JMarkstrom / yubikey-removal-behavior

Sample app to lock workstation or log out the user on removal of YubiKey.
https://medium.com/@jonasmarkstrom/locking-the-workstation-on-fido2-security-key-removal-part-2-80962c944c78

Windows 11 not working #2

Open jbruijntjes opened 2 months ago

jbruijntjes commented 2 months ago

I found the software deployment OK on Windows 11, but the ADMX template is not applying from Intune due to a version statement in the ADMX template.


Any chance we can also make this work on Windows 11?

JMarkstrom commented 2 months ago

Hello, you should be able to change that value. Also, please check: https://github.com/sciber-io/yubikey-locker If it is still a problem, I will investigate (but it will take some time).

jbruijntjes commented 2 months ago

Ok, but the question is what to change it in? Should I change 10 to 11 or are there any predefined values that are accepted?

jbruijntjes commented 2 months ago

Just to get things clear, I am using: https://github.com/sciber-io/yubikey-locker with the ADMX of the initial version

jbruijntjes commented 2 months ago

OK, I found the values in the windows.admx on my system. So I think we can change it to: SUPPORTED_Windows_11_0_NOSERVER. The only thing I do not get is that it is referencing Sciber.

And the documentation says it needs to reference Windows (windows.admx):

  <definition name="SUPPORTED_Windows_11_0_SE" displayName="$(string.SUPPORTED_Windows_11_0_SE)">
      <or>
          <range ref="products:MicrosoftWindows" minVersionIndex="16" maxVersionIndex="16"/>
      </or>
  </definition>

  <!--At least Windows 11 22H2 no SERVER -->
  <definition name="SUPPORTED_Windows_11_0_22H2_NOSERVER" displayName="$(string.SUPPORTED_Windows_11_0_22H2_NOSERVER)">
      <or>
          <range ref="products:MicrosoftWindows" minVersionIndex="16" maxVersionIndex="16"/>
      </or>
  </definition>

  <!--At least Windows 11 22H2 -->
  <definition name="SUPPORTED_Windows_11_0_22H2" displayName="$(string.SUPPORTED_Windows_11_0_22H2)">
      <or>
          <range ref="products:MicrosoftWindows" minVersionIndex="16"/>
      </or>
  </definition>

  <!--At least Windows 11 no SERVER -->
  <definition name="SUPPORTED_Windows_11_0_NOSERVER" displayName="$(string.SUPPORTED_Windows_11_0_NOSERVER)">
      <or>
          <range ref="products:MicrosoftWindows" minVersionIndex="16"/>
      </or>
  </definition>

JMarkstrom commented 2 months ago

OK, I see. Give it a go and see if it works. If not, report it on the Sciber repo.

jbruijntjes commented 2 months ago

The only thing I do not get is that it is referencing Sciber.

And the documentation says it needs to reference Windows (windows.admx):

https://download.microsoft.com/download/5/0/8/5081217f-4a2a-470e-a7fa-5976e40b0839/Group%20Policy%20ADMX%20Syntax%20Reference%20Guide.doc

Referencing Windows supportedOn elements

Windows product names support information is provided in the Windows base file. You can reference these product names for your .admx file. In order to use the supported on information in the Windows base file, you must do the following:

• Within your supportedOn element, add the "windows:" prefix to the ref attribute to reference the Windows base file.
• Reference a defined supportedOn element from the Windows base file.

If you use an invalid element name, the Group Policy Object Editor will not display any supported on information and will not display an error message. This XML fragment demonstrates referencing supported on text for your policy setting, using existing Windows product information.

So is this only for displaying the information, or is it actually used by Intune? Doing my test now; I just re-uploaded the files in Intune and am prepping my Windows 11 machine. Will report back soon.
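Because the editor stays silent on a bad ref, it helps to check the file before uploading it. The following is an added example, not code from this repository or the Sciber project: it parses a constructed policy ADMX against a heavily trimmed, constructed stand-in for windows.admx and reports each policy whose supportedOn ref uses a prefix the file never declares with <using>, names a definition that windows.admx does not contain, or points at a local definition that does not exist.

```python
import xml.etree.ElementTree as ET

NS = {"p": "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"}  # default ADMX namespace
ROOT = '<policyDefinitions xmlns="%s">' % NS["p"]

# Constructed, heavily trimmed stand-in for windows.admx (not the real file).
WINDOWS_ADMX = ROOT + """
  <policyNamespaces><target prefix="windows" namespace="Microsoft.Policies.Windows"/></policyNamespaces>
  <supportedOn><definitions>
    <definition name="SUPPORTED_Windows_11_0_NOSERVER" displayName="$(string.SUPPORTED_Windows_11_0_NOSERVER)"/>
  </definitions></supportedOn>
</policyDefinitions>"""

# Constructed policy file: one ref resolves via windows.admx, one is misspelled, one is local.
LOCKER_ADMX = ROOT + """
  <policyNamespaces>
    <target prefix="locker" namespace="Example.Policies.Locker"/>
    <using prefix="windows" namespace="Microsoft.Policies.Windows"/>
  </policyNamespaces>
  <supportedOn><definitions><definition name="SUPPORTED_Locker_Any" displayName="$(string.Any)"/></definitions></supportedOn>
  <policies>
    <policy name="LockOnRemoval" class="Machine" displayName="$(string.Lock)" key="Software\\Example">
      <supportedOn ref="windows:SUPPORTED_Windows_11_0_NOSERVER"/></policy>
    <policy name="LogoffOnRemoval" class="Machine" displayName="$(string.Logoff)" key="Software\\Example">
      <supportedOn ref="windows:SUPPORTED_Windows_11_0_NOSERVR"/></policy>
    <policy name="Legacy" class="Machine" displayName="$(string.Legacy)" key="Software\\Example">
      <supportedOn ref="SUPPORTED_Locker_Any"/></policy>
  </policies>
</policyDefinitions>"""


def check_supported_on(policy_xml, base_xml):
    """Return one message per policy whose supportedOn ref cannot be resolved."""
    base, pol = ET.fromstring(base_xml), ET.fromstring(policy_xml)
    path = "p:supportedOn/p:definitions/p:definition"
    base_defs = {d.get("name") for d in base.findall(path, NS)}
    local_defs = {d.get("name") for d in pol.findall(path, NS)}
    # "windows:" refs are only valid if the file imports that prefix with <using>.
    declared = {u.get("prefix") for u in pol.findall("p:policyNamespaces/p:using", NS)}
    problems = []
    for policy in pol.findall("p:policies/p:policy", NS):
        node = policy.find("p:supportedOn", NS)
        ref = node.get("ref", "") if node is not None else ""
        prefix, _, name = ref.rpartition(":")
        if prefix and prefix not in declared:
            problems.append(f"{policy.get('name')}: prefix '{prefix}' not declared with <using>")
        elif prefix == "windows" and name not in base_defs:
            problems.append(f"{policy.get('name')}: '{name}' is not defined in windows.admx")
        elif prefix == "" and name not in local_defs:
            problems.append(f"{policy.get('name')}: unresolved supportedOn ref '{ref}'")
    return problems
```

To run it against real files, pass the contents of your policy .admx and of C:\Windows\PolicyDefinitions\windows.admx; the checker only validates that refs resolve, not whether Intune honours them.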

jbruijntjes commented 2 months ago

Continuing here: https://github.com/sciber-io/yubikey-locker/issues/90