http://FQDN/ccm_system_windowsauth/request failed with 0x87d00231.
  OutgoingMessage(Queue='mp_[http]mp_locationmanager', ID={68E61B1F-05F4-4BD4-81E0-C9AF513635EE}): Will be discarded (expired).
  Ports needed for Internet-based Clients have been added from this: http://technet.microsoft.com/en-us/library/hh427328.aspx#BKMK_IBCMports

• Mac Enrollment Issue

  Hello,
  Having some trouble enrolling my first Mac device with SCCM 2012 SP1.
  I have installed the client and am trying to use the CMEnroll Tool with no success.
  Command I am using is this:
  CMEnroll -s fqdn.siteserver -ignorecertchainvalidation -u "domain\username"
  and on the client I recieve the error:
  Server connection failed. http response code is 500 and reason is internal server error.
  On the server in the EnrollmentServer.log I recieve this error:
  [6, PID:5748][02/01/2013 13:48:35] :WindowsIdentity is created for domain: domain user: username
  [6, PID:5748][02/01/2013 13:48:35] :validated user credentials
  [6, PID:5748][02/01/2013 13:48:35] :Handling RequestSecurityToken
  [6, PID:5748][02/01/2013 13:48:35] :claim identity name: domain\username
  [6, PID:5748][02/01/2013 13:48:35] :ConfigManager: RefreshCache: Creating Enrollment Profile 16777220
  [6, PID:5748][02/01/2013 13:48:35] :EnrollmentServiceProfile: GetDBCAs retrieved Template information:  
  [6, PID:5748][02/01/2013 13:48:35] :Template: ConfigMgrMacClientCertificate
  [6, PID:5748][02/01/2013 13:48:35] :CA: System.Collections.Generic.List`1[System.String]
  [6, PID:5748][02/01/2013 13:48:35] :The CA server.domain is in forest cac.local
  [6, PID:5748][02/01/2013 13:48:35] :Impersonating caller: domain\username
  [6, PID:5748][02/01/2013 13:48:35] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
  [6, PID:5748][02/01/2013 13:48:35] :ConfigManager: Sending CA Success Status - ENROLLSRVMSG_CA_SUCCESS
  [6, PID:5748][02/01/2013 13:48:50] :ConfigManager: CA Chains count: 2
  [6, PID:5748][02/01/2013 13:48:50] :ConfigManager: ChainStatus error: RevocationStatusUnknown,Unknown error.;
  [6, PID:5748][02/01/2013 13:48:50] :ConfigManager: ChainStatus error: RevocationStatusUnknown,Unknown error.;OfflineRevocation,Unknown error.;
  [6, PID:5748][02/01/2013 13:48:50] :Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: RevocationStatusUnknown,Unknown error.;OfflineRevocation,Unknown error.;
     at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.SplitCACertChain(String base64cert)
     at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.setCAChain(EnrollmentServiceProfile profile, WindowsIdentity requester)
     at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.RefreshCache(Int32 enrollmentProfileId, EnrollmentRecordType type, String template, WindowsIdentity requester)
     at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.ProcessRequestSecurityToken(RequestSecurityTokenType request, WindowsIdentity caller, ActionEnum action)
     at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollDevice(Message messageRequest)
     at Microsoft.ConfigurationManagement.Enrollment.DeviceEnrollmentService.RequestSecurityToken(Message messageRequest)
  [6, PID:5748][02/01/2013 13:48:50] :FaultCode is: EnrollmentServer and reason is: EnrollmentServerException InitializeFailed
  Any ideas?

  Have you followed the instructions on these links fully?<o:p></o:p>
  Create the Cert Template:<o:p></o:p>
  http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_client2008_cm2012<o:p></o:p>
  Go to Deploying the Client Certificate for Mac Computers 
  Setup SCCM and install client:
        http://www.jamesbannanit.com/2012/10/enrol-mac-os-x-clients-in-configuration-manager-2012-sp1/

• IOS Beta Enrollment Program

  It seems when trying to go to the Software Beta Program enrollment page, it only shows enrollment for Macs. Where is the page for enrolling iOS devices? I read somewhere recently that the page would come up if you typed in https://appleseed.apple.com/sp/betaprogram/profile, it would show the iOS enrollment page but now all it does is redirect you to the Mac enrollment page which is https://appleseed.apple.com/sp/betaprogram/guide.

  Sounds like you're doing everything right here .. although I'm not sure what you mean by "upload my DPS app to it"
  Enterprise signed – You can create iPad apps for internal distribution only. An enterprise signed app (also called an in-house app or an ad hoc app) is distributed within the company rather than downloaded from the Apple Store.
  Enterprise signed viewer apps are available only to DPS Enterprise subscribers.
  You'll find some details about Entreprise signed viewers in the iPad Publishing Companion Guide .. which you'll find in the DPS dashboard.

• PKI, HTTP, HTTPS, DP, MP Configuration

  So my company is finally ready to start using SCCM 2012 R2 for Mac device management and I'm ready to configure the pre-requisites. We have the PKI setup, also have proper security groups and certificate templates set as listed and
  detailed here. We are using Windows Server 2012 R2 for PKI hierarchy, but no big difference between the 2008 R2 and 2012 R2 for SCCM needs. I'm now into actually setting up the SCCM infrastructure so it supports Mac devices, again as
  listed here.
  On the latter article, I've hit some road blocks or perhaps I'm not looking at right spots. 
  Step 4, item 3, listing b & item 4, bullet 2 -  
  http://technet.microsoft.com/en-us/library/jj591553.aspx#BKMK_ProceduresToInstallMacComputers 
  Select Allow
  Internet-only client connections or Allow
  intranet and Internet client connections. These options require that an Internet FQDN
  is specified in the site system properties, even if the site system server will not be accessible from the Internet.
  I want to use the same MP and DP for both intranet and internet clients, so my best pick is "Allow intranet and Internet client connections". But when I look into my MP/DP properties, I see no such option - 
  Now keep in mind my primary server does NOT have a DP role installed because I have another DP on the same AD site doing the job. So screenshots here are relatively from my Primary Site (MP) and DP.
  Anyone know what am I missing? I'm using SCCM 2012 R2. I'm pretty confident I can use the same MP and DP for both HTTP and HTTPS clients but the way it looks right now in my screenshots, it does not appear so. Did I miss a configuration somewhere?
  Appreciate your help. 

