mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into FromPrivateRepo
commit
19fcc88838
@ -14,7 +14,10 @@
|
|||||||
"resource": [
|
"resource": [
|
||||||
{
|
{
|
||||||
"files": [
|
"files": [
|
||||||
"**/images/**"
|
"**/images/**",
|
||||||
|
"**/*.png",
|
||||||
|
"**/*.jpg",
|
||||||
|
"**/*.gif"
|
||||||
],
|
],
|
||||||
"exclude": [
|
"exclude": [
|
||||||
"**/obj/**"
|
"**/obj/**"
|
||||||
|
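Review bot: the three globs added to the `files` list (`**/*.png`, `**/*.jpg`, `**/*.gif`) match image files anywhere in the tree, so any image outside an `images` folder now becomes a published resource, and `**/obj/**` is the only exclusion visible in this hunk. If the goal is only to pick up images that sit next to the include files, scope the patterns to those folders, or extend `exclude` to cover directories that hold drafts or internal screenshots. The patterns are also extension-specific, so decide whether `.jpeg` and `.svg` need the same treatment.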
@ -20,7 +20,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|-----------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
|-----------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled | 0 | 0 | Prevented. Hide the Address bar drop-down list and disable the *Show search and site suggestions as I type* toggle in Settings. |  |
|
| Disabled | 0 | 0 | Prevented. Hide the Address bar drop-down list and disable the *Show search and site suggestions as I type* toggle in Settings. |  |
|
||||||
| Enabled or not configured **(default)** | 1 | 1 | Allowed. Show the Address bar drop-down list and make it available. | |
|
| Enabled or not configured **(default)** | 1 | 1 | Allowed. Show the Address bar drop-down list and make it available. | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -20,7 +20,7 @@ ms:topic: include
|
|||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|------------------------------------------|:---:|:--------:|------------------------------------------------------------------------------|:------------------------------------------------:|
|
|------------------------------------------|:---:|:--------:|------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured **(default)** | 0 | 0 | Prevented. Users can configure the *Clear browsing data* option in Settings. | |
|
| Disabled or not configured **(default)** | 0 | 0 | Prevented. Users can configure the *Clear browsing data* option in Settings. | |
|
||||||
| Enabled | 1 | 1 | Allowed. Clear the browsing data upon exit automatically. |  |
|
| Enabled | 1 | 1 | Allowed. Clear the browsing data upon exit automatically. |  |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|--------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
|--------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled | 0 | 0 | Prevented. |  |
|
| Disabled | 0 | 0 | Prevented. |  |
|
||||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. | |
|
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|--------------------------|:---:|:--------:|------------------------------------------------------------------|:------------------------------------------------:|
|
|--------------------------|:---:|:--------:|------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled | 0 | 0 | Prevented. Users can still search to find items on their device. |  |
|
| Disabled | 0 | 0 | Prevented. Users can still search to find items on their device. |  |
|
||||||
| Enabled<br>**(default)** | 1 | 1 | Allowed. | |
|
| Enabled<br>**(default)** | 1 | 1 | Allowed. | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|--------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
|--------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
||||||
| Disabled | 0 | 0 | Prevented |  |
|
| Disabled | 0 | 0 | Prevented |  |
|
||||||
| Enabled | 1 | 1 | Allowed | |
|
| Enabled | 1 | 1 | Allowed | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. |  |
|
| Disabled or not configured<br>**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. |  |
|
||||||
| Enabled | 1 | 1 | Show the Books Library, regardless of the device’s country or region. | |
|
| Enabled | 1 | 1 | Show the Books Library, regardless of the device’s country or region. | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Gather and send only basic diagnostic data. |  |
|
| Disabled or not configured<br>**(default)** | 0 | 0 | Gather and send only basic diagnostic data. |  |
|
||||||
| Enabled | 1 | 1 | Gather all diagnostic data. For this policy to work correctly, you must set the diagnostic data in *Settings > Diagnostics & feedback* to **Full**. | |
|
| Enabled | 1 | 1 | Gather all diagnostic data. For this policy to work correctly, you must set the diagnostic data in *Settings > Diagnostics & feedback* to **Full**. | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -20,7 +20,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|--------------------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
|--------------------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
||||||
| Disabled | 0 | 0 | Prevented |  |
|
| Disabled | 0 | 0 | Prevented |  |
|
||||||
| Enabled<br>**(default)** | 1 | 1 | Allowed | |
|
| Enabled<br>**(default)** | 1 | 1 | Allowed | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -20,7 +20,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
||||||
| Disabled | 0 | 0 | Prevented |  |
|
| Disabled | 0 | 0 | Prevented |  |
|
||||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed | |
|
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
||||||
| Disabled | 0 | 0 | Prevented |  |
|
| Disabled | 0 | 0 | Prevented |  |
|
||||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed | |
|
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|--------------------------------------------|:---:|:--------:|-------------|:-------------------------------------------------:|
|
|--------------------------------------------|:---:|:--------:|-------------|:-------------------------------------------------:|
|
||||||
| Disabled | 0 | 0 | Prevented |  |
|
| Disabled | 0 | 0 | Prevented |  |
|
||||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed | |
|
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|--------------------------------------------|:---:|:--------:|-------------|:-------------------------------------------------:|
|
|--------------------------------------------|:---:|:--------:|-------------|:-------------------------------------------------:|
|
||||||
| Disabled | 0 | 0 | Prevented |  |
|
| Disabled | 0 | 0 | Prevented |  |
|
||||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed | |
|
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
||||||
| Disabled | 0 | 0 | Prevented |  |
|
| Disabled | 0 | 0 | Prevented |  |
|
||||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed | |
|
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
||||||
| Disabled | 0 | 0 | Prevented |  |
|
| Disabled | 0 | 0 | Prevented |  |
|
||||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed | |
|
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -20,12 +20,12 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Prevented. Microsoft Edge downloads book files to a per-user folder for each user. |  |
|
| Disabled or not configured<br>**(default)** | 0 | 0 | Prevented. Microsoft Edge downloads book files to a per-user folder for each user. |  |
|
||||||
| Enabled | 1 | 1 | Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy, which you can find:<p>**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**<p>Also, the users must be signed in with a school or work account. | |
|
| Enabled | 1 | 1 | Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy, which you can find:<p>**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**<p>Also, the users must be signed in with a school or work account. | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
### ADMX info and settings
|
### ADMX info and settings
|
||||||
|
|
||||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|----------------------------|:---:|:--------:|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
|----------------------------|:---:|:--------:|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured | 0 | 0 | Prevented. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, you must enable the **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** group policy, which you can find:<p>**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**<p>For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). |  |
|
| Disabled or not configured | 0 | 0 | Prevented. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, you must enable the **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** group policy, which you can find:<p>**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**<p>For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). |  |
|
||||||
| Enabled<br>**(default)** | 1 | 1 | Allowed. | |
|
| Enabled<br>**(default)** | 1 | 1 | Allowed. | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
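Review bot: the remediation in the "Disabled or not configured" row reads inverted. It says that to prevent sideloading through Add-AppxPackage you must enable the **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** policy and set **ApplicationManagement/AllowDeveloperUnlock** to 1 (enabled), yet both settings are named for allowing developer installs. Please confirm the direction against the policy reference and, if blocking is the intent, state the value that denies developer unlock. The same row is labelled "Disabled or not configured" while the Enabled row carries **(default)**; only one of the two can describe the unconfigured state.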
@ -18,7 +18,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|--------------------------------------------|:---:|:--------:|-------------------------------------------|:------------------------------------------------:|
|
|--------------------------------------------|:---:|:--------:|-------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled | 0 | 0 | Prevented. |  |
|
| Disabled | 0 | 0 | Prevented. |  |
|
||||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed. Preload Start and New Tab pages. | |
|
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed. Preload Start and New Tab pages. | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. |  |
|
| Disabled or not configured<br>**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. |  |
|
||||||
| Enabled | 1 | 1 | Show the Books Library, regardless of the device’s country or region. | |
|
| Enabled | 1 | 1 | Show the Books Library, regardless of the device’s country or region. | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Prevented. Use the search engine specified in App settings.<p><p>If you enabled this policy and now want to disable it, all previously configured search engines get removed. |  |
|
| Disabled or not configured<br>**(default)** | 0 | 0 | Prevented. Use the search engine specified in App settings.<p><p>If you enabled this policy and now want to disable it, all previously configured search engines get removed. |  |
|
||||||
| Enabled | 1 | 1 | Allowed. Add up to five additional search engines and set any one of them as the default.<p><p>For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). | |
|
| Enabled | 1 | 1 | Allowed. Add up to five additional search engines and set any one of them as the default.<p><p>For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
|||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|--------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------|:------------------------------------------------:|
|
|--------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled | 0 | 0 | Load and run Adobe Flash content automatically. | |
|
| Disabled | 0 | 0 | Load and run Adobe Flash content automatically. | |
|
||||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Do not load or run Adobe Flash content and require action from the user. |  |
|
| Enabled or not configured<br>**(default)** | 1 | 1 | Do not load or run Adobe Flash content and require action from the user. |  |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
|||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------|:-----:|:--------:|-----------------------------------|:------------------------------------------------:|
|
|---------------------------------|:-----:|:--------:|-----------------------------------|:------------------------------------------------:|
|
||||||
| Not configured<br>**(default)** | Blank | Blank | Users can choose to use Autofill. | |
|
| Not configured<br>**(default)** | Blank | Blank | Users can choose to use Autofill. | |
|
||||||
| Disabled | 0 | no | Prevented. |  |
|
| Disabled | 0 | no | Prevented. |  |
|
||||||
| Enabled | 1 | yes | Allowed. | |
|
| Enabled | 1 | yes | Allowed. | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -29,7 +29,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|-----------------------------------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|-----------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | 0 | 0 | No data collected or sent |  |
|
| Disabled or not configured<br>**(default)** | 0 | 0 | No data collected or sent |  |
|
||||||
| Enabled | 1 | 1 | Send intranet history only | |
|
| Enabled | 1 | 1 | Send intranet history only | |
|
||||||
| Enabled | 2 | 2 | Send Internet history only | |
|
| Enabled | 2 | 2 | Send Internet history only | |
|
||||||
| Enabled | 3 | 3 | Send both intranet and Internet history | |
|
| Enabled | 3 | 3 | Send both intranet and Internet history | |
|
||||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|-----------------------------------------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|-----------------------------------------------|:------------------------------------------------:|
|
||||||
| Enabled | 0 | 0 | Block all cookies from all sites. |  |
|
| Enabled | 0 | 0 | Block all cookies from all sites. |  |
|
||||||
| Enabled | 1 | 1 | Block only coddies from third party websites. | |
|
| Enabled | 1 | 1 | Block only coddies from third party websites. | |
|
||||||
| Disabled or not configured<br>**(default)** | 2 | 2 | Allow all cookies from all sites. | |
|
| Disabled or not configured<br>**(default)** | 2 | 2 | Allow all cookies from all sites. | |
|
||||||
|
|
||||||
|
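Review bot: the value 1 row reads "Block only coddies from third party websites." in the unchanged context on both sides of this hunk. Since the table is being edited here anyway, correct it to "Block only cookies from third-party websites." so the description of the setting is searchable and unambiguous.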
@ -20,7 +20,7 @@ ms:topic: include
|
|||||||
|---------------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
|---------------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Not configured<br>**(default)** | Blank | Blank | Do not send tracking information but let users choose to send tracking information to sites they visit. | |
|
| Not configured<br>**(default)** | Blank | Blank | Do not send tracking information but let users choose to send tracking information to sites they visit. | |
|
||||||
| Disabled | 0 | 0 | Never send tracking information. | |
|
| Disabled | 0 | 0 | Never send tracking information. | |
|
||||||
| Enabled | 1 | 1 | Send tracking information. |  |
|
| Enabled | 1 | 1 | Send tracking information. |  |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| | |
|
| | |
|
||||||
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------|
|
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------|
|
||||||
| **Single-app**<p><a href="../images/Picture1.png" alt="Full-sized view single-app digital/interactive signage" target="_blank"></a><p>**Digital/interactive signage**<p>Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data.<ul><li>**Digital signage** does not require user interaction.<p>***Example.*** Use digital signage for things like a rotating advertisement or menu.<p></li><li>**Interactive signage**, on the other hand, requires user interaction within the page but doesn’t allow for any other uses, such as browsing the internet.<p>***Example.*** Use interactive signage for things like a building business directory or restaurant order/pay station.</li></ul><p>**Policy setting** = Not configured (0 default)<p> | <p> <p><a href="../images/Picture2.png" alt="Full-sized view single-app public browsing" target="_blank"></a> <p><strong>Public browsing</strong><p>Runs a limited multi-tab version of Microsoft Edge, protecting user data. Microsoft Edge is the only app users can use on the device, preventing them from customizing Microsoft Edge. Users can only browse publically or end their browsing session.<p>The single-app public browsing mode is the only kiosk mode that has an <strong>End session</strong> button. Microsoft Edge also resets the session after a specified time of user inactivity. Both restart Microsoft Edge and clear the user’s session.<p><em><strong>Example.</strong></em> A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps. <p><strong>Policy setting</strong> = Enabled (1) |
|
| **Single-app**<p><a href="/images/Picture1.png" alt="Full-sized view single-app digital/interactive signage" target="_blank"></a><p>**Digital/interactive signage**<p>Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data.<ul><li>**Digital signage** does not require user interaction.<p>***Example.*** Use digital signage for things like a rotating advertisement or menu.<p></li><li>**Interactive signage**, on the other hand, requires user interaction within the page but doesn’t allow for any other uses, such as browsing the internet.<p>***Example.*** Use interactive signage for things like a building business directory or restaurant order/pay station.</li></ul><p>**Policy setting** = Not configured (0 default)<p> | <p> <p><a href="/images/Picture2.png" alt="Full-sized view single-app public browsing" target="_blank"></a> <p><strong>Public browsing</strong><p>Runs a limited multi-tab version of Microsoft Edge, protecting user data. Microsoft Edge is the only app users can use on the device, preventing them from customizing Microsoft Edge. Users can only browse publically or end their browsing session.<p>The single-app public browsing mode is the only kiosk mode that has an <strong>End session</strong> button. Microsoft Edge also resets the session after a specified time of user inactivity. Both restart Microsoft Edge and clear the user’s session.<p><em><strong>Example.</strong></em> A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps. <p><strong>Policy setting</strong> = Enabled (1) |
|
||||||
| **Multi-app**<p><a href="../images/Picture5.png" alt="Full-sized view multi-app normal browsing" target="_blank"></a><p>**Normal browsing**<p>Runs a full-version of Microsoft Edge with all browsing features and preserves the user data and state between sessions.<p>Some features may not work depending on what other apps you have configured in assigned access. For example, installing extensions or books from the Microsoft store are not allowed if the store is not available. Also, if Internet Explorer 11 is set up in assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.<p>**Policy setting** = Not configured (0 default) | <p> <p><a href="../images/Picture6.png" alt="Full-sized view multi-app public browsing" target="_blank"></a><p><strong>Public browsing</strong><p>Runs a multi-tab version of Microsoft Edge InPrivate with a tailored experience for kiosks that runs in full-screen mode. Users can open and close Microsoft Edge and launch other apps if allowed by assigned access. Instead of an End session button to clear their browsing session, the user closes Microsoft Edge normally.<p>In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. <p><em><strong>Example.</strong></em> A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.<p><strong>Policy setting</strong> = Enabled (1) |
|
| **Multi-app**<p><a href="/images/Picture5.png" alt="Full-sized view multi-app normal browsing" target="_blank"></a><p>**Normal browsing**<p>Runs a full-version of Microsoft Edge with all browsing features and preserves the user data and state between sessions.<p>Some features may not work depending on what other apps you have configured in assigned access. For example, installing extensions or books from the Microsoft store are not allowed if the store is not available. Also, if Internet Explorer 11 is set up in assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.<p>**Policy setting** = Not configured (0 default) | <p> <p><a href="/images/Picture6.png" alt="Full-sized view multi-app public browsing" target="_blank"></a><p><strong>Public browsing</strong><p>Runs a multi-tab version of Microsoft Edge InPrivate with a tailored experience for kiosks that runs in full-screen mode. Users can open and close Microsoft Edge and launch other apps if allowed by assigned access. Instead of an End session button to clear their browsing session, the user closes Microsoft Edge normally.<p>In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. <p><em><strong>Example.</strong></em> A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.<p><strong>Policy setting</strong> = Enabled (1) |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
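Review bot: In the single-app **Public browsing** cell, the example sentence says the mode "provides access to Microsoft Edge and other apps", which contradicts the statement earlier in the same cell that "Microsoft Edge is the only app users can use on the device". It reads as copied from the multi-app row and should describe a single-app scenario instead. While these rows are being touched, "publically" should be "publicly", and the `alt` attributes on the `<a>` elements have no effect because the alt text belongs on the image. The links also move from `../images/Picture1.png` to the root-relative `/images/Picture1.png`, so please confirm in a build preview that they resolve from every page that includes this file.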
@ -19,7 +19,7 @@ ms:topic: include
|
|||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|--------------------------|:-----:|:--------:|--------------------------------------------------------|:------------------------------------------------:|
|
|--------------------------|:-----:|:--------:|--------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Not configured | Blank | Blank | Users can choose to save and manage passwords locally. | |
|
| Not configured | Blank | Blank | Users can choose to save and manage passwords locally. | |
|
||||||
| Disabled | 0 | no | Not allowed. |  |
|
| Disabled | 0 | no | Not allowed. |  |
|
||||||
| Enabled<br>**(default)** | 1 | yes | Allowed. | |
|
| Enabled<br>**(default)** | 1 | yes | Allowed. | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -20,7 +20,7 @@ ms:topic: include
|
|||||||
|---------------------------|:-----:|:--------:|-------------------------------------------------|:------------------------------------------------:|
|
|---------------------------|:-----:|:--------:|-------------------------------------------------|:------------------------------------------------:|
|
||||||
| Not configured | Blank | Blank | Users can choose to use Pop-up Blocker. | |
|
| Not configured | Blank | Blank | Users can choose to use Pop-up Blocker. | |
|
||||||
| Disabled<br>**(default)** | 0 | 0 | Turned off. Allow pop-up windows to open. | |
|
| Disabled<br>**(default)** | 0 | 0 | Turned off. Allow pop-up windows to open. | |
|
||||||
| Enabled | 1 | 1 | Turned on. Prevent pop-up windows from opening. |  |
|
| Enabled | 1 | 1 | Turned on. Prevent pop-up windows from opening. |  |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
|||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------|:-----:|:--------:|---------------------------------------------|:------------------------------------------------:|
|
|---------------------------------|:-----:|:--------:|---------------------------------------------|:------------------------------------------------:|
|
||||||
| Not configured<br>**(default)** | Blank | Blank | Users can choose to see search suggestions. | |
|
| Not configured<br>**(default)** | Blank | Blank | Users can choose to see search suggestions. | |
|
||||||
| Disabled | 0 | 0 | Prevented. Hide the search suggestions. |  |
|
| Disabled | 0 | 0 | Prevented. Hide the search suggestions. |  |
|
||||||
| Enabled | 1 | 1 | Allowed. Show the search suggestions. | |
|
| Enabled | 1 | 1 | Allowed. Show the search suggestions. | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
@ -20,13 +20,13 @@ ms:topic: include
|
|||||||
|----------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
|----------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Not configured | Blank | Blank | Users can choose to use Windows Defender SmartScreen. | |
|
| Not configured | Blank | Blank | Users can choose to use Windows Defender SmartScreen. | |
|
||||||
| Disabled | 0 | 0 | Turned off. Do not protect users from potential threats and prevent users from turning it on. | |
|
| Disabled | 0 | 0 | Turned off. Do not protect users from potential threats and prevent users from turning it on. | |
|
||||||
| Enabled | 1 | 1 | Turned on. Protect users from potential threats and prevent users from turning it off. |  |
|
| Enabled | 1 | 1 | Turned on. Protect users from potential threats and prevent users from turning it off. |  |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
To verify Windows Defender SmartScreen is turned off (disabled):
|
To verify Windows Defender SmartScreen is turned off (disabled):
|
||||||
1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
|
1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
|
||||||
2. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is disabled.<p>
|
2. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is disabled.<p>
|
||||||
|
|
||||||
|
|
||||||
### ADMX info and settings
|
### ADMX info and settings
|
||||||
|
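Review bot: The verification steps in the trailing context only cover the disabled state ("To verify Windows Defender SmartScreen is turned off (disabled)"), while the table marks **Enabled** as the most restricted value, so an administrator applying the recommended setting has no matching check. Suggest adding the equivalent steps for the enabled state, where the toggle should be on and not changeable by the user. None of the three rows carries the **(default)** marker that the sibling tables in this commit use, and the quoted setting name "malicious sites and download with SmartScreen Filter" should be checked against the UI string.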
@ -18,7 +18,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|----------------|:---:|:--------:|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
|----------------|:---:|:--------:|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Not configured | 0 | 0 | Locked. Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy are not editable. |  |
|
| Not configured | 0 | 0 | Locked. Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy are not editable. |  |
|
||||||
| Enabled | 1 | 1 | Unlocked. Users can make changes to all configured start pages.<p><p>When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | |
|
| Enabled | 1 | 1 | Unlocked. Users can make changes to all configured start pages.<p><p>When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
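Review bot: The Enabled row's second sentence is hard to act on: "When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy." It names one policy as the place the URLs are defined and another as the place they are read from, without saying which wins when both are set. Please state the precedence explicitly. In the first row, "configured in either ... and ..." should be "either ... or ...", and the row is labelled only "Not configured" for value 0, which leaves the explicit Disabled state undocumented, unlike the "Disabled or not configured" rows in the other tables.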
@ -19,7 +19,7 @@ ms:topic: include
|
|||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed/turned on. Users can choose what to sync to their device. | |
|
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed/turned on. Users can choose what to sync to their device. | |
|
||||||
| Enabled | 2 | 2 | Prevented/turned off. Disables the *Sync your Settings* toggle and prevents syncing. |  |
|
| Enabled | 2 | 2 | Prevented/turned off. Disables the *Sync your Settings* toggle and prevents syncing. |  |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
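Review bot: The Enabled row lists 2 for both MDM and Registry, where every other table in this commit uses 1 for the enabled state. If 2 is the real value for both columns, a short note in the description would stop readers from "correcting" it. If the MDM and registry values differ for this policy, the columns should not share a number.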
@ -19,7 +19,7 @@ ms:topic: include
|
|||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|------------------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Turned off/not syncing | |
|
| Disabled or not configured<br>**(default)** | 0 | 0 | Turned off/not syncing | |
|
||||||
| Enabled | 1 | 1 | Turned on/syncing |  |
|
| Enabled | 1 | 1 | Turned on/syncing |  |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
|||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed | |
|
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed | |
|
||||||
| Enabled | 1 | 1 | Prevented |  |
|
| Enabled | 1 | 1 | Prevented |  |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
|||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). | |
|
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). | |
|
||||||
| Enabled | 1 | 1 | Prevented/turned on. |  |
|
| Enabled | 1 | 1 | Prevented/turned on. |  |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
|||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to the site. | |
|
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to the site. | |
|
||||||
| Enabled | 1 | 1 | Prevented/turned on. |  |
|
| Enabled | 1 | 1 | Prevented/turned on. |  |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
|||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed/turned on. Override the security warning to sites that have SSL errors. | |
|
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed/turned on. Override the security warning to sites that have SSL errors. | |
|
||||||
| Enabled | 1 | 1 | Prevented/turned on. |  |
|
| Enabled | 1 | 1 | Prevented/turned on. |  |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
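Review bot: Both rows describe the state as "turned on" ("Allowed/turned on. Override the security warning ..." and "Prevented/turned on."), so the table does not say what changes between 0 and 1. Since this policy controls whether users can click through certificate errors, the Enabled row should say so directly, for example "Prevented/turned on. Users cannot override the security warning for sites that have SSL errors." The Disabled row should then be worded to match the sibling SmartScreen override tables, which use "Allowed/turned off".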
@ -19,7 +19,7 @@ ms:topic: include
|
|||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed/unlocked. Users can add, import, and make changes to the Favorites list. | |
|
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed/unlocked. Users can add, import, and make changes to the Favorites list. | |
|
||||||
| Enabled | 1 | 1 | Prevented/locked down. |  |
|
| Enabled | 1 | 1 | Prevented/locked down. |  |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
|||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|--------------------------------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|--------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed. Load the First Run webpage. | |
|
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed. Load the First Run webpage. | |
|
||||||
| Enabled | 1 | 1 | Prevented. |  |
|
| Enabled | 1 | 1 | Prevented. |  |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
|||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|--------------------------------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|--------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Collect and send Live Tile metadata. | |
|
| Disabled or not configured<br>**(default)** | 0 | 0 | Collect and send Live Tile metadata. | |
|
||||||
| Enabled | 1 | 1 | Do not collect data. |  |
|
| Enabled | 1 | 1 | Do not collect data. |  |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
|||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|---------------------------------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|---------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed. Show localhost IP addresses. | |
|
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed. Show localhost IP addresses. | |
|
||||||
| Enabled | 1 | 1 | Prevented. |  |
|
| Enabled | 1 | 1 | Prevented. |  |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -23,7 +23,7 @@ ms:topic: include
|
|||||||
| Group Policy | Description | Most restricted |
|
| Group Policy | Description | Most restricted |
|
||||||
|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | |
|
| Disabled or not configured<br>**(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | |
|
||||||
| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.<p>To define a default list of favorites, do the following:<ol><li>In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.</li><li>Click **Import from another browser**, click **Export to file** and save the file.</li><li>In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as: <ul><li>HTTP location: "SiteList"=<https://localhost:8080/URLs.html></li><li>Local network: "SiteList"="\network\shares\URLs.html"</li><li>Local file: "SiteList"=file:///c:/Users/Documents/URLs.html</li></ul></li></ol> |  |
|
| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.<p>To define a default list of favorites, do the following:<ol><li>In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.</li><li>Click **Import from another browser**, click **Export to file** and save the file.</li><li>In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as: <ul><li>HTTP location: "SiteList"=<https://localhost:8080/URLs.html></li><li>Local network: "SiteList"="\network\shares\URLs.html"</li><li>Local file: "SiteList"=file:///c:/Users/Documents/URLs.html</li></ul></li></ol> |  |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
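Review bot: In the Enabled row, the local network example `"SiteList"="\network\shares\URLs.html"` has a single leading backslash, so it is not a UNC path as written. The other path in this commit that needs literal backslashes doubles them (`Computer Configuration\\Administrative Templates\\...`), so this one probably needs escaping in the source to render as `\\network\shares\URLs.html`. The three examples are also inconsistent: the one labelled "HTTP location" uses an `https://` URL in angle brackets, the local file value is unquoted while the network one is quoted, and "the location that points the file" is missing "to". Because this file provisions a locked favorites list, it is worth saying that the location should be one that ordinary users cannot write to.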
@ -22,7 +22,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. |  |
|
| Disabled or not configured<br>**(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. |  |
|
||||||
| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.<p><p>Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.<ol><li>In Group Policy Editor, navigate to:<p><p>**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**</li><li>Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.<p><p>A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.</li></ol> | |
|
| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.<p><p>Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.<ol><li>In Group Policy Editor, navigate to:<p><p>**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**</li><li>Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.<p><p>A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.</li></ol> | |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
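Review bot: The Enabled row contradicts itself on scope, opening with "Only intranet sites open in Internet Explorer 11 automatically" and then saying the policy "opens all intranet sites in IE11 automatically". Please pick one wording, presumably that all intranet sites, and only those, open in IE11. Step 1 also sends the reader to **File Explorer\\Set a default associations configuration file** without explaining why a file-association policy is part of this procedure or which file to supply. Add a sentence giving the reason and the expected file, or link to the topic that covers it.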
@ -20,7 +20,7 @@ ms:topic: include
|
|||||||
|---------------------------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
|---------------------------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Not configured<br>**(default)** | Blank | Blank | Use the search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../group-policies/search-engine-customization-gp.md#allow-search-engine-customization) policy, users cannot make changes. | |
|
| Not configured<br>**(default)** | Blank | Blank | Use the search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../group-policies/search-engine-customization-gp.md#allow-search-engine-customization) policy, users cannot make changes. | |
|
||||||
| Disabled | 0 | 0 | Remove or don't use the policy-set search engine and use the search engine for the market, letting users make changes. | |
|
| Disabled | 0 | 0 | Remove or don't use the policy-set search engine and use the search engine for the market, letting users make changes. | |
|
||||||
| Enabled | 1 | 1 | Use the policy-set search engine specified in the OpenSearch XML file, preventing users from making changes.<p><p>Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.<p><p>If you want your users to use the default Microsoft Edge settings for each market, then set the string to **EDGEDEFAULT**.<p><p>If you would like your users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. |  |
|
| Enabled | 1 | 1 | Use the policy-set search engine specified in the OpenSearch XML file, preventing users from making changes.<p><p>Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.<p><p>If you want your users to use the default Microsoft Edge settings for each market, then set the string to **EDGEDEFAULT**.<p><p>If you would like your users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. |  |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -21,7 +21,7 @@ ms:topic: include
|
|||||||
|
|
||||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||||
|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||||
| Disabled or not configured<br>**(default)** | 0 | 0 | No additional message displays. |  |
|
| Disabled or not configured<br>**(default)** | 0 | 0 | No additional message displays. |  |
|
||||||
| Enabled | 1 | 1 | Show an additional message stating that a site has opened in IE11. | |
|
| Enabled | 1 | 1 | Show an additional message stating that a site has opened in IE11. | |
|
||||||
| Enabled | 2 | 2 | Show an additional message with a *Keep going in Microsoft Edge* link to allow users to open the site in Microsoft Edge. | |
|
| Enabled | 2 | 2 | Show an additional message with a *Keep going in Microsoft Edge* link to allow users to open the site in Microsoft Edge. | |
|
||||||
|
|
||||||
|
@ -37,7 +37,7 @@ Note that the local admin account information is not backed by any directory ser
|
|||||||
|
|
||||||
### Domain join the device to Active Directory (AD)
|
### Domain join the device to Active Directory (AD)
|
||||||
|
|
||||||
You can domain join the Surface Hub to your AD domain to allow users from a specified security group to configure settings. During first run, choose to use [Active Directory Domain Services](first-run-program-surface-hub.md#a-href-iduse-active-directoryause-active-directory-domain-services). You'll need to provide credentials that are capable of joining the domain of your choice, and the name of an existing security group. Anyone who is a member of that security group can enter their credentials and unlock Settings.
|
You can domain join the Surface Hub to your AD domain to allow users from a specified security group to configure settings. During first run, choose to use [Active Directory Domain Services](first-run-program-surface-hub.md#use-active-directory-domain-services). You'll need to provide credentials that are capable of joining the domain of your choice, and the name of an existing security group. Anyone who is a member of that security group can enter their credentials and unlock Settings.
|
||||||
|
|
||||||
#### What happens when you domain join your Surface Hub?
|
#### What happens when you domain join your Surface Hub?
|
||||||
Surface Hubs use domain join to:
|
Surface Hubs use domain join to:
|
||||||
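Review bot: the new link fragment `#use-active-directory-domain-services` only resolves if the matching heading in first-run-program-surface-hub.md no longer carries the inline anchor markup that produced the old `#a-href-iduse-active-directoryause-active-directory-domain-services` slug. That file is not part of this hunk, so confirm the heading was cleaned up in the same change. Otherwise the link silently lands at the top of the first-run page.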
@ -53,7 +53,7 @@ Surface Hub does not support applying group policies or certificates from the do
|
|||||||
|
|
||||||
### Azure Active Directory (Azure AD) join the device
|
### Azure Active Directory (Azure AD) join the device
|
||||||
|
|
||||||
You can Azure AD join the Surface Hub to allow IT pros from your Azure AD tenant to configure settings. During first run, choose to use [Microsoft Azure Active Directory](first-run-program-surface-hub.md#a-href-iduse-microsoft-azureause-microsoft-azure-active-directory). You will need to provide credentials that are capable of joining the Azure AD tenant of your choice. After you successfully Azure AD join, the appropriate people will be granted admin rights on the device.
|
You can Azure AD join the Surface Hub to allow IT pros from your Azure AD tenant to configure settings. During first run, choose to use [Microsoft Azure Active Directory](first-run-program-surface-hub.md#use-microsoft-azure-active-directory). You will need to provide credentials that are capable of joining the Azure AD tenant of your choice. After you successfully Azure AD join, the appropriate people will be granted admin rights on the device.
|
||||||
|
|
||||||
By default, all **global administrators** will be given admin rights on an Azure AD joined Surface Hub. With **Azure AD Premium** or **Enterprise Mobility Suite (EMS)**, you can add additional administrators:
|
By default, all **global administrators** will be given admin rights on an Azure AD joined Surface Hub. With **Azure AD Premium** or **Enterprise Mobility Suite (EMS)**, you can add additional administrators:
|
||||||
1. In the [Azure classic portal](https://manage.windowsazure.com/), click **Active Directory**, and then click the name of your organization's directory.
|
1. In the [Azure classic portal](https://manage.windowsazure.com/), click **Active Directory**, and then click the name of your organization's directory.
|
||||||
|
@ -29,7 +29,7 @@ There are two administrative options you can use to manage SEMM and enrolled Sur
|
|||||||
|
|
||||||
The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages or WinPE images that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied.
|
The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages or WinPE images that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
*Figure 1. Microsoft Surface UEFI Configurator*
|
*Figure 1. Microsoft Surface UEFI Configurator*
|
||||||
|
|
||||||
@ -51,7 +51,7 @@ You can download Microsoft Surface UEFI Configurator from the [Surface Tools for
|
|||||||
|
|
||||||
Surface UEFI configuration packages are the primary mechanism to implement and manage SEMM on Surface devices. These packages contain a configuration file of UEFI settings specified during creation of the package in Microsoft Surface UEFI Configurator and a certificate file, as shown in Figure 2. When a configuration package is run for the first time on a Surface device that is not already enrolled in SEMM, it provisions the certificate file in the device’s firmware and enrolls the device in SEMM. When enrolling a device in SEMM, you will be prompted to confirm the operation by providing the last two digits of the SEMM certificate thumbprint before the certificate file is stored and the enrollment can complete. This confirmation requires that a user be present at the device at the time of enrollment to perform the confirmation.
|
Surface UEFI configuration packages are the primary mechanism to implement and manage SEMM on Surface devices. These packages contain a configuration file of UEFI settings specified during creation of the package in Microsoft Surface UEFI Configurator and a certificate file, as shown in Figure 2. When a configuration package is run for the first time on a Surface device that is not already enrolled in SEMM, it provisions the certificate file in the device’s firmware and enrolls the device in SEMM. When enrolling a device in SEMM, you will be prompted to confirm the operation by providing the last two digits of the SEMM certificate thumbprint before the certificate file is stored and the enrollment can complete. This confirmation requires that a user be present at the device at the time of enrollment to perform the confirmation.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
*Figure 2. Secure a SEMM configuration package with a certificate*
|
*Figure 2. Secure a SEMM configuration package with a certificate*
|
||||||
|
|
||||||
@ -64,11 +64,11 @@ After a device is enrolled in SEMM, the configuration file is read and the setti
|
|||||||
|
|
||||||
You can use Surface UEFI settings to enable or disable the operation of individual components, such as cameras, wireless communication, or docking USB port (as shown in Figure 3), and configure advanced settings (as shown in Figure 4).
|
You can use Surface UEFI settings to enable or disable the operation of individual components, such as cameras, wireless communication, or docking USB port (as shown in Figure 3), and configure advanced settings (as shown in Figure 4).
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
*Figure 3. Enable or disable devices in Surface UEFI with SEMM*
|
*Figure 3. Enable or disable devices in Surface UEFI with SEMM*
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
*Figure 4. Configure advanced settings with SEMM*
|
*Figure 4. Configure advanced settings with SEMM*
|
||||||
|
|
||||||
@ -102,13 +102,13 @@ You can configure the following advanced settings with SEMM:
|
|||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5.
|
>When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
*Figure 5. Display of the last two characters of the certificate thumbprint on the Successful page*
|
*Figure 5. Display of the last two characters of the certificate thumbprint on the Successful page*
|
||||||
|
|
||||||
These characters are the last two characters of the certificate thumbprint and should be written down or recorded. The characters are required to confirm enrollment in SEMM on a Surface device, as shown in Figure 6.
|
These characters are the last two characters of the certificate thumbprint and should be written down or recorded. The characters are required to confirm enrollment in SEMM on a Surface device, as shown in Figure 6.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
*Figure 6. Enrollment confirmation in SEMM with the SEMM certificate thumbprint*
|
*Figure 6. Enrollment confirmation in SEMM with the SEMM certificate thumbprint*
|
||||||
|
|
||||||
@ -134,7 +134,7 @@ A Surface UEFI reset package is used to perform only one task — to unenroll a
|
|||||||
|
|
||||||
In some scenarios, it may be impossible to use a Surface UEFI reset package. (For example, if Windows becomes unusable on the Surface device.) In these scenarios you can unenroll the Surface device from SEMM through the **Enterprise Management** page of Surface UEFI (shown in Figure 7) with a Recovery Request operation.
|
In some scenarios, it may be impossible to use a Surface UEFI reset package. (For example, if Windows becomes unusable on the Surface device.) In these scenarios you can unenroll the Surface device from SEMM through the **Enterprise Management** page of Surface UEFI (shown in Figure 7) with a Recovery Request operation.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
*Figure 7. Initiate a SEMM recovery request on the Enterprise Management page*
|
*Figure 7. Initiate a SEMM recovery request on the Enterprise Management page*
|
||||||
|
|
||||||
|
@ -1055,6 +1055,7 @@ Prior to deployment of Windows 10, ensure that you complete the tasks listed in
|
|||||||
| | Notify the students and faculty about the deployment. |
|
| | Notify the students and faculty about the deployment. |
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
|
|
||||||
### Perform the deployment
|
### Perform the deployment
|
||||||
|
|
||||||
Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated.
|
Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated.
|
||||||
|
@ -21,8 +21,8 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
|
|||||||
|
|
||||||
Use the following tables for more information about installing the App-V 5.0 server using the command line.
|
Use the following tables for more information about installing the App-V 5.0 server using the command line.
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>The information in the following tables can also be accessed using the command line by typing the following command:
|
> The information in the following tables can also be accessed using the command line by typing the following command:
|
||||||
>```
|
>```
|
||||||
> appv\_server\_setup.exe /?
|
> appv\_server\_setup.exe /?
|
||||||
>```
|
>```
|
||||||
|
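Review bot: the command inside the fenced block of this note is still written as `appv\_server\_setup.exe /?`. Backslash escapes are literal inside a code fence, so readers will see and copy the backslashes. Since the note is being edited anyway, change it to `appv_server_setup.exe /?`. Only the first body line gained the space after `>`, so the fence and command lines should be aligned to the same style.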
@ -19,8 +19,8 @@ ms.date: 08/30/2016
|
|||||||
|
|
||||||
Microsoft Diagnostics and Recovery Toolset (DaRT) 10 requires thorough planning before you deploy it or use its features. If you are new to this product, we recommend that you read the documentation carefully. Before you deploy the product to a production environment, we also recommend that you validate your deployment plan in a test network environment. You might also consider taking a class about relevant technologies.
|
Microsoft Diagnostics and Recovery Toolset (DaRT) 10 requires thorough planning before you deploy it or use its features. If you are new to this product, we recommend that you read the documentation carefully. Before you deploy the product to a production environment, we also recommend that you validate your deployment plan in a test network environment. You might also consider taking a class about relevant technologies.
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>A downloadable version of this administrator’s guide is not available. However, you can click **Download PDF** at the bottom of the Table of Contents pane to get a PDF version of this guide.
|
> A downloadable version of this administrator’s guide is not available. However, you can click **Download PDF** at the bottom of the Table of Contents pane to get a PDF version of this guide.
|
||||||
>
|
>
|
||||||
>Additional information about this product can also be found on the [Diagnostics and Recovery Toolset documentation download page.](https://www.microsoft.com/download/details.aspx?id=27754)
|
>Additional information about this product can also be found on the [Diagnostics and Recovery Toolset documentation download page.](https://www.microsoft.com/download/details.aspx?id=27754)
|
||||||
|
|
||||||
|
@ -51,7 +51,7 @@ The changes in App-V for Windows 10, version 1607 impact existing implementation
|
|||||||
* The App-V client is installed on user devices automatically with Windows 10, version 1607, and no longer has to be deployed separately. Performing an in-place upgrade to Windows 10, version 1607, on user devices automatically installs the App-V client.
|
* The App-V client is installed on user devices automatically with Windows 10, version 1607, and no longer has to be deployed separately. Performing an in-place upgrade to Windows 10, version 1607, on user devices automatically installs the App-V client.
|
||||||
* In previous releases of App-V, the application sequencer was included in the Microsoft Desktop Optimization Pack. Although you’ll need to use the new application sequencer to create new virtualized applications, existing virtualized applications will continue to work. The App-V application sequencer is available from the [Windows 10 Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
|
* In previous releases of App-V, the application sequencer was included in the Microsoft Desktop Optimization Pack. Although you’ll need to use the new application sequencer to create new virtualized applications, existing virtualized applications will continue to work. The App-V application sequencer is available from the [Windows 10 Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release.
|
>If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release.
|
||||||
|
|
||||||
For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10, see [Upgrading to App-V for Windows 10 from an existing installation](../app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md) and [Migrating to App-V for Windows 10 from a previous version](../app-v/appv-migrating-to-appv-from-a-previous-version.md).
|
For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10, see [Upgrading to App-V for Windows 10 from an existing installation](../app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md) and [Migrating to App-V for Windows 10 from a previous version](../app-v/appv-migrating-to-appv-from-a-previous-version.md).
|
||||||
|
@ -411,14 +411,14 @@ The process then configures the client for package or connection group additions
|
|||||||
|
|
||||||
5. Remove objects that are not published to the target (user or machine).
|
5. Remove objects that are not published to the target (user or machine).
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>This will not perform a package deletion but rather remove integration points for the specific target (user or machine) and remove user catalog files (machine catalog files for globally published).
|
>This will not perform a package deletion but rather remove integration points for the specific target (user or machine) and remove user catalog files (machine catalog files for globally published).
|
||||||
|
|
||||||
6. Invoke background load mounting based on client configuration.
|
6. Invoke background load mounting based on client configuration.
|
||||||
|
|
||||||
7. Packages that already have publishing information for the machine or user are immediately restored.
|
7. Packages that already have publishing information for the machine or user are immediately restored.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>This condition occurs as a product of removal without unpublishing with background addition of the package.
|
>This condition occurs as a product of removal without unpublishing with background addition of the package.
|
||||||
|
|
||||||
This completes an App-V package add for the publishing refresh process. The next step is publishing the package to a specific target (machine or user).
|
This completes an App-V package add for the publishing refresh process. The next step is publishing the package to a specific target (machine or user).
|
||||||
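Review bot: the notes after steps 5 and 7 end up in mixed style. The marker line becomes `> [!NOTE]`, but the body lines stay `>This will not perform a package deletion ...` and `>This condition occurs ...`. Add the space after `>` on the body lines as well, so each note uses one convention throughout.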
@ -447,7 +447,7 @@ During the Publishing Refresh operation, the specific publishing operation, **Pu
|
|||||||
|
|
||||||
2. Store backup information in the user’s registry and roaming profile (Shortcut Backups).
|
2. Store backup information in the user’s registry and roaming profile (Shortcut Backups).
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>This enables restore extension points if the package is unpublished.
|
>This enables restore extension points if the package is unpublished.
|
||||||
|
|
||||||
3. Run scripts targeted for publishing timing.
|
3. Run scripts targeted for publishing timing.
|
||||||
|
@ -34,8 +34,8 @@ Use the following procedure to configure access to virtualized packages.
|
|||||||
|
|
||||||
1. Using the format **mydomain** \\ **groupname**, enter the name or part of the name of an Active Directory group object, then select **Check**.
|
1. Using the format **mydomain** \\ **groupname**, enter the name or part of the name of an Active Directory group object, then select **Check**.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>Ensure that you provide an associated domain name for the group that you are searching for.
|
> Ensure that you provide an associated domain name for the group that you are searching for.
|
||||||
|
|
||||||
3. Grant access to the package by first selecting the desired group, then selecting **Grant Access**. The newly added group is displayed in the **AD entities with access** pane.
|
3. Grant access to the package by first selecting the desired group, then selecting **Grant Access**. The newly added group is displayed in the **AD entities with access** pane.
|
||||||
|
|
||||||
|
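Review bot: the steps on either side of this note are numbered `1.` and `3.`, with no step 2 between them in the hunk. Renumber the list while this block is being edited, or restore the missing step if one was dropped. The note itself is fine: both of its lines now use `> `.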
@ -93,7 +93,7 @@ You can use the connection group file to configure each connection group by usin
|
|||||||
|
|
||||||
- Specify runtime priorities for connection groups. To edit priority by using the App-V Management Console, select the connection group and then select **Edit**.
|
- Specify runtime priorities for connection groups. To edit priority by using the App-V Management Console, select the connection group and then select **Edit**.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>A package only requires priority if it's associated with more than one connection group.
|
>A package only requires priority if it's associated with more than one connection group.
|
||||||
- Specify package precedence within the connection group.
|
- Specify package precedence within the connection group.
|
||||||
|
|
||||||
|
@ -54,7 +54,7 @@ The App-V package converter will save the App-V 4.6 installation root folder and
|
|||||||
|
|
||||||
Additionally, the package converter optimizes performance of packages in App-V for Windows 10 by setting the package to stream fault the App-V package. This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default.
|
Additionally, the package converter optimizes performance of packages in App-V for Windows 10 by setting the package to stream fault the App-V package. This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>Before you specify the output directory, you must create the output directory.
|
>Before you specify the output directory, you must create the output directory.
|
||||||
|
|
||||||
### Advanced Conversion Tips
|
### Advanced Conversion Tips
|
||||||
|
@ -30,11 +30,8 @@ You can create a dynamic user configuration file with the App-V Management Conso
|
|||||||
|
|
||||||
4. Select **Advanced**, and then select **Export Configuration**. Enter a file name and select **Save**. Now you can edit the file to configure a package for a user.
|
4. Select **Advanced**, and then select **Export Configuration**. Enter a file name and select **Save**. Now you can edit the file to configure a package for a user.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>If you want to export a configuration while running on Windows Server, make sure to disable the IE Enhanced Security Configuration setting. If this setting is enabled and set to block downloads, you won't be able to download anything from the App-V Server.
|
> If you want to export a configuration while running on Windows Server, make sure to disable the IE Enhanced Security Configuration setting. If this setting is enalbed and set to block downloads, you won't be able to download anything from the App-V Server.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
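Review bot: the rewritten note line introduces a typo. "If this setting is enabled" became "If this setting is enalbed" in the same edit that added the space after `>`. Restore "enabled" before merging. Removing the three trailing blank lines before "## Related topics" is fine.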
@ -53,7 +53,7 @@ Use the following procedure to create a package accelerator.
|
|||||||
|
|
||||||
6. On the **Gathering Information** page, review the files that you couldn't find in the location specified by the **Installation Files** page. If the files displayed are not required, select **Remove these files**, then select **Next**. If the files are required, select **Previous** and copy the required files to the directory specified on the **Installation Files** page.
|
6. On the **Gathering Information** page, review the files that you couldn't find in the location specified by the **Installation Files** page. If the files displayed are not required, select **Remove these files**, then select **Next**. If the files are required, select **Previous** and copy the required files to the directory specified on the **Installation Files** page.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>You must either remove the unrequired files or select **Previous** and locate the required files to advance to the next page of this wizard.
|
>You must either remove the unrequired files or select **Previous** and locate the required files to advance to the next page of this wizard.
|
||||||
|
|
||||||
7. On the **Select Files** page, carefully review the detected files. Clear any file the package accelerator doesn't need to run successfully and select only the files that the application requires. When you're done, select **Next**.
|
7. On the **Select Files** page, carefully review the detected files. Clear any file the package accelerator doesn't need to run successfully and select only the files that the application requires. When you're done, select **Next**.
|
||||||
|
@ -40,7 +40,7 @@ Use the following procedure to create a virtual application package with the App
|
|||||||
|
|
||||||
Alternatively, if you have already copied the installation files to a directory on this computer, select **Make New Folder**, browse to the folder that contains the installation files, then select **Next**.
|
Alternatively, if you have already copied the installation files to a directory on this computer, select **Make New Folder**, browse to the folder that contains the installation files, then select **Next**.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>You can specify the following types of supported installation files:
|
>You can specify the following types of supported installation files:
|
||||||
> - Windows Installer files (**.msi**)
|
> - Windows Installer files (**.msi**)
|
||||||
> - Cabinet files (.cab)
|
> - Cabinet files (.cab)
|
||||||
|
@ -27,7 +27,7 @@ You must first create and save a project template, including a virtual app packa
|
|||||||
|
|
||||||
1. On the device running the App-V Sequencer, select **Start**, select **All Programs**, select **Microsoft Application Virtualization**, and then select **Microsoft Application Virtualization Sequencer**.
|
1. On the device running the App-V Sequencer, select **Start**, select **All Programs**, select **Microsoft Application Virtualization**, and then select **Microsoft Application Virtualization Sequencer**.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>If the virtual app package is currently open in the App-V Sequencer console, skip to Step 3 of this procedure.
|
>If the virtual app package is currently open in the App-V Sequencer console, skip to Step 3 of this procedure.
|
||||||
|
|
||||||
2. On the **File** menu, select **Open**, select **Edit Package**, browse for the virtual app package that includes the settings you want to save with the App-V Project Template, and then select **Edit** to change any of the settings or info included in the file.
|
2. On the **File** menu, select **Open**, select **Edit Package**, browse for the virtual app package that includes the settings you want to save with the App-V Project Template, and then select **Edit** to change any of the settings or info included in the file.
|
||||||
|
@ -31,7 +31,7 @@ You can use the App-V Sequencer to perform the following tasks:
|
|||||||
- Upgrade existing packages. You can expand an existing package onto the computer running the sequencer and then upgrade the application to create a newer version.
|
- Upgrade existing packages. You can expand an existing package onto the computer running the sequencer and then upgrade the application to create a newer version.
|
||||||
- Edit configuration information associated with an existing package. For example, you can add a shortcut or modify a file type association.
|
- Edit configuration information associated with an existing package. For example, you can add a shortcut or modify a file type association.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>You must create shortcuts and save them to an available network location to allow roaming. If a shortcut is created and saved in a private location, the package must be published locally to the computer running the App-V client.
|
>You must create shortcuts and save them to an available network location to allow roaming. If a shortcut is created and saved in a private location, the package must be published locally to the computer running the App-V client.
|
||||||
|
|
||||||
- Convert existing virtual packages.
|
- Convert existing virtual packages.
|
||||||
|
@ -54,7 +54,7 @@ ms.topic: article
|
|||||||
| You are using a custom database name. | Select **Custom configuration** and type the database name.<br/>The database name must be unique, or the installation will fail.|
|
| You are using a custom database name. | Select **Custom configuration** and type the database name.<br/>The database name must be unique, or the installation will fail.|
|
||||||
8. On the **Configure** page, accept the default value, **Use this local computer**.
|
8. On the **Configure** page, accept the default value, **Use this local computer**.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>If you're installing the Management server and Management database side-by-side, the appropriate options are selected by default and cannot be changed.
|
>If you're installing the Management server and Management database side-by-side, the appropriate options are selected by default and cannot be changed.
|
||||||
9. On the initial **Create New Reporting Database** page, configure the **Microsoft SQL Server instance** and **Reporting Server database** by selecting the appropriate option below.
|
9. On the initial **Create New Reporting Database** page, configure the **Microsoft SQL Server instance** and **Reporting Server database** by selecting the appropriate option below.
|
||||||
|
|
||||||
@ -64,7 +64,7 @@ ms.topic: article
|
|||||||
| You are using a custom database name. | Select **Custom configuration** and type the database name.<br/>The database name must be unique, or the installation will fail.|
|
| You are using a custom database name. | Select **Custom configuration** and type the database name.<br/>The database name must be unique, or the installation will fail.|
|
||||||
10. On the **Configure** page, accept the default value: **Use this local computer**.
|
10. On the **Configure** page, accept the default value: **Use this local computer**.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>If you're installing the Management server and Management database side-by-side, the appropriate options are selected by default and cannot be changed.
|
>If you're installing the Management server and Management database side-by-side, the appropriate options are selected by default and cannot be changed.
|
||||||
11. On the **Configure** (Management Server Configuration) page, specify the following:
|
11. On the **Configure** (Management Server Configuration) page, specify the following:
|
||||||
|
|
||||||
|
@ -110,7 +110,7 @@ The XML file included in the Office Deployment Tool specifies the product detail
|
|||||||
</Configuration>
|
</Configuration>
|
||||||
```
|
```
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>The configuration XML is a sample XML file. This file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file.
|
>The configuration XML is a sample XML file. This file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file.
|
||||||
|
|
||||||
The previous example of an XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications by specifying licensing in a later stage. For more information, see [Customizable attributes and elements of the XML file](#customizable-attributes-and-elements-of-the-xml-file), later in this topic.
|
The previous example of an XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications by specifying licensing in a later stage. For more information, see [Customizable attributes and elements of the XML file](#customizable-attributes-and-elements-of-the-xml-file), later in this topic.
|
||||||
@ -206,7 +206,7 @@ After you download the Office 2013 applications through the Office Deployment To
|
|||||||
|
|
||||||
An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2013 for some users, and create another package with Office 2013 and Visio 2013 for another set of users.
|
An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2013 for some users, and create another package with Office 2013 and Visio 2013 for another set of users.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>Even if you use unique package IDs, you can still deploy only one App-V package to a single device.
|
>Even if you use unique package IDs, you can still deploy only one App-V package to a single device.
|
||||||
2. Use the **/packager** command to convert the Office applications to an Office 2013 App-V package.
|
2. Use the **/packager** command to convert the Office applications to an Office 2013 App-V package.
|
||||||
|
|
||||||
@ -231,7 +231,7 @@ After you download the Office 2013 applications through the Office Deployment To
|
|||||||
* **App-V Packages**, which contains an Office 2013 App-V package and two deployment configuration files.<br>
|
* **App-V Packages**, which contains an Office 2013 App-V package and two deployment configuration files.<br>
|
||||||
* **WorkingDir**
|
* **WorkingDir**
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>To troubleshoot any issues, see the log files in the %temp% directory (default).
|
>To troubleshoot any issues, see the log files in the %temp% directory (default).
|
||||||
3. Verify that the Office 2013 App-V package works correctly:
|
3. Verify that the Office 2013 App-V package works correctly:
|
||||||
|
|
||||||
|
@ -111,7 +111,7 @@ The XML file included in the Office Deployment Tool specifies the product detail
|
|||||||
</Configuration>
|
</Configuration>
|
||||||
```
|
```
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To uncomment these lines, remove the ```<! - -``` from the beginning of the line, and the ```-- >``` from the end of the line.
|
>The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To uncomment these lines, remove the ```<! - -``` from the beginning of the line, and the ```-- >``` from the end of the line.
|
||||||
|
|
||||||
The previous example of an XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office2016 location where Office applications will be saved. Note that the Product ID of the applications will not affect Office's final licensing. You can create Office 2016 App-V packages with various licensing from the same applications by specifying licensing in a later stage. The following table summarizes the XML file's customizable attributes and elements:
|
The previous example of an XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office2016 location where Office applications will be saved. Note that the Product ID of the applications will not affect Office's final licensing. You can create Office 2016 App-V packages with various licensing from the same applications by specifying licensing in a later stage. The following table summarizes the XML file's customizable attributes and elements:
|
||||||
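Review bot: in the note body of this hunk, the comment markers are written as `<! - -` and `-- >` with embedded spaces, which are not the XML comment delimiters `<!--` and `-->` that actually appear in the configuration file. A reader who searches for the strings as printed will not find them. Since this note is already being edited, correct the two code spans, and add the space after `>` on the body line to match the new marker style.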
@ -190,7 +190,7 @@ After you download the Office 2016 applications through the Office Deployment To
|
|||||||
|
|
||||||
An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.
|
An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>Even if you use unique package IDs, you can still deploy only one App-V package to a single device.
|
>Even if you use unique package IDs, you can still deploy only one App-V package to a single device.
|
||||||
2. Use the /packager command to convert the Office applications to an Office 2016 App-V package.
|
2. Use the /packager command to convert the Office applications to an Office 2016 App-V package.
|
||||||
|
|
||||||
@ -215,7 +215,7 @@ After you download the Office 2016 applications through the Office Deployment To
|
|||||||
* **App-V Packages**—contains an Office 2016 App-V package and two deployment configuration files.
|
* **App-V Packages**—contains an Office 2016 App-V package and two deployment configuration files.
|
||||||
* **WorkingDir**
|
* **WorkingDir**
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>To troubleshoot any issues, see the log files in the %temp% directory (default).
|
>To troubleshoot any issues, see the log files in the %temp% directory (default).
|
||||||
3. Verify that the Office 2016 App-V package works correctly:
|
3. Verify that the Office 2016 App-V package works correctly:
|
||||||
|
|
||||||
@ -359,7 +359,7 @@ To upgrade an Office 2016 package, use the Office Deployment Tool. To upgrade a
|
|||||||
|
|
||||||
1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage.
|
1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>Office App-V packages have two Version IDs:
|
>Office App-V packages have two Version IDs:
|
||||||
>* An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.
|
>* An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.
|
||||||
>* A second App-V Package Version ID, formatted as X.X.X.X, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect the new version of Office. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.
|
>* A second App-V Package Version ID, formatted as X.X.X.X, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect the new version of Office. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.
|
||||||
|
@ -35,7 +35,7 @@ App-V offers the following five server components, each of which serves a specif
|
|||||||
|
|
||||||
* **Management server.** Use the App-V management server and console to manage your App-V infrastructure. See [Administering App-V with the management console](appv-administering-virtual-applications-with-the-management-console.md) for more information about the management server.
|
* **Management server.** Use the App-V management server and console to manage your App-V infrastructure. See [Administering App-V with the management console](appv-administering-virtual-applications-with-the-management-console.md) for more information about the management server.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>If you are using App-V with your electronic software distribution solution, you don’t need to use the management server and console. However, you may want to take advantage of the reporting and streaming capabilities in App-V.
|
>If you are using App-V with your electronic software distribution solution, you don’t need to use the management server and console. However, you may want to take advantage of the reporting and streaming capabilities in App-V.
|
||||||
* **Management database.** Use the App-V management database to facilitate database pre-deployments for App-V management. For more information about the management database, see [How to deploy the App-V server](appv-deploy-the-appv-server.md).
|
* **Management database.** Use the App-V management database to facilitate database pre-deployments for App-V management. For more information about the management database, see [How to deploy the App-V server](appv-deploy-the-appv-server.md).
|
||||||
* **Publishing server.** Use the App-V publishing server to host and stream virtual applications. The publishing server supports the HTTP and HTTPS protocols and does not require a database connection. To learn how to configure the publishing server, see [How to install the App-V publishing server](appv-install-the-publishing-server-on-a-remote-computer.md).
|
* **Publishing server.** Use the App-V publishing server to host and stream virtual applications. The publishing server supports the HTTP and HTTPS protocols and does not require a database connection. To learn how to configure the publishing server, see [How to install the App-V publishing server](appv-install-the-publishing-server-on-a-remote-computer.md).
|
||||||
|
@ -428,7 +428,7 @@ The body of the deployment configuration file includes two sections:
|
|||||||
</DeploymentConfiguration>
|
</DeploymentConfiguration>
|
||||||
```
|
```
|
||||||
|
|
||||||
User Configuration: see [Dynamic User Configuration](appv-dynamic-configuration.md#dynamic-user-configuration) for more information about this section.
|
User Configuration: see [Dynamic User Configuration](#dynamic-user-configuration-file) for more information about this section.
|
||||||
|
|
||||||
Machine Configuration: The Machine Configuration section of the Deployment Configuration File configures information that can only be set for an entire machine, not a specific user on the computer, like the HKEY\_LOCAL\_MACHINE registry keys in the Virtual Registry. This element can have the following four subsections.
|
Machine Configuration: The Machine Configuration section of the Deployment Configuration File configures information that can only be set for an entire machine, not a specific user on the computer, like the HKEY\_LOCAL\_MACHINE registry keys in the Virtual Registry. This element can have the following four subsections.
|
||||||
|
|
||||||
|
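Review bot: the User Configuration link now points at the in-page anchor `#dynamic-user-configuration-file` instead of `appv-dynamic-configuration.md#dynamic-user-configuration`, but nothing visible in this hunk shows a heading that would generate that anchor. Confirm that a "Dynamic User Configuration file" heading exists in this file, otherwise the link silently lands at the top of the page. The link text still says "Dynamic User Configuration", so consider aligning it with the heading it targets.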
@ -33,7 +33,7 @@ Use the following procedure to install the database server and management server
|
|||||||
* If you are using a custom database name, select **Custom configuration** and enter the database name.
|
* If you are using a custom database name, select **Custom configuration** and enter the database name.
|
||||||
7. On the next **Create new management server database** page, select **Use a remote computer**, then enter the remote machine account using the following format: ```Domain\MachineAccount```.
|
7. On the next **Create new management server database** page, select **Use a remote computer**, then enter the remote machine account using the following format: ```Domain\MachineAccount```.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>If you plan to deploy the management server on the same computer you must select **Use this local computer**. Specify the user name for the management server **Install Administrator** using the following format: ```Domain\AdministratorLoginName```. After that, select **Next**.
|
>If you plan to deploy the management server on the same computer you must select **Use this local computer**. Specify the user name for the management server **Install Administrator** using the following format: ```Domain\AdministratorLoginName```. After that, select **Next**.
|
||||||
8. To start the installation, select **Install**.
|
8. To start the installation, select **Install**.
|
||||||
|
|
||||||
@ -49,7 +49,7 @@ Use the following procedure to install the database server and management server
|
|||||||
* If you're using a custom database name, select **Custom configuration** and enter the database name.
|
* If you're using a custom database name, select **Custom configuration** and enter the database name.
|
||||||
7. On the next **Create new management server database** page, select **Use a remote computer**, and enter the remote machine account using the following format: ```Domain\MachineAccount```.
|
7. On the next **Create new management server database** page, select **Use a remote computer**, and enter the remote machine account using the following format: ```Domain\MachineAccount```.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>If you plan to deploy the reporting server on the same computer you must select **Use this local computer**. Specify the user name for the reporting server **Install Administrator** using the following format: Domain\\AdministratorLoginName. After that, select **Next**.
|
>If you plan to deploy the reporting server on the same computer you must select **Use this local computer**. Specify the user name for the reporting server **Install Administrator** using the following format: Domain\\AdministratorLoginName. After that, select **Next**.
|
||||||
8. To start the installation, select **Install**.
|
8. To start the installation, select **Install**.
|
||||||
|
|
||||||
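Review bot: the note body gives the account format as `Domain\\AdministratorLoginName` in plain text with escaped backslashes, while step 7 in this same hunk uses a code span for `Domain\MachineAccount`, as does the matching management-server note in the previous hunk. Put the reporting-server format in a code span with a single backslash so the two procedures read the same, and add the space after `>` on that line while it is open.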
@ -68,7 +68,7 @@ Use the following procedure to install the database server and management server
|
|||||||
* The App-V Reporting Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Reporting Database**.
|
* The App-V Reporting Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Reporting Database**.
|
||||||
4. For each database, copy the scripts to a share and modify them following the instructions in the readme file.
|
4. For each database, copy the scripts to a share and modify them following the instructions in the readme file.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>For more information about modifying the required SIDs contained in the scripts see, [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md).
|
>For more information about modifying the required SIDs contained in the scripts see, [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md).
|
||||||
5. Run the scripts on the computer running Microsoft SQL Server.
|
5. Run the scripts on the computer running Microsoft SQL Server.
|
||||||
|
|
||||||
|
@ -25,7 +25,7 @@ To install the management server on a standalone computer and connect it to the
|
|||||||
5. On the **Installation Location** page, accept the default location, then select **Next**.
|
5. On the **Installation Location** page, accept the default location, then select **Next**.
|
||||||
6. On the **Configure Existing Management Database** page, select **Use a remote SQL Server**, then enter the computer running Microsoft SQL's machine name, such as ```SqlServerMachine```.
|
6. On the **Configure Existing Management Database** page, select **Use a remote SQL Server**, then enter the computer running Microsoft SQL's machine name, such as ```SqlServerMachine```.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**. For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance**, then enter the instance's name. Specify the **SQL Server Database name** that this management server will use, such as ```AppvManagement```.
|
>If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**. For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance**, then enter the instance's name. Specify the **SQL Server Database name** that this management server will use, such as ```AppvManagement```.
|
||||||
7. On the **Configure management server configuration** page, specify the following items:
|
7. On the **Configure management server configuration** page, specify the following items:
|
||||||
* The AD group or account that will connect to the management console for administrative purposes for example **MyDomain\\MyUser** or **MyDomain\\AdminGroup**. The account or AD group you specify will be enabled to manage the server through the management console. You can add additional users or groups using the management console after installation
|
* The AD group or account that will connect to the management console for administrative purposes for example **MyDomain\\MyUser** or **MyDomain\\AdminGroup**. The account or AD group you specify will be enabled to manage the server through the management console. You can add additional users or groups using the management console after installation
|
||||||
|
@ -30,7 +30,7 @@ Use the following procedure to install the reporting server on a standalone comp
|
|||||||
5. On the **Installation location** page, accept the default location and select **Next**.
|
5. On the **Installation location** page, accept the default location and select **Next**.
|
||||||
6. On the **Configure existing reporting database** page, select **Use a remote SQL Server**, then enter the machine name of the computer running Microsoft SQL Server. For example, you can name your computer **SqlServerMachine**.
|
6. On the **Configure existing reporting database** page, select **Use a remote SQL Server**, then enter the machine name of the computer running Microsoft SQL Server. For example, you can name your computer **SqlServerMachine**.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**. For the SQL Server instance, select **Use the default instance**. If you're using a custom Microsoft SQL Server instance, select **Use a custom instance**, then enter the name of your custom instance. Specify the **SQL Server Database name** that this reporting server will use; for example, you can name the server **AppvReporting**.
|
>If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**. For the SQL Server instance, select **Use the default instance**. If you're using a custom Microsoft SQL Server instance, select **Use a custom instance**, then enter the name of your custom instance. Specify the **SQL Server Database name** that this reporting server will use; for example, you can name the server **AppvReporting**.
|
||||||
7. On the **Configure reporting server configuration** page.
|
7. On the **Configure reporting server configuration** page.
|
||||||
|
|
||||||
|
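Review bot: the last sentence of the note says "you can name the server **AppvReporting**", but the field it describes is the **SQL Server Database name**, so the example is a database name, not a server name. Suggest "such as AppvReporting", mirroring the management-server note, which uses "such as AppvManagement". Step 7 just below, "On the **Configure reporting server configuration** page.", is also a sentence fragment that ends in a period and would read better as a lead-in to the items that follow.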
@ -32,8 +32,8 @@ Get-AppvClientPackage –Name "ContosoApplication" -Version 2
|
|||||||
|
|
||||||
Use the **Add-AppvClientPackage** cmdlet to add a package to a computer.
|
Use the **Add-AppvClientPackage** cmdlet to add a package to a computer.
|
||||||
|
|
||||||
>[!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
>This example only adds a package. It does not publish the package to the user or the computer.
|
> This example only adds a package. It does not publish the package to the user or the computer.
|
||||||
|
|
||||||
For example:
|
For example:
|
||||||
|
|
||||||
@ -59,8 +59,8 @@ Publish-AppvClientPackage "ContosoApplication" -Global
|
|||||||
|
|
||||||
## Publish a package to a specific user
|
## Publish a package to a specific user
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter.
|
> You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter.
|
||||||
|
|
||||||
An administrator can publish a package to a specific user by specifying the optional *–UserSID* parameter with the **Publish-AppvClientPackage** cmdlet, where *-UserSID* represents the end user’s security identifier (SID).
|
An administrator can publish a package to a specific user by specifying the optional *–UserSID* parameter with the **Publish-AppvClientPackage** cmdlet, where *-UserSID* represents the end user’s security identifier (SID).
|
||||||
|
|
||||||
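Review bot: the paragraph under the note spells the parameter twice with different dash characters, `–UserSID` with an en dash and `-UserSID` with an ASCII hyphen. The matching unpublish paragraph later in the file uses the hyphen in both places. Use the ASCII hyphen here as well so the name is consistent and copies cleanly into a console.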
@ -99,8 +99,8 @@ Unpublish-AppvClientPackage "ContosoApplication"
|
|||||||
|
|
||||||
## Unpublish a package for a specific user
|
## Unpublish a package for a specific user
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter.
|
> You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter.
|
||||||
|
|
||||||
An administrator can unpublish a package for a specific user by using the optional *-UserSID* parameter with the **Unpublish-AppvClientPackage** cmdlet, where *-UserSID* represents the end user’s security identifier (SID).
|
An administrator can unpublish a package for a specific user by using the optional *-UserSID* parameter with the **Unpublish-AppvClientPackage** cmdlet, where *-UserSID* represents the end user’s security identifier (SID).
|
||||||
|
|
||||||
@ -127,8 +127,8 @@ For example:
|
|||||||
Remove-AppvClientPackage "ContosoApplication"
|
Remove-AppvClientPackage "ContosoApplication"
|
||||||
```
|
```
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>App-V cmdlets have been assigned to variables for the previous examples for clarity only; assignment is not a requirement. Most cmdlets can be combined as displayed in [Add and publish a package](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#add-and-publish-a-package). For a detailed tutorial, see [App-V 5.0 Client PowerShell Deep Dive](https://blogs.technet.microsoft.com/appv/2012/12/03/app-v-5-0-client-powershell-deep-dive/).
|
> App-V cmdlets have been assigned to variables for the previous examples for clarity only; assignment is not a requirement. Most cmdlets can be combined as displayed in [Add and publish a package](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#add-and-publish-a-package). For a detailed tutorial, see [App-V 5.0 Client PowerShell Deep Dive](https://blogs.technet.microsoft.com/appv/2012/12/03/app-v-5-0-client-powershell-deep-dive/).
|
||||||
|
|
||||||
## Enable only administrators to publish or unpublish packages
|
## Enable only administrators to publish or unpublish packages
|
||||||
|
|
||||||
|
@ -87,7 +87,7 @@ Use the following steps to modify the connection string to include ```failover p
|
|||||||
2. Navigate to **HKEY\_LOCAL\_MACHINE** \\ **Software** \\ **Microsoft** \\ **AppV** \\ **Server** \\ **ManagementService**.
|
2. Navigate to **HKEY\_LOCAL\_MACHINE** \\ **Software** \\ **Microsoft** \\ **AppV** \\ **Server** \\ **ManagementService**.
|
||||||
3. Modify the **MANAGEMENT\_SQL\_CONNECTION\_STRING** value with the ```failover partner = <server2>``` value.
|
3. Modify the **MANAGEMENT\_SQL\_CONNECTION\_STRING** value with the ```failover partner = <server2>``` value.
|
||||||
4. Restart management service using the IIS console.
|
4. Restart management service using the IIS console.
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>Database Mirroring is on the list of [deprecated database engine features in SQL Server 2012](<https://msdn.microsoft.com/library/ms143729(v=sql.110).aspx>) due to the **AlwaysOn** feature available starting with Microsoft SQL Server 2012.
|
>Database Mirroring is on the list of [deprecated database engine features in SQL Server 2012](<https://msdn.microsoft.com/library/ms143729(v=sql.110).aspx>) due to the **AlwaysOn** feature available starting with Microsoft SQL Server 2012.
|
||||||
|
|
||||||
Click any of the following links for more information:
|
Click any of the following links for more information:
|
||||||
|
@ -18,8 +18,8 @@ ms.topic: article
|
|||||||
|
|
||||||
Use the following procedure to publish an App-V package. Once you publish a package, computers running the App-V client can access and run the applications in that package.
|
Use the following procedure to publish an App-V package. Once you publish a package, computers running the App-V client can access and run the applications in that package.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>The ability to enable only administrators to publish or unpublish packages (described below) is supported starting in App-V 5.0 SP3.
|
> The ability to enable only administrators to publish or unpublish packages (described below) is supported starting in App-V 5.0 SP3.
|
||||||
|
|
||||||
## Publish an App-V package
|
## Publish an App-V package
|
||||||
|
|
||||||
|
@ -137,8 +137,8 @@ The InsertVersionInfo.sql script is not required for versions of the App-V manag
|
|||||||
|
|
||||||
The Permissions.sql script should be updated according to **Step 2** in [KB article 3031340](https://support.microsoft.com/kb/3031340).
|
The Permissions.sql script should be updated according to **Step 2** in [KB article 3031340](https://support.microsoft.com/kb/3031340).
|
||||||
|
|
||||||
>[!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
>**Step 1** of the KB article listed above isn't required for versions of App-V later than App-V 5.0 SP3.
|
> **Step 1** of the KB article listed above isn't required for versions of App-V later than App-V 5.0 SP3.
|
||||||
|
|
||||||
## Microsoft Visual Studio 2012 not supported
|
## Microsoft Visual Studio 2012 not supported
|
||||||
App-V doesn't support Visual Studio 2012.
|
App-V doesn't support Visual Studio 2012.
|
||||||
|
@ -32,7 +32,7 @@ The following list displays the end–to-end high-level workflow for reporting i
|
|||||||
2. Install the App-V reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a standalone computer and connect it to the database](appv-install-the-reporting-server-on-a-standalone-computer.md). Configure the time when the computer running the App-V client should send data to the reporting server.
|
2. Install the App-V reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a standalone computer and connect it to the database](appv-install-the-reporting-server-on-a-standalone-computer.md). Configure the time when the computer running the App-V client should send data to the reporting server.
|
||||||
3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined appvshort Reports from the Download Center at [Application Virtualization SSRS Reports](https://www.microsoft.com/en-us/download/details.aspx?id=42630).
|
3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined appvshort Reports from the Download Center at [Application Virtualization SSRS Reports](https://www.microsoft.com/en-us/download/details.aspx?id=42630).
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>If you are using the Configuration Manager integration with App-V, most reports are generated from Configuration Manager rather than from App-V.
|
>If you are using the Configuration Manager integration with App-V, most reports are generated from Configuration Manager rather than from App-V.
|
||||||
4. After importing the App-V Windows PowerShell module using **Import-Module AppvClient** as administrator, enable App-V client reporting. This sample Windows PowerShell command enables App-V reporting:
|
4. After importing the App-V Windows PowerShell module using **Import-Module AppvClient** as administrator, enable App-V client reporting. This sample Windows PowerShell command enables App-V reporting:
|
||||||
|
|
||||||
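Review bot: in step 3, "Download predefined appvshort Reports" reads like an unexpanded product-name token; since this hunk is already open, replace `appvshort` with "App-V". The alert body also still starts with `>If you are using`, while the marker above it was changed to `> [!NOTE]`; add the space so both lines of the block match. The same leftover appears in the next two hunks (`>By default, the cache is cleared` and `>Group Policy settings override`).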
@ -46,7 +46,7 @@ The following list displays the end–to-end high-level workflow for reporting i
|
|||||||
5. After the reporting server receives the data from the App-V client it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server, which then notifies the App-V client.
|
5. After the reporting server receives the data from the App-V client it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server, which then notifies the App-V client.
|
||||||
6. When the App-V client receives the success notification, it empties the data cache to conserve space.
|
6. When the App-V client receives the success notification, it empties the data cache to conserve space.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>By default, the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache.
|
>By default, the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache.
|
||||||
|
|
||||||
If the App-V client device does not receive a success notification from the server, it retains data in the cache and tries to resend data at the next configured interval. Clients continue to collect data and add it to the cache.
|
If the App-V client device does not receive a success notification from the server, it retains data in the cache and tries to resend data at the next configured interval. Clients continue to collect data and add it to the cache.
|
||||||
@ -91,7 +91,7 @@ Yes. Besides manually sending reporting using Windows PowerShell cmdlets (**Send
|
|||||||
For a complete list of client configuration settings, go to [About client configuration settings](appv-client-configuration-settings.md) and look for the following entries: **ReportingEnabled**, **ReportingServerURL**, **ReportingDataCacheLimit**, **ReportingDataBlockSize**, **ReportingStartTime**, **ReportingRandomDelay**, **ReportingInterval**.
|
For a complete list of client configuration settings, go to [About client configuration settings](appv-client-configuration-settings.md) and look for the following entries: **ReportingEnabled**, **ReportingServerURL**, **ReportingDataCacheLimit**, **ReportingDataBlockSize**, **ReportingStartTime**, **ReportingRandomDelay**, **ReportingInterval**.
|
||||||
* Using Group Policy. If distributed using the domain controller, the settings are the same as previously listed.
|
* Using Group Policy. If distributed using the domain controller, the settings are the same as previously listed.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>Group Policy settings override local settings configured using Windows PowerShell.
|
>Group Policy settings override local settings configured using Windows PowerShell.
|
||||||
|
|
||||||
## App-V Client reporting
|
## App-V Client reporting
|
||||||
|
@ -56,7 +56,7 @@ No groups are created automatically during App-V setup. You should create the fo
|
|||||||
Consider the following additional information:
|
Consider the following additional information:
|
||||||
|
|
||||||
* Access to the package shares: If a share exists on the same computer as the management Server, the **Network** service requires read access to the share. In addition, each App-V client computer must have read access to the package share.
|
* Access to the package shares: If a share exists on the same computer as the management Server, the **Network** service requires read access to the share. In addition, each App-V client computer must have read access to the package share.
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>In previous versions of App-V, package share was referred to as content share.
|
>In previous versions of App-V, package share was referred to as content share.
|
||||||
* Registering publishing servers with Management Server: A publishing server must be registered with the Management server. For example, it must be added to the database, so that the Publishing server machine accounts are able to call into the Management service API.
|
* Registering publishing servers with Management Server: A publishing server must be registered with the Management server. For example, it must be added to the database, so that the Publishing server machine accounts are able to call into the Management service API.
|
||||||
|
|
||||||
|
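Review bot: the two bullets around this note spell the same component three ways ("management Server", "Management Server", "Management server") and also switch between "publishing server" and "Publishing server"; pick one casing while the block is being touched. The alert body `>In previous versions of App-V` was also left without the space that the marker line now has.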
@ -55,7 +55,7 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD
|
|||||||
|
|
||||||
5. On the **Select Installer** page, select **Browse** and specify the installation file for the application.
|
5. On the **Select Installer** page, select **Browse** and specify the installation file for the application.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package.
|
>If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package.
|
||||||
|
|
||||||
If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Perform a Custom Installation** check box, and then select **Next**.
|
If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Perform a Custom Installation** check box, and then select **Next**.
|
||||||
@ -73,7 +73,7 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD
|
|||||||
|
|
||||||
9. On the **Configure Software** page, optionally run the programs contained in the package. This step allows you to complete any necessary license or configuration tasks before you deploy and run the package on target computers. To run all the programs at one time, select at least one program, and then select **Run All**. To run specific programs, select the program or programs, and then select **Run Selected**. Complete the required configuration tasks and then close the applications. You may need to wait several minutes for all programs to run.
|
9. On the **Configure Software** page, optionally run the programs contained in the package. This step allows you to complete any necessary license or configuration tasks before you deploy and run the package on target computers. To run all the programs at one time, select at least one program, and then select **Run All**. To run specific programs, select the program or programs, and then select **Run Selected**. Complete the required configuration tasks and then close the applications. You may need to wait several minutes for all programs to run.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>To run first-use tasks for any application that is not available in the list, open the application. The associated information will be captured during this step.
|
>To run first-use tasks for any application that is not available in the list, open the application. The associated information will be captured during this step.
|
||||||
|
|
||||||
Select **Next**.
|
Select **Next**.
|
||||||
@ -89,7 +89,7 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD
|
|||||||
|
|
||||||
12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then select **Next**.
|
12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then select **Next**.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened. After that, depending on how the background loading is configured, it will load the rest of the application.
|
>If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened. After that, depending on how the background loading is configured, it will load the rest of the application.
|
||||||
|
|
||||||
13. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select **Allow this package to run on any operating system**. To configure this package to run only on specific operating systems, select **Allow this package to run only on the following operating systems** and select the operating systems that can run this package. After that, select **Next**.
|
13. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select **Allow this package to run on any operating system**. To configure this package to run only on specific operating systems, select **Allow this package to run only on the following operating systems** and select the operating systems that can run this package. After that, select **Next**.
|
||||||
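Review bot: the note body in step 12 has a number mismatch, "applications will be downloaded bit by bit until it can be opened"; suggest "the application is downloaded bit by bit until it can be opened". That line also still begins with `>If you do not open`, so it does not match the `> [!NOTE]` spacing introduced one line above.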
@ -153,7 +153,7 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD
|
|||||||
|
|
||||||
13. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all applications to run. After all applications have run, close each application. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Select **Next**.
|
13. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all applications to run. After all applications have run, close each application. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Select **Next**.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>If necessary, you can stop an application from loading during this step. In the **Application Launch** dialog box, select **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**.
|
>If necessary, you can stop an application from loading during this step. In the **Application Launch** dialog box, select **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**.
|
||||||
|
|
||||||
14. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box, and then select the operating systems that can run this package. Select **Next**.
|
14. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box, and then select the operating systems that can run this package. Select **Next**.
|
||||||
|
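Review bot: step 13 writes "check-box" ("the **Force applications to be downloaded** check-box") while the note below it and step 14 use "check boxes" and "check box"; use the unhyphenated form throughout. The alert body `>If necessary, you can stop an application` also keeps the old spacing.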
@ -20,7 +20,7 @@ ms.author: lomayor
|
|||||||
|
|
||||||
Use the following procedure to create a new App-V package using Windows PowerShell.
|
Use the following procedure to create a new App-V package using Windows PowerShell.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Before you use this procedure you must copy the associated installer files to the computer running the sequencer and you have read and understand the sequencer section of [Planning for the App-V Sequencer and Client Deployment](appv-planning-for-sequencer-and-client-deployment.md).
|
> Before you use this procedure you must copy the associated installer files to the computer running the sequencer and you have read and understand the sequencer section of [Planning for the App-V Sequencer and Client Deployment](appv-planning-for-sequencer-and-client-deployment.md).
|
||||||
|
|
||||||
|
|
||||||
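Review bot: the alert body mixes an instruction with a precondition, "you must copy the associated installer files ... and you have read and understand the sequencer section"; suggest "and you must have read and understood". The old and new `> [!NOTE]` lines are identical as shown, so this hunk looks like a whitespace-only change; worth confirming that is intended.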
@ -65,8 +65,8 @@ The following list displays additional optional parameters that can be used with
|
|||||||
|
|
||||||
In Windows 10, version 1703, running the new-appvsequencerpackage or the update-appvsequencepackage cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file.
|
In Windows 10, version 1703, running the new-appvsequencerpackage or the update-appvsequencepackage cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file.
|
||||||
|
|
||||||
>[!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
>If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template.
|
> If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template.
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
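Review bot: the paragraph above the alert names the cmdlets as `new-appvsequencerpackage` and `update-appvsequencepackage`; the second is missing the "r" in "sequencer", so a reader who copies it gets a command-not-found error. Suggest writing both as code with their PowerShell casing, `New-AppvSequencerPackage` and `Update-AppvSequencerPackage`.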
@ -51,8 +51,8 @@ These tools were included in previous versions of Windows and the associated doc
|
|||||||
- [Windows Firewall with Advanced Security](https://go.microsoft.com/fwlink/p/?LinkId=708503)
|
- [Windows Firewall with Advanced Security](https://go.microsoft.com/fwlink/p/?LinkId=708503)
|
||||||
- [Windows Memory Diagnostic]( https://go.microsoft.com/fwlink/p/?LinkId=708507)
|
- [Windows Memory Diagnostic]( https://go.microsoft.com/fwlink/p/?LinkId=708507)
|
||||||
|
|
||||||
>[!TIP]
|
> [!TIP]
|
||||||
>If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** page. Details about the information you want for a tool will help us plan future content.
|
> If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** page. Details about the information you want for a tool will help us plan future content.
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
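Review bot: the tip refers to "a tool in the following list", but in this hunk it sits after the list and directly before "## Related topics", so no list follows it; change it to "the preceding list" or move the tip above the list. Minor: the Windows Memory Diagnostic link has a stray space after the opening parenthesis, `]( https://go.microsoft.com/...`, unlike the entry above it.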
@ -16,7 +16,7 @@ manager: dansimp
|
|||||||
|
|
||||||
AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803.
|
AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803.
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> The AccountManagement CSP is only supported in Windows Holographic for Business edition.
|
> The AccountManagement CSP is only supported in Windows Holographic for Business edition.
|
||||||
|
|
||||||
|
|
||||||
|
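Review bot: the intro sentence reads "is used to configure setting in the Account Manager service"; it should be "settings". The `[!Note]` to `[!NOTE]` change itself looks fine.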
@ -43,7 +43,7 @@ Defines restrictions for applications.
|
|||||||
Additional information:
|
Additional information:
|
||||||
|
|
||||||
- [Find publisher and product name of apps](#productname) - step-by-step guide for getting the publisher and product names for various Windows apps.
|
- [Find publisher and product name of apps](#productname) - step-by-step guide for getting the publisher and product names for various Windows apps.
|
||||||
- [Whitelist example](#whitelist-example) - example for Windows 10 Mobile that denies all apps except the ones listed.
|
- [Whitelist example](#whitelist-examples) - example for Windows 10 Mobile that denies all apps except the ones listed.
|
||||||
|
|
||||||
<a href="" id="enterprisedataprotection"></a>**EnterpriseDataProtection**
|
<a href="" id="enterprisedataprotection"></a>**EnterpriseDataProtection**
|
||||||
Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
|
Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
|
||||||
|
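Review bot: the anchor change from `#whitelist-example` to `#whitelist-examples` is the one functional edit in an otherwise formatting-only patch, and the target heading is not visible in this hunk. Confirm the heading slug is the plural form, and update the link text "Whitelist example" to match it if so.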
@ -17,7 +17,7 @@ manager: dansimp
|
|||||||
|
|
||||||
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro.
|
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro.
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes.
|
> Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes.
|
||||||
> You must send all the settings together in a single SyncML to be effective.
|
> You must send all the settings together in a single SyncML to be effective.
|
||||||
|
|
||||||
@ -167,7 +167,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
|||||||
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
> [!Tip]
|
> [!TIP]
|
||||||
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
||||||
|
|
||||||
<p style="margin-left: 20px">This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.</p>
|
<p style="margin-left: 20px">This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.</p>
|
||||||
@ -193,7 +193,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
|||||||
- 6 = XTS-AES 128
|
- 6 = XTS-AES 128
|
||||||
- 7 = XTS-AES 256
|
- 7 = XTS-AES 256
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status.
|
> When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status.
|
||||||
|
|
||||||
<p style="margin-left: 20px"> If you want to disable this policy use the following SyncML:</p>
|
<p style="margin-left: 20px"> If you want to disable this policy use the following SyncML:</p>
|
||||||
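Review bot: the note body contains the typo "encrytion" ("if you only set the encrytion method for the OS and removable drives"); fix it to "encryption" while the block is being edited.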
@ -245,26 +245,26 @@ The following diagram shows the BitLocker configuration service provider in tree
|
|||||||
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
> [!Tip]
|
> [!TIP]
|
||||||
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
||||||
|
|
||||||
<p style="margin-left: 20px">This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.</p>
|
<p style="margin-left: 20px">This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.</p>
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> Only one of the additional authentication options can be required at startup, otherwise an error occurs.
|
> Only one of the additional authentication options can be required at startup, otherwise an error occurs.
|
||||||
|
|
||||||
<p style="margin-left: 20px">If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.</p>
|
<p style="margin-left: 20px">If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.</p>
|
||||||
|
|
||||||
<p style="margin-left: 20px">On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.</p>
|
<p style="margin-left: 20px">On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.</p>
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> In Windows 10, version 1703 release B, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits.
|
> In Windows 10, version 1703 release B, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits.
|
||||||
|
|
||||||
<p style="margin-left: 20px">If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.</p>
|
<p style="margin-left: 20px">If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.</p>
|
||||||
|
|
||||||
<p style="margin-left: 20px">If you disable or do not configure this setting, users can configure only basic options on computers with a TPM.</p>
|
<p style="margin-left: 20px">If you disable or do not configure this setting, users can configure only basic options on computers with a TPM.</p>
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
|
> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
|
||||||
|
|
||||||
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
|
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
|
||||||
@ -342,12 +342,12 @@ The following diagram shows the BitLocker configuration service provider in tree
|
|||||||
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
> [!Tip]
|
> [!TIP]
|
||||||
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
||||||
|
|
||||||
<p style="margin-left: 20px">This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.</p>
|
<p style="margin-left: 20px">This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.</p>
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits.
|
> In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits.
|
||||||
>
|
>
|
||||||
>In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This does not apply to TPM 1.2.
|
>In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This does not apply to TPM 1.2.
|
||||||
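Review bot: the paragraph states the startup PIN "must have a minimum length of 6 digits", and the note directly below it allows 4 digits in Windows 10, version 1703 release B, so the page gives two different floors for the same setting; consider qualifying the paragraph so it agrees with the note. Within the alert, the last line still begins with `>In TPM 2.0` while the first body line is `> In Windows 10`; add the space so the block is consistent.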
@ -411,7 +411,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
|||||||
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
> [!Tip]
|
> [!TIP]
|
||||||
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
||||||
|
|
||||||
<p style="margin-left: 20px">This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
|
<p style="margin-left: 20px">This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
|
||||||
@ -437,7 +437,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
|||||||
- 'yy' = string of max length 900.
|
- 'yy' = string of max length 900.
|
||||||
- 'zz' = string of max length 500.
|
- 'zz' = string of max length 500.
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status.
|
> When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status.
|
||||||
|
|
||||||
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
|
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
|
||||||
@ -457,7 +457,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
|||||||
</Replace>
|
</Replace>
|
||||||
```
|
```
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
|
> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
|
||||||
|
|
||||||
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
|
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
|
||||||
@ -492,7 +492,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
|||||||
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
> [!Tip]
|
> [!TIP]
|
||||||
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
||||||
|
|
||||||
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.</p>
|
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.</p>
|
||||||
@ -589,7 +589,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
|||||||
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
> [!Tip]
|
> [!TIP]
|
||||||
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
||||||
|
|
||||||
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.</p>
|
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.</p>
|
||||||
@ -687,7 +687,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
|||||||
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
> [!Tip]
|
> [!TIP]
|
||||||
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
||||||
|
|
||||||
<p style="margin-left: 20px">This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.</p>
|
<p style="margin-left: 20px">This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.</p>
|
||||||
@ -749,7 +749,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
|||||||
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
> [!Tip]
|
> [!TIP]
|
||||||
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
||||||
|
|
||||||
<p style="margin-left: 20px">This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.</p>
|
<p style="margin-left: 20px">This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.</p>
|
||||||
@ -795,7 +795,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
|||||||
|
|
||||||
<p style="margin-left: 20px">Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.</p>
|
<p style="margin-left: 20px">Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.</p>
|
||||||
|
|
||||||
> [!Important]
|
> [!IMPORTANT]
|
||||||
> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview).
|
> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview).
|
||||||
|
|
||||||
> [!Warning]
|
> [!Warning]
|
||||||
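Review bot: The `> [!Warning]` marker at the end of this hunk is left in mixed case, while the `[!Important]` marker just above it is normalized to `[!IMPORTANT]`. Change it to `> [!WARNING]` in the same pass so the alert casing is consistent within this file; the IPType hunk later in this commit already makes that change for its warning.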
@ -842,7 +842,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
|||||||
</Replace>
|
</Replace>
|
||||||
```
|
```
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.
|
>When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.
|
||||||
>
|
>
|
||||||
>The endpoint for a fixed data drive's backup is chosen in the following order:
|
>The endpoint for a fixed data drive's backup is chosen in the following order:
|
||||||
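Review bot: Only the marker line gains a space after `>`; the body lines of the same blockquote (`>When you disable the warning prompt...` and `>The endpoint for a fixed data drive's backup...`) still start with `>` and no space. Add the space on those lines as well so the whole note uses one quoting style.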
@ -855,7 +855,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
|||||||
<a href="" id="allowstandarduserencryption"></a>**AllowStandardUserEncryption**
|
<a href="" id="allowstandarduserencryption"></a>**AllowStandardUserEncryption**
|
||||||
Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account.
|
Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account.
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> This policy is only supported in Azure AD accounts.
|
> This policy is only supported in Azure AD accounts.
|
||||||
|
|
||||||
"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced.
|
"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced.
|
||||||
|
@ -32,7 +32,7 @@ On the desktop, you can create an Active Directory account, such as "enrollment@
|
|||||||
|
|
||||||
On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
|
On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
> - Bulk-join is not supported in Azure Active Directory Join.
|
> - Bulk-join is not supported in Azure Active Directory Join.
|
||||||
> - Bulk enrollment does not work in Intune standalone environment.
|
> - Bulk enrollment does not work in Intune standalone environment.
|
||||||
> - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console.
|
> - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console.
|
||||||
|
@ -139,7 +139,7 @@ The following diagram shows the CM\_CellularEntries configuration service provid
|
|||||||
<a href="" id="iptype"></a>**IPType**
|
<a href="" id="iptype"></a>**IPType**
|
||||||
<p style="margin-left: 20px"> Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value is not specified, the default value is "IPv4".
|
<p style="margin-left: 20px"> Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value is not specified, the default value is "IPv4".
|
||||||
|
|
||||||
> [!Warning]
|
> [!WARNING]
|
||||||
> Do not use IPv6 or IPv4v6xlat on a device or network that does not support IPv6. Data functionality will not work. In addition, the device will not be able to connect to a roaming network that does not support IPv6 unless you configure roaming connections with an IPType of IPv4v6.
|
> Do not use IPv6 or IPv4v6xlat on a device or network that does not support IPv6. Data functionality will not work. In addition, the device will not be able to connect to a roaming network that does not support IPv6 unless you configure roaming connections with an IPType of IPv4v6.
|
||||||
|
|
||||||
|
|
||||||
@ -149,7 +149,7 @@ The following diagram shows the CM\_CellularEntries configuration service provid
|
|||||||
|
|
||||||
<p style="margin-left: 20px"> To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it should not be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Note that sending MMS while roaming is still not allowed.
|
<p style="margin-left: 20px"> To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it should not be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Note that sending MMS while roaming is still not allowed.
|
||||||
|
|
||||||
> [!Important]
|
> [!IMPORTANT]
|
||||||
> Do not set ExemptFromDisablePolicy to "1", ExemptFromRoaming to "1", or UseRequiresMappingsPolicy to "1" for general purpose connections.
|
> Do not set ExemptFromDisablePolicy to "1", ExemptFromRoaming to "1", or UseRequiresMappingsPolicy to "1" for general purpose connections.
|
||||||
|
|
||||||
<p style="margin-left: 20px"> To avoid UX inconsistency with certain value combinations of ExemptFromDisablePolicy and AllowMmsIfDataIsOff, when you do not set ExemptFromDisablePolicy to 1 (default is 0), you should:
|
<p style="margin-left: 20px"> To avoid UX inconsistency with certain value combinations of ExemptFromDisablePolicy and AllowMmsIfDataIsOff, when you do not set ExemptFromDisablePolicy to 1 (default is 0), you should:
|
||||||
@ -168,12 +168,11 @@ The following diagram shows the CM\_CellularEntries configuration service provid
|
|||||||
<a href="" id="idledisconnecttimeout"></a>**IdleDisconnectTimeout**
|
<a href="" id="idledisconnecttimeout"></a>**IdleDisconnectTimeout**
|
||||||
<p style="margin-left: 20px"> Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds.
|
<p style="margin-left: 20px"> Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds.
|
||||||
|
|
||||||
> [!Important]
|
> [!IMPORTANT]
|
||||||
> <p style="margin-left: 20px"> You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used.
|
> <p style="margin-left: 20px"> You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used.
|
||||||
>
|
|
||||||
>
|
|
||||||
>
|
> [!NOTE]
|
||||||
> [!Note]
|
|
||||||
> If tear-down/activation requests occur too frequently, this value should be set to greater than 5 seconds.
|
> If tear-down/activation requests occur too frequently, this value should be set to greater than 5 seconds.
|
||||||
|
|
||||||
|
|
||||||
|
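Review bot: The `[!IMPORTANT]` body line still opens a raw `<p style="margin-left: 20px">` inside the blockquote and never closes it on that line. Now that the note below is split into its own alert, drop the `<p>` wrapper so the alert body is plain Markdown (`> You must specify the IdleDisconnectTimeout value ...`) and no unclosed tag sits inside the alert.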
@ -1078,7 +1078,7 @@ Specifies the properties of the publisher details.
|
|||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td><p>architectures</p></td>
|
<td><p>architectures</p></td>
|
||||||
<td><p>collection of <a href="#productarchitecture" data-raw-source="[ProductArchitecture](#productarchitecture)">ProductArchitecture</a></p></td>
|
<td><p>collection of <a href="#productarchitectures" data-raw-source="[ProductArchitectures](#productarchitectures)">ProductArchitectures</a></p></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
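Review bot: The link in the architectures row changes from `#productarchitecture` to `#productarchitectures`, and nothing in this hunk shows a heading or anchor with that id. Confirm that the target section in this file really has the id `productarchitectures` before merging, otherwise the in-page link breaks. The link text should also match the type name used in that section's heading.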
@ -188,7 +188,7 @@ Value type is string. Supported operation is Get.
|
|||||||
<a href="" id="devicehardwaredata"></a>**Ext/DeviceHardwareData**
|
<a href="" id="devicehardwaredata"></a>**Ext/DeviceHardwareData**
|
||||||
<p style="margin-left: 20px">Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
|
<p style="margin-left: 20px">Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information.
|
> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information.
|
||||||
|
|
||||||
<p style="margin-left: 20px">Supported operation is Get.
|
<p style="margin-left: 20px">Supported operation is Get.
|
||||||
|
@ -61,7 +61,7 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
|
|||||||
|
|
||||||
In this example you configure **Enable App-V Client** to **Enabled**.
|
In this example you configure **Enable App-V Client** to **Enabled**.
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
|
> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
|
||||||
|
|
||||||
``` syntax
|
``` syntax
|
||||||
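Review bot: The CDATA reference on the line under the changed marker still points to `http://www.w3.org/TR/REC-xml/#sec-cdata-sect`. Since this note is being edited anyway, switch the link to `https://` so readers are not sent over plaintext HTTP. The same line appears in the PublishingAllowServer2 hunk that follows.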
@ -223,7 +223,7 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
|
|||||||
|
|
||||||
Here is the example for **AppVirtualization/PublishingAllowServer2**:
|
Here is the example for **AppVirtualization/PublishingAllowServer2**:
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
|
> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
|
||||||
|
|
||||||
``` syntax
|
``` syntax
|
||||||
|
@ -21,7 +21,7 @@ Requirements:
|
|||||||
- The enterprise AD must be [registered with Azure Active Directory (Azure AD)](azure-active-directory-integration-with-mdm.md)
|
- The enterprise AD must be [registered with Azure Active Directory (Azure AD)](azure-active-directory-integration-with-mdm.md)
|
||||||
- The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
|
- The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
|
||||||
|
|
||||||
> [!Tip]
|
> [!TIP]
|
||||||
> [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
|
> [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
|
||||||
|
|
||||||
To verify if the device is Azure AD registered, run `dsregcmd /status` from the command line.
|
To verify if the device is Azure AD registered, run `dsregcmd /status` from the command line.
|
||||||
@ -32,7 +32,7 @@ Here is a partial screenshot of the result:
|
|||||||
|
|
||||||
The auto-enrollment relies of the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered.
|
The auto-enrollment relies of the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered.
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
|
> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
|
||||||
|
|
||||||
When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
|
When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
|
||||||
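Review bot: The context paragraph above the changed note reads "The auto-enrollment relies of the presence of an MDM service"; "relies of" should be "relies on". It is worth fixing in this cleanup commit because the paragraph sits directly next to the edited line.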
@ -128,7 +128,7 @@ Requirements:
|
|||||||
4. Filter using Security Groups.
|
4. Filter using Security Groups.
|
||||||
5. Enforce a GPO link.
|
5. Enforce a GPO link.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
> Version 1903 (March 2019) is actually on the Insider program and doesn't yet contain a downloadable version of Templates (version 1903).
|
> Version 1903 (March 2019) is actually on the Insider program and doesn't yet contain a downloadable version of Templates (version 1903).
|
||||||
|
|
||||||
### Related topics
|
### Related topics
|
||||||
|
@ -41,7 +41,7 @@ Supported operations are Add, Delete, Get and Replace.
|
|||||||
|
|
||||||
The Apps and Settings sections of lockdown XML constitute an Allow list. Any app or setting that is not specified in AssignedAccessXML will not be available on the device to users. The following table describes the entries in lockdown XML.
|
The Apps and Settings sections of lockdown XML constitute an Allow list. Any app or setting that is not specified in AssignedAccessXML will not be available on the device to users. The following table describes the entries in lockdown XML.
|
||||||
|
|
||||||
> [!Important]
|
> [!IMPORTANT]
|
||||||
> When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an MDM, the XML must use escaped characters, such as \< instead of < because it is embedded in an XML. The examples provided in the topic are formatted for readability.
|
> When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an MDM, the XML must use escaped characters, such as \< instead of < because it is embedded in an XML. The examples provided in the topic are formatted for readability.
|
||||||
|
|
||||||
When using the AssignedAccessXml in a provisioning package using the Windows Configuration Designer tool, do not use escaped characters.
|
When using the AssignedAccessXml in a provisioning package using the Windows Configuration Designer tool, do not use escaped characters.
|
||||||
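Review bot: On the line under the changed `[!IMPORTANT]` marker, the example of an escaped character is written as `\<`, which is a Markdown escape rather than an XML one, so the sentence does not show the reader what to put in the payload. Spell out the entity form the MDM payload needs (for example, the `&lt;` entity written in backticks) so the instruction for embedding AssignedAccessXml in XML is unambiguous.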
@ -268,7 +268,7 @@ Here is an example for Windows 10, version 1703.
|
|||||||
|
|
||||||
Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page).
|
Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page).
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. In Windows 10, version 1703, Quick action settings no longer require any dependencies from related group or page.
|
> Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. In Windows 10, version 1703, Quick action settings no longer require any dependencies from related group or page.
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
@ -376,7 +376,7 @@ Buttons | The following list identifies the hardware buttons on the device that
|
|||||||
<li><p>Custom3</p></li>
|
<li><p>Custom3</p></li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> Lock down of the Start button only prevents the press and hold event.
|
> Lock down of the Start button only prevents the press and hold event.
|
||||||
>
|
>
|
||||||
> Custom buttons are hardware buttons that can be added to devices by OEMs.
|
> Custom buttons are hardware buttons that can be added to devices by OEMs.
|
||||||
@ -400,7 +400,7 @@ Buttons example:
|
|||||||
```
|
```
|
||||||
The Search and custom buttons can be <em>remapped</em> or configured to open a specific application. Button remapping takes effect for the device and applies to all users.
|
The Search and custom buttons can be <em>remapped</em> or configured to open a specific application. Button remapping takes effect for the device and applies to all users.
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> The lockdown settings for a button, per user role, will apply regardless of the button mapping.
|
> The lockdown settings for a button, per user role, will apply regardless of the button mapping.
|
||||||
>
|
>
|
||||||
> Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role.
|
> Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role.
|
||||||
@ -498,7 +498,7 @@ Entry | Description
|
|||||||
----------- | ------------
|
----------- | ------------
|
||||||
MenuItems | Use **DisableMenuItems** to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create.
|
MenuItems | Use **DisableMenuItems** to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create.
|
||||||
|
|
||||||
> [!Important]
|
> [!IMPORTANT]
|
||||||
> If **DisableMenuItems** is not included in a profile, users of that profile can uninstall apps.
|
> If **DisableMenuItems** is not included in a profile, users of that profile can uninstall apps.
|
||||||
|
|
||||||
MenuItems example:
|
MenuItems example:
|
||||||
@ -513,12 +513,12 @@ Entry | Description
|
|||||||
----------- | ------------
|
----------- | ------------
|
||||||
Tiles | **Turning-on tile manipulation** - By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.
|
Tiles | **Turning-on tile manipulation** - By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.
|
||||||
|
|
||||||
> [!Important]
|
> [!IMPORTANT]
|
||||||
> If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile.
|
> If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile.
|
||||||
|
|
||||||
The following sample file contains configuration for enabling tile manipulation.
|
The following sample file contains configuration for enabling tile manipulation.
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> Tile manipulation is disabled when you don’t have a `<Tiles>` node in lockdown XML, or if you have a `<Tiles>` node but don’t have the `<EnableTileManipulation>` node.
|
> Tile manipulation is disabled when you don’t have a `<Tiles>` node in lockdown XML, or if you have a `<Tiles>` node but don’t have the `<EnableTileManipulation>` node.
|
||||||
|
|
||||||
``` syntax
|
``` syntax
|
||||||
@ -1666,15 +1666,3 @@ The following table lists the product ID and AUMID for each app that is included
|
|||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -71,7 +71,7 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.
|
|||||||
<a href="" id="settings-allowuserdecryption"></a>**Settings/AllowUserDecryption**
|
<a href="" id="settings-allowuserdecryption"></a>**Settings/AllowUserDecryption**
|
||||||
<p style="margin-left: 20px">Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences.
|
<p style="margin-left: 20px">Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences.
|
||||||
|
|
||||||
> [!Important]
|
> [!IMPORTANT]
|
||||||
> Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
|
> Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
|
||||||
|
|
||||||
<p style="margin-left: 20px">The following list shows the supported values:
|
<p style="margin-left: 20px">The following list shows the supported values:
|
||||||
|
@ -16,7 +16,7 @@ ms.date: 12/05/2017
|
|||||||
|
|
||||||
The following topic shows the OMA DM device description framework (DDF) for the EnterpriseDataProtection configuration service provider.
|
The following topic shows the OMA DM device description framework (DDF) for the EnterpriseDataProtection configuration service provider.
|
||||||
|
|
||||||
> [!Important]
|
> [!IMPORTANT]
|
||||||
> Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
|
> Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
|
||||||
|
|
||||||
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
|
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
|
||||||
|
@ -167,7 +167,7 @@ Supported operations are Get and Delete.
|
|||||||
<a href="" id="appmanagement-releasemanagement"></a>**AppManagement/AppStore/ReleaseManagement**
|
<a href="" id="appmanagement-releasemanagement"></a>**AppManagement/AppStore/ReleaseManagement**
|
||||||
Added in Windows 10, version 1809. Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization.
|
Added in Windows 10, version 1809. Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization.
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> ReleaseManagement settings only apply to updates through the Microsoft Store.
|
> ReleaseManagement settings only apply to updates through the Microsoft Store.
|
||||||
|
|
||||||
<a href="" id="appmanagement-releasemanagement-releasemanagementkey"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_**
|
<a href="" id="appmanagement-releasemanagement-releasemanagementkey"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_**
|
||||||
|
@ -29,7 +29,7 @@ Third-party MDM servers can manage Windows 10 by using the MDM protocol. The bu
|
|||||||
|
|
||||||
With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros’ operational needs, addressing security concerns for modern cloud-managed devices.
|
With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros’ operational needs, addressing security concerns for modern cloud-managed devices.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>Intune support for the MDM security baseline is coming soon.
|
>Intune support for the MDM security baseline is coming soon.
|
||||||
|
|
||||||
The MDM security baseline includes policies that cover the following areas:
|
The MDM security baseline includes policies that cover the following areas:
|
||||||
|
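Review bot: Only the marker line gets the space (`>[!NOTE]` becomes `> [!NOTE]`); the body line directly below it is left as `>Intune support for the MDM security baseline is coming soon.` Add the space there as well so both lines of the blockquote are formatted the same way. The same leftover appears in the other `>[!NOTE]` hunks of this commit.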
@ -364,7 +364,8 @@ Starting in Windows 10, version 1709, clicking the **Info** button will show a l
|
|||||||
|
|
||||||

|

|
||||||
|
|
||||||
> [Note] Starting in Windows 10, version 1709, the **Manage** button is no longer available.
|
> [NOTE]
|
||||||
|
> Starting in Windows 10, version 1709, the **Manage** button is no longer available.
|
||||||
|
|
||||||
### Disconnect
|
### Disconnect
|
||||||
|
|
||||||
|
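Review bot: The new marker line reads `> [NOTE]`, without the exclamation mark, so it does not match the `> [!NOTE]` alert syntax used in every other hunk of this commit; the old line (`> [Note] Starting in ...`) had the same omission. Change it to `> [!NOTE]`. Moving the text to its own `>` line is fine.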
@ -15,7 +15,7 @@ manager: dansimp
|
|||||||
|
|
||||||
The NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. These settings do not apply to VPN connections. This CSP was added in Windows 10, version 1703.
|
The NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. These settings do not apply to VPN connections. This CSP was added in Windows 10, version 1703.
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> In Windows 10 Mobile, the NetworkProxy CSP only works in ethernet connections. Use the WiFi CSP to configure per-network proxy for Wi-Fi connections in mobile devices.
|
> In Windows 10 Mobile, the NetworkProxy CSP only works in ethernet connections. Use the WiFi CSP to configure per-network proxy for Wi-Fi connections in mobile devices.
|
||||||
|
|
||||||
How the settings work:
|
How the settings work:
|
||||||
@ -40,7 +40,7 @@ Added in Windows 10, version 1803. When set to 0, it enables proxy configuration
|
|||||||
|
|
||||||
Supported operations are Add, Get, Replace, and Delete.
|
Supported operations are Add, Get, Replace, and Delete.
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> Per user proxy configuration setting is not supported.
|
> Per user proxy configuration setting is not supported.
|
||||||
|
|
||||||
<a href="" id="autodetect"></a>**AutoDetect**
|
<a href="" id="autodetect"></a>**AutoDetect**
|
||||||
|
@ -1108,7 +1108,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
|
|||||||
</ul>
|
</ul>
|
||||||
</td></tr>
|
</td></tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td style="vertical-align:top"><a href="mdm-enrollment-of-windows-devices.md#connecting-your-windows-10-based-device-to-work-using-a-deep-link" data-raw-source="[Connecting your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connecting-your-windows-10-based-device-to-work-using-a-deep-link)">Connecting your Windows 10-based device to work using a deep link</a></td>
|
<td style="vertical-align:top"><a href="mdm-enrollment-of-windows-devices.md#connecting-your-windows10-based-device-to-work-using-a-deep-link" data-raw-source="[Connecting your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connecting-your-windows10-based-device-to-work-using-a-deep-link)">Connecting your Windows 10-based device to work using a deep link</a></td>
|
||||||
<td style="vertical-align:top"><p>Added following deep link parameters to the table:</p>
|
<td style="vertical-align:top"><p>Added following deep link parameters to the table:</p>
|
||||||
<ul>
|
<ul>
|
||||||
<li>Username</li>
|
<li>Username</li>
|
||||||
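Review bot: The fragment in both `href` and `data-raw-source` changes from `#connecting-your-windows-10-based-device-to-work-using-a-deep-link` to `#connecting-your-windows10-based-device-to-work-using-a-deep-link`, but the target heading in mdm-enrollment-of-windows-devices.md is not part of this hunk. Confirm that the anchor generated for that heading really contains `windows10-based`; if it does not, the link no longer lands on the section.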
@ -1690,7 +1690,7 @@ The following list describes the prerequisites for a certificate to be used with
|
|||||||
|
|
||||||
The following XML sample explains the properties for the EAP TLS XML including certificate filtering.
|
The following XML sample explains the properties for the EAP TLS XML including certificate filtering.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements.
|
>For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements.
|
||||||
|
|
||||||
|
|
||||||
@ -1793,7 +1793,7 @@ The following XML sample explains the properties for the EAP TLS XML including c
|
|||||||
</EapHostConfig>
|
</EapHostConfig>
|
||||||
```
|
```
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>The EAP TLS XSD is located at **%systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd**
|
>The EAP TLS XSD is located at **%systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd**
|
||||||
|
|
||||||
|
|
||||||
@ -1818,7 +1818,7 @@ Alternatively you can use the following procedure to create an EAP Configuration
|
|||||||
7. Close the rasphone dialog box.
|
7. Close the rasphone dialog box.
|
||||||
8. Continue following the procedure in the [EAP configuration](eap-configuration.md) topic from Step 9 to get an EAP TLS profile with appropriate filtering.
|
8. Continue following the procedure in the [EAP configuration](eap-configuration.md) topic from Step 9 to get an EAP TLS profile with appropriate filtering.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) topic.
|
>You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) topic.
|
||||||
|
|
||||||
|
|
||||||
|
@ -30,7 +30,7 @@ For the list of enrollment scenarios not supported in Windows 10, see [Enrollme
|
|||||||
|
|
||||||
The discovery web service provides the configuration information necessary for a user to enroll a device with a management service. The service is a restful web service over HTTPS (server authentication only).
|
The discovery web service provides the configuration information necessary for a user to enroll a device with a management service. The service is a restful web service over HTTPS (server authentication only).
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
|
>The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
|
||||||
|
|
||||||
The device’s automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http:<span></span>//enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc
|
The device’s automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http:<span></span>//enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc
|
||||||
@ -129,7 +129,7 @@ The discovery response is in the XML format and includes the following fields:
|
|||||||
- Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
|
- Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
|
||||||
- Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
|
- Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>The HTTP server response must not be chunked; it must be sent as one message.
|
>The HTTP server response must not be chunked; it must be sent as one message.
|
||||||
|
|
||||||
The following example shows a response received from the discovery web service for OnPremise authentication:
|
The following example shows a response received from the discovery web service for OnPremise authentication:
|
||||||
@ -214,7 +214,7 @@ After the user is authenticated, the web service retrieves the certificate templ
|
|||||||
|
|
||||||
MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. We will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms.
|
MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. We will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>The HTTP server response must not be chunked; it must be sent as one message.
|
>The HTTP server response must not be chunked; it must be sent as one message.
|
||||||
|
|
||||||
The following snippet shows the policy web service response.
|
The following snippet shows the policy web service response.
|
||||||
@ -306,7 +306,7 @@ The RequestSecurityToken will use a custom TokenType (http:<span></span>//schema
|
|||||||
|
|
||||||
The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration.
|
The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration.
|
||||||
|
|
||||||
>[!NOTE]
|
> [!NOTE]
|
||||||
>The policy service and the enrollment service must be on the same server; that is, they must have the same host name.
|
>The policy service and the enrollment service must be on the same server; that is, they must have the same host name.
|
||||||
|
|
||||||
The following example shows the enrollment web service request for OnPremise authentication.
|
The following example shows the enrollment web service request for OnPremise authentication.
|
||||||
|
@ -738,10 +738,10 @@ The following diagram shows the Policy configuration service provider in tree fo
|
|||||||
|
|
||||||
<dl>
|
<dl>
|
||||||
<dd>
|
<dd>
|
||||||
<a href="./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy" id="cryptography-allowfipsalgorithmpolicy">Cryptography/AllowFipsAlgorithmPolicy</a>
|
<a href="./policy-csp-cryptography.md#cryptographyallowfipsalgorithmpolicy" id="CryptographyAllowFipsAlgorithmPolicy">Cryptography/AllowFipsAlgorithmPolicy</a>
|
||||||
</dd>
|
</dd>
|
||||||
<dd>
|
<dd>
|
||||||
<a href="./policy-csp-cryptography.md#cryptography-tlsciphersuites" id="cryptography-tlsciphersuites">Cryptography/TLSCipherSuites</a>
|
<a href="./policy-csp-cryptography.md#cryptographytlsciphersuites" id="cryptographytlsciphersuites">Cryptography/TLSCipherSuites</a>
|
||||||
</dd>
|
</dd>
|
||||||
</dl>
|
</dl>
|
||||||
|
|
||||||
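Review bot: The two new `id` values use different casing: `id="CryptographyAllowFipsAlgorithmPolicy"` on the first entry and `id="cryptographytlsciphersuites"` on the second. Fragment matching against an `id` is case-sensitive, and the links this commit changes elsewhere (for example at @ -5243) use the lowercase `#cryptographyallowfipsalgorithmpolicy`, so make the first one `id="cryptographyallowfipsalgorithmpolicy"` to match.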
@ -4378,7 +4378,7 @@ The following diagram shows the Policy configuration service provider in tree fo
|
|||||||
- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
|
- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
|
||||||
- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
|
- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
|
||||||
- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
|
- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
|
||||||
- [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
|
- [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptographyallowfipsalgorithmpolicy)
|
||||||
- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
|
- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
|
||||||
- [Defender/AllowArchiveScanning](./policy-csp-defender.md#defender-allowarchivescanning)
|
- [Defender/AllowArchiveScanning](./policy-csp-defender.md#defender-allowarchivescanning)
|
||||||
- [Defender/AllowBehaviorMonitoring](./policy-csp-defender.md#defender-allowbehaviormonitoring)
|
- [Defender/AllowBehaviorMonitoring](./policy-csp-defender.md#defender-allowbehaviormonitoring)
|
||||||
@ -5243,8 +5243,8 @@ The following diagram shows the Policy configuration service provider in tree fo
|
|||||||
|
|
||||||
- [Camera/AllowCamera](#camera-allowcamera)
|
- [Camera/AllowCamera](#camera-allowcamera)
|
||||||
- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
|
- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
|
||||||
- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
|
- [Cryptography/AllowFipsAlgorithmPolicy](#cryptographyallowfipsalgorithmpolicy)
|
||||||
- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
|
- [Cryptography/TLSCipherSuites](#cryptographytlsciphersuites)
|
||||||
- [Defender/AllowArchiveScanning](#defender-allowarchivescanning)
|
- [Defender/AllowArchiveScanning](#defender-allowarchivescanning)
|
||||||
- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring)
|
- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring)
|
||||||
- [Defender/AllowCloudProtection](#defender-allowcloudprotection)
|
- [Defender/AllowCloudProtection](#defender-allowcloudprotection)
|
||||||
|
@ -600,7 +600,7 @@ For this policy to work, the Windows apps need to declare in their manifest that
|
|||||||
</desktop:Extension>
|
</desktop:Extension>
|
||||||
```
|
```
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> This policy only works on modern apps.
|
> This policy only works on modern apps.
|
||||||
|
|
||||||
<!--/Description-->
|
<!--/Description-->
|
||||||
|
@ -456,7 +456,7 @@ ADMX Info:
|
|||||||
<!--Description-->
|
<!--Description-->
|
||||||
This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk.
|
This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk.
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> Any property changes to the job or any successful download action will reset this timeout.
|
> Any property changes to the job or any successful download action will reset this timeout.
|
||||||
|
|
||||||
Value type is integer. Default is 90 days.
|
Value type is integer. Default is 90 days.
|
||||||
|
@ -66,7 +66,7 @@ manager: dansimp
|
|||||||
<!--Description-->
|
<!--Description-->
|
||||||
Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device.
|
Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device.
|
||||||
|
|
||||||
> [!Note]
|
> [!NOTE]
|
||||||
> MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers.
|
> MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers.
|
||||||
|
|
||||||
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
|
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
|
||||||
|
@ -19,14 +19,14 @@ manager: dansimp
|
|||||||
## Cryptography policies
|
## Cryptography policies
|
||||||
|
|
||||||
|
|
||||||
* [Cryptography/AllowFipsAlgorithmPolicy](#CryptographyAllowFipsAlgorithmPolicy)
|
* [Cryptography/AllowFipsAlgorithmPolicy](#cryptographyallowfipsalgorithmpolicy)
|
||||||
* [Cryptography/TLSCipherSuites](#CryptographyTLSCipherSuites)
|
* [Cryptography/TLSCipherSuites](#cryptographytlsciphersuites)
|
||||||
* [Cryptography/Microsoft Surface Hub](#Cryptography-policies-supported-by-Microsoft-Surface-Hub)
|
* [Cryptography/Microsoft Surface Hub](#cryptography-policies-supported-by-microsoft-surface-hub)
|
||||||
<hr/>
|
<hr/>
|
||||||
|
|
||||||
<!--Policy-->
|
<!--Policy-->
|
||||||
|
|
||||||
# Cryptography/AllowFipsAlgorithmPolicy
|
## Cryptography/AllowFipsAlgorithmPolicy
|
||||||
|
|
||||||
<!--SupportedSKUs-->
|
<!--SupportedSKUs-->
|
||||||
|
|
||||||
@ -68,7 +68,7 @@ The following list shows the supported values:
|
|||||||
|
|
||||||
<!--Policy-->
|
<!--Policy-->
|
||||||
|
|
||||||
# Cryptography/TLSCipherSuites
|
## Cryptography/TLSCipherSuites
|
||||||
|
|
||||||
<!--SupportedSKUs-->
|
<!--SupportedSKUs-->
|
||||||
|Home|Pro|Business |Enterprise |Education |Mobile |Mobile Enterprise |
|
|Home|Pro|Business |Enterprise |Education |Mobile |Mobile Enterprise |
|
||||||
@ -103,7 +103,7 @@ Footnote:
|
|||||||
<!--/Policies-->
|
<!--/Policies-->
|
||||||
|
|
||||||
<!--StartSurfaceHub-->
|
<!--StartSurfaceHub-->
|
||||||
# Cryptography policies supported by Microsoft Surface Hub
|
## Cryptography policies supported by Microsoft Surface Hub
|
||||||
|
|
||||||
- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
|
- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
|
||||||
- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
|
- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
|
||||||
|
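Review bot: The list under the renamed Surface Hub heading still links to `#cryptography-allowfipsalgorithmpolicy` and `#cryptography-tlsciphersuites`, while the list at the top of this file was changed at @ -19,14 to `#cryptographyallowfipsalgorithmpolicy` and `#cryptographytlsciphersuites`. Both lists point at the same two headings, so update these two unchanged lines to the unhyphenated fragments as well.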
Some files were not shown because too many files have changed in this diff.