mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into FromPrivateRepo
commit
19fcc88838
@ -14,7 +14,10 @@
|
||||
"resource": [
|
||||
{
|
||||
"files": [
|
||||
"**/images/**"
|
||||
"**/images/**",
|
||||
"**/*.png",
|
||||
"**/*.jpg",
|
||||
"**/*.gif"
|
||||
],
|
||||
"exclude": [
|
||||
"**/obj/**"
|
||||
|
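Review bot: in the `files` list of this `resource` entry, the three added extension globs (`**/*.png`, `**/*.jpg`, `**/*.gif`) match image files anywhere in the tree, so `**/images/**` no longer bounds what gets published; only the `exclude` entries, of which `**/obj/**` is the one visible here, hold anything back. If the goal is only to make the `images` folder resolvable from the include files, narrower patterns would do that without also publishing stray screenshots or working files that sit outside an `images` directory. If the broad match is intended, say so in the commit message, which currently describes only the merge.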
@ -20,7 +20,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|-----------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled | 0 | 0 | Prevented. Hide the Address bar drop-down list and disable the *Show search and site suggestions as I type* toggle in Settings. |  |
|
||||
| Disabled | 0 | 0 | Prevented. Hide the Address bar drop-down list and disable the *Show search and site suggestions as I type* toggle in Settings. |  |
|
||||
| Enabled or not configured **(default)** | 1 | 1 | Allowed. Show the Address bar drop-down list and make it available. | |
|
||||
|
||||
---
|
||||
|
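Review bot: the replacement row points the check mark at `/images/check-gn.png`, a root-relative path, where the old row used `../images/check-gn.png` relative to the include file. That resolves the same way from every page that pulls in this include only if the build maps a leading slash to a folder that actually holds `check-gn.png`; please confirm with a rendered preview. The same substitution repeats in the other policy tables in this commit, so one broken mapping would drop the "Most restricted" marker from all of them, and that marker is the only thing in these tables telling an administrator which value is the hardened one.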
@ -20,7 +20,7 @@ ms:topic: include
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|------------------------------------------|:---:|:--------:|------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured **(default)** | 0 | 0 | Prevented. Users can configure the *Clear browsing data* option in Settings. | |
|
||||
| Enabled | 1 | 1 | Allowed. Clear the browsing data upon exit automatically. |  |
|
||||
| Enabled | 1 | 1 | Allowed. Clear the browsing data upon exit automatically. |  |
|
||||
|
||||
---
|
||||
|
||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|--------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled | 0 | 0 | Prevented. |  |
|
||||
| Disabled | 0 | 0 | Prevented. |  |
|
||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. | |
|
||||
|
||||
---
|
||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|--------------------------|:---:|:--------:|------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled | 0 | 0 | Prevented. Users can still search to find items on their device. |  |
|
||||
| Disabled | 0 | 0 | Prevented. Users can still search to find items on their device. |  |
|
||||
| Enabled<br>**(default)** | 1 | 1 | Allowed. | |
|
||||
|
||||
---
|
||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|--------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
||||
| Disabled | 0 | 0 | Prevented |  |
|
||||
| Disabled | 0 | 0 | Prevented |  |
|
||||
| Enabled | 1 | 1 | Allowed | |
|
||||
|
||||
---
|
||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. |  |
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. |  |
|
||||
| Enabled | 1 | 1 | Show the Books Library, regardless of the device’s country or region. | |
|
||||
|
||||
---
|
||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Gather and send only basic diagnostic data. |  |
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Gather and send only basic diagnostic data. |  |
|
||||
| Enabled | 1 | 1 | Gather all diagnostic data. For this policy to work correctly, you must set the diagnostic data in *Settings > Diagnostics & feedback* to **Full**. | |
|
||||
|
||||
---
|
||||
|
@ -20,7 +20,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|--------------------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
||||
| Disabled | 0 | 0 | Prevented |  |
|
||||
| Disabled | 0 | 0 | Prevented |  |
|
||||
| Enabled<br>**(default)** | 1 | 1 | Allowed | |
|
||||
|
||||
---
|
||||
|
@ -20,7 +20,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
||||
| Disabled | 0 | 0 | Prevented |  |
|
||||
| Disabled | 0 | 0 | Prevented |  |
|
||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed | |
|
||||
|
||||
---
|
||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
||||
| Disabled | 0 | 0 | Prevented |  |
|
||||
| Disabled | 0 | 0 | Prevented |  |
|
||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed | |
|
||||
|
||||
---
|
||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|--------------------------------------------|:---:|:--------:|-------------|:-------------------------------------------------:|
|
||||
| Disabled | 0 | 0 | Prevented |  |
|
||||
| Disabled | 0 | 0 | Prevented |  |
|
||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed | |
|
||||
|
||||
---
|
||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|--------------------------------------------|:---:|:--------:|-------------|:-------------------------------------------------:|
|
||||
| Disabled | 0 | 0 | Prevented |  |
|
||||
| Disabled | 0 | 0 | Prevented |  |
|
||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed | |
|
||||
|
||||
---
|
||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
||||
| Disabled | 0 | 0 | Prevented |  |
|
||||
| Disabled | 0 | 0 | Prevented |  |
|
||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed | |
|
||||
|
||||
---
|
||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
||||
| Disabled | 0 | 0 | Prevented |  |
|
||||
| Disabled | 0 | 0 | Prevented |  |
|
||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed | |
|
||||
|
||||
---
|
||||
|
@ -20,12 +20,12 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Prevented. Microsoft Edge downloads book files to a per-user folder for each user. |  |
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Prevented. Microsoft Edge downloads book files to a per-user folder for each user. |  |
|
||||
| Enabled | 1 | 1 | Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy, which you can find:<p>**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**<p>Also, the users must be signed in with a school or work account. | |
|
||||
|
||||
---
|
||||
|
||||

|
||||

|
||||
|
||||
### ADMX info and settings
|
||||
|
||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|----------------------------|:---:|:--------:|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured | 0 | 0 | Prevented. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, you must enable the **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** group policy, which you can find:<p>**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**<p>For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). |  |
|
||||
| Disabled or not configured | 0 | 0 | Prevented. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, you must enable the **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** group policy, which you can find:<p>**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**<p>For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). |  |
|
||||
| Enabled<br>**(default)** | 1 | 1 | Allowed. | |
|
||||
|
||||
---
|
||||
|
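Review bot: the "Disabled or not configured" row says that blocking `Add-AppxPackage` sideloading requires enabling **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** and setting **ApplicationManagement/AllowDeveloperUnlock** to 1 (enabled). By its name that policy grants developer installs rather than restricting them, so the instruction reads inverted; please confirm the intended state and value with the policy owner before this row is carried forward under the "Most restricted" check mark. The row is also labelled "Disabled or not configured" while the next row marks "Enabled" as the default, so it is unclear which state an unconfigured device is in.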
@ -18,7 +18,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|--------------------------------------------|:---:|:--------:|-------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled | 0 | 0 | Prevented. |  |
|
||||
| Disabled | 0 | 0 | Prevented. |  |
|
||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Allowed. Preload Start and New Tab pages. | |
|
||||
|
||||
---
|
||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. |  |
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. |  |
|
||||
| Enabled | 1 | 1 | Show the Books Library, regardless of the device’s country or region. | |
|
||||
|
||||
---
|
||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Prevented. Use the search engine specified in App settings.<p><p>If you enabled this policy and now want to disable it, all previously configured search engines get removed. |  |
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Prevented. Use the search engine specified in App settings.<p><p>If you enabled this policy and now want to disable it, all previously configured search engines get removed. |  |
|
||||
| Enabled | 1 | 1 | Allowed. Add up to five additional search engines and set any one of them as the default.<p><p>For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). | |
|
||||
|
||||
---
|
||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|--------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled | 0 | 0 | Load and run Adobe Flash content automatically. | |
|
||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Do not load or run Adobe Flash content and require action from the user. |  |
|
||||
| Enabled or not configured<br>**(default)** | 1 | 1 | Do not load or run Adobe Flash content and require action from the user. |  |
|
||||
|
||||
---
|
||||
|
||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------|:-----:|:--------:|-----------------------------------|:------------------------------------------------:|
|
||||
| Not configured<br>**(default)** | Blank | Blank | Users can choose to use Autofill. | |
|
||||
| Disabled | 0 | no | Prevented. |  |
|
||||
| Disabled | 0 | no | Prevented. |  |
|
||||
| Enabled | 1 | yes | Allowed. | |
|
||||
|
||||
---
|
||||
|
@ -29,7 +29,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|-----------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | No data collected or sent |  |
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | No data collected or sent |  |
|
||||
| Enabled | 1 | 1 | Send intranet history only | |
|
||||
| Enabled | 2 | 2 | Send Internet history only | |
|
||||
| Enabled | 3 | 3 | Send both intranet and Internet history | |
|
||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|-----------------------------------------------|:------------------------------------------------:|
|
||||
| Enabled | 0 | 0 | Block all cookies from all sites. |  |
|
||||
| Enabled | 0 | 0 | Block all cookies from all sites. |  |
|
||||
| Enabled | 1 | 1 | Block only coddies from third party websites. | |
|
||||
| Disabled or not configured<br>**(default)** | 2 | 2 | Allow all cookies from all sites. | |
|
||||
|
||||
|
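Review bot: the unchanged middle row of this table reads "Block only coddies from third party websites."; "coddies" should be "cookies", and since the table is being touched anyway the fix belongs in this change. "third party" should also be hyphenated as "third-party" when used as a modifier.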
@ -20,7 +20,7 @@ ms:topic: include
|
||||
|---------------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Not configured<br>**(default)** | Blank | Blank | Do not send tracking information but let users choose to send tracking information to sites they visit. | |
|
||||
| Disabled | 0 | 0 | Never send tracking information. | |
|
||||
| Enabled | 1 | 1 | Send tracking information. |  |
|
||||
| Enabled | 1 | 1 | Send tracking information. |  |
|
||||
|
||||
---
|
||||
|
||||
|
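Review bot: the "Most restricted" check mark stays on the "Enabled | 1" row, whose description is "Send tracking information.", while the "Disabled | 0" row says "Never send tracking information." Read literally, the hardened marker sits on the row that sends more. If "tracking information" here means a Do Not Track request, the descriptions should say so; otherwise the marker is on the wrong row.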
@ -11,7 +11,7 @@ ms:topic: include
|
||||
|
||||
| | |
|
||||
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------|
|
||||
| **Single-app**<p><a href="../images/Picture1.png" alt="Full-sized view single-app digital/interactive signage" target="_blank"></a><p>**Digital/interactive signage**<p>Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data.<ul><li>**Digital signage** does not require user interaction.<p>***Example.*** Use digital signage for things like a rotating advertisement or menu.<p></li><li>**Interactive signage**, on the other hand, requires user interaction within the page but doesn’t allow for any other uses, such as browsing the internet.<p>***Example.*** Use interactive signage for things like a building business directory or restaurant order/pay station.</li></ul><p>**Policy setting** = Not configured (0 default)<p> | <p> <p><a href="../images/Picture2.png" alt="Full-sized view single-app public browsing" target="_blank"></a> <p><strong>Public browsing</strong><p>Runs a limited multi-tab version of Microsoft Edge, protecting user data. Microsoft Edge is the only app users can use on the device, preventing them from customizing Microsoft Edge. Users can only browse publically or end their browsing session.<p>The single-app public browsing mode is the only kiosk mode that has an <strong>End session</strong> button. Microsoft Edge also resets the session after a specified time of user inactivity. Both restart Microsoft Edge and clear the user’s session.<p><em><strong>Example.</strong></em> A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps. <p><strong>Policy setting</strong> = Enabled (1) |
|
||||
| **Multi-app**<p><a href="../images/Picture5.png" alt="Full-sized view multi-app normal browsing" target="_blank"></a><p>**Normal browsing**<p>Runs a full-version of Microsoft Edge with all browsing features and preserves the user data and state between sessions.<p>Some features may not work depending on what other apps you have configured in assigned access. For example, installing extensions or books from the Microsoft store are not allowed if the store is not available. Also, if Internet Explorer 11 is set up in assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.<p>**Policy setting** = Not configured (0 default) | <p> <p><a href="../images/Picture6.png" alt="Full-sized view multi-app public browsing" target="_blank"></a><p><strong>Public browsing</strong><p>Runs a multi-tab version of Microsoft Edge InPrivate with a tailored experience for kiosks that runs in full-screen mode. Users can open and close Microsoft Edge and launch other apps if allowed by assigned access. Instead of an End session button to clear their browsing session, the user closes Microsoft Edge normally.<p>In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. <p><em><strong>Example.</strong></em> A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.<p><strong>Policy setting</strong> = Enabled (1) |
|
||||
| **Single-app**<p><a href="/images/Picture1.png" alt="Full-sized view single-app digital/interactive signage" target="_blank"></a><p>**Digital/interactive signage**<p>Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data.<ul><li>**Digital signage** does not require user interaction.<p>***Example.*** Use digital signage for things like a rotating advertisement or menu.<p></li><li>**Interactive signage**, on the other hand, requires user interaction within the page but doesn’t allow for any other uses, such as browsing the internet.<p>***Example.*** Use interactive signage for things like a building business directory or restaurant order/pay station.</li></ul><p>**Policy setting** = Not configured (0 default)<p> | <p> <p><a href="/images/Picture2.png" alt="Full-sized view single-app public browsing" target="_blank"></a> <p><strong>Public browsing</strong><p>Runs a limited multi-tab version of Microsoft Edge, protecting user data. Microsoft Edge is the only app users can use on the device, preventing them from customizing Microsoft Edge. Users can only browse publically or end their browsing session.<p>The single-app public browsing mode is the only kiosk mode that has an <strong>End session</strong> button. Microsoft Edge also resets the session after a specified time of user inactivity. Both restart Microsoft Edge and clear the user’s session.<p><em><strong>Example.</strong></em> A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps. <p><strong>Policy setting</strong> = Enabled (1) |
|
||||
| **Multi-app**<p><a href="/images/Picture5.png" alt="Full-sized view multi-app normal browsing" target="_blank"></a><p>**Normal browsing**<p>Runs a full-version of Microsoft Edge with all browsing features and preserves the user data and state between sessions.<p>Some features may not work depending on what other apps you have configured in assigned access. For example, installing extensions or books from the Microsoft store are not allowed if the store is not available. Also, if Internet Explorer 11 is set up in assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.<p>**Policy setting** = Not configured (0 default) | <p> <p><a href="/images/Picture6.png" alt="Full-sized view multi-app public browsing" target="_blank"></a><p><strong>Public browsing</strong><p>Runs a multi-tab version of Microsoft Edge InPrivate with a tailored experience for kiosks that runs in full-screen mode. Users can open and close Microsoft Edge and launch other apps if allowed by assigned access. Instead of an End session button to clear their browsing session, the user closes Microsoft Edge normally.<p>In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. <p><em><strong>Example.</strong></em> A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.<p><strong>Policy setting</strong> = Enabled (1) |
|
||||
|
||||
---
|
||||
|
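Review bot: in all four cells the link target changes to a root-relative `href` (for example `/images/Picture1.png`) but the thumbnail inside the same anchor still loads from `../images/Picture1-sm.png`, so the two halves of each image link now resolve by different rules. Either move the `src` values to the same form or explain why only the full-size target moved. Further points on these rows: `alt` is set on the `<a>` element, where it has no effect, while the `<img>` alt text is the bare word "Icon"; the single-app "Public browsing" cell states that Microsoft Edge is the only app users can use, then gives an example that "provides access to Microsoft Edge and other apps", which matches the multi-app cell instead; and "publically" should be "publicly".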
@ -19,7 +19,7 @@ ms:topic: include
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|--------------------------|:-----:|:--------:|--------------------------------------------------------|:------------------------------------------------:|
|
||||
| Not configured | Blank | Blank | Users can choose to save and manage passwords locally. | |
|
||||
| Disabled | 0 | no | Not allowed. |  |
|
||||
| Disabled | 0 | no | Not allowed. |  |
|
||||
| Enabled<br>**(default)** | 1 | yes | Allowed. | |
|
||||
|
||||
---
|
||||
|
@ -20,7 +20,7 @@ ms:topic: include
|
||||
|---------------------------|:-----:|:--------:|-------------------------------------------------|:------------------------------------------------:|
|
||||
| Not configured | Blank | Blank | Users can choose to use Pop-up Blocker. | |
|
||||
| Disabled<br>**(default)** | 0 | 0 | Turned off. Allow pop-up windows to open. | |
|
||||
| Enabled | 1 | 1 | Turned on. Prevent pop-up windows from opening. |  |
|
||||
| Enabled | 1 | 1 | Turned on. Prevent pop-up windows from opening. |  |
|
||||
|
||||
---
|
||||
|
||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------|:-----:|:--------:|---------------------------------------------|:------------------------------------------------:|
|
||||
| Not configured<br>**(default)** | Blank | Blank | Users can choose to see search suggestions. | |
|
||||
| Disabled | 0 | 0 | Prevented. Hide the search suggestions. |  |
|
||||
| Disabled | 0 | 0 | Prevented. Hide the search suggestions. |  |
|
||||
| Enabled | 1 | 1 | Allowed. Show the search suggestions. | |
|
||||
|
||||
---
|
||||
|
@ -20,13 +20,13 @@ ms:topic: include
|
||||
|----------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Not configured | Blank | Blank | Users can choose to use Windows Defender SmartScreen. | |
|
||||
| Disabled | 0 | 0 | Turned off. Do not protect users from potential threats and prevent users from turning it on. | |
|
||||
| Enabled | 1 | 1 | Turned on. Protect users from potential threats and prevent users from turning it off. |  |
|
||||
| Enabled | 1 | 1 | Turned on. Protect users from potential threats and prevent users from turning it off. |  |
|
||||
|
||||
---
|
||||
|
||||
To verify Windows Defender SmartScreen is turned off (disabled):
|
||||
1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
|
||||
2. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is disabled.<p>
|
||||
2. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is disabled.<p>
|
||||
|
||||
|
||||
### ADMX info and settings
|
||||
|
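Review bot: the verification steps after the table cover only the "turned off (disabled)" case, while the table puts the "Most restricted" check mark on "Enabled | 1". Add the matching check for the enabled state, since that is the one a hardening review needs to confirm. In step 2, "is disabled" should say whether the toggle is off, greyed out, or both, given that the Disabled row also promises to "prevent users from turning it on"; and check "malicious sites and download" against the actual UI string, since it reads as if "downloads" was meant.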
@ -18,7 +18,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|----------------|:---:|:--------:|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Not configured | 0 | 0 | Locked. Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy are not editable. |  |
|
||||
| Not configured | 0 | 0 | Locked. Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy are not editable. |  |
|
||||
| Enabled | 1 | 1 | Unlocked. Users can make changes to all configured start pages.<p><p>When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | |
|
||||
|
||||
---
|
||||
|
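Review bot: the "Locked" row says start pages configured in "either the Configure Open Microsoft Edge With policy and Configure Start Pages policy" are not editable; "either ... and" should be "either ... or", or drop "either". The first column of that row reads "Not configured" for value 0, where the other tables in this commit use "Disabled or not configured"; if Disabled is a valid state here it should be listed. The last sentence of the "Enabled" row, that defining URLs in Configure Start Pages makes Microsoft Edge use the URLs from Configure Open Microsoft Edge With, needs a second look, since it names one policy as the input and the other as the source.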
@ -19,7 +19,7 @@ ms:topic: include
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed/turned on. Users can choose what to sync to their device. | |
|
||||
| Enabled | 2 | 2 | Prevented/turned off. Disables the *Sync your Settings* toggle and prevents syncing. |  |
|
||||
| Enabled | 2 | 2 | Prevented/turned off. Disables the *Sync your Settings* toggle and prevents syncing. |  |
|
||||
|
||||
---
|
||||
|
||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Turned off/not syncing | |
|
||||
| Enabled | 1 | 1 | Turned on/syncing |  |
|
||||
| Enabled | 1 | 1 | Turned on/syncing |  |
|
||||
|
||||
---
|
||||
|
||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed | |
|
||||
| Enabled | 1 | 1 | Prevented |  |
|
||||
| Enabled | 1 | 1 | Prevented |  |
|
||||
|
||||
---
|
||||
|
||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). | |
|
||||
| Enabled | 1 | 1 | Prevented/turned on. |  |
|
||||
| Enabled | 1 | 1 | Prevented/turned on. |  |
|
||||
|
||||
---
|
||||
|
||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to the site. | |
|
||||
| Enabled | 1 | 1 | Prevented/turned on. |  |
|
||||
| Enabled | 1 | 1 | Prevented/turned on. |  |
|
||||
|
||||
---
|
||||
|
||||
|
@ -18,7 +18,7 @@ ms:topic: include
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed/turned on. Override the security warning to sites that have SSL errors. | |
|
||||
| Enabled | 1 | 1 | Prevented/turned on. |  |
|
||||
| Enabled | 1 | 1 | Prevented/turned on. |  |
|
||||
|
||||
---
|
||||
|
||||
|
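Review bot: The two description cells in this table both say "turned on" ("Allowed/turned on. Override the security warning..." for value 0 and "Prevented/turned on." for value 1), so the table does not say which state the policy is in when users can bypass SSL errors. The sibling tables in this change use "Allowed/turned off" for the 0 row. Since the file is being edited anyway, correct the default row so the wording distinguishes the two values.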
@ -19,7 +19,7 @@ ms:topic: include
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed/unlocked. Users can add, import, and make changes to the Favorites list. | |
|
||||
| Enabled | 1 | 1 | Prevented/locked down. |  |
|
||||
| Enabled | 1 | 1 | Prevented/locked down. |  |
|
||||
|
||||
---
|
||||
|
||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|--------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed. Load the First Run webpage. | |
|
||||
| Enabled | 1 | 1 | Prevented. |  |
|
||||
| Enabled | 1 | 1 | Prevented. |  |
|
||||
|
||||
---
|
||||
|
||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|--------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Collect and send Live Tile metadata. | |
|
||||
| Enabled | 1 | 1 | Do not collect data. |  |
|
||||
| Enabled | 1 | 1 | Do not collect data. |  |
|
||||
|
||||
---
|
||||
|
||||
|
@ -19,7 +19,7 @@ ms:topic: include
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|---------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | Allowed. Show localhost IP addresses. | |
|
||||
| Enabled | 1 | 1 | Prevented. |  |
|
||||
| Enabled | 1 | 1 | Prevented. |  |
|
||||
|
||||
---
|
||||
|
||||
|
@ -23,7 +23,7 @@ ms:topic: include
|
||||
| Group Policy | Description | Most restricted |
|
||||
|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | |
|
||||
| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.<p>To define a default list of favorites, do the following:<ol><li>In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.</li><li>Click **Import from another browser**, click **Export to file** and save the file.</li><li>In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as: <ul><li>HTTP location: "SiteList"=<https://localhost:8080/URLs.html></li><li>Local network: "SiteList"="\network\shares\URLs.html"</li><li>Local file: "SiteList"=file:///c:/Users/Documents/URLs.html</li></ul></li></ol> |  |
|
||||
| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.<p>To define a default list of favorites, do the following:<ol><li>In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.</li><li>Click **Import from another browser**, click **Export to file** and save the file.</li><li>In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as: <ul><li>HTTP location: "SiteList"=<https://localhost:8080/URLs.html></li><li>Local network: "SiteList"="\network\shares\URLs.html"</li><li>Local file: "SiteList"=file:///c:/Users/Documents/URLs.html</li></ul></li></ol> |  |
|
||||
|
||||
---
|
||||
|
||||
|
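Review bot: The local-network example in the Enabled row, "SiteList"="\network\shares\URLs.html", is carried into the new line with a single leading backslash, which is not a UNC path. It should render as \\network\shares\URLs.html, with the backslashes escaped as the table cell requires. In the same cell, "the location that points the file" is missing "to". Both are worth fixing while this line is being changed.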
@ -22,7 +22,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. |  |
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. |  |
|
||||
| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.<p><p>Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.<ol><li>In Group Policy Editor, navigate to:<p><p>**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**</li><li>Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.<p><p>A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.</li></ol> | |
|
||||
|
||||
---
|
||||
|
@ -20,7 +20,7 @@ ms:topic: include
|
||||
|---------------------------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Not configured<br>**(default)** | Blank | Blank | Use the search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../group-policies/search-engine-customization-gp.md#allow-search-engine-customization) policy, users cannot make changes. | |
|
||||
| Disabled | 0 | 0 | Remove or don't use the policy-set search engine and use the search engine for the market, letting users make changes. | |
|
||||
| Enabled | 1 | 1 | Use the policy-set search engine specified in the OpenSearch XML file, preventing users from making changes.<p><p>Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.<p><p>If you want your users to use the default Microsoft Edge settings for each market, then set the string to **EDGEDEFAULT**.<p><p>If you would like your users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. |  |
|
||||
| Enabled | 1 | 1 | Use the policy-set search engine specified in the OpenSearch XML file, preventing users from making changes.<p><p>Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.<p><p>If you want your users to use the default Microsoft Edge settings for each market, then set the string to **EDGEDEFAULT**.<p><p>If you would like your users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. |  |
|
||||
|
||||
---
|
||||
|
||||
|
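Review bot: In the Enabled row, "Use this format to specify the link you want to add." is followed directly by the EDGEDEFAULT paragraph, so the promised format never appears in the cell. Either add the expected link format after that sentence or remove the sentence. An admin setting a policy-enforced search provider needs to see exactly what string is accepted.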
@ -21,7 +21,7 @@ ms:topic: include
|
||||
|
||||
| Group Policy | MDM | Registry | Description | Most restricted |
|
||||
|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | No additional message displays. |  |
|
||||
| Disabled or not configured<br>**(default)** | 0 | 0 | No additional message displays. |  |
|
||||
| Enabled | 1 | 1 | Show an additional message stating that a site has opened in IE11. | |
|
||||
| Enabled | 2 | 2 | Show an additional message with a *Keep going in Microsoft Edge* link to allow users to open the site in Microsoft Edge. | |
|
||||
|
||||
|
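Review bot: The last two rows are both labelled "Enabled" in the Group Policy column while MDM and Registry carry 1 and 2, so someone configuring this through Group Policy cannot tell from the table which option produces the plain message and which adds the *Keep going in Microsoft Edge* link. Name the option in the first column of each row.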
@ -37,7 +37,7 @@ Note that the local admin account information is not backed by any directory ser
|
||||
|
||||
### Domain join the device to Active Directory (AD)
|
||||
|
||||
You can domain join the Surface Hub to your AD domain to allow users from a specified security group to configure settings. During first run, choose to use [Active Directory Domain Services](first-run-program-surface-hub.md#a-href-iduse-active-directoryause-active-directory-domain-services). You'll need to provide credentials that are capable of joining the domain of your choice, and the name of an existing security group. Anyone who is a member of that security group can enter their credentials and unlock Settings.
|
||||
You can domain join the Surface Hub to your AD domain to allow users from a specified security group to configure settings. During first run, choose to use [Active Directory Domain Services](first-run-program-surface-hub.md#use-active-directory-domain-services). You'll need to provide credentials that are capable of joining the domain of your choice, and the name of an existing security group. Anyone who is a member of that security group can enter their credentials and unlock Settings.
|
||||
|
||||
#### What happens when you domain join your Surface Hub?
|
||||
Surface Hubs use domain join to:
|
||||
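Review bot: The new fragment `#use-active-directory-domain-services` only resolves if the heading in first-run-program-surface-hub.md no longer carries the inline anchor that produced the old `#a-href-iduse-active-directory...` fragment. Please confirm that file is updated in the same change. Otherwise this link silently drops readers at the top of the first-run page instead of the domain join step.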
@ -53,7 +53,7 @@ Surface Hub does not support applying group policies or certificates from the do
|
||||
|
||||
### Azure Active Directory (Azure AD) join the device
|
||||
|
||||
You can Azure AD join the Surface Hub to allow IT pros from your Azure AD tenant to configure settings. During first run, choose to use [Microsoft Azure Active Directory](first-run-program-surface-hub.md#a-href-iduse-microsoft-azureause-microsoft-azure-active-directory). You will need to provide credentials that are capable of joining the Azure AD tenant of your choice. After you successfully Azure AD join, the appropriate people will be granted admin rights on the device.
|
||||
You can Azure AD join the Surface Hub to allow IT pros from your Azure AD tenant to configure settings. During first run, choose to use [Microsoft Azure Active Directory](first-run-program-surface-hub.md#use-microsoft-azure-active-directory). You will need to provide credentials that are capable of joining the Azure AD tenant of your choice. After you successfully Azure AD join, the appropriate people will be granted admin rights on the device.
|
||||
|
||||
By default, all **global administrators** will be given admin rights on an Azure AD joined Surface Hub. With **Azure AD Premium** or **Enterprise Mobility Suite (EMS)**, you can add additional administrators:
|
||||
1. In the [Azure classic portal](https://manage.windowsazure.com/), click **Active Directory**, and then click the name of your organization's directory.
|
||||
|
@ -29,7 +29,7 @@ There are two administrative options you can use to manage SEMM and enrolled Sur
|
||||
|
||||
The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages or WinPE images that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied.
|
||||
|
||||

|
||||

|
||||
|
||||
*Figure 1. Microsoft Surface UEFI Configurator*
|
||||
|
||||
@ -51,7 +51,7 @@ You can download Microsoft Surface UEFI Configurator from the [Surface Tools for
|
||||
|
||||
Surface UEFI configuration packages are the primary mechanism to implement and manage SEMM on Surface devices. These packages contain a configuration file of UEFI settings specified during creation of the package in Microsoft Surface UEFI Configurator and a certificate file, as shown in Figure 2. When a configuration package is run for the first time on a Surface device that is not already enrolled in SEMM, it provisions the certificate file in the device’s firmware and enrolls the device in SEMM. When enrolling a device in SEMM, you will be prompted to confirm the operation by providing the last two digits of the SEMM certificate thumbprint before the certificate file is stored and the enrollment can complete. This confirmation requires that a user be present at the device at the time of enrollment to perform the confirmation.
|
||||
|
||||

|
||||

|
||||
|
||||
*Figure 2. Secure a SEMM configuration package with a certificate*
|
||||
|
||||
@ -64,11 +64,11 @@ After a device is enrolled in SEMM, the configuration file is read and the setti
|
||||
|
||||
You can use Surface UEFI settings to enable or disable the operation of individual components, such as cameras, wireless communication, or docking USB port (as shown in Figure 3), and configure advanced settings (as shown in Figure 4).
|
||||
|
||||

|
||||

|
||||
|
||||
*Figure 3. Enable or disable devices in Surface UEFI with SEMM*
|
||||
|
||||

|
||||

|
||||
|
||||
*Figure 4. Configure advanced settings with SEMM*
|
||||
|
||||
@ -102,13 +102,13 @@ You can configure the following advanced settings with SEMM:
|
||||
>[!NOTE]
|
||||
>When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5.
|
||||
|
||||

|
||||

|
||||
|
||||
*Figure 5. Display of the last two characters of the certificate thumbprint on the Successful page*
|
||||
|
||||
These characters are the last two characters of the certificate thumbprint and should be written down or recorded. The characters are required to confirm enrollment in SEMM on a Surface device, as shown in Figure 6.
|
||||
|
||||

|
||||

|
||||
|
||||
*Figure 6. Enrollment confirmation in SEMM with the SEMM certificate thumbprint*
|
||||
|
||||
@ -134,7 +134,7 @@ A Surface UEFI reset package is used to perform only one task — to unenroll a
|
||||
|
||||
In some scenarios, it may be impossible to use a Surface UEFI reset package. (For example, if Windows becomes unusable on the Surface device.) In these scenarios you can unenroll the Surface device from SEMM through the **Enterprise Management** page of Surface UEFI (shown in Figure 7) with a Recovery Request operation.
|
||||
|
||||

|
||||

|
||||
|
||||
*Figure 7. Initiate a SEMM recovery request on the Enterprise Management page*
|
||||
|
||||
|
@ -1055,6 +1055,7 @@ Prior to deployment of Windows 10, ensure that you complete the tasks listed in
|
||||
| | Notify the students and faculty about the deployment. |
|
||||
|
||||
<p>
|
||||
|
||||
### Perform the deployment
|
||||
|
||||
Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated.
|
||||
|
@ -21,7 +21,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
|
||||
|
||||
Use the following tables for more information about installing the App-V 5.0 server using the command line.
|
||||
|
||||
>[!NOTE]
|
||||
>[!NOTE]
|
||||
> The information in the following tables can also be accessed using the command line by typing the following command:
|
||||
>```
|
||||
> appv\_server\_setup.exe /?
|
||||
|
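Review bot: Inside the note, the command is in a fenced block but still written as `appv\_server\_setup.exe /?`. Backslash escapes are not processed inside a code fence, so readers will see and copy the backslashes. Change it to `appv_server_setup.exe /?` while the note is being touched.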
@ -19,7 +19,7 @@ ms.date: 08/30/2016
|
||||
|
||||
Microsoft Diagnostics and Recovery Toolset (DaRT) 10 requires thorough planning before you deploy it or use its features. If you are new to this product, we recommend that you read the documentation carefully. Before you deploy the product to a production environment, we also recommend that you validate your deployment plan in a test network environment. You might also consider taking a class about relevant technologies.
|
||||
|
||||
>[!NOTE]
|
||||
>[!NOTE]
|
||||
> A downloadable version of this administrator’s guide is not available. However, you can click **Download PDF** at the bottom of the Table of Contents pane to get a PDF version of this guide.
|
||||
>
|
||||
>Additional information about this product can also be found on the [Diagnostics and Recovery Toolset documentation download page.](https://www.microsoft.com/download/details.aspx?id=27754)
|
||||
|
@ -34,7 +34,7 @@ Use the following procedure to configure access to virtualized packages.
|
||||
|
||||
1. Using the format **mydomain** \\ **groupname**, enter the name or part of the name of an Active Directory group object, then select **Check**.
|
||||
|
||||
>[!NOTE]
|
||||
> [!NOTE]
|
||||
> Ensure that you provide an associated domain name for the group that you are searching for.
|
||||
|
||||
3. Grant access to the package by first selecting the desired group, then selecting **Grant Access**. The newly added group is displayed in the **AD entities with access** pane.
|
||||
|
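Review bot: The numbered list in this hunk goes from "1. Using the format..." straight to "3. Grant access...", with only the note in between. Renumber the second item to 2, or restore the missing step if one was dropped, so the source matches what readers see.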
@ -30,11 +30,8 @@ You can create a dynamic user configuration file with the App-V Management Conso
|
||||
|
||||
4. Select **Advanced**, and then select **Export Configuration**. Enter a file name and select **Save**. Now you can edit the file to configure a package for a user.
|
||||
|
||||
>[!NOTE]
|
||||
>If you want to export a configuration while running on Windows Server, make sure to disable the IE Enhanced Security Configuration setting. If this setting is enabled and set to block downloads, you won't be able to download anything from the App-V Server.
|
||||
|
||||
|
||||
|
||||
> [!NOTE]
|
||||
> If you want to export a configuration while running on Windows Server, make sure to disable the IE Enhanced Security Configuration setting. If this setting is enalbed and set to block downloads, you won't be able to download anything from the App-V Server.
|
||||
|
||||
|
||||
## Related topics
|
||||
|
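Review bot: The replacement note introduces a typo, "If this setting is enalbed", where the removed line had "enabled". Please fix before merge. Since the note tells admins to disable IE Enhanced Security Configuration on Windows Server, it would also help to say it can be turned back on once the export is done.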
@ -428,7 +428,7 @@ The body of the deployment configuration file includes two sections:
|
||||
</DeploymentConfiguration>
|
||||
```
|
||||
|
||||
User Configuration: see [Dynamic User Configuration](appv-dynamic-configuration.md#dynamic-user-configuration) for more information about this section.
|
||||
User Configuration: see [Dynamic User Configuration](#dynamic-user-configuration-file) for more information about this section.
|
||||
|
||||
Machine Configuration: The Machine Configuration section of the Deployment Configuration File configures information that can only be set for an entire machine, not a specific user on the computer, like the HKEY\_LOCAL\_MACHINE registry keys in the Virtual Registry. This element can have the following four subsections.
|
||||
|
||||
|
@ -59,7 +59,7 @@ Publish-AppvClientPackage "ContosoApplication" -Global
|
||||
|
||||
## Publish a package to a specific user
|
||||
|
||||
>[!NOTE]
|
||||
> [!NOTE]
|
||||
> You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter.
|
||||
|
||||
An administrator can publish a package to a specific user by specifying the optional *–UserSID* parameter with the **Publish-AppvClientPackage** cmdlet, where *-UserSID* represents the end user’s security identifier (SID).
|
||||
|
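Review bot: The paragraph after the note writes the parameter once as *–UserSID* with an en dash and once as *-UserSID* with a hyphen. Use the ASCII hyphen in both places so the parameter name is consistent and searchable.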
@ -18,7 +18,7 @@ ms.topic: article
|
||||
|
||||
Use the following procedure to publish an App-V package. Once you publish a package, computers running the App-V client can access and run the applications in that package.
|
||||
|
||||
>[!NOTE]
|
||||
> [!NOTE]
|
||||
> The ability to enable only administrators to publish or unpublish packages (described below) is supported starting in App-V 5.0 SP3.
|
||||
|
||||
## Publish an App-V package
|
||||
|
@ -137,7 +137,7 @@ The InsertVersionInfo.sql script is not required for versions of the App-V manag
|
||||
|
||||
The Permissions.sql script should be updated according to **Step 2** in [KB article 3031340](https://support.microsoft.com/kb/3031340).
|
||||
|
||||
>[!IMPORTANT]
|
||||
> [!IMPORTANT]
|
||||
> **Step 1** of the KB article listed above isn't required for versions of App-V later than App-V 5.0 SP3.
|
||||
|
||||
## Microsoft Visual Studio 2012 not supported
|
||||
|
@ -20,7 +20,7 @@ ms.author: lomayor
|
||||
|
||||
Use the following procedure to create a new App-V package using Windows PowerShell.
|
||||
|
||||
> [!NOTE]
|
||||
> [!NOTE]
|
||||
> Before you use this procedure you must copy the associated installer files to the computer running the sequencer and you have read and understand the sequencer section of [Planning for the App-V Sequencer and Client Deployment](appv-planning-for-sequencer-and-client-deployment.md).
|
||||
|
||||
|
||||
|
@ -51,7 +51,7 @@ These tools were included in previous versions of Windows and the associated doc
|
||||
- [Windows Firewall with Advanced Security](https://go.microsoft.com/fwlink/p/?LinkId=708503)
|
||||
- [Windows Memory Diagnostic]( https://go.microsoft.com/fwlink/p/?LinkId=708507)
|
||||
|
||||
>[!TIP]
|
||||
> [!TIP]
|
||||
> If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** page. Details about the information you want for a tool will help us plan future content.
|
||||
|
||||
## Related topics
|
||||
|
@ -16,7 +16,7 @@ manager: dansimp
|
||||
|
||||
AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> The AccountManagement CSP is only supported in Windows Holographic for Business edition.
|
||||
|
||||
|
||||
|
@ -43,7 +43,7 @@ Defines restrictions for applications.
|
||||
Additional information:
|
||||
|
||||
- [Find publisher and product name of apps](#productname) - step-by-step guide for getting the publisher and product names for various Windows apps.
|
||||
- [Whitelist example](#whitelist-example) - example for Windows 10 Mobile that denies all apps except the ones listed.
|
||||
- [Whitelist example](#whitelist-examples) - example for Windows 10 Mobile that denies all apps except the ones listed.
|
||||
|
||||
<a href="" id="enterprisedataprotection"></a>**EnterpriseDataProtection**
|
||||
Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
|
||||
|
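Review bot: The fragment is now `#whitelist-examples` (plural) but the link text still reads "Whitelist example" and the description says "example for Windows 10 Mobile". Update the link text to match the target heading, and confirm that heading exists under that exact name.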
@ -17,7 +17,7 @@ manager: dansimp
|
||||
|
||||
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes.
|
||||
> You must send all the settings together in a single SyncML to be effective.
|
||||
|
||||
@ -167,7 +167,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
||||
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
||||
</ul>
|
||||
|
||||
> [!Tip]
|
||||
> [!TIP]
|
||||
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
||||
|
||||
<p style="margin-left: 20px">This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.</p>
|
||||
@ -193,7 +193,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
||||
- 6 = XTS-AES 128
|
||||
- 7 = XTS-AES 256
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status.
|
||||
|
||||
<p style="margin-left: 20px"> If you want to disable this policy use the following SyncML:</p>
|
||||
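Review bot: The note body directly under the changed `[!NOTE]` marker has "encrytion method", which should be "encryption method". Worth fixing in the same pass, since this note explains why a partially specified EncryptionMethodByDriveType returns status 500.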
@ -245,26 +245,26 @@ The following diagram shows the BitLocker configuration service provider in tree
|
||||
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
||||
</ul>
|
||||
|
||||
> [!Tip]
|
||||
> [!TIP]
|
||||
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
||||
|
||||
<p style="margin-left: 20px">This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.</p>
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> Only one of the additional authentication options can be required at startup, otherwise an error occurs.
|
||||
|
||||
<p style="margin-left: 20px">If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.</p>
|
||||
|
||||
<p style="margin-left: 20px">On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.</p>
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> In Windows 10, version 1703 release B, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits.
|
||||
|
||||
<p style="margin-left: 20px">If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.</p>
|
||||
|
||||
<p style="margin-left: 20px">If you disable or do not configure this setting, users can configure only basic options on computers with a TPM.</p>
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
|
||||
|
||||
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
|
||||
@ -342,12 +342,12 @@ The following diagram shows the BitLocker configuration service provider in tree
|
||||
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
||||
</ul>
|
||||
|
||||
> [!Tip]
|
||||
> [!TIP]
|
||||
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
||||
|
||||
<p style="margin-left: 20px">This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.</p>
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits.
|
||||
>
|
||||
>In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This does not apply to TPM 1.2.
|
||||
@ -411,7 +411,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
||||
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
||||
</ul>
|
||||
|
||||
> [!Tip]
|
||||
> [!TIP]
|
||||
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
||||
|
||||
<p style="margin-left: 20px">This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
|
||||
@ -437,7 +437,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
||||
- 'yy' = string of max length 900.
|
||||
- 'zz' = string of max length 500.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status.
|
||||
|
||||
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
|
||||
@ -457,7 +457,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
||||
</Replace>
|
||||
```
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
|
||||
|
||||
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
|
||||
@ -492,7 +492,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
||||
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
||||
</ul>
|
||||
|
||||
> [!Tip]
|
||||
> [!TIP]
|
||||
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
||||
|
||||
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.</p>
|
||||
@ -589,7 +589,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
||||
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
||||
</ul>
|
||||
|
||||
> [!Tip]
|
||||
> [!TIP]
|
||||
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
||||
|
||||
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.</p>
|
||||
@ -687,7 +687,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
||||
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
||||
</ul>
|
||||
|
||||
> [!Tip]
|
||||
> [!TIP]
|
||||
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
||||
|
||||
<p style="margin-left: 20px">This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.</p>
|
||||
@ -749,7 +749,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
||||
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
|
||||
</ul>
|
||||
|
||||
> [!Tip]
|
||||
> [!TIP]
|
||||
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
||||
|
||||
<p style="margin-left: 20px">This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.</p>
|
||||
@ -795,7 +795,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
||||
|
||||
<p style="margin-left: 20px">Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.</p>
|
||||
|
||||
> [!Important]
|
||||
> [!IMPORTANT]
|
||||
> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview).
|
||||
|
||||
> [!Warning]
|
||||
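Review bot: The trailing `> [!Warning]` line at the end of this hunk is left in mixed case while the alert directly above it is changed to `[!IMPORTANT]`. This commit upper-cases alert keywords elsewhere (for example `[!WARNING]` in the CM\_CellularEntries hunk), so change this one to `> [!WARNING]` as well to keep the file consistent.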
@ -855,7 +855,7 @@ The following diagram shows the BitLocker configuration service provider in tree
|
||||
<a href="" id="allowstandarduserencryption"></a>**AllowStandardUserEncryption**
|
||||
Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> This policy is only supported in Azure AD accounts.
|
||||
|
||||
"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced.
|
||||
|
@ -32,7 +32,7 @@ On the desktop, you can create an Active Directory account, such as "enrollment@
|
||||
|
||||
On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
|
||||
|
||||
>[!NOTE]
|
||||
> [!NOTE]
|
||||
> - Bulk-join is not supported in Azure Active Directory Join.
|
||||
> - Bulk enrollment does not work in Intune standalone environment.
|
||||
> - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console.
|
||||
|
@ -139,7 +139,7 @@ The following diagram shows the CM\_CellularEntries configuration service provid
|
||||
<a href="" id="iptype"></a>**IPType**
|
||||
<p style="margin-left: 20px"> Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value is not specified, the default value is "IPv4".
|
||||
|
||||
> [!Warning]
|
||||
> [!WARNING]
|
||||
> Do not use IPv6 or IPv4v6xlat on a device or network that does not support IPv6. Data functionality will not work. In addition, the device will not be able to connect to a roaming network that does not support IPv6 unless you configure roaming connections with an IPType of IPv4v6.
|
||||
|
||||
|
||||
@ -149,7 +149,7 @@ The following diagram shows the CM\_CellularEntries configuration service provid
|
||||
|
||||
<p style="margin-left: 20px"> To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it should not be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Note that sending MMS while roaming is still not allowed.
|
||||
|
||||
> [!Important]
|
||||
> [!IMPORTANT]
|
||||
> Do not set ExemptFromDisablePolicy to "1", ExemptFromRoaming to "1", or UseRequiresMappingsPolicy to "1" for general purpose connections.
|
||||
|
||||
<p style="margin-left: 20px"> To avoid UX inconsistency with certain value combinations of ExemptFromDisablePolicy and AllowMmsIfDataIsOff, when you do not set ExemptFromDisablePolicy to 1 (default is 0), you should:
|
||||
@ -168,12 +168,11 @@ The following diagram shows the CM\_CellularEntries configuration service provid
|
||||
<a href="" id="idledisconnecttimeout"></a>**IdleDisconnectTimeout**
|
||||
<p style="margin-left: 20px"> Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds.
|
||||
|
||||
> [!Important]
|
||||
> [!IMPORTANT]
|
||||
> <p style="margin-left: 20px"> You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used.
|
||||
>
|
||||
>
|
||||
>
|
||||
> [!Note]
|
||||
|
||||
|
||||
> [!NOTE]
|
||||
> If tear-down/activation requests occur too frequently, this value should be set to greater than 5 seconds.
|
||||
|
||||
|
||||
|
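Review bot: Inside the `[!IMPORTANT]` alert for IdleDisconnectTimeout, the body line still begins with `<p style="margin-left: 20px">` and has no closing `</p>`. Raw HTML with an unclosed paragraph inside a blockquote alert is fragile and may interfere with the `[!NOTE]` that follows; drop the tag so the line reads `> You must specify the IdleDisconnectTimeout value ...`. The hunk also shrinks from 12 to 11 lines around the empty `>` lines, so confirm that a blank line still separates the two alerts.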
@ -1078,7 +1078,7 @@ Specifies the properties of the publisher details.
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td><p>architectures</p></td>
|
||||
<td><p>collection of <a href="#productarchitecture" data-raw-source="[ProductArchitecture](#productarchitecture)">ProductArchitecture</a></p></td>
|
||||
<td><p>collection of <a href="#productarchitectures" data-raw-source="[ProductArchitectures](#productarchitectures)">ProductArchitectures</a></p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
@ -188,7 +188,7 @@ Value type is string. Supported operation is Get.
|
||||
<a href="" id="devicehardwaredata"></a>**Ext/DeviceHardwareData**
|
||||
<p style="margin-left: 20px">Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information.
|
||||
|
||||
<p style="margin-left: 20px">Supported operation is Get.
|
||||
|
@ -61,7 +61,7 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
|
||||
|
||||
In this example you configure **Enable App-V Client** to **Enabled**.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
|
||||
|
||||
``` syntax
|
||||
@ -223,7 +223,7 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
|
||||
|
||||
Here is the example for **AppVirtualization/PublishingAllowServer2**:
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
|
||||
|
||||
``` syntax
|
||||
|
@ -21,7 +21,7 @@ Requirements:
|
||||
- The enterprise AD must be [registered with Azure Active Directory (Azure AD)](azure-active-directory-integration-with-mdm.md)
|
||||
- The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
|
||||
|
||||
> [!Tip]
|
||||
> [!TIP]
|
||||
> [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
|
||||
|
||||
To verify if the device is Azure AD registered, run `dsregcmd /status` from the command line.
|
||||
@ -32,7 +32,7 @@ Here is a partial screenshot of the result:
|
||||
|
||||
The auto-enrollment relies of the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
|
||||
|
||||
When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
|
||||
|
@ -41,7 +41,7 @@ Supported operations are Add, Delete, Get and Replace.
|
||||
|
||||
The Apps and Settings sections of lockdown XML constitute an Allow list. Any app or setting that is not specified in AssignedAccessXML will not be available on the device to users. The following table describes the entries in lockdown XML.
|
||||
|
||||
> [!Important]
|
||||
> [!IMPORTANT]
|
||||
> When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an MDM, the XML must use escaped characters, such as \< instead of < because it is embedded in an XML. The examples provided in the topic are formatted for readability.
|
||||
|
||||
When using the AssignedAccessXml in a provisioning package using the Windows Configuration Designer tool, do not use escaped characters.
|
||||
@ -268,7 +268,7 @@ Here is an example for Windows 10, version 1703.
|
||||
|
||||
Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page).
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. In Windows 10, version 1703, Quick action settings no longer require any dependencies from related group or page.
|
||||
|
||||
<ul>
|
||||
@ -376,7 +376,7 @@ Buttons | The following list identifies the hardware buttons on the device that
|
||||
<li><p>Custom3</p></li>
|
||||
</ul>
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> Lock down of the Start button only prevents the press and hold event.
|
||||
>
|
||||
> Custom buttons are hardware buttons that can be added to devices by OEMs.
|
||||
@ -400,7 +400,7 @@ Buttons example:
|
||||
```
|
||||
The Search and custom buttons can be <em>remapped</em> or configured to open a specific application. Button remapping takes effect for the device and applies to all users.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> The lockdown settings for a button, per user role, will apply regardless of the button mapping.
|
||||
>
|
||||
> Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role.
|
||||
@ -498,7 +498,7 @@ Entry | Description
|
||||
----------- | ------------
|
||||
MenuItems | Use **DisableMenuItems** to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create.
|
||||
|
||||
> [!Important]
|
||||
> [!IMPORTANT]
|
||||
> If **DisableMenuItems** is not included in a profile, users of that profile can uninstall apps.
|
||||
|
||||
MenuItems example:
|
||||
@ -513,12 +513,12 @@ Entry | Description
|
||||
----------- | ------------
|
||||
Tiles | **Turning-on tile manipulation** - By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.
|
||||
|
||||
> [!Important]
|
||||
> [!IMPORTANT]
|
||||
> If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile.
|
||||
|
||||
The following sample file contains configuration for enabling tile manipulation.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> Tile manipulation is disabled when you don’t have a `<Tiles>` node in lockdown XML, or if you have a `<Tiles>` node but don’t have the `<EnableTileManipulation>` node.
|
||||
|
||||
``` syntax
|
||||
@ -1666,15 +1666,3 @@ The following table lists the product ID and AUMID for each app that is included
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -71,7 +71,7 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.
|
||||
<a href="" id="settings-allowuserdecryption"></a>**Settings/AllowUserDecryption**
|
||||
<p style="margin-left: 20px">Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences.
|
||||
|
||||
> [!Important]
|
||||
> [!IMPORTANT]
|
||||
> Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
|
||||
|
||||
<p style="margin-left: 20px">The following list shows the supported values:
|
||||
|
@ -16,7 +16,7 @@ ms.date: 12/05/2017
|
||||
|
||||
The following topic shows the OMA DM device description framework (DDF) for the EnterpriseDataProtection configuration service provider.
|
||||
|
||||
> [!Important]
|
||||
> [!IMPORTANT]
|
||||
> Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
|
||||
|
||||
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
|
||||
|
@ -167,7 +167,7 @@ Supported operations are Get and Delete.
|
||||
<a href="" id="appmanagement-releasemanagement"></a>**AppManagement/AppStore/ReleaseManagement**
|
||||
Added in Windows 10, version 1809. Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> ReleaseManagement settings only apply to updates through the Microsoft Store.
|
||||
|
||||
<a href="" id="appmanagement-releasemanagement-releasemanagementkey"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_**
|
||||
|
@ -364,7 +364,8 @@ Starting in Windows 10, version 1709, clicking the **Info** button will show a l
|
||||
|
||||

|
||||
|
||||
> [Note] Starting in Windows 10, version 1709, the **Manage** button is no longer available.
|
||||
> [NOTE]
|
||||
> Starting in Windows 10, version 1709, the **Manage** button is no longer available.
|
||||
|
||||
### Disconnect
|
||||
|
||||
|
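Review bot: The replacement alert is written `> [NOTE]`, without the `!` that every other alert in this commit uses (`> [!NOTE]`). Without it the line is likely to render as literal bracketed text in a plain blockquote rather than as a note callout; change it to `> [!NOTE]`.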
@ -15,7 +15,7 @@ manager: dansimp
|
||||
|
||||
The NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. These settings do not apply to VPN connections. This CSP was added in Windows 10, version 1703.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> In Windows 10 Mobile, the NetworkProxy CSP only works in ethernet connections. Use the WiFi CSP to configure per-network proxy for Wi-Fi connections in mobile devices.
|
||||
|
||||
How the settings work:
|
||||
@ -40,7 +40,7 @@ Added in Windows 10, version 1803. When set to 0, it enables proxy configuration
|
||||
|
||||
Supported operations are Add, Get, Replace, and Delete.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> Per user proxy configuration setting is not supported.
|
||||
|
||||
<a href="" id="autodetect"></a>**AutoDetect**
|
||||
|
@ -1108,7 +1108,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
|
||||
</ul>
|
||||
</td></tr>
|
||||
<tr class="even">
|
||||
<td style="vertical-align:top"><a href="mdm-enrollment-of-windows-devices.md#connecting-your-windows-10-based-device-to-work-using-a-deep-link" data-raw-source="[Connecting your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connecting-your-windows-10-based-device-to-work-using-a-deep-link)">Connecting your Windows 10-based device to work using a deep link</a></td>
|
||||
<td style="vertical-align:top"><a href="mdm-enrollment-of-windows-devices.md#connecting-your-windows10-based-device-to-work-using-a-deep-link" data-raw-source="[Connecting your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connecting-your-windows10-based-device-to-work-using-a-deep-link)">Connecting your Windows 10-based device to work using a deep link</a></td>
|
||||
<td style="vertical-align:top"><p>Added following deep link parameters to the table:</p>
|
||||
<ul>
|
||||
<li>Username</li>
|
||||
|
@ -738,10 +738,10 @@ The following diagram shows the Policy configuration service provider in tree fo
|
||||
|
||||
<dl>
|
||||
<dd>
|
||||
<a href="./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy" id="cryptography-allowfipsalgorithmpolicy">Cryptography/AllowFipsAlgorithmPolicy</a>
|
||||
<a href="./policy-csp-cryptography.md#cryptographyallowfipsalgorithmpolicy" id="CryptographyAllowFipsAlgorithmPolicy">Cryptography/AllowFipsAlgorithmPolicy</a>
|
||||
</dd>
|
||||
<dd>
|
||||
<a href="./policy-csp-cryptography.md#cryptography-tlsciphersuites" id="cryptography-tlsciphersuites">Cryptography/TLSCipherSuites</a>
|
||||
<a href="./policy-csp-cryptography.md#cryptographytlsciphersuites" id="cryptographytlsciphersuites">Cryptography/TLSCipherSuites</a>
|
||||
</dd>
|
||||
</dl>
|
||||
|
||||
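Review bot: The new `id` on the first `<a>` is mixed case (`id="CryptographyAllowFipsAlgorithmPolicy"`), while its own `href` fragment and the second entry's `id="cryptographytlsciphersuites"` are lower case. Fragment matching against an `id` is case-sensitive, so use `id="cryptographyallowfipsalgorithmpolicy"` to keep the two entries consistent.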
@ -4378,7 +4378,7 @@ The following diagram shows the Policy configuration service provider in tree fo
|
||||
- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
|
||||
- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
|
||||
- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
|
||||
- [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
|
||||
- [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptographyallowfipsalgorithmpolicy)
|
||||
- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
|
||||
- [Defender/AllowArchiveScanning](./policy-csp-defender.md#defender-allowarchivescanning)
|
||||
- [Defender/AllowBehaviorMonitoring](./policy-csp-defender.md#defender-allowbehaviormonitoring)
|
||||
@ -5243,8 +5243,8 @@ The following diagram shows the Policy configuration service provider in tree fo
|
||||
|
||||
- [Camera/AllowCamera](#camera-allowcamera)
|
||||
- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
|
||||
- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
|
||||
- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
|
||||
- [Cryptography/AllowFipsAlgorithmPolicy](#cryptographyallowfipsalgorithmpolicy)
|
||||
- [Cryptography/TLSCipherSuites](#cryptographytlsciphersuites)
|
||||
- [Defender/AllowArchiveScanning](#defender-allowarchivescanning)
|
||||
- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring)
|
||||
- [Defender/AllowCloudProtection](#defender-allowcloudprotection)
|
||||
|
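Review bot: The two rewritten links are now the only entries in this list that drop the hyphen between area and policy name; the neighbours (`#camera-allowcamera`, `#defender-allowarchivescanning`) keep the `area-policy` form. In-page fragments resolve only against an `id` with the exact same spelling and case, so check that both `#cryptographyallowfipsalgorithmpolicy` and `#cryptographytlsciphersuites` have matching ids in this file before merging.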
@ -600,7 +600,7 @@ For this policy to work, the Windows apps need to declare in their manifest that
|
||||
</desktop:Extension>
|
||||
```
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> This policy only works on modern apps.
|
||||
|
||||
<!--/Description-->
|
||||
|
@ -456,7 +456,7 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> Any property changes to the job or any successful download action will reset this timeout.
|
||||
|
||||
Value type is integer. Default is 90 days.
|
||||
|
@ -66,7 +66,7 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers.
|
||||
|
||||
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
|
||||
|
@ -19,14 +19,14 @@ manager: dansimp
|
||||
## Cryptography policies
|
||||
|
||||
|
||||
* [Cryptography/AllowFipsAlgorithmPolicy](#CryptographyAllowFipsAlgorithmPolicy)
|
||||
* [Cryptography/TLSCipherSuites](#CryptographyTLSCipherSuites)
|
||||
* [Cryptography/Microsoft Surface Hub](#Cryptography-policies-supported-by-Microsoft-Surface-Hub)
|
||||
* [Cryptography/AllowFipsAlgorithmPolicy](#cryptographyallowfipsalgorithmpolicy)
|
||||
* [Cryptography/TLSCipherSuites](#cryptographytlsciphersuites)
|
||||
* [Cryptography/Microsoft Surface Hub](#cryptography-policies-supported-by-microsoft-surface-hub)
|
||||
<hr/>
|
||||
|
||||
<!--Policy-->
|
||||
|
||||
# Cryptography/AllowFipsAlgorithmPolicy
|
||||
## Cryptography/AllowFipsAlgorithmPolicy
|
||||
|
||||
<!--SupportedSKUs-->
|
||||
|
||||
@ -68,7 +68,7 @@ The following list shows the supported values:
|
||||
|
||||
<!--Policy-->
|
||||
|
||||
# Cryptography/TLSCipherSuites
|
||||
## Cryptography/TLSCipherSuites
|
||||
|
||||
<!--SupportedSKUs-->
|
||||
|Home|Pro|Business |Enterprise |Education |Mobile |Mobile Enterprise |
|
||||
@ -103,7 +103,7 @@ Footnote:
|
||||
<!--/Policies-->
|
||||
|
||||
<!--StartSurfaceHub-->
|
||||
# Cryptography policies supported by Microsoft Surface Hub
|
||||
## Cryptography policies supported by Microsoft Surface Hub
|
||||
|
||||
- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
|
||||
- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
|
||||
|
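Review bot: The two list items under the Surface Hub heading still link to `#cryptography-allowfipsalgorithmpolicy` and `#cryptography-tlsciphersuites`, the hyphenated fragments that the list at the top of this file was just moved away from. With the policy headings now `## Cryptography/AllowFipsAlgorithmPolicy` and `## Cryptography/TLSCipherSuites`, update these to `#cryptographyallowfipsalgorithmpolicy` and `#cryptographytlsciphersuites` so they match the top-of-file links.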
@ -1244,7 +1244,7 @@ If this setting is on, Windows Defender Antivirus will be more aggressive when i
|
||||
|
||||
For more information about specific values that are supported, see the Windows Defender Antivirus documentation site.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> This feature requires the "Join Microsoft MAPS" setting enabled in order to function.
|
||||
|
||||
<!--/Description-->
|
||||
@ -1315,7 +1315,7 @@ The typical cloud check timeout is 10 seconds. To enable the extended cloud chec
|
||||
|
||||
For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> This feature depends on three other MAPS settings the must all be enabled- "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required".
|
||||
|
||||
<!--/Description-->
|
||||
|
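Review bot: The alert body under the changed `[!NOTE]` line has a typo and unbalanced quoting: "the must all be enabled-" and an opening double quote before `Configure the 'Block at First Sight' feature` that is never closed. Since the alert is being touched anyway, fix the sentence to read `that must all be enabled: "Configure the 'Block at First Sight' feature", "Join Microsoft MAPS", and "Send file samples when further analysis is required"`.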
@ -73,7 +73,7 @@ Device memory sandboxing allows the OS to leverage the I/O Memory Management Uni
|
||||
|
||||
This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices.
|
||||
|
||||
Supported values:
|
||||
|
@ -2227,7 +2227,7 @@ Value - A number indicating the zone with which this site should be associated f
|
||||
|
||||
If you disable or do not configure this policy, users may choose their own site-to-zone assignments.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> This policy is a list that contains the site and index value.
|
||||
|
||||
The list is a set of pairs of strings. Each string is seperated by F000. Each pair of strings is stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below.
|
||||
|
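Review bot: The trailing context line of this hunk misspells "seperated" and gives the delimiter only as "F000", without saying what kind of value that is. Correct the spelling to "separated" and state the form of the delimiter explicitly, so that admins building the site-to-zone list do not have to guess how to encode it.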
@ -88,7 +88,7 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic
|
||||
<!--Description-->
|
||||
Added in Windows 10, version 1803. List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> This policy only applies to the Kiosk Browser app in Microsoft Store.
|
||||
|
||||
<!--/Description-->
|
||||
@ -134,7 +134,7 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL
|
||||
<!--Description-->
|
||||
Added in Windows 10, version 1803. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> This policy only applies to the Kiosk Browser app in Microsoft Store.
|
||||
|
||||
<!--/Description-->
|
||||
@ -180,7 +180,7 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s
|
||||
<!--Description-->
|
||||
Added in Windows 10, version 1803. Configures the default URL kiosk browsers to navigate on launch and restart.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> This policy only applies to the Kiosk Browser app in Microsoft Store.
|
||||
|
||||
<!--/Description-->
|
||||
@ -269,7 +269,7 @@ Shows the Kiosk Browser's end session button. When the policy is enabled, the Ki
|
||||
<!--Description-->
|
||||
Added in Windows 10, version 1803. Enable/disable kiosk browser's home button.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> This policy only applies to the Kiosk Browser app in Microsoft Store.
|
||||
|
||||
<!--/Description-->
|
||||
@ -315,7 +315,7 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button.
|
||||
<!--Description-->
|
||||
Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation buttons (forward/back).
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> This policy only applies to the Kiosk Browser app in Microsoft Store.
|
||||
|
||||
<!--/Description-->
|
||||
@ -363,7 +363,7 @@ Added in Windows 10, version 1803. Amount of time in minutes the session is idle
|
||||
|
||||
The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> This policy only applies to the Kiosk Browser app in Microsoft Store.
|
||||
|
||||
<!--/Description-->
|
||||
|
@ -692,7 +692,7 @@ GP Info:
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
|
||||
> [!Warning]
|
||||
> [!WARNING]
|
||||
> Starting in the version 1809 of Windows, this policy is deprecated.
|
||||
|
||||
Domain member: Digitally encrypt or sign secure channel data (always)
|
||||
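Review bot: The warning sentence "Starting in the version 1809 of Windows, this policy is deprecated." is awkwardly worded and gives no pointer to what an admin should use instead. Suggest "Starting in version 1809 of Windows, this policy is deprecated." and, if a replacement setting exists, naming it in the same alert. The identical sentence appears in the next two hunks of this file and should get the same treatment.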
@ -762,7 +762,7 @@ GP Info:
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
|
||||
> [!Warning]
|
||||
> [!WARNING]
|
||||
> Starting in the version 1809 of Windows, this policy is deprecated.
|
||||
|
||||
Domain member: Digitally encrypt secure channel data (when possible)
|
||||
@ -829,7 +829,7 @@ GP Info:
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
|
||||
> [!Warning]
|
||||
> [!WARNING]
|
||||
> Starting in the version 1809 of Windows, this policy is deprecated.
|
||||
|
||||
Domain member: Disable machine account password changes
|
||||
|
@ -81,7 +81,7 @@ If you disable or do not configure this policy setting, the client computer will
|
||||
|
||||
No reboots or service restarts are required for this policy setting to take effect.
|
||||
|
||||
> [!Warning]
|
||||
> [!WARNING]
|
||||
> This policy is designed for zero exhaust. This policy may cause some MDM processes to break because WNS notification is used by the MDM server to send real time tasks to the device, such as remote wipe, unenroll, remote find, and mandatory app installation. When this policy is set to disallow WNS, those real time processes will no longer work and some time-sensitive actions such as remote wipe when the device is stolen or unenrollment when the device is compromised will not work.
|
||||
|
||||
<!--/Description-->
|
||||
|
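Review bot: The warning body opens with "This policy is designed for zero exhaust." without defining the term, and then packs every consequence into one long sentence. Suggest a short definition or link for "zero exhaust", and splitting the affected MDM actions (remote wipe, unenroll, remote find, mandatory app installation) into a list so that the loss of remote wipe on a stolen device is not buried mid-paragraph.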
@ -318,7 +318,7 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.
|
||||
|
||||
|
||||
|
@ -444,7 +444,7 @@ This MDM setting corresponds to the EnableFontProviders Group Policy setting. If
|
||||
|
||||
This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service.
|
||||
|
||||
<!--/Description-->
|
||||
|
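Review bot: The context line directly above the alert has two typos, "fond handling" and "has not direct effect". Correct them to "font handling" and "has no direct effect" in the same pass as the alert casing.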
@ -1896,7 +1896,7 @@ For Quality Updates, this policy specifies the deadline in days before automatic
|
||||
|
||||
The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule are not set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period.
|
||||
|
||||
Value type is integer. Default is 14.
|
||||
@ -3786,7 +3786,7 @@ Options:
|
||||
- 1 – Turn off all notifications, excluding restart warnings
|
||||
- 2 – Turn off all notifications, including restart warnings
|
||||
|
||||
> [!Important]
|
||||
> [!IMPORTANT]
|
||||
> If you choose not to get update notifications and also define other Group policies so that devices aren’t automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk.
|
||||
|
||||
<!--/Description-->
|
||||
@ -3847,7 +3847,7 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
> [!Important]
|
||||
> [!IMPORTANT]
|
||||
> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile.
|
||||
|
||||
Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
|
||||
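Review bot: "Enteprise" in the note body ("Windows 10 Mobile Enteprise and IoT Mobile") is misspelled; correct it to "Enterprise". A comma after "version 1703" would also make the sentence easier to read.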
@ -3939,7 +3939,7 @@ To use this setting, you must set two server name values: the server from which
|
||||
|
||||
Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
|
||||
> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates.
|
||||
> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
|
||||
|
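Review bot: The three statements under the single [!NOTE] are consecutive ">" lines with nothing between them, so they will render as one run-on paragraph. Put a bare ">" line between them, or turn them into a bulleted list inside the alert, so each condition (Configure Automatic Updates disabled, Alternate Download Server not set, Windows RT unsupported) stands on its own.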
@ -436,7 +436,7 @@ Valid values:
|
||||
<!--Description-->
|
||||
Added in Windows 10, version 1709. Use this policy if you want Windows Defender Security Center to only display notifications which are considered critical. If you disable or do not configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If Suppress notification is enabled then users will not see critical or non-critical messages.
|
||||
|
||||
Value type is integer. Supported operations are Add, Get, Replace and Delete.
|
||||
|
@ -29,7 +29,7 @@ The following diagram shows the Reboot configuration service provider management
|
||||
<a href="" id="rebootnow"></a>**RebootNow**
|
||||
<p style="margin-left: 20px">This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work.</p>
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If this node is set to execute during a sync session, the device will reboot at the end of the sync session.
|
||||
|
||||
<p style="margin-left: 20px">The supported operations are Execute and Get.</p>
|
||||
|
@ -45,7 +45,7 @@ The default value changed to false in Windows 10, version 1703. The default valu
|
||||
<a href="" id="setpowerpolicies"></a>**SetPowerPolicies**
|
||||
Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
|
||||
|
||||
The supported operations are Add, Get, Replace, and Delete.
|
||||
@ -55,7 +55,7 @@ The default value is Not Configured and the effective power settings are determi
|
||||
<a href="" id="maintenancestarttime"></a>**MaintenanceStartTime**
|
||||
Optional. An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
|
||||
|
||||
The supported operations are Add, Get, Replace, and Delete.
|
||||
@ -65,7 +65,7 @@ The default value is Not Configured and its value in the SharedPC provisioning p
|
||||
<a href="" id="signinonresume"></a>**SignInOnResume**
|
||||
Optional. A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
|
||||
|
||||
The supported operations are Add, Get, Replace, and Delete.
|
||||
@ -75,7 +75,7 @@ The default value is Not Configured and its value in the SharedPC provisioning p
|
||||
<a href="" id="sleeptimeout"></a>**SleepTimeout**
|
||||
The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
|
||||
|
||||
The supported operations are Add, Get, Replace, and Delete.
|
||||
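Review bot: The SleepTimeout description in the first context line gives the unit as seconds but the default as "5 minutes". State the default in the unit the node takes so the value an admin sends is unambiguous.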
@ -85,7 +85,7 @@ The default value is Not Configured, and effective behavior is determined by the
|
||||
<a href="" id="enableaccountmanager"></a>**EnableAccountManager**
|
||||
A boolean that enables the account manager for shared PC mode.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
|
||||
|
||||
The supported operations are Add, Get, Replace, and Delete.
|
||||
@ -95,7 +95,7 @@ The default value is Not Configured and its value in the SharedPC provisioning p
|
||||
<a href="" id="accountmodel"></a>**AccountModel**
|
||||
Configures which type of accounts are allowed to use the PC.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
|
||||
|
||||
The supported operations are Add, Get, Replace, and Delete.
|
||||
@ -111,7 +111,7 @@ Its value in the SharedPC provisioning package is 1 or 2.
|
||||
<a href="" id="deletionpolicy"></a>**DeletionPolicy**
|
||||
Configures when accounts are deleted.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
|
||||
|
||||
The supported operations are Add, Get, Replace, and Delete.
|
||||
@ -132,7 +132,7 @@ The default value is Not Configured. Its value in the SharedPC provisioning pack
|
||||
<a href="" id="diskleveldeletion"></a>**DiskLevelDeletion**
|
||||
Sets the percentage of disk space remaining on a PC before cached accounts will be deleted to free disk space. Accounts that have been inactive the longest will be deleted first.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
|
||||
|
||||
The default value is Not Configured. Its default value in the SharedPC provisioning package is 25.
|
||||
@ -144,7 +144,7 @@ The supported operations are Add, Get, Replace, and Delete.
|
||||
<a href="" id="disklevelcaching"></a>**DiskLevelCaching**
|
||||
Sets the percentage of available disk space a PC should have before it stops deleting cached accounts.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
|
||||
|
||||
The default value is Not Configured. The default value in the SharedPC provisioning package is 25.
|
||||
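Review bot: The note body here reads "this value must set before the action", dropping "be", while the same note on the earlier nodes (for example DiskLevelDeletion) reads "must be set". Fix the wording here and in the identical notes in the later hunks of this file so the text matches throughout.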
@ -158,7 +158,7 @@ Added in Windows 10, version 1703. Restricts the user from using local storage.
|
||||
|
||||
The default value is Not Configured and behavior is no such restriction applied. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
|
||||
|
||||
<a href="" id="kioskmodeaumid"></a>**KioskModeAUMID**
|
||||
@ -166,7 +166,7 @@ Added in Windows 10, version 1703. Specifies the AUMID of the app to use with as
|
||||
|
||||
Value type is string. Supported operations are Add, Get, Replace, and Delete.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
|
||||
|
||||
<a href="" id="kioskmodeusertiledisplaytext"></a>**KioskModeUserTileDisplayText**
|
||||
@ -174,7 +174,7 @@ Added in Windows 10, version 1703. Specifies the display text for the account sh
|
||||
|
||||
Value type is string. Supported operations are Add, Get, Replace, and Delete.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
|
||||
|
||||
<a href="" id="inactivethreshold"></a>**InactiveThreshold**
|
||||
@ -187,7 +187,7 @@ The default in the SharedPC provisioning package is 30.
|
||||
<a href="" id="maxpagefilesizemb"></a>**MaxPageFileSizeMB**
|
||||
Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. This node is optional.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
|
||||
|
||||
Default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
|
||||
|
@ -18,7 +18,7 @@ manager: dansimp
|
||||
|
||||
The TenantLockdown configuration service provider is used by the IT admin to lock a device to a tenant, which ensures that the device remains bound to the tenant in case of accidental or intentional resets or wipes.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> The forced network connection is only applicable to devices after reset (not new).
|
||||
|
||||
The following diagram shows the TenantLockdown configuration service provider in tree format.
|
||||
|
@ -16,10 +16,10 @@ manager: dansimp
|
||||
|
||||
The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809).
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> The production UEFI CSP is present in 1809, but it depends upon the Device Firmware Configuration Interface (DFCI) and UEFI firmware to comply with this interface. The specification for this interface and compatible firmware is not yet available.
|
||||
|
||||
The following diagram shows the UEFI CSP in tree format.
|
||||
|
@ -50,7 +50,7 @@ This policy setting allows you to decide how the clipboard behaves while in Appl
|
||||
- 2 - Turns On clipboard operation from the host to an isolated session
|
||||
- 3 - Turns On clipboard operation in both the directions
|
||||
|
||||
> [!Important]
|
||||
> [!IMPORTANT]
|
||||
> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
|
||||
|
||||
<a href="" id="printingsettings"></a>**Settings/PrintingSettings**
|
||||
@ -128,7 +128,7 @@ If you enable this policy, applications inside Windows Defender Application Guar
|
||||
|
||||
If you disable or don't configure this policy, applications inside Windows Defender Application Guard will be unable to access the camera and microphone on the user’s device.
|
||||
|
||||
> [!Important]
|
||||
> [!IMPORTANT]
|
||||
> If you turn on this policy, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed.
|
||||
|
||||
<a href="" id="status"></a>**Status**
|
||||
|
@ -31,7 +31,7 @@ The supported operation is Get.
|
||||
<a href="" id="upgradeeditionwithproductkey"></a>**UpgradeEditionWithProductKey**
|
||||
Enters a product key for an edition upgrade of Windows 10 desktop devices.
|
||||
|
||||
> [!NOTE]
|
||||
> [!NOTE]
|
||||
> This upgrade process requires a system restart.
|
||||
|
||||
|
||||
@ -44,7 +44,7 @@ When a product key is pushed from an MDM server to a user's device, **changepk.e
|
||||
|
||||
After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> [!IMPORTANT]
|
||||
> If another policy requires a system reboot that occurs when **changepk.exe** is running, the edition upgrade will fail.
|
||||
|
||||
|
||||
@ -55,7 +55,7 @@ After the device restarts, the edition upgrade process completes. The user will
|
||||
|
||||
This node can also be used to activate or change a product key on a particular edition of Windows 10 desktop device by entering a product key. Activation or changing a product key does not require a reboot and is a silent process for the user.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> [!IMPORTANT]
|
||||
> The product key entered must be 29 characters (that is, it should include dashes), otherwise the activation, edition upgrade, or product key change on Windows 10 desktop devices will fail. The product key is acquired from Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal.
|
||||
|
||||
|
||||
@ -97,7 +97,7 @@ The supported operation is Get.
|
||||
<a href="" id="upgradeeditionwithlicense"></a>**UpgradeEditionWithLicense**
|
||||
Provides a license for an edition upgrade of Windows 10 mobile devices.
|
||||
|
||||
> [!NOTE]
|
||||
> [!NOTE]
|
||||
> This upgrade process does not require a system restart.
|
||||
|
||||
|
||||
@ -106,7 +106,7 @@ The date type is XML.
|
||||
|
||||
The supported operation is Execute.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> [!IMPORTANT]
|
||||
> The XML license file contents must be properly escaped (that is, it should not simply be a copied XML), otherwise the edition upgrade on Windows 10 mobile devices will fail. For more information on proper escaping of the XML license file, see Section 2.4 of the [W3C XML spec](http://www.w3.org/TR/xml/) . The XML license file is acquired from the Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal.
|
||||
|
||||
|
||||
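Review bot: In the note body, the W3C link uses http:// and is followed by a stray space before the period ("(http://www.w3.org/TR/xml/) ."); switch the link to https and remove the space. The hunk header context also shows "The date type is XML.", which reads like a typo for "data type" and is worth correcting while this section is open.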
@ -216,7 +216,7 @@ Values:
|
||||
</SyncML>
|
||||
```
|
||||
|
||||
> [!NOTE]
|
||||
> [!NOTE]
|
||||
> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key.
|
||||
|
||||
|
||||
@ -297,7 +297,7 @@ Values:
|
||||
</SyncML>
|
||||
```
|
||||
|
||||
> [!NOTE]
|
||||
> [!NOTE]
|
||||
> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key.
|
||||
|
||||
|
||||
|
@ -16,7 +16,7 @@ ms.author: dansimp
|
||||
|
||||
This article describes how to troubleshoot freeze issues on Windows-based computers and servers. It also provides methods for collecting data that will help administrators or software developers diagnose, identify, and fix these issues.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
|
||||
|
||||
## Identify the problem
|
||||
@ -76,14 +76,14 @@ To collect data for a server freeze, check the following table, and use one or m
|
||||
|
||||
### Method 1: Memory dump
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
|
||||
|
||||
A complete memory dump file records all the contents of system memory when the computer stops unexpectedly. A complete memory dump file may contain data from processes that were running when the memory dump file was collected.
|
||||
|
||||
If the computer is no longer frozen and now is running in a good state, use the following steps to enable memory dump so that you can collect memory dump when the freeze issue occurs again. If the virtual machine is still running in a frozen state, use the following steps to enable and collect memory dump.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If you have a restart feature that is enabled on the computer, such as the Automatic System Restart (ASR) feature in Compaq computers, disable it. This setting is usually found in the BIOS. With this feature enabled, if the BIOS doesn't detect a heartbeat from the operating system, it will restart the computer. The restart can interrupt the dump process.
|
||||
|
||||
|
||||
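Review bot: The first alert in this hunk, the caution about modifying the registry and backing it up first, is re-cased to [!NOTE], but the identical text later in this file is marked [!WARNING]. Use [!WARNING] in both places so the registry caution renders with the same severity wherever it appears.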
@ -97,7 +97,7 @@ If the computer is no longer frozen and now is running in a good state, use the
|
||||
|
||||
3. In the **Write Debugging Information** section, select **Complete Memory Dump**.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> For Windows versions that are earlier than Windows 8 or Windows Server 2012, the Complete Memory Dump type isn't available in the GUI. You have to change it in Registry Editor. To do this, change the value of the following **CrashDumpEnabled** registry entry to **1** (REG_DWORD):
|
||||
>**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled**
|
||||
|
||||
@ -131,12 +131,12 @@ If the computer is no longer frozen and now is running in a good state, use the
|
||||
|
||||
To allow the operating system to generate a memory dump file at an NMI interruption, set the value of the [NMICrashDump](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783271(v=ws.10)) registry entry to `1` (REG_DWORD). Then, restart the computer to apply this change.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> This is applicable only for Windows 7, Windows Server 2008 R2, and earlier versions of Windows. For Windows 8 Windows Server 2012, and later versions of Windows, the NMICrashDump registry key is no longer required, and an NMI interruption will result in [a Stop error that follows a memory dump data collection](https://support.microsoft.com/help/2750146).
|
||||
|
||||
4. When the computer exhibits the problem, hold down the right **Ctrl** key, and press the **Scroll Lock** key two times to generate a memory dump file.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> By default, the dump file is located in the following path:<br />
|
||||
> %SystemRoot%\MEMORY.DMP
|
||||
|
||||
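Review bot: The first note body reads "For Windows 8 Windows Server 2012, and later versions", with the comma missing after "Windows 8", and the second note ends its first line with a raw "<br />" before the path. Add the comma, and consider putting %SystemRoot%\MEMORY.DMP in code formatting on the same line instead of relying on the HTML break.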
@ -187,19 +187,19 @@ The Performance Monitor log is located in the path: C:\PERFLOGS
|
||||
|
||||
#### Use memory dump to collect data for the physical computer that's running in a frozen state
|
||||
|
||||
> [!Warning]
|
||||
> [!WARNING]
|
||||
> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
|
||||
|
||||
If the physical computer is still running in a frozen state, follow these steps to enable and collect memory dump:
|
||||
|
||||
|
||||
1. Make sure that the computer is set up to get a complete memory dump file and that you can access it through the network. To do this, follow these steps:
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If it isn't possible to access the affected computer through the network, try to generate a memory dump file through NMI interruption. The result of the action may not collect a memory dump file if some of the following settings aren't qualified.
|
||||
|
||||
1. Try to access the desktop of the computer by any means.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> In case accessing the operating system isn't possible, try to access Registry Editor on the computer remotely in order to check the type of memory dump file and page file with which the computer is currently configured.
|
||||
|
||||
2. From a remote computer that is preferably in the same network and subnet, go to **Registry Editor** \> **Connect Network Registry**. Then, connect to the concerned computer, and verify the following settings:
|
||||
@ -218,7 +218,7 @@ If the physical computer is still running in a frozen state, follow these steps
|
||||
|
||||
If the page file is customized, the size will be reflected in the registry, such as ‘?:\pagefile.sys 1024 1124’ where 1024 is the initial size and 1124 is the max size.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> If the size isn't reflected in the Registry, try to access an Administrative share where the page file is located (such as \\\\**ServerName**\C$).
|
||||
|
||||
3. Make sure that there's a paging file (pagefile.sys) on the system drive of the computer, and it's at least 100 MB over the installed RAM.
|
||||
@ -244,7 +244,7 @@ If the physical computer is still running in a frozen state, follow these steps
|
||||
4. Restart the computer.
|
||||
|
||||
3. When the computer exhibits the problem, hold down the right **CTRL** key, and press the **Scroll Lock** key two times to generate a memory dump.
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> By default, the dump file is located in the path: %SystemRoot%\MEMORY.DMP
|
||||
|
||||
### Use Pool Monitor to collect data for the physical computer that is no longer frozen
|
||||
@ -267,7 +267,7 @@ To debug the virtual machines on Hyper-V, run the following cmdlet in Windows Po
|
||||
Debug-VM -Name "VM Name" -InjectNonMaskableInterrupt -ComputerName Hostname
|
||||
```
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> This method is applicable only to Windows 8, Windows Server 2012, and later versions of Windows virtual machines. For the earlier versions of Windows, see methods 1 through 4 that are described earlier in this section.
|
||||
|
||||
#### VMware
|
||||
|
@ -28,7 +28,7 @@ In Windows 10 Pro, Enterprise, and Education, you can use a Group Policy Object
|
||||
|
||||
This topic describes how to update Group Policy settings to display a customized Start and taskbar layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start and taskbar layout to users in a domain.
|
||||
|
||||
>[!WARNING]
|
||||
>[!WARNING]
|
||||
>When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. When you apply a taskbar layout, users will still be able to pin and unpin apps, and change the order of pinned apps.
|
||||
|
||||
|
||||
@ -49,14 +49,14 @@ Three features enable Start and taskbar layout control:
|
||||
|
||||
- The [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
|
||||
|
||||
>[!NOTE]
|
||||
>[!NOTE]
|
||||
>To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet.
|
||||
|
||||
- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `<CustomTaskbarLayoutCollection>` or create an .xml file just for the taskbar configuration.
|
||||
|
||||
- In Group Policy, you use the **Start Layout** settings for the **Start Menu and Taskbar** administrative template to set a Start and taskbar layout from an .xml file when the policy is applied. The Group Policy object doesn't support an empty tile layout, so the default tile layout for Windows is loaded in that case.
|
||||
|
||||
>[!NOTE]
|
||||
>[!NOTE]
|
||||
>To learn how customize Start to include your line-of-business apps when you deploy Windows 10, see [Customize the Windows 10 Start layout]( https://go.microsoft.com/fwlink/p/?LinkId=620863).
|
||||
|
||||
|
||||
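Review bot: In the second note of this hunk, "To learn how customize Start" is missing "to", and the link target has a leading space inside the parentheses ("]( https://go.microsoft.com/fwlink/p/?LinkId=620863)"), which can keep the link from rendering. Fix both while the alert is being edited.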
@ -79,7 +79,7 @@ For information about deploying GPOs in a domain, see [Working with Group Policy
|
||||
|
||||
You can use the Local Group Policy Editor to provide a customized Start and taskbar layout for any user who signs in on the local computer. To display the customized Start and taskbar layout for any user who signs in, configure **Start Layout** policy settings for the **Start Menu and Taskbar** administrative template. You can use the **Start Menu and Taskbar** administrative template in **User Configuration** or **Computer Configuration**.
|
||||
|
||||
>[!NOTE]
|
||||
>[!NOTE]
|
||||
>This procedure applies the policy settings on the local computer only. For information about deploying the Start and taskbar layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#bkmk-domaingpodeployment).
|
||||
>
|
||||
>This procedure creates a Local Group Policy that applies to all users on the computer. To configure Local Group Policy that applies to a specific user or group on the computer, see [Step-by-Step Guide to Managing Multiple Local Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=620881). The guide was written for Windows Vista and the procedures still apply to Windows 10.
|
||||
|
@ -32,7 +32,7 @@ In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can us
|
||||
|
||||
**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions.
|
||||
|
||||
>[!WARNING]
|
||||
>[!WARNING]
|
||||
>When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
|
||||
|
||||
|
||||
@ -44,7 +44,7 @@ Two features enable Start layout control:
|
||||
|
||||
- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
|
||||
|
||||
>[!NOTE]
|
||||
>[!NOTE]
|
||||
>To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet.
|
||||
|
||||
|
||||
|
@ -39,7 +39,7 @@ Three features enable Start and taskbar layout control:
|
||||
|
||||
- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
|
||||
|
||||
>[!NOTE]
|
||||
>[!NOTE]
|
||||
>To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet.
|
||||
|
||||
- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `<CustomTaskbarLayoutCollection>` or create an .xml file just for the taskbar configuration.
|
||||
|
@ -184,7 +184,7 @@ Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or
|
||||
|
||||
1. On Start , swipe over to the App list, then tap **Settings**  > **Accounts** > **Apps Corner** > launch .
|
||||
|
||||
>[!TIP]
|
||||
>[!TIP]
|
||||
>Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen.
|
||||
|
||||
2. Give the device to someone else, so they can use the device and only the one app you chose.
|
||||
|
Some files were not shown because too many files have changed in this diff