For PAW or other guarded host scenario, to leverage Azure HGS for device health attestation

Reproduceable on Windows Server 2016 and Server 2019 (any many other versions with german language)

-open mmc.exe and import the certificates snap in two times (user and computer)
-open the "Personal Certificates"->"Certificates" Folder
-Then click on "All Tasks" -> "Import..." -> Next -> Browse
-Open the file type ComboBox

Some random characters appear.

https://social.technet.microsoft.com/Forums/office/en-US/f0736be4-7ff1-496a-9275-d5a8faf25b1d/memory-corruption-issue-on-certificates-mmc-snapin?forum=win10itprogeneral

Azure PAW service, so the customer PAW devices can be managed by Microsoft, and customer can run multiple workloads on the secure device.

For example, in Windows Server 2016 1607, the SD SDDL for w32time service (sc sdshow w32time) is:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPLOCRRC;;;LS)(A;;CCSWWPLORC;;;LS)

Now, in Windows Server 2019 1809, the SD SDDL for w32time service is:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPLOCRRC;;;LS)(A;;CCSWWPLORC;;;LS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-3169285310-278349998-1452333686-3865143136-4212226833)

What is the identity for this unsolvable SID?
S-1-5-80-3169285310-278349998-1452333686-3865143136-4212226833

If you modify the security setting "Network security: Configure encryption types allowed for Kerberos" to only allow AES and not RC4, you get this error when initializing the Host Guardian Service

New-HgsGmsa : Active Directory operation failed with the following error:
Install-ADServiceAccount : Cannot install service account. Error Message: 'The provided context did not match the
target.'.

This happens with gMSA accounts and is described in this blog post
https://blogs.technet.microsoft.com/joelvickery/cannot-install-service-account-the-provided-context-did-not-match-the-target/

The New-ADServiceAccount command within HgsServer.psm1 should be modified to pass the KerberosEncryptionTypes parameter.

As Windows Server 2016 Core no longer supports Minimal UI I setup a management server for remote management. Installed all the management tools, but not there is no MMC for ADFS.

This might not be the most optimal place for this request, but it somewhat fits and I can't seem to find anywhere more suitable, plus RDCMan is an official Microsoft tool...

Remote Desktop Connection Manager (RDCMan) doesn't currently seem to expose the RDP Restricted Admin option.

This feature is great for secure remote server administration when you can't use PowerShell remoting - many such cases still exist!

It's probably not a huge task either, the GUI just needs a checkbox for the feature which is already implemented elsewhere.

Give the possibility for admins to increase the numbers of character set combinations. Currently it is 3, but we would like to make it 4 and we can't. We are "forced" to invest in an external party creating custom password filters - from what I am reading in TechNet forums.

SCHannel in Windows Server 2016 TP5 still has RC4 Ciphers and even SSLv3 enabled by default. Which is a complete joke from a security standpoint. If Microsoft doesn't want their server do be insecure by default disable those like every other major vendor has done.

PowerShell Get-Acl and Set-Acl (to set permissions on folders/files) currently in Windows Server are extremely hard to use and do not offer nearly the same level of functionality in older commands like ICACLS.EXE. It would be great if you could manage ACLs for folders and files using an easier to use set of PowerShell cmdlets, like we can do with SMB shares. Something like Get-ItemAccess, Grant-ItemAccess, Revoke-ItemAccess, Deny-ItemAccess and Remove-ItemAccess would be great!

In order to better control access and provide insight to my management and my auditors - I'd like to be able to monitor who has access to what resources

The following PowerShell command should NOT configure the Enrollment Policy Web Service, because it has the -WhatIf parameter:
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Certificate -Force -SSLCertThumbprint 'f0262dcf287f3e250d1760508c4ca87946006e1e' -KeyBasedRenewal:$false -WhatIf

However, it does configure it. The same goes for Uninstall-AdcsEnrollmentPolicyWebService

This is bad practice for PowerShell cmdlets. It is also preventing us creating a DSC resource to configure this feature.

SIR BILL GATES IS OUR IDEAL PERSON.HE IS CREATED SO MANY EASY WAY FOR OUR LIFESTYLE.OTHERWISE IF HE WILL BE CREATING A DECENT MICROSOFT AC BUS FOR ALL CLASSES PEOPLE.ITS WILL BE A BEST IMPACT FOR OUR LIFE STYLE.& WE NEED TO A LOT OF THAT BUS IN INDIA.

WE ARE INDIAN&WE LOVES OUR WORLD SO MUCH.NOW,THE WORLD IS SO MUCH FAST & CLEAN.IN THIS TIME,MICROSOFT IS A GREAT WAY FOR OUR LIFESTYLE.MICROSOFT WILL BE CREATING&MAKING A LOT OF DECENT AIRPLANE FOR OUR EASIER LIFESTYLE.ITS WILL BE A BEST IMPACT FOR OUR WHOLE WORLD.THAT AIRPLANE WILL BE USING FOR PASSENGERS,CONTAIN PRODUCTS,SUPPLYING(WATER,FOOD,CLOTHES,MEDICINE,ETC)&PATIENT FOR EMERGENCY.I MEAN ITS A VARIOUS WAYS LIKE STEP 1=PASSENGER AIRPLANE,STEP 2=WATER AIRPLANE,STEP 3=PATIENT AIRPLANE,STEP 4=SUPPLYING ALL LEGAL (PRODUCTS,FOOD,MEDICINE).

NOW AT THIS TIME OUR WORLDS MANY FAMILY FACES FLOODS.THEY ARE SOMEONE RICHES BUT MANY OF THE FAMILY SO MUCH POOR.PLEASE REQUEST YOU ALL RICHEST PERSON PLEASE HELP THEM WITHIN FOOD,MEDICINE,CLOTHES,HOUSE PLEASE PLEASE PLEASE

Windows Defender AV should act the same on Server 2016 as it does on Windows 10. if the Server is enrolled to Defender ATP and third party AV is installed it should go into passive mode to ensure that it can still apply reactive protection to the Server OS as required by Defender ATP.

also, then you will be able to troubleshoot Windows Update by using the get-windowsupdatelog command!