From 73170b70170ad77b72c8463b31d25c4e40d0e480 Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Wed, 26 Apr 2023 09:44:18 -0500 Subject: [PATCH 01/12] More changes --- .../windows-autopatch-windows-feature-update-overview.md | 2 +- .../windows-autopatch-windows-quality-update-overview.md | 5 ++++- .../operate/windows-autopatch-windows-update.md | 8 +++++++- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md index 10b2232d41..b9acd5fe87 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md @@ -85,7 +85,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym > You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md). > [!IMPORTANT] -> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

+> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

**To pause or resume a Windows feature update:** diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md index 943537d1bc..e80b6025f4 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality updates description: This article explains how Windows quality updates are managed in Autopatch -ms.date: 04/24/2023 +ms.date: 04/26/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -86,6 +86,9 @@ When running an expedited release, the regular goal of 95% of devices in 21 days | Standard release | Test

First

Fast

Broad | 0

1

6

9 | 0

2

2

5 | 0

2

2

2 | | Expedited release | All devices | 0 | 1 | 1 | +> [!IMPORTANT] +> Expedited updates do not work with devices under the [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/). See [expedite Windows quality updates in Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/windows-10-expedite-updates) for more information. + #### Turn off service-driven expedited quality update releases Windows Autopatch provides the option to turn off of service-driven expedited quality updates. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md index 9f3d420192..1ac53758b5 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md @@ -1,7 +1,7 @@ --- title: Customize Windows Update settings description: This article explains how to customize Windows Updates in Windows Autopatch -ms.date: 03/08/2023 +ms.date: 04/26/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to 
@@ -30,6 +30,9 @@ For each tenant, at the deployment ring level, there are two cadence types to co - [Deadline-driven](#deadline-driven) - [Scheduled install](#scheduled-install) +> [!NOTE] +> Windows Autopatch leverages the [Update rings policy for Windows 10 and later in Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/windows-10-update-rings) to apply either **Deadline-driven** or **Scheduled install** cadence types. Microsoft Intune implements [Update rings policy for Windows 10 and later](https://learn.microsoft.com/mem/intune/protect/windows-10-update-rings) leveraging the settings available in the [Update policy CSP](https://learn.microsoft.com/windows/client-management/mdm/policy-csp-update) behind the scenes. + #### Deadline-driven With the deadline-drive cadence type, you can control and customize the deferral, deadline, and grace period to meet your specific business needs and organizational requirements. @@ -92,6 +95,9 @@ For more information, see [Windows Update settings you can manage with Intune up ## Customize the Windows Update deployment cadence +> [!IMPORTANT] +> The Windows update setting customizations can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to apply new software update settings.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

+ **To customize the Windows Update deployment cadence:** 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). From 700abb7e19230d810dd3b3bf589b294e2a7a40cb Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Wed, 26 Apr 2023 07:55:13 -0700 Subject: [PATCH 02/12] Update windows-autopatch-windows-quality-update-overview.md --- .../windows-autopatch-windows-quality-update-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md index e80b6025f4..87ca06f664 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md @@ -87,7 +87,7 @@ When running an expedited release, the regular goal of 95% of devices in 21 days | Expedited release | All devices | 0 | 1 | 1 | > [!IMPORTANT] -> Expedited updates do not work with devices under the [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/). See [expedite Windows quality updates in Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/windows-10-expedite-updates) for more information. +> Expedited updates **don't** work with devices under the [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/). For more information, see [expedite Windows quality updates in Microsoft Intune](/mem/intune/protect/windows-10-expedite-updates). #### Turn off service-driven expedited quality update releases From 5d3dfd62fe25a40fa065b471ee469b4115c42d1d Mon Sep 17 00:00:00 2001 
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Wed, 26 Apr 2023 07:56:44 -0700 Subject: [PATCH 03/12] Update windows-autopatch-windows-update.md --- .../operate/windows-autopatch-windows-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md index 1ac53758b5..013613707f 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md @@ -31,7 +31,7 @@ For each tenant, at the deployment ring level, there are two cadence types to co - [Scheduled install](#scheduled-install) > [!NOTE] -> Windows Autopatch leverages the [Update rings policy for Windows 10 and later in Microsoft Intune](https://learn.microsoft.com/mem/intune/protect/windows-10-update-rings) to apply either **Deadline-driven** or **Scheduled install** cadence types. Microsoft Intune implements [Update rings policy for Windows 10 and later](https://learn.microsoft.com/mem/intune/protect/windows-10-update-rings) leveraging the settings available in the [Update policy CSP](https://learn.microsoft.com/windows/client-management/mdm/policy-csp-update) behind the scenes. +> Windows Autopatch uses the [Update rings policy for Windows 10 and later in Microsoft Intune](/mem/intune/protect/windows-10-update-rings) to apply either **Deadline-driven** or **Scheduled install** cadence types. Microsoft Intune implements [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) using the settings available in the [Update policy CSP](/windows/client-management/mdm/policy-csp-update). #### Deadline-driven From 58414d202a77b1c5c72563d3760b4b14cb45f79c Mon Sep 17 00:00:00 2001 
From: Andre Della Monica Date: Mon, 1 May 2023 13:49:06 -0500 Subject: [PATCH 04/12] Changes --- .../windows-autopatch-groups-manage-autopatch-groups.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index 22620399b9..c883c01bdd 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -36,6 +36,8 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr - Windows Autopatch – Ring2 - Windows Autopatch – Ring3 - Windows Autopatch – Last +- Additionally, **don't** modify the Azure AD group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. + - See [assign an owner of member of a group in Azure AD](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) for more details on how to remediate Azure Azure AD group ownership. - Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won’t work properly. Autopatch uses app-only auth to: - Read device attributes to successfully register devices. - Manage all configurations related to the operation of the service. 
@@ -43,6 +45,9 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr - Review your existing Azure AD group dynamic queries and direct device memberships to avoid having device membership overlaps in between device-based Azure AD groups that are going to be used with Autopatch groups. This can help prevent device conflicts within an Autopatch group or across several Autopatch groups. **Autopatch groups doesn't support user-based Azure AD groups**. - Ensure devices used with your existing Azure AD groups meet [device registration prerequisite checks](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) when being registered with the service. Autopatch groups register devices on your behalf, and devices can be moved to **Registered** or **Not registered** tabs in the Devices blade accordingly. +> [!TIP] +> During the public preview, Autopatch groups opt-in page will show a banner to let you know when one or more pre-requisites are failing. Once you remediate the issue to meet the pre-requisites, it can take up to an hour for your tenant to have the "Use preview" button active. + ## Create a Custom Autopatch group > [!NOTE] From 655026b9121a494688788dd9fe6f14176f00af24 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Mon, 1 May 2023 11:53:34 -0700 Subject: [PATCH 05/12] Update windows-autopatch-groups-manage-autopatch-groups.md --- .../windows-autopatch-groups-manage-autopatch-groups.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index c883c01bdd..7255860786 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md 
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -37,7 +37,7 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr - Windows Autopatch – Ring3 - Windows Autopatch – Last - Additionally, **don't** modify the Azure AD group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. - - See [assign an owner of member of a group in Azure AD](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) for more details on how to remediate Azure Azure AD group ownership. + - For more information, see [assign an owner of member of a group in Azure AD](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) on how to remediate Azure Azure AD group ownership. - Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won’t work properly. Autopatch uses app-only auth to: - Read device attributes to successfully register devices. - Manage all configurations related to the operation of the service. 
@@ -45,8 +45,8 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr - Review your existing Azure AD group dynamic queries and direct device memberships to avoid having device membership overlaps in between device-based Azure AD groups that are going to be used with Autopatch groups. This can help prevent device conflicts within an Autopatch group or across several Autopatch groups. **Autopatch groups doesn't support user-based Azure AD groups**. - Ensure devices used with your existing Azure AD groups meet [device registration prerequisite checks](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) when being registered with the service. Autopatch groups register devices on your behalf, and devices can be moved to **Registered** or **Not registered** tabs in the Devices blade accordingly. -> [!TIP] -> During the public preview, Autopatch groups opt-in page will show a banner to let you know when one or more pre-requisites are failing. Once you remediate the issue to meet the pre-requisites, it can take up to an hour for your tenant to have the "Use preview" button active. +> [!NOTE] +> During the public preview, Autopatch groups opt-in page will show a banner to let you know when one or more prerequisites are failing. Once you remediate the issue to meet the prerequisites, it can take up to an hour for your tenant to have the "Use preview" button available. ## Create a Custom Autopatch group From 2ea4269a454b20b70b36b91dfdeb391e18c8eb5f Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Mon, 1 May 2023 14:32:50 -0700 Subject: [PATCH 06/12] Update windows-autopatch-groups-manage-autopatch-groups.md --- .../deploy/windows-autopatch-groups-manage-autopatch-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index 7255860786..85e9177b85 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -37,7 +37,7 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr - Windows Autopatch – Ring3 - Windows Autopatch – Last - Additionally, **don't** modify the Azure AD group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. - - For more information, see [assign an owner of member of a group in Azure AD](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) on how to remediate Azure Azure AD group ownership. + - For more information, see [assign an owner of member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) on how to remediate Azure Azure AD group ownership. - Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won’t work properly. Autopatch uses app-only auth to: - Read device attributes to successfully register devices. - Manage all configurations related to the operation of the service. From f161a3bb0d7bd4c35e142a9171f653170bd4977b Mon Sep 17 00:00:00 2001 
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Mon, 1 May 2023 17:00:16 -0700 Subject: [PATCH 07/12] Update windows-autopatch-windows-update.md --- .../operate/windows-autopatch-windows-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md index 013613707f..50453deea1 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md @@ -1,7 +1,7 @@ --- title: Customize Windows Update settings description: This article explains how to customize Windows Updates in Windows Autopatch -ms.date: 04/26/2023 +ms.date: 05/02/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to From 4f547ab4d791e99668d7fc9129d01c6c2c58a185 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Mon, 1 May 2023 17:00:46 -0700 Subject: [PATCH 08/12] Update windows-autopatch-windows-quality-update-overview.md --- .../windows-autopatch-windows-quality-update-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md index 87ca06f664..f12b686427 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality updates description: This article explains how Windows quality updates are managed in Autopatch -ms.date: 04/26/2023 +ms.date: 05/02/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual 
From 091fcb0d032eaeb85e00e63a3571f993b2b8862e Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Mon, 1 May 2023 17:01:03 -0700 Subject: [PATCH 09/12] Update windows-autopatch-windows-feature-update-overview.md --- .../windows-autopatch-windows-feature-update-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md index b9acd5fe87..95b3391bd5 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md @@ -1,7 +1,7 @@ --- title: Windows feature updates description: This article explains how Windows feature updates are managed in Autopatch -ms.date: 02/17/2023 +ms.date: 05/02/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual From 5dbf3b30044f5c4d7c69ba5d10e638c1d367b1cc Mon Sep 17 00:00:00 2001 From: Nathan <37495851+AlbinoGazelle@users.noreply.github.com> Date: Mon, 1 May 2023 22:05:11 -0700 Subject: [PATCH 10/12] Update event-4769.md Remove "## Table 4. Kerberos encryption types" format issue in Ticket Options table --- windows/security/threat-protection/auditing/event-4769.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index 98746150c6..8389aed242 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md 
@@ -179,8 +179,7 @@ The most common values: | 28 | Enc-tkt-in-skey | No information. | | 29 | Unused | - | | 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field hasn't passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | -| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Shouldn't be in use, because postdated tickets aren't supported by KILE. | -| ## Table 4. Kerberos encryption types | | | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Shouldn't be in use, because postdated tickets aren't supported by KILE. | | - **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used for issued TGS. From 5deaa8bfd7d63e212319b7a924012484c2d9e2b4 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 2 May 2023 10:06:26 -0400 Subject: [PATCH 11/12] Update event-4769.md --- windows/security/threat-protection/auditing/event-4769.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index 8389aed242..e09755689b 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md 
@@ -179,7 +179,7 @@ The most common values: | 28 | Enc-tkt-in-skey | No information. | | 29 | Unused | - | | 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field hasn't passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | -| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Shouldn't be in use, because postdated tickets aren't supported by KILE. | | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Shouldn't be in use, because postdated tickets aren't supported by KILE. | - **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used for issued TGS. From 58a0a12ee2aab1660b0a6572209329bc88b2efd9 Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Tue, 2 May 2023 10:32:48 -0500 Subject: [PATCH 12/12] Update event-4769.md --- windows/security/threat-protection/auditing/event-4769.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index e09755689b..ea8fbab15b 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md 
@@ -251,7 +251,7 @@ The table below contains the list of the most common error codes for this event: | 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after the user-supplied checksum in the Authenticator MUST be verified against the contents of the request, and the message MUST be rejected if the checksums don't match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum isn't collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). | | 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. | | 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. | -| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.
Multiple recent password changes hanven't propagated.
Crypto subsystem error caused by running out of memory.
SPN too long.
SPN has too many parts. | +| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.
Multiple recent password changes haven't propagated.
Crypto subsystem error caused by running out of memory.
SPN too long.
SPN has too many parts. | | 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that doesn't understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. | | 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) isn't trusted by the domain controller. | | 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client doesn't possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. |
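
Review bot: In [PATCH 01/12], the reworded `[!IMPORTANT]` note in windows-autopatch-windows-feature-update-overview.md (hunk @@ -85,7 +85,7) describes eight hours both as an upper bound ("can take up to eight hours") and as "the average frequency" at which devices check in, and the two statements do not agree. Say either that eight hours is the maximum or that it is the typical check-in interval, whichever matches the linked Intune article. The same sentence is added again under "Customize the Windows Update deployment cadence" in windows-autopatch-windows-update.md (@@ -92,6 +95,9), so both copies need the fix. In the feature-update copy, "rollback" is used as a verb and should be "roll back".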
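
Review bot: In windows-autopatch-windows-quality-update-overview.md (hunk @@ -86,6 +86,9 of [PATCH 01/12], reworded in [PATCH 02/12]), the new note says expedited updates don't work on Windows 10 LTSC devices, but the table row directly above it still reads "| Expedited release | All devices | 0 | 1 | 1 |". Qualify "All devices" in that row, or point from the row to the note, so the table and the note do not contradict each other. The context line under the next heading also reads "provides the option to turn off of service-driven expedited quality updates"; drop the stray "of" while this section is open.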
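
Review bot: In windows-autopatch-windows-update.md (hunk @@ -30,6 +30,9 of [PATCH 01/12], rewritten by [PATCH 03/12]), the added `[!NOTE]` links the same "Update rings policy for Windows 10 and later" target in two consecutive sentences. Link it once and refer back to it in the second sentence. The context line just below the note reads "With the deadline-drive cadence type", which should be "deadline-driven" to match the heading above it; it is worth fixing in the same change.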
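
Review bot: In windows-autopatch-groups-manage-autopatch-groups.md (hunk @@ -36,6 +36,8 of [PATCH 04/12], touched again by [PATCH 05/12] and [PATCH 06/12]), the added sub-bullet still has two typos after three revisions: the link text says "assign an owner of member of a group" while the anchor is `#assign-an-owner-or-member-of-a-group`, and the sentence ends with "remediate Azure Azure AD group ownership". Change "of member" to "or member" and remove the doubled "Azure". The parent bullet also runs two clauses together at "any of the groups above otherwise, Autopatch groups device registration process"; put a semicolon before "otherwise" or split it into two sentences. Since patches 04 to 06 only rework the same lines, consider squashing them.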
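
Review bot: In event-4769.md (hunk @@ -179,8 +179,7 of [PATCH 10/12]), the replacement row for value 31 ends with an extra empty cell ("... aren't supported by KILE. | |"), giving it four cells where rows 28 to 30 have three. [PATCH 11/12] removes it, so the two commits should be squashed to avoid an intermediate revision with a malformed table. The hunk also deletes the "Table 4. Kerberos encryption types" text outright rather than moving it out of the Ticket Options table; confirm that the encryption-type table following "Ticket Encryption Type" keeps a caption, because none is visible in the context lines here.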