deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 20:33:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into siosulli-privacy-dpsw

Browse Source
This commit is contained in:
Sinead O'Sullivan
2021-06-18 12:03:32 +01:00
parent c307294265 1b4dfc703c
commit 93dc4e6d99
13 changed files with 131 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -2551,7 +2551,7 @@ The following list shows the CSPs supported in HoloLens devices:
[PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [RemoteFind CSP](remotefind-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup> | ![check mark](images/checkmark.png) |
| [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup> | ![check mark](images/checkmark.png) |
| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup> | ![check mark](images/checkmark.png) |
| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>10</sup> |
| [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
@ -2635,3 +2635,4 @@ The following list shows the CSPs supported in HoloLens devices:
- 8 - Added in Windows 10, version 2004.
- 9 - Added in Windows 10 Team 2020 Update.
- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2).

2
windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
View File

@ -128,7 +128,7 @@ Requirements:
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later.
>
> The default behavior for older releases is to revert to **User Credential**.
> **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device.
> **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop.
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."

46
windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
View File

@ -20,6 +20,7 @@ The EnterpriseDesktopAppManagement configuration service provider is used to han
Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example).
The following shows the EnterpriseDesktopAppManagement CSP in tree format.
```
./Device/Vendor/MSFT
EnterpriseDesktopAppManagement
@ -37,6 +38,7 @@ EnterpriseDesktopAppManagement
--------UpgradeCode
------------Guid
```
<a href="" id="--vendor-msft-enterprisedesktopappmanagement"></a>**./Device/Vendor/MSFT/EnterpriseDesktopAppManagement**
The root node for the EnterpriseDesktopAppManagement configuration service provider.
@ -194,15 +196,15 @@ The following table describes the fields in the previous sample:
The following table describes the fields in the previous sample:
| Name | Description |
|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application. |
| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. |
| Name | Description |
|--------|-----------------------|
| Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application.|
| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. |
| LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. |
**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to preceed the Exec command.**
**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to precede the Exec command.**
```xml
<SyncML xmlns="SYNCML:SYNCML1.1">
@ -292,7 +294,8 @@ The following table describes the fields in the previous sample:
> **Note**  Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at <https://technet.microsoft.com/library/cc759262(v=ws.10).aspx>.
> [!Note]
> Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx).
@ -401,7 +404,7 @@ The following table MsiInstallJob describes the schema elements.
<td>Command-line options to be used when calling MSIEXEC.exe</td>
</tr>
<tr class="even">
<td>Timeout</td>
<td>TimeOut</td>
<td>Amount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation.</td>
</tr>
<tr class="odd">
@ -550,21 +553,18 @@ Here's a list of references:
```xml
<Alert>
<CmdID>4</CmdID>
<Data>1224</Data>
<Item>
<Source>
<LocURI>./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{AF9257BA-6BBD-4624-AA9B-0182D50292C3}/DownloadInstall</LocURI>
</Source>
<Meta>
<Type xmlns="syncml:metinf">Reversed-Domain-Name:com.microsoft.mdm.win32csp_install</Type>
<Format xmlns="syncml:metinf">int</Format>
<Mark xmlns="syncml:metinf">informational</Mark>
</Meta>
<Data>0</Data>
</Item>
<CmdID>4</CmdID>
<Data>1224</Data>
<Item>
<Source>
<LocURI>./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{AF9257BA-6BBD-4624-AA9B-0182D50292C3}/DownloadInstall</LocURI>
</Source>
<Meta>
<Type xmlns="syncml:metinf">Reversed-Domain-Name:com.microsoft.mdm.win32csp_install</Type>
<Format xmlns="syncml:metinf">int</Format>
<Mark xmlns="syncml:metinf">informational</Mark>
</Meta>
<Data>0</Data>
</Item>
</Alert>
```

4
windows/client-management/mdm/policy-csp-storage.md
View File

@ -719,7 +719,7 @@ ADMX Info:
<!--/SupportedValues-->
<!--Example-->
Example for setting the device custom OMA-URI setting to enable this policy:
To deny write access to removable storage within Intunes custom profile, set OMA-URI to ```.\[device|user]\vendor\msft\policy\[config|result]\Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1.
To deny write access to removable storage within Intunes custom profile, set OMA-URI to ```./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1.
See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settings-windows-10) for information on how to create custom profiles.
<!--/Example-->
@ -740,4 +740,4 @@ Footnotes:
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->
<!--/Policies-->

2
windows/client-management/mdm/update-csp.md
View File

@ -17,7 +17,7 @@ ms.date: 02/23/2018
The Update configuration service provider enables IT administrators to manage and control the rollout of new updates.
> [!NOTE]
> The Update CSP functionality of 'AprrovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies.
> The Update CSP functionality of 'ApprovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies.
