From e6c58a178bc3b7fb26c36713fcd315ceb17b2122 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Mon, 13 Feb 2017 11:02:42 -0800 Subject: [PATCH 01/65] Moved ELAM text from the old-ish security overview topic into this topic --- windows/keep-secure/bitlocker-countermeasures.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/bitlocker-countermeasures.md b/windows/keep-secure/bitlocker-countermeasures.md index 89261d666c..5cf31239ce 100644 --- a/windows/keep-secure/bitlocker-countermeasures.md +++ b/windows/keep-secure/bitlocker-countermeasures.md @@ -115,7 +115,11 @@ Windows 10 uses Trusted Boot on any hardware platform: It requires neither UEFI Because UEFI-based Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps don’t start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work. -The purpose of ELAM is to load an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software. +Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. ELAM checks the integrity of non-Microsoft drivers to determine whether the drivers are trustworthy. Because Windows needs to start as fast as possible, ELAM cannot be a complicated process of checking the driver files against known malware signatures. Instead, ELAM has the simple task of examining every boot driver and determining whether it is on the list of trusted drivers. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits. ELAM also allows the registered antimalware provider to scan drivers that are loaded after the boot process is complete. + +Windows Defender in Windows 10 supports ELAM, as do Microsoft System Center 2012 Endpoint Protection and non-Microsoft antimalware apps. + +To do this, ELAM loads an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software. With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy. ELAM classifies drivers as follows: From b8e0a47f56ca0863ec104aeee600164f6a7212e0 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 14 Feb 2017 13:29:32 -0800 Subject: [PATCH 02/65] Adding master redirection file --- .openpublishing.redirection.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .openpublishing.redirection.json diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json new file mode 100644 index 0000000000..ae1ed7e67c --- /dev/null +++ b/.openpublishing.redirection.json @@ -0,0 +1,14 @@ +{ + "redirections": [ + { + "source_path": "keep-secure/create-edp-policy-using-intune.md", + "redirect_url": "https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-intune", + "redirect_document_id": true + }, + { + "source_path": "keep-secure/create-edp-policy-using-sccm.md", + "redirect_url": "windows/keep-secure/create-wip-policy-using-sccm", + "redirect_document_id": false + } + ] +} \ No newline at end of file From 7b105413b609da49983dafd17fb589ab130f6f19 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 14 Feb 2017 13:31:03 -0800 Subject: [PATCH 03/65] Testing master redirection --- windows/keep-secure/create-edp-policy-using-intune.md | 5 ----- windows/keep-secure/create-edp-policy-using-sccm.md | 5 ----- 2 files changed, 10 deletions(-) delete mode 100644 windows/keep-secure/create-edp-policy-using-intune.md delete mode 100644 windows/keep-secure/create-edp-policy-using-sccm.md diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md deleted file mode 100644 index 77a7c0ee85..0000000000 --- a/windows/keep-secure/create-edp-policy-using-intune.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Create an enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) -description: Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-intune ---- \ No newline at end of file diff --git a/windows/keep-secure/create-edp-policy-using-sccm.md b/windows/keep-secure/create-edp-policy-using-sccm.md deleted file mode 100644 index 354503af96..0000000000 --- a/windows/keep-secure/create-edp-policy-using-sccm.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager (Windows 10) -description: Configuration Manager (version 1606 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-sccm ---- \ No newline at end of file From c9ceae150a54ddcfc15c2d2f7c79a711c7820fc5 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 14 Feb 2017 13:41:06 -0800 Subject: [PATCH 04/65] Testing --- .openpublishing.redirection.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index ae1ed7e67c..93ed1202f5 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,13 +1,13 @@ { "redirections": [ { - "source_path": "keep-secure/create-edp-policy-using-intune.md", + "source_path": "windows/keep-secure/create-edp-policy-using-intune.md", "redirect_url": "https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-intune", "redirect_document_id": true }, { "source_path": "keep-secure/create-edp-policy-using-sccm.md", - "redirect_url": "windows/keep-secure/create-wip-policy-using-sccm", + "redirect_url": "windows/keep-secure/create-wip-policy-using-sccm.md", "redirect_document_id": false } ] From e5eb0561a4c582e5b08cccf77a3a861a21e5142d Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 14 Feb 2017 14:06:39 -0800 Subject: [PATCH 05/65] Fixing --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 93ed1202f5..b6324532ec 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -6,7 +6,7 @@ "redirect_document_id": true }, { - "source_path": "keep-secure/create-edp-policy-using-sccm.md", + "source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", "redirect_url": "windows/keep-secure/create-wip-policy-using-sccm.md", "redirect_document_id": false } From d2f30df976cf88e1cd1b11ba53699ff3c17e83b7 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 14 Feb 2017 14:17:17 -0800 Subject: [PATCH 06/65] Fixing --- .openpublishing.redirection.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index b6324532ec..be0231ba41 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -6,8 +6,8 @@ "redirect_document_id": true }, { - "source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", - "redirect_url": "windows/keep-secure/create-wip-policy-using-sccm.md", + "source_path": "windows/keep-secure/keep-secure/create-edp-policy-using-sccm.md", + "redirect_url": "create-wip-policy-using-sccm.md", "redirect_document_id": false } ] From ad35958279671b846f322ca34096b7ce0fa2901e Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 14 Feb 2017 14:23:11 -0800 Subject: [PATCH 07/65] Fixing --- .openpublishing.redirection.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index be0231ba41..36e2f54fa2 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -6,8 +6,8 @@ "redirect_document_id": true }, { - "source_path": "windows/keep-secure/keep-secure/create-edp-policy-using-sccm.md", - "redirect_url": "create-wip-policy-using-sccm.md", + "source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", + "redirect_url": "keep-secure/create-wip-policy-using-sccm.md", "redirect_document_id": false } ] From b3fac0c9d9bde6f775f1ec3e7308790337a97843 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 14 Feb 2017 14:37:09 -0800 Subject: [PATCH 08/65] fixing --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 36e2f54fa2..b26bea6699 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -8,7 +8,7 @@ { "source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", "redirect_url": "keep-secure/create-wip-policy-using-sccm.md", - "redirect_document_id": false + "redirect_document_id": true } ] } \ No newline at end of file From 430de12a3abb84634930e03ffb1750ed9e140b78 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 14 Feb 2017 14:48:39 -0800 Subject: [PATCH 09/65] Fixing --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index b26bea6699..2b3c38507f 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -7,7 +7,7 @@ }, { "source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", - "redirect_url": "keep-secure/create-wip-policy-using-sccm.md", + "redirect_url": "create-wip-policy-using-sccm.md", "redirect_document_id": true } ] From 99e4383d39094e30b1ac16df702b9dcbfe938501 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 14 Feb 2017 14:56:29 -0800 Subject: [PATCH 10/65] Fixing --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 2b3c38507f..3f0d933c6d 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -7,7 +7,7 @@ }, { "source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", - "redirect_url": "create-wip-policy-using-sccm.md", + "redirect_url": "create-wip-policy-using-sccm", "redirect_document_id": true } ] From a37e4e35c2d4adb37b642d84a3acce2511085485 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 14 Feb 2017 15:03:53 -0800 Subject: [PATCH 11/65] Fixing --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 3f0d933c6d..db6cd12c6f 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -7,7 +7,7 @@ }, { "source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", - "redirect_url": "create-wip-policy-using-sccm", + "redirect_url": "keep-secure/create-wip-policy-using-sccm", "redirect_document_id": true } ] From 6064112d55e0b6afb0f76f327a4f99e8a4ed3f60 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 15 Feb 2017 13:30:34 -0800 Subject: [PATCH 12/65] testing --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index db6cd12c6f..e91cb561f9 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -7,7 +7,7 @@ }, { "source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", - "redirect_url": "keep-secure/create-wip-policy-using-sccm", + "redirect_url": "windows/keep-secure/create-wip-policy-using-sccm", "redirect_document_id": true } ] From 5b9b49e7588359a08bd680852898dd06a71b49b2 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 15 Feb 2017 13:39:52 -0800 Subject: [PATCH 13/65] testing --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index e91cb561f9..3f0d933c6d 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -7,7 +7,7 @@ }, { "source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", - "redirect_url": "windows/keep-secure/create-wip-policy-using-sccm", + "redirect_url": "create-wip-policy-using-sccm", "redirect_document_id": true } ] From ae1764ef71e9c41b8214aee893a9cf063343f940 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 15 Feb 2017 13:45:11 -0800 Subject: [PATCH 14/65] testing --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 3f0d933c6d..c6cec28768 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -7,7 +7,7 @@ }, { "source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", - "redirect_url": "create-wip-policy-using-sccm", + "redirect_url": "itpro/windows/keep-secure/create-wip-policy-using-sccm", "redirect_document_id": true } ] From bf442665961fa83740652349cb77631191dc93ab Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 15 Feb 2017 14:44:37 -0800 Subject: [PATCH 15/65] oobe update --- ...points-sccm-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 8b193b46c6..33563eea6f 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -45,14 +45,14 @@ You can use System Center Configuration Manager’s existing functionality to cr 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. -3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682112.aspx#BKMK_Import) topic. +3. Onboard your devices using SCCM by following the steps in the [Onboard devices to Windows Defender ATP](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/windows-defender-advanced-threat-protection#onboard-devices-for-windows-defender-atp) topic. 