diff --git a/windows/access-protection/credential-guard/credential-guard-considerations.md b/windows/access-protection/credential-guard/credential-guard-considerations.md index 17598057c2..01dbef4001 100644 --- a/windows/access-protection/credential-guard/credential-guard-considerations.md +++ b/windows/access-protection/credential-guard/credential-guard-considerations.md @@ -61,7 +61,7 @@ Since Credential Manager cannot decrypt saved Windows Credentials, they are dele ### Domain-joined device’s automatically provisioned public key Beginning with Windows 10 and Windows Server 2016, domain-devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](https://docs.microsoft.com/windows-server/security/kerberos/domain-joined-device-public-key-authentication). -Since Credential Guard cannot decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it cannot authenticate with password until that policy disabled. For more information on Configuring device to only use public key, see [Domain-joined Device Public Key Authentication](https://docs.microsoft.com/windows-server/security/kerberos/domain-joined-device-public-key-authentication). +Since Credential Guard cannot decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it cannot authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](https://docs.microsoft.com/windows-server/security/kerberos/domain-joined-device-public-key-authentication). Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](https://msdn.microsoft.com/en-us/library/cc980032.aspx). diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 10a90e34ec..7e36c48d66 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -187,6 +187,7 @@ #### [Camera](policy-csp-camera.md) #### [Cellular](policy-csp-cellular.md) #### [Connectivity](policy-csp-connectivity.md) +#### [ControlPolicyConflict](policy-csp-controlpolicyconflict.md) #### [CredentialProviders](policy-csp-credentialproviders.md) #### [CredentialsUI](policy-csp-credentialsui.md) #### [Cryptography](policy-csp-cryptography.md) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 70a293fad5..06bc214f80 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -617,6 +617,14 @@ The following diagram shows the Policy configuration service provider in tree fo +### ControlPolicyConflict policies + +
+
+ ControlPolicyConflict/MDMWinsOverGP +
+
+ ### CredentialProviders policies
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md new file mode 100644 index 0000000000..c628f5e912 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -0,0 +1,101 @@ +--- +title: Policy CSP - ControlPolicyConflict +description: Policy CSP - ControlPolicyConflict +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 01/11/2018 +--- + +# Policy CSP - ControlPolicyConflict + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ + +## ControlPolicyConflict policies + +
+
+ ControlPolicyConflict/MDMWinsOverGP +
+
+ +
+ +**ControlPolicyConflict/MDMWinsOverGP** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4cross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, next major update. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy are set on the device. + +This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. This policy doesn’t support Delete command. This policy doesn’t support setting the value to be 0 again after it was previously set 1. The default value is 0. In next major update, the MDM policies in Policy CSP will behave as described if this policy value is set 1. + +The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy. This ensures that: + +- GP settings that correspond to MDM applied settings are not conflicting +- The current Policy Manager policies are refreshed from what MDM has set +- Any values set by scripts/user outside of GP that conflict with MDM are removed + + + +The following list shows the supported values: + +- 0 (default) +- 1 - The MDM policy is used and the GP policy is blocked. + + + + + + + + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md index bce822bcc6..f67599ce30 100644 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 10/16/2017 +ms.date: 01/11/2018 ms.localizationpriority: high --- @@ -571,7 +571,7 @@ For more information, see [How to perform a clean boot in Windows](https://suppo Code -800040005 - 0x20007 +80040005 - 0x20007