Windows Server vNext Insider Preview Build 18317 released.
WDAC – Composable (stacked) code integrity policies
WDAC can now enforce multiple code integrity (CI) policies on the same system at once. Base policies combine by intersection (a file runs only if every active base policy allows it); supplemental policies combine with their base by union (a file runs if the base or any of its supplemental policies allows it). Three scenarios are supported:
- Scenario 1 – Deploy a “base” policy in enforcement mode and deploy a second “audit” policy side-by-side, so that changes to the policy can be validated from audit events before they are deployed in enforcement mode. (Intersection)
- Scenario 2 – Enforce two or more “base” policies simultaneously, which makes targeting simpler when policies have different scope or intent. For example, Base1 is a relatively loose corporate standard policy that accommodates all organizations while enforcing minimum corporate standards (e.g. Windows works + Managed Installer + path rules), and Base2 is a team-specific policy that further restricts what is allowed to run (e.g. Windows works + Managed Installer + corporate-signed apps only). (Intersection)
- Scenario 3 – Deploy supplemental policies to expand a base policy. For example, an Azure host baseline policy is tightly restricted to allow just Windows and hardware drivers, and permits supplemental policies; the Exchange Azure team's supplemental policy then adds only the additional signer rules needed for Exchange-team-signed code. (Union)
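The three scenarios above, built with the ConfigCI cmdlets that ship in Windows, as an added example that is not part of the build announcement. The working directory, policy names and the binaries or folders scanned for rules are assumptions, as is that the machine runs a build with multiple-policy support; the script must run elevated, and the staged policies only take effect after a reboot.

```powershell
# Added example (not Microsoft's release-note code): stack WDAC policies.
# Assumptions: C:\WDAC as working directory, the assumed file paths below exist,
# the OS supports multiple CI policies, and the session is elevated.
$work      = 'C:\WDAC'
$templates = "$env:windir\schemas\CodeIntegrity\ExamplePolicies"
$active    = "$env:windir\System32\CodeIntegrity\CiPolicies\Active"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Compile a policy XML and stage it where the kernel loads multiple-policy
# binaries: CiPolicies\Active\<PolicyID>.cip. The GUID (braces included) is
# read from the XML so the file name and the embedded ID always agree.
function Publish-CIPolicy {
    param([Parameter(Mandatory)][string]$XmlPath)
    $policyId = ([xml](Get-Content -Path $XmlPath -Raw)).SiPolicy.PolicyID
    $cip = Join-Path $work "$policyId.cip"
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $cip | Out-Null
    Copy-Item -Path $cip -Destination $active -Force
    return $policyId
}

# ---- Base1: corporate standard, enforced, stackable (used by all scenarios) ----
$base1 = Join-Path $work 'CorpBase.xml'
Copy-Item "$templates\DefaultWindows_Enforced.xml" $base1   # "Windows works", no audit option
# -ResetPolicyID converts the XML to the multiple-policy format and assigns
# fresh PolicyID/BasePolicyID GUIDs, so this policy can coexist with others.
Set-CIPolicyIdInfo -FilePath $base1 -ResetPolicyID -PolicyName 'Corp Base'
Set-CIPolicyVersion -FilePath $base1 -Version '1.0.0.0'
Set-RuleOption -FilePath $base1 -Option 13   # Enabled:Managed Installer
Set-RuleOption -FilePath $base1 -Option 17   # Enabled:Allow Supplemental Policies

# ---- Scenario 1: audit a proposed change beside the enforced base ----
# Same rules plus the candidate allow rule, with its own IDs and audit mode on:
# 3076 audit events show what the change would do while Base1 keeps enforcing.
$candidate = Join-Path $work 'CorpBase-Candidate.xml'
Copy-Item $base1 $candidate
Set-CIPolicyIdInfo -FilePath $candidate -ResetPolicyID -PolicyName 'Corp Base (candidate)'
Set-RuleOption -FilePath $candidate -Option 3   # Enabled:Audit Mode
$newRule = New-CIPolicyRule -Level Publisher -DriverFilePath 'C:\Tools\vendor-tool.exe'  # assumed path
Merge-CIPolicy -OutputFilePath $candidate -PolicyPaths $candidate -Rules $newRule | Out-Null

# ---- Scenario 2: a second, stricter base for one team (intersection) ----
# With both bases enforced, a file runs only if Base1 AND Base2 allow it.
$base2 = Join-Path $work 'TeamBase.xml'
Copy-Item "$templates\DefaultWindows_Enforced.xml" $base2
Set-CIPolicyIdInfo -FilePath $base2 -ResetPolicyID -PolicyName 'Team Base'
Set-RuleOption -FilePath $base2 -Option 13
$corpSigner = New-CIPolicyRule -Level Publisher -DriverFilePath 'C:\CorpApps\signed-app.exe'  # assumed corp-signed binary
Merge-CIPolicy -OutputFilePath $base2 -PolicyPaths $base2 -Rules $corpSigner | Out-Null

# ---- Scenario 3: supplemental policy that widens Base1 (union) ----
# Built by scanning the team's signed binaries, then bound to Base1's PolicyID.
# It can only add allow rules, never take anything away from the base, and it
# is ignored unless the base carries option 17.
$supp = Join-Path $work 'ExchangeTeam-Supplemental.xml'
New-CIPolicy -FilePath $supp -Level Publisher -ScanPath 'C:\ExchangeTeamBinaries' -UserPEs -MultiplePolicyFormat  # assumed folder
Set-CIPolicyIdInfo -FilePath $supp -BasePolicyToSupplementPolicyPath $base1 -PolicyName 'Exchange Team Supplemental'

# Compile and stage everything; reboot to activate.
$deployed = $base1, $candidate, $base2, $supp | ForEach-Object { Publish-CIPolicy -XmlPath $_ }
$deployed | ForEach-Object { Write-Host "staged policy $_ in $active" }

# After the reboot: 3099 confirms each policy loaded; compare 3076 (audit)
# against 3077 (enforcement) events to judge the candidate before promoting it.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 200 |
    Where-Object Id -in 3076, 3077, 3099 |
    Select-Object TimeCreated, Id, Message
```

Two caveats a practitioner should keep in mind: option 13 only has an effect once a managed installer is also declared in the AppLocker managed-installer rule collection, and the audit candidate in scenario 1 must keep its own PolicyID (hence the second -ResetPolicyID), otherwise it would overwrite the enforced base when staged.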
Windows Server Bug Fixes
- We fixed an issue where a password change could cause the next unlock to hang for domain-joined AD users.
- We fixed frequent access violations in bindflt!BfNormalizeNameComponentExCallback.
- We fixed an issue where SRV2.sys could crash with an access violation when attempting to connect to a client machine with a null name string.
- We fixed an issue where OpenID Connect sign-on applications could experience high latency in AD FS authentication when using the SAML and OAuth code flows.
- We fixed an issue where the UserName information in events retrieved with the PowerShell cmdlet Get-RemoteAccessConnectionStatistics could occasionally be corrupted.
- We fixed an issue in Server Core where, when using the classic File Explorer from the App Compatibility FOD, clicking Eject on a USB device notified the user that the drive was in use and left the eject operation hung.
- We fixed an issue where virtual machine runtime state (VMRS) files failed to load. An affected system may report a failure looking up or receiving the VM from the source host because the data is invalid (0x8007000d).
Windows Server Known Issues
- [New] Dynamic Update Setup on Server shows “Installing Windows 10” instead of Server.
- [New] Scheduled startup tasks may fail to run. When the failure occurs, Event ID 101 is logged with the error code ERROR_LOGON_FAILURE.
- [New] A virtual machine may not report all virtual Fibre Channel (vFC) LUNs after powering on if there are 2000+ vFC LUNs. WMI queries from the host show the LUNs as available. Restarting the Hyper-V Virtual Machine Management Service (VMMS) may make the LUNs visible again.
- [New] DCPromo fails if the interface metric of the physical NIC is larger than that of the loopback interface.
- [New] AD FS requests with invalid domain suffixes fail after a long delay (around 3 minutes) with error DS_NAME_ERROR_DOMAIN_ONLY. This can cause queued legitimate requests to be delayed or to time out as well.
- Server FODs are not retained after an in-place (or B2B) upgrade.
- [New] Domain controller rename updates incorrect attributes in AD and leaves orphaned data behind (ValidateSPNsAndDNSHostNameActual). This can be reproduced by adding a new FQDN, setting it as primary, restarting the domain controller, and then removing the previous FQDN. The msDS-AdditionalDnsHostName, msDS-AdditionalSamAccountName and servicePrincipalName attributes will then show incorrect values.
- [New] User Access Logging may create an invalid file in %Systemroot%\System32\LogFiles\Sum.
- [New] Windows may attempt to reuse an expired DHCP lease if the lease expired while the OS was shut down.
- Self-service users cannot install Feature on Demand (FOD) packages and Language Packs for Windows Server Update Service (WSUS), System Center Configuration Manager (SCCM), and Autopilot scenarios.
- A container host may become unresponsive due to a deadlock when attempting to mount a volume. On an affected system, Docker hangs on all commands.
- The operating system has an unnecessary utility account for Windows Defender Application Guard.
- When a Windows Defender Application Guard container crashes, the resulting dump may be of an unexpected type.
- [New] CPU spike may happen when Windows Server logs obsolete Windows Error Reporting reports PnPDriverInstallError and PnPDriverImportError.