4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic. a. Choose a predefined device collection to deploy the package to. > [!NOTE] -> Onboarding couldn't be completed during Out-Of-Box Experience (OOBE). Make sure users pass OOBE after running Windows installation or upgrading. +> Windows Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading. ### Configure sample collection settings From ba17e8e703c15a2ada812bf137f5027f1c02efb0 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 15 Feb 2017 14:54:02 -0800 Subject: [PATCH 16/65] test --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index c6cec28768..e15667274d 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -7,7 +7,7 @@ }, { "source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", - "redirect_url": "itpro/windows/keep-secure/create-wip-policy-using-sccm", + "redirect_url": "itpro/windows/keep-secure/keep-secure/create-wip-policy-using-sccm", "redirect_document_id": true } ] From f126d7a806eeb7a2eb67cb24eea1c733145e3ffd Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 15 Feb 2017 15:04:50 -0800 Subject: [PATCH 17/65] Update .openpublishing.redirection.json --- .openpublishing.redirection.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index e15667274d..f6beb69314 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -7,8 +7,8 @@ }, { "source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", - "redirect_url": "itpro/windows/keep-secure/keep-secure/create-wip-policy-using-sccm", + "redirect_url": "itpro/windows/keep-secure/create-wip-policy-using-sccm", "redirect_document_id": true } ] -} \ No newline at end of file +} From 40d2041ac0543f2c5c523b4ca543e276e0b0983f Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 15 Feb 2017 15:14:59 -0800 Subject: [PATCH 18/65] test --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index f6beb69314..fd38c8646e 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -7,7 +7,7 @@ }, { "source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", - "redirect_url": "itpro/windows/keep-secure/create-wip-policy-using-sccm", + "redirect_url": "/itpro/windows/keep-secure/create-wip-policy-using-sccm", "redirect_document_id": true } ] From 24a97936262f669724dbf70e16774205e5d05bcb Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 15 Feb 2017 18:11:17 -0800 Subject: [PATCH 19/65] waas-DO - restructring Removing samples building story in the intro adding gpo-mdm table adding links everywhere --- windows/manage/waas-delivery-optimization.md | 189 +++++-------------- 1 file changed, 47 insertions(+), 142 deletions(-) diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index b1701d80d9..0090502c90 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md @@ -32,14 +32,45 @@ By default in Windows 10 Enterprise and Education, Delivery Optimization allows You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization. -- Group Policy: Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization -- MDM: .Vendor/MSFT/Policy/Config/DeliveryOptimization +You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**. +In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**. -Several Delivery Optimization features are configurable. +Several Delivery Optimization features are configurable: - +| Group Policy setting | MDM setting | +| --- | --- | +| [Download mode](#download-mode) | DODownloadMode | +| [Group ID](#group-id) | DOGroupID | +| [Max Cache Age](#max-cache-age) | DOMaxCacheAge | +| [Max Cache Size](#max-cache-size) | DOMaxCacheSize | +| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | +| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive | +| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | +| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | +| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | +| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | +| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS | -### Download mode (DODownloadMode) +When configuring Delivery Optimization on Windows 10 devices, the first and most important thing to configure, would be [Download mode](#download-mode). Download mode dictates how Delivery Optimization downloads Windows updates. + +While every other feature setting is optional, they offer enhanced control of the Delivery Optimization behavior. + +[Group ID](#group-id) enables administrators to create custom device groups that will share content between devices in the group. + +Delivery Optimization uses locally cached updates. In cases where devices have limited local storage space, or if you would rather control cache usage, various settings can be used to control that: +- [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use. +- [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache. +- The system drive is the default location for the Delivery Optimization cache. [Modify Cache Drive](#modify-cache-drive) allows administrators to change that location. + +There are additional options available to robustly control the impact Delivery Optimization has on your network: +- [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) controls the download bandwidth used by Delivery Optimization. +- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage. +- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers per month. +- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network. + +Provided below is a detailed description of every configurable feature setting. Use these details when configuring any of the above settings. + +### Download mode Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. @@ -55,176 +86,50 @@ Download mode dictates which download sources clients are allowed to use when do >[!NOTE] >Group mode is a best effort optimization and should not be relied on for an authentication of identity of devices participating in the group. -### Group ID (DOGroupID) +### Group ID By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to peer. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. >[!NOTE] >This configuration is optional and not required for most implementations of Delivery Optimization. -### Max Cache Age (DOMaxCacheAge) +### Max Cache Age In environments configured for Delivery Optimization, you may want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client computer. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations may choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed). -### Max Cache Size (DOMaxCacheSize) +### Max Cache Size This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client computer that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20. -### Absolute Max Cache Size (DOAbsoluteMaxCacheSize) +### Absolute Max Cache Size This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the **DOMaxCacheSize** setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the **DOMaxCacheSize** setting. The default value for this setting is 10 GB. -### Maximum Download Bandwidth (DOMaxDownloadBandwidth) +### Maximum Download Bandwidth This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of 0 means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used. -### Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth) +### Percentage of Maximum Download Bandwidth This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. -### Max Upload Bandwidth (DOMaxUploadBandwidth) +### Max Upload Bandwidth This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate. -### Minimum Background QoS (DOMinBackgroundQoS) +### Minimum Background QoS This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more bytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. -### Modify Cache Drive (DOModifyCacheDrive) +### Modify Cache Drive This setting allows for an alternate Delivery Optimization cache location on the clients. By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable. You can set the value to an environment variable (e.g., %SYSTEMDRIVE%), a drive letter (e.g., D:), or a folder path (e.g., D:\DOCache). -### Monthly Upload Data Cap (DOMonthlyUploadDataCap) +### Monthly Upload Data Cap This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB. - -## Delivery Optimization configuration examples - -Delivery Optimization can be configured in various ways, leveraging the policies described in the previous section. The following samples describe some common scenarios that organizations may want to set up, given specific scenarios in use for their organization. - -### Use Delivery Optimzation with group download mode - -Delivery Optimization by default will consider all PCs in an organizations as peers for sharing content, even those that might be located across a slower WAN link. Group download mode is designed to help with this by limiting the PCs that can be used. In Windows 10, version 1511, group download mode considers PCs in the same domain and with the same configured Group ID to be eligible peers. In Windows 10, version 1607, the default behavior also adds the PC's AD DS site into the grouping determination. - -**To use Group Policy to configure Delivery Optimization for group download mode** - -1. Open Group Policy Management Console (GPMC). - -2. Expand Forest\Domains\\*Your_Domain*. - -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. - -4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Group**. - -5. Right-click the **Delivery Optimization – Group** GPO, and then click **Edit**. - -6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization. - -7. Right-click the **Download Mode** setting, and then click **Edit**. - -8. Enable the policy, and then select the **Group** download mode. - -9. Right-click the **GroupID** setting, and then click **Edit**. Enable the policy, and then specify a unique GUID for each group of PCs. (This is not required for Windows 10, version 1607, since the AD site code will be used to group devices automatically.) - -10. Click **OK**, and then close the Group Policy Management Editor. - -11. In GPMC, select the **Delivery Optimization – Group** policy. - -12. On the **Scope** tab, under **Security Filtering**, configure the policy to be targeted to an approprite computer group. - -**To use Intune to configure Delivery Optimization for group download mode** - -1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials. - -2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. -3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**. - -5. In **Setting name**, type **Set Delivery Optimization to Group**, and then select **Integer** from the **Data type** list. - -6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode**. - -7. In the **Value** box, type **2**, and then click **OK**. - - >[!NOTE] - >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. - -8. Click **Save Policy**. - -9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**. - - >[!NOTE] - >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. - -10. In the **Manage Deployment** dialog box, select the **All Computers** group, click **Add**, and then click **OK**. - -### Use WSUS and BranchCache with Windows 10, version 1511 - -In Windows 10, version 1511, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **HTTP only** download mode, which results in Background Intelligent Transfer Service (BITS) being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available. - -**To use Group Policy to configure HTTP only download mode** - -1. Open Group Policy Management Console (GPMC). - -2. Expand