mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-21 13:23:36 +00:00
Merge branch 'public' into patch-4
This commit is contained in:
brianreidc7
GitHub
@ -103,9 +103,9 @@ To do this, follow these steps:
|
||||
|
||||
### Use the keyboard
|
||||
|
||||
[Forcing a System Crash from the Keyboard](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard)
|
||||
[Forcing a System Crash from the Keyboard](https://docs.microsoft.com/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard)
|
||||
|
||||
### Use Debugger
|
||||
|
||||
[Forcing a System Crash from the Debugger](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-debugger)
|
||||
[Forcing a System Crash from the Debugger](https://docs.microsoft.com/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-debugger)
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@ ms.date: 05/21/2019
|
||||
|
||||
# ApplicationControl CSP
|
||||
|
||||
Windows Defender Application Control (WDAC) policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike [AppLocker CSP](applocker-csp.md), ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot.
|
||||
Windows Defender Application Control (WDAC) policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike [AppLocker CSP](applocker-csp.md), ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot.
|
||||
Existing WDAC policies deployed using AppLocker CSP’s CodeIntegrity node can now be deployed using ApplicationControl CSP URI. Although WDAC policy deployment via AppLocker CSP will continue to be supported, all new feature work will be done in ApplicationControl CSP only.
|
||||
|
||||
ApplicationControl CSP was added in Windows 10, version 1903.
|
||||
@ -117,7 +117,7 @@ Value type is char.
|
||||
To use ApplicationControl CSP, you must:
|
||||
- Know a generated policy’s GUID, which can be found in the policy xml as `<PolicyTypeID>`.
|
||||
- Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
|
||||
- Create a policy node (a Base64-encoded blob of the binary policy representation) using the [certutil -encode](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_encode) command line tool.
|
||||
- Create a policy node (a Base64-encoded blob of the binary policy representation) using the [certutil -encode](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_encode) command line tool.
|
||||
|
||||
Here is a sample certutil invocation:
|
||||
```
|
||||
|
||||
@ -979,7 +979,7 @@ The data type is string.
|
||||
|
||||
Default string is as follows:
|
||||
|
||||
https://docs.microsoft.com/en-us/windows/desktop/WES/eventmanifestschema-channeltype-complextype.
|
||||
https://docs.microsoft.com/windows/desktop/WES/eventmanifestschema-channeltype-complextype.
|
||||
|
||||
Add **SDDL**
|
||||
``` xml
|
||||
|
||||
@ -2030,7 +2030,7 @@ The content below are the latest versions of the DDF files:
|
||||
<Delete />
|
||||
<Replace />
|
||||
</AccessType>
|
||||
<Description>SDDL String controlling access to the channel. Default: https://docs.microsoft.com/en-us/windows/desktop/WES/eventmanifestschema-channeltype-complextype</Description>
|
||||
<Description>SDDL String controlling access to the channel. Default: https://docs.microsoft.com/windows/desktop/WES/eventmanifestschema-channeltype-complextype</Description>
|
||||
<DFFormat>
|
||||
<chr />
|
||||
</DFFormat>
|
||||
|
||||
@ -32,7 +32,7 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
|
||||
## Enable a policy
|
||||
|
||||
> [!NOTE]
|
||||
> See [Understanding ADMX-backed policies](https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies).
|
||||
> See [Understanding ADMX-backed policies](https://docs.microsoft.com/windows/client-management/mdm/understanding-admx-backed-policies).
|
||||
|
||||
1. Find the policy from the list [ADMX-backed policies](policy-configuration-service-provider.md#admx-backed-policies). You need the following information listed in the policy description.
|
||||
- GP English name
|
||||
|
||||
@ -22,13 +22,13 @@ Requirements:
|
||||
- The enterprise has configured a mobile device management (MDM) service
|
||||
- The enterprise AD must be [registered with Azure Active Directory (Azure AD)](azure-active-directory-integration-with-mdm.md)
|
||||
- The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
|
||||
- The minimum Windows Server version requirement is based on the Hybrid AAD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan) for more information.
|
||||
- The minimum Windows Server version requirement is based on the Hybrid AAD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) for more information.
|
||||
|
||||
> [!TIP]
|
||||
> For additional information, see the following topics:
|
||||
> - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
|
||||
> - [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan)
|
||||
> - [Azure Active Directory integration with MDM](https://docs.microsoft.com/en-us/windows/client-management/mdm/azure-active-directory-integration-with-mdm)
|
||||
> - [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan)
|
||||
> - [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm)
|
||||
|
||||
The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered.
|
||||
|
||||
@ -48,7 +48,7 @@ The following steps demonstrate required settings using the Intune service:
|
||||
|
||||
|
||||
|
||||
2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/en-us/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal).
|
||||
2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal).
|
||||
Also verify that the **MAM user scope** is set to **None**. Otherwise, it will have precedence over the MDM scope that will lead to issues.
|
||||
|
||||
|
||||
@ -76,7 +76,7 @@ Also verify that the **MAM user scope** is set to **None**. Otherwise, it will h
|
||||
|
||||
|
||||
|
||||
7. Verify that the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is properly deployed to all devices which should be enrolled into Intune.
|
||||
7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is properly deployed to all devices which should be enrolled into Intune.
|
||||
You may contact your domain administrators to verify if the group policy has been deployed successfully.
|
||||
|
||||
8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal).
