Merge remote-tracking branch 'origin/master' into atp-email-notifications

Joey Caparas 2018-05-08 12:49:19 -07:00
commit 21aaaa87e9
45 changed files with 848 additions and 142 deletions

@ -5178,8 +5178,18 @@
{
"source_path": "education/windows/windows-10-pro-to-pro-edu-upgrade.md",
"redirect_url": "/education/windows/switch-to-pro-education",
"redirect_document_id": false
},
{
"source_path": "education/windows/switch-to-pro-education.md",
"redirect_url": "/education/windows/s-mode-switch-to-edu",
"redirect_document_id": true
},
{
"source_path": "education/windows/swithc-to-pro-de.md",
"redirect_url": "/education/windows/switch-to-pro-education",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/policy-admx-backed.md",
"redirect_url": "/windows/client-management/mdm/policy-configuration-service-provider",
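Review bot: The redirect entries in this hunk form a chain, and one source path looks misspelled. `education/windows/windows-10-pro-to-pro-edu-upgrade.md` and `education/windows/swithc-to-pro-de.md` both redirect to `/education/windows/switch-to-pro-education`, while the entry between them redirects `switch-to-pro-education.md` on to `/education/windows/s-mode-switch-to-edu`, so readers take two hops. Point both at the final URL, and confirm that `swithc-to-pro-de.md` matches a file name that actually existed, since a redirect keyed on a name that never existed does nothing.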
@ -13609,9 +13619,5 @@
"source_path": "windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection",
"redirect_document_id": true
},
]
}]
}
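Review bot: The closing lines of the redirection list are rewritten here, and the visible tail shows `},` directly followed by a closing bracket. A trailing comma after the last entry is invalid in strict JSON; confirm the merged file closes the array without one and run it through a JSON parser before this lands.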

@ -9,27 +9,47 @@ ms.mktglfcycl: explore
ms.sitesec: library
title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros)
ms.localizationpriority: high
ms.date: 4/30/2018 #Previsou release date 09/13/2017
ms.date: 4/30/2018
---
# Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge
> Applies to: Windows 10, Windows 10 Mobile
> Applies to: Windows 10, Windows 10 Mobile
Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences.
By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that is linked to a domain, and then apply all of those settings to every computer in the domain.
> [!NOTE]
> For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924).
> For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924).
Microsoft Edge works with the following Group Policy settings to help you manage your company's web browser configurations. The Group Policy settings are found in the Group Policy Editor in the following location:
Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\
## Allow a shared books folder
>*Supported versions: Windows 10, version 1803*<br>
>*Default setting: None*
You can configure Microsoft Edge to use a shared folder to store books from the Books Library.
If enabled, a shared books folder is allowed.
If disabled, a shared books folder not allowed.
**MDM settings in Microsoft Intune**
| | |
|---|---|
|MDM name |Browser/[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) |
|Supported devices |Desktop |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks |
|Data type |Integer |
|Allowed values |<ul><li>**0** - No folder shared.</li><li>**1** - Use a shared folder.</li></ul> |
## Allow Address bar drop-down list suggestions
>*Supporteded versions: Windows 10, version 1703 or later*
>*Supported versions: Windows 10, version 1703 or later*
The Address bar drop-down list, when enabled, allows the Address bar drop-down functionality in Microsoft Edge. By default, this policy is enabled. If disabled, you do not see the address bar drop-down functionality and disables the user-defined policy "Show search and site suggestions as I type." Therefore, because search suggestions are shown in the drop-down, this policy takes precedence over the [Configure search suggestions in Address bar](https://review.docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies?branch=pashort_edge-backlog_vsts15846461#configure-search-suggestions-in-address-bar) or [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) policy.
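Review bot: In the new 'Allow a shared books folder' section, the header says `Default setting: None` but the Allowed values row marks neither **0** nor **1** as default, unlike the other tables on this page, so an administrator cannot tell what an unconfigured device does. State which value applies when the policy is not configured. 'If disabled, a shared books folder not allowed.' is also missing 'is', and the Address bar paragraph still links to a `review.docs.microsoft.com` URL with a `?branch=` query, which should point at the published page.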
@ -46,7 +66,7 @@ If you want to minimize network connections from Microsoft Edge to Microsoft ser
## Allow Adobe Flash
>*Supporteded version: Windows 10*
>*Supported version: Windows 10*
Adobe Flash is integrated with Microsoft Edge and is updated via Windows Update. By default, this policy is enabled or not configured allowing you to use Adobe Flash Player in Microsoft Edge.
@ -60,9 +80,9 @@ Adobe Flash is integrated with Microsoft Edge and is updated via Windows Update.
|Allowed values |<ul><li>**0** - Adobe Flash cannot be used Microsoft Edge.</li><li>**1 (default)** - Adobe Flash can be used in Microsoft Edge. </li></ul> |
## Allow clearing browsing data on exit
>*Supporteded versions: Windows 10, version 1703*
>*Supported versions: Windows 10, version 1703*
Your browsing data is the information that Microsoft Edge remembers and stores as you browse websites. Browsing data includes information you entered into forms, passwords, and the websites you visited. By default, this policy is disabled or not configured, the browsing data is not cleared when exiting. When this policy is disabled or not configured, you can turn on and configure the Clear browsing data option under Settings.
Your browsing data is the information that Microsoft Edge remembers and stores as you browse websites. Browsing data includes information you entered forms, passwords, and the websites you visited. By default, this policy is disabled or not configured, the browsing data is not cleared when exiting. When this policy is disabled or not configured, you can turn on and configure the Clear browsing data option under Settings.
**Microsoft Intune to manage your MDM settings**
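Review bot: The rewritten first paragraph under 'Allow clearing browsing data on exit' drops a word: 'information you entered into forms' becomes 'information you entered forms'. Restore 'into'. The sentence 'By default, this policy is disabled or not configured, the browsing data is not cleared when exiting' is a comma splice in both versions; 'so the browsing data is not cleared on exit' would fix it.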
@ -75,10 +95,27 @@ Your browsing data is the information that Microsoft Edge remembers and stores a
|Allowed values |<ul><li>**0 (default)** - Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings.</li><li>**1** - Browsing data is cleared on exit.</li></ul> |
## Allow configuration updates for the Books Library
>*Supported versions: Windows 10, version 1803*<br>
>*Default setting: Enabled or not configured*
Microsoft Edge automatically retrieves the configuration data for the Books Library, when this policy is enabled or
not configured. If disabled, Microsoft Edge does not retrieve the Books configuration data.
**MDM settings in Microsoft Intune**
| | |
|---|---|
|MDM name |Browser/[AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) |
|Supported devices |Desktop |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary |
|Data type |Integer |
|Allowed values |<ul><li>**0** - Disable. Microsoft Edge cannot retrieve a configuration.</li><li>**1 (default)** - Enable (default). Microsoft Edge can retrieve a configuration for Books Library.</li></ul> |
## Allow Cortana
>*Supported versions: Windows 10, version 1607 or later*
Cortana is integrated with Microsoft Edge, and when enabled, Cortana allows you use the voice assistant on your device. If disabled, Cortana is not available for use, but you can search to find items on your device.
Cortana is integrated with Microsoft Edge, and when enabled, Cortana allows you to use the voice assistant on your device. If disabled, Cortana is not available for use, but you can search to find items on your device.
**Microsoft Intune to manage your MDM settings**
| | |
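Review bot: The Allowed values row for AllowConfigurationUpdateForBooksLibrary states the default twice, '**1 (default)** - Enable (default).'; drop the second '(default)'. The description paragraph is hard-wrapped after 'enabled or', which the other sections do not do, and the heading above the new table reads 'MDM settings in Microsoft Intune' while neighbouring sections use 'Microsoft Intune to manage your MDM settings'; pick one.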
@ -91,9 +128,9 @@ Cortana is integrated with Microsoft Edge, and when enabled, Cortana allows you
|Allowed values |<ul><li>**0** - Not allowed.</li><li>**1 (default)** - Allowed.</li></ul> |
## Allow Developer Tools
>*Supporteded versions: Windows 10, version 1511 or later*
>*Supported versions: Windows 10, version 1511 or later*
F12 developer tools is a suite of tools to help you build and debug your webpage. By default, this policy is enabled making the F12 Developer Tools availabe to use.
F12 developer tools is a suite of tools to help you build and debug your webpage. By default, this policy is enabled making the F12 Developer Tools available to use.
**Microsoft Intune to manage your MDM settings**
| | |
@ -104,9 +141,26 @@ F12 developer tools is a suite of tools to help you build and debug your webpage
|Data type | Integer |
|Allowed values |<ul><li>**0** - The F12 Developer Tools are disabled.</li><li>**1 (default)** - The F12 Developer Tools are enabled.</li></ul> |
## Allow extended telemetry for the Books tab
>*Supported versions: Windows 10, version 1803*<br>
>*Default setting: Disabled or not configured*
If you enable this policy, both basic and additional diagnostic data is sent to Microsoft about the books you are
reading from Books in Microsoft Edge. By default, this policy is disabled or not configured and only basic
diagnostic data, depending on your device configuration, is sent to Microsoft.
**MDM settings in Microsoft Intune**
| | |
|---|---|
|MDM name |Browser/[EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) |
|Supported devices |Desktop |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry |
|Data type |Integer |
|Allowed values |<ul><li>**0 (default)** - Disable. No additional diagnostic data.</li><li>**1** - Enable. Additional diagnostic data for schools.</li></ul> |
## Allow Extensions
>*Supporteded versions: Windows 10, version 1607 or later*
>*Supported versions: Windows 10, version 1607 or later*
If you enable this policy, you can personalize and add new features to Microsoft Edge with extensions. By default, this policy is enabled. If you want to prevent others from installing unwanted extensions, disable this policy.
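Review bot: The new EnableExtendedBooksTelemetry section is inconsistent about scope: the description says additional diagnostic data 'is sent to Microsoft about the books you are reading', but value **1** is described as 'Additional diagnostic data for schools.' Since this setting increases what leaves the device, say what the additional data contains or link to the diagnostic data documentation, and either explain the schools scenario in the description or remove it from the table. 'both basic and additional diagnostic data is sent' should be 'are sent'.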
@ -120,7 +174,7 @@ If you enable this policy, you can personalize and add new features to Microsoft
|Allowed values |<ul><li>**0** - Microsoft Edge extensions are disabled.</li><li>**1 (default)** - Microsoft Edge Extensions are enabled. </li></ul> |
## Allow InPrivate browsing
>*Supporteded versions: Windows 10, version 1511 or later*
>*Supported versions: Windows 10, version 1511 or later*
InPrivate browsing, when enabled, prevents your browsing data is not saved on your device. Microsoft Edge deletes temporary data from your device after all your InPrivate tabs are closed.
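Review bot: The heading fix leaves the sentence under 'Allow InPrivate browsing' untouched, and it still reads 'prevents your browsing data is not saved on your device', which can be read either way. Since this describes a privacy behaviour, fix it in the same change, for example 'When enabled, InPrivate browsing does not save your browsing data on your device.'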
@ -134,7 +188,7 @@ InPrivate browsing, when enabled, prevents your browsing data is not saved on yo
|Allowed values |<ul><li>**0** - InPrivate browsing is disabled.</li><li>**1 (default)** - InPrivate browsing is enabled.</li></ul> |
## Allow Microsoft Compatibility List
>*Supporteded versions: Windows 10, version 1703 or later*
>*Supported versions: Windows 10, version 1703 or later*
Microsoft Edge uses the compatibility list that helps websites with known compatibility issues display properly. When enabled, Microsoft Edge checks the list to determine if the website has compatibility issues during browser navigation. By default, this policy is enabled allowing periodic downloads and installation of updates. Visiting any site on the Microsoft compatibility list prompts the employee to use Internet Explorer 11, where the site renders as though it is in whatever version of IE is necessary for it to appear properly. If disabled, the compatibility list is not used.
@ -151,7 +205,7 @@ Microsoft Edge uses the compatibility list that helps websites with known compat
## Allow search engine customization
>*Supported versions: Windows 10, version 1703 or later*
This policy setting allows search engine customization for domain-joined or MDM-enrolled devices only. For example, you can change the default search engine or add a new search engine. By default, this setting is enabled allowing you to add new search engines and change the default under Settings. If disabled, you cannot add search enginess or change the default.
This policy setting allows search engine customization for domain-joined or MDM-enrolled devices only. For example, you can change the default search engine or add a new search engine. By default, this setting is enabled allowing you to add new search engines and change the default under Settings. If disabled, you cannot add search engines or change the default.
For more information, see [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy).
@ -162,16 +216,22 @@ For more information, see [Microsoft browser extension policy](https://docs.micr
|Supported devices |Desktop<br>Mobile |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization |
|Data type | Integer |
|Allowed values |<ul><li>**0** - Additional search engines are not allowed and the default cannot be changed in the Address bar.</li><li>**1 (default)** - Additional search engines are allowed and the default can be changed in the Address bar.</li></ul> |
|Allowed values |<ul><li>**0** - Additional search engines are not allowed, and the default cannot be changed in the Address bar.</li><li>**1 (default)** - Additional search engines are allowed, and the default can be changed in the Address bar.</li></ul> |
## Allow web content on New Tab page
>*Supported versions: Windows 10*
This policy setting lets you configure what appears when a New Tab page is opened in Microsoft Edge. By default, this setting is disabled or not configured, which means you cannot customize their New Tab page. If enabled, you can customize their New Tab page.
This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page.
If you enable this setting, Microsoft Edge opens a new tab with the New Tab page.
If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it.
If you don't configure this setting, employees can choose how new tabs appears.
## Always Enable book library
>*Supporteded versions: Windows 10, version 1709 or later*
>*Supported versions: Windows 10, version 1709 or later*
This policy settings specifies whether to always show the Books Library in Microsoft Edge. By default, this setting is disabled, which means the library is only visible in countries or regions where available. if enabled, the Books Library is always shown regardless of countries or region of activation.
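Review bot: The rewritten 'Allow web content on New Tab page' text is ambiguous about enforcement. 'If you use this setting, employees can't change it' follows the disable case only, so it is unclear whether the enabled state is also locked, and 'By default, Microsoft Edge opens the New Tab page' does not say whether that is the not-configured state in which 'employees can choose'. Spell out the three states separately and change 'how new tabs appears' to 'appear'. The section also has no MDM table, unlike its neighbours. In the following section, 'This policy settings specifies' and the lowercase 'if enabled' are still uncorrected.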
@ -189,7 +249,7 @@ This policy settings specifies whether to always show the Books Library in Micro
This policy setting, when enabled, lets you add up to five additional search engines. Employees cannot remove these search engines, but they can set any one as the default. By default, this setting is not configured and does not allow additional search engines to be added. If disabled, the search engines added are deleted.
For each additional search engine you add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/).
For each additional search engine, you add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/).
This setting does not set the default search engine. For that, you must use the "Set default search engine" setting.
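Review bot: The edited sentence adds a comma that breaks it: 'For each additional search engine, you add, specify a link' should stay 'For each additional search engine you add, specify a link'. Revert that line.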
@ -233,7 +293,7 @@ This policy setting specifies whether cookies are allowed. By default, this sett
## Configure Do Not Track
>*Supported versions: Windows 10*
This policy setting specifies whether Do Not Track requests to websites is allowed. By default, this setting is not configured allowing you to choose whether or not to send tracking information. If enabled, Do Not Track requests are always sent to websites asking for tracking information. If disabled, Do Not Track requests are never sent.
This policy setting specifies whether Do Not Track requests to websites is allowed. By default, this setting is not configured allowing you to choose if to send tracking information. If enabled, Do Not Track requests are always sent to websites asking for tracking information. If disabled, Do Not Track requests are never sent.
**Microsoft Intune to manage your MDM settings**
| | |
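Review bot: 'allowing you to choose if to send tracking information' is not grammatical; the previous 'whether or not to send' was correct, or use 'whether to send'. The opening 'whether Do Not Track requests to websites is allowed' should also be 'are allowed'.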
@ -246,35 +306,18 @@ This policy setting specifies whether Do Not Track requests to websites is allow
## Configure Favorites
>*Supported versions: Windows 10, version 1709*
>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their favorites by adding or removing items at any time.
This policy setting allows you to configure a default list of Favorites that appear for your employee, which they cannot modify, sort, move, export or delete. By default, this setting is disabled or not configured allowing you to customize the Favorites list, such as adding folders to organize their favorites. If enabled, you are not allowed to add, import, or change anything in the Favorites list. As part of this, the Save a Favorite, Import settings, and context menu items (such as Create a new folder) are turned off.
If you enable this setting, you can configure what default Favorites appear for your employees. If this setting is enabled, you must also provide a list of Favorites in the Options section. This list is imported after your policy is deployed.
Specify the URL which points to the file that has all the data for provisioning favorites (in html format).
URL can be specified as:
- HTTP location: "SiteList"="http://localhost:8080/URLs.html"
- Local network: "SiteList"="\network\shares\URLs.html"
- Local file: "SiteList"="file:///c:\Users\\Documents\URLs.html"
You can export a set of favorites from Edge and use that html file for provisioning user machines.
>[!Important]
>Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops you from syncing their favorites between Internet Explorer and Microsoft Edge.
**Microsoft Intune to manage your MDM settings**
| | |
|---|---|
|MDM name |[ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) |
|Supported devices |Desktop<br>Mobile |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites |
|Data type | String |
If you disable or don't configure this setting, employees will see the Favorites that they set in the Favorites hub.
## Configure Password Manager
>*Supported versions: Windows 10*
This policy setting specifies whether saving and managing passwords locally on the device is allowed. By default, this setting is enabled allowing you to save their passwords locally. If not configured, you can choose whether or not to save and manage passwords locally. If disabled, saving and managing passwords locally is turned off.
This policy setting specifies whether saving and managing passwords locally on the device is allowed. By default, this setting is enabled allowing you to save their passwords locally. If not configured, you can choose if to save and manage passwords locally. If disabled, saving and managing passwords locally is turned off.
**Microsoft Intune to manage your MDM settings**
| | |
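Review bot: The rewritten 'Configure Favorites' text tells administrators 'you must also provide a list of Favorites in the Options section' but, with the ProvisionFavorites table and the URL examples no longer in this section, does not say what format the list takes or which MDM policy maps to it. Add that, or link to the section that now carries it. The supported-versions line also changes from 1709 to 'version 1511 or later' without explanation, and under 'Configure Password Manager' the new 'you can choose if to save and manage passwords locally' should read 'whether to save'.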
@ -330,7 +373,7 @@ This policy setting specifies your Start pages for domain-joined or MDM-enrolled
## Configure the Adobe Flash Click-to-Run setting
>*Supported versions: Windows 10, version 1703 or later*
This policy setting specifies whether you must take action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. By default, this setting is enabled. when the setting is enabled, you must click the content, Click-to-Run button, or have the site appear on an auto-allow list before before the Adobe Flash content loads. If disabled, Adobe Flash loads and runs automatically.
This policy setting specifies whether you must take action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. By default, this setting is enabled. When the setting is enabled, you must click the content, Click-to-Run button, or have the site appear on an auto-allow list before the Adobe Flash content loads. If disabled, Adobe Flash loads and runs automatically.
**Microsoft Intune to manage your MDM settings**
| | |
@ -362,7 +405,7 @@ This policy setting lets you configure whether to use Enterprise Mode and the En
## Configure Windows Defender SmartScreen
>*Supported versions: Windows 10*
This policy setting specifies whether Windows Defender SmartScreen is allowed. By default, this setting is enabled or turned on and you cannot turn it off. If disabled, Windows Defender SmartScreen is turned off and you cannot turn it on. If not configured, you can choose whether to use Windows Defender SmartScreen.
This policy setting specifies whether Windows Defender SmartScreen is allowed. By default, this setting is enabled or turned on, and you cannot turn it off. If disabled, Windows Defender SmartScreen is turned off, and you cannot turn it on. If not configured, you can choose whether to use Windows Defender SmartScreen.
**Microsoft Intune to manage your MDM settings**
| | |
@ -391,7 +434,7 @@ This policy setting specifies whether the lockdown on the Start pages is disable
## Do not sync
>*Supported versions: Windows 10*
This policy setting specifies whether you can use the Sync your Settings option to sync their settings to and from their device. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting you pick what can sync on their device. If enabled, the Sync your Settings options are turned off and none of the Sync your Setting groups are synced on the device. You can use the Allow users to turn syncing on option to turn the feature off by default, but to let the employee change this setting. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices).
This policy setting specifies whether you can use the Sync your Settings option to sync their settings to and from their device. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting you pick what can sync on their device. If enabled, the Sync your Settings options are turned off and none of the Sync your Setting groups are synced on the device. You can use the Allow users to turn syncing on the option to turn the feature off by default, but to let the employee change this setting. For information about what settings are synced, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices).
**Microsoft Intune to manage your MDM settings**
| | |
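Review bot: The edit inserts 'the' into the middle of an option name: 'You can use the Allow users to turn syncing on the option' should be 'You can use the Allow users to turn syncing on option'. Setting the option name in bold or quotes would prevent this misreading. The paragraph also mixes 'you' and 'their' ('sync their settings to and from their device'); pick one subject.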
@ -495,6 +538,7 @@ This policy setting specifies whether Microsoft can collect information to creat
|Data type | Integer |
|Allowed values |<ul><li>**0 (default)** - Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge.</li><li>**1** - Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge.</li></ul> |
## Prevent the First Run webpage from opening on Microsoft Edge
>*Supported versions: Windows 10, version 1703 or later*
@ -513,7 +557,7 @@ This policy setting specifies whether to enable or disable the First Run webpage
>*Supported versions: Windows 10, version 1511 or later*
This policy setting specifies whether localhost IP address are visible or hiddle while making phone calls to the WebRTC protocol. By default, this setting is disabled or not configured (turned off), which means the localhost IP address are visible. If enabled (turned on), localhost IP addresses are hidden.
This policy setting specifies whether localhost IP address is visible or hidden while making phone calls to the WebRTC protocol. By default, this setting is disabled or not configured (turned off), which means the localhost IP address is visible. If enabled (turned on), localhost IP addresses are hidden.
**Microsoft Intune to manage your MDM settings**
| | |
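Review bot: The corrected sentence still mixes number and keeps an odd phrase: 'localhost IP address is visible' is followed by 'localhost IP addresses are hidden', and 'making phone calls to the WebRTC protocol' should be something like 'making calls using the WebRTC protocol'. Use the singular or the plural throughout so the description matches the Allowed values row.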
@ -524,6 +568,33 @@ This policy setting specifies whether localhost IP address are visible or hiddle
|Data type | Integer |
|Allowed values |<ul><li>**0 (default)** - Shows an employee's LocalHost IP address while using the WebRTC protocol.</li><li>**1** - Does not show an employee's LocalHost IP address while using the WebRTC protocol.</li></ul> |
## Provision Favorites
>*Supported versions: Windows 10, version 1709*
You can configure a default list of favorites that appear for your users in Microsoft Edge.
If disabled or not configured, a default list of favorites is not defined in Microsoft Edge. In this case, users can customize the Favorites list, such as adding folders for organizing, adding, or removing favorites.
If enabled, a default list of favorites is defined for users in Microsoft Edge. Users are not allowed to add, import, or change the Favorites list. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.
To define a default list of favorites, you can export favorites from Microsoft Edge and use the HTML file for provisioning user machines. In HTML format, specify the URL which points to the file that has all the data for provisioning favorites.
URL can be specified as:
- HTTP location: "SiteList"="http://localhost:8080/URLs.html"
- Local network: "SiteList"="\network\shares\URLs.html"
- Local file: "SiteList"="file:///c:\Users\\Documents\URLs.html"
>[!Important]
>You can only enable either this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy, but not both. Enabling both stops you from syncing favorites between Internet Explorer and Microsoft Edge.
**Microsoft Intune to manage your MDM settings**
| | |
|---|---|
|MDM name |[ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) |
|Supported devices |Desktop<br>Mobile |
|URI full path |./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites |
|Data type | String |
## Send all intranet sites to Internet Explorer 11
>*Supported versions: Windows 10*
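Review bot: The URL examples in the new 'Provision Favorites' section are malformed. The 'Local network' example `\network\shares\URLs.html` has a single leading backslash where a UNC path needs two, and the 'Local file' example `file:///c:\Users\\Documents\URLs.html` has an empty path segment where a user-name placeholder appears to have been lost. Put the examples in code formatting so backslashes and placeholders survive rendering. 'In HTML format, specify the URL' also misplaces the modifier; it is the file that is HTML, not the URL. Because the section says users cannot change the provisioned list, consider noting that the file should live in a location only administrators can write to.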
@ -561,7 +632,7 @@ To set the default search engine, you must specify a link to the OpenSearch XML
>*Supported versions: Windows 10, version 1607 and later*
This policy setting specifies whether you see an additional page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List. By default, this policy is disabled, which means no additional pages display. If enabled, you see an additional page.
This policy setting specifies whether you see an additional page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List. By default, this policy is disabled, which means no additional pages display. If enabled, you see an additional page.
**Microsoft Intune to manage your MDM settings**
| | |
@ -572,8 +643,5 @@ This policy setting specifies whether you see an additional page in Microsoft Ed
|Data type | Integer |
|Allowed values |<ul><li>**0 (default)** - Doesnt show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li><li>**1** - Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li></ul> |
## Related topics
* [Mobile Device Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885)

@ -0,0 +1 @@
[Microsoft browser extention policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy)
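Review bot: The link text in this new one-line file misspells 'extension' as 'extention', while the URL spells it correctly. Change the text to 'Microsoft browser extension policy'.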

@ -101,7 +101,7 @@ reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVe
Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. Use this configuration option at your own risk.
## Out-of-date ActiveX control blocking on managed devices
Out-of-date ActiveX control blocking includes 4 new Group Policy settings that you can use to manage your web browser configuration, based on your domain controller. You can download the administrative templates, including the new settings, from the [Administrative templates (.admx) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=746579) page or the [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) page, depending on your operating system.
Out-of-date ActiveX control blocking includes four new Group Policy settings that you can use to manage your web browser configuration, based on your domain controller. You can download the administrative templates, including the new settings, from the [Administrative templates (.admx) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=746579) page or the [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) page, depending on your operating system.
### Group Policy settings
Heres a list of the new Group Policy info, including the settings, location, requirements, and Help text strings. All of these settings can be set in either the Computer Configuration or User Configuration scope, but Computer Configuration takes precedence over User Configuration.

@ -3,12 +3,14 @@ ms.localizationpriority: low
ms.mktglfcycl: support
ms.pagetype: security
description: How to download and use the Internet Explorer 11 Blocker Toolkit to turn off the automatic delivery of IE11 through the Automatic Updates feature of Windows Update.
author: eross-msft
author: shortpatti
ms.author: pashort
ms.manager: elizapo
ms.prod: ie11
ms.assetid: fafeaaee-171c-4450-99f7-5cc7f8d7ba91
title: What is the Internet Explorer 11 Blocker Toolkit? (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
ms.date: 04/24/2018
---
@ -24,14 +26,14 @@ ms.date: 07/27/2017
The Internet Explorer 11 Blocker Toolkit lets you turn off the automatic delivery of IE11 through the **Automatic Updates** feature of Windows Update.
**Important**<br>
The IE11 Blocker Toolkit doesn't stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you've installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11.
>[!IMPORTANT]
>The IE11 Blocker Toolkit does not stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you have installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11.
**To install the toolkit**
## Install the toolkit
1. Download the IE11 Blocker Toolkit from [Toolkit to Disable Automatic Delivery of Internet Explorer 11](https://go.microsoft.com/fwlink/p/?LinkId=327745).
2. Accept the license agreement and store the included 4 files on your local computer.
2. Accept the license agreement and store the included four files on your local computer.
3. Start an elevated Command Prompt by going to **Start**&gt;**All Programs**&gt;**Accessories**&gt; right-clicking on **Command Prompt**, and then choosing **Run as Administrator**.
@ -44,9 +46,168 @@ Wait for the message, **Blocking deployment of IE11 on the local machine. The op
For answers to frequently asked questions, see [Internet Explorer 11 Blocker Toolkit: Frequently Asked Questions](https://go.microsoft.com/fwlink/p/?LinkId=314063).
 
## Automatic updates
Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates.
 
### Automatic delivery process
Internet Explorer 11 only downloads and installs if its available for delivery through Automatic Updates; and Automatic Updates only offer Internet Explorer 11 to users with local administrator accounts. Users without local administrator accounts wont be prompted to install the update and will continue using their current version of Internet Explorer.
Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you dont want Internet Explorer 11, and youre running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel. 
### Internet Explorer 11 automatic upgrades
Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11.
Users who were automatically upgraded to Internet Explorer 11 can decide to uninstall Internet Explorer 11. However, Internet Explorer 11 will still appear as an optional update through Windows Update.
### Options for blocking automatic delivery
If you use Automatic Updates in your company, but want to stop your users from automatically getting Internet Explorer 11, do one of the following:
- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
>[!NOTE]
>The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](#faq).
- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](http://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit.
>[!NOTE]
>If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company.
### Prevent automatic installation of Internet Explorer 11 with WSUS
Internet Explorer 11 will be released to WSUS as an Update Rollup package. Therefore, if youve configured WSUS to “auto-approve” Update Rollup packages, itll be automatically approved and installed. To stop Internet Explorer 11 from being automatically approved for installation, you need to:
1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**.
2. Expand *ComputerName*, and then click **Options**.
3. Click **Automatic Approvals**.
4. Click the rule that automatically approves an update that is classified as Update Rollup, and then click **Edit.**
>[!NOTE]
>If you dont see a rule like this, you most likely havent configured WSUS to automatically approve Update Rollups for installation. In this situation, you dont have to do anything else.
5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section.
>[!NOTE]
>The properties for this rule will resemble the following:<ul><li>When an update is in Update Rollups</li><li>Approve the update for all computers</li></ul>
6. Clear the **Update Rollup** check box, and then click **OK**.
7. Click **OK** to close the **Automatic Approvals** dialog box.
After the new Internet Explorer 11 package is available for download, you should manually synchronize the new package to your WSUS server, so that when you re-enable auto-approval it wont be automatically installed.
1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**.
2. Expand *ComputerName*, and then click **Synchronizations**.
3. Click **Synchronize Now**.
4. Expand *ComputerName*, expand **Updates**, and then click **All Updates**.
5. Choose **Unapproved** in the **Approval**drop down box.
6. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update.
>[!NOTE]
>There may be multiple updates, depending on the imported language and operating system updates.
### Optional - Reset update rollups packages to auto-approve
1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**.
2. Expand *ComputerName*, and then click **Options**.
3. Click **Automatic Approvals**.
4. Click the rule that automatically approves updates of different classifications, and then click **Edit**.
5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section.
6. Check the **Update Rollups** check box, and then click **OK**.
7. Click **OK** to close the **Automatic Approvals** dialog box.
>[!NOTE]
>Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server wont cause this update to be auto-approved.
## <a name="faq"></a>Frequently Asked Questions 
Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
### Automatic updates delivery process
**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?**
A. We encourage anyone who wants full control over their companys deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx).
**Q. How long does the blocker mechanism work?**
A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isnt removed or changed.
**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why cant I just disable all of utomatic Updates?**
A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your users computers.
The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to download and install in companies that cant use WSUS, Configuration Manager, or other update management solution.
**Q. Why dont we just block URL access to Windows Update or Microsoft Update?**
A. Blocking the Windows Update or Microsoft Update URLs also stops delivery of critical security and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable.
### How the Internet Explorer 11 Blocker Toolkit works
**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?**
A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary.
**Q. Whats the registry key used to block delivery of Internet Explorer 11?**
A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0
**Q. Whats the registry key name and values?**
The registry key name is **DoNotAllowIE11**, where:
- A value of **1** turns off the automatic delivery of Internet Explorer 11
using Automatic Updates and turns off the Express install option.
- Not providing a registry key, or using a value of anything other than **1**,
lets the user install Internet Explorer 11 through Automatic Updates or a
manual update.
**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?**
A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media.
**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?**
A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11.
**Q. How does the provided script work?**
A. The script accepts one of two command line options:
- **Block:** Creates the registry key that stops Internet Explorer 11 from installing through Automatic Updates.
- **Unblock:** Removes the registry key that stops Internet Explorer 11 from installing through Automatic Updates.
**Q. Whats the ADM template file used for?**
A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company.
**Q. Is the tool localized?**
A. No. The tool isnt localized, its only available in English (en-us). However, it does work, without any modifications, on any language edition of the supported operating systems.
### Internet Explorer 11 Blocker Toolkit and other update services
**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like SUS?**
A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that dont use upgrade management solutions.
**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?**
A. You only need to change your settings if:
- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation.
-and-
- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed.
-and-
- You dont want to upgrade your older versions of Internet Explorer to Internet Explorer 11 right now.
If these scenarios apply to your company, see [Internet Explorer 11 delivery through automatic updates](https://technet.microsoft.com/microsoft-edge/dn449235) for more information on how to prevent automatic installation.
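Review bot: In the FAQ, the answer to "Whats the registry key name and values?" calls **DoNotAllowIE11** the "registry key name" even though the previous answer already gives the key (the HKLM ... Setup\\11.0 path) and the bullets describe the data it holds, so it is a value under that key. Suggest "The registry value name is **DoNotAllowIE11**" and prefix that answer with "A." like the others, since admins auditing the block need the key/value split to be exact. The sentence "The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to download and install in companies that cant use WSUS" reads as the opposite of what a blocker does; please confirm the wording. Smaller items in the same hunk: "all of utomatic Updates" should be "Automatic Updates", "like SUS" looks like it should be WSUS, "upgrade management solutions" should match the "update management solution" wording used above, "**Approval**drop down box" is missing a space, and the closing technet link could point at the "Prevent automatic installation of Internet Explorer 11 with WSUS" section this hunk adds to the same file.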

View File

@ -145,8 +145,62 @@ Group Policy settings can be set to open either IE or Internet Explorer for the
|Always in IE11 |Links always open in IE. |
|Always in Internet Explorer for the desktop |Links always open in Internet Explorer for the desktop. |
**Q. Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?**
Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard.
IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center:
| | | |
|---------|---------|---------|
|[English](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) |
|[Arabic](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) |
|[Czech](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) |
|[Finnish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) |
|[Hebrew](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) |
|[Japanese](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) |
|[Portuguese (Brazil)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) |
|[Spanish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) |
**Q. What are the different modes available for the Internet Explorer Customization Wizard?**
The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [Determine the licensing version and features to use in IEAK 11](../ie11-ieak/licensing-version-and-features-ieak11.md).
The following table displays which pages are available in IEAK 11, based on the licensing mode:
| **Wizard Pages** | **External** | **Internal** |
|-------------------------------------------|--------------|--------------|
| Welcome to the IEAK | Yes | Yes |
| File Locations | Yes | Yes |
| Platform Selection | Yes | Yes |
| Language Selection | Yes | Yes |
| Package Type Selection | Yes | Yes |
| Feature Selection | Yes | Yes |
| Automatic Version Synchronization | Yes | Yes |
| Custom Components | Yes | Yes |
| Corporate Install | No | Yes |
| User Experience | No | Yes |
| Browser User Interface | Yes | Yes |
| Search Providers | Yes | Yes |
| Important URLs - Home page and Support | Yes | Yes |
| Accelerators | Yes | Yes |
| Favorites, Favorites Bar, and Feeds | Yes | Yes |
| Browsing Options | No | Yes |
| First Run Wizard and Welcome Page Options | Yes | Yes |
| Compatibility View | Yes | Yes |
| Connection Manager | Yes | Yes |
| Connection Settings | Yes | Yes |
| Automatic Configuration | No | Yes |
| Proxy Settings | Yes | Yes |
| Security and Privacy Settings | No | Yes |
| Add a Root Certificate | Yes | No |
| Programs | Yes | Yes |
| Additional Settings | No | Yes |
| Wizard Complete | Yes | Yes |
## Related topics
- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643)
- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
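Review bot: All 24 links in the new language table fetch ieak.msi over http://download.microsoft.com/, and an installer pulled over plain HTTP can be altered in transit; please switch them to https:// (after confirming the host serves these paths) or link to the download center page instead. The table's header row is empty (`| | | |`), so a short header such as "Language" would help. If both sentences of the answer are kept, "any of the supported 24 languages" and "all languages of the supported operating systems" disagree about what the kit can build; keep one statement.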

View File

@ -2,25 +2,28 @@
ms.localizationpriority: low
ms.mktglfcycl: plan
description: A list of steps to follow before you start to create your custom browser installation packages.
author: eross-msft
author: shortpatti
ms.author: pashort
ms.manager: elizapo
ms.prod: ie11
ms.assetid: 6ed182b0-46cb-4865-9563-70825be9a5e4
title: Before you start using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
ms.date: 04/24/2018
---
# Before you start using IEAK 11
Go through this list, making sure youve answered all of the questions before you run Internet Explorer Administration Kit 11 (IEAK 11) and the Customization Wizard.
Before you run IEAK 11 and the Customization Wizard, make sure you have met the following requirements:
- Have you determined which licensing version of the Internet Explorer Administration Kit 11 to install? For info, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md).
- Do you meet the necessary hardware and software requirements? See [Hardware and software requirements for IEAK 11](hardware-and-software-reqs-ieak11.md).
- Have you gotten all of the URLs youll need so you can customize your **Home**, **Search**, and **Support** pages? See [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](important-urls-home-page-and-support-ieak11-wizard.md).
- Have you gotten all of the URLs needed to customize your **Home**, **Search**, and **Support** pages? See [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](important-urls-home-page-and-support-ieak11-wizard.md).
- Have you reviewed the security features, determining how you want to set up and manage them? See [Security features and IEAK 11](security-and-ieak11.md).
- Have you reviewed the security features to determine how to set up and manage them? See [Security features and IEAK 11](security-and-ieak11.md).
- Have you created a test lab, where you can run the test version of your browser package to make sure it runs properly?
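Review bot: The new lead-in "make sure you have met the following requirements:" is followed by bullets that are still phrased as questions ("Have you determined ...?", "Do you meet ...?"), so the intro and the list no longer agree. Either keep a question-style lead-in or rewrite the bullets as requirements.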

View File

@ -12,15 +12,50 @@ ms.date: 07/27/2017
# Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide
The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment.
Use this guide to learn about the several options and processes you'll need to consider while you're using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices.
**Important**<br>
Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary.
>[!IMPORTANT}
>Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary.
## IEAK 11 users
IEAK 11 includes programs and tools that enterprises can use to customize, deploy, and administer Internet Explorer 11 for employee devices, while Internet service and content providers can use the same programs and tools to customize, deploy, and administer Internet Explorer 11 for customers.
Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
IEAK 10 and newer includes the ability to install using one of the following installation modes:
- Internal
- External
>[!NOTE]
>IEAK 11 works in network environments, with or without Microsoft Active Directory service.
### Corporations
IEAK helps corporate administrators establish version control, centrally distribute and manage browser installation, configure automatic connection profiles, and customize large portions of Internet Explorer, including features, security, communications settings, and other important functionality.
Corporate administrators install IEAK using Internal mode (for Internet Explorer 10 or newer) or Corporate mode (for Internet Explorer 9 or older).
### Internet service providers
IEAK helps ISPs customize, deploy and distribute, add third-party add-ons, search providers, and custom components, as well as include web slices and accelerators all as part of a custom Internet Explorer installation package.
ISPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Service Provider (ISP) mode (for Internet Explorer 9 or older).
### Internet content providers
IEAK helps ICPs customize the appearance of Internet Explorer and its Setup program, including letting you add your company name or specific wording to the Title bar, set up a customer support webpage, set up the user home page and search providers, add links to the Favorites and the Explorer bars, add optional components, web slices and accelerators, and determine which compatibility mode Internet Explorer should use.
ICPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older)
### Independent software vendors
IEAK helps ISVs distribute (and redistribute) a custom version of Internet Explorer that can include custom components, programs, and controls (like the web browser control) that you create for your users. ISVs can also determine home pages, search providers, and add websites to the Favorites bar.
ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older).
## Included technology
IEAK 11 includes the following technology:
- **Internet Explorer Customization Wizard.** This wizard guides you through the process of creating custom browser packages. After these packages are installed on your user's desktop, the user receives customized versions of Internet Explorer 11, with the settings and options you selected through the wizard.
- **Windows Installer (MSI).** IEAK 11 supports creating an MSI wrapper for your custom Internet Explorer 11 packages, enabling you to use Active Directory to deploy the package to your user's PC.
- **IEAK Help.** IEAK 11 Help includes many conceptual and procedural topics, which you can view from the **Index**, **Contents**, or **Search** tabs. You also have the option to print any topic, or the entire Help library.
IEAK 11 works in network environments, with or without Microsoft Active Directory service.
## Naming conventions
IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1 Update and newer versions of the Windows operating system:
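Review bot: The new callout marker is typed as ">[!IMPORTANT}" with a closing brace, so it will not be parsed as an IMPORTANT alert; change it to ">[!IMPORTANT]". The sentence "IEAK 11 works in network environments, with or without Microsoft Active Directory service." now appears both in the NOTE under "IEAK 11 users" and again after the "Included technology" list, so one copy should go. The last sentence of the "Internet content providers" section is also missing its period.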

View File

@ -14,10 +14,13 @@ ms.date: 05/02/2018
# Determine the licensing version and features to use in IEAK 11
You must pick a version of IEAK 11 to run during installation, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can pick from, the steps youll have to follow to deploy your Internet Explorer 11 package, and how youll manage the browser after deployment.
In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11) (IEAK 11, the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment.
- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If youre an ISP or an ICP, your license agreement also says that you have to show the Internet Explorer logo on your packaging and promotional goods, as well as on your website.<p>
**Important**<br>Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment.
- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you are an ISP or an ICP, your license agreement also states that you must show the Internet Explorer logo on your packaging and promotional goods, as well as on your website.
>[!IMPORTANT]
>Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
- **Internal Distribution via a Corporate Intranet.** This version is for network admins that plan to directly deploy IE11 into a corporate environment.
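Review bot: In the rewritten opening sentence, "the options you can chose" should be "choose". The new guidelines paragraph reads "(IEAK 11) (IEAK 11, the "software")", which introduces the abbreviation twice; one parenthetical is enough. Please also confirm that "IEAK 11 is for testing purposes only and is not intended to be used in a production environment" is intended on a page that describes deploying packages.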
@ -52,3 +55,48 @@ You must pick a version of IEAK 11 to run during installation, either **Externa
|Additional settings |Not available |
|Wizard complete |Wizard complete |
## Customization guidelines
Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
- **External Distribution**
This mode is available to anyone who wants to create a customized browser for distribution outside their company (for example, websites, magazines, retailers, non-profit organizations, independent hardware vendors, independent software vendors, Internet service providers, Internet content providers, software developers, and marketers).
- **Internal Distribution**
This mode is available to companies for the creation and distribution of a customized browser only to their employees over a corporate intranet.
The table below identifies which customizations you may or may not perform based on the mode you selected.
| **Feature Name** | **External Distribution** | **Internal Distribution** |
|---------------------------------|----------------------|-------------------|
| **Custom Components** | Yes | Yes |
| **Title Bar** | Yes | Yes |
| **Favorites** | One folder, containing any number of links. | Any number of folders/links. |
| **Search Provider URLs** | Yes | Yes |
| **Search Guide URL** | No | Yes |
| **Online Support URL** | Yes | Yes |
| **Web Slice** | Suggested maximum five Web Slices. | Any number of Web Slices. |
| **Accelerator** | Search provider Accelerator must be the same as the search provider set for the Search Toolbox. We recommend that Any number of Accelerators/Accelerator Categories. Feature Name External Internal Accelerator category not exceed seven total categories, and each Accelerator category must be unique. We recommend each Accelerator category not have more than two Accelerators. The Accelerator display name should follow the syntax of verb + noun, such as "Map with Bing." | Any number of Accelerators/Accelerator Categories. |
| **Homepage URLs** | Can add a maximum of three. | Unlimited. |
| **First Run Wizard and Welcome Page Options** | Cannot remove Internet Explorer 11 First Run wizard. Can customize **Welcome** page. | Customizable. |
| **RSS Feeds** | One folder, containing any number of links. | Any number of folders/links. |
| **Browsing Options** | No | Yes |
| **Security and Privacy Settings** | No | Can add any number of sites. |
| **Corporate Options** (Latest Updates, Default Browser, Uninstall Info, Additional Settings) | No | Yes |
| **User Experience** (Setup/Restart) | No | Yes |
| **User Agent String** | Yes | Yes |
| **Compatibility View** | Yes | Yes |
| **Connection Settings and Manage** | Yes | Yes |
Support for some of the Internet Explorer settings on the wizard pages varies depending on your target operating system. For more information, see [Internet Explorer Customization Wizard 11 options](https://docs.microsoft.com/internet-explorer/ie11-ieak/ieak11-wizard-custom-options).
## Distribution guidelines
Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
- **External Distribution**
You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [!INCLUDE [microsoft-browser-extension-policy-include](../../edge/microsoft-browser-extension-policy-include.md)].
- **Internal Distribution - corporate intranet**
The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet.
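Review bot: The External cell of the **Accelerator** row has stray table text spliced into the middle of a sentence: "We recommend that Any number of Accelerators/Accelerator Categories. Feature Name External Internal Accelerator category not exceed seven total categories". The fragment "Any number of Accelerators/Accelerator Categories. Feature Name External Internal" looks like a pasted column header and Internal-column value. Remove it so the sentence reads "We recommend that Accelerator category not exceed seven total categories".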

View File

@ -2,7 +2,8 @@
ms.localizationpriority: low
ms.mktglfcycl: support
description: Info about some of the known issues using the Internet Exporer Customization Wizard and a custom Internet Explorer install package.
author: eross-msft
author: shortpatti
ms.author: pashort
ms.prod: ie11
ms.assetid: 9e22cc61-6c63-4cab-bfdf-6fe49db945e4
title: Troubleshoot custom package and IEAK 11 problems (Internet Explorer Administration Kit 11 for IT Pros)
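Review bot: The `description` value in this front matter still reads "Internet Exporer Customization Wizard". Since the metadata block is already being edited here, correct it to "Internet Explorer".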
@ -14,8 +15,8 @@ ms.date: 07/27/2017
# Troubleshoot custom package and IEAK 11 problems
While the Internet Explorer Customization Wizard has been around for quite a while, there are still some known issues that you might encounter while deploying or managing your custom IE install package.
## I cant locate some of the wizard pages
The most common reasons you wont see certain pages is because:
## I am unable to locate some of the wizard pages
The most common reasons you will not see certain pages is because:
- **Your licensing agreement with Microsoft.** Your licensing agreement determines whether you install the **Internal** or **External** version of the Internet Explorer Customization Wizard, and there are different features available for each version. For info about which features are available for each version, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md).
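Review bot: The rewritten sentence under the heading, "The most common reasons you will not see certain pages is because:", pairs a plural subject with a singular verb and adds a redundant "is because". Suggest "The most common reasons you will not see certain pages are:". The heading change to "I am unable to locate some of the wizard pages" also changes the generated section anchor, so check for inbound links to the old heading.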
@ -23,7 +24,7 @@ The most common reasons you wont see certain pages is because:
- **Your choice of features.** Depending on what you selected from the **Feature Selection** page of the wizard, you might not see all of the pages. You need to make sure that the features you want to customize are all checked. For more information, see [Use the Feature Selection page in the IEAK 11 Wizard](feature-selection-ieak11-wizard.md).
## Internet Explorer Setup fails on employee devices
## Internet Explorer Setup fails on user's devices
Various issues can cause problems during Setup, including missing files, trust issues, or URL monikers. You can troubleshoot these issues by reviewing the Setup log file, located at `IE11\_main.log` from the **Windows** folder (typically, `C:\Windows`). The log file covers the entire Setup process from the moment IE11Setup.exe starts until the last .cab file finishes, providing error codes that you can use to help determine the cause of the failure.
### Main.log file codes
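Review bot: The new heading "Internet Explorer Setup fails on user's devices" uses a singular possessive where many users are meant. "users' devices" or "user devices" would match the later heading "Users cannot uninstall IE".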
@ -61,18 +62,60 @@ To address connection issues (for example, as a result of server problems) where
Where `<path>` represents the folder location where you stored IE11setup.exe.
## Employees cant uninstall IE
If you cant uninstall IE using **Uninstall or change a program** in the Control Panel, it could be because the uninstall information isnt on the computer. To fix this issue, you should:
## Users cannot uninstall IE
If you cannot uninstall IE using **Uninstall or change a program** in the Control Panel, it could be because the uninstall information is not on the computer. To fix this issue, you should:
1. Review the uninstall log file, IE11Uninst.log, located in the `C:\Windows` folder. This log file covers the entire uninstallation process, including every file change, every registry change, and any dialog boxes that are shown.
2. Try to manually uninstall IE. Go to the backup folder, `<system_drive>:\Windows\$ie11$`, and run the uninstall file, `Spunist.exe`.
 
## The Internet Explorer Customization Wizard 11 does not work with user names that user double-byte character sets
The customization wizard does not work with user names that use double-byte character sets, such as Chinese or Japanese. To fix this, set the **TEMP** and **TMP** environmental variables to a path that does not use these characters (for example, C:\temp).
1. Open **System Properties**, click the **Advanced** tab, and then click **Environmental Variables**.
2. Click Edit, and then modify the **TEMP** and **TMP** environmental variables to a non-user profile directory.
 
## Unicode characters are not supported in IEAK 11 path names
While Unicode characters, such as Emoji, are supported for organization names and other branding items, you must not use Unicode characters in any paths associated with running the Internet Explorer Customization Wizard 11. This includes paths to your IEAK 11 installation and to the storage location for your custom packages after they're built.
## Internet Explorer branding conflicts when using both Unattend and IEAK 11 to customize Internet Explorer settings
Using both Unattend settings and an IEAK custom package to modify a user's version of Internet Explorer 11 might cause a user to lose personalized settings during an upgrade. For example, many manufacturers configure Internet Explorer using Unattend settings. If a user purchases a laptop, and then signs up for Internet service, their Internet Service Provider (ISP) might provide a version of Internet Explorer that has been branded (for example, with a custom homepage for that ISP) using Internet Explorer Customization Wizard 11. If that user later upgrades to a new version of Internet Explorer, the Unattend settings from the laptop manufacturer will be reapplied, overwriting any settings that the user configured for themselves (such as their homepage).
## IEAK 11 does not correctly apply the Delete all existing items under Favorites, Favorites Bar and Feeds option
The Internet Explorer Customization Wizard 11 does not correctly apply the **Delete all existing items under Favorites**, **Favorites Bar and Feeds** option, available on the **Browsing Options** page.
Selecting to include this feature in your customized Internet Explorer package enables the deletion of existing items in the **Favorites** and **Favorites Bar** areas, but it doesn't enable deletion in the **Feeds** area. In addition, this setting adds a new favorite, titled “Web Slice Gallery” to the **Favorites Bar**.
## F1 does not activate Help on Automatic Version Synchronization page
Pressing the **F1** button on the **Automatic Version Synchronization** page of the Internet Explorer Customization Wizard 11 does not display the **Help** page. Clicking the **Help** button enables you to open the Help system and view information about this page.
## Certificate installation does not work on IEAK 11
IEAK 11 doesn't install certificates added using the Add a Root Certificate page of the Internet Explorer Customization Wizard 11. Administrators can manually install certificates using the Certificates Microsoft Management Console snap-in (Certmgr.msc) or using the command-line tool, Certificate Manager (Certmgr.exe).
>[!NOTE]
>This applies only when using the External licensing mode of IEAK 11.
## The Additional Settings page appears in the wrong language when using a localized version of IEAK 11
When using IEAK 11 in other languages, the settings on the Additional Settings page appear in the language of the target platform, regardless of the IEAK 11 language.
>[!NOTE]
>This applies only when using the Internal licensing mode of IEAK 11.
To work around this issue, run the customization wizard following these steps:
1. On the **Language Selection** page, select the language that matches the language of your installed IEAK 11.
2. Click **Next**, and then click **Synchronize** on the Automatic Version Synchronization page.
3. After synchronization is complete, cancel the wizard.
4. Repeat these steps for each platform on the Platform Selection page.
After performing these steps, you must still do the following each time you synchronize a new language and platform:
1. Open File Explorer to the Program Files\Windows IEAK 11 or Program Files (x86)\Windows IEAK 11 folder.
2. Open the **Policies** folder, and then open the appropriate platform folder.
3. Copy the contents of the matching-language folder into the new language folder.
After completing these steps, the Additional Settings page matches your wizards language.
## Unable to access feeds stored in a subfolder
Adding feeds using the **Favorites**, **Favorites Bar**, and **Feeds** page of the Internet Explorer 11 Customization Wizard requires that the feeds be stored in a single folder. Creating two levels of folders, and creating the feed in the subfolder, causes the feed to fail.
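Review bot: The new heading "The Internet Explorer Customization Wizard 11 does not work with user names that user double-byte character sets" has "user" where "use" is meant (the body sentence has it right), and the typo would carry into the generated anchor. In the same section, the steps say "Environmental Variables" and an unbolded "Click Edit"; confirm the label matches the System Properties button and bold "Edit" like the other controls. Further down, "matches your wizards language" is missing its apostrophe, and the option name is bolded in two pieces ("**Delete all existing items under Favorites**, **Favorites Bar and Feeds**") although the heading treats it as one option. In the uninstall steps, please confirm the spelling of the file name `Spunist.exe`.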

View File

@ -9,5 +9,6 @@
## [Share HoloLens with multiple people](hololens-multiple-users.md)
## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
## [Install apps on HoloLens](hololens-install-apps.md)
## [Get ready to preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md)
## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
## [Change history for Microsoft HoloLens documentation](change-history-hololens.md)

View File

@ -8,13 +8,21 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.localizationpriority: medium
ms.date: 04/30/2018
ms.date: 05/07/2018
---
# Change history for Microsoft HoloLens documentation
This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
## May 2018
New or changed topic | Description
--- | ---
[Get ready to preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) | New
## Windows 10 Holographic for Business, version 1803
The topics in this library have been updated for Windows 10 Holographic for Business, version 1803. The following new topics have been added:

View File

@ -0,0 +1,97 @@
---
title: Get early access to preview new mixed reality apps for HoloLens
description: Here's what you need to know to prepare for the public preview of new mixed reality apps for HoloLens
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: alhopper
ms.localizationpriority: medium
ms.date: 05/08/2018
---
# Get ready to preview new mixed reality apps for HoloLens
Microsoft has just announced two new mixed reality apps coming to HoloLens: Microsoft Remote Assist and Microsoft Layout.
On May 22, 2018, these apps will be available to download for free for a limited time from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps) and [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store). At that time you'll be able to distribute the apps across your organization as part of a public preview. In the meantime, here's what you need to know to prepare for the public preview of each app, to make sure your roll-out is smooth and seamless.
## Microsoft Remote Assist
Microsoft Remote Assist enables collaboration in mixed reality to solve problems faster. Firstline workers can collaborate remotely with heads-up, hands-free video calling, image sharing, and mixed reality annotations. They can share what they see with an expert on Microsoft Teams, while staying hands-on to solve problems and complete tasks together, faster.
Below, you'll find the technical requirements you'll need to meet in order to distribute Microsoft Remote Assist throughout your organization when it's available from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps) and [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) on May 22, 2018.
### Device requirements
| Device | OS requirements | Details |
|:---------------------------|:----------------------------------|:-----------------------------------------------------------|
| HoloLens | RS1, build 10.0.14393.0 or above | See [Manage updates to HoloLens](https://docs.microsoft.com/en-us/HoloLens/hololens-updates) for instructions on using Windows Update for Business, MDM, and Windows Server Update Service (WSUS) to deploy updates to HoloLens. |
| Windows 10 PC (optional) | Any Windows 10 build | You can use a Windows 10 PC to collaborate with the HoloLens. |
| Mobile device (optional) | Android or iOS | You can use a mobile device to collaborate with the HoloLens. Inking, annotations, and image insertion are not currently available on mobile. |
> [!Note]
> RS1 OS build 10.0.14393.0 is the minimum HoloLens build that supports Remote Assist. We recommend updating the HoloLens to newer versions when they are available.
### Licensing & product requirements
| Product required | Details | Learn more |
|:----------------------------------|:------------------|:------------------|
| Azure Active Directory (Azure AD) | Required to log users into the Remote Assist app through Microsoft Teams. Also required for app distribution through the [Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/sign-up-microsoft-store-for-business). If you choose not to distribute the app through the Microsoft Store for Business, users can also install Remote Assist on a HoloLens or PC from the [Microsoft store](https://www.microsoft.com/en-us/store/apps) using their Microsoft Account credentials (MSA). | [Get started with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/get-started-azure-ad) |
| Microsoft Teams | Microsoft Teams is the backbone that facilitates communication in Remote Assist. All devices that will make calls to the HoloLens will need to have Microsoft Teams installed. | [Overview of Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/teams-overview) |
| Microsoft Office 365 | Because Microsoft Teams is part of Office 365, all users who will make calls from their PC/phone to the HoloLens will need an Office 365 license. | [Office 365 licensing for Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/office-365-licensing) |
### Network requirements
1.5 MB/s is the recommended bandwidth for optimal performance of Microsoft Remote Assist. Though audio/video calls may be possible in environments with reduced bandwidth, you may experience HoloLens feature degradation, limiting the user experience. To test your companys network bandwidth, we suggest following the steps outlined below:
1. Have a mobile Teams user (iOS or Android) video call a desktop Teams user.
2. Once the video call has been successfully connected between user 1 and 2, add another separate video call between a 3rd and 4th user, and another for a 5th and 6th user.
3. Continue adding video callers to stress test your network bandwidth until confident that multiple users can successfully connect on video calls at the same time.
See [Preparing your organization's network for Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/prepare-network) to learn more.
## Microsoft Layout
Bring designs from concept to completion with confidence and speed using Microsoft Layout. Import 3D models to easily create room layouts in real-world scale. Experience designs as high-quality holograms in physical or virtual space and edit in real time. With Microsoft Layout, see ideas in context, saving valuable time and money.
Below, you'll find the device options, and technical requirements, you'll need to consider in order to distribute Layout throughout your organization when it's available from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps) and [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) on May 22, 2018.
### Device options
You can use Microsoft Layout with a HoloLens, or with a Windows Mixed Reality headset with motion controllers.
#### HoloLens requirements
| OS requirements | Details |
|:----------------------------------|:-----------------------------------------------------------|
| RS4, build 10.0.17134.77 or above | This build will be available as a HoloLens update on May 22, to align with the app release. Instructions for upgrading to the RS4 OS build are forthcoming. |
Alternately, you can get started testing out the HoloLens RS4 build in advance of May 22. See [HoloLens RS4 Preview](https://docs.microsoft.com/en-us/windows/mixed-reality/hololens-rs4-preview) for instructions on flashing the RS4 build to your device. Be advised that doing so will erase all content on the device, and will put the device on track to receive future pre-released versions of the OS which may exhibit bugs and issues. We recommend using preview builds for testing only.
#### Windows Mixed Reality headset requirements
| OS requirements | Details |
|:----------------------------------------------|:-----------------------------------------------------------|
| Windows 10 PC with build 16299.0 or higher | The Windows 10 PC hardware must be able to support the headset. See [Windows Mixed Reality PC hardware guidelines](https://support.microsoft.com/en-us/help/4039260/windows-10-mixed-reality-pc-hardware-guidelines) for specific hardware requirements. We recommend following the **Windows Mixed Reality Ultra** hardware guidelines. |
| Motion controllers | Motion controllers are hardware accessories that allow users to take action in mixed reality. See [Motion controllers](https://docs.microsoft.com/en-us/windows/mixed-reality/motion-controllers) to learn more. |
### Technical requirements
Have the following technical requirements in place to start using Microsoft Layout as soon as it's available:
| Requirement | Details | Learn more |
|:----------------------------------|:------------------|:------------------|
| Azure Active Directory (Azure AD) | Required for app distribution through the [Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/sign-up-microsoft-store-for-business). If you choose not to distribute the app through the Microsoft Store for Business, users can also install Layout on a HoloLens or PC from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps) using their Microsoft Account credentials (MSA). | [Get started with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/get-started-azure-ad) |
| Network connectivity | Internet access is required to download the app, and utilize all of its features. There are no bandwidth requirements. | |
| Apps for sharing | Video calling or screen sharing requires a separate app, such as Microsoft Remote Assist on HoloLens, or Skype or Skype for Business on Windows Mixed Reality headsets.<br/><br/>A Windows 10 PC that meets the Windows Mixed Reality Ultra specifications is also required for video calling or screen sharing when using Layout with a Windows Mixed Reality headset. | [Remote Assist](#microsoft-remote-assist) <br/><br/>[Windows Mixed Reality PC hardware guidelines](https://support.microsoft.com/en-us/help/4039260/windows-10-mixed-reality-pc-hardware-guidelines) |
| Import Tool for Microsoft Layout | The Import Tool for Microsoft Layout is a companion app for Layout that makes model optimization and management easy. The Import Tool is required to transfer existing 3D models from your PC to Microsoft Layout, for viewing and editing on HoloLens or a Windows Mixed Reality headset. To import 3D models, users must download and launch the Import Tool for Microsoft Layout on their PC, available for free from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps) and [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) starting May 22nd. The Import Tool is also required to transfer Visio space dimensions to the HoloLens or Windows Mixed Reality headset. | |
### Visio Add-in for Microsoft Layout
The free Visio Add-in for Microsoft Layout enables you to import space dimensions from Visio to view and edit on HoloLens or in Windows Mixed Reality. The Import Tool for Microsoft Layout is also required.
Be sure to grab the Import Tool and Visio Add-in for Microsoft Layout from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps) or [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) on May 22 if you'd like to import, view, and edit space dimensions from Visio.
## Questions and support
You can ask questions and engage with our team in the [Mixed Reality Tech Community](https://techcommunity.microsoft.com/t5/Mixed-Reality/ct-p/MixedReality).
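Review bot: The front matter `title` says "Get early access to preview new mixed reality apps for HoloLens" while the H1 says "Get ready to preview new mixed reality apps for HoloLens"; pick one so the page title and heading agree with the TOC entry. In Network requirements, "1.5 MB/s" should say whether megabytes or megabits per second is meant, and "your companys network" is missing its apostrophe. The page also mixes "Microsoft store" with "Microsoft Store" and "May 22nd" with "May 22".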

View File

@ -7,7 +7,7 @@ ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: medium
ms.date: 04/30/2018
ms.date: 05/07/2018
---
# Microsoft HoloLens
@ -21,18 +21,19 @@ ms.date: 04/30/2018
| Topic | Description |
| --- | --- |
[What's new in Microsoft HoloLens](hololens-whats-new.md) | Discover the new features in the latest update.
| [What's new in Microsoft HoloLens](hololens-whats-new.md) | Discover the new features in the latest update. |
| [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management |
| [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time |
| [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic for Business|
| [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic for Business |
| [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft Intune |
[Manage updates to HoloLens](hololens-updates.md) | Use mobile device management (MDM) policies to configure settings for updates.
| [Manage updates to HoloLens](hololens-updates.md) | Use mobile device management (MDM) policies to configure settings for updates. |
| [Set up HoloLens in kiosk mode](hololens-kiosk.md) | Enable kiosk mode for HoloLens, which limits the user's ability to launch new apps or change the running app |
[Share HoloLens with multiple people](hololens-multiple-users.md) | Multiple users can shared a HoloLens device by using their Azure Active Directory accounts.
[Share HoloLens with multiple people](hololens-multiple-users.md) | Multiple users can shared a HoloLens device by using their Azure Active Directory accounts. |
| [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging |
| [Install apps on HoloLens](hololens-install-apps.md) | Use Microsoft Store for Business, mobile device management (MDM), or the Windows Device Portal to install apps on HoloLens|
[Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) | Learn how to use Bitlocker device encryption to protect files and information stored on the HoloLens.
[Change history for Microsoft HoloLens documentation](change-history-hololens.md) | See new and updated topics in the HoloLens documentation library.
| [Install apps on HoloLens](hololens-install-apps.md) | Use Microsoft Store for Business, mobile device management (MDM), or the Windows Device Portal to install apps on HoloLens |
| [Get ready to preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) | Get ready to distribute and use new mixed reality apps for HoloLens during private preview |
| [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) | Learn how to use Bitlocker device encryption to protect files and information stored on the HoloLens |
| [Change history for Microsoft HoloLens documentation](change-history-hololens.md) | See new and updated topics in the HoloLens documentation library. |
## Related resources
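Review bot: The new index row for hololens-public-preview-apps.md describes the apps as available "during private preview", but the linked page and its file name both say public preview; change the description to "public preview". The rewritten "Share HoloLens with multiple people" row gained a trailing pipe but still has no leading `|`, unlike the other rows fixed in this hunk, and still reads "can shared".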

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
ms.date: 10/20/2017
ms.date: 05/04/2018
ms.localizationpriority: medium
---
@ -68,21 +68,7 @@ If you prefer to use a graphical user interface, you can create a device account
![Image with new mobile device mailbox policy in Exchange admin center.](images/setupdeviceaccto365-12.png)
6. Now, to apply the ActiveSync policy without using PowerShell, you can do the following: In the EAC, click **Recipients** &gt; **Mailboxes** and then select a mailbox.
![Image showing mailbox in Exchange admin center.](images/setupdeviceaccto365-13.png)
7. In the Details pane, scroll to **Phone and Voice Features** and click **View details** to display the **Mobile Device Details** screen.
![Image showing mobile device details for the mailbox.](images/setupdeviceaccto365-14.png)
8. The mobile device mailbox policy thats currently assigned is displayed. To change the mobile device mailbox policy, click **Browse**.
![Image with details for the mobile device policy.](images/setupdeviceaccto365-15.png)
9. Choose the appropriate mobile device mailbox policy from the list, click **OK** and then click **Save**.
![Image showing multiple mobile device mailbox policies.](images/setupdeviceaccto365-16.png)
### <a href="" id="create-device-acct-o365-complete-acct"></a>Use PowerShell to complete device account creation
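Review bot: With steps 6 through 9 removed, the graphical walkthrough ends once the mobile device mailbox policy has been created, and nothing in this section assigns it to the mailbox any more. Add a sentence before the "Use PowerShell to complete device account creation" heading saying that the policy is assigned in that section, so a reader following the GUI path does not stop with the policy unassigned.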
@ -152,19 +138,19 @@ Now that you're connected to the online services, you can finish setting up the
1. Youll need to enter the accounts mail address and create a variable with that value:
``` syntax
```powershell
$mailbox = (Get-Mailbox <your device accounts alias>)
```
To store the value get it from the mailbox:
``` syntax
```powershell
$strEmail = $mailbox.WindowsEmailAddress
```
Print the value:
``` syntax
```powershell
$strEmail
```
@ -172,7 +158,11 @@ Now that you're connected to the online services, you can finish setting up the
![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-23.png)
2. Run the following cmdlet:
```powershell
Set-CASMailbox $strEmail -ActiveSyncMailboxPolicy "SurfaceHubDeviceMobilePolicy"
```
4. Various Exchange properties can be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
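Review bot: The added step is numbered 2 and the next step in the list is numbered 4, so the source numbering skips 3; renumber the steps that follow. The policy name in `Set-CASMailbox $strEmail -ActiveSyncMailboxPolicy "SurfaceHubDeviceMobilePolicy"` is hard-coded, so state that it must be the name of the mobile device mailbox policy created earlier, since anyone who named theirs differently will get an error from the cmdlet.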
@ -244,7 +234,8 @@ You can use the Exchange Admin Center to create a device account:
### <a href="" id="create-device-acct-exch-mbx-policy"></a>Create a mobile device mailbox policy from the Exchange Admin Center
>**Note**  If you want to create and assign a policy to the account you created, and are using Exchange 2010, look up the corresponding information regarding policy creation and policy assignment when using the EMC (Exchange management console).
>[!NOTE]
>If you want to create and assign a policy to the account you created, and are using Exchange 2010, look up the corresponding information regarding policy creation and policy assignment when using the EMC (Exchange management console).
 
@ -310,7 +301,7 @@ Now that you're connected to the online services, you can finish setting up the
You will see the correct email address.
2. You need to convert the account into to a room mailbox, so run:
2. You need to convert the account into a room mailbox, so run:
``` syntax
Set-Mailbox $strEmail -Type Room
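Review bot: This code block still opens with the `syntax` fence tag, while the earlier blocks in this file were switched to `powershell` in the same commit. Change it here as well so highlighting is consistent across the procedure.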

View File

@ -21,6 +21,6 @@
## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
## [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](s-mode-switch-to-edu.md)
## [Switch to Windows 10 Pro Education from Windows 10 Pro](switch-to-pro-education.md)
## [Change to Windows 10 Pro Education from Windows 10 Pro](change-to-pro-education.md)
## [Chromebook migration guide](chromebook-migration-guide.md)
## [Change history for Windows 10 for Education](change-history-edu.md)

View File

@ -6,15 +6,21 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
author: CelesteDG
ms.author: celested
ms.date: 03/08/2018
author: MikeBlodge
ms.author: MikeBlodge
ms.date: 05/07/2018
---
# Change history for Windows 10 for Education
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
## April 2018
New or changed topic | Description
--- | ---
[Windows 10 Pro in S mode for Education](s-mode-switch-to-edu.md) | Created a new topic on S mode for Education. |
[Change to Windows 10 Education from Windows 10 Pro](change-to-pro-education.md) | Updated sections referencing S mode.
## March 2018
New or changed topic | Description
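Review bot: The second April 2018 row links change-to-pro-education.md as "Change to Windows 10 Education from Windows 10 Pro", but the TOC entry for the same file is "Change to Windows 10 Pro Education from Windows 10 Pro"; the row drops "Pro". That row also lacks the trailing pipe the row above it has. With `ms.date` set to 05/07/2018, confirm that April is the intended heading for these entries.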
@ -71,7 +77,7 @@ New or changed topic | Description
| New or changed topic | Description |
| --- | ---- |
| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education. |
| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education. |
| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Updated. Now includes network tips and updated step-by-step instructions that show the latest updates to the app such as Wi-Fi setup. |
## RELEASE: Windows 10, version 1703 (Creators Update)
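Review bot: Only the link target changed in this row; the link text still reads "Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S" although the file is now change-to-pro-education.md and the TOC calls it "Change to Windows 10 Pro Education from Windows 10 Pro". Update the link text to the new title, and do the same for the identical links retargeted elsewhere in this commit.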
@ -97,7 +103,7 @@ New or changed topic | Description
| New or changed topic | Description |
| --- | --- |
| [Upgrade Windows 10 Pro to Pro Education from Microsoft Store for Business] | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. As of May 2017, this topic has been replaced with [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md). |
| [Upgrade Windows 10 Pro to Pro Education from Microsoft Store for Business] | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. As of May 2017, this topic has been replaced with [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). |
## November 2016

View File

@ -20,7 +20,7 @@ ms.date: 08/31/2017
Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education#setedupolicies)** enabled. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305).
We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md).
We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md).
In Windows 10, version 1703 (Creators Update), it is straightforward to configure Windows to be education ready.
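Review bot: The link on the changed line now targets change-to-pro-education.md while its text still reads "Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S", and the lines shown for this commit do not add a file by that name. Confirm the target exists or is covered by a redirect before merging, otherwise this link breaks. The same rename repeats in the other education topics in this commit, so one check covers them all.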
@ -55,7 +55,7 @@ It is easy to be education ready when using Microsoft products. We recommend the
3. Enroll the PCs in MDM.
* If you have activated Intune for Education in your Azure AD tenant, enrollment will happen automatically when the PC is joined to Azure AD. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False.
4. Ensure that needed assistive technology apps can be used.
* If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md) for more info.
* If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info.
4. Distribute the PCs to students.
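Review bot: The numbered list around the changed item has two steps numbered 4 ("4. Ensure that needed assistive technology apps can be used." and "4. Distribute the PCs to students."). Since this step is being edited anyway, renumber the last one to 5 so the source matches the rendered order.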

View File

@ -19,7 +19,7 @@ ms.prod: W10
Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, as well as some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsofts commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). The following sections provide some best practices and specific privacy settings wed like you to be aware of. Also see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) for more information about ways to customize the OS diagnostic data, consumer experiences, Cortana, and search.
We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md).
We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md).
## Deployment best practices
@ -27,7 +27,7 @@ Keep these best practices in mind when deploying any edition of Windows 10 in sc
* A Microsoft account is only intended for consumer services. Enterprises and educational institutions should use enterprise versions where possible, such as Skype for Business, OneDrive for Business, and so on. For schools, consider using mobile device management (MDM) or Group Policy to block students from adding a Microsoft account as a secondary account.
* If schools allow the use of personal accounts by their students to access personal services, schools should be aware that these accounts belong to individuals, not the school.
* IT administrators, school officials, and teachers should also consider ratings when picking apps from the Microsoft Store.
* If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md) for more info.
* If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info.
## Windows 10 Contacts privacy settings

View File

@ -39,7 +39,7 @@ ms.date: 10/13/2017
## ![Switch to Windows 10 for Education](images/windows.png) Switch
<p><b>[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)</b><br />If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.</p>
<p><b>[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)</b><br />If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.</p>
## Windows 8.1
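Review bot: The changed line keeps a Markdown link, [Switch to ...](change-to-pro-education.md), inside a raw HTML paragraph with a bold element around it, and Markdown inside a block-level HTML element is left unparsed by CommonMark-style renderers. Use an HTML anchor element here, or drop the HTML wrapper in favour of Markdown bold, and check the rendered page once the new target is in place.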

View File

@ -124,7 +124,7 @@ After installing Windows 10 in S mode, use the free [Set up School PCs app](use-
## Switch to previously installed Windows 10 editions
If Windows 10 in S mode is not right for you, you can switch to the Windows 10 edition previously installed on your device(s).
* Education customers can switch devices to Windows 10 Pro Education using the Microsoft Store for Education. For more information, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 in S mode](switch-to-pro-education.md).
* Education customers can switch devices to Windows 10 Pro Education using the Microsoft Store for Education. For more information, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 in S mode](change-to-pro-education.md).
* If you try Windows 10 in S mode and decide to switch back to the previously installed edition within 10 days, you can go back to the previously installed edition using the Windows Recovery option in Settings. For more info, see [Go back to your previous edition of Windows 10](#go-back-to-your-previous-edition-of-windows-10).
## Device recovery

View File

@ -61,7 +61,7 @@ Customers who deploy Windows 10 Enterprise are able to configure the product to
For any other questions, contact [Microsoft Customer Service and Support](https://support.microsoft.com/en-us).
## Related topics
* [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)
* [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)
* [Windows deployment for education](http://aka.ms/edudeploy)
* [Windows 10 upgrade paths](https://go.microsoft.com/fwlink/?LinkId=822787)
* [Volume Activation for Windows 10](https://go.microsoft.com/fwlink/?LinkId=822788)

View File

@ -150,7 +150,7 @@ The following diagram shows the Firewall configuration service provider in tree
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="defaultoutboundaction"></a>**/DefaultOutboundAction**
<p style="margin-left: 20px">This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block.</p>
<ul>
<li>0x00000000 - allow</li>
<li>0x00000001 - block</li>
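Review bot: The sentence added to the /DefaultOutboundAction description, "DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block.", reads as if block were the default, but the value list directly below gives 0x00000000 as allow and the text after it states "Default value is 0 (allow)". If the sentence is meant to describe the block value, scope it to that, for example "When set to 1 (block), ...", so it does not contradict the documented default.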
@ -158,6 +158,30 @@ The following diagram shows the Firewall configuration service provider in tree
<p style="margin-left: 20px">Default value is 0 (allow).</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get and Replace.</p>
Sample syncxml to provision the firewall settings to evaluate
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<!-- Block Outbound by default -->
<Add>
<CmdID>2010</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DefaultOutboundAction</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="defaultinboundaction"></a>**/DefaultInboundAction**
<p style="margin-left: 20px">This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</p>
<ul>
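Review bot: The lead-in to the new sample, "Sample syncxml to provision the firewall settings to evaluate", misspells SyncML and does not say what the sample does; something like "Sample SyncML that sets the default outbound action to block:" would match the Data value of 1. The LocURI targets MdmStore/DomainProfile only, so the lead-in should say which profile is being set. The opening fence line has a space between the backticks and the info string "syntax", which is worth checking in the rendered output. While in this area, the context line for /DefaultInboundAction has "GroupPolicyRSoPStore.win", which should read "GroupPolicyRSoPStore win" as in the outbound description.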

View File

@ -44,12 +44,17 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t
In Windows 10, version 1803, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but arent allowed to go to a competitor's website.
>[!NOTE]
>Kiosk Browser app is coming soon to Microsoft Store for Business.
**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education).
1. [Get **Kiosk Browser** in Microsoft Store for Business with offline license type.](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
2. [Deploy **Kiosk Browser** to kiosk devices.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps)
3. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](provisioning-packages/provisioning-create-package.md).
### Other browsers
>[!NOTE]
>Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps. Microsoft Edge is not currently supported for assigned access.
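Review bot: The note "Kiosk Browser app is coming soon to Microsoft Store for Business." sits directly above the new steps that tell readers to get the app from Microsoft Store for Business now; make sure only one of the two survives this change. "Microsoft Store For Business" in the new sentence is also capitalized differently from "Microsoft Store for Business" in step 1, and in steps 1 and 2 the trailing period is inside the link text.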

View File

@ -1689,6 +1689,9 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command.
### <a href="" id="bkmk-wifisense"></a>22. Wi-Fi Sense
>[!IMPORTANT]
>Beginning with Windows 10, version 1803, Wi-Fi Sense is no longer available. The following section only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/en-us/windows-10-open-wi-fi-hotspots) for more details.
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the persons contacts have shared with them.
To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**:
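Review bot: The link in the new IMPORTANT note hard-codes the en-us locale (https://privacy.microsoft.com/en-us/windows-10-open-wi-fi-hotspots), while the removed-features topic touched by this same commit links the page without a locale. Drop "/en-us" so the two links match and readers are served their own language. "version 1709 and prior" would also be more consistent as "version 1709 and earlier", the wording used in that topic.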

View File

@ -7,7 +7,7 @@ ms.localizationpriority: high
ms.sitesec: library
author: lizap
ms.author: elizapo
ms.date: 04/27/2018
ms.date: 05/03/2018
---
# Features removed or planned for replacement starting with Windows 10, version 1803
@ -33,7 +33,7 @@ We've removed the following features and functionalities from the installed prod
|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.<br><br>When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.<br><br>Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10: <br>- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10) <br>- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) |
|**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).|
|**Conversations** in the People app when you're offline or if you're using a non-Office 365 mail account|In Windows 10, the People app shows mail from Office 365 contacts and contacts from your school or work organization under **Conversations**. After you update to Windows 10, version 1803, in order to see new mail in the People app from these specific contacts, you need to be online, and you need to have signed in with either an Office 365 account or, for work or school organization accounts, through the [Mail](https://support.microsoft.com/help/17198/windows-10-set-up-email), [People](https://support.microsoft.com/help/14103/windows-people-app-help), or [Calendar](https://support.office.com/article/Mail-and-Calendar-for-Windows-10-FAQ-4ebe0864-260f-4d3a-a607-7b9899a98edc) apps. Please be aware that youll only see mail for work and school organization accounts and some Office 365 accounts.|
|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer. <br><br>However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.
|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer. <br><br>However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.|
## Features were no longer developing
@ -50,3 +50,4 @@ If you have feedback about the proposed replacement of any of these features, yo
|Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.|
|IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.|
|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. Installed Layered Service Providers are not migrated when you upgrade to Windows 10, version 1803; you'll need to re-install them after upgrading.|
|Business Scanning, also called Distributed Scan Management (DSM) **(Added 05/03/2018)**|The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124\(vs.11\)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.|
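Review bot: The new Business Scanning row puts the change marker "**(Added 05/03/2018)**" inside the feature-name cell, where it becomes part of the name and will go stale; ms.date in this file is already being set to 05/03/2018, so consider dropping the marker or moving it into the description cell. The link target escapes its parentheses as dd759124\(vs.11\), so check that the rendered link resolves.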

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: DaniHalfin
ms.author: daniha
ms.date: 12/13/2017
ms.date: 05/17/2018
---
# Overview of Windows Autopilot
@ -21,6 +21,8 @@ ms.date: 12/13/2017
Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows Autopilot to reset, repurpose and recover devices.</br>
This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple.
For a quick overview of the
## Benefits of Windows Autopilot
Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows Autopilot introduces a new approach.
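Review bot: The added line "For a quick overview of the" breaks off mid-sentence with no object or link and would be published as is; finish the sentence with its target or drop the line from this change. The context line above it also ends with "</br>", which is not a valid line-break tag and should be a plain br element.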

View File

@ -51,4 +51,5 @@
#### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md)
#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md)
#### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md)
### [Fine-tune Windows Information Protection (WIP) with WIP Learning](windows-information-protection\wip-learning.md)
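Review bot: The new TOC entry for wip-learning.md is added at heading level ### while the WIP entries directly above it are at ####, which moves it out of that group and up one level in the navigation. Confirm that placement is intended; otherwise use #### to keep it with the other WIP topics.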

View File

@ -256,6 +256,7 @@ Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the
For this example, were going to add an AppLocker XML file to the **Allowed apps** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
**To create a list of Allowed apps using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.

Binary file not shown. After: 215 KiB

Binary file not shown. After: 103 KiB

Binary file not shown. After: 510 KiB

Binary file not shown. After: 406 KiB

Binary file not shown. After: 127 KiB

Binary file not shown. After: 326 KiB

Binary file not shown. After: 256 KiB

Binary file not shown. After: 105 KiB

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
author: coreyp-at-msft
ms.localizationpriority: medium
ms.date: 09/11/2017
---
@ -120,7 +120,7 @@ WIP currently addresses these enterprise scenarios:
- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isnt required.
### WIP-protection modes
### <a href="" id="bkmk-modes"></a>WIP-protection modes
Enterprise data is automatically encrypted after its loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.
Your WIP policy includes a list of trusted apps that are allowed to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list dont have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if its personally owned.

View File

@ -0,0 +1,101 @@
---
title:
# Fine-tune Windows Information Policy (WIP) with WIP Learning
description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company.
ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
ms.pagetype: security
author: coreyp-at-msft
ms.localizationpriority: medium
ms.date: 04/18/2018
---
# Fine-tune Windows Information Protection (WIP) with WIP Learning
**Applies to:**
- Windows 10, version 1703 and later
- Windows 10 Mobile, version 1703 and later
With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports are accessed from Microsoft Azure Intune, and you can alternately access the App learning report from Microsoft Operations Management Suite (OMS).
The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Hide overrides”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly.
In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list.
## Access the WIP Learning reports
1. Open the [Azure portal](http://portal.azure.com/). Choose **All services**. Type **Intune** in the text box filter.
2. Choose **Intune** > **Mobile Apps**.
3. Choose **App protection status**.
4. Choose **Reports**.
![Image showing the UI path to the WIP report](images/access-wip-learning-report.png)
5. Finally, select either **App learning report for Windows Information Protection**, or **Website learning report for Windows Information Protection**.
![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png)
Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. Next, we'll look at how to do that in Operations Management Suite (OMS).
## View the WIP app learning report in Microsoft Operations Management Suite
From Intune, you can open OMS by choosing **WIP in the OMS console**. Then you can view the WIP App learning blade to monitor access events per app, and devices that have reported WIP access events:
![View in Intune of the link to OMS](images/wip-in-oms-console-link.png)
If you don't have OMS linked to your Microsoft Azure Account, and want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information.
>[!NOTE]
>Intune has a 14 day data retention capacity, while OMS offers better querying capabilities and longer data retention.
Once you have WIP policies in place, by using the WIP section of Device Health, you can:
- Reduce disruptive prompts by adding rules to allow data sharing from approved apps.
- Tune WIP rules by confirming that certain apps are allowed or denied by current policy.
![Main Windows Information Protection view](images/oms-wip-app-learning-tile.png)
The **APP LEARNING** tile shows details of app statistics that you can use to evaluate each incident and update app policies by using WIP AppIDs.
![Details view](images/WIPNEW1-chart-selected-sterile.png)
In this chart view, you can see apps that have been used on connected devices which, when clicked on, will open additional details on the app, including details you need to adjust your WIP Policy:
![Details view for a specific app](images/WIPappID-sterile.png)
Here, you can copy the **WipAppid** and use it to adjust your WIP protection policies.
## Use OMS and Intune to adjust WIP protection policy
1. Click the **APP LEARNING** tile in OMS, as described above, to determine which apps are being used for work so you can add those you choose to your WIP policy.
2. Click the app you want to add to your policy and copy the publisher information from the app details screen.
3. Back in Intune, click **App protection policies** and then choose the app policy you want to add an application to.
4. Click **Protected apps**, and then click **Add Apps**.
5. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app).
![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png)
6. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 2 above.
![View of Add Apps app info entry boxes](images/wip-learning-app-info.png)
7. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**).
8. Back in OMS, copy the name of the executable (for example, snippingtool.exe) and then go back to Intune and paste it in **FILE** (required).
9. Go back to OMS one more time and note the version number of the app and type it in **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide overrides**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
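Review bot: In the front matter of this new file, "title:" is left empty and the next line starts with "#", which YAML reads as a comment, so the topic has no title in its metadata; that line also says "Windows Information Policy" where the H1 says "Windows Information Protection". Put the corrected text on the title line, and fill in or remove the empty "ms.mktglfcycl:" key. Smaller points: step 9 of the last procedure ends without a period, the alt text "Image showing the UI with for app and website learning reports" has a stray word, and the Azure portal link uses http:// rather than https://.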

View File

@ -21,7 +21,9 @@ Describes the best practices, location, values, and security considerations for
The **Domain member: Maximum machine account password age** policy setting determines when a domain member submits a password change.
In Active Directorybased domains, each device has an account and password, just like every user. By default, the domain members submit a password change every 30 days. Increasing this interval significantly, or setting it to **0** so that a device no longer submits a password change, gives a malicious user more time to undertake a brute-force password-guessing attack against one of the machine accounts.
In Active Directorybased domains, each device has an account and password. By default, the domain members submit a password change every 30 days. Increasing this interval significantly, or setting it to **0** so that a device no longer submits a password change, gives a malicious user more time to undertake a brute-force password-guessing attack against one of the machine accounts.
For more information, see [Machine Account Password Process](https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/).
### Possible values
@ -30,8 +32,8 @@ In Active Directorybased domains, each device has an account and password, ju
### Best practices
1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days.
2. If the machine's password has expired, it will no longer be able to authenticate with the domain. The easiest way to get authentication working again might require removing the device from the domain and then re-joining it. For this reason, some organizations create a special organizational unit (OU) for computers that are prebuilt and then stored for later use or shipped to remote locations, and change the value to more than 30 days.
It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days.
Setting the value to fewer days can increase replication and impact domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would impact domain controllers in large organizations with many computers or slow links between sites.
### Location
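Review bot: As this hunk reads, the Best practices text keeps the 30-day recommendation but no longer covers computers that are prebuilt and then stored or shipped before use, which the old item 2 handled with a dedicated OU and a value above 30 days. If that guidance is being withdrawn on purpose, say so in the change description; otherwise keep a corrected version of it next to the new replication caveat.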

View File

@ -44,4 +44,4 @@ These settings, located at **Computer Configuration\Administrative Templates\Win
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Professional, 1803|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>|
|Turn on Windows Defender Application Guard in Enterprise Mode|Windows 10 Enterprise, 1709 or higher|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.<br><br>**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|
|Allow files to download to host operating system|Windows 10 Enterprise, 1803|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.<br><br>**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, version 1803<br><br>(experimental only)|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.<br><br>**Important**<br>Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, version 1803<br><br>(experimental only)|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.<br><br><ul>**Important**<br>Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br></ul>**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.<br><br>**Note**<br>This is an experimental feature in Windows 10 Enterprise, version 1803 and will not function without the presence of an additional registry key provided by Microsoft. If you would like to evaluate this feature on deployments of Windows 10 Enterprise, version 1803, please contact Microsoft for further information.|
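Review bot: In the replacement hardware-acceleration row, the added `<ul>` ... `</ul>` pair wraps bare text with no `<li>` inside it, which is invalid list markup and appears to be used only for indentation; the `**Important**` markdown inside the HTML element may also stop rendering as bold. Either drop the `<ul>` wrapper or use `<ul><li>...</li></ul>`. The row also still reads "wont load", so the apostrophe in "won't" is missing.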

View File

@ -13,7 +13,8 @@ ms.date: 11/07/2017
# Frequently asked questions - Windows Defender Application Guard
**Applies to:**
- Windows 10 Enterpise edition, version 1709
- Windows 10 Enterpise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
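Review bot: The edited Applies-to line carries over the misspelling "Enterpise" ("Windows 10 Enterpise edition, version 1709 or higher"). Since the line is being changed anyway, correct it to "Enterprise" in this commit.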
@ -31,7 +32,7 @@ Answering frequently asked questions about Windows Defender Application Guard (A
| | |
|---|----------------------------|
|**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?|
|**A:** |It's not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.|
|**A:** |In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.<br><br>In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.|
<br>
| | |
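Review bot: The new download answer says "This is managed by policy" without naming the policy or its default. The settings table changed elsewhere in this commit calls it "Allow files to download to host operating system" and states that Disabled or not configured blocks downloads to the host; name the setting here and say it is off unless enabled, so readers do not assume 1803 permits downloads out of the box. "Users will be able to" should be present tense.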
@ -55,5 +56,11 @@ Answering frequently asked questions about Windows Defender Application Guard (A
| | |
|---|----------------------------|
|**Q:** |How do I configure WDAG to work with my network proxy (IP-Literal Addresses)?|
|**A:** |WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to WDAG in RS3 (1709) and RS4 (1803).|
|**A:** |WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher.|
<br>
| | |
|---|----------------------------|
|**Q:** |I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?|
|**A:** |This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and well work with you to enable the feature.|
<br>
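Review bot: The proxy answer's scope changes from "RS3 (1709) and RS4 (1803)" to "Windows 10 Enterprise edition, 1709 or higher", which leaves it unclear whether the symbolic-name requirement also applies to Windows 10 Professional edition, version 1803, listed in this page's Applies-to block. State the Professional case explicitly. In the added hardware-acceleration answer, spell out "registry key" instead of "regkey" to match the wording in the settings table, and restore the apostrophe in "well work with you".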

View File

@ -12,11 +12,12 @@ ms.date: 10/19/2017
# Testing scenarios using Windows Defender Application Guard in your business or organization
**Applies to:**
- Windows 10 Enterpise edition, version 1709
We've come up with a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.
**Applies to:**
- Windows 10 Enterpise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
## Application Guard in standalone mode
You can see how an employee would use standalone mode with Application Guard.
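Review bot: The relocated Applies-to block repeats the misspelling "Enterpise" in "Windows 10 Enterpise edition, version 1709 or higher", and the same spelling appears in the other Applies-to blocks this commit adds to the file. Correct all of them to "Enterprise" in one pass.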
@ -97,6 +98,10 @@ Application Guard provides the following default behavior for your employees:
You have the option to change each of these settings to work with your enterprise from within Group Policy.
**Applies to:**
- Windows 10 Enterpise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
**To change the copy and paste options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.
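Review bot: The Applies-to block inserted between "You have the option to change each of these settings..." and "**To change the copy and paste options**" does not say how far it reaches. As placed, a reader cannot tell whether it covers only the copy and paste procedure or every procedure up to the next Applies-to block. Put the edition and version scope in each procedure's lead-in, or add a sentence stating which procedures the block covers.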
@ -152,3 +157,34 @@ You have the option to change each of these settings to work with your enterpris
>[!NOTE]
>If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and arent shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.<br><br>If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br><br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>
**Applies to:**
- Windows 10 Enterpise edition, version 1803
- Windows 10 Professional edition, version 1803
**To change the download options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting.
2. Click **Enabled**.
![Group Policy editor Download options](images/appguard-gp-download.png)
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Download a file from Windows Defender Application Guard.
5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files.
**To change hardware acceleration options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting.
2. Click **Enabled**.
![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png)
3. Contact Microsoft for further information to fully enable this setting.
4. Once you have fully enabled this experimental feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session.
5. Assess the visual experience and battery performance.
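Review bot: The Applies-to block added ahead of "To change the download options" lists Windows 10 Professional edition, version 1803, but the settings table in this commit scopes "Allow files to download to host operating system" and the hardware-acceleration setting to Windows 10 Enterprise, 1803 only, and the FAQ changed in this commit says downloads are not possible on Professional 1803. Remove the Professional line or reconcile the three pages. The setting name in step 1 of the download procedure ("Allow files to download and save to the host operating system from Windows Defender Application Guard") also differs from the name used in the table. Step 3 of the hardware-acceleration procedure ("Contact Microsoft for further information") should be a prerequisite note ahead of the steps, since it is not an action the reader can complete inside the procedure.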