Forest\Domains\\*Your_Domain*. - -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. - -4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – HTTP Only**. - -5. Right-click the **Delivery Optimization – HTTP Only** GPO, and then click **Edit**. - -6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization. - -7. Right-click the **Download Mode** setting, and then click **Edit**. - -8. Enable the policy, and then select the **HTTP only** download mode. - -9. Click **OK**, and then close the Group Policy Management Editor. - -10. In GPMC, select the **Delivery Optimization – HTTP Only** policy. - -11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, browse to the **Domain Computers** group, and then click **OK**. - - ![example of UI](images/waas-do-fig4.png) - - >[!NOTE] - >This example uses the Domain Computers group, but you can deploy this policy setting to any computer group. - -### Use WSUS and BranchCache with Windows 10, version 1607 - -In Windows 10, version 1607, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **Bypass** download mode (new in Windows 10, version 1607), which results in BITS being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available. - -**To use Group Policy to enable the Bypass download mode** - -1. Open Group Policy Management Console (GPMC). - -2. Expand Forest\Domains\\*Your_Domain*. - -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. - -4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Bypass**. - -5. Right-click the **Delivery Optimization – Bypass** GPO, and then click **Edit**. - -6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization. - -7. Right-click the **Download Mode** setting, and then click **Edit**. - -8. Enable the policy, and then select the **Bypass** download mode. (Note that this download mode is only present in the Windows 10, version 1607, Group Policy ADMX files.) - -9. Click **OK**, and then close the Group Policy Management Editor. - -10. In GPMC, select the **Delivery Optimization – Bypass** policy. - -11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, select the **Domain Computers** group, and then click **OK**. - - >[!NOTE] - >This example uses the Domain Computers group, but you can deploy this policy setting to any computer group. - -### Set “preferred” cache devices for Delivery Optimization +## Set “preferred” cache devices for Delivery Optimization In some cases, IT pros may have an interest in identifying specific devices that will be “preferred” as sources to other devices—for example, devices that have hard-wired connections, large drives that you can use as caches, or a high-end hardware profile. These preferred devices will act as a “master” for the update content related to that devices’s configuration (Delivery Optimization only caches content relative to the client downloading the content). From d54bce4b24333d43c2292b725b42e7b20b949e64 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 16 Feb 2017 09:28:28 -0800 Subject: [PATCH 20/65] Creating redirection file --- .openpublishing.redirection.json | 113 ++++++++++++++++++++++++++++++- 1 file changed, 111 insertions(+), 2 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index fd38c8646e..ed29e58d58 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,5 +1,110 @@ { - "redirections": [ + "redirections": [ + { + "source_path": "windows/manage/waas-quick-start.md", + "redirect_url": "/itpro/windows/update/waas-quick-start", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/waas-overview.md", + "redirect_url": "/itpro/windows/update/waas-overview", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/waas-servicing-strategy-windows-10-updates.md", + "redirect_url": "/itpro/windows/update/waas-servicing-strategy-windows-10-updates", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/waas-deployment-rings-windows-10-updates.md", + "redirect_url": "/itpro/windows/update/waas-deployment-rings-windows-10-updates", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/waas-servicing-branches-windows-10-updates.md", + "redirect_url": "/itpro/windows/update/waas-servicing-branches-windows-10-updates", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/update-compliance-monitor.md", + "redirect_url": "/itpro/windows/update/update-compliance-monitor", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/update-compliance-get-started.md", + "redirect_url": "/itpro/windows/update/update-compliance-get-started", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/update-compliance-using.md", + "redirect_url": "/itpro/windows/update/update-compliance-using", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/waas-optimize-windows-10-updates.md", + "redirect_url": "/itpro/windows/update/waas-optimize-windows-10-updates", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/waas-delivery-optimization.md", + "redirect_url": "/itpro/windows/update/waas-delivery-optimization", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/waas-branchcache.md", + "redirect_url": "/itpro/windows/update/waas-branchcache", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/waas-mobile-updates.md", + "redirect_url": "/itpro/windows/update/waas-mobile-updates", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/waas-manage-updates-wufb.md", + "redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/waas-configure-wufb.md", + "redirect_url": "/itpro/windows/update/waas-configure-wufb", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/waas-integrate-wufb.md", + "redirect_url": "/itpro/windows/update/waas-integrate-wufb", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/waas-wufb-group-policy.md", + "redirect_url": "/itpro/windows/update/waas-wufb-group-policy", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/waas-wufb-intune.md", + "redirect_url": "/itpro/windows/update/waas-wufb-intune.md", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/waas-manage-updates-wsus.md", + "redirect_url": "/itpro/windows/update/waas-manage-updates-wsus", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/waas-manage-updates-configuration-manager.md", + "redirect_url": "/itpro/windows/update/waas-manage-updates-configuration-manager", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/waas-restart.md", + "redirect_url": "/itpro/windows/update/waas-restart", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/waas-update-windows-10.md", + "redirect_url": "/itpro/windows/update/index", + "redirect_document_id": true + }, { "source_path": "windows/keep-secure/create-edp-policy-using-intune.md", "redirect_url": "https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-intune", @@ -9,6 +114,10 @@ "source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", "redirect_url": "/itpro/windows/keep-secure/create-wip-policy-using-sccm", "redirect_document_id": true - } + }, + + + + ] } From 38707ead7355a847d5f4e03c02edd1fe07cf086d Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 16 Feb 2017 09:58:49 -0800 Subject: [PATCH 21/65] Redirected files --- .../manage/update-compliance-get-started.md | 130 ------ windows/manage/update-compliance-monitor.md | 59 --- windows/manage/update-compliance-using.md | 354 --------------- windows/manage/waas-branchcache.md | 66 --- windows/manage/waas-configure-wufb.md | 233 ---------- windows/manage/waas-delivery-optimization.md | 259 ----------- ...aas-deployment-rings-windows-10-updates.md | 79 ---- windows/manage/waas-integrate-wufb.md | 111 ----- ...as-manage-updates-configuration-manager.md | 410 ------------------ windows/manage/waas-manage-updates-wsus.md | 353 --------------- windows/manage/waas-manage-updates-wufb.md | 142 ------ windows/manage/waas-mobile-updates.md | 84 ---- .../waas-optimize-windows-10-updates.md | 105 ----- windows/manage/waas-overview.md | 193 --------- windows/manage/waas-quick-start.md | 82 ---- windows/manage/waas-restart.md | 151 ------- ...s-servicing-branches-windows-10-updates.md | 220 ---------- ...s-servicing-strategy-windows-10-updates.md | 70 --- windows/manage/waas-update-windows-10.md | 62 --- windows/manage/waas-wufb-group-policy.md | 352 --------------- windows/manage/waas-wufb-intune.md | 283 ------------ 21 files changed, 3798 deletions(-) delete mode 100644 windows/manage/update-compliance-get-started.md delete mode 100644 windows/manage/update-compliance-monitor.md delete mode 100644 windows/manage/update-compliance-using.md delete mode 100644 windows/manage/waas-branchcache.md delete mode 100644 windows/manage/waas-configure-wufb.md delete mode 100644 windows/manage/waas-delivery-optimization.md delete mode 100644 windows/manage/waas-deployment-rings-windows-10-updates.md delete mode 100644 windows/manage/waas-integrate-wufb.md delete mode 100644 windows/manage/waas-manage-updates-configuration-manager.md delete mode 100644 windows/manage/waas-manage-updates-wsus.md delete mode 100644 windows/manage/waas-manage-updates-wufb.md delete mode 100644 windows/manage/waas-mobile-updates.md delete mode 100644 windows/manage/waas-optimize-windows-10-updates.md delete mode 100644 windows/manage/waas-overview.md delete mode 100644 windows/manage/waas-quick-start.md delete mode 100644 windows/manage/waas-restart.md delete mode 100644 windows/manage/waas-servicing-branches-windows-10-updates.md delete mode 100644 windows/manage/waas-servicing-strategy-windows-10-updates.md delete mode 100644 windows/manage/waas-update-windows-10.md delete mode 100644 windows/manage/waas-wufb-group-policy.md delete mode 100644 windows/manage/waas-wufb-intune.md diff --git a/windows/manage/update-compliance-get-started.md b/windows/manage/update-compliance-get-started.md deleted file mode 100644 index 9d2d540b82..0000000000 --- a/windows/manage/update-compliance-get-started.md +++ /dev/null @@ -1,130 +0,0 @@ ---- -title: Get started with Update Compliance (Windows 10) -description: Explains how to configure Update Compliance. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay ---- - -# Get started with Update Compliance - -This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. - -Steps are provided in sections that follow the recommended setup process: -1. Ensure that [prerequisites](#update-compliance-prerequisites) are met. -2. [Add Update Compliance](#add-update-compliance-to-microsoft-operatiions-management-suite) to Microsoft Operations Management Suite -3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices) to your organization’s devices - -## Update Compliance Prerequisites - -Update Compliance has the following requirements: -1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops). -2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md). -3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for different aspects of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint: - - -
ServiceEndpoint -
Connected User Experience and Telemetry componentv10.vortex-win.data.microsoft.com -
settings-win.data.microsoft.com -
Windows Error Reporting watson.telemetry.microsoft.com -
Online Crash Analysis oca.telemetry.microsoft.com -
- -## Add Update Compliance to Microsoft Operations Management Suite - -Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). - -If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace. - -If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance: - -1. Go to [Operations Management Suite’s page](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. - -

