Merge pull request #5301 from MicrosoftDocs/master

Publish 06/17/2021, 10:30 AM
Diana Hanson
2021-06-17 11:35:20 -06:00
committed by GitHub
11 changed files with 94 additions and 19 deletions

View File

@ -2551,7 +2551,7 @@ The following list shows the CSPs supported in HoloLens devices:
[PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [RemoteFind CSP](remotefind-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup> | ![check mark](images/checkmark.png) |
| [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup> | ![check mark](images/checkmark.png) |
| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup> | ![check mark](images/checkmark.png) |
| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>10</sup> |
| [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
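Review bot: the parenthetical added to the RemoteWipe row breaks the table's own convention of putting scope qualifiers in numbered footnotes (this row already carries `<sup>4</sup>`, and the TenantLockdown row uses `<sup>10</sup>`), and "doWipe and doWipePersistProvisionedData nodes only" leaves the reader guessing what a HoloLens device does when a management server sends one of the other RemoteWipe nodes. Suggest moving the qualifier into a new footnote and stating there whether the unsupported nodes return an error or are silently ignored; an admin who is relying on a remote wipe actually completing needs that distinction.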
@ -2635,3 +2635,4 @@ The following list shows the CSPs supported in HoloLens devices:
- 8 - Added in Windows 10, version 2004.
- 9 - Added in Windows 10 Team 2020 Update.
- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2).

View File

@ -128,7 +128,7 @@ Requirements:
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later.
>
> The default behavior for older releases is to revert to **User Credential**.
> **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device.
> **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop.
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
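Review bot: the two sentences added at the end of the note contradict each other as written: the first says **Device Credential** isn't supported when a ConfigMgr agent is on the device, the second says it is supported for Intune enrollment in Co-management scenarios, and co-management by definition means the ConfigMgr agent is installed alongside Intune. State the rule once, for example "**Device Credential** is supported only for Microsoft Intune enrollment in co-management or Azure Virtual Desktop scenarios; it is not supported with a standalone ConfigMgr agent." Also, "is not supported for enrollment type when" is ungrammatical ("is not a supported enrollment type when"), and because the three sentences sit in one blockquote without a separating `>` line they will render as a single run-on paragraph; split them with `>` lines as is already done after the first sentence.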

View File

@ -719,7 +719,7 @@ ADMX Info:
<!--/SupportedValues-->
<!--Example-->
Example for setting the device custom OMA-URI setting to enable this policy:
To deny write access to removable storage within Intunes custom profile, set OMA-URI to ```.\[device|user]\vendor\msft\policy\[config|result]\Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1.
To deny write access to removable storage within Intunes custom profile, set OMA-URI to ```./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1.
See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settings-windows-10) for information on how to create custom profiles.
<!--/Example-->
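Review bot: the corrected OMA-URI is the real fix here (the old value used backslashes and `[device|user]` / `[config|result]` placeholders that can't be pasted into an Intune custom profile as-is), but the replacement line keeps two smaller defects worth fixing in the same change: "Intunes" should be "Intune's", and triple backticks are used for an inline code span where a single backtick is the inline form. Stating which scope the policy supports (`./Device` only, or `./User` as well) would also remove the ambiguity the old `[device|user]` placeholder left behind.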
@ -740,4 +740,4 @@ Footnotes:
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->
<!--/Policies-->
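Review bot: `<!--/Policies-->` appears twice in this hunk with no visible difference between the lines, which usually means a trailing-whitespace or end-of-file newline change; please confirm the file ends with a single `<!--/Policies-->` marker, because a duplicated closing comment would unbalance the `<!--Policies-->` block that the footnotes sit in.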

View File

@ -17,7 +17,7 @@ ms.date: 02/23/2018
The Update configuration service provider enables IT administrators to manage and control the rollout of new updates.
> [!NOTE]
> The Update CSP functionality of 'AprrovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies.
> The Update CSP functionality of 'ApprovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies.
The following shows the Update configuration service provider in tree format.

View File

@ -390,6 +390,9 @@ Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile.
The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface.
> [!NOTE]
> Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT.
<a href="" id="vpnv2-profilename-domainnameinformationlist-dnirowid"></a>**VPNv2/**<em>ProfileName</em>**/DomainNameInformationList/**<em>dniRowId</em>
A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
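Review bot: the cmdlet is `Resolve-DnsName` (the link slug is right, the display text isn't), and "CmdLet" should be "cmdlet". The first sentence also reads as if NRPT support "therefore" configures the DomainNameInformationList; what's meant is that only callers of the Windows DNS API honour the NRPT, and therefore only they honour the DomainNameInformationList settings, so rephrase along those lines. The nslookup caveat is a useful operational check and deserves one more sentence: a name that resolves through `Resolve-DnsName` but not through nslookup is the NRPT working, not a failure. Finally, make sure a blank line separates the end of the note from the `<a href="" id="vpnv2-profilename-domainnameinformationlist-dnirowid">` line that follows; without one, Markdown treats that line as a lazy continuation of the blockquote and the node heading ends up inside the note.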
@ -419,8 +422,8 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete.
<a href="" id="vpnv2-profilename-domainnameinformationlist-dnirowid-webproxyservers"></a>**VPNv2/**<em>ProfileName</em>**/DomainNameInformationList/**<em>dniRowId</em>**/WebProxyServers**
Optional. Web Proxy Server IP address if you are redirecting traffic through your intranet.
> [!NOTE]
> Currently only one web proxy server is supported.
> [!NOTE]
> Currently only one web proxy server is supported.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
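Review bot: the note says only one web proxy server is supported while the node it sits under is named **WebProxyServers** (plural); say what happens if more than one address is supplied (the value is rejected, or only the first entry is used) so admins don't assume a failover list is in effect. The duplicated NOTE block in this hunk looks like a whitespace-only change; fine if so, but check that only one copy remains in the file.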
@ -1600,4 +1603,3 @@ Servers

View File

@ -125,7 +125,7 @@ Deployment scheduling controls are always available, but to take advantage of th
> Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect.
- Diagnostic data is set to *Required* or *Optional*.
- The **AllowWUfBCloudProcessing** policy is set to **1**.
- The **AllowWUfBCloudProcessing** policy is set to **8**.
#### Set the **AllowWUfBCloudProcessing** policy
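Review bot: the value for **AllowWUfBCloudProcessing** changes from **1** to **8** in this bullet only; the "Set the **AllowWUfBCloudProcessing** policy" section immediately below presumably spells out the value an admin actually sets, so make sure it says 8 as well or the two will disagree. Since this region is being touched, "on a a device" in the preview note above is a doubled word.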

View File

@ -18,6 +18,8 @@ ms.custom: seo-marvel-apr2020
> Applies to: Windows 10
In Windows 10 version 21H2, non-Administrator user accounts can add both a display language and its corresponding language features.
As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS.
The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions.
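Review bot: the new 21H2 sentence about non-Administrator accounts adding display languages is dropped directly under "Applies to" and ahead of the paragraph that starts the version history at 1709, so it reads out of sequence; move it to follow the 1809 paragraph so the section stays in version order. It also changes who can trigger a language-pack or FOD download (standard users, not just administrators), so it's worth saying whether the **Specify settings for optional component installation and component repair** policy still governs where those non-admin requests are sourced from; that is the first question an admin who has pointed the policy at an internal share will ask.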
@ -28,4 +30,4 @@ In Windows 10 version 1809 and beyond, changing the **Specify settings for optio
For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/).
Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/).

View File

@ -166,13 +166,78 @@ The most common values:
> Table 6. Kerberos ticket flags.
- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the most common error codes for this event:
- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the error codes for this event as defined in [RFC 4120](https://tools.ietf.org/html/rfc4120#section-7.5.9):
| Code | Code Name | Description | Possible causes |
|------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesnt have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The users password has expired. |
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. |
| 0x0 | KDC\_ERR\_NONE | No error |
| 0x1 | KDC\_ERR\_NAME\_EXP | Client's entry in database has expired |
| 0x2 | KDC\_ERR\_SERVICE\_EXP | Server's entry in database has expired |
| 0x3 | KDC\_ERR\_BAD\_PVNO | Requested protocol version number not supported |
| 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key |
| 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key |
| 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database |
| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database |
| 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in database |
| 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key |
| 0xa | KDC\_ERR\_CANNOT\_POSTDATE | Ticket not eligible for postdating |
| 0xb | KDC\_ERR\_NEVER\_VALID | Requested starttime is later than end time |
| 0xc | KDC\_ERR\_POLICY | KDC policy rejects request |
| 0xd | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option |
| 0xe | KDC\_ERR\_ETYPE\_NOSUPP | KDC has no support for encryption type |
| 0xf | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type |
| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesnt have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
| 0x11 | KDC\_ERR\_TRTYPE\_NOSUPP | KDC has no support for transited type |
| 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Clients credentials have been revoked |
| 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked |
| 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked |
| 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid; try again later |
| 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid; try again later |
| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset |The users password has expired.
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid |The wrong password was provided.
| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required |
| 0x1a | KDC\_ERR\_SERVER\_NOMATCH | Requested server and ticket don't match |
| 0x1b | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only |
| 0x1c | KDC\_ERR\_PATH\_NOT\_ACCEPTED | KDC Policy rejects transited path |
| 0x1d | KDC\_ERR\_SVC\_UNAVAILABLE | A service is not available |
| 0x1f | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed |
| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | Ticket expired |
| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | Ticket not yet valid |
| 0x22 | KRB\_AP\_ERR\_REPEAT | Request is a replay |
| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket isn't for us |
| 0x24 | KRB\_AP\_ERR\_BADMATCH | Ticket and authenticator don't match |
| 0x25 | KRB\_AP\_ERR\_SKEW | Clock skew too great |
| 0x26 | KRB\_AP\_ERR\_BADADDR | Incorrect net address |
| 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version mismatch |
| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Invalid msg type |
| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified |
| 0x2a | KRB\_AP\_ERR\_BADORDER | Message out of order |
| 0x2c | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available |
| 0x2d | KRB\_AP\_ERR\_NOKEY | Service key not available |
| 0x2e | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed |
| 0x2f | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction |
| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required |
| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message |
| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message |
| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Policy rejects transited path |
| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Response too big for UDP; retry with TCP |
| 0x3c | KRB\_ERR\_GENERIC | Generic error (description in e-text) |
| 0x3d | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation |
| 0x3e | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED | Reserved for PKINIT |
| 0x3f | KDC\_ERROR\_KDC\_NOT\_TRUSTED | Reserved for PKINIT |
| 0x40 | KDC\_ERROR\_INVALID\_SIG | Reserved for PKINIT |
| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | Reserved for PKINIT |
| 0x42 | KDC\_ERR\_CERTIFICATE\_MISMATCH | Reserved for PKINIT |
| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT available to validate USER-TO-USER |
| 0x44 | KDC\_ERR\_WRONG\_REALM | Reserved for future use |
| 0x45 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | Ticket must be for USER-TO-USER |
| 0x46 | KDC\_ERR\_CANT\_VERIFY\_CERTIFICATE | Reserved for PKINIT |
| 0x47 | KDC\_ERR\_INVALID\_CERTIFICATE | Reserved for PKINIT |
| 0x48 | KDC\_ERR\_REVOKED\_CERTIFICATE | Reserved for PKINIT |
| 0x49 | KDC\_ERR\_REVOCATION\_STATUS\_UNKNOWN | Reserved for PKINIT |
| 0x4a | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT |
| 0x4b | KDC\_ERR\_CLIENT\_NAME\_MISMATCH | Reserved for PKINIT |
| 0x4c | KDC\_ERR\_KDC\_NAME\_MISMATCH | Reserved for PKINIT |
- **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)) type that was used in TGT request.
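Review bot: the header row declares four columns (Code, Code Name, Description, Possible causes) but most of the new rows have only three cells, and the 0x10, 0x17, and 0x18 rows drop the trailing `|` and the spaces around `|` that the other rows use; Markdown will still render, but normalize every row to `| code | name | description | causes |` for consistency. Apostrophes are missing in "doesnt", "Clients credentials", and "The users password". Since the introductory sentence now promises the full RFC 4120 list instead of "the most common" codes, consider also filling the Possible causes column for 0x6 (Client not found in Kerberos database: the user name doesn't exist, typically a typo or a stale account reference) and 0x12 (Clients credentials have been revoked: the account is disabled, expired, or locked out), because together with 0x18 those are the failure codes an analyst triages most often in this event.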

View File

@ -101,7 +101,11 @@ To deploy policies locally using the new multiple policy format, follow these st
### Deploying multiple policies via ApplicationControl CSP
Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability.
Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.<br>
However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability.
> [!NOTE]
> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies.
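Review bot: the new paragraph warns that un-enrolling from MDM makes the CSP remove every WDAC policy on the device, including policies it didn't deploy, but stops short of telling the reader what to do about it; add the operational guidance (expect policies deployed through other channels to be removed on un-enrollment and plan to redeploy them) so the warning is actionable. Two wording points: "even though it will query all policies" uses the wrong connective, since enumerating all policies is part of the cause rather than a contrast ("and it enumerates all policies on the device, regardless of how they were deployed"); and "regardless if" should be "regardless of whether". Prefer a blank line over the trailing `<br>` for the paragraph break.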

View File

@ -109,7 +109,8 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
> When you create WDAC policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
> [!NOTE]
> WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits.
> - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits.
> - The code uses CN for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format to ensure UTF-8 is not being used for the CN. For example, you can use printable string, IA5, or BMP.
## Example of file rule levels in use
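Review bot: "The code uses CN for the CertSubject and CertIssuer fields" is vague about which code is meant (the policy-generation tooling?), and "UTF-8 ... printable string, IA5, or BMP" mixes an encoding with ASN.1 string types; name them as `UTF8String`, `PrintableString`, `IA5String`, and `BMPString` so a reader can match them against a certificate dump. It would also help to give the certutil invocation that exposes the string type, for example `certutil -asn <cert.cer>`, since "look at the underlying format" doesn't tell the reader which switch does that.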

View File

@ -47,7 +47,7 @@ For a full list of what's new in Microsoft Intune, see [What's new in Microsoft
### Windows Assessment and Deployment Toolkit (ADK)
There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
## Device management
@ -60,7 +60,7 @@ Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a perf
WDAG performance is improved with optimized document opening times:
- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (WDAG) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link.
- A memory issue is fixed that could casue a WDAG container to use almost 1 GB of working set memory when the container is idle.
- A memory issue is fixed that could cause a WDAG container to use almost 1 GB of working set memory when the container is idle.
- The performance of Robocopy is improved when copying files over 400 MB in size.
### Windows Hello
@ -136,4 +136,4 @@ This release includes the following enhancements and issues fixed:
[What's New in Windows 10](./index.yml): See whats new in other versions of Windows 10.<br>
[Announcing more ways were making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.<br>
[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.<br>
[Windows 10 features were no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.<br>
[Windows 10 features were no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.<br>
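Review bot: the two lines in this hunk are identical, so this is presumably a whitespace or end-of-file fix; while touching it, correct "were" to "we're" in "Windows 10 features we're no longer developing" and, in the context line above, "whats new" to "what's new", since both are visible in this hunk.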