diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 8eed696dd9..637e02d729 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -61,7 +61,7 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an | Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.SkreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | | | x | No | +| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | | | x | No | | Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No | | Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.VP9VideoExtensions | | | | | x | No | @@ -181,4 +181,4 @@ Here are the typical installed Windows apps in Windows 10 versions 1709, 1803, a | | Microsoft.VCLibs.140.00 | x | x | x | Yes | | | Microsoft.VCLibs.120.00.Universal | x | | | Yes | | | Microsoft.VCLibs.140.00.UWPDesktop | | x | | Yes | ---- \ No newline at end of file +--- diff --git a/windows/client-management/mdm/windowssecurityauditing-csp.md b/windows/client-management/mdm/windowssecurityauditing-csp.md index c7ebdf2171..74aa8f8b40 100644 --- a/windows/client-management/mdm/windowssecurityauditing-csp.md +++ b/windows/client-management/mdm/windowssecurityauditing-csp.md @@ -13,7 +13,7 @@ ms.date: 06/26/2017 # WindowsSecurityAuditing CSP -The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511. +The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511 for Mobile and Mobile Enterprise. Make sure to consult the [Configuration service provider reference](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference) to see if this CSP and others are supported on your Windows installation. The following diagram shows the WindowsSecurityAuditing configuration service provider in tree format. diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 52fa2a92d0..954454df28 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -10,13 +10,18 @@ ms.localizationpriority: medium author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 11/07/2018 --- # Change history for Configure Windows 10 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## April 2019 + +New or changed topic | Description +--- | --- +[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Added information for Shell Launcher v2, coming in the next feature update to Windows 10. + ## February 2019 New or changed topic | Description diff --git a/windows/configuration/images/slv2-oma-uri.png b/windows/configuration/images/slv2-oma-uri.png new file mode 100644 index 0000000000..98ee252b63 Binary files /dev/null and b/windows/configuration/images/slv2-oma-uri.png differ diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index 72377d11f6..81a9ba0ecf 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk-additional-reference.md @@ -8,7 +8,6 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 09/13/2018 ms.topic: reference --- @@ -30,7 +29,7 @@ Topic | Description [Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk. [Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration. [Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. -[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. +[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface. [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. [Troubleshoot kiosk mode issues](kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration. diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index 888cbc3049..82aa4dc94f 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -12,6 +12,9 @@ ms.topic: article # Configure kiosks and digital signs on Windows desktop editions +>[!WARNING] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. Windows 10 offers two different locked-down experiences for public or specialized use: | | | @@ -43,6 +46,7 @@ You can use this method | For this edition | For this kiosk account type [Assigned access cmdlets](kiosk-single-app.md#powershell) | Pro, Ent, Edu | Local standard user [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Azure AD [Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD +[Shell Launcher](kiosk-shelllauncher.md) v2 | Ent, Edu | Local standard user, Active Directory, Azure AD ## Methods for a single-app kiosk running a Windows desktop application @@ -50,8 +54,8 @@ You can use this method | For this edition | For this kiosk account type You can use this method | For this edition | For this kiosk account type --- | --- | --- [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD -[Shell Launcher](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD [Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD +[Shell Launcher](kiosk-shelllauncher.md) v1 and v2 | Ent, Edu | Local standard user, Active Directory, Azure AD ## Methods for a multi-app kiosk diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index cb4de9b225..308da89102 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md @@ -1,6 +1,6 @@ --- title: Use Shell Launcher to create a Windows 10 kiosk (Windows 10) -description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). +description: Shell Launcher lets you change the default shell that launches when a user signs in to a device. ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 @@ -8,7 +8,6 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 10/01/2018 ms.topic: article --- @@ -16,26 +15,36 @@ ms.topic: article **Applies to** ->App type: Windows desktop application -> ->OS edition: Windows 10 Ent, Edu -> ->Account type: Local standard user or administrator, Active Directory, Azure AD +- Windows 10 Ent, Edu +>[!WARNING] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. +Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows 10, version 1809 and earlier, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in the next feature update to Windows 10, you can also specify a UWP app as the replacement shell. >[!NOTE] ->Using the Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components. +>Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components. > >Methods of controlling access to other desktop applications and system components can be used in addition to using the Shell Launcher. These methods include, but are not limited to: >- [Group Policy](https://www.microsoft.com/download/details.aspx?id=25250) - example: Prevent access to registry editing tools >- [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) - Application control policies >- [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm) - Enterprise management of device security policies -> ->You can also configure a kiosk device that runs a Windows desktop application by using the [Provision kiosk devices wizard](kiosk-single-app.md#wizard). - +You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). In Windows 10, version 1803 and later, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher. + + +## Differences between Shell Launcher v1 and Shell Launcher v2 + +Shell Launcher v1 replaces `explorer.exe`, the default shell, with `eshell.exe` which can launch a Windows desktop application. + +Shell Launcher v2 replaces `explorer.exe` with `customshellhost.exe`. This new executable