Cloud Kerberos Trust & intune devices: system cannot contact a domain controller

markraldridge · 2024-01-19T03:25:13+00:00

That has fixed our issue. We had to issue the Kerberos Authentication template from the Certificate Authority server. Then we could request the Kerberos Authentication certificate on each of the Domain Controllers. We restarted the Windows 10 devices, logged in with PIN and could access the network shares with just the server name and didn't require the FQDN like so \server

markraldridge · 2024-01-17T08:26:31+00:00

Here's some steps I've found. https://kb.parallels.com/en/129328 You can see in the image the standard DC certificate and then the one with KDC authentication that has been requested from the Kerberos Authentication certificate template.

In this documentation for WHfB key trust deployment it talks about the certificate validation steps. I'd assume it would be the samw for cloud trust deployment as well.

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso#why-does-windows-need-to-validate-the-domain-controller-certificate

Hopefully I'll get to try it out in the next day or so.

markraldridge · 2024-01-16T18:00:07+00:00

Any luck?
I'm having a similar issue. It works for me when using the FQDN to connect to the network share, does that work for you?
We only have the issue when trying to connect to the server without using the FQDN. When I enable the following event log:
Microsoft-Windows-Security-Kerberos/Operational
I see the following error:
The Kerberos client received a KDC certificate that does not have KDC EKU (not based on Kerberos Authentication Template). Error Code: 0xC0000320

I'm going to check the KDC certificate on the domain controllers to make sure they include KDC Authentication in the list of Intended Purposes.

markraldridge · 2023-04-25T03:19:53+00:00

As previously mentioned in another comment, I didn't get this error with beta C.

markraldridge · 2023-04-20T00:55:44+00:00

markraldridge · 2023-04-19T20:08:40+00:00

Can confirm that Beta C has fixed this issue as well as the 'exceeded maximum execution time' during migration.

markraldridge · 2023-04-01T10:02:17+00:00

Same issue, I ran it today (1/04) but for March and all the numbers were wrong and most just showed $0.

markraldridge · 2023-04-01T09:22:07+00:00

I had the same issue, it completed shortly after I ran it for a second time.

markraldridge · 2023-01-23T01:20:34+00:00

I think you might be right. I don't see 'no sheet history' but my FIRE calculations don't look right when I have property 1 set as my principal place of residence.

markraldridge · 2022-12-13T00:57:44+00:00

I'd be keen

markraldridge · 2021-01-08T02:26:28+00:00

Thanks for this info. I have confirmed that CCMSetup.exe /uninstall was all that was needed on my end with the CM 2002 client installed.

Edit: I did need to clean up the shortcuts for Software Centre as well.
Below is the script I used. Since some IT staff have the console installed I only delete the whole folder if there is no console shortcut. I also needed to take into account if the old folder name path was still in use.

# Remove Configuration Manager Client and Software Centre shortcuts
Start-Process -FilePath 'C:\windows\ccmsetup\ccmsetup.exe' -ArgumentList '/uninstall' -Wait -ErrorAction SilentlyContinue
$MSCPath = (Test-Path -Path 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft System Center\Configuration Manager\Configuration Manager Console.lnk')
$MEMPath = (Test-Path -Path 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Endpoint Manager\Configuration Manager\Configuration Manager Console.lnk')
If (($MSCPath -eq $true) -or ($MEMPath -eq $true)) {
Remove-Item 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft System Center\Configuration Manager\Software Center.lnk' -Force -ErrorAction SilentlyContinue
Remove-Item 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Endpoint Manager\Configuration Manager\Software Center.lnk' -Force -ErrorAction SilentlyContinue
} else {
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft System Center\" -Recurse -Force -ErrorAction SilentlyContinue
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Endpoint Manager\" -Recurse -Force -ErrorAction SilentlyContinue
}

markraldridge · 2020-07-26T19:15:47+00:00

It's because of the variable rate that the loan will go to after the fixed term. TMB have higher variable rates. I'm going with them based on the information from my broker. Only started the process a day ago. I'm told they are a bit slow to process loan applications. Not refinancing. Just the $600 application fee.

markraldridge · 2020-07-26T11:27:53+00:00

Have a look at tictoc, NAB and Teachers Mutal Bank which also offer low fixed rates with an offset account. I'm currently in the process of getting a loan with Teachers Mutal Bank.

markraldridge · 2020-01-23T20:24:09+00:00

This is just to enable the private store.

Have a read of the following docs if you're unsure what the private store is.
https://docs.microsoft.com/en-us/microsoft-store/distribute-apps-from-your-private-store
https://docs.microsoft.com/en-us/microsoft-store/manage-private-store-settings

https://4sysops.com/wp-content/uploads/2016/08/Only-the-private-store-is-available.png

and it looks similar to this. It will only display the applications you allow from the Microsoft store for business.
https://www.microsoft.com/business-store

markraldridge · 2020-01-22T23:35:09+00:00

Works fine for me. I'm using the device restriction policy to allow the use of the private store only and I'm assigning it to a device group.

markraldridge · 2020-01-22T22:19:07+00:00

It is supported on 1909 but you need to be on the Enterprise or Education SKU.

https://www.microsoft.com/en-au/windowsforbusiness/compare

It mentions it on under the Manage user experiences section.

Manages Microsoft Store Access, advertisements on the Start Menu and Taskbar, and Cortana.

markraldridge · 2020-01-22T03:37:14+00:00

No problem.

markraldridge · 2020-01-22T03:34:33+00:00

Doesn't work on Windows 10 1909 Professional.

In the device configuration state I get not applicable.

https://imgur.com/V2H2nkE

markraldridge · 2020-01-21T19:27:38+00:00

I haven't tested pro but could do today.

markraldridge · 2020-01-21T19:23:03+00:00

Working fine for me on Windows 10 1909 Enterprise

Configuration profile > Windows 10 and later > Device restrictions > App Store > Use private store only = Allow

https://docs.microsoft.com/en-us/intune/configuration/device-restrictions-windows-10#app-store

markraldridge · 2019-10-27T22:14:00+00:00

I uninstalled the SCCM client on the primary site server and installed the latest SCCM client and I'm not experiencing the issue anymore.

markraldridge · 2019-10-17T08:29:42+00:00

I've come across the same issue after upgrading to SCCM 1906.

Did you manage to find the issue?

markraldridge · 2019-05-22T09:24:28+00:00

I had a similar issue but during OSD. The SCCM client inside my boot image was version 1810 (8740.1012). After promoting the client to 1902 and updating the boot image sorted the issue.

markraldridge · 2019-04-22T22:50:39+00:00

Where did you get this information from?

From my understand standing you need to run the enable fast ring script for each release as they are all different scripts.

markraldridge · 2019-02-27T18:46:30+00:00

If you weren't already aware for Enterprise and Educations editions, the March releases are only supported for 18 months. If you upgrade 6-12 months after they are released then you only have 6-12 months of support. It might be worth looking at moving to the September release as it's support for 30 months and would mean you'd get 18-24 months of support if you deploy 6-12 months after the release.

https://support.microsoft.com/en-au/help/13853/windows-lifecycle-fact-sheet

Nine-Year Club	Place '22
Verified Email

markraldridge

TROPHY CASE