The following shows the Update configuration service provider in tree format.

8
windows/client-management/mdm/vpnv2-csp.md
View File

@ -390,6 +390,9 @@ Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile.
The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface.
> [!NOTE]
> Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT.
<a href="" id="vpnv2-profilename-domainnameinformationlist-dnirowid"></a>**VPNv2/**<em>ProfileName</em>**/DomainNameInformationList/**<em>dniRowId</em>
A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
@ -419,8 +422,8 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete.
<a href="" id="vpnv2-profilename-domainnameinformationlist-dnirowid-webproxyservers"></a>**VPNv2/**<em>ProfileName</em>**/DomainNameInformationList/**<em>dniRowId</em>**/WebProxyServers**
Optional. Web Proxy Server IP address if you are redirecting traffic through your intranet.
> [!NOTE]
> Currently only one web proxy server is supported.
> [!NOTE]
> Currently only one web proxy server is supported.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@ -1600,4 +1603,3 @@ Servers

2
windows/deployment/update/deployment-service-overview.md
View File

@ -125,7 +125,7 @@ Deployment scheduling controls are always available, but to take advantage of th
> Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect.
- Diagnostic data is set to *Required* or *Optional*.
- The **AllowWUfBCloudProcessing** policy is set to **1**.
- The **AllowWUfBCloudProcessing** policy is set to **8**.
#### Set the **AllowWUfBCloudProcessing** policy

4
windows/deployment/update/fod-and-lang-packs.md
View File

@ -18,6 +18,8 @@ ms.custom: seo-marvel-apr2020
> Applies to: Windows 10
In Windows 10 version 21H2, non-Administrator user accounts can add both a display language and its corresponding language features.
As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS.
The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions.
@ -28,4 +30,4 @@ In Windows 10 version 1809 and beyond, changing the **Specify settings for optio
For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/).
Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/).

73
windows/security/threat-protection/auditing/event-4771.md
View File

@ -166,13 +166,78 @@ The most common values:
> Table 6. Kerberos ticket flags.
- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the most common error codes for this event:
- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the error codes for this event as defined in [RFC 4120](https://tools.ietf.org/html/rfc4120#section-7.5.9):
| Code | Code Name | Description | Possible causes |
|------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesnt have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The users password has expired. |
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. |
| 0x0 | KDC\_ERR\_NONE | No error |
| 0x1 | KDC\_ERR\_NAME\_EXP | Client's entry in database has expired |
| 0x2 | KDC\_ERR\_SERVICE\_EXP | Server's entry in database has expired |
| 0x3 | KDC\_ERR\_BAD\_PVNO | Requested protocol version number not supported |
| 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key |
| 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key |
| 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database |
| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database |
| 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in database |
| 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key |
| 0xa | KDC\_ERR\_CANNOT\_POSTDATE | Ticket not eligible for postdating |
| 0xb | KDC\_ERR\_NEVER\_VALID | Requested starttime is later than end time |
| 0xc | KDC\_ERR\_POLICY | KDC policy rejects request |
| 0xd | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option |
| 0xe | KDC\_ERR\_ETYPE\_NOSUPP | KDC has no support for encryption type |
| 0xf | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type |
| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesnt have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
| 0x11 | KDC\_ERR\_TRTYPE\_NOSUPP | KDC has no support for transited type |
| 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Clients credentials have been revoked |
| 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked |
| 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked |
| 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid; try again later |
| 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid; try again later |
| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset |The users password has expired.
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid |The wrong password was provided.
| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required |
| 0x1a | KDC\_ERR\_SERVER\_NOMATCH | Requested server and ticket don't match |
| 0x1b | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only |
| 0x1c | KDC\_ERR\_PATH\_NOT\_ACCEPTED | KDC Policy rejects transited path |
| 0x1d | KDC\_ERR\_SVC\_UNAVAILABLE | A service is not available |
| 0x1f | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed |
| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | Ticket expired |
| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | Ticket not yet valid |
| 0x22 | KRB\_AP\_ERR\_REPEAT | Request is a replay |
| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket isn't for us |
| 0x24 | KRB\_AP\_ERR\_BADMATCH | Ticket and authenticator don't match |
| 0x25 | KRB\_AP\_ERR\_SKEW | Clock skew too great |
| 0x26 | KRB\_AP\_ERR\_BADADDR | Incorrect net address |
| 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version mismatch |
| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Invalid msg type |
| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified |
| 0x2a | KRB\_AP\_ERR\_BADORDER | Message out of order |
| 0x2c | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available |
| 0x2d | KRB\_AP\_ERR\_NOKEY | Service key not available |
| 0x2e | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed |
| 0x2f | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction |
| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required |
| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message |
| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message |
| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Policy rejects transited path |
| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Response too big for UDP; retry with TCP |
| 0x3c | KRB\_ERR\_GENERIC | Generic error (description in e-text) |
| 0x3d | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation |
| 0x3e | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED | Reserved for PKINIT |
| 0x3f | KDC\_ERROR\_KDC\_NOT\_TRUSTED | Reserved for PKINIT |
| 0x40 | KDC\_ERROR\_INVALID\_SIG | Reserved for PKINIT |
| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | Reserved for PKINIT |
| 0x42 | KDC\_ERR\_CERTIFICATE\_MISMATCH | Reserved for PKINIT |
| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT available to validate USER-TO-USER |
| 0x44 | KDC\_ERR\_WRONG\_REALM | Reserved for future use |
| 0x45 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | Ticket must be for USER-TO-USER |
| 0x46 | KDC\_ERR\_CANT\_VERIFY\_CERTIFICATE | Reserved for PKINIT |
| 0x47 | KDC\_ERR\_INVALID\_CERTIFICATE | Reserved for PKINIT |
| 0x48 | KDC\_ERR\_REVOKED\_CERTIFICATE | Reserved for PKINIT |
| 0x49 | KDC\_ERR\_REVOCATION\_STATUS\_UNKNOWN | Reserved for PKINIT |
| 0x4a | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT |
| 0x4b | KDC\_ERR\_CLIENT\_NAME\_MISMATCH | Reserved for PKINIT |
| 0x4c | KDC\_ERR\_KDC\_NAME\_MISMATCH | Reserved for PKINIT |
- **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)) type that was used in TGT request.

17
windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
View File

@ -9,7 +9,7 @@ metadata:
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 05/12/2021
ms.date: 06/16/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -36,7 +36,18 @@ sections:
`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.)
`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)
- question: |
My network configuration uses a proxy and Im running into a “Cannot resolve External URLs from MDAG Browser: Error: err_connection_refused”. How do I resolve that?
answer: |
The manual or PAC server must be a hostname (not IP) that is neutral on the site-list. Additionally, if the PAC script returns a proxy, it must meet those same requirements.
To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can:
- Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”.
- It must be a FQDN. A simple IP address will not work.
- Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard.
- question: |
Can employees download documents from the Application Guard Edge session onto host devices?
answer: |
@ -232,4 +243,4 @@ additionalContent: |
## See also
[Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md)
[Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md)

6
windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
View File

@ -101,7 +101,11 @@ To deploy policies locally using the new multiple policy format, follow these st
### Deploying multiple policies via ApplicationControl CSP
Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability.
Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.<br>
However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability.
> [!NOTE]
> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies.

3
windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
View File

@ -109,7 +109,8 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
> When you create WDAC policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
> [!NOTE]
> WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits.
> - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits.
> - The code uses CN for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format to ensure UTF-8 is not being used for the CN. For example, you can use printable string, IA5, or BMP.
## Example of file rule levels in use

6
windows/whats-new/whats-new-windows-10-version-21H1.md
View File

@ -47,7 +47,7 @@ For a full list of what's new in Microsoft Intune, see [What's new in Microsoft
### Windows Assessment and Deployment Toolkit (ADK)
There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
## Device management
@ -60,7 +60,7 @@ Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a perf
WDAG performance is improved with optimized document opening times:
- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (WDAG) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link.
- A memory issue is fixed that could casue a WDAG container to use almost 1 GB of working set memory when the container is idle.
- A memory issue is fixed that could cause a WDAG container to use almost 1 GB of working set memory when the container is idle.
- The performance of Robocopy is improved when copying files over 400 MB in size.
### Windows Hello
@ -136,4 +136,4 @@ This release includes the following enhancements and issues fixed:
[What's New in Windows 10](./index.yml): See whats new in other versions of Windows 10.<br>
[Announcing more ways were making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.<br>
[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.<br>
[Windows 10 features were no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.<br>
[Windows 10 features were no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.<br>