- - - -2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. - -

- - - -3. Create a new OMS workspace. - -

- - - -4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**. - -

- - - -5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace. - -

- - - -6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery. - -

- - - -7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible on your workspace. - -

- - - -8. Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens. - -

- - - -9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below. - -

+ + + + From 3acabd95d597dd22cf46c8fa91a7935e17379ea4 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Fri, 17 Feb 2017 15:20:35 -0800 Subject: [PATCH 56/65] fmt change for consistency --- windows/keep-secure/deploy-code-integrity-policies-steps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/deploy-code-integrity-policies-steps.md b/windows/keep-secure/deploy-code-integrity-policies-steps.md index 82ce96bb82..19608b040d 100644 --- a/windows/keep-secure/deploy-code-integrity-policies-steps.md +++ b/windows/keep-secure/deploy-code-integrity-policies-steps.md @@ -40,7 +40,7 @@ To create a code integrity policy, copy each of the following commands into an e > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. - > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.” + > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.” > - To specify that the code integrity policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned. From 506e7465775b9d21595cbc9925d5926305fff845 Mon Sep 17 00:00:00 2001 From: Jason Gerend Date: Fri, 17 Feb 2017 15:34:46 -0800 Subject: [PATCH 57/65] Added Windows Libraries --- .../manage/change-history-for-manage-and-update-windows-10.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index dcbdb109c3..13a0de7e4f 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -18,6 +18,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | New or changed topic | Description | | --- | --- | +| [Windows Libraries](windows-libraries.md) | New | | [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | New | | [Get started with Update Compliance](update-compliance-get-started.md) | New | | [Use Update Compliance to monitor Windows Updates](update-compliance-using.md) | New | @@ -185,4 +186,4 @@ The topics in this library have been updated for Windows 10, version 1607 (also [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md) -  \ No newline at end of file +  From 39c722ff6c447c5ba008ba7b76293661e41e0502 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 21 Feb 2017 07:53:05 -0800 Subject: [PATCH 58/65] update author fields --- education/windows/change-history-edu.md | 2 +- education/windows/get-minecraft-for-education.md | 2 +- education/windows/school-get-minecraft.md | 2 +- education/windows/set-up-school-pcs-technical.md | 2 +- education/windows/set-up-students-pcs-to-join-domain.md | 2 +- education/windows/set-up-students-pcs-with-apps.md | 2 +- education/windows/set-up-windows-10.md | 2 +- education/windows/take-a-test-app-technical.md | 2 +- education/windows/take-a-test-multiple-pcs.md | 2 +- education/windows/take-a-test-single-pc.md | 2 +- education/windows/take-tests-in-windows-10.md | 2 +- education/windows/teacher-get-minecraft.md | 2 +- education/windows/use-set-up-school-pcs-app.md | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 0bc2dc5bbc..e83f98b49f 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu -author: jdeckerMS +author: CelesteDG --- # Change history for Windows 10 for Education diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 200b8a1ce9..91345b72c1 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -5,7 +5,7 @@ keywords: school ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -author: jdeckerMS +author: trudyha --- # Get Minecraft: Education Edition diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index 8668054826..421bd5533b 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -5,7 +5,7 @@ keywords: ["school"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -author: jdeckerMS +author: trudyha --- # For IT administrators - get Minecraft: Education Edition diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 0eabc87c57..bb0dc144ae 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -author: jdeckerMS +author: CelesteDG --- # Technical reference for the Set up School PCs app diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 90829321ad..1c3d6361e1 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -5,7 +5,7 @@ keywords: ["shared cart", "shared PC", "school"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -author: jdeckerMS +author: CelesteDG --- # Set up student PCs to join domain diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index 04e110de10..55da4e77f5 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md @@ -5,7 +5,7 @@ keywords: ["shared cart", "shared PC", "school"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -author: jdeckerMS +author: CelesteDG --- # Provision student PCs with apps diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md index fe7767a997..16a30c38bc 100644 --- a/education/windows/set-up-windows-10.md +++ b/education/windows/set-up-windows-10.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -author: jdeckerMS +author: CelesteDG --- # Provisioning options for Windows 10 diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index 7e3ed9ca0b..32d45fb353 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -author: jdeckerMS +author: CelesteDG --- # Take a Test app technical reference diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 2eb0b2849a..670d038a5e 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -author: jdeckerMS +author: jCelesteDG --- # Set up Take a Test on multiple PCs diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 5b6d36d46b..7b982a6f0a 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -author: jdeckerMS +author: CelesteDG --- # Set up Take a Test on a single PC diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index 40850cf578..06129d0ee1 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -author: jdeckerMS +author: CelesteDG --- # Take tests in Windows 10 diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 362d143475..211c2913d0 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -5,7 +5,7 @@ keywords: ["school"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -author: jdeckerMS +author: trudyha --- # For teachers - get Minecraft: Education Edition diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index c4ecb5351d..b6303d21a2 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -author: jdeckerMS +author: CelesteDG --- # Use the Set up School PCs app From 5123cada02b7979d96993f7fd04a26ce55b3d3f3 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 21 Feb 2017 08:04:17 -0800 Subject: [PATCH 59/65] fix typo --- education/windows/take-a-test-multiple-pcs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 670d038a5e..1b80672e68 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -author: jCelesteDG +author: CelesteDG --- # Set up Take a Test on multiple PCs From db26978ec7eaebd9519f72d1abd4ad84b8d9e3fa Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Feb 2017 08:36:33 -0800 Subject: [PATCH 60/65] Updating redirection list --- .openpublishing.redirection.json | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 8ab1e55136..384e7696f1 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -155,11 +155,6 @@ "redirect_url": "/itpro/windows/configure/product-ids-in-windows-10-mobile", "redirect_document_id": true }, - { - "source_path": "windows/manage/windows-spotlight.md", - "redirect_url": "/itpro/windows/configure/windows-spotlight", - "redirect_document_id": true - }, { "source_path": "windows/manage/manage-tips-and-suggestions.md", "redirect_url": "/itpro/windows/configure/manage-tips-and-suggestions", @@ -205,11 +200,6 @@ "redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management", "redirect_document_id": true }, - { - "source_path": "windows/manage/cortana-at-work-overview.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-overview", - "redirect_document_id": true - }, { "source_path": "windows/manage/cortana-at-work-testing-scenarios.md", "redirect_url": "/itpro/windows/configure/cortana-at-work-testing-scenarios", @@ -300,11 +290,6 @@ "redirect_url": "/itpro/windows/configure/index", "redirect_document_id": true }, - { - "source_path": "windows/manage/lockdown-features-windows-10.md", - "redirect_url": "/itpro/windows/configure/lockdown-features-windows-10", - "redirect_document_id": true - }, { "source_path": "windows/manage/manage-wifi-sense-in-enterprise.md", "redirect_url": "/itpro/windows/configure/manage-wifi-sense-in-enterprise", From 2c0228895d36b4e23ec0731d7212332ff29768fc Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Feb 2017 08:49:56 -0800 Subject: [PATCH 61/65] Fixing broken links from redirection --- ...rating-system-components-to-microsoft-services.md | 2 +- ...hange-history-for-manage-and-update-windows-10.md | 2 +- ...policies-for-enterprise-and-education-editions.md | 12 ++++++------ windows/manage/mandatory-user-profile.md | 2 +- .../whats-new-windows-10-version-1507-and-1511.md | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 83ba743e69..e0cfbed2c9 100644 --- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1259,7 +1259,7 @@ If you're not running Windows 10, version 1607 or later, you can use the other o - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. -For more info, see [Windows Spotlight on the lock screen](../manage/windows-spotlight.md). +For more info, see [Windows Spotlight on the lock screen](../configure/windows-spotlight.md). ### 24. Windows Store diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index f4de8fbb12..6abe697705 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -33,7 +33,7 @@ The topics in this library have been updated for Windows 10, version 1703 (also | New or changed topic | Description | | --- | --- | -| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | New | +|[Cortana at work topics](../configure/cortana-at-work-overview.md)]|New | | [Start layout XML for desktop editions of Windows 10](start-layout-xml-desktop.md) | New (previously published in Hardware Dev Center on MSDN) | | [Start layout XML for mobile editions of Windows 10](start-layout-xml-mobile.md) | New (previously published in Hardware Dev Center on MSDN) | | [Quick guide to Windows as a service](waas-quick-start.md) | Added video that explains how Windows as a service works. | diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md index 0eb86b635e..d059e9f309 100644 --- a/windows/manage/group-policies-for-enterprise-and-education-editions.md +++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md @@ -18,13 +18,13 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W | Policy name | Policy path | Comments | | --- | --- | --- | -| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. | -| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) | -| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) | -| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) | +| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. | +| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) | +| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) | +| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) | | **Do not require CTRL+ALT+DEL**
combined with
**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon
and
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](set-up-a-device-for-anyone-to-use.md)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro.

**Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.| -| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md | -| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) | +| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md | +| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) | | **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) | | **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). | | **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app

User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](manage-access-to-private-store.md) | diff --git a/windows/manage/mandatory-user-profile.md b/windows/manage/mandatory-user-profile.md index 6664e2d2aa..3ced9aa8fd 100644 --- a/windows/manage/mandatory-user-profile.md +++ b/windows/manage/mandatory-user-profile.md @@ -164,7 +164,7 @@ When a user is configured with a mandatory profile, Windows 10 starts as though - [Manage Windows 10 Start layout and taskbar options](windows-10-start-layout-options-and-policies.md) - [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) -- [Windows Spotlight on the lock screen](windows-spotlight.md) +- [Windows Spotlight on the lock screen](../configure/windows-spotlight.md) - [Configure devices without MDM](configure-devices-without-mdm.md) diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index 6121188e6d..471c58e60b 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -301,7 +301,7 @@ Lockdown settings can also be configured for device look and feel, such as a the A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](../manage/customize-and-export-start-layout.md). -Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](../manage/windows-spotlight.md). +Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](../configure/windows-spotlight.md). ### Windows Store for Business **New in Windows 10, version 1511** From 9694ad134ae0beebb1711b730bc6078446567866 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Feb 2017 08:59:32 -0800 Subject: [PATCH 62/65] Fixing broken links --- .../change-history-for-manage-and-update-windows-10.md | 8 ++++---- ...roup-policies-for-enterprise-and-education-editions.md | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index 6abe697705..30aacc2244 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -60,7 +60,7 @@ The topics in this library have been updated for Windows 10, version 1703 (also | --- | --- | | [Manage device restarts after updates](waas-restart.md) | New | | [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | New | -| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) |Added an important note about Cortana and Office 365 integration. | +| [Cortana integration in your business or enterprise](../configure/cortana-at-work-overview.md) |Added an important note about Cortana and Office 365 integration. | | [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) | Fixed the explanation for Start behavior when the .xml file containing the layout is not available when the user signs in. | | [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. Added Teredo Group Policy. | | [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Added Current Branch for Business (CBB) support for Windows 10 IoT Mobile. | @@ -71,7 +71,7 @@ The topics in this library have been updated for Windows 10, version 1703 (also | New or changed topic | Description | | --- | --- | | [Update Windows 10 in the enterprise](waas-update-windows-10.md), replaces **Windows 10 servicing options** | New | -| [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) | Added Group Policy setting to replace Gesture Filter | +| [Lockdown features from Windows Embedded 8.1 Industry](../configure/lockdown-features-windows-10.md) | Added Group Policy setting to replace Gesture Filter | | [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added content for Windows Server 2016 | | [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated the script for setting a custom shell using Shell Launcher. | @@ -138,7 +138,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also | ---|---| | [Application development for Windows as a service](application-development-for-windows-as-a-service.md) | New | | [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) | New | -| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. | +| [Cortana integration in your business or enterprise](../configure/cortana-at-work-overview.md) | Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. | ## February 2016 @@ -156,7 +156,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also | New or changed topic | Description | | ---|---| -| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | New | +| [Cortana integration in your business or enterprise](../configure/cortana-at-work-overview.md) | New | | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | New | | [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | New | diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md index d059e9f309..74dced9953 100644 --- a/windows/manage/group-policies-for-enterprise-and-education-editions.md +++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md @@ -28,7 +28,7 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W | **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) | | **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). | | **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app

