deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-29 17:23:44 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merged PR 7496: merging master

Browse Source
This commit is contained in:
Justin Hall
2018-04-25 21:50:52 +00:00
parent 866ad6916e 39c50366f6
commit 1d3792b8bf
11 changed files with 386 additions and 92 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
education/trial-in-a-box/images/Bug.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 294 KiB

297
windows/client-management/mdm/applocker-csp.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 11/09/2017
ms.date: 04/24/2018
---
# AppLocker CSP
@ -430,6 +430,11 @@ The following list shows the apps that may be included in the inbox.
<td>59553c14-5701-49a2-9909-264d034deb3d</td>
<td></td>
</tr>
<tr class="odd">
<td>Broker plug-in (same as Work or school account)</td>
<td></td>
<td>Microsoft.AAD.BrokerPlugin</td>
</tr>
<tr class="even">
<td>Calculator</td>
<td>b58171c6-c70c-4266-a2e8-8f9c994f4456</td>
@ -466,6 +471,21 @@ The following list shows the apps that may be included in the inbox.
<td>Microsoft.Windows.Cortana</td>
</tr>
<tr class="odd">
<td>Cortana Listen UI</td>
<td></td>
<td>CortanaListenUI</td>
</tr>
<tr class="odd">
<td>Credentials Dialog Host</td>
<td></td>
<td>Microsoft.CredDialogHost</td>
</tr>
<tr class="odd">
<td>Device Portal PIN UX</td>
<td></td>
<td>holopairingapp</td>
</tr>
<tr class="odd">
<td>Email and accounts</td>
<td>39cf127b-8c67-c149-539a-c02271d07060</td>
<td>Microsoft.AccountsControl</td>
@ -536,6 +556,11 @@ The following list shows the apps that may be included in the inbox.
<td></td>
</tr>
<tr class="odd">
<td>Holographic Shell</td>
<td></td>
<td>HoloShell</td>
</tr>
<tr class="odd">
<td>Lumia motion data</td>
<td>8fc25fd2-4e2e-4873-be44-20e57f6ec52b</td>
<td></td>
@ -567,6 +592,11 @@ The following list shows the apps that may be included in the inbox.
<td></td>
</tr>
<tr class="odd">
<td>Migration UI</td>
<td></td>
<td>MigrationUIApp</td>
</tr>
<tr class="odd">
<td>MiracastView</td>
<td>906beeda-b7e6-4ddc-ba8d-ad5031223ef9</td>
<td>906beeda-b7e6-4ddc-ba8d-ad5031223ef9</td>
@ -691,6 +721,11 @@ The following list shows the apps that may be included in the inbox.
<td>2a4e62d8-8809-4787-89f8-69d0f01654fb</td>
</tr>
<tr class="odd">
<td>Settings</td>
<td></td>
<td>SystemSettings</td>
</tr>
<tr class="odd">
<td>Setup wizard</td>
<td>07d87655-e4f0-474b-895a-773790ad4a32</td>
<td></td>
@ -701,6 +736,11 @@ The following list shows the apps that may be included in the inbox.
<td></td>
</tr>
<tr class="odd">
<td>Sign-in for Windows 10 Holographic</td>
<td></td>
<td>WebAuthBridgeInternetSso, WebAuthBridgeInternet, WebAuthBridgeIntranetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternet, WebAuthBrokerIntranetSso, SignIn</td>
</tr>
<tr class="odd">
<td>Skype</td>
<td>c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51</td>
<td>Microsoft.SkypeApp</td>
@ -1360,6 +1400,261 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo
</SyncML>
```
## Example for Windows 10 Holographic for Business
The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable to enable a working device, as well as Settings.
``` syntax
<RuleCollection Type="Appx" EnforcementMode="Enabled">
<FilePublisherRule Id="96B82A15-F841-499a-B674-963DC647762F"
Name="Whitelist BackgroundTaskHost"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="*"
BinaryName="BackgroundTaskHost*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="8D345CB2-AC5B-4b6b-8F0B-DCE3F6FB9259"
Name="Whitelist CertInstaller"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="*"
ProductName="4c4ad968-7100-49de-8cd1-402e198d869e"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="9F07FB38-B952-4f3c-A17A-CE7EC8132987"
Name="Whitelist MigrationUI"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="MigrationUIApp"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="1C32E96F-2F44-4317-9D98-2F624147D7AE"
Name="Whitelist CredDiagHost"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="Microsoft.CredDialogHost"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="53DCC751-E92A-4d0a-84DF-E6EAC2A7C7CE"
Name="Whitelist Settings"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="SystemSettings"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="70D9E233-81F4-4707-B79D-58F9C3A6BFB1"
Name="Whitelist HoloShell"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="HoloShell"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="6557A9BC-BA1F-4b7d-90FD-8C620CA81906"
Name="Whitelist MSA"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="Microsoft.Windows.CloudExperienceHost"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="81CD98A6-82EC-443f-87F8-039B00DFBE78"
Name="Whitelist BrokerPlugin"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="Microsoft.AAD.BrokerPlugin"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="1330E03E-7D43-4e01-9853-40ED8CF62D10"
Name="Whitelist SignIn1"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="WebAuthBridgeInternetSso"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="107EC30A-2CEF-4ec1-B556-F7DAA7DF7998"
Name="Whitelist SignIn2"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="WebAuthBridgeInternet"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="F806AC17-3E31-4a83-92EB-6A34696478D1"
Name="Whitelist SignIn3"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="WebAuthBridgeIntranetSso"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="E8CAF694-2256-4516-BDCC-CDABF218573C"
Name="Whitelist SignIn4"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="WebAuthBrokerInternetSso"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="5918428D-B9A8-4810-8FB4-25AE5A25D5A7"
Name="Whitelist SignIn5"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="WebAuthBrokerInternet"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="C90D99E3-C3EE-47c5-B181-7E8C54FA66B3"
Name="Whitelist SignIn6"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="WebAuthBrokerIntranetSso"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="9CD87A91-FB48-480d-B788-3770A950CD03"
Name="Whitelist SignIn7"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="SignIn"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="DCF74448-C287-4195-9072-8F3649AB9305"
Name="Whitelist Cortana"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="Microsoft.Windows.Cortana"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="BE4FD0C4-527B-45a3-A5B8-F4EA00584779"
Name="Whitelist Cortana ListenUI"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="CortanaListenUI"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="336509A7-FFBA-48cb-81BD-8DF9060B3CF8"
Name="Whitelist Email and accounts"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="Microsoft.AccountsControl"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="55912F15-0B94-445b-80E1-83BC8F0E8999"
Name="Whitelist Device Portal PIN UX"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="holopairingapp"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
```
## Recommended deny list for Windows Information Protection
The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.

64
windows/client-management/mdm/assignedaccess-csp.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/20/2018
ms.date: 04/25/2018
---
# AssignedAccess CSP
@ -20,7 +20,7 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u
In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).
> [!Note]
> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S.
> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition.
The following diagram shows the AssignedAccess configuration service provider in tree format
@ -1137,4 +1137,64 @@ ShellLauncherConfiguration Get
</xs:complexType>
</xs:element>
</xs:schema>
```
## Windows Holographic for Business edition example
This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](https://docs.microsoft.com/en-us/hololens/hololens-provisioning).
``` syntax
<?xml version="1.0" encoding="utf-8" ?>
<!--
This is a sample Assigned Access XML file. The Profile specifies which apps are allowed
and their app IDs. An Assigned Access Config specifies the accounts or groups to which
a Profile is applicable.
!!! NOTE: Change the Account below to a user in the tenant being tested !!!
-->
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<!-- Learning app -->
<App AppUserModelId="GGVLearning_cw5n1h2txyewy!GGVLearning" />
<!-- Calibration app -->
<App AppUserModelId="ViewCalibrationApp_cw5n1h2txyewy!ViewCalibrationApp" />
<!-- Feedback Hub -->
<App AppUserModelId="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe!App" />
<!-- HoloSkype -->
<App AppUserModelId="Microsoft.SkypeApp_kzf8qxf38zg5c!App" />
</AllowedApps>
</AllAppsList>
<!-- This section is required for parity with Desktop Assigned Access. It is not currently used on HoloLens -->
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Life at a glance">
<start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.SkypeApp_kzf8qxf38zg5c!App" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]>
</StartLayout>
<!-- This section is required for parity with Desktop Assigned Access. It is not currently used on HoloLens -->
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<!-- IMPORTANT: Replace the account name here with an email address of the user you want to
be enabled for assigned access. The value in the Account node must begin with
AzureAD\ for AAD accounts. -->
<Config>
<Account>AzureAD\multiusertest@analogfre.onmicrosoft.com</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```

14
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 04/20/2018
ms.date: 04/24/2018
---
# Configuration service provider reference
@ -2585,9 +2585,9 @@ The following list shows the configuration service providers supported in Window
| Configuration service provider | Windows Holographic edition | Windows Holographic for Business edition |
|--------|--------|------------|
| [AccountManagement CSP](accountmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)3 |
| [Application CSP](application-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [AccountManagement CSP](accountmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4 |
| [AppLocker CSP](applocker-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [AssignedAccess CSP](assignedaccess-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4 |
| [CertificateStore CSP](certificatestore-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)|
| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [DevDetail CSP](devdetail-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
@ -2606,9 +2606,11 @@ The following list shows the configuration service providers supported in Window
| [WiFi CSP](wifi-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [WindowsLicensing CSP](windowslicensing-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
Footnotes:
- 2 - Added in Windows 10, version 1703
- 3 - Added in Windows 10, version 1803
 Footnotes:
- 1 - Added in Windows 10, version 1607
- 2 - Added in Windows 10, version 1703
- 3 - Added in Windows 10, version 1709
- 4 - Added in Windows 10, version 1803
## <a href="" id="surfacehubcspsupport"></a>CSPs supported in Microsoft Surface Hub

8
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 04/11/2018
ms.date: 04/25/2018
---
# What's new in MDM enrollment and management
@ -1185,7 +1185,6 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts</li>
@ -1310,7 +1309,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>ShellLauncher</li>
<li>StatusConfiguration</li>
</ul>
<p>Updated the AssigneAccessConfiguration schema.</p>
<p>Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in Windows Holographic for Business edition. Added example for Windows Holographic for Business edition.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[MultiSIM CSP](multisim-csp.md)</td>
@ -1808,7 +1807,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>ShellLauncher</li>
<li>StatusConfiguration</li>
</ul>
<p>Updated the AssigneAccessConfiguration schema.</p>
<p>Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in Windows Holographic for Business edition. Added example for Windows Holographic for Business edition.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[MultiSIM CSP](multisim-csp.md)</td>
@ -1870,7 +1869,6 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts</li>

4
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -2054,9 +2054,6 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers" id="localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession" id="localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways" id="localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</a>
</dd>
@ -4388,7 +4385,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees)
- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts)

60
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -90,9 +90,6 @@ ms.date: 04/06/2018
<dd>
<a href="#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</a>
</dd>
@ -1612,63 +1609,6 @@ GP Info:
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Microsoft network server: Amount of idle time required before suspending a session
This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.
Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.
For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.
Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Microsoft network server: Amount of idle time required before suspending session*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways**

2
windows/configuration/provisioning-packages/provisioning-how-it-works.md
View File

@ -53,7 +53,7 @@ When multiple provisioning packages are available for device provisioning, the c
The valid value range of package rank level is 0 to 99.
When setting conflicts are encountered, the final values provisioned on the device are determined by the owner type precedence and the rank level of the packages containing the settings. For example, the value of a setting in a package with owner **System Integrator** and rank level **3** takes precedence over the same setting in a package with owner **OEM** and rank level **4**. This is because the System Integrator owner type has the higher precedence over the OEM owner type. For packages with the same owner type, the package rank level determines the package from which the setting values get provisioned on the device.
When setting conflicts are encountered, the final values provisioned on the device are determined by the owner type precedence and the rank level of the packages containing the settings. For packages with the same owner type, the package rank level determines the package from which the setting values get provisioned on the device.
## Windows provisioning XML

6
windows/deployment/change-history-for-deploy-windows-10.md
View File

@ -12,6 +12,12 @@ ms.date: 11/08/2017
# Change history for Deploy Windows 10
This topic lists new and updated topics in the [Deploy Windows 10](https://docs.microsoft.com/en-us/windows/deployment) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10).
## April 2018
New or changed topic | Description
--- | ---
[Install VAMT](volume-activation/install-vamt.md) | Updated the instructions and link for SQL Server Express.
## November 2017
New or changed topic | Description

19
windows/deployment/volume-activation/install-vamt.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: activation
author: jdeckerms
ms.localizationpriority: high
ms.date: 07/27/2017
ms.date: 04/25/2018
---
# Install VAMT
@ -19,23 +19,20 @@ This topic describes how to install the Volume Activation Management Tool (VAMT)
You can install VAMT as part of the [Windows Assessment and Deployment Kit (ADK)](https://go.microsoft.com/fwlink/p/?LinkId=526740) for Windows 10.
**Important**  
VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator. 
>[!IMPORTANT]  
>VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator. 
**Note**  
The VAMT Microsoft Management Console snap-in ships as an x86 package.
>[!NOTE]  
>The VAMT Microsoft Management Console snap-in ships as an x86 package.
After you install VAMT, if you have a computer information list (CIL) that was created in a previous version of VAMT, you must import the list into a SQL database. If you do not have SQL installed, you can download a free copy of Microsoft SQL Server Express and create a new database into which you can import the CIL. To install SQL Server Express:
To install SQL Server Express:
1. Install the Windows ADK.
2. Ensure that **Volume Activation Management Tool** and **Microsoft® SQL Server® 2012 Express** are selected to be installed.
2. Ensure that **Volume Activation Management Tool** is selected to be installed.
3. Click **Install**.
## Select a Database
**Using a SQL database installed during ADK setup**
If SQL Server 2012 Express was installed during ADK setup, the default database name will be **ADK**.By default, VAMT is configure to use a SQL database that is installed on the local machine during ADK setup and displays the server name as **.\\ADK**. If the SQL database was installed on another machine, you must configure the database to allow remote connections and you must provide the corresponding server name. If a new VAMT database needs to be created, provide a name for the new database.
**Using a SQL database installed outside of ADK setup**
VAMT requires a SQL database. After you install VAMT, if you have a computer information list (CIL) that was created in a previous version of VAMT, you must import the list into a SQL database. If you do not have SQL installed, you can [download a free copy of Microsoft SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) and create a new database into which you can import the CIL.
You must configure SQL installation to allow remote connections and you must provide the corresponding server name in the format: *Machine Name\\SQL Server Name*. If a new VAMT database needs to be created, provide a name for the new database.

4
windows/security/index.yml
View File

@ -154,7 +154,7 @@ sections:
title: Windows Hello for Business
- href: \windows\security\threat-protection\windows-defender-application-control
- href: \windows\security\threat-protection\windows-defender-application-control\windows-defender-application-control
html: <p>Lock down applications that run on a device</p>
@ -251,7 +251,7 @@ sections:
- html: <a href="/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security">Windows Defender Firewall</a>
- html: <a href="/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard">Windows Defender Exploit Guard</a>
- html: <a href="/windows/security/identity-protection/credential-guard/credential-guard">Windows Defender Credential Guard</a>
- html: <a href="/windows/security/threat-protection/device-guard/device-guard-deployment-guide">Windows Defender Device Guard</a>
- html: <a href="/windows/security/threat-protection/windows-defender-device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control">Windows Defender Device Guard</a>
- html: <a href="/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview">Windows Defender Application Guard</a>
- html: <a href="/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview">Windows Defender SmartScreen</a>
- html: <a href="/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center">Windows Defender Security Center</a>