file can launch a Windows desktop application or a UWP app. + +In addition to allowing you to use a UWP app for your replacement shell, Shell Launcher v2 offers additional enhancements: +- You can use a custom Windows desktop application that can then launch UWP apps, such as **Settings** and **Touch Keyboard**. +- From a custom UWP shell, you can launch secondary views and run on multiple monitors. +- The custom shell app runs in full screen, and and can run other apps in full screen on user’s demand. + +For sample XML configurations for the different app combinations, see [Samples for Shell Launcher v2](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2). ## Requirements @@ -44,16 +53,15 @@ Using Shell Launcher, you can configure a kiosk device that runs a Windows deskt > >- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. -- A domain or local user account. +- A domain, Azure Active Directory, or local user account. -- A Windows desktop application that is installed for that account. The app can be your own company application or a common app like Internet Explorer. +- A Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer. -[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603) +[See the technical reference for the shell launcher component.](https://docs.microsoft.com/windows-hardware/customize/enterprise/shell-launcher) +## Enable Shell Launcher feature -## Configure Shell Launcher - -To set a Windows desktop application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell. +To set a custom shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell or MDM. **To turn on Shell Launcher in Windows features** @@ -63,7 +71,7 @@ To set a Windows desktop application as the shell, you first turn on the Shell L 2. Select **Shell Launcher** and **OK**. -Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool. +Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or you can use the Deployment Image Servicing and Management (DISM.exe) tool. **To turn on Shell Launcher using DISM** @@ -74,9 +82,70 @@ Alternatively, you can turn on Shell Launcher using Windows Configuration Design Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher ``` -**To set your custom shell** -Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. +## Configure a custom shell in MDM + +You can use XML and a [custom OMA-URI setting](#custom-oma-uri-setting) to configure Shell Launcher in MDM. + +### XML for Shell Launcher configuration + +The following XML sample works for **Shell Launcher v1**: + +``` + + + + + + + + + + + + + +``` + +For **Shell Launcher v2**, you will use a different schema reference and a different app type for `Shell`, as shown in the following example. + +``` + + + + + + + + + + + +``` + +>[!TIP] +>In the XML for Shell Launcher v2, note the **AllAppsFullScreen** attribute. When set to **True**, Shell Launcher will run every app in full screen, or maximized for desktop apps. When this attribute is set to **False** or not set, only the custom shell app runs in full screen; other apps launched by the user will run in windowed mode. + +[Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2) + +### Custom OMA-URI setting + +In your MDM service, you can create a [custom OMA-URI setting](https://docs.microsoft.com/intune/custom-settings-windows-10) to configure Shell Launcher v1 or v2. (The [XML](#xml-for-shell-launcher-configuration) that you use for your setting will determine whether you apply Shell Launcher v1 or v2.) + +The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`. + +For the value, you can select data type `String` and paste the desired configuration file content into the value box. If you wish to upload the xml instead of pasting the content, choose data type `String (XML file)` instead. + +![Screenshot of custom OMA-URI settings](images/slv2-oma-uri.png) + +After you configure the profile containing the custom Shell Launcher setting, select **All Devices** or selected groups of devices to apply the profile to. Don't assign the profile to users or user groups. + +## Configure a custom shell using PowerShell + +For scripts for Shell Launcher v2, see [Shell Launcher v2 Bridge WMI sample scripts](https://github.com/Microsoft/Windows-iotcore-samples/blob/develop/Samples/ShellLauncherV2/SampleBridgeWmiScripts/README.md). + +For Shell Launcher v1, modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. ``` # Check if shell launcher license is enabled diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index 289b0b5793..a966f7ad8e 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -55,7 +55,7 @@ Event logs: Generic rollbacks (0xC1900101) or unexpected reboots. ## Log entry structure -A setupact.log or setuperr.log (files are located at C:\Windows) entry includes the following elements: +A setupact.log or setuperr.log entry (files are located at C:\Windows) includes the following elements:
  1. The date and time - 2016-09-08 09:20:05. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 461d86ca82..5350a7e35a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -59,7 +59,7 @@ The remainder of the provisioning includes Windows Hello for Business requesting > Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization. > [!NOTE] -> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning. +> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning. The update needs to be installed on the federation servers. After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md index a7425d8dc2..06d22fc8d2 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md +++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md @@ -44,7 +44,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use ### Default values -By default this setting is Administrators on domain controllers and on stand-alone servers. +By default, this setting is Administrators and NT SERVICE\WdiServiceHost on domain controllers and on stand-alone servers. The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 8522325f19..8b6d1d2ef7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium author: jsuther1974 -ms.date: 08/31/2018 +ms.date: 04/09/2019 --- # Microsoft recommended block rules @@ -76,7 +76,13 @@ These modules cannot be blocked by name or version, and therefore must be blocke For October 2017, we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules. -Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet: +Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. Beginning with the March 2019 quality update, each version of Windows requires blocking a specific version of the following files: + +- msxml3.dll +- msxml6.dll +- jscript9.dll + +Pick the correct version of each .dll for the Windows release you plan to support, and remove the other versions. ```xml @@ -137,7 +143,35 @@ Microsoft recommends that you block the following Microsoft-signed applications - + + + + + + + + --> + + + + --> + + + + --> + + + + --> + + + + --> @@ -842,8 +876,11 @@ Microsoft recommends that you block the following Microsoft-signed applications - - + + + + +