|
||||
@ -106,19 +106,27 @@ Requirements:
|
||||
|
||||
|
||||
|
||||
4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in version 1709 of Windows 10). For ADMX files from version 1903 and later, select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to use. User Credential enrolls Windows 10 1709 and later, once an Intune licensed user logs into the device. Device Credential will enroll the device and then assign a user later, once support for this is available.
|
||||
4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to use. User Credential enrolls Windows 10, version 1709 and later once an Intune licensed user logs into the device. Device Credential will enroll the device and then assign a user later, once support for this is available.
|
||||
|
||||
|
||||
|
||||
5. Click **Enable**, then click **OK**.
|
||||
|
||||
A task is created and scheduled to run every 5 minutes for the duration of 1 day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
|
||||
> [!NOTE]
|
||||
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have the Windows 10, version 1903 feature update installed.
|
||||
The default behavior for older releases is to revert to **User Credential**.
|
||||
|
||||
To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
|
||||
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
|
||||
|
||||
If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
|
||||
To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
|
||||
|
||||
|
||||
If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
|
||||
|
||||
|
||||
|
||||
> [!Tip]
|
||||
> You can avoid this behavior by using Conditional Access Policies in Azure AD.
|
||||
Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview).
|
||||
|
||||
6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account.
|
||||
|
||||
@ -154,6 +162,7 @@ Requirements:
|
||||
- Ensure that PCs belong to same computer group.
|
||||
|
||||
> [!IMPORTANT]
|
||||
|
||||
> If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1903 or version 1809. To fix the issue, follow these steps:
|
||||
> 1. Download:
|
||||
> 1903 -->[Administrative Templates for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) or
|
||||
@ -163,6 +172,7 @@ Requirements:
|
||||
> 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**, or
|
||||
> 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**
|
||||
> 4. Copy the policy definitions folder to **C:\Windows\SYSVOL\domain\Policies** or **%windir%\sysvol\domain_name\policies\PolicyDefinitions** if a Group Policy Central Store exists.
|
||||
|
||||
> This procedure will work for any future version as well.
|
||||
|
||||
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
|
||||
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 65 KiB After Width: | Height: | Size: 102 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 43 KiB After Width: | Height: | Size: 147 KiB |
@ -349,7 +349,7 @@ The following LocURL shows a per device CSP node configuration: **./device/vendo
|
||||
<a href="" id="syncml-response-codes"></a>
|
||||
## SyncML response status codes
|
||||
|
||||
When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.
|
||||
When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.
|
||||
|
||||
| Status code | Description |
|
||||
|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
|
||||
@ -271,7 +271,7 @@ Scope is permanent. Supported operation is Get.
|
||||
|
||||
|
||||
<a href="" id="securitykey-usesecuritykeyforsignin"></a>**SecurityKey/UseSecurityKeyForSignin** (only for ./Device/Vendor/MSFT)
|
||||
Added in Windows 10, version 1903. Enables users to sign-in to their device with a [FIDO2 security key](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsoft’s implementation.
|
||||
Added in Windows 10, version 1903. Enables users to sign-in to their device with a [FIDO2 security key](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsoft’s implementation.
|
||||
|
||||
Scope is dynamic. Supported operations are Add, Get, Replace, and Delete.
|
||||
|
||||
|
||||
@ -132,9 +132,9 @@ Here is an example:
|
||||
|
||||
```
|
||||
<groupmembership>
|
||||
<accessgroup desc="Administrators">
|
||||
<member name="AzureAD\CSPTest@contoso.com" />
|
||||
<member name="CSPTest22306\administrator" />
|
||||
<accessgroup desc = "Administrators">
|
||||
<member name = "AzureAD\CSPTest@contoso.com" />
|
||||
<member name = "CSPTest22306\administrator" />
|
||||
<member name = "AzureAD\patlewis@contoso.com" />
|
||||
</accessgroup>
|
||||
<accessgroup desc = "testcsplocal">
|
||||
|
||||
@ -202,4 +202,4 @@ To view system failure and recovery settings for your local computer, type **wmi
|
||||
|
||||
## References
|
||||
|
||||
[Varieties of Kernel-Mode Dump Files](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files)
|
||||
[Varieties of Kernel-Mode Dump Files](https://docs.microsoft.com/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files)
|
||||
|
||||
@ -46,8 +46,8 @@ To understand the underlying cause of Windows startup problems, it's important t
|
||||
|
||||
These articles will walk you through the resources you need to troubleshoot Windows startup issues:
|
||||
|
||||
- [Advanced troubleshooting for Windows boot problems](https://docs.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-boot-problems)
|
||||
- [Advanced troubleshooting for Windows boot problems](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-boot-problems)
|
||||
|
||||
- [Advanced troubleshooting for Stop error or blue screen error](https://docs.microsoft.com/en-us/windows/client-management/troubleshoot-stop-errors)
|
||||
- [Advanced troubleshooting for Stop error or blue screen error](https://docs.microsoft.com/windows/client-management/troubleshoot-stop-errors)
|
||||
|
||||
- [Advanced troubleshooting for Windows-based computer freeze issues](https://docs.microsoft.com/en-us/windows/client-management/troubleshoot-windows-freeze)
|
||||
- [Advanced troubleshooting for Windows-based computer freeze issues](https://docs.microsoft.com/windows/client-management/troubleshoot-windows-freeze)
|
||||
|
||||
Reference in New Issue
Block a user