User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](manage-access-to-private-store.md) | -| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](cortana-at-work-overview.md) | +| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](../configure/cortana-at-work-overview.md) | From d047abf9f0381eb1b72d8104dd6f5523b3580327 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Feb 2017 09:26:47 -0800 Subject: [PATCH 63/65] Adding author attribute --- windows/configure/cortana-at-work-crm.md | 1 + windows/configure/cortana-at-work-feedback.md | 1 + windows/configure/cortana-at-work-o365.md | 1 + windows/configure/cortana-at-work-overview.md | 1 + windows/configure/cortana-at-work-policy-settings.md | 1 + windows/configure/cortana-at-work-powerbi.md | 1 + windows/configure/cortana-at-work-scenario-1.md | 1 + windows/configure/cortana-at-work-scenario-2.md | 1 + windows/configure/cortana-at-work-scenario-3.md | 1 + windows/configure/cortana-at-work-scenario-4.md | 1 + windows/configure/cortana-at-work-scenario-5.md | 1 + windows/configure/cortana-at-work-scenario-6.md | 1 + windows/configure/cortana-at-work-testing-scenarios.md | 1 + windows/configure/cortana-at-work-voice-commands.md | 1 + windows/keep-secure/app-behavior-with-wip.md | 1 + windows/keep-secure/create-and-verify-an-efs-dra-certificate.md | 1 + windows/keep-secure/mandatory-settings-for-wip.md | 1 + windows/keep-secure/recommended-network-definitions-for-wip.md | 1 + windows/keep-secure/using-owa-with-wip.md | 1 + windows/keep-secure/wip-app-enterprise-context.md | 1 + 20 files changed, 20 insertions(+) diff --git a/windows/configure/cortana-at-work-crm.md b/windows/configure/cortana-at-work-crm.md index 834bde8a92..914655aab2 100644 --- a/windows/configure/cortana-at-work-crm.md +++ b/windows/configure/cortana-at-work-crm.md @@ -4,6 +4,7 @@ description: How to set up Cortana to help your salespeople get proactive insigh ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- diff --git a/windows/configure/cortana-at-work-feedback.md b/windows/configure/cortana-at-work-feedback.md index ca24c22703..6dac028eb7 100644 --- a/windows/configure/cortana-at-work-feedback.md +++ b/windows/configure/cortana-at-work-feedback.md @@ -4,6 +4,7 @@ description: How to send feedback to Microsoft about Cortana at work. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- diff --git a/windows/configure/cortana-at-work-o365.md b/windows/configure/cortana-at-work-o365.md index d58663dc00..02483c3e25 100644 --- a/windows/configure/cortana-at-work-o365.md +++ b/windows/configure/cortana-at-work-o365.md @@ -4,6 +4,7 @@ description: How to connect Cortana to Office 365 so your employees are notified ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- diff --git a/windows/configure/cortana-at-work-overview.md b/windows/configure/cortana-at-work-overview.md index 96064364c3..2a8d8d14e3 100644 --- a/windows/configure/cortana-at-work-overview.md +++ b/windows/configure/cortana-at-work-overview.md @@ -4,6 +4,7 @@ description: The world’s first personal digital assistant helps users get thin ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- diff --git a/windows/configure/cortana-at-work-policy-settings.md b/windows/configure/cortana-at-work-policy-settings.md index 83f10f7d3e..5a347b3245 100644 --- a/windows/configure/cortana-at-work-policy-settings.md +++ b/windows/configure/cortana-at-work-policy-settings.md @@ -4,6 +4,7 @@ description: The list of Group Policy and mobile device management (MDM) policy ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- diff --git a/windows/configure/cortana-at-work-powerbi.md b/windows/configure/cortana-at-work-powerbi.md index 98b90f572f..5c529b6f70 100644 --- a/windows/configure/cortana-at-work-powerbi.md +++ b/windows/configure/cortana-at-work-powerbi.md @@ -4,6 +4,7 @@ description: How to integrate Cortana with Power BI to help your employees get a ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- diff --git a/windows/configure/cortana-at-work-scenario-1.md b/windows/configure/cortana-at-work-scenario-1.md index 4a9714a455..f8c78aeb5c 100644 --- a/windows/configure/cortana-at-work-scenario-1.md +++ b/windows/configure/cortana-at-work-scenario-1.md @@ -4,6 +4,7 @@ description: A test scenario walking you through signing in and managing the not ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- diff --git a/windows/configure/cortana-at-work-scenario-2.md b/windows/configure/cortana-at-work-scenario-2.md index fb7b00d578..9afdab45ec 100644 --- a/windows/configure/cortana-at-work-scenario-2.md +++ b/windows/configure/cortana-at-work-scenario-2.md @@ -4,6 +4,7 @@ description: A test scenario about how to perform a quick search with Cortana at ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- diff --git a/windows/configure/cortana-at-work-scenario-3.md b/windows/configure/cortana-at-work-scenario-3.md index 89610c7093..2e187eb725 100644 --- a/windows/configure/cortana-at-work-scenario-3.md +++ b/windows/configure/cortana-at-work-scenario-3.md @@ -4,6 +4,7 @@ description: A test scenario about how to set a location-based reminder using Co ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- diff --git a/windows/configure/cortana-at-work-scenario-4.md b/windows/configure/cortana-at-work-scenario-4.md index 56f1f6af66..203093cb15 100644 --- a/windows/configure/cortana-at-work-scenario-4.md +++ b/windows/configure/cortana-at-work-scenario-4.md @@ -4,6 +4,7 @@ description: A test scenario about how to use Cortana at work to find your upcom ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- diff --git a/windows/configure/cortana-at-work-scenario-5.md b/windows/configure/cortana-at-work-scenario-5.md index 8373a4f4c2..820acedc37 100644 --- a/windows/configure/cortana-at-work-scenario-5.md +++ b/windows/configure/cortana-at-work-scenario-5.md @@ -4,6 +4,7 @@ description: A test scenario about how to use Cortana at work to send email to a ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- diff --git a/windows/configure/cortana-at-work-scenario-6.md b/windows/configure/cortana-at-work-scenario-6.md index ac15463824..06a6bf3d51 100644 --- a/windows/configure/cortana-at-work-scenario-6.md +++ b/windows/configure/cortana-at-work-scenario-6.md @@ -4,6 +4,7 @@ description: An optional test scenario about how to use Cortana at work with Win ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- diff --git a/windows/configure/cortana-at-work-testing-scenarios.md b/windows/configure/cortana-at-work-testing-scenarios.md index 41f734e006..f3227225c1 100644 --- a/windows/configure/cortana-at-work-testing-scenarios.md +++ b/windows/configure/cortana-at-work-testing-scenarios.md @@ -4,6 +4,7 @@ description: A list of suggested testing scenarios that you can use to test Cort ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- diff --git a/windows/configure/cortana-at-work-voice-commands.md b/windows/configure/cortana-at-work-voice-commands.md index 766a5914ad..3a346131b5 100644 --- a/windows/configure/cortana-at-work-voice-commands.md +++ b/windows/configure/cortana-at-work-voice-commands.md @@ -4,6 +4,7 @@ description: How to create voice commands that use Cortana to perform voice-enab ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- diff --git a/windows/keep-secure/app-behavior-with-wip.md b/windows/keep-secure/app-behavior-with-wip.md index 1f83aad42f..edf4af5b1b 100644 --- a/windows/keep-secure/app-behavior-with-wip.md +++ b/windows/keep-secure/app-behavior-with-wip.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.pagetype: security ms.sitesec: library +author: eross-msft localizationpriority: high --- diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 4bd92ff06f..079086758f 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +author: eross-msft localizationpriority: high --- diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md index 1c7ea0a9ff..f92c5cee6a 100644 --- a/windows/keep-secure/mandatory-settings-for-wip.md +++ b/windows/keep-secure/mandatory-settings-for-wip.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +author: eross-msft localizationpriority: high --- diff --git a/windows/keep-secure/recommended-network-definitions-for-wip.md b/windows/keep-secure/recommended-network-definitions-for-wip.md index bf9a7ac22a..b7b8ab7a18 100644 --- a/windows/keep-secure/recommended-network-definitions-for-wip.md +++ b/windows/keep-secure/recommended-network-definitions-for-wip.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +author: eross-msft localizationpriority: high --- diff --git a/windows/keep-secure/using-owa-with-wip.md b/windows/keep-secure/using-owa-with-wip.md index f99f10fb6f..9ebb14e657 100644 --- a/windows/keep-secure/using-owa-with-wip.md +++ b/windows/keep-secure/using-owa-with-wip.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +author: eross-msft localizationpriority: high --- diff --git a/windows/keep-secure/wip-app-enterprise-context.md b/windows/keep-secure/wip-app-enterprise-context.md index b4ebd4ced4..98ee046b77 100644 --- a/windows/keep-secure/wip-app-enterprise-context.md +++ b/windows/keep-secure/wip-app-enterprise-context.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +author: eross-msft localizationpriority: high --- From 3dc8ae1d9b199fba9169d1c8f08e1067637eb372 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Feb 2017 10:39:29 -0800 Subject: [PATCH 64/65] Fixing warning --- windows/whats-new/whats-new-windows-10-version-1507-and-1511.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index 471c58e60b..f23a6b2556 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -251,7 +251,6 @@ Windows 10 provides mobile device management (MDM) capabilities for PCs, laptop ### MDM support - MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Windows Store, VPN configuration, and more. MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. From 4108f972393854e44f011e95804b11ba7a130723 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 21 Feb 2017 11:00:14 -0800 Subject: [PATCH 65/65] sync --- devices/hololens/hololens-provisioning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md index c341d5ffb2..c077292864 100644 --- a/devices/hololens/hololens-provisioning.md +++ b/devices/hololens/hololens-provisioning.md @@ -9,7 +9,7 @@ author: jdeckerMS localizationpriority: medium --- -# Configure HoloLens using a provisioning package +# Configure HoloLens using a provisioning package test Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. The Windows Assessment and Deployment Kit (ADK) for Windows 10 includes the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages.
- - - -After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices. - ->You can unsubscribe from the Update Compliance solution if you no longer want to monitor your organization’s devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic. - -## Deploy your Commercial ID to your Windows 10 devices - -In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM). - -- Using Group Policy

