deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into WDAC-Docs

Browse Source
This commit is contained in:
Stacyrch140 2024-03-13 18:04:47 -04:00 committed by GitHub
commit 1ef3155d87
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 103 additions and 167 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
.openpublishing.redirection.windows-configuration.json
View File

@ -167,7 +167,7 @@
}, },
{ {
"source_path": "windows/configuration/stop-employees-from-using-the-windows-store.md", "source_path": "windows/configuration/stop-employees-from-using-the-windows-store.md",
"redirect_url": "/windows/configuration/stop-employees-from-using-microsoft-store", "redirect_url": "/windows/configuration/store",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -392,7 +392,7 @@
}, },
{ {
"source_path": "windows/configuration/manage-tips-and-suggestions.md", "source_path": "windows/configuration/manage-tips-and-suggestions.md",
"redirect_url": "/windows/configuration/tips/manage-tips-and-suggestions", "redirect_url": "/windows/configuration/",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -432,7 +432,12 @@
}, },
{ {
"source_path": "windows/configuration/stop-employees-from-using-microsoft-store.md", "source_path": "windows/configuration/stop-employees-from-using-microsoft-store.md",
"redirect_url": "/windows/configuration/store/stop-employees-from-using-microsoft-store", "redirect_url": "/windows/configuration/store",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/store/stop-employees-from-using-microsoft-store.md",
"redirect_url": "/windows/configuration/store",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -839,6 +844,11 @@
"source_path": "windows/configuration/taskbar/customize-taskbar-windows-11.md", "source_path": "windows/configuration/taskbar/customize-taskbar-windows-11.md",
"redirect_url": "/windows/configuration/taskbar", "redirect_url": "/windows/configuration/taskbar",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "windows/configuration/tips/manage-tips-and-suggestions.md",
"redirect_url": "/windows/configuration",
"redirect_document_id": false
} }
] ]
} }

5
windows/configuration/assigned-access/includes/quickstart-kiosk-ps.md
View File

@ -24,11 +24,6 @@ $assignedAccessConfiguration = @"
</AssignedAccessConfiguration> </AssignedAccessConfiguration>
"@ "@
$eventLogFilterHashTable = @{
ProviderName = "Microsoft-Windows-AssignedAccess";
StartTime = Get-Date -Millisecond 0
}
$namespaceName="root\cimv2\mdm\dmmap" $namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess" $className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className

10
windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md
View File

@ -62,11 +62,6 @@ $assignedAccessConfiguration = @"
</AssignedAccessConfiguration> </AssignedAccessConfiguration>
"@ "@
$eventLogFilterHashTable = @{
ProviderName = "Microsoft-Windows-AssignedAccess";
StartTime = Get-Date -Millisecond 0
}
$namespaceName="root\cimv2\mdm\dmmap" $namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess" $className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
@ -124,11 +119,6 @@ $assignedAccessConfiguration = @"
</AssignedAccessConfiguration> </AssignedAccessConfiguration>
"@ "@
$eventLogFilterHashTable = @{
ProviderName = "Microsoft-Windows-AssignedAccess";
StartTime = Get-Date -Millisecond 0
}
$namespaceName="root\cimv2\mdm\dmmap" $namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess" $className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className

