Slow client certificate prompt on IE - Windows 7, Windows 8

Hi,
I would like to ask for help with client certificate authentication and IE. In our company we widely use smart cards and client certificate authentication for intranet web sites. Everything worked fine until we started upgrading Windows XP to the newer Windows 7 and Windows 8.
Users have started complaining about very slow certificate selection when a web site prompts for a certificate: the window containing the certificates for selection (client certificates of the current user) appears after about 30 seconds or even more. After selecting the proper certificate, the user enters the PIN and the web site shows fine.
On Windows XP and IE the window containing certificates appears immediately; on Windows 7 and Windows 8 it appears after 30 seconds or more. Maybe the reason is that the current Windows user has many certificates (20 or more), but it didn't matter on Windows XP. Please help, because my users will never let me upgrade their Windows XP and they will have a good argument: on the previous operating system everything worked smoothly, now I have to wait for ages.
Thanks in advance
Regards

Hi,
I'm having this issue on Windows XP... it happened after I installed updates, it could be related to some security improvement...
If someone knows the KB number of the update related to this issue, I would be very grateful!

Similar Messages

  • Client Certificate Prompting

    Environment:
    Windows 2003 Server
    IIS 6.0
    Java Applets
    JVM 1.6
    I currently have IIS set to "accept client certificates" and have a valid list in my Certificate Trust List of certificates I want to accept. I also have Windows Authentication set so that, in the event the user does not have a valid client certificate type, they will be prompted for their Windows login. My problem is that even though they authenticate via Windows, they are still being prompted for certificates by the JVM, and of course there are none in IE's store.
    Is there a way to stop this, or is this just a way of life?

    I think it is related to the certificate you are using: what are the available CRLs (Certificate Revocation Lists) in that certificate? You can see that by opening the properties of the cert. The client might want to check the CRL of your CA and has no permission to do it.
    You might want to check if the CRL distribution point as configured in the certificate is accessible by the client, or generate a different certificate with a different distribution point.
    Technical Specialist Microsoft OCS & UC Voice Specialisation - http://www.uwictpartner.be

  • Outlook client certificate prompt

    Hi,
    I have an Exchange 2010 environment with 2 mailbox and 2 hub/CAS server roles.
    When the Outlook client connects to the Exchange server, it gets a certificate prompt. When I looked at the certificate, it was the Exchange mailbox certificate.
    Why does it get the certificate which is installed on the mailbox server?
    This certificate is one which was generated automatically during installation.
    Please help. It's urgent and critical.
    Thanks in advance
    Anuj Gupta

    Hi,
    According to your description, there is a security alert when the Outlook client connects to the Exchange server. I'd like to confirm the following information to narrow down the cause:
    1. The detail name in the security alert
    2. Does the issue happen on internal users or external users?
    3. Are all your URLs configured with the name mail.domain.com or other name in the certificate?
    Thanks,
    Angela Shi
    TechNet Community Support

  • OTP 2FA Problems with DA 2012 R2 and Windows 8.1 Client - Not prompting for OTP Code

    Hi
    Just seeing if anyone has come across the same issue with their Win 8.1 clients not prompting for 2FA once configured with DirectAccess 2012 R2?
    I have created the 2x OTP certificates, enabled OTP via PowerShell and set up the RADIUS server, but whatever happens the Win 8.1 client does not get prompted for 2FA - they connect seamlessly?
    I have also configured the DAProbeUser on the RADIUS server.
    Any help appreciated.
    Thanks

    I was afraid that you'd say that.
    I hate to be the annoying guy, but take a look at this KB article:
    http://support.microsoft.com/kb/2787534
    Applies to: Windows 8\2012,
    Doesn't apply to: Windows 8.1\2012 R2
    and, for a fact, it isn't included in Windows 8.1\2012 R2, as this bug still exists in those operating systems.
    Another annoying fact: no other update has been released for these versions yet.
    This example proves that not every hotfix \ update that was released for 8\2012 before 8.1\2012 R2 is already included in 8.1\2012 R2.
    And allow me to add another fact.
    When you configure DirectAccess via the remote access wizard, it creates a WMI query called
    DirectAccess - Laptop Only WMI Filter.
    After you create it in Windows Server 2012 R2, look at the WMI query and you'll see that by default it doesn't apply to version 6.3, the version for Windows 8.1!
    If you want to add support for Windows 8.1, you have to manually modify the query, which is of course not supported by Microsoft.
    That is just another symptom that makes me wonder if Microsoft made ANY change or update to DirectAccess 2012 R2.
    Tamir Levy

  • iOS prompts for a client certificate each time I change webpages on a site

    The company intranet is published through a TMG 2010 box and we use client certificates as an extra level of authentication in addition to AD user / pass.
    With any PC-based browser you are prompted once for the certificate to use. However, in iOS 5.1.1 on iPhone and iPad we get a prompt each time you go to a new page: Safari prompts for the certificate to use, and the more times you change the page, the more it relists the certificate in the selection window. The certificate you see in the screenshot is installed once. The first time I change the page, Safari reprompts and lists 2 certificates (both the same); the next time I change the page it lists the certificate 3, then 4, then 5 times, etc. The client certificate is issued directly from the root CA, so this isn't the issue of iOS not supporting 2 or 3 tier certificates.
    All other PC-based browsers work fine and only prompt once, then happily reuse that certificate when you change pages without reprompting.

    We're experiencing the same problem.  We are also publishing internal web applications via TMG 2010, using forms based authentication with client SSL certificate authentication.
    We see this problem on devices using iOS 5.1.1.  Devices with iOS 6 are automatically selecting the client certificate.  Unfortunately upgrading to iOS 6 is currently not an option.

  • Document Library: Open in Explorer - Client Certificate Selection Prompt

    Hello,
    When a user in a Document Library clicks "Open in Explorer", a window prompts the user to choose a certificate. If the user clicks Abort (Abbrechen in German), the library opens correctly in a Windows window and the user can work.
    When the user clicks "Open in Explorer" in another Document Library in the same web application, no certificate window appears. After the next restart of the client, the certificate window appears again the first time. Is this a WebDAV problem or a wrong IIS configuration? We use HTTPS for all web applications.
    Thank you
    Sebastian

    Hi Sebastian,
    For troubleshooting your issue, please refer to the steps as below:
    1. Open up your IIS manager, go to Sites and select the site which is having the issue.
    2. Click on SSL Settings and set Client certificates to Ignore.
    Best Regards,
    Eric
    TechNet Community Support

  • PKI SCCM Client Certificate Template not viewable by Windows 7 and Server 2008 workgroup machines.

    Hello everyone,
    I’m having issues with workgroup computers, not domain systems when I request a certificate.
    It’s extremely weird. It has something to do with Windows 7 and Windows 2008 machines. On 2003 Server I can request a certificate manually with certutil and it sees the certificate template. I copy over the exact command on Windows 7 and it can’t see the certificate template.
    I have the following configuration:
    CA Enterprise
    I have created the SCCM Client Certificate
    I have created the SCCM Web Server Certificate
    I have created the SCCM Distribution Point Certificate
    GPO is configured
    SCCM 2012 R2 CU2 configured to do HTTP and HTTPS
    Installed SCCM Client Certificate
    Installed SCCM Web Server Certificate
    Installed Distribution Point Certificate
    Deployed to a domain computer good on PKI
    Workgroup Computers:
    I’m having issues with deploying certificates
    Windows 7 – (ERROR) not successful
    Windows Server 2008 R2 – (ERROR) not successful
    Windows Server 2003 - successful
    Windows XP – successful
    How I’m getting the certs for the clients is by utilizing the following scripts from this URL.
    http://www.ithierarchy.com/ITH/node/48
    I did find a couple of errors in the code, but if it’s working on my Server 2003, then it should work on the others. Windows 7 and Windows 2008 R2 seem to have the same issue. The error I’m getting is the following:
    Command line requesting the cert ---- CertReq -new -f testcomputer.home.pvt.inf c:\client\testcomputer.home.pvt.req
    Error --- Template not found.
    SCCMClientCertificate (this is my template)

    Just to give an update on what’s happening with this. I found out this format is unsupported by MS with Windows Vista and newer OSes.
    Instead you must utilize two other additional roles on the CA to have this work. The caveat is, I’m down to the testing and it’s not working as in the document. I have MS Support working with me to resolve this issue since it was written by MSFT.
    http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
    and use this doc for similar workgroup computers for rolling out certs. This was written for RT devices, however, it should work once I get to that point.
    http://blogs.technet.com/b/pki/archive/2012/12/11/certificate-for-winrt-devices-and-non-domain-member-devices.aspx

  • Troubles with client certificates in Windows Phone 8.1 WebViews

    Hi,
    I'm having difficulties using a client certificate in Windows Phone 8.1 WebViews.
    My code works fine in my Windows 8.1 App but I get a WebErrorStatus=[CertificateIsInvalid] in WebView.NavigationCompleted in WP.
    I'm using this code to import my certificate:
    await CertificateEnrollmentManager.ImportPfxDataAsync(certificateBase64, certificatePassword, ExportOption.NotExportable, KeyProtectionLevel.NoConsent, InstallOptions.None, "MyClientCertificate");
    I have no problem using this cert in HttpClient with either Windows 8.1 or Windows Phone 8.1.
    I don't understand why it doesn't work with the WebView control only on Windows Phone.

    Tried it with no success.
    But I just found this: https://blogs.msdn.com/b/wsdevsol/archive/2014/07/31/programmatically-create-and-configure-a-client-certificate-for-use-in-your-windows-runtime-based-app.aspx?Redirected=true
    With the note at the bottom:
    Note: For Windows Phone 8.1, you need to attach the Client Certificate programmatically. For Windows, once you install the Client Certificate to the app container store and do not attach the client certificate with the HttpClient request, the HttpClient class will automatically detect that there is a single certificate installed in the app container store and forward it to the server. However in the case of Windows Phone 8.1, there is no such “automatic” selection of the certificate and one MUST provide the certificate programmatically.
    Since there seems to be nothing to attach a custom HttpBaseProtocolFilter to a WebView, it doesn't seem possible atm.

  • Imaged (OSD) Windows 8.1 (HYPER-V) computers do not have a functional Client Certificate in personal store

    Hi! I have posted some of this in the ConfigMgr 2012 forum. As indicated above, I seem to have either a group policy/autoenrollment problem getting my ConfigMgr 2012 OSD images of Windows 8.1 to enroll for a client cert.
    The imaged machines function fine when they are finished imaging, and the ConfigMgr 2012 client is fully functional. However, MMC-->Certs-->computer account-->personal shows no certs.
    Physical machines have the client cert. They are both created in the same OU. If I try to manually import the cert it works just fine; however, I want autoenrollment to do this.
    The autoenrollment GPs are set up and functional on the Default Domain Policy.
    I recently created a new client cert from a duplicate of the workstation cert and it installed just fine doing a GPUpdate /force on my domain-joined computers.
    I do not see any negative events in the eventvwr on the Hyper-V machines. I have built a few.
    Suggestions? Thx

    Frank
    Here is the result of the policies on the computer called "nooffice", a Hyper-V machine created on Win 8.1 Pro running Hyper-V as admin of the local machine.
    Antimalware\Exclusions\Paths\%appdata%\NirSoft Utilities 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%APPDATA%\Sysinternals Suite\ 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%SystemRoot%\System32\GroupPolicy\Machine\registry.pol
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%SystemRoot%\System32\GroupPolicy\User\registry.pol 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\ccmcache 0 Local Group
    Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\Security\Database\*.chk 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\Security\Database\*.edb 0 Local Group Policy Software\Policies\Microsoft\Microsoft
    Antimalware\Exclusions\Paths\%windir%\Security\Database\*.jrs 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\Security\Database\*.log 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\Security\Database\*.sdb
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\SoftwareDistribution\Datastore\Datastore.edb 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\SoftwareDistribution\Datastore\Logs\Res*.jrs 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\SoftwareDistribution\Datastore\Logs\Res*.log
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\C:\Users\administrator.ANDOVER\AppData\Roaming\NirSoft
    Utilities 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Cdb.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Cidaemon.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
    Antimalware\Exclusions\Processes\Clussvc.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Dsamain.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\EdgeCredentialSvc.exe
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\EdgeTransport.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\ExFBA.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
    Antimalware\Exclusions\Processes\hostcontrollerservice.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Inetinfo.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.AntispamUpdateSvc.exe
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.ContentFilter.Wrapper.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Diagnostics.Service.exe
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Directory.TopologyService.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.EdgeSyncSvc.exe
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Imap4.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Imap4service.exe 0 Local
    Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Monitoring.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Pop3.exe 0 Local Group Policy
    Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Pop3service.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.ProtectedServiceHost.exe 0 Local Group
    Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.RPCClientAccess.Service.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Search.Service.exe 0
    Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Servicehost.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Store.Service.exe 0
    Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Store.Worker.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.TransportSyncManagerSvc.exe
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.UM.CallRouter.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeDagMgmt.exe 0 Local Group
    Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeDelivery.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeFrontendTransport.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
    Antimalware\Exclusions\Processes\MSExchangeHMHost.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeHMWorker.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeLESearchWorker.exe
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeMailboxAssistants.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeMailboxReplication.exe 0 Local
    Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeMigrationWorkflow.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeRepl.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
    Antimalware\Exclusions\Processes\MSExchangeSubmission.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeThrottling.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeTransport.exe
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeTransportLogSearch.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Msftefd.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
    Antimalware\Exclusions\Processes\Msftesql.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\OleConverter.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Powershell.exe
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\ScanEngineTest.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\ScanningProcess.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
    Antimalware\Exclusions\Processes\TranscodingService.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\UmService.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\UmWorkerProcess.exe
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\UpdateService.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\W3wp.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
    Antimalware\Quarantine\LocalSettingOverridePurgeItemsAfterDelay 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Quarantine\PurgeItemsAfterDelay 30 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\RandomizeScheduleTaskTimes
    1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableBehaviorMonitoring 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableIntrusionPreventionSystem 0 Local Group
    Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableIOAVProtection 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableOnAccessProtection 0 Local Group Policy Software\Policies\Microsoft\Microsoft
    Antimalware\Real-Time Protection\DisableRealtimeMonitoring 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableScriptScanning 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideDisableRealTimeMonitoring
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideDisableScriptScanning 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideRealTimeScanDirection
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\RealTimeScanDirection 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\AvgCPULoadFactor 50 Local Group Policy Software\Policies\Microsoft\Microsoft
    Antimalware\Scan\CheckForSignaturesBeforeRunningScan 1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableArchiveScanning 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableCatchupFullScan 0 Local
    Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableCatchupQuickScan 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableEmailScanning 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableHeuristics
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableRemovableDriveScanning 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableReparsePointScanning 1 Local Group Policy Software\Policies\Microsoft\Microsoft
    Antimalware\Scan\DisableRestorePoint 1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableScanningMappedNetworkDrivesForFullScan 1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableScanningNetworkFiles
    1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\LocalSettingOverrideAvgCPULoadFactor 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\LocalSettingOverrideScanParameters 0 Local Group Policy Software\Policies\Microsoft\Microsoft
    Antimalware\Scan\LocalSettingOverrideScheduleDay 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\LocalSettingOverrideScheduleQuickScanTime 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\LocalSettingOverrideScheduleTime
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\ScanOnlyIfIdle 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\ScanParameters 2 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\ScheduleDay
    2 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\ScheduleQuickScanTime 421 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\ScheduleTime 240 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Signature
    Updates\AuGracePeriod 480 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates\DefinitionUpdateFileSharesSources Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates\FallbackOrder InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC
    Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates\ScheduleDay 8 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates\ScheduleTime 120 Local Group Policy Software\Policies\Microsoft\Microsoft
    Antimalware\Signature Updates\SignatureUpdateCatchupInterval 1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates\SignatureUpdateInterval 4 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\SpyNet\LocalSettingOverrideSpyNetReporting
    0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\SpyNet\SpyNetReporting 1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\1 6 Local Group Policy Software\Policies\Microsoft\Microsoft
    Antimalware\Threats\ThreatSeverityDefaultAction\2 2 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\4 2 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\5
    2 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\UX Configuration\DisablePrivacyMode 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\UX Configuration\Notification_Suppress 1 Local Group Policy Software\Policies\Microsoft\Microsoft
    Antimalware\UX Configuration\UILockdown 0 Local Group Policy Software\Policies\Microsoft\System Center\Health Service\Runtime CLR Version v4.0.30319 Default Domain Policy Software\Policies\Microsoft\System Center\Health Service\Runtime Use Concurrent GC 0
    Default Domain Policy Software\Policies\Microsoft\System Center\Health Service\Runtime Use Workstation GC 1 Default Domain Policy Software\Policies\Microsoft\System Center\Health Service\Worker Process Logon Type 2 Default Domain Policy Preferences Windows
    Settings Files File (Target Path: c:\windows\safesenders.txt) The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.safesenders.txt Winning GPO
    Office 2013 Result: SuccessGeneral Action Update PropertiesSource file(s) \\SERVER2012A\safesender\safesenders.txt Destination file c:\windows\safesenders.txt Suppress errors on individual file actions Disabled AttributesRead-only Disabled Hidden Disabled
    Archive Enabled Group Policy Objects Applied GPOs Default Domain Policy [{31B2F340-016D-11D2-945F-00C04FB984F9}] Link Location andover.com Extensions Configured Software Installation {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} Deployed Printer Connections Security
    Internet Explorer Zonemapping Registry Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated Users Revision AD (154), SYSVOL (154) WMI Filter EMET 5 [{2C4287A2-7E57-4CEE-AEAC-436E25628F31}] Link Location andover.com Extensions Configured Registry
    Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated Users Revision AD (4), SYSVOL (4) WMI Filter Local Group Policy [LocalGPO] Link Location Local Extensions Configured Registry Enforced No Disabled None Security Filters Revision AD (14),
    SYSVOL (14) WMI Filter Office 2013 [{4E3C0D91-646B-4DF7-A9F1-B15B45B3334A}] Link Location andover.com Extensions Configured Group Policy Files Group Policy Infrastructure Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated Users Revision
    AD (54), SYSVOL (54) WMI Filter SCUP Signing Certificate [{B8EC6602-BC25-4A62-8F13-D225E5AAB46D}] Link Location andover.com Extensions Configured {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} Registry Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated
    Users Revision AD (4), SYSVOL (4) WMI Filter Windows 8.1 Policy Preferences [{3F103DE1-A223-48FA-84B2-5584A129CC7E}] Link Location andover.com/Windows 8.1 Computers Extensions Configured Software Installation Registry Enforced No Disabled None Security Filters
    NT AUTHORITY\Authenticated Users Revision AD (41), SYSVOL (41) WMI Filter Windows 8.1 WMI Filter WSUS [{90680992-AACB-487B-B5CD-6E936F4A3C6F}] Link Location andover.com Extensions Configured Registry Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated
    Users Revision AD (2), SYSVOL (2) WMI Filter Denied GPOs WMI Filters Name Value Reference GPO(s) Windows 8.1 WMI Filter True Windows 8.1 Policy Preferences User Details General User name ANDOVER\Administrator Domain andover.com Security Group Membership show
    ANDOVER\Domain Users Everyone NOOFFICE\ConfigMgr Remote Control Users BUILTIN\Users BUILTIN\Administrators NT AUTHORITY\INTERACTIVE CONSOLE LOGON NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization LOCAL ANDOVER\Group Policy Creator Owners ANDOVER\Mobile
    Enrollment ANDOVER\Mac Enrollment ANDOVER\Domain Admins ANDOVER\SCVMMAdmins ANDOVER\CSAdministrator ANDOVER\RTCUniversalServerAdmins ANDOVER\RTCUniversalGlobalReadOnlyGroup ANDOVER\Enterprise Admins ANDOVER\RTCUniversalGlobalWriteGroup ANDOVER\Organization
    Management ANDOVER\Schema Admins ANDOVER\RTCUniversalServerReadOnlyGroup ANDOVER\RTCUniversalUserReadOnlyGroup ANDOVER\CSServerAdministrator Authentication authority asserted identity ANDOVER\ConfigMgr Remote Control Users ANDOVER\Denied RODC Password Replication
    Group Mandatory Label\High Mandatory Level Component Status Component Name Status Time Taken Last Process Time Event Log Group Policy Infrastructure Success 16 Second(s) 892 Millisecond(s) 9/16/2014 7:52:10 PM View Log Group Policy Registry Success 140 Millisecond(s)
    9/15/2014 9:50:32 PM View Log Group Policy Shortcuts Success 500 Millisecond(s) 9/15/2014 9:50:32 PM View Log Registry Success 281 Millisecond(s) 9/15/2014 9:50:31 PM View Log Settings Policies Windows Settings Security Settings Public Key Policies/Certificate
    Services Client - Auto-Enrollment Settings Policy Setting Winning GPO Automatic certificate management Enabled Default Domain Policy Option Setting Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked
    certificates Enabled Update and manage certificates that use certificate templates from Active Directory Enabled Log expiry events, and, for user policy, only show expiry notifications when the percentage of remaining certificate lifetime is 10% Default Domain
    Policy Additional stores to log expiry events Default Domain Policy Display user notifications for expiring certificates in user and computer MY store Disabled Default Domain Policy Administrative Templates Policy definitions (ADMX files) retrieved from the
    central store.Microsoft Outlook 2013/Outlook Options/Preferences/Junk E-mail Policy Setting Winning GPO Specify path to Blocked Senders list Enabled Office 2013 Specify full path and filename to Blocked Senders list \\SERVER2012A\safesender\blockedsender.txt
    Policy Setting Winning GPO Specify path to Safe Recipients list Enabled Office 2013 Specify full path and filename to Safe Recipients list \\server2012a\safesender\safesenders.txt Policy Setting Winning GPO Specify path to Safe Senders list Enabled Office
    2013 Specify full path and filename to Safe Senders list \\server2012a\safesender\safesenders.txt Policy Setting Winning GPO Trigger to apply junk email list settings Enabled Office 2013 Microsoft Word 2013/Word Options/Customize Ribbon Policy Setting Winning
    GPO Display Developer tab in the Ribbon Enabled Office 2013 Microsoft Word 2013/Word Options/Save Policy Setting Winning GPO Save AutoRecover info Enabled Office 2013 Save AutoRecover info every (minutes) 3 Start Menu and Taskbar Policy Setting Winning GPO
    Go to the desktop instead of Start when signing in or when all the apps on a screen are closed Enabled Default Domain Policy Windows Components/EMET Policy Setting Winning GPO Default Protections for Internet Explorer Enabled EMET 5 Included products and mitigations:
    - Microsoft Internet Explorer - all mitigations Policy Setting Winning GPO Default Protections for Recommended Software Enabled EMET 5 Included products and mitigations: - WordPad - all mitigations - Microsoft Office - all mitigations - Adobe Acrobat - all
    mitigations except MemProt - Adobe Acrobat Reader - all mitigations except MemProt - Oracle Java - all mitigations except HeapSpray Windows Components/Windows Error Reporting Policy Setting Winning GPO Automatically send memory dumps for OS-generated error
    reports Enabled Default Domain Policy Disable Windows Error Reporting Disabled Default Domain Policy Do not send additional data Disabled Default Domain Policy Windows Components/Windows Error Reporting/Advanced Error Reporting Settings Policy Setting Winning
    GPO Configure Report Archive Enabled Default Domain Policy Archive behavior: Store parameters only Maximum number of reports to store: 500 Windows Components/Windows Error Reporting/Consent Policy Setting Winning GPO Configure Default consent Enabled Default
    Domain Policy Consent level Send all data Windows Components/Windows PowerShell Policy Setting Winning GPO Turn on Script Execution Enabled Default Domain Policy Execution Policy Allow local scripts and remote signed scripts Extra Registry Settings Display
    names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management. Setting State Winning GPO Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\AuthFlags
    2 Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\Cost 2147483645 Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\Flags
    20 Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\FriendlyName Active Directory Enrollment Policy Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\PolicyID
    {6AF312CA-551D-477C-8931-C2217574F832} Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\URL LDAP: Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\Flags 0 Default
    Domain Policy Preferences Windows Settings Shortcuts Shortcut (Path: C:\Users\administrator\Desktop\Remote Desktop.url) The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings
    when resolving conflicts.Remote Desktop Winning GPO Default Domain Policy Result: SuccessGeneral Action Replace AttributesTarget type URL Shortcut path C:\Users\administrator\Desktop\Remote Desktop.url Target URL https://hypervdi.andover.com/RDWeb/Pages/en-US/Default.aspx
    Icon path C:\WINDOWS\system32\SHELL32.dll Icon index 150 Shortcut key None Run Normal window Shortcut (Path: C:\Users\administrator\Desktop\Application Catalog.url) The following settings have applied to this object. Within this category, settings nearest
    the top of the report are the prevailing settings when resolving conflicts.Application Catalog Winning GPO Default Domain Policy Result: SuccessGeneral Action Replace AttributesTarget type URL Shortcut path C:\Users\administrator\Desktop\Application Catalog.url
    Target URL https://configmgr2012r2.andover.com/cmapplicationcatalog/ Icon path C:\WINDOWS\system32\SHELL32.dll Icon index 135 Shortcut key None Run Normal window Shortcut (Path: C:\Users\administrator\Desktop\Report Server.url) The following settings have
    applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.Report Server Winning GPO Default Domain Policy Result: SuccessGeneral Action Replace AttributesTarget type URL Shortcut
    path C:\Users\administrator\Desktop\Report Server.url Target URL http://configmgr2012r2/Reportserver Icon path C:\WINDOWS\system32\SHELL32.dll Icon index 165 Shortcut key None Run Normal window Shortcut (Path: C:\Users\administrator\Desktop\SCOM Reports.url)
    The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.SCOM Reports Winning GPO Default Domain Policy Result: SuccessGeneral Action Replace AttributesTarget
    type URL Shortcut path C:\Users\administrator\Desktop\SCOM Reports.url Target URL http://scom2012/reportserver Icon path C:\WINDOWS\system32\SHELL32.dll Icon index 44 Shortcut key None Run Normal window Shortcut (Path: C:\Users\administrator\Desktop\Reporting.url)
    The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.Reporting Winning GPO Default Domain Policy Result: SuccessGeneral Action Replace AttributesTarget
    type URL Shortcut path C:\Users\administrator\Desktop\Reporting.url Target URL http://configmgr2012r2/Reports/Pages/Folder.aspx Icon path C:\WINDOWS\system32\SHELL32.dll Icon index 165 Shortcut key None Run Normal window Group Policy Objects Applied GPOs Default
    Domain Policy [{31B2F340-016D-11D2-945F-00C04FB984F9}] Link Location andover.com Extensions Configured Group Policy Shortcuts {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} Registry Group Policy Infrastructure Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated
    Users Revision AD (102), SYSVOL (102) WMI Filter EMET 5 [{2C4287A2-7E57-4CEE-AEAC-436E25628F31}] Link Location andover.com Extensions Configured Registry Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated Users Revision AD (2), SYSVOL (2)
    WMI Filter Office 2013 [{4E3C0D91-646B-4DF7-A9F1-B15B45B3334A}] Link Location andover.com Extensions Configured Group Policy Registry Registry Group Policy Infrastructure Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated Users Revision
    AD (55), SYSVOL (55) WMI Filter Denied GPOs Java Files [{906C2069-E35E-4DAD-8A06-E234C1F5072E}] Link Location andover.com Extensions Configured {7150F9BF-48AD-4DA4-A49C-29EF4A8369BA} Group Policy Infrastructure Enforced No Disabled None Security Filters NT
    AUTHORITY\Authenticated Users Revision AD (98), SYSVOL (98) WMI Filter Windows 7 WMI Filter Reason Denied False WMI Filter Local Group Policy [LocalGPO] Link Location Local Extensions Configured Enforced No Disabled None Security Filters Revision AD (0), SYSVOL
    (0) WMI Filter Reason Denied Empty WMI Filters Name Value Reference GPO(s) Windows 7 WMI Filter False Java Files

  • Client certificate based authentication

    We have a Java Web Start application that needs to connect to an Apache server and use client certificate based authentication. When javaws initiates a connection with the Apache server, it tries to retrieve the certificate/key from the PKCS12 keystore to present it to the Apache server. We have made this work; however, javaws is prompting the user to enter the password for accessing the keystore. We do not want our users to enter this password and are looking into ways to either supply the password as one of the javaws deployment properties or create an unprotected keystore. Both of our attempts have been unsuccessful. We have tried the following:
    1. We passed the 3 discussed properties (javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.keyStoreType) in the Java Control Panel, according to the following procedure: open Control Panel, select the Java tab, click View under Java Applet Runtime Settings, set values in the Java Runtime Parameters table column. This operation added the properties to the user's deployment file (in a new attribute named deployment.javapi.jre.1.5.0_09.args, which held all 3 properties as a value), but there was no effect (the password window still popped up).
    2. We set up the deployment.property file manually with the 3 attributes [javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.keyStoreType]; it didn't have any effect either.
    3. When launching Java applications you can set system properties as part of the command line using the following format: "-D<property_name>=<property_value>". We failed to find the analogue in javaws.
    Has anyone got any ideas on how to work around this problem? Really appreciate any help here.

    Hi, client cert auth is not really the best way to protect your resources. It requires installing a client cert on every workstation to access the application. I think it conflicts with the javaws concept!
    I have the same situation (protect resources and avoid password prompt on start) and my solution is:
    Using Tomcat as web server:
    Directory structure as follows:
    /ApplicationRoot
        /WEB-INF
            /resources
                - private.jar
                - private.jnlp
        /resources
            - icon.png
            - public.jar
    As you can see there is no direct access to protected resources. All protected resources are available only through the ResourceProvider servlet, configured as follows (web.xml):
    <servlet-mapping>
            <servlet-name>ResourceProvider</servlet-name>
            <url-pattern>/resources/secret/*</url-pattern>
    </servlet-mapping>
    <security-constraint>
            <web-resource-collection>
                <web-resource-name>protected resources awailiable from browser</web-resource-name>
                <url-pattern>/resources/secret/browser/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>somerole</role-name>
            </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
    </security-constraint>
    <security-role>
            <role-name>somerole</role-name>
    </security-role>
    <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name></realm-name>
    </login-config>
    Code your ResourceProvider servlet to grant access only if:
    - Connection is secure (ssl).
    - URL pattern is "/resources/secret/browser/*" and client has passed the realm.
    - URL pattern is "/resources/secret/javaws/secretkey/*" (where secretkey is a pin kept both by client and server)
    To install the app from the browser (access private.jnlp) use the "/resources/secret/browser/*" url pattern and basic auth.
    To download app resources configure the jnlp file as follows:
    <jnlp spec="1.0+" codebase="https://host:port/AppRoot/resources/" href="secret/javaws/secretkey/private.jnlp">
        <information>
             <icon href="icon.png"/>
        </information>
        <resources>
            <j2se version="1.6+"/>
            <jar href="secret/javaws/secretkey/private.jar" />
            <jar href="public.jar" />
        </resources>
    </jnlp>
    And the last thing you need to do is configure the ssl connector on the tomcat server as follows:
    <Connector port="port"
             scheme="https"
             secure="true"
             SSLEnabled="true"
             clientAuth="false"
             sslProtocol="TLS"
    />
    Pay attention to the "clientAuth" param. Set it to "false" to avoid the javaws splash cert choose dialog on every app update.
    Hope it helps!
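
The three access rules listed in the reply above for its ResourceProvider servlet, written as a servlet-independent policy class. This is an added example, not code from the post: the class and method names, the use of `getPathInfo()` and `isUserInRole("somerole")` as inputs, and the sample key are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Hypothetical helper: the access rules listed for the ResourceProvider servlet. */
public final class ResourceAccessPolicy {
    private static final String BROWSER_PREFIX = "/browser/";
    private static final String JAVAWS_PREFIX = "/javaws/";

    // The shared "secretkey" path segment. It travels in the URL, so it also
    // shows up in the JNLP file and in server access logs.
    private final byte[] secretKey;

    public ResourceAccessPolicy(String secretKey) {
        if (secretKey == null || secretKey.isEmpty()) {
            throw new IllegalArgumentException("secret key must not be empty");
        }
        this.secretKey = secretKey.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * @param secure   HttpServletRequest.isSecure()
     * @param pathInfo HttpServletRequest.getPathInfo(): the part of the path
     *                 after the /resources/secret servlet mapping
     * @param inRole   HttpServletRequest.isUserInRole("somerole")
     */
    public boolean isAllowed(boolean secure, String pathInfo, boolean inRole) {
        if (!secure || pathInfo == null || pathInfo.indexOf('\\') >= 0) {
            return false;                       // rule 1: TLS only; no missing or backslash paths
        }
        for (String segment : pathInfo.split("/")) {
            if (segment.equals("..") || segment.equals(".")) {
                return false;                   // no traversal out of the resource directory
            }
        }
        if (pathInfo.startsWith(BROWSER_PREFIX)) {
            return inRole;                      // rule 2: browser path needs the BASIC login
        }
        if (pathInfo.startsWith(JAVAWS_PREFIX)) { // rule 3: javaws path needs the key
            String rest = pathInfo.substring(JAVAWS_PREFIX.length());
            int slash = rest.indexOf('/');
            if (slash <= 0 || slash == rest.length() - 1) {
                return false;                   // key segment or resource name missing
            }
            byte[] presented = rest.substring(0, slash).getBytes(StandardCharsets.UTF_8);
            // Compare without an early exit on the first differing byte.
            return MessageDigest.isEqual(presented, secretKey);
        }
        return false;                           // anything else under /resources/secret
    }

    public static void main(String[] args) {
        // Constructed sample key and request paths.
        ResourceAccessPolicy policy = new ResourceAccessPolicy("constructed-sample-key");
        String[] paths = {
            "/browser/private.jnlp",
            "/javaws/constructed-sample-key/private.jar",
            "/javaws/wrong-key/private.jar",
            "/javaws/constructed-sample-key/../../web.xml",
        };
        for (String path : paths) {
            System.out.println(path + " over TLS, in role: " + policy.isAllowed(true, path, true)
                    + " | over plain HTTP: " + policy.isAllowed(false, path, true));
        }
    }
}
```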

  • I am trying to load a website on my computer when this "client certificate" pop up comes up- I click continue and have also tried cancel but my page will not load. Please help?

    help!

    Some websites require a special client certificate for access. If you don't have that certificate, you'll have to contact the site operator to find out how to get one.
    Sometimes the problem is caused by a web server that is configured to request an optional client certificate. Safari treats the request as mandatory. In that case, other browsers such as Firefox and Chrome may be able to connect to the site, because they ignore the request.
    The first time you were prompted for a certificate, you may have clicked through a dialog that requested access to the Apple certificate in your keychain that is used to secure the iMessage service. In that case, you may be able to regain access to the site in Safari by doing as follows.
    Back up all data.
    Double-click anywhere in the line below on this page to select it:
    com.apple.idms.appleid.prd
    Copy the selected text to the Clipboard by pressing the key combination command-C.
    Launch the Keychain Access application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.
    Paste into the search field in the Keychain Access window by clicking in it and pressing the key combination command-V. An item may appear in the list of keychain items. The Name will begin with the string you searched for, and the Kind will be "certificate."
    Delete the item by selecting it and pressing the delete key. It will be recreated automatically the next time you launch the Messages or FaceTime application.
    The next time you visit a site that prompts for an optional client certificate, cancel out of the prompt. You may have to do this several times before the server stops asking.
    Credit for this idea to Christian Braukmueller of SAP.

  • Manually sign the netware client certificate

    We have Netware 6.5 SP8 and we want to upgrade our Windows 7 clients to "Netware client 2 SP3 for Windows 7 IR4". I have 2 questions:
    1) what is the command line to digitally sign the client certificate? Or another way to ask it, what is the DOS command line to digitally sign the client certificate so that I do not have the popup box confirming the installation of the certificate?
    2) I can export the certificate from a computer, but what type of certificate is it? When I go into the certmgr.msc utility to export the certificate, there is a list of types to choose from and I don't know which type to select?
    Thanks....

    On 01/11/2013 14:46, ncharleyhog wrote:
    > We have Netware 6.5 SP8 and we want to upgrade our Windows 7 clients to
    > "Netware client 2 SP3 for Windows 7 IR4". I have 2 questions:
    >
    > 1) what is the command line to digitally sign the client certificate? Or
    > another way to ask it, what is the DOS command line to digitally sign
    > the client certificate so that I do not have the popup box confirming
    > the installation of the certificate?
    >
    > 2) I can export the certificate from a computer, but what type of
    > certificate is it? When I go into the certmgr.msc utility to export the
    > certificate, there is a list of types to choose from and I don't know which
    > type to select?
    Section 2.6.1 of the Novell Client 2 SP3 for Windows Administration
    Guide[1] includes the following (note the two Microsoft links in the
    last paragraph):
    --begin--
    For the Novell Client, the certificate used for Authenticode signing is
    the Verisign public certificate for Novell, Inc. The best way to obtain
    the correct certificate for use in the Trusted Publishers list is to
    install the Novell Client on a Windows machine, then select the Always
    trust software from Novell, Inc. option when prompted. Then use the
    Microsoft Certificate Management Console (certmgr.msc) to export the
    Novell, Inc. certificate visible in this Windows machine's Trusted
    Publishers certificate list.
    The exported certificate can be used to pre-distribute Novell, Inc. as a
    Trusted Publishers certificate on Windows machines using any of the
    methods Microsoft makes available for pre-loading certificates used by
    Authenticode-signed software. This includes Microsoft support for
    distributing certificates during unattended installations of Windows, or
    through the use of Group Policies.
    For more information on the options provided by Microsoft Windows for
    distributing software publisher certificates, see the "Deploying
    Authenticode Digital Certificates in an Enterprise" section of Using
    Authenticode to Digitally Sign Driver Packages for Windows Server 2003
    (Authenticode.doc,
    http://www.microsoft.com/whdc/driver...henticode.mspx), and the
    Microsoft Windows Group Policy documentation
    (http://www.microsoft.com/grouppolicy/).
    ---end---
    HTH.
    [1]
    http://www.novell.com/documentation/...a/bqgnrgi.html
    Simon
    Novell Knowledge Partner

  • When I attempt to access my IRA account on line, I get a message saying that the web site requires a client certificate. The certificates listed in the drop down dialog box don't get accepted, even though one is indicated as valid and good until 10/2014.

    When I attempt to access my IRA account on line, I get a message saying that the web site requires a client certificate. The certificates listed in the drop down dialog box don't get accepted, even though one is indicated as valid and good until October 2014. I contacted the IRA account management company and they said it's an Apple issue. Any ideas?

    Some websites require a special client certificate for access. If you don't have that certificate, you'll have to contact the site operator to find out how to get one.
    Sometimes the problem is caused by a web server that is configured to request an optional client certificate. Safari treats the request as mandatory. In that case, other browsers such as Firefox and Chrome may be able to connect to the site, because they ignore the request.
    The first time you were prompted for a certificate, you may have clicked through a dialog that requested access to the Apple certificate in your keychain that is used to secure the iMessage service. In that case, you may be able to regain access to the site in Safari by doing as follows.
    Back up all data.
    Double-click anywhere in the line below on this page to select it:
    com.apple.idms.appleid.prd
    Copy the selected text to the Clipboard by pressing the key combination command-C.
    Launch the Keychain Access application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.
    Paste into the search field in the Keychain Access window by clicking in it and pressing the key combination command-V. An item may appear in the list of keychain items. The Name will begin with the string you searched for, and the Kind will be "certificate."
    Delete the item by selecting it and pressing the delete key. It will be recreated automatically the next time you launch the Messages or FaceTime application.
    The next time you visit a site that prompts for an optional client certificate, cancel out of the prompt. You may have to do this several times before the server stops asking.
    Credit for this idea to Christian Braukmueller of SAP.

  • Project Server 2010 Web services access with Client Certificate Authentication

    We switched our SharePoint/Project Server 2010 farm to use client certificate authentication with Active Directory Federation Services (AD FS) 2.0, which is working without issue. We have some administrative Project Server Interface (PSI) web service applications that no longer connect to the server with the new authentication configuration. Our custom applications are using the WCF interface to access the public web services.
    Please let us know if it is possible to authenticate with AD FS 2.0 and then call Project Server web services. Any help or coding examples would be greatly appreciated.

    What is the error that occurs when the custom PSI app connects?
    Can you upload the ULS logs here for research?
    What is the user account format you specified in the code for authentication?
    For proper authorization, the “user logon account” in PWA for the user needs to be changed from domain\username to the claims token (e.g.
    'I:0#.w|mybusinessdomain\ewmccarty').
    It requires you to manually call the UpnLogon method of
    “Claims to Windows Token Service”.
    if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
    {
        var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
    }
    Then you need to extract the UPN claim from the identity.
    Upload the verbose log if possible.
    Did you see this?
    http://msdn.microsoft.com/en-us/library/ff181538(v=office.14).aspx
    Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management