  Hello!
  My understanding is that an MP can only respond to either HTTP or HTTPS not both. I just finished building up my organizations Mac Enrollment services and I approached it by building a separate server
  with the following roles configured for HTTPS only:
  DP
  EP
  EPP
  MP
  I don’t think co-mingling is possible, but if it is, I would not recommend it.
  I believe you are missing the option of “Allow intranet and Internet client connections” because your site system is not configured with an FQDN.
  These links were helpful with my planning:
  http://technet.microsoft.com/en-us/library/jj591553.aspx
  http://technet.microsoft.com/en-us/library/gg682023.aspx
  http://technet.microsoft.com/en-us/library/gg682132.aspx
  http://www.jamesbannanit.com/2012/10/enrol-mac-os-x-clients-in-configuration-manager-2012-sp1/
  http://blogs.technet.com/b/configmgrteam/archive/2013/04/05/how-to-create-and-deploy-a-client-cert-for-mac-independently-from-configmgr.aspx
  http://technet.microsoft.com/en-us/library/gg699362.aspx
  http://systemcenter2012.com/blogs/vnext/archive/2013/02/15/how-to-install-and-configure-mac-client-on-sccm2012.aspx
  Let me know if you have any follow-up questions.
  -Tony

• Imaged (OSD) Windows 8.1 (HYPER-V) computers do not have a functional Client Certificates in personal store

  Hi! I have posted some of this in the ConfigMgr 2012 forum. As indicated above, I seem to have either a group policy/autoenrollment problem getting my Configmgr 2012 OSD images of windows 8.1 to enroll for a client cert.
  The imaged machines function fine when they are finished imaging, and the Configmgr 2012 client is fully functional. However the MMC-->Certs-->computer account-->personal. Shows no certs.
  Physical machines have the client cert. They are both created in the same OU. If I try to manually import the cert it works just fine, however I want autoenrollment to do this.
  the Autoenrollment GP's are setup and functional on the Default domain policy
  I recently created a new client cert from a duplicate of the workstation cert and it installed just fine doing a GPUpdate /force on my domain joined computers.
  I do not see any negative events in the eventvwr on the hyper v machines. I have built a few.
  suggestions?  thx

