diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
index 93b323b78a..d6bb2e98eb 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
@@ -31,32 +31,27 @@ ms.date: 07/27/2017
Remove websites that were added to a local Enterprise Mode site list by mistake or because the sites no longer have compatibility problems.
-**Note**
The changes described in this topic only impact sites added to a local Enterprise Mode site list and not the list of sites deployed to all employees by an administrator. Employees can't delete sites added to the list by an administrator.
+> [!NOTE]
+> The changes described in this topic only impact sites added to a local Enterprise Mode site list and not the list of sites deployed to all employees by an administrator. Employees can't delete sites added to the list by an administrator.
- **To remove single sites from a local Enterprise Mode site list**
+**To remove single sites from a local Enterprise Mode site list**
1. Open Internet Explorer 11 and go to the site you want to remove.
-2. Click **Tools**, and then click **Enterprise Mode**.
-The checkmark disappears from next to Enterprise Mode and the site is removed from the list.
+2. Click **Tools**, and then click **Enterprise Mode**.
-**Note**
If the site is removed by mistake, it can be added back by clicking **Enterprise Mode** again.
+ The checkmark disappears from next to Enterprise Mode and the site is removed from the list.
- **To remove all sites from a local Enterprise Mode site list**
+ > [!NOTE]
+ > If the site is removed by mistake, it can be added back by clicking **Enterprise Mode** again.
-1. Open IE11, click **Tools**, and then click **Internet options**.
+**To remove all sites from a local Enterprise Mode site list**
+
+1. Open Internet Explorer 11, click **Tools**, and then click **Internet options**.
2. Click the **Delete** button from the **Browsing history** area.
3. Click the box next to **Cookies and website data**, and then click **Delete**.
-**Note**
This removes all of the sites from a local Enterprise Mode site list.
-
-
-
-
-
-
-
-
-
+ > [!NOTE]
+ > This removes all of the sites from a local Enterprise Mode site list.
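Review bot: the closing note under step 3 of "To remove all sites" says only that the local list is cleared, but the step it follows deletes everything under **Cookies and website data**, which is broader than the Enterprise Mode list. Suggest extending the note to say that cookies and stored site data are deleted along with the list, so an employee does not run this expecting only the list to change.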
diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md
index dba25c2b0f..00b99a4c75 100644
--- a/education/windows/autopilot-reset.md
+++ b/education/windows/autopilot-reset.md
@@ -36,25 +36,29 @@ You can set the policy using one of these methods:
- MDM provider
- -Check your MDM provider documentation on how to set this policy. If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
+ Check your MDM provider documentation on how to set this policy. If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
- For example, in Intune, create a new configuration policy and add an OMA-URI.
- - OMA-URI: ./Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials
- - Data type: Integer
- - Value: 0
+ For example, in Intune, create a new configuration policy and add an OMA-URI.
+ - OMA-URI: ./Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials
+ - Data type: Integer
+ - Value: 0
- Windows Configuration Designer
- You can [use Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting and create a provisioning package.
+ You can [use Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting and create a provisioning package.
- Set up School PCs app
- Autopilot Reset in the Set up School PCs app is available in the latest release of the app. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways:
+ Autopilot Reset in the Set up School PCs app is available in the latest release of the app. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways:
+
- Reach out to your device manufacturer.
+
- If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you are using another MDM provider, check the documentation for the MDM provider to confirm the OS version.
+
- Log into the PCs, go to the **Settings > System > About** page, look in the **Windows specifications** section and confirm **Version** is set to 1709.
- To use the Autopilot Reset setting in the Set up School PCs app:
+ To use the Autopilot Reset setting in the Set up School PCs app:
+
- When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Autopilot Reset** among the list of settings for the student PC as shown in the following example:

@@ -66,30 +70,36 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
1. From the Windows device lock screen, enter the keystroke: **CTRL + Windows key + R**.
- 
+ 
+
+ This will open up a custom login screen for Autopilot Reset. The screen serves two purposes:
- This will open up a custom login screen for Autopilot Reset. The screen serves two purposes:
1. Confirm/verify that the end user has the right to trigger Autopilot Reset
+
2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process.

2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset.
->[!IMPORTANT]
->To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection.
+ > [!IMPORTANT]
+ > To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection.
- Once Autopilot Reset is triggered, the reset process starts.
+ Once Autopilot Reset is triggered, the reset process starts.
- After reset, the device:
- - Sets the region, language, and keyboard.
- - Connects to Wi-Fi.
- - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will re-apply the original provisioning package on the device.
- - Is returned to a known good managed state, connected to Azure AD and MDM.
+ After reset, the device:
+
+ - Sets the region, language, and keyboard.
+
+ - Connects to Wi-Fi.
+
+ - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will re-apply the original provisioning package on the device.
+
+ - Is returned to a known good managed state, connected to Azure AD and MDM.

- Once provisioning is complete, the device is again ready for use.
+ Once provisioning is complete, the device is again ready for use.
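Review bot: step 2 still reads "plug in the USB drive and trigger Autopilot Reset" after the sign-in, although step 1 (the CTRL + Windows key + R keystroke) is already the trigger and the section is introduced as "trigger it and then authenticate". Suggest rewording step 2 so it is clear when the USB drive must be inserted relative to signing in, and what action follows the sign-in. The added "This will open up a custom login screen" line could also be present tense: "This opens a custom sign-in screen".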
@@ -99,7 +109,7 @@ Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](/windo
To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command:
-```
+```console
reagentc /enable
```
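Review bot: the fenced `reagentc /enable` step has no follow-up check, even though the surrounding text says Autopilot Reset fails when WinRE is not enabled. Suggest adding a line after the block telling the reader to confirm the result, for example with `reagentc /info`, before relying on the reset.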
@@ -107,4 +117,4 @@ If Autopilot Reset fails after enabling WinRE, or if you are unable to enable Wi
## Related topics
-[Set up Windows devices for education](set-up-windows-10.md)
\ No newline at end of file
+[Set up Windows devices for education](set-up-windows-10.md)
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
index 268f6d2d8b..eaa2f7c35b 100644
--- a/education/windows/edu-deployment-recommendations.md
+++ b/education/windows/edu-deployment-recommendations.md
@@ -26,15 +26,21 @@ We want all students to have the chance to use the apps they need for success in
## Deployment best practices
Keep these best practices in mind when deploying any edition of Windows 10 in schools or districts:
+
* A Microsoft account is only intended for consumer services. Enterprises and educational institutions should use enterprise versions where possible, such as Skype for Business, OneDrive for Business, and so on. For schools, consider using mobile device management (MDM) or Group Policy to block students from adding a Microsoft account as a secondary account.
+
* If schools allow the use of personal accounts by their students to access personal services, schools should be aware that these accounts belong to individuals, not the school.
+
* IT administrators, school officials, and teachers should also consider ratings when picking apps from the Microsoft Store.
+
* If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info.
## Windows 10 Contacts privacy settings
If you’re an IT administrator who deploys Windows 10 in a school or district, we recommend that you review these deployment resources to make informed decisions about how you can configure telemetry for your school or district:
+
* [Configure Windows telemetry in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) - Describes the types of telemetry we gather and the ways you can manage this data.
+
* [Manage connections from Windows operating system components to Microsoft services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services) - Learn about network connections that Windows components make to Microsoft and also the privacy settings (such as location, camera, messaging, and more) that affect data that is shared with either Microsoft or apps and how you can manage this data.
In particular, the **Contacts** area in the **Settings** > **Privacy** section lets you choose which apps can access a student’s contacts list. By default, this setting is turned on.
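Review bot: the first link in the "Windows 10 Contacts privacy settings" list is titled "Configure Windows telemetry in your organization" but points to configure-windows-diagnostic-data-in-your-organization, and the intro sentence also says "telemetry". Suggest aligning the link text and the paragraph with the target's "diagnostic data" wording. The section heading is about Contacts while its opening paragraph is about telemetry, so a lead sentence that introduces the Contacts setting first would help the blank-line cleanup read as intended.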
@@ -44,7 +50,9 @@ To change the setting, you can:
* [Choose the apps that you want to allow access to contacts](#choose-the-apps-that-you-want-to-allow-access-to-contacts)
### Turn off access to contacts for all apps
+
To turn off access to contacts for all apps on individual Windows devices:
+
1. On the computer, go to **Settings** and select **Privacy**.

@@ -56,10 +64,13 @@ To turn off access to contacts for all apps on individual Windows devices:
3. Turn off **Let apps access my contacts**.
For IT-managed Windows devices, you can use a Group Policy to turn off the setting. To do this:
+
1. Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**.
+
2. Set the **Select a setting** box to **Force Deny**.
### Choose the apps that you want to allow access to contacts
+
If you want to allow only certain apps to have access to contacts, you can use the switch for each app to specify which ones you want on or off.

@@ -67,62 +78,78 @@ If you want to allow only certain apps to have access to contacts, you can use t
The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you have installed and which of these apps access contacts.
To allow only certain apps to have access to contacts, you can:
+
* Configure each app individually using the **Settings** > **Contacts** option in the Windows UI
+
* Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** and then specify the default for each app by adding the app's Package Family Name under the default behavior you want to enforce.
- 
+ 
+
## Skype and Xbox settings
Skype (a Universal Windows Platform [UWP]) and Xbox are preinstalled as part of Windows 10.
-The Skype app replaces the integration of Skype features into Skype video and Messaging apps on Windows PCs and large tablets. The Skype app provides all these features in one place and lets users have a single place to manage both their chat and voice conversations so they can take better advantage of their screen. For information about the new Skype UWP app preview, see this [FAQ](https://go.microsoft.com/fwlink/?LinkId=821441).
+The Skype app replaces the integration of Skype features into Skype video and Messaging apps on Windows PCs and large tablets. The Skype app provides all these features in one place and lets users have a single place to manage both their chat and voice conversations so they can take better advantage of their screen. For information about the new Skype UWP app preview, see [Skype for Windows 10 Insiders – your most asked questions](https://go.microsoft.com/fwlink/?LinkId=821441).
With the Xbox app, students can use their Xbox profiles to play and make progress on their games using their Windows-based device. They can also unlock achievements and show off to their friends with game clips and screenshots. The Xbox app requires a Microsoft account, which is a personal account.
Both Skype and Xbox include searchable directories that let students find other people to connect to. The online privacy and security settings for Skype and Xbox are not manageable through Group Policy so we recommend that school IT administrators and school officials let parents and students know about these searchable directories.
If the school allows the use of personal or Microsoft account in addition to organization accounts, we also recommend that IT administrators inform parents and students that they can optionally remove any identifying information from the directories by:
+
* [Managing the user profile](#managing-the-user-profile)
* [Deleting the account if the user name is part of the identifying information](#delete-an-account-if-username-is-identifying)
### Managing the user profile
+
#### Skype
+
Skype uses the user’s contact details to deliver important information about the account and it also lets friends find each other on Skype.
To manage and edit your profile in the Skype UWP app, follow these steps:
+
1. In the Skype UWP app, select the user profile icon  to go to the user’s profile page.
+
2. In the account page, select **Manage account** for the Skype account that you want to change. This will take you to the online Skype portal.
+
3. In the online Skype portal, scroll down to the **Account details** section. In **Settings and preferences**, click **Edit profile**.
The profile page includes these sections:
- * Personal information
- * Contact details
- * Profile settings
+ * Personal information
+ * Contact details
+ * Profile settings
4. Review the information in each section and click **Edit profile** in either or both the **Personal information** and **Contact details** sections to change the information being shared. You can also remove the checks in the **Profile settings** section to change settings on discoverability, notifications, and staying in touch.
+
5. If you do not wish the name to be included, edit the fields and replace the fields with **XXX**.
+
6. To change the profile picture, go to the Skype app and click on the current profile picture or avatar. The **Manage Profile Picture** window pops up.

* To take a new picture, click the camera icon in the pop up window. To upload a new picture, click the three dots (**...**).
+
* You can also change the visibility of the profile picture between public (everyone) or for contacts only. To change the profile picture visibility, select the dropdown under **Profile picture** and choose between **Show to everyone** or **Show to contacts only**.
#### Xbox
+
A user’s Xbox friends and their friends’ friends can see their real name and profile. By default, the Xbox privacy settings enforce that no personal identifying information of a minor is shared on the Xbox Live network, although adults in the child’s family can change these default settings to allow it to be more permissive.
To learn more about how families can manage security and privacy settings on Xbox, see this [Xbox article on security](https://go.microsoft.com/fwlink/?LinkId=821445).
### Delete an account if username is identifying
+
If you want to delete either (or both) the Skype and the Xbox accounts, here’s how to do it.
#### Skype
+
To delete a Skype account, you can follow the instructions here: [How do I close my Skype account?](https://go.microsoft.com/fwlink/?LinkId=816515)
If you need help deleting the account, you can contact Skype customer service by going to the [Skype support request page](https://go.microsoft.com/fwlink/?LinkId=816519). You may need to sign in and specify a Skype account. Once you’ve signed in, you can:
+
1. Select a help topic (**Account and Password**)
2. Select a related problem (**Deleting an account**)
3. Click **Next**.
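Review bot: the Group Policy bullet under "To allow only certain apps to have access to contacts" tells the admin to add "the app's Package Family Name" but gives no pointer to where that name comes from. Suggest adding a link or a short sentence on how to look it up, since a wrong name leaves the per-app default unapplied. Also in this hunk, step 5 of the Skype profile procedure ("edit the fields and replace the fields with **XXX**") would read better as "replace the contents of each field with **XXX**".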
@@ -130,7 +157,8 @@ If you need help deleting the account, you can contact Skype customer service by
#### Xbox
+
To delete an Xbox account, you can follow the instructions here: [How to delete your Microsoft account and personal information associated with it](https://go.microsoft.com/fwlink/?LinkId=816521).
## Related topics
-[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
\ No newline at end of file
+[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index 1620881268..a95d9212e0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -28,7 +28,7 @@ Applies to:
- Azure AD joined deployments
- Windows 10, version 1803 and later
-PIN reset on Azure AD joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will shows a page with the "We can't open that page right now" error message.
+PIN reset on Azure AD joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will shows a page with the error message "We can't open that page right now".
### Identifying Azure AD joined PIN Reset Allowed Domains Issue
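Review bot: the rewritten sentence still contains "it will shows a page", and the paragraph uses both "web sign-in" and "Web sign in". Suggest "it shows a page with the error message ..." and one spelling of the flow name throughout, since this line is being touched anyway.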
@@ -36,7 +36,7 @@ The user can launch the PIN reset flow from above lock using the "I forgot my PI
In federated environments authentication may be configured to route to AD FS or a third party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it will fail and display the "We can't open that page right now" error if the domain for the server page is not included in an allow list.
-If you are a customer of Azure US Government cloud, PIN reset will also attempt to navigate to a domain that is not included in the default allow list. This results in the "We can't open that page right now" being shown.
+If you are a customer of Azure US Government cloud, PIN reset will also attempt to navigate to a domain that is not included in the default allow list. This results in "We can't open that page right now".
### Resolving Azure AD joined PIN Reset Allowed Domains Issue
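Review bot: the new wording 'This results in "We can't open that page right now".' drops the noun and no longer matches the preceding paragraph, which calls it the "We can't open that page right now" error. Suggest 'This results in the "We can't open that page right now" error.' so both paragraphs describe the symptom the same way.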
@@ -96,7 +96,7 @@ Description:
The Kerberos client received a KDC certificate that does not have a matched domain name.
Expected Domain Name: ad.contoso.com
Error Code: 0xC000006D
- ```
+```
### Resolving On-premises Resource Access Issue with Third-Party CAs
@@ -173,7 +173,7 @@ See https://go.microsoft.com/fwlink/?linkid=832647 for more details.
If a device has recently been joined to a domain, then there may be a delay before the device authentication occurs. If the failing state of this prerequisite check persists, then it can indicate an issue with the AD FS configuration.
-If this AD FS scope issue is present, event logs on the AD FS server will indicate an authentication failure from the client. This error will be logged in event logs under AD FS/Admin as event ID 1021 and the event will specify that the client is forbidden access to resource 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' with scope 'ugs':
+If this AD FS scope issue is present, event logs on the AD FS server will indicate an authentication failure from the client. This error will be logged in event logs under AD FS/Admin as event ID 1021 and the event will specify that the client is forbidden access to resource `http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope` with scope 'ugs':
```console
Log Name: AD FS/Admin
@@ -198,16 +198,22 @@ Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientE
This issue is fixed in Windows Server, version 1903 and later. For Windows Server 2019, this issue can be remediated by adding the ugs scope manually.
-1. Launch AD FS management console. Browse to "Services > Scope Descriptions".
-2. Right click "Scope Descriptions" and select "Add Scope Description".
-3. Under name type "ugs" and Click Apply > OK.
+1. Launch AD FS management console. Browse to **Services > Scope Descriptions**.
+
+2. Right click **Scope Descriptions** and select **Add Scope Description**.
+
+3. Under name type **ugs** and click **Apply > OK**.
+
4. Launch PowerShell as an administrator.
+
5. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b":
-``` PowerShell
-(Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
-```
+ ```powershell
+ (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
+ ```
6. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier
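Review bot: step 5 filters on ClientRoleIdentifier "38aa3b87-a06d-4817-b275-7a316988d93b" without saying which client that identifier belongs to, so an admin changing AD FS application permissions cannot tell what they are granting the ugs scope to. Suggest naming the client in the step text. The command also uses the `?{ ... }` alias; spelling it out as `Where-Object { ... }` is easier to read in documentation. The three renumbered steps now bold the UI labels, but "Right click" should be "Right-click".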