ZENworks, iprint appliance and Windows 24H2

Hello everyone, for those of you having issues with Windows 24H2, ZENworks and iPrint, with LSA (ZENWORKS) and Auth issues with the iprint client and iCM from a Windows Domain, (Auth was not being passed from the Windows Login to iCM in Windows 24H2)  figured out MPR was disabled by default, and in ZENworks LSA was blocking part of the ZENworks client, This registry file, will turn Windows MPR back on and will will turn LSA off, so the ZENworks client is not blocked, so this fix kills 2 birds with one stone and fixes the issue:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableMPR"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000000

  • Verified Answer

    +1

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "EnableMPR"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "RunAsPPL"=dword:00000000

  • 0   in reply to 

    In regards to ZENworks, neither of those settings are recommended.

    EnableMPR is not required for ZCM Auth with Domains or eDIr.  Either use the ZCM Credential Provider or Kerberos.  MS has announced the functionality you are re-enabling has been deprecated and will be permanently removed in a TBD future update.

    "RunAsPPL" was a cosmetic issue for ZCM with a single installation warning but did not impact functionality.  It is fixed in the latest 23.4 and 24.4 patches by having a signed DLL.  As with the first setting, it is against MS security recommendations.

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • 0 in reply to   

    Hi Craig, the EnableMPR is for the iprint appliance side only, until they Fix this in the client, or opentext does something so Auth is passed. (I probably shouldn't have put it here, but since I am using the iprint appliance and ZENworks, the reg entries solved 2 problems for me.

    "RunAsPPL" was a cosmetic issue for ZCM with a single installation warning but did not impact functionality.  It is fixed in the latest 23.4 and 24.4 patches by having a signed DLL.  As with the first setting, it is against MS security recommendations.

    Craig,I appreciate that, and I sincerely say, you have helped me so much and have always been been so helpful in so many ways, whenever we have ZENwork issues. Unfortunately, I can't always apply the newest ZCM patches because we are in a large environment and it is VERY disruptive, as well, I have never had the upgrade of ZENworks nor the client go smooth, there's always an issue no matter how much time I spend repacking the upgrade of the ZENworks client once I upgrade ZENworks. I often don't have much luck with the upgrtade of ZENworks either. I end up usually building a new server in the summer, and then installing a clean version of ZCM on the newest version, and the client that matches that version. As an example, you were so helpful last time helping me repack the client, and I was truly appreciative. But even after we spent all that time repacking the client, I had to do a clean install on many of the clients, as for some reason the upgrade didn't work accross the board. I still think what we did was helpful, but it just didn't seem to work across the board. Due to that sometimes I need solutions that work until I have that time to go successfully to the new version. I appreciate that LSA is fixed in the newest version of ZENworks/the Client, it's good it will be fixed when I can upgrade ZENwroks. From what I can tell it is not fixed in the iPrint appliance nor the client, and iPrint iCM needs it enabled if Windows login is going to pass the credentials to iCM. I tried the newest iprint appliance and client version and it still was not fixed, so for now, I need EnableMPR. 

    The only reason I put it in here is for people like me who can't upgrade yet, but need a solution. I look forward to being able to upgrade to the newest version of ZENworks in the summer, or in a test Environment. 

     You are a rockstar, and I look forward to your sage knowledge going forward still, I have nothing but respect for you. I know my solution isn't perfect, but I need a solution until the summer. This is the best I have for now.

  • 0 in reply to 

      On that note, My ZENworks 2020.2 Installation is a VM, that I could propagate to a test environment. I will start some test upgrades to the newest version. I had a really hard time with Ceritficates and mobile devices on 2020.3 so I'm hoping thats not still an issue. Any advice on the smoothest upgrade path from 2020.2 to the newest ZEN is always appreciated, I always read over the docs, but I always feel like I miss something.

  • 0   in reply to 

    No worries...Sharing is good....My main reason to respond is to make sure nobody thinks those settings are required by ZENworks since some may consider them "Security" issues, despite the settings you mentioned were default Windows behavior since at least Windows NT 4.0 until Windows 24H2 came out....

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • 0 in reply to   

    Thanks Craig :)