  Frank
  Here is the result of the policies on the computer called "nooffice" a hyper- V machine created on Win 8.1 pro running hyper v as admin of the local machine. 
  ANDOVER\Administrator on ANDOVER\NOOFFICE Data collected on: 9/16/2014 7:56:58 PM Summary During last computer policy refresh on 9/16/2014 4:42:11 AM No Errors Detected A fast link was detected More information... During last user policy refresh on 9/16/2014
  7:52:10 PM No Errors Detected A fast link was detected More information... Computer Details General Computer name ANDOVER\NOOFFICE Domain andover.com Site Default-First-Site-Name Organizational Unit andover.com/Windows 8.1 Computers Security Group Membership
  show BUILTIN\Administrators Everyone BUILTIN\Users NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ANDOVER\NOOFFICE$ ANDOVER\Domain Computers Authentication authority asserted identity Mandatory Label\System Mandatory Level
  Component Status Component Name Status Time Taken Last Process Time Event Log Group Policy Infrastructure Success 2 Second(s) 890 Millisecond(s) 9/16/2014 4:42:11 AM View Log Deployed Printer Connections Success 31 Millisecond(s) 9/16/2014 4:42:11 AM View
  Log Group Policy Files Success 532 Millisecond(s) 9/16/2014 4:42:11 AM View Log Internet Explorer Zonemapping Success (no data) 62 Millisecond(s) 9/15/2014 9:50:28 PM View Log Registry Success 2 Second(s) 78 Millisecond(s) 9/16/2014 4:42:10 AM View Log Security
  Success 1 Second(s) 187 Millisecond(s) 9/15/2014 9:50:29 PM View Log Software Installation Success 156 Millisecond(s) 9/15/2014 9:50:29 PM View Log Settings Policies Windows Settings Security Settings Account Policies/Password Policy Policy Setting Winning
  GPO Enforce password history 24 passwords remembered Default Domain Policy Maximum password age 42 days Default Domain Policy Minimum password age 1 days Default Domain Policy Minimum password length 7 characters Default Domain Policy Password must meet complexity
  requirements Enabled Default Domain Policy Store passwords using reversible encryption Disabled Default Domain Policy Account Policies/Account Lockout Policy Policy Setting Winning GPO Account lockout threshold 0 invalid logon attempts Default Domain Policy
  Local Policies/User Rights Assignment Policy Setting Winning GPO Allow log on locally Administrators, ANDOVER\Domain Users, ANDOVER\scomadmin, ANDOVER\SQL MP Monitoring Ac, ANDOVER\sqlmon, NETWORK, NETWORK SERVICE, SERVICE, SYSTEM Default Domain Policy Local
  Policies/Security Options Network Access Policy Setting Winning GPO Network access: Allow anonymous SID/Name translation Disabled Default Domain Policy Network Security Policy Setting Winning GPO Network security: Do not store LAN Manager hash value on next
  password change Enabled Default Domain Policy Network security: Force logoff when logon hours expire Disabled Default Domain Policy Restricted Groups Group Members Member of Winning GPO ANDOVER\ConfigMgr12 Service Accts Administrators Default Domain Policy
  System Services AdobeARMservice (Startup Mode: Disabled) Winning GPO Default Domain Policy Permissions No permissions specifiedAuditing No auditing specified Public Key Policies/Certificate Services Client - Auto-Enrollment Settings Policy Setting Winning
  GPO Automatic certificate management Enabled Default Domain Policy Option Setting Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates Enabled Update and manage certificates that use certificate
  templates from Active Directory Enabled Public Key Policies/Automatic Certificate Request Settings Automatic Certificate Request Winning GPO Computer Default Domain Policy Domain Controller Default Domain Policy Enrollment Agent (Computer) Default Domain Policy
  IPSec Default Domain Policy For additional information about individual settings, launch the Local Group Policy Object Editor. Public Key Policies/Trusted Root Certification Authorities Certificates Issued To Issued By Expiration Date Intended Purposes Winning
  GPO configmgr2012r2.andover.com andover-SERVER2012A-CA 11/1/2015 5:24:38 PM Server Authentication Default Domain Policy ConfigMgr2012R2.andover.com ConfigMgr2012R2.andover.com 5/2/2014 10:37:15 PM Server Authentication Default Domain Policy dejuliaw andover-SERVER2012A-CA
  7/25/2016 8:21:54 PM Code Signing SCUP Signing Certificate HYPERVDI.andover.com HYPERVDI.andover.com 4/20/2014 1:07:42 PM Server Authentication Default Domain Policy For additional information about individual settings, launch the Local Group Policy Object
  Editor. Public Key Policies/Trusted Publishers Certificates Issued To Issued By Expiration Date Intended Purposes Winning GPO dejuliaw andover-SERVER2012A-CA 7/25/2016 8:21:54 PM Code Signing SCUP Signing Certificate For additional information about individual
  settings, launch the Local Group Policy Object Editor. Printer Connections Path Winning GPO \\Brother\binary_p1 Default Domain Policy Administrative Templates Policy definitions (ADMX files) retrieved from the central store.Adobe Acrobat XI/Preferences/General
  Policy Setting Winning GPO Disable automatic updates Enabled Default Domain Policy Display PDFs in browser Disabled Default Domain Policy Adobe Acrobat XI/Preferences/Startup Policy Setting Winning GPO Protected View (Acrobat) Enabled Default Domain Policy
  ProtectedView Enable Protected View for all files Configuration Manager 2012/Configuration Manager 2012 Client Policy Setting Winning GPO Configure Configuration Manager 2012 Client Deployment Settings Enabled Default Domain Policy CCMSetup Policy Setting
  Winning GPO Configure Configuration Manager 2012 Site Assignment Enabled Windows 8.1 Policy Preferences Assigned Site AND Site Assignment Retry Interval (Mins) 30 Site Assignment Retry Duration (Hours) Diskeeper 12 Policy Setting Winning GPO Event Logging
  Enabled Default Domain Policy Service start and stop Enabled Defragmentation start and stop Enabled Volume information Enabled File information Enabled Directory information Enabled Paging file information Enabled MFT information Enabled Operations manager
  information Enabled Policy Setting Winning GPO Volume Shadow Copy Service (VSS) Options Enabled Default Domain Policy Automatic Defragmentation VSS Options VSS defragmentation method Manual Defragmentation VSS Options VSS defragmentation method Microsoft Applications/System
  Center Operations Manager (SCOM)/SCOM Client Monitoring Policy Setting Winning GPO Configure Error Notification Enabled Default Domain Policy ShowUI Enabled DoNotDebugErrors Enabled Policy Setting Winning GPO Configure Error Reporting for Windows Vista and
  later operating systems Enabled Default Domain Policy Error_Listener UseSSLCertificates Error_ListenerPort UseIntegratedAuthentication Enabled Microsoft Applications/System Center Operations Manager (SCOM)/SCOM Client Monitoring for Office 10.0 Applications
  Policy Setting Winning GPO Configure Error Notification Enabled Default Domain Policy ShowUI Enabled Microsoft Applications/System Center Operations Manager (SCOM)/SCOM Client Monitoring for Windows Media Player Policy Setting Winning GPO Configure Error Notification
  Enabled Default Domain Policy ShowUI Enabled Microsoft Applications/System Center Operations Manager (SCOM)/SCOM Client Monitoring/Advanced Error Reporting settings Policy Setting Winning GPO Application reporting settings (all or none) Enabled Default Domain
  Policy Report all application errors Enabled Report all errors in Microsoft applications. Enabled Report all errors in Windows components. Enabled Policy Setting Winning GPO Report operating system errors Enabled Default Domain Policy Report operating system
  errors Enabled Policy Setting Winning GPO Report unplanned shutdown events Enabled Default Domain Policy Report unplanned shutdown events Enabled Network/Background Intelligent Transfer Service (BITS) Policy Setting Winning GPO Limit the maximum network bandwidth
  for BITS background transfers Disabled Default Domain Policy Printers Policy Setting Winning GPO Isolate print drivers from applications Enabled Default Domain Policy System Policy Setting Winning GPO Specify settings for optional component installation and
  component repair Enabled Default Domain Policy Alternate source file path Never attempt to download payload from Windows Update Disabled Contact Windows Update directly to download repair content instead of Windows Server Update Services (WSUS) Enabled System/Internet
  Communication Management/Internet Communication settings Policy Setting Winning GPO Turn off Windows Error Reporting Disabled Default Domain Policy System/Remote Assistance Policy Setting Winning GPO Configure Offer Remote Assistance Enabled Local Group Policy
  Permit remote control of this computer: Allow helpers to remotely control the computer Helpers: ANDOVER\Administrator ANDOVER\dejuliaw System/Windows Time Service/Time Providers Policy Setting Winning GPO Enable Windows NTP Server Enabled Default Domain Policy
  Windows Components/EMET Policy Setting Winning GPO Default Protections for Internet Explorer Enabled EMET 5 Included products and mitigations: - Microsoft Internet Explorer - all mitigations Policy Setting Winning GPO Default Protections for Recommended Software
  Enabled EMET 5 Included products and mitigations: - WordPad - all mitigations - Microsoft Office - all mitigations - Adobe Acrobat - all mitigations except MemProt - Adobe Acrobat Reader - all mitigations except MemProt - Oracle Java - all mitigations except
