mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-20 12:53:38 +00:00
Merge branch 'master' into siosulli-privacy-dpsw
@ -2551,7 +2551,7 @@ The following list shows the CSPs supported in HoloLens devices:
|
|||||||
[PassportForWork CSP](passportforwork-csp.md) |  |  |  |
|
[PassportForWork CSP](passportforwork-csp.md) |  |  |  |
|
||||||
| [Policy CSP](policy-configuration-service-provider.md) |  |  |  |
|
| [Policy CSP](policy-configuration-service-provider.md) |  |  |  |
|
||||||
| [RemoteFind CSP](remotefind-csp.md) |  |  <sup>4</sup> |  |
|
| [RemoteFind CSP](remotefind-csp.md) |  |  <sup>4</sup> |  |
|
||||||
| [RemoteWipe CSP](remotewipe-csp.md) |  |  <sup>4</sup> |  |
|
| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) |  |  <sup>4</sup> |  |
|
||||||
| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) |  |  |  |
|
| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) |  |  |  |
|
||||||
| [TenantLockdown CSP](tenantlockdown-csp.md) |  |  |  <sup>10</sup> |
|
| [TenantLockdown CSP](tenantlockdown-csp.md) |  |  |  <sup>10</sup> |
|
||||||
| [Update CSP](update-csp.md) |  |  |  |
|
| [Update CSP](update-csp.md) |  |  |  |
|
||||||
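Review bot: the new qualifier on the RemoteWipe CSP row limits HoloLens support to the doWipe and doWipePersistProvisionedData nodes but does not say how a request to any other RemoteWipe node is handled on HoloLens (rejected with an error, or silently ignored); add that, and make the same restriction in remotewipe-csp.md so the two pages agree. Footnote 4 stays on the row, so confirm it still applies to both listed nodes.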
@ -2635,3 +2635,4 @@ The following list shows the CSPs supported in HoloLens devices:
|
|||||||
- 8 - Added in Windows 10, version 2004.
|
- 8 - Added in Windows 10, version 2004.
|
||||||
- 9 - Added in Windows 10 Team 2020 Update.
|
- 9 - Added in Windows 10 Team 2020 Update.
|
||||||
- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2).
|
- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2).
|
||||||
|
|
||||||
|
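Review bot: the only addition here is a trailing blank line after footnote 10; drop it unless an end-of-file newline is required by the repo's markdown lint, so the diff stays limited to the RemoteWipe change above.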
@ -128,7 +128,7 @@ Requirements:
|
|||||||
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later.
|
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later.
|
||||||
>
|
>
|
||||||
> The default behavior for older releases is to revert to **User Credential**.
|
> The default behavior for older releases is to revert to **User Credential**.
|
||||||
> **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device.
|
> **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop.
|
||||||
|
|
||||||
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
|
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
|
||||||
|
|
||||||
|
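Review bot: the rewritten last note line swaps an exclusion (not supported with a ConfigMgr agent) for an allow-list (Intune enrollment with co-management or Azure Virtual Desktop) without saying what happens outside it; state whether selecting Device Credential on an unsupported configuration falls back to User Credential, as the preceding line says older clients do, or fails enrollment, because an admin reading this will otherwise assume the ConfigMgr case is still the only exclusion. Unchanged context: the quoted task name starts with a stray space inside the quotes (`" Schedule created by ...`), which looks like a typo and will trip anyone searching Task Scheduler for the exact string.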
@ -20,6 +20,7 @@ The EnterpriseDesktopAppManagement configuration service provider is used to han
|
|||||||
Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example).
|
Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example).
|
||||||
|
|
||||||
The following shows the EnterpriseDesktopAppManagement CSP in tree format.
|
The following shows the EnterpriseDesktopAppManagement CSP in tree format.
|
||||||
|
|
||||||
```
|
```
|
||||||
./Device/Vendor/MSFT
|
./Device/Vendor/MSFT
|
||||||
EnterpriseDesktopAppManagement
|
EnterpriseDesktopAppManagement
|
||||||
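Review bot: the added blank line before the tree-format fence is fine, but while touching this block, give the bare ``` fence a language tag (the SyncML samples further down use ```xml) so the renderer does not guess at highlighting for the node tree.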
@ -37,6 +38,7 @@ EnterpriseDesktopAppManagement
|
|||||||
--------UpgradeCode
|
--------UpgradeCode
|
||||||
------------Guid
|
------------Guid
|
||||||
```
|
```
|
||||||
|
|
||||||
<a href="" id="--vendor-msft-enterprisedesktopappmanagement"></a>**./Device/Vendor/MSFT/EnterpriseDesktopAppManagement**
|
<a href="" id="--vendor-msft-enterprisedesktopappmanagement"></a>**./Device/Vendor/MSFT/EnterpriseDesktopAppManagement**
|
||||||
The root node for the EnterpriseDesktopAppManagement configuration service provider.
|
The root node for the EnterpriseDesktopAppManagement configuration service provider.
|
||||||
|
|
||||||
@ -195,14 +197,14 @@ The following table describes the fields in the previous sample:
|
|||||||
The following table describes the fields in the previous sample:
|
The following table describes the fields in the previous sample:
|
||||||
|
|
||||||
| Name | Description |
|
| Name | Description |
|
||||||
|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|--------|-----------------------|
|
||||||
| Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application.|
|
| Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application.|
|
||||||
| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. |
|
| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. |
|
||||||
| LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. |
|
| LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. |
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to preceed the Exec command.**
|
**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to precede the Exec command.**
|
||||||
|
|
||||||
```xml
|
```xml
|
||||||
<SyncML xmlns="SYNCML:SYNCML1.1">
|
<SyncML xmlns="SYNCML:SYNCML1.1">
|
||||||
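Review bot: 'preceed' to 'precede' is right and the shortened separator row is harmless, but the unchanged LocURI row says the Product ID is 'escaped for XML formatting'; the braces around a GUID in a LocURI need URI percent-encoding ({ and } as %7B and %7D), not XML escaping, so check that wording against the SyncML sample above. The Add-before-Exec requirement in the new caption is the kind of constraint that also belongs in the node description, not only in a sample caption.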
@ -292,7 +294,8 @@ The following table describes the fields in the previous sample:
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
> **Note** Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at <https://technet.microsoft.com/library/cc759262(v=ws.10).aspx>.
|
> [!Note]
|
||||||
|
> Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
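Review bot: use `> [!NOTE]` (uppercase) for the alert, matching the other files in this commit (the Update CSP and WDAC pages use that form); `[!Note]` is inconsistent here. The percent-encoded parentheses in the TechNet URL are the right fix for the Markdown link. Since the status is 'represented using standard MSIEXEC return codes as HRESULT', one concrete mapping (for example how 1603, ERROR_INSTALL_FAILURE, appears in the alert) would let a reader recognise the value in the OMA-DM status.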
@ -401,7 +404,7 @@ The following table MsiInstallJob describes the schema elements.
|
|||||||
<td>Command-line options to be used when calling MSIEXEC.exe</td>
|
<td>Command-line options to be used when calling MSIEXEC.exe</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td>Timeout</td>
|
<td>TimeOut</td>
|
||||||
<td>Amount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation.</td>
|
<td>Amount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
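Review bot: Timeout to TimeOut is a case change to an XML element name, and XML element names are case-sensitive, so confirm it matches the MsiInstallJob schema and the spelling used in the SyncML sample earlier in the page; the sample is what people copy, and a mismatched spelling is a different element to the parser. The description should also say what status the client reports when the timeout elapses, since 'no longer monitors the installation operation' leaves the resulting alert code unspecified.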
@ -565,6 +568,3 @@ Here's a list of references:
|
|||||||
</Item>
|
</Item>
|
||||||
</Alert>
|
</Alert>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -719,7 +719,7 @@ ADMX Info:
|
|||||||
<!--/SupportedValues-->
|
<!--/SupportedValues-->
|
||||||
<!--Example-->
|
<!--Example-->
|
||||||
Example for setting the device custom OMA-URI setting to enable this policy:
|
Example for setting the device custom OMA-URI setting to enable this policy:
|
||||||
To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```.\[device|user]\vendor\msft\policy\[config|result]\Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1.
|
To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1.
|
||||||
|
|
||||||
See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settings-windows-10) for information on how to create custom profiles.
|
See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settings-windows-10) for information on how to create custom profiles.
|
||||||
<!--/Example-->
|
<!--/Example-->
|
||||||
|
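Review bot: good fix; the old value mixed a placeholder pattern (`.\[device|user]\...\[config|result]`) into what reads as a copy-paste OMA-URI, and `./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess` is the real device-scope path. Two follow-ups: use single backticks for the inline path (triple backticks inline are legal but inconsistent with the rest of the page), and since the old text offered `result` as an alternative, add one clause saying the Policy/Result branch is read-only reporting and not a target for a custom profile.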
@ -17,7 +17,7 @@ ms.date: 02/23/2018
|
|||||||
The Update configuration service provider enables IT administrators to manage and control the rollout of new updates.
|
The Update configuration service provider enables IT administrators to manage and control the rollout of new updates.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> The Update CSP functionality of 'AprrovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies.
|
> The Update CSP functionality of 'ApprovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies.
|
||||||
|
|
||||||
The following shows the Update configuration service provider in tree format.
|
The following shows the Update configuration service provider in tree format.
|
||||||
|
|
||||||
|
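Review bot: the typo fix is correct; put the node name in backticks (`ApprovedUpdates`) rather than single quotes, as the CSP pages do for node names, and check that the link text 'Policy CSP - Updates' matches the title of policy-csp-update.md (the file name suggests 'Update').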
@ -390,6 +390,9 @@ Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile.
|
|||||||
|
|
||||||
The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface.
|
The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface.
|
||||||
|
|
||||||
|
> [!NOTE]
|
||||||
|
> Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT.
|
||||||
|
|
||||||
<a href="" id="vpnv2-profilename-domainnameinformationlist-dnirowid"></a>**VPNv2/**<em>ProfileName</em>**/DomainNameInformationList/**<em>dniRowId</em>
|
<a href="" id="vpnv2-profilename-domainnameinformationlist-dnirowid"></a>**VPNv2/**<em>ProfileName</em>**/DomainNameInformationList/**<em>dniRowId</em>
|
||||||
A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
|
A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
|
||||||
|
|
||||||
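Review bot: the new note should name the verification cmdlet precisely: it is `Resolve-DnsName` (that casing) and 'cmdlet' is lowercase; `Get-DnsClientNrptPolicy` shows the effective NRPT rows, which is the direct check that a DomainNameInformationList entry landed, and belongs here alongside the resolution test. 'Applications using their own DNS implementation bypass the Windows DNS API' would read better as 'bypass the NRPT because they do not go through the Windows DNS API', and it is worth one clause saying that nslookup sends queries straight to the server it is given, which is why its results say nothing about how the VPN profile routes DNS.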
@ -1600,4 +1603,3 @@ Servers
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -125,7 +125,7 @@ Deployment scheduling controls are always available, but to take advantage of th
|
|||||||
> Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect.
|
> Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect.
|
||||||
|
|
||||||
- Diagnostic data is set to *Required* or *Optional*.
|
- Diagnostic data is set to *Required* or *Optional*.
|
||||||
- The **AllowWUfBCloudProcessing** policy is set to **1**.
|
- The **AllowWUfBCloudProcessing** policy is set to **8**.
|
||||||
|
|
||||||
#### Set the **AllowWUfBCloudProcessing** policy
|
#### Set the **AllowWUfBCloudProcessing** policy
|
||||||
|
|
||||||
|
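Review bot: changing the required AllowWUfBCloudProcessing value from 1 to 8 is a silent correction of a non-obvious value; a reader who set 1 following the old text gets no effect, so state next to the value where 8 is defined (the Policy CSP System/AllowWUfBCloudProcessing entry) and make sure the '#### Set the AllowWUfBCloudProcessing policy' steps below use 8 as well. Unchanged context: 'on a a device' in the note has a doubled word.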
@ -18,6 +18,8 @@ ms.custom: seo-marvel-apr2020
|
|||||||
|
|
||||||
> Applies to: Windows 10
|
> Applies to: Windows 10
|
||||||
|
|
||||||
|
In Windows 10 version 21H2, non-Administrator user accounts can add both a display language and its corresponding language features.
|
||||||
|
|
||||||
As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS.
|
As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS.
|
||||||
|
|
||||||
The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions.
|
The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions.
|
||||||
|
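Review bot: the new sentence describes a change in who can install language features (standard users, not only administrators) but leaves the scope open: say 'Starting with Windows 10, version 21H2' if it applies to later releases too, match the 'As of Windows 10 version 1709' phrasing used two lines down, and say whether the acquisition-source policy described below still governs where those users' downloads come from, since that is the control an admin will ask about once standard users can trigger package downloads.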
@ -166,13 +166,78 @@ The most common values:
|
|||||||
|
|
||||||
> Table 6. Kerberos ticket flags.
|
> Table 6. Kerberos ticket flags.
|
||||||
|
|
||||||
- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the most common error codes for this event:
|
- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the error codes for this event as defined in [RFC 4120](https://tools.ietf.org/html/rfc4120#section-7.5.9):
|
||||||
|
|
||||||
| Code | Code Name | Description | Possible causes |
|
| Code | Code Name | Description | Possible causes |
|
||||||
|------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
|------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||||
| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
|
| 0x0 | KDC\_ERR\_NONE | No error |
|
||||||
| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired. |
|
| 0x1 | KDC\_ERR\_NAME\_EXP | Client's entry in database has expired |
|
||||||
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. |
|
| 0x2 | KDC\_ERR\_SERVICE\_EXP | Server's entry in database has expired |
|
||||||
|
| 0x3 | KDC\_ERR\_BAD\_PVNO | Requested protocol version number not supported |
|
||||||
|
| 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key |
|
||||||
|
| 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key |
|
||||||
|
| 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database |
|
||||||
|
| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database |
|
||||||
|
| 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in database |
|
||||||
|
| 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key |
|
||||||
|
| 0xa | KDC\_ERR\_CANNOT\_POSTDATE | Ticket not eligible for postdating |
|
||||||
|
| 0xb | KDC\_ERR\_NEVER\_VALID | Requested starttime is later than end time |
|
||||||
|
| 0xc | KDC\_ERR\_POLICY | KDC policy rejects request |
|
||||||
|
| 0xd | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option |
|
||||||
|
| 0xe | KDC\_ERR\_ETYPE\_NOSUPP | KDC has no support for encryption type |
|
||||||
|
| 0xf | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type |
|
||||||
|
| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
|
||||||
|
| 0x11 | KDC\_ERR\_TRTYPE\_NOSUPP | KDC has no support for transited type |
|
||||||
|
| 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Clients credentials have been revoked |
|
||||||
|
| 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked |
|
||||||
|
| 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked |
|
||||||
|
| 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid; try again later |
|
||||||
|
| 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid; try again later |
|
||||||
|
| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset |The user’s password has expired.
|
||||||
|
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid |The wrong password was provided.
|
||||||
|
| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required |
|
||||||
|
| 0x1a | KDC\_ERR\_SERVER\_NOMATCH | Requested server and ticket don't match |
|
||||||
|
| 0x1b | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only |
|
||||||
|
| 0x1c | KDC\_ERR\_PATH\_NOT\_ACCEPTED | KDC Policy rejects transited path |
|
||||||
|
| 0x1d | KDC\_ERR\_SVC\_UNAVAILABLE | A service is not available |
|
||||||
|
| 0x1f | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed |
|
||||||
|
| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | Ticket expired |
|
||||||
|
| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | Ticket not yet valid |
|
||||||
|
| 0x22 | KRB\_AP\_ERR\_REPEAT | Request is a replay |
|
||||||
|
| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket isn't for us |
|
||||||
|
| 0x24 | KRB\_AP\_ERR\_BADMATCH | Ticket and authenticator don't match |
|
||||||
|
| 0x25 | KRB\_AP\_ERR\_SKEW | Clock skew too great |
|
||||||
|
| 0x26 | KRB\_AP\_ERR\_BADADDR | Incorrect net address |
|
||||||
|
| 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version mismatch |
|
||||||
|
| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Invalid msg type |
|
||||||
|
| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified |
|
||||||
|
| 0x2a | KRB\_AP\_ERR\_BADORDER | Message out of order |
|
||||||
|
| 0x2c | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available |
|
||||||
|
| 0x2d | KRB\_AP\_ERR\_NOKEY | Service key not available |
|
||||||
|
| 0x2e | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed |
|
||||||
|
| 0x2f | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction |
|
||||||
|
| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required |
|
||||||
|
| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message |
|
||||||
|
| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message |
|
||||||
|
| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Policy rejects transited path |
|
||||||
|
| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Response too big for UDP; retry with TCP |
|
||||||
|
| 0x3c | KRB\_ERR\_GENERIC | Generic error (description in e-text) |
|
||||||
|
| 0x3d | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation |
|
||||||
|
| 0x3e | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED | Reserved for PKINIT |
|
||||||
|
| 0x3f | KDC\_ERROR\_KDC\_NOT\_TRUSTED | Reserved for PKINIT |
|
||||||
|
| 0x40 | KDC\_ERROR\_INVALID\_SIG | Reserved for PKINIT |
|
||||||
|
| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | Reserved for PKINIT |
|
||||||
|
| 0x42 | KDC\_ERR\_CERTIFICATE\_MISMATCH | Reserved for PKINIT |
|
||||||
|
| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT available to validate USER-TO-USER |
|
||||||
|
| 0x44 | KDC\_ERR\_WRONG\_REALM | Reserved for future use |
|
||||||
|
| 0x45 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | Ticket must be for USER-TO-USER |
|
||||||
|
| 0x46 | KDC\_ERR\_CANT\_VERIFY\_CERTIFICATE | Reserved for PKINIT |
|
||||||
|
| 0x47 | KDC\_ERR\_INVALID\_CERTIFICATE | Reserved for PKINIT |
|
||||||
|
| 0x48 | KDC\_ERR\_REVOKED\_CERTIFICATE | Reserved for PKINIT |
|
||||||
|
| 0x49 | KDC\_ERR\_REVOCATION\_STATUS\_UNKNOWN | Reserved for PKINIT |
|
||||||
|
| 0x4a | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT |
|
||||||
|
| 0x4b | KDC\_ERR\_CLIENT\_NAME\_MISMATCH | Reserved for PKINIT |
|
||||||
|
| 0x4c | KDC\_ERR\_KDC\_NAME\_MISMATCH | Reserved for PKINIT |
|
||||||
|
|
||||||
- **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)) type that was used in TGT request.
|
- **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)) type that was used in TGT request.
|
||||||
|
|
||||||
|
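Review bot: the expanded table keeps the four-column header (Code, Code Name, Description, Possible causes) but almost every new row has three cells, and the 0x10, 0x17 and 0x18 rows lose their trailing pipe; either give every row four cells (an empty fourth cell is fine) or drop the column, and restore the trailing pipes so the table renders. The intro now promises 'the list of the error codes ... as defined in RFC 4120', yet 0x3e through 0x4c are the PKINIT codes from RFC 4556 (RFC 4120 only reserves them), so cite both. The Possible causes that the old 'most common' version carried are the part a detection engineer uses, so add them for the codes a domain controller actually emits in 4768 failures: for instance 0x6 is an unknown or mistyped user name (and a signal of account enumeration when seen in volume), 0x12 covers disabled, locked-out and expired accounts, 0x25 is clock skew beyond the default 5-minute tolerance, and 0x18 already has the bad-password note that makes it the field to count for password-spraying detection.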
@ -9,7 +9,7 @@ metadata:
|
|||||||
ms.localizationpriority: medium
|
ms.localizationpriority: medium
|
||||||
author: denisebmsft
|
author: denisebmsft
|
||||||
ms.author: deniseb
|
ms.author: deniseb
|
||||||
ms.date: 05/12/2021
|
ms.date: 06/16/2021
|
||||||
ms.reviewer:
|
ms.reviewer:
|
||||||
manager: dansimp
|
manager: dansimp
|
||||||
ms.custom: asr
|
ms.custom: asr
|
||||||
@ -37,6 +37,17 @@ sections:
|
|||||||
|
|
||||||
`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)
|
`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)
|
||||||
|
|
||||||
|
- question: |
|
||||||
|
My network configuration uses a proxy and I’m running into a “Cannot resolve External URLs from MDAG Browser: Error: err_connection_refused”. How do I resolve that?
|
||||||
|
answer: |
|
||||||
|
The manual or PAC server must be a hostname (not IP) that is neutral on the site-list. Additionally, if the PAC script returns a proxy, it must meet those same requirements.
|
||||||
|
|
||||||
|
To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can:
|
||||||
|
|
||||||
|
- Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”.
|
||||||
|
- It must be a FQDN. A simple IP address will not work.
|
||||||
|
- Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard.
|
||||||
|
|
||||||
- question: |
|
- question: |
|
||||||
Can employees download documents from the Application Guard Edge session onto host devices?
|
Can employees download documents from the Application Guard Edge session onto host devices?
|
||||||
answer: |
|
answer: |
|
||||||
|
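Review bot: in the new FAQ answer, 'neutral on the site-list' should use the term the next paragraph uses, 'a Neutral Resource in the Network Isolation policies', and 'hostname (not IP)' and the later bullet 'It must be a FQDN' say the same thing twice; keep one (and it is 'an FQDN'). The bullets introduced by 'you can:' are not all actions (the second is a requirement), so make the first bullet the check ('Go to `edge://application-guard-internals/#utilities`, enter the PAC or proxy FQDN in the Check URL Trust field, and confirm it reports Neutral') and fold the requirement into the sentence above. The last bullet should say why removing the proxy's IP addresses from Enterprise IP Ranges helps (an address inside those ranges is classified as enterprise rather than neutral), and the curly quotes should be straight quotes with the error string in backticks.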
@ -101,7 +101,11 @@ To deploy policies locally using the new multiple policy format, follow these st
|
|||||||
|
|
||||||
### Deploying multiple policies via ApplicationControl CSP
|
### Deploying multiple policies via ApplicationControl CSP
|
||||||
|
|
||||||
Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability.
|
Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.<br>
|
||||||
|
|
||||||
|
However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
|
||||||
|
|
||||||
|
See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies.
|
> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies.
|
||||||
|
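Review bot: the new paragraph describes a failure mode that leaves a device with no WDAC policy at all (un-enrolling removes every policy, including ones deployed by GP, script or other channels), so it belongs in an alert block like the `> [!NOTE]` used just below (a warning is more appropriate) rather than in body text, and it should say whether the removal also covers signed base policies and whether it takes effect before a reboot. Tighten the wording: 'even though it will query all policies on a device, regardless if they were deployed by the CSP' reads as a contradiction; say 'because the CSP does not record which source deployed each policy, although it enumerates all policies on the device'. Drop the trailing `<br>` on the first paragraph; the blank line already separates it.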
@ -109,7 +109,8 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
|
|||||||
> When you create WDAC policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
|
> When you create WDAC policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits.
|
> - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits.
|
||||||
|
> - The code uses CN for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format to ensure UTF-8 is not being used for the CN. For example, you can use printable string, IA5, or BMP.
|
||||||
|
|
||||||
## Example of file rule levels in use
|
## Example of file rule levels in use
|
||||||
|
|
||||||
|
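Review bot: 'The code uses CN' in the new bullet is ambiguous; say what does (the WDAC policy tooling, when it populates CertSubject and CertIssuer) and what happens when the CN is encoded as UTF8String (does the signer rule fail to match at runtime, or fail to generate?), since without the consequence the advice reads as optional. Give the actual check: `certutil -asn <cert.cer>` dumps the ASN.1 and shows the string tag of each name attribute (PrintableString, IA5String, BMPString or UTF8String), which is the 'underlying format' the bullet alludes to. 'inbox certutil' should be 'the built-in certutil.exe'.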
@ -47,7 +47,7 @@ For a full list of what's new in Microsoft Intune, see [What's new in Microsoft
|
|||||||
|
|
||||||
### Windows Assessment and Deployment Toolkit (ADK)
|
### Windows Assessment and Deployment Toolkit (ADK)
|
||||||
|
|
||||||
There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
|
There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
|
||||||
|
|
||||||
## Device management
|
## Device management
|
||||||
|
|
||||||
@ -60,7 +60,7 @@ Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a perf
|
|||||||
|
|
||||||
WDAG performance is improved with optimized document opening times:
|
WDAG performance is improved with optimized document opening times:
|
||||||
- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (WDAG) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link.
|
- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (WDAG) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link.
|
||||||
- A memory issue is fixed that could casue a WDAG container to use almost 1 GB of working set memory when the container is idle.
|
- A memory issue is fixed that could cause a WDAG container to use almost 1 GB of working set memory when the container is idle.
|
||||||
- The performance of Robocopy is improved when copying files over 400 MB in size.
|
- The performance of Robocopy is improved when copying files over 400 MB in size.
|
||||||
|
|
||||||
### Windows Hello
|
### Windows Hello
|
||||||
|
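Review bot: 'casue' to 'cause' is right; the surrounding list mixes 'WDAG' (heading and abbreviation) with 'Microsoft Defender Application Guard', while the FAQ hunk in this same commit uses 'MDAG', so pick one abbreviation and one expansion for the page.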