26
windows/configuration/index.yml
View File

@ -32,14 +32,16 @@ landingContent:
- title: Configure a Windows kiosk - title: Configure a Windows kiosk
linkLists: linkLists:
- linkListType: how-to-guide - linkListType: concept
links: links:
- text: Configure kiosks and restricted user experiences
url: assigned-access/index.md
- text: What is Assigned Access? - text: What is Assigned Access?
url: assigned-access/overview.md url: assigned-access/overview.md
- text: What is Shell Launcher? - text: What is Shell Launcher?
url: assigned-access/shell-launcher/index.md url: assigned-access/shell-launcher/index.md
- linkListType: how-to-guide
links:
- text: Configure kiosks and restricted user experiences
url: assigned-access/index.md
- linkListType: quickstart - linkListType: quickstart
links: links:
- text: Configure a kiosk with Assigned Access - text: Configure a kiosk with Assigned Access
@ -48,13 +50,27 @@ landingContent:
url: assigned-access/shell-launcher/quickstart-kiosk.md url: assigned-access/shell-launcher/quickstart-kiosk.md
- text: Configure a restricted user experience with Assigned Access - text: Configure a restricted user experience with Assigned Access
url: assigned-access/quickstart-restricted-user-experience.md url: assigned-access/quickstart-restricted-user-experience.md
- linkListType: reference
links:
- text: Assigned Access XML Schema Definition (XSD)
url: assigned-access/xsd.md
- text: Shell Launcher XML Schema Definition (XSD)
url: assigned-access/shell-launcher/xsd.md
- title: Configure shared devices - title: Configure shared devices
linkLists: linkLists:
- linkListType: concept
links:
- text: Shared devices concepts
url: /windows/configuration/shared-pc/shared-devices-concepts
- linkListType: how-to-guide - linkListType: how-to-guide
links: links:
- text: Manage multi-user and guest devices - text: Configure a shared or guest Windows device
url: shared-devices-concepts.md url: /windows/configuration/shared-pc/set-up-shared-or-guest-pc
- linkListType: reference
links:
- text: Shared PC technical reference
url: /windows/configuration/shared-pc/shared-pc-technical
- title: Use provisioning packages - title: Use provisioning packages
linkLists: linkLists:

BIN
windows/configuration/store/images/store-blocked.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 78 KiB

66
windows/configuration/store/index.md Normal file
View File

@ -0,0 +1,66 @@
---
title: Configure access to the Microsoft Store app
description: Learn how to configure access to the Microsoft Store app.
ms.topic: how-to
ms.date: 03/13/2024
---
# Configure access to the Microsoft Store app
Microsoft Store is a digital distribution platform that provides a way for users to install applications on Windows devices. For some organizations, business policies require blocking access to Microsoft Store.
This article describes how to configure access to the Microsoft Store app in your organization.
## Prevent access to the Microsoft Store app
You can use configuration service provider (CSP) or group policy (GPO) settings to configure access to the Microsoft Store app. The CSP configuration is available to Windows Enterprise and Education editions only.
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)]
| Category | Setting name | Value |
|--|--|--|
| **Administrative Templates > Windows Components > Store** | Turn off the Store application| **Enabled**|
[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
Alternatively, you can configure devices using a [custom policy][INT-1] with the [Policy CSP][CSP-1].
| Setting |
|--|
|- **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/RemoveWindowsStore_2`<br>- **Data type:** string<br>- **Value:** `<enabled/>`|
#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
[!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)]
| Group policy path | Group policy setting | Value |
| - | - | - |
| **Computer Configuration\Administrative Templates\Windows Components\Store** | Turn off the Store application| **Enabled**|
[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)]
---
## User experience
When you turn off the Microsoft Store application, users get the following message when they open it:
:::image type="content" source="images/store-blocked.png" alt-text="Screenshot of the Microsoft Store app blocked access." border="false":::
## Considerations
Here are some considerations when you prevent access to the Microsoft Store app:
- Microsoft Store applications keep updating automatically, by default
- Users might still be able to install applications using Windows Package Manager (winget), or other methods, if they don't need to acquire the package from Microsoft Store
- Devices managed by Microsoft Intune can still install applications sourced from Microsoft Store, even if you block access to the Microsoft Store app. To learn more, see [Add Microsoft Store apps to Microsoft Intune][INT-2]
<!--links-->
[CSP-1]: /windows/client-management/mdm/policy-csp-admx-windowsstore
[INT-1]: /mem/intune/configuration/settings-catalog
[INT-2]: /mem/intune/apps/store-apps-microsoft

107
windows/configuration/store/stop-employees-from-using-microsoft-store.md
View File

@ -1,107 +0,0 @@
---
title: Configure access to Microsoft Store
description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization.
ms.topic: conceptual
ms.date: 11/29/2022
---
# Configure access to Microsoft Store
IT pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store.
> [!IMPORTANT]
> All executable code including Microsoft Store applications should have an update and maintenance plan. Organizations that use Microsoft Store applications should ensure that the applications can be updated through the Microsoft Store over the internet, through the [Private Store](/microsoft-store/distribute-apps-from-your-private-store), or [distributed offline](/microsoft-store/distribute-offline-apps) to keep the applications up to date.
## Options to configure access to Microsoft Store
You can use either AppLocker or Group Policy to configure access to Microsoft Store. For Windows 10, configuring access to Microsoft Store is only supported on Windows 10 Enterprise edition.
## Block Microsoft Store using AppLocker
Applies to: Windows 10 Enterprise, Windows 10 Education
AppLocker provides policy-based access control management for applications. You can block access to Microsoft Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Microsoft Store app as the packaged app that you want to block from client computers.
For more information on AppLocker, see [What is AppLocker?](/windows/device-security/applocker/what-is-applocker) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps).
**To block Microsoft Store using AppLocker:**
1. Enter **`secpol`** in the search bar to find and start AppLocker.
1. In the console tree of the snap-in, select **Application Control Policies**, select **AppLocker**, and then select **Packaged app Rules**.
1. On the **Action** menu, or by right-clicking on **Packaged app Rules**, select **Create New Rule**.
1. On **Before You Begin**, select **Next**.
1. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
1. On **Publisher**, you can select **Use an installed app package as a reference**, and then select **Select**.
1. On **Select applications**, find and select **Store** under **Applications** column, and then select **OK**. Select **Next**.
[Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps) has more information on reference options and setting the scope on packaged app rules.
1. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. Conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**.
## Block Microsoft Store using configuration service provider
Applies to: Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education
If you have Windows 10 devices in your organization that are managed using a mobile device management (MDM) system, such as Microsoft Intune, you can block access to Microsoft Store app using the following configuration service providers (CSPs):
- [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider)
- [AppLocker CSP](/windows/client-management/mdm/applocker-csp)
For more information, see [Configure an MDM provider](/microsoft-store/configure-mdm-provider-microsoft-store-for-business).
For more information on the rules available via AppLocker on the different supported operating systems, see [Operating system requirements](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker#operating-system-requirements).
> [!IMPORTANT]
> If you block access to the Store using CSP, you need to also configure [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate) to enable in-box store apps to update while still blocking access to the store.
## Block Microsoft Store using Group Policy
Applies to: Windows 10 Enterprise, Windows 10 Education
> [!NOTE]
> Not supported on Windows 10 Pro, starting with version 151. For more info, see [Knowledge Base article #3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store).
You can also use Group Policy to manage access to Microsoft Store.
**To block Microsoft Store using Group Policy:**
1. Enter **`gpedit`** in the search bar to find and start Group Policy Editor.
1. In the console tree of the snap-in, select **Computer Configuration**, select **Administrative Templates**, select **Windows Components**, and then select **Store**.
1. In the Setting pane, select **Turn off the Store application**, and then select **Edit policy setting**.
1. On the **Turn off the Store application** setting page, select **Enabled**, and then select **OK**.
> [!IMPORTANT]
> When you enable the policy to **Turn off the Store application**, it turns off app updates from the Microsoft Store. To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**. This policy is found under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store**. This configuration allows in-box store apps to update while still blocking access to the store.
## Show private store only using Group Policy
Applies to Windows 10 Enterprise, Windows 10 Education
If you're using Microsoft Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
**To show private store only in Microsoft Store app:**
1. Enter **`gpedit`** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
1. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then select **Store**.
1. Right-click **Only display the private store within the Microsoft Store app** in the right pane, and select **Edit**.
The **Only display the private store within the Microsoft Store app** policy settings will open.
1. On the **Only display the private store within the Microsoft Store app** setting page, select **Enabled**, and then select **OK**.
## Related articles
[Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store)
[Manage access to private store](/microsoft-store/manage-access-to-private-store)

32
windows/configuration/tips/manage-tips-and-suggestions.md
View File

@ -1,32 +0,0 @@
---
title: Manage Windows 10 and Microsoft Store tips, fun facts, and suggestions
description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees.
ms.topic: how-to
ms.date: 09/20/2017
---
# Manage Windows 10 and Microsoft Store tips, fun fact and suggestions
Windows includes user experience features that provide useful tips, "fun facts", and suggestions as you use Windows, and app suggestions from the Microsoft Store. These features are designed to help people get the most out of their Windows experience by, for example, sharing new features, providing more details on the features they use, or sharing content available in the Microsoft Store. Examples of such user experiences include:
* **Windows Spotlight on the lock screen**: Daily updated images on the lock screen that can include more facts and tips in "hotspots" that are revealed on hover.
* **Start menu app suggestions**: App suggestions in Start that recommend productivity tool or utilities from the Microsoft Store.
* **Additional apps on Start**: More apps preinstalled on the Start screen, which can enhance the user's experience.
* **Windows tips**: Contextual tips that appear based on specific user actions to reveal related Windows features or help users complete a scenario.
* **Microsoft account notifications**: For users who have a connected Microsoft account, toast notifications about their account like parental control notifications or subscription expiration.
>[!TIP]
> On all Windows desktop editions, users can directly enable and disable Windows tips, "fun facts", and suggestions and Microsoft Store suggestions. For example, users are able to select personal photos for the lock screen as opposed to the images provided by Microsoft, or turn off tips, "fun facts", or suggestions as they use Windows.
Windows 10 provides organizations the ability to centrally manage the type of content provided by these features through Group Policy or mobile device management (MDM). The following table describes how administrators can manage suggestions and tips in Windows 10 commercial and education editions.
## Options available to manage Windows 10 tips and "fun facts" and Microsoft Store suggestions
| Windows 10 edition | Disable | Show Microsoft apps only | Show Microsoft and popular third-party apps |
|--|--|--|--|
| Windows 10 Pro | No | Yes | Yes (default) |
| Windows 10 Enterprise | Yes | Yes | Yes (default) |
| Windows 10 Pro Education | Yes (default) | Yes | No (setting can't be changed) |
| Windows 10 Education | Yes (default) | Yes | No (setting can't be changed) |
[Learn more about policy settings for Windows Spotlight.](../lock-screen/windows-spotlight.md)

6
windows/configuration/toc.yml
View File

@ -13,12 +13,10 @@ items:
href: lock-screen/windows-spotlight.md href: lock-screen/windows-spotlight.md
- name: Microsoft Store - name: Microsoft Store
items: items:
- name: Configure access to the Microsoft Store - name: Configure access to Microsoft Store
href: store/stop-employees-from-using-microsoft-store.md href: store/index.md
- name: Find the AUMID of an installed app - name: Find the AUMID of an installed app
href: store/find-aumid.md href: store/find-aumid.md
- name: Manage Microsoft Store tips, "fun facts", and suggestions
href: tips/manage-tips-and-suggestions.md
- name: Cellular settings - name: Cellular settings
href: cellular/provisioning-apn.md href: cellular/provisioning-apn.md
- name: Kiosks and restricted user experiences - name: Kiosks and restricted user experiences

2
windows/security/identity-protection/remote-credential-guard.md
View File

@ -169,7 +169,7 @@ Alternatively, you can configure devices using a [custom policy][INT-3] with the
| Setting | | Setting |
|--| |--|
|- **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/RestrictedRemoteAdministration`<br>- **Data type:** string<br>- **Value:** `<enabled/><data id=\"RestrictedRemoteAdministrationDrop\" value=\"2\"/>`<br><br>Possible values for `RestrictedRemoteAdministrationDrop` are:<br>- `0`: Disabled<br>- `1`: Require Restricted Admin<br>- `2`: Require Remote Credential Guard<br>- `3`: Restrict credential delegation | |- **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/RestrictedRemoteAdministration`<br>- **Data type:** string<br>- **Value:** `<enabled/><data id="RestrictedRemoteAdministrationDrop" value="2"/>`<br><br>Possible values for `RestrictedRemoteAdministrationDrop` are:<br>- `0`: Disabled<br>- `1`: Require Restricted Admin<br>- `2`: Require Remote Credential Guard<br>- `3`: Restrict credential delegation |
#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo) #### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)