  HeapSpray Policy Setting Winning GPO EMET Agent Visibility Enabled EMET 5 Start Agent Hidden: Enabled Policy Setting Winning GPO Reporting Enabled EMET 5 Event Log: Enabled Tray Icon: Enabled Early Warning: Enabled Windows Components/Internet Explorer Policy
  Setting Winning GPO Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar Enabled Default Domain Policy Install new versions of Internet Explorer automatically Enabled Default Domain Policy Let users turn on and use
  Enterprise Mode from the Tools menu Enabled Default Domain Policy Type the location (URL) of where to receive reports about the websites for which users turn on and use Enterprise Mode http://server2012a:8000/reportieem.asp Policy Setting Winning GPO Turn
  on menu bar by default Enabled Default Domain Policy Turn on Suggested Sites Enabled Default Domain Policy Use the Enterprise Mode IE website list Enabled Default Domain Policy Type the location (URL) of your Enterprise Mode IE website list http://server2012a:8000/ieem.xml
  Windows Components/Internet Explorer/Internet Control Panel/Advanced Page Policy Setting Winning GPO Allow Internet Explorer to use the SPDY/3 network protocol Enabled Default Domain Policy Empty Temporary Internet Files folder when browser is closed Enabled
  Default Domain Policy Turn off loading websites and content in the background to optimize performance Disabled Default Domain Policy Windows Components/Internet Explorer/Internet Control Panel/Security Page Policy Setting Winning GPO Site to Zone Assignment
  List Enabled Default Domain Policy Enter the zone assignments here. Source GPO https://configmgr2012r2.andover.com 1 Default Domain Policy https://hypervdi.andover.com 1 Default Domain Policy http://webaccess.sullcrom.com 2 Default Domain Policy Windows Components/Internet
  Explorer/Internet Settings/Advanced settings/Browsing Policy Setting Winning GPO Turn off phone number detection Disabled Default Domain Policy Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections Policy Setting Winning GPO Allow
  users to connect remotely by using Remote Desktop Services Enabled Local Group Policy Windows Components/Remote Desktop Services/Remote Desktop Session Host/Licensing Policy Setting Winning GPO Set the Remote Desktop licensing mode Enabled Default Domain Policy
  Specify the licensing mode for the RD Session Host server. Per User Policy Setting Winning GPO Use the specified Remote Desktop license servers Enabled Default Domain Policy License servers to use: hypervdi.andover.com Separate license server names with commas.
  Example: Server1,Server2.example.com,192.168.1.1 Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security Policy Setting Winning GPO Require user authentication for remote connections by using Network Level Authentication Disabled Local
  Group Policy Windows Components/Windows Customer Experience Improvement Program Policy Setting Winning GPO Allow Corporate redirection of Customer Experience Improvement uploads Enabled Default Domain Policy Corporate SQM URL: http://SCOM2012.andover.com:51907/
  Windows Components/Windows Error Reporting Policy Setting Winning GPO Automatically send memory dumps for OS-generated error reports Enabled Default Domain Policy Configure Error Reporting Enabled Default Domain Policy Do not display links to any Microsoft
  provided 'more information' web sites. Disabled Do not collect additional files Disabled Do not collect additional machine data Disabled Force queue mode for application errors Disabled Corporate upload file path: Replace instances of the word 'Microsoft'
  with: Policy Setting Winning GPO Disable Windows Error Reporting Disabled Default Domain Policy Display Error Notification Enabled Default Domain Policy Windows Components/Windows Error Reporting/Advanced Error Reporting Settings Policy Setting Winning GPO
  Default application reporting settings Enabled Default Domain Policy Default: Report all application errors Report all errors in Microsoft applications. Enabled Report all errors in Windows components. Enabled Policy Setting Winning GPO Report operating system
  errors Enabled Default Domain Policy Report unplanned shutdown events Enabled Default Domain Policy Windows Components/Windows PowerShell Policy Setting Winning GPO Turn on Script Execution Enabled Default Domain Policy Execution Policy Allow local scripts
  and remote signed scripts Windows Components/Windows Update Policy Setting Winning GPO Allow signed updates from an intranet Microsoft update service location Enabled WSUS Specify intranet Microsoft update service location Enabled Local Group Policy Set the
  intranet update service for detecting updates: http://ConfigMgr2012R2.andover.com:8530 Set the intranet statistics server: http://ConfigMgr2012R2.andover.com:8530 (example: http://IntranetUpd01) Extra Registry Settings Display names for some settings cannot
  be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management. Setting State Winning GPO Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\AuthFlags 2 Default Domain
  Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\Cost 2147483645 Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\Flags 20 Default Domain
  Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\FriendlyName Active Directory Enrollment Policy Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\PolicyID
  {6AF312CA-551D-477C-8931-C2217574F832} Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\URL LDAP: Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\Flags 0 Default
  Domain Policy Software\Policies\Microsoft\Microsoft Antimalware\DisableLocalAdminMerge 1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.000 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.001
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.002 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.cab 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.cfg
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.chk 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.ci 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.config
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.dia 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.dsc 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.edb
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.grxml 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.iso 0 Local Group Policy Software\Policies\Microsoft\Microsoft
  Antimalware\Exclusions\Extensions\.jrs 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.jsl 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.ldf 0 Local Group Policy
  Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.log 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.lzx 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.mdf
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.ost 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.pst 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.que
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.txt 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.wid 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.wim
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.wsb 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%ALLUSERSPROFILE%\NTuser.pol 0 Local Group Policy Software\Policies\Microsoft\Microsoft
  Antimalware\Exclusions\Paths\%appdata%\NirSoft Utilities 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%APPDATA%\Sysinternals Suite\ 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%SystemRoot%\System32\GroupPolicy\Machine\registry.pol
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%SystemRoot%\System32\GroupPolicy\User\registry.pol 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\ccmcache 0 Local Group
  Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\Security\Database\*.chk 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\Security\Database\*.edb 0 Local Group Policy Software\Policies\Microsoft\Microsoft
  Antimalware\Exclusions\Paths\%windir%\Security\Database\*.jrs 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\Security\Database\*.log 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\Security\Database\*.sdb
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\SoftwareDistribution\Datastore\Datastore.edb 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\SoftwareDistribution\Datastore\Logs\Res*.jrs 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\SoftwareDistribution\Datastore\Logs\Res*.log
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\C:\Users\administrator.ANDOVER\AppData\Roaming\NirSoft
  Utilities 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Cdb.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Cidaemon.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
  Antimalware\Exclusions\Processes\Clussvc.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Dsamain.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\EdgeCredentialSvc.exe
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\EdgeTransport.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\ExFBA.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
  Antimalware\Exclusions\Processes\hostcontrollerservice.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Inetinfo.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.AntispamUpdateSvc.exe
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.ContentFilter.Wrapper.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Diagnostics.Service.exe
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Directory.TopologyService.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.EdgeSyncSvc.exe
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Imap4.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Imap4service.exe 0 Local
  Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Monitoring.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Pop3.exe 0 Local Group Policy
  Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Pop3service.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.ProtectedServiceHost.exe 0 Local Group
  Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.RPCClientAccess.Service.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Search.Service.exe 0
  Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Servicehost.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Store.Service.exe 0
  Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Store.Worker.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.TransportSyncManagerSvc.exe
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.UM.CallRouter.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeDagMgmt.exe 0 Local Group
  Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeDelivery.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeFrontendTransport.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
  Antimalware\Exclusions\Processes\MSExchangeHMHost.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeHMWorker.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeLESearchWorker.exe
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeMailboxAssistants.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeMailboxReplication.exe 0 Local
  Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeMigrationWorkflow.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeRepl.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
  Antimalware\Exclusions\Processes\MSExchangeSubmission.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeThrottling.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeTransport.exe
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeTransportLogSearch.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Msftefd.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
  Antimalware\Exclusions\Processes\Msftesql.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\OleConverter.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Powershell.exe
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\ScanEngineTest.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\ScanningProcess.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
  Antimalware\Exclusions\Processes\TranscodingService.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\UmService.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\UmWorkerProcess.exe
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\UpdateService.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\W3wp.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
  Antimalware\Quarantine\LocalSettingOverridePurgeItemsAfterDelay 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Quarantine\PurgeItemsAfterDelay 30 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\RandomizeScheduleTaskTimes
  1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableBehaviorMonitoring 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableIntrusionPreventionSystem 0 Local Group
  Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableIOAVProtection 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableOnAccessProtection 0 Local Group Policy Software\Policies\Microsoft\Microsoft
  Antimalware\Real-Time Protection\DisableRealtimeMonitoring 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableScriptScanning 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideDisableRealTimeMonitoring
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideDisableScriptScanning 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideRealTimeScanDirection
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\RealTimeScanDirection 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\AvgCPULoadFactor 50 Local Group Policy Software\Policies\Microsoft\Microsoft
  Antimalware\Scan\CheckForSignaturesBeforeRunningScan 1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableArchiveScanning 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableCatchupFullScan 0 Local
  Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableCatchupQuickScan 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableEmailScanning 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableHeuristics
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableRemovableDriveScanning 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableReparsePointScanning 1 Local Group Policy Software\Policies\Microsoft\Microsoft
  Antimalware\Scan\DisableRestorePoint 1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableScanningMappedNetworkDrivesForFullScan 1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableScanningNetworkFiles
  1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\LocalSettingOverrideAvgCPULoadFactor 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\LocalSettingOverrideScanParameters 0 Local Group Policy Software\Policies\Microsoft\Microsoft
  Antimalware\Scan\LocalSettingOverrideScheduleDay 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\LocalSettingOverrideScheduleQuickScanTime 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\LocalSettingOverrideScheduleTime
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\ScanOnlyIfIdle 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\ScanParameters 2 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\ScheduleDay
  2 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\ScheduleQuickScanTime 421 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\ScheduleTime 240 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Signature
  Updates\AuGracePeriod 480 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates\DefinitionUpdateFileSharesSources Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates\FallbackOrder InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC
  Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates\ScheduleDay 8 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates\ScheduleTime 120 Local Group Policy Software\Policies\Microsoft\Microsoft
  Antimalware\Signature Updates\SignatureUpdateCatchupInterval 1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates\SignatureUpdateInterval 4 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\SpyNet\LocalSettingOverrideSpyNetReporting
  0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\SpyNet\SpyNetReporting 1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\1 6 Local Group Policy Software\Policies\Microsoft\Microsoft
  Antimalware\Threats\ThreatSeverityDefaultAction\2 2 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\4 2 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\5
  2 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\UX Configuration\DisablePrivacyMode 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\UX Configuration\Notification_Suppress 1 Local Group Policy Software\Policies\Microsoft\Microsoft
  Antimalware\UX Configuration\UILockdown 0 Local Group Policy Software\Policies\Microsoft\System Center\Health Service\Runtime CLR Version v4.0.30319 Default Domain Policy Software\Policies\Microsoft\System Center\Health Service\Runtime Use Concurrent GC 0
  Default Domain Policy Software\Policies\Microsoft\System Center\Health Service\Runtime Use Workstation GC 1 Default Domain Policy Software\Policies\Microsoft\System Center\Health Service\Worker Process Logon Type 2 Default Domain Policy Preferences Windows
  Settings Files File (Target Path: c:\windows\safesenders.txt) The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.safesenders.txt Winning GPO
  Office 2013 Result: SuccessGeneral Action Update PropertiesSource file(s) \\SERVER2012A\safesender\safesenders.txt Destination file c:\windows\safesenders.txt Suppress errors on individual file actions Disabled AttributesRead-only Disabled Hidden Disabled
  Archive Enabled Group Policy Objects Applied GPOs Default Domain Policy [{31B2F340-016D-11D2-945F-00C04FB984F9}] Link Location andover.com Extensions Configured Software Installation {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} Deployed Printer Connections Security
  Internet Explorer Zonemapping Registry Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated Users Revision AD (154), SYSVOL (154) WMI Filter EMET 5 [{2C4287A2-7E57-4CEE-AEAC-436E25628F31}] Link Location andover.com Extensions Configured Registry
  Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated Users Revision AD (4), SYSVOL (4) WMI Filter Local Group Policy [LocalGPO] Link Location Local Extensions Configured Registry Enforced No Disabled None Security Filters Revision AD (14),
  SYSVOL (14) WMI Filter Office 2013 [{4E3C0D91-646B-4DF7-A9F1-B15B45B3334A}] Link Location andover.com Extensions Configured Group Policy Files Group Policy Infrastructure Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated Users Revision
  AD (54), SYSVOL (54) WMI Filter SCUP Signing Certificate [{B8EC6602-BC25-4A62-8F13-D225E5AAB46D}] Link Location andover.com Extensions Configured {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} Registry Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated
  Users Revision AD (4), SYSVOL (4) WMI Filter Windows 8.1 Policy Preferences [{3F103DE1-A223-48FA-84B2-5584A129CC7E}] Link Location andover.com/Windows 8.1 Computers Extensions Configured Software Installation Registry Enforced No Disabled None Security Filters
  NT AUTHORITY\Authenticated Users Revision AD (41), SYSVOL (41) WMI Filter Windows 8.1 WMI Filter WSUS [{90680992-AACB-487B-B5CD-6E936F4A3C6F}] Link Location andover.com Extensions Configured Registry Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated
  Users Revision AD (2), SYSVOL (2) WMI Filter Denied GPOs WMI Filters Name Value Reference GPO(s) Windows 8.1 WMI Filter True Windows 8.1 Policy Preferences User Details General User name ANDOVER\Administrator Domain andover.com Security Group Membership show
  ANDOVER\Domain Users Everyone NOOFFICE\ConfigMgr Remote Control Users BUILTIN\Users BUILTIN\Administrators NT AUTHORITY\INTERACTIVE CONSOLE LOGON NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization LOCAL ANDOVER\Group Policy Creator Owners ANDOVER\Mobile
  Enrollment ANDOVER\Mac Enrollment ANDOVER\Domain Admins ANDOVER\SCVMMAdmins ANDOVER\CSAdministrator ANDOVER\RTCUniversalServerAdmins ANDOVER\RTCUniversalGlobalReadOnlyGroup ANDOVER\Enterprise Admins ANDOVER\RTCUniversalGlobalWriteGroup ANDOVER\Organization
  Management ANDOVER\Schema Admins ANDOVER\RTCUniversalServerReadOnlyGroup ANDOVER\RTCUniversalUserReadOnlyGroup ANDOVER\CSServerAdministrator Authentication authority asserted identity ANDOVER\ConfigMgr Remote Control Users ANDOVER\Denied RODC Password Replication
  Group Mandatory Label\High Mandatory Level Component Status Component Name Status Time Taken Last Process Time Event Log Group Policy Infrastructure Success 16 Second(s) 892 Millisecond(s) 9/16/2014 7:52:10 PM View Log Group Policy Registry Success 140 Millisecond(s)
  9/15/2014 9:50:32 PM View Log Group Policy Shortcuts Success 500 Millisecond(s) 9/15/2014 9:50:32 PM View Log Registry Success 281 Millisecond(s) 9/15/2014 9:50:31 PM View Log Settings Policies Windows Settings Security Settings Public Key Policies/Certificate
  Services Client - Auto-Enrollment Settings Policy Setting Winning GPO Automatic certificate management Enabled Default Domain Policy Option Setting Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked
  certificates Enabled Update and manage certificates that use certificate templates from Active Directory Enabled Log expiry events, and, for user policy, only show expiry notifications when the percentage of remaining certificate lifetime is 10% Default Domain
  Policy Additional stores to log expiry events Default Domain Policy Display user notifications for expiring certificates in user and computer MY store Disabled Default Domain Policy Administrative Templates Policy definitions (ADMX files) retrieved from the
  central store.Microsoft Outlook 2013/Outlook Options/Preferences/Junk E-mail Policy Setting Winning GPO Specify path to Blocked Senders list Enabled Office 2013 Specify full path and filename to Blocked Senders list \\SERVER2012A\safesender\blockedsender.txt
  Policy Setting Winning GPO Specify path to Safe Recipients list Enabled Office 2013 Specify full path and filename to Safe Recipients list \\server2012a\safesender\safesenders.txt Policy Setting Winning GPO Specify path to Safe Senders list Enabled Office
  2013 Specify full path and filename to Safe Senders list \\server2012a\safesender\safesenders.txt Policy Setting Winning GPO Trigger to apply junk email list settings Enabled Office 2013 Microsoft Word 2013/Word Options/Customize Ribbon Policy Setting Winning
  GPO Display Developer tab in the Ribbon Enabled Office 2013 Microsoft Word 2013/Word Options/Save Policy Setting Winning GPO Save AutoRecover info Enabled Office 2013 Save AutoRecover info every (minutes) 3 Start Menu and Taskbar Policy Setting Winning GPO
  Go to the desktop instead of Start when signing in or when all the apps on a screen are closed Enabled Default Domain Policy Windows Components/EMET Policy Setting Winning GPO Default Protections for Internet Explorer Enabled EMET 5 Included products and mitigations:
  - Microsoft Internet Explorer - all mitigations Policy Setting Winning GPO Default Protections for Recommended Software Enabled EMET 5 Included products and mitigations: - WordPad - all mitigations - Microsoft Office - all mitigations - Adobe Acrobat - all
  mitigations except MemProt - Adobe Acrobat Reader - all mitigations except MemProt - Oracle Java - all mitigations except HeapSpray Windows Components/Windows Error Reporting Policy Setting Winning GPO Automatically send memory dumps for OS-generated error
  reports Enabled Default Domain Policy Disable Windows Error Reporting Disabled Default Domain Policy Do not send additional data Disabled Default Domain Policy Windows Components/Windows Error Reporting/Advanced Error Reporting Settings Policy Setting Winning
  GPO Configure Report Archive Enabled Default Domain Policy Archive behavior: Store parameters only Maximum number of reports to store: 500 Windows Components/Windows Error Reporting/Consent Policy Setting Winning GPO Configure Default consent Enabled Default
  Domain Policy Consent level Send all data Windows Components/Windows PowerShell Policy Setting Winning GPO Turn on Script Execution Enabled Default Domain Policy Execution Policy Allow local scripts and remote signed scripts Extra Registry Settings Display
  names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management. Setting State Winning GPO Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\AuthFlags
  2 Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\Cost 2147483645 Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\Flags
  20 Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\FriendlyName Active Directory Enrollment Policy Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\PolicyID
  {6AF312CA-551D-477C-8931-C2217574F832} Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\URL LDAP: Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\Flags 0 Default
  Domain Policy Preferences Windows Settings Shortcuts Shortcut (Path: C:\Users\administrator\Desktop\Remote Desktop.url) The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings
  when resolving conflicts.Remote Desktop Winning GPO Default Domain Policy Result: SuccessGeneral Action Replace AttributesTarget type URL Shortcut path C:\Users\administrator\Desktop\Remote Desktop.url Target URL https://hypervdi.andover.com/RDWeb/Pages/en-US/Default.aspx
  Icon path C:\WINDOWS\system32\SHELL32.dll Icon index 150 Shortcut key None Run Normal window Shortcut (Path: C:\Users\administrator\Desktop\Application Catalog.url) The following settings have applied to this object. Within this category, settings nearest
  the top of the report are the prevailing settings when resolving conflicts.Application Catalog Winning GPO Default Domain Policy Result: SuccessGeneral Action Replace AttributesTarget type URL Shortcut path C:\Users\administrator\Desktop\Application Catalog.url
  Target URL https://configmgr2012r2.andover.com/cmapplicationcatalog/ Icon path C:\WINDOWS\system32\SHELL32.dll Icon index 135 Shortcut key None Run Normal window Shortcut (Path: C:\Users\administrator\Desktop\Report Server.url) The following settings have
  applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.Report Server Winning GPO Default Domain Policy Result: SuccessGeneral Action Replace AttributesTarget type URL Shortcut
  path C:\Users\administrator\Desktop\Report Server.url Target URL http://configmgr2012r2/Reportserver Icon path C:\WINDOWS\system32\SHELL32.dll Icon index 165 Shortcut key None Run Normal window Shortcut (Path: C:\Users\administrator\Desktop\SCOM Reports.url)
  The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.SCOM Reports Winning GPO Default Domain Policy Result: SuccessGeneral Action Replace AttributesTarget
  type URL Shortcut path C:\Users\administrator\Desktop\SCOM Reports.url Target URL http://scom2012/reportserver Icon path C:\WINDOWS\system32\SHELL32.dll Icon index 44 Shortcut key None Run Normal window Shortcut (Path: C:\Users\administrator\Desktop\Reporting.url)
  The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.Reporting Winning GPO Default Domain Policy Result: SuccessGeneral Action Replace AttributesTarget
  type URL Shortcut path C:\Users\administrator\Desktop\Reporting.url Target URL http://configmgr2012r2/Reports/Pages/Folder.aspx Icon path C:\WINDOWS\system32\SHELL32.dll Icon index 165 Shortcut key None Run Normal window Group Policy Objects Applied GPOs Default
  Domain Policy [{31B2F340-016D-11D2-945F-00C04FB984F9}] Link Location andover.com Extensions Configured Group Policy Shortcuts {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} Registry Group Policy Infrastructure Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated
  Users Revision AD (102), SYSVOL (102) WMI Filter EMET 5 [{2C4287A2-7E57-4CEE-AEAC-436E25628F31}] Link Location andover.com Extensions Configured Registry Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated Users Revision AD (2), SYSVOL (2)
  WMI Filter Office 2013 [{4E3C0D91-646B-4DF7-A9F1-B15B45B3334A}] Link Location andover.com Extensions Configured Group Policy Registry Registry Group Policy Infrastructure Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated Users Revision
  AD (55), SYSVOL (55) WMI Filter Denied GPOs Java Files [{906C2069-E35E-4DAD-8A06-E234C1F5072E}] Link Location andover.com Extensions Configured {7150F9BF-48AD-4DA4-A49C-29EF4A8369BA} Group Policy Infrastructure Enforced No Disabled None Security Filters NT
  AUTHORITY\Authenticated Users Revision AD (98), SYSVOL (98) WMI Filter Windows 7 WMI Filter Reason Denied False WMI Filter Local Group Policy [LocalGPO] Link Location Local Extensions Configured Enforced No Disabled None Security Filters Revision AD (0), SYSVOL
  (0) WMI Filter Reason Denied Empty WMI Filters Name Value Reference GPO(s) Windows 7 WMI Filter False Java Files

• I just enrolled in CC and I can get the app on my desk but when I navigate from home to apps to download apps, it just goes around and around in a blue circle (I'm on a mac).  help

  I just enrolled in Creative Cloud and I can get the app installed on my desk but when I navigate from Home to  Apps to download apps, it just goes around and around in blue circle (freezing).  Im on a MAC. 
  Thank you!

  Mac Spinning Wheel https://forums.adobe.com/message/5470608
  or
  A chat session where an agent may remotely look inside your computer may help
  Creative Cloud chat support (all Creative Cloud customer service issues)
  http://helpx.adobe.com/x-productkb/global/service-ccm.html

• Mac Client Enrollment Not Working

  I'm trying to enroll a MAC OSX 10.9.2 client.  My environment is Server 2012 R2 and Configuration Manager 2012 R2.  I get the following error when running the CMEnroll command:
  SSL Connection failed.  HTTP Response code is 500 and reason is Internal Server Error
  Server returned:  CertificateRequest Error
  These are the errors from the EnrollmentService.log
  [3, PID:3596][03/07/2014 12:23:52] :CALayer: Sending CA failure status - ENROLLSRVMSG_CA_FAILURE
  [3, PID:3596][03/07/2014 12:23:52] :CALayer: SubmitRequest CA: cauthority.ctl.intranet\CTL Prod Issuing CA Errormessage: Denied by Policy Module 2 ErrorCode: 2
  [3, PID:3596][03/07/2014 12:23:52] :Only one CA is specified in profile. Failed to enroll with the specified CA: cauthority.ctl.intranet\CTL Prod Issuing CA
  [3, PID:3596][03/07/2014 12:23:52] :EnrollmentRequestController: Enrollment exception Error Code:FailedToIssueCert Message: Submitting cert request and issuing cert failed
  [3, PID:3596][03/07/2014 12:23:52] :Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: Submitting cert request and issuing cert failed
  [3, PID:3596][03/07/2014 12:23:52] :FaultCode is: CertificateRequest and reason is: Failed certificate operations FailedToIssueCert
  Does anyone know what's going on?

  Hi,
  The failed requests on the CA might give you some useful information. And here is a similar thread with yours:
  http://social.technet.microsoft.com/Forums/en-US/142fc77d-4eed-4f3a-a57c-dcacf8cbbf63/sccm-2012-sp1-mac-client-enroll-problem?forum=configmanagergeneral
  Best Regards,
  Joyce Li
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Enrolling Mac Developer Program Problem

  Hello,
  I'm in the UK and tried to enrol for the Mac Developer Program via https://developer.apple.com/programs/
  I selected "Mac Developer Program" for $99/year and came to https://developer.apple.com/programs/mac/
  I pressed the "Enroll now" button and came to https://developer.apple.com/programs/start/standard/
  I pressed "Continue" and came to https://developer.apple.com/programs/start/standard/create.php
  I was already logged in with my existing Apple ID and
  pressed "Continue" with Existing Apple ID which brought me to https://developer.apple.com/enroll/selectEnrollmentType.php?t=cm
  Because we want to use our partnership business name, I pressed "Company" and came to https://appleid.apple.com/account/manage
  I don't know why I'm here now. I see no reason to edit my account details.
  How do I continue?
  Thanks for any help!

  Please can anyone help?
  I think I've tried everything.
  I don't know how to continue.
  What might be the problem here?
  Thanks.

• ConfigMgr R2 - Mac OS Enrollment Issues

  Hello everyone,
  First, a few details on where I'm at:
  Single ConfigMgr 2012 R2 Site w/ PKI 
  Requisite roles are installed and HTTPS is enabled to allow 'internet and intranet' clients
  Apple iMac with OSX 10.9
  Mac is added to Active Directory
  R2 Client is installed on Mac
  Entered server name into Safari, installed Root Certificate and allowed it to 'Always Trust'
  Ran 'Configuration Manager' tool in Preferences, go to enroll, enter credentials, and I get:
  "Server is not trusted. Do you want to continue?"  I choose yes and get the following:
  "Error: Enrollment error (0x8018002a)"
  If I look in the System Keychain on the Mac I see the 'SCCM' public and private keys.  Running 'CMDiagnostic' doesn't show me any blatant errors.
  If I take the Mac and connect to the Internet outside of our Domain I simply get 'Unable to contact the server for this request.'  If I type in the FQDN of the server into Safari at that point it does not resolve.  If I do an NSLOOKUP with the
  trailing '.' or do a DIG of the address outside of the Domain, I do get it to resolve.
  Any ideas?  Next steps?

  What guide are you following?  Installing the certificate through Safari isn't related to client enrollment.
  What do you see for errors on enrollment point that is trying to issue the certificate?
  http://technet.microsoft.com/en-us/library/hh427342.aspx#BKMK_CertificateEnrollment
  I hope that helps,
  Nash
  Nash Pherson, Senior Systems Consultant
  Now Micro -
  My Blog Posts
  If you found a bug or want the product to work differently,
  share your feedback.
  <-- If this post was helpful, please click the up arrow or propose as answer.
  I have to be honest, I had a consultant here to help with this last week and he never got it working so I'm now trying to go over everything he did to try and figure out what is going on.
  Those logs you asked for, those look to be for the Certificate Registration Point but I don't have that role installed.  When I look at the Mac OS Enrollment instructions I only see the Enrollment Point and Enrollment Proxy Point which are installed.

• MAC OS X Certificate Enrollment

  I want to use this configuration for MAC OS X certificate enrollment. What is required on the Windows PKI side for this to work? Do I need NDES or something else?
  Thank you.
  MCITP Exchange 2010 | MCITP Lync Server 2010 | MCTS Windows 2008

  The Macintosh OS lacks any long term certificate life-cycle management and the difficulty of enrollment and lack of renewal generally makes this un-scalable. Third party products fill the gap - such as AirWatch or Mobile Iron.
  Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

• Enrolled Macs' "Sleep" option is greyed out

  Hello,
  As soon as a Mac is enrolled into our OS X Server it becomes unable to "Sleep." The Sleep option under the Apple menu is greyed out and even closing the lid will not put the Mac to sleep. This has been a big issue because it is killing our machines' battery life.
  There are no management settings enabled for any of the Macs, under Profile Manager and they are not in any device groups. There are also no management settings enable for the users of the machines nor are the users in any groups. As soon as they are enrolled, the Sleep option is greyed out and nothing will allow them to sleep.
  This was happening with the Server version right before Version 4. We updated hoping Version 4 would resolve this issue but it did not. All help is greatly appreciated!
  OS X Server Version 4 (14S333)
  Mac Mini Server purchased in mid 2014
  2.6ghz Quad Core i7 Processor
  16gb of RAM

  It appears Apple needs to fix a problem with the "Login Window" Payload in Profile Manager.
  To enable sleep on a mac until the settings are pushed out again use terminal and enter the following:
  sudo pmset -a disablesleep 0
  You will also need to do this if you remove the "Login Window" Payload from the settings you push out, since the mac won't revert to the working settings.
  I notified Apple about this thread.
  PS I was able to manually change the config profile (downloaded from Profile Manager) with text editor to get it working the way I wanted, but I only have one client computer. If you do this, there were 2 entries. I found them by searching the config for "sleep". Change the entries from true to false. You can then install the modified settings profile.

• Is it useful to enrol in Cisco courses if your aim are mac networks?

  Pardon my lack of information... I am currently taking an advanced CCNA networks course (4 levels), we learnt a lot about protocols, routers and switches and all of them work within Cisco's rule's and regulations. Question is; does Apple work with Cisco's protocols, devices and systems and vice versa? if so, what would the next Cisco course you'd advice me to enrol in that'd be relevant to Macs and Xserves? what Cisco courses must I avoid incase they were focused on Windows systems but not macs?

  Hi
  AFAIK and in my experience most of Cisco's products are configured using the command line which (for me) makes them platform independent. Ultimately a network device (macs, PCs, printers etc) simply nodes connected to a network regardless of what hardware the infrastructure consists of.
  Besides Apple's OS includes Cisco's IPSec VPN Client as a built-in option.
  To answer this question:
  "'What Cisco courses must I avoid in case they were focused on Windows systems but not macs?"
  I would say none at all.
  HTH?
  Tony

• I have signed up for the apple beta software program for public users and when i sign in to the appleseed page i only get an option to enroll my Mac. But what i want is to enroll my iphone for the public releases. How can i go forward with this?

  need to have the option enroll ios on the apple beta software program page

  That's the wrong email message. There's a separate one that was sent out for iOS.