Release Notes
We continually work to ensure our products deliver a reliable, high-quality experience. The items listed below are currently under investigation. If you require additional assistance, please contact us at UPA_Support@fullarmor.com.
Unable to save Windows Remote Assistance Helpers list entries properly
Issue: The system does not save the Windows > Administrative Templates > System > Remote Assistance Helpers list entries properly in a Universal Policy. Therefore GPMC is unable to report it when you export to AD.
Workaround: Use GPEdit to save the Helper list entries in the GPO.
If you reimport a domain, an existing WMI filter receives a red x mark
Issue: If you reimport a domain, an existing WMI filter receives an x mark to indicate a failed import. This is because a domain import operation attempts to import all WMI filters, including any that are unchanged and identical in both locations and do not need an update.
Workaround: Ignore, none required
Post upgrade automatic domain imports fail
Issue: Post upgrade, automatic domain imports fail that result in missing UPA 3.6 policies and settings already available in the domain.
Workaround: Perform a manual domain import. For more information, see Importing Trusted and Untrusted Domains.
Unable to configure Allow and Deny access control permissions in the File System policy settings of a Universal Policy
Issue: When you attempt to configure File System access control permissions within the same Universal Policy, you are unable to choose both Allow and Deny permissions at the same time. You can only choose either, within a single Universal Policy.
Workaround: Create two Universal Policies with identical File System policy settings.
Configure the following:
- Allow access to required permissions in the File System policy settings of the first Universal Policy.
- Deny access to required permissions in the File System policy settings of the second Universal Policy
Example: If you grant Allow access to Read and List Folder Contents permissions in the first Universal Policy, you may only grant Deny access to the Write permission in the second Universal Policy and vice versa.
Unable to browse to a certificate in a sub folder to add Software Restriction Policies to a Universal Policy
Issue: You require a certificate to add Software Restriction Policies to a Universal Policy. Go to Software Restriction Policies > Additional Rules > + New > New Certificate Rule > Certificate Subject field to browse the directory where the certificate is held. This action is not allowed when the certificate is located in a subfolder.
Workaround: Move the required certificate to a top level folder in the directory, instead of a sub folder, to be able to successfully browse to it.
Email notification received from an unassigned role
Issue: Log in as a domain administrator with the UPA Full Administrator role also assigned. Set up email notifications for both Approver and Full Administrator roles.
The Email notification received is for the Approver, an unassigned role, though Full Administrator is the assigned role.
Workaround: If more than one role generate the same notification, it is sent from the role first enabled. Therefore, enable roles in the desired order.
Replication and export to another domain of IP Security Policies on Active Directory settings in a Universal Policy fail.
Issue: Replication and export to another domain of IP Security Policies on Active Directory settings in a Universal Policy fail.
Workaround: None. The system is working as designed.
Replication and export to another domain of non built-in and domain specific network settings in a Universal Policy fail.
Issue: Replication and export to another domain, of non built-in and domain specific Network List Manager settings and IP Security Policies on Active Directory settings respectively, in a Universal Policy fail. However, built-in and domain specific Network List Manager settings replicate and export successfully.
Workaround: None. The system is working as designed.
Unable to create or modify Automatic Certificate Request settings nor modify Enterprise Trust Public Key Policy settings
Issue: For Public Key Policies, you cannot:
- Create or modify Automatic Certificate Request settings
- Modify Enterprise Trust Public Key Policy settings
Workaround: Delete a given Enterprise Trust Public Key Policy setting and create a new one to replace it. Similarly, delete an existing Automatic Certificate Request setting and reimport from a GPO.
Unable to browse and import a Public Key Policy certificate
Issue: The Browse option does not work as expected to import a Public Key Policy certificate.
Workaround: Ensure the least privilege account (LPA) defined to access the domain and the UPA account used to log into the web console both, have permissions to access the share from which a Public Key Policy certificate is imported.
Unable to import Microsoft Serialized Certificate Store (.SST) files related to Public Key Policies in the web console
Issue: For Public Key Policies, the web console allows you to add a Certificate Trust List (CTL) to the Enterprise Trust store but not Microsoft Serialized Certificate Store (.SST) files.
Workaround: The web console allows import of an .STL file, the default option in GPEdit.
Unable to add a data recovery agent related to Public Key Policies in the web console
Issue: If you select Public Key Policies, the option to add a data recovery agent is not available, in the web console.
Workaround: Choose the option to import a certificate used by a recovery agent to proceed. This applies to both BitLocker Drive Encryption and Data protection policies.
Replication of Windows Defender Firewall settings do not allow for mapping of computer accounts
Issue: If you replicate a Windows Defender Firewall setting in another domain, you can map user accounts in the web console but not computer accounts.
Workaround: Manually modify desired computer accounts in the target Universal Policy, post replication.
Predefined rules not enabled by default in the web console
Issue: Predefined rules when added are not enabled by default in the web console, like in GPMC.
Workaround: If required, ensure the administrator modifies the rule to enable this setting in the web console.
Unable to add Startup and Shut down scripts to a Universal Policy in the web console
Issue: When you create a Universal Policy with Startup and Shut down scripts (both, normal and PowerShell), they are not saved and the Universal Policy does not list in the web console.
Workaround: Copy the Startup and Shut down scripts to the NetLogon folder on the domain controller before you attempt to add them to the Universal Policy. Ensure the least privilege account (LPA) defined to access the domain and the UPA account used to log into the web console both, have read access to the NetLogon folder. The system is working as designed.
Universal Policies with certain settings do not replicate properly in another domain
Issue: If a Universal Policy includes, one or both of the settings domain local policies and security–domain controller policies , you cannot map them in the UI when replicating the given Universal Policy in another domain.
Workaround: To modify these settings in the target Universal Policy, you must check it out and edit the settings in Administrative Templates\Security Settings\Local Policies\Security Options manually as follows:
- Domain Controller: Allow computer account re-use during domain join
- Domain Controller: Allow vulnerable NetLogon secure channel connections
The web console recreates an existing predefined rule to a Windows Defender firewall rule setting and does not replace it
Issue: Though the web console asserts it does not allow you to add an existing predefined rule to a Windows Defender firewall rule setting if attempted, it does allow and not replace.
Workaround: If you see the assertion in the web console, do not add a duplicate. In case you do, you must delete one of the two rules.