- Deploying your Commercial ID using Group Policy can be accomplished by configuring domain Group Policy Objects with the Group Policy Management Editor, or by configuring local Group Policy using the Local Group Policy Editor. - 1. In the console tree, navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** - 2. Double-click **Configure the Commercial ID** - 3. In the **Options** box, under **Commercial Id**, type the Commercial ID GUID, and then click **OK**.

- -- Using Microsoft Mobile Device Management (MDM)

- Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. More information on deployment using MDM can be found [here](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp). - - For information on how to use MDM configuration CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/en-us/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers). - - When using the Intune console, you can use the OMA-URI settings of a [custom policy](https://go.microsoft.com/fwlink/p/?LinkID=616316) to configure the commercial ID. The OMA-URI (case sensitive) path for configuring the commerical ID is:

./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID
- - For example, you can use the following values in **Add or edit OMA-URI Setting**: - - **Setting Name**: Windows Analytics Commercial ID
- **Setting Description**: Configuring commercial id for Windows Analytics solutions
- **Data Type**: String
- **OMA-URI (case sensitive)**: ./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID
- **Value**: \
- - - -## Related topics - -[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) \ No newline at end of file diff --git a/windows/manage/update-compliance-monitor.md b/windows/manage/update-compliance-monitor.md deleted file mode 100644 index 9ee49a1e9d..0000000000 --- a/windows/manage/update-compliance-monitor.md +++ /dev/null @@ -1,59 +0,0 @@ ---- -title: Monitor Windows Updates with Update Compliance (Windows 10) -description: Introduction to Update Compliance. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay ---- - -# Monitor Windows Updates with Update Compliance - -## Introduction - -With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of Microsoft’s new servicing strategy: [Windows as a Service](waas-overview.md). - -Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). - -Update Compliance uses the Windows telemetry that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution. - -Update Compliance provides the following: - -- An overview of your organization’s devices that just works. -- Dedicated drill-downs for devices that might need attention. -- An inventory of devices, including the version of Windows they are running and their update status. -- An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later). -- Powerful built-in [log analytics](https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics?WT.srch=1&WT.mc_id=AID529558_SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=log%20analytics&utm_campaign=Hybrid_Cloud_Management) to create useful custom queries. -- Cloud-connected access utilizing Windows 10 telemetry means no need for new complex, customized infrastructure. - -See the following topics in this guide for detailed information about configuring and use the Update Compliance solution: - -- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment. -- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance. - -An overview of the processes used by the Update Compliance solution is provided below. - -## Update Compliance architecture - -The Update Compliance architecture and data flow is summarized by the following five step process: - -**(1)** User computers send telemetry data to a secure Microsoft data center using the Microsoft Data Management Service.
-**(2)** Telemetry data is analyzed by the Update Compliance Data Service.
-**(3)** Telemetry data is pushed from the Update Compliance Data Service to your OMS workspace.
-**(4)** Telemetry data is available in the Update Compliance solution.
-**(5)** You are able to monitor and troubleshoot Windows updates on your network.
- -These steps are illustrated in following diagram: - -![Update Compliance architecture](images/uc-01.png) - ->This process assumes that Windows telemetry is enabled and devices are assigned your Commercial ID. - - - -  -## Related topics - -[Get started with Update Compliance](update-compliance-get-started.md)
-[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) \ No newline at end of file diff --git a/windows/manage/update-compliance-using.md b/windows/manage/update-compliance-using.md deleted file mode 100644 index 39d8b0e012..0000000000 --- a/windows/manage/update-compliance-using.md +++ /dev/null @@ -1,354 +0,0 @@ ---- -title: Using Update Compliance (Windows 10) -description: Explains how to begin usihg Update Compliance. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay ---- - -# Use Update Compliance to monitor Windows Updates - -This section describes how to use Update Compliance to monitor Windows Updates and troubleshoot update failures on your network. - - -Update Compliance: -- Uses telemetry gathered from user devices to form an all-up view of Windows 10 devices in your organization. -- Enables you to maintain a high-level perspective on the progress and status of updates across all devices. -- Provides a workflow that can be used to quickly identify which devices require attention. -- Enables you to track deployment compliance targets for updates. - ->Information is refreshed daily so that update progress can be monitored. Changes will be displayed about 24 hours after their occurrence, so you always have a recent snapshot of your devices. - -In OMS, the aspects of a solution's dashboard are usually divided into blades. Blades are a slice of information, typically with a summarization tile and an enumeration of the items that makes up that data. All data is presented through queries. Perspectives are also possible, wherein a given query has a unique view designed to display custom data. The terminology of blades, tiles, and perspectives will be used in the sections that follow. - -Update Compliance has the following primary blades: - - -1. [OS Update Overview](#os-update-overview) -2. [Overall Quality Update Status](#overall-quality-update-status) -3. [Latest and Previous Security Update Status](#latest-and-previous-security-update-status) -4. [Overall Feature Update Status](#overall-feature-update-status) -5. [CB, CBB, LTSB Deployment Status](#cb-cbb-ltsb-deployment-status) -6. [List of Queries](#list-of-queries) - - -## OS Update Overview - -The first blade of OMS Update Compliance is the General **OS Update Overview** blade: - -![OS Update Overview](images/uc-11.png) - - -This blade is divided into three sections: -- Device Summary: -- Needs Attention Summary -- Update Status Summary - -The **Device Summary** displays the total number of devices in your organization. These devices have the commercial ID configured, telemetry enabled, and have sent telemetry to Microsoft within the last 28 days. The tile also shows the devices that Need Attention. - - -The **Needs Attention Summary** summarizes devices that require action on your part. There are multiple reasons why a device might need attention, and these reasons are categorized and summarized in the tile. You can view details about devices that are categorized as Needs Attention using a table view. The following **Needs Attention** states are defined: - - -
-
Needs AttentionDefinition -
Out of SupportTotal number of devices that are no longer receiving servicing updates -
Update failedWhen a device has reported a failure at some stage in its update deployment process, it will report that the Update Failed. You can click on this to see the full set of devices with more details about the stage at which a failure was reported, when the device reported a failure, and other data. -
Missing 2+ Security UpdatesTotal number of devices that are missing two or more security updates -
Update Progress StalledTotal number of devices where an update installation has been “in progress” for more than 7 days -
- - -The **Update Status Summary** summarizes your organization's devices per the Windows 10 "Windows as a Service" (WaaS) model. For more information about WaaS, see [Overview of Windows as a service](waas-overview.md). Devices are categorized as: **Current**, **Up-to-date**, and **Not up-to-date**. See the following graphical representation of this model:
- - -![Device states](images/uc-12.png) - - -Update Status Summary definitions: - - - -
Update StatusDefinition -
Current and Up-to-dateA device that is current is on the latest and greatest Microsoft offers. It is on the very newest feature update (ex. The Windows Anniversary Update, RS1), on the very latest quality update for its servicing branch. -
Up-to-dateA device that is up-to-date is on the latest quality update for its servicing option (CB, CBB, LTSB), and the device is running an OS that is supported by Microsoft. -
Not up-to-dateA device does not have the latest quality update for its servicing option. -
- - -## Overall Quality Update Status - -**Overall Quality Update Status** is the second blade in Update Compliance. It has a donut data tile and lists the breakdown of the Up-to-date status of devices pivoted on OS version. See the following example: - - -![OS Quality Update Status](images/uc-13.png) - - -The donut tile offers a summary of all devices in your organization, divided into **Up-to-date** and **Not up-to-date**. Recall that devices that are current are also up-to-date. - - -The list view contains the breakdown of Up-to-date, Not up-to-date, and Update failed, all pivoted on OS version (e.g., 1507, 1511, 1607). Clicking on any of the rows of this list view will display the **OS Quality Update Summary Perspective** for that OS version. - - -## Latest and Previous Security Update Status - -Security updates are extremely important to your organization, so in addition to an overall view of Quality Updates, the deployment status for the latest two security updates are displayed for each supported OS build offered by Microsoft. - - -![Latest security update status](images/uc-14.png) - - -For the latest security update, a doughnut chart is displayed across all OS builds with a count of installed, in progress/deferred, update failed, and unknown status relative to that update. Two table views are provided below the doughnut displaying the same breakdown for each OS build supported by Microsoft. - -See the following definitions: - - - -
TermDefinition -
OS BuildThe OS build + Revision for the OS Version. The build + revision is a one-to-one mapping of the given security update in this context. -
VersionThe OS Version corresponding to the OS build. -
InstalledThe count of devices that have the given security update installed. In the case that the latest security update is not latest quality update (that is, an update has since been released but it did not contain any security fixes), then devices that are on a newer update will also be counted. -

For the previous security update, a device will display as **Installed** until it has at least installed the latest security update. -
In Progress or DeferredThe count of devices that are either currently in the process of installing the given security update, or are deferring the install as per their WUFB policy. -

All devices in this category for Previous Security Update Status are missing 2 or more security updates, and therefore qualify as needing attention. -
Update FailedThe count of devices that were **In Progress** for the given security update, but failed at some point in the process. They will no longer be shown as **In Progress or deferred** in this case, and only be counted as **Update failed**. -
Status UnknownIf a device should be, in some way, progressing toward this security update, but it’s status cannot be inferred, it will count as **Status Unknown**. Devices that are not using Windows Update are the most likely devices to fall into this category. -
- - -## Overall Feature Update Status - -Windows 10 has two main update types: Quality and Feature updates. The third blade in Update Compliance provides the most essential data about your organization’s devices for feature updates. - -Microsoft has developed terms to help specify the state of a given device for how it fits into the Windows as a Service (WaaS) model. There are three update states for a device: -- Current -- Up-to-date -- Not up-to-date - - -See the **Update Status Summary** description under [OS Update Overview](#os-update-overview) in this guide for definitions of these terms. - - -The Overall Feature Update Status blade focuses around whether or not your devices are considered Current. See the following example: - - -![Overall feature update status](images/uc-15.png) - - -Devices are evaluated by OS Version (e.g., 1607) and the count of how many are Current, Not Current, and have Update Failures is displayed. Clicking on any of these counts will allow you to view all those devices, as well as select the **Update Deployment Status** perspective, described below.  - - -## CB, CBB, LTSB Deployment Status - -Following the overview with respect to how current your organization’s devices are, there are three tables that show feature update deployment for all devices. The devices are split up by which branch they are on, as this directly impacts whether they are supported (for example, 1607 may be supported under CBB, but not under CB). This allows you a quick glance at how deployment is progressing across your organization with respect to feature updates. - -See the following example: - - -![CB deployment status](images/uc-16.png) - - -The three tables break down devices by feature update. For each OS version, the following columns provide counts of the possible device states: - - - -
Deployment StatusDescription -
Feature UpdateA concatenation of servicing branch (CB, CBB, LTSB) and OS Version (e.g., 1607) -
InstalledThe number of devices that have reported to be on the given servicing train and feature update. -
In progressThe number of devices that have reported to be at some stage in the installation process for the given feature update. -

Example: Device X running CB 1507 could be installing CB 1607. In this example, X would count as both **Installed** for **CB 1507** and **In Progress** for **CB 1607**. -
Scheduled next 7 daysThe total number of devices that are set to have a deferral period expire within 7 days, and after that deferral period expires are targeted to install the given update. -

Example: Device Y running CB 1507 could be scheduled to install CB 1607 in 5 days. In this example, X would count as both **Installed** for **CB 1507** and **Scheduled next 7 days** for **CB 1607** -
Update FailedThe total number of devices that were **In progress** with the installation for the given feature update, but encountered a failure. -

Example: Device X running CB 1507 could be installing CB 1607. X then encounters an error during installation. In this example, X would count as both **Installed** for **CB 1507** and **Update failed** for **CB 1607**, but not as **In progress** for **CB 1607**. -
Status UnknownFor devices not using Windows Update to get updates, some information on deployment progress cannot be known. It is possible to know the current installed Feature Update for a device, but not which devices are **In Progress**, **Scheduled next 7 days**, or devices with **Update Failed**. -

Devices that Update Compliance knows belongs to your organization, but it does not know update failures or installation progress, will be counted here. -
- - -## Quality Update Perspective - -The Quality Update Deployment Status perspective is a breakdown of the most essential data the user should know about the status of their devices with respect to being Up-to-date. The perspective shows a summary of the organization’s devices for one specific OS version, or build. - -### Quality Update Build Summary - -The build summary blade attempts to summarize the most important data points to the user for the given build. It is divided into two sections. The first section is a summary of devices for that build – the total number of devices, and the amount that need attention. Each row within the table below is a breakdown of why each device requires attention. The rows can be interacted with to be taken to a larger table view that shows detailed information about all the devices that meet the given criteria. See the following example: - - -![Quality update build summary](images/uc-17.png) - -  -### Quality Update Deferral Configurations - -The next blade is the Deferral configuration blade, which shows the WUFB Deferral configurations for all devices that are using WUFB and are reporting to Update Compliance. If no information can be gathered from a device or it is not configured to use WUFB, it will show up as **Not configured (-1)**. See the following example: - - -![Quality Update Deferral Configurations](images/uc-18.png) - -  -### Quality Update Deployment Status - -Under the three top-level blades is the deployment status for the newest quality update for the given build. It provides information on the revision number as well as how many days it has been since that revision has been released. See the following example: - - -![Quality Update Deployment Status](images/uc-19.png) - - -See the following table for a description of last reported states for devices deploying that quality update. - - - -
Deployment StateDescription -
Update CompletedWhen a device has finished the update process and is on the given update, it will display here as **Update completed**. -
In ProgressDevices that are “in progress” installing an update will fall within this category. This category is detailed in the following blade: **Detailed Deployment Status**. -
DeferredIf a device’s WUfB deferral policy dictates that it is not set to receive this update, the device will show as Update deferred. -
CancelledA device will report that the update has been cancelled if the user, at some point, cancelled the update on the device. -
BlockedDevices that are blocked are prevented from proceeding further with the given update. This could be because another update is paused, or some other task on the device must be performed before the update process can proceed. -
- -

- - -### Quality Update Detailed Deployment Status - -This blade provides more detail on the deployment process for the update in the Deployment Status blade. This blade is more of a deployment funnel for devices, enabling you to see at a more granular level how devices are progressing along in their deployment. See the following example: - - -![Quality Update Detailed Deployment Status](images/uc-20.png) - - ->Devices that are not managed using Windows Update (Windows Update for Business or otherwise) will not have detailed deployment information. - - -The following table provides a list of the detailed deployment states a device can report: - - - -
Detailed Deployment StateDescription -
Update deferredThe WUfB policy of the device dictates the update is deferred. -
Pre-Download Tasks PassedThe device has finished all tasks necessary prior to downloading the update. -
Download StartedThe update has begun downloading on the device. -
Download SucceededThe device has successfully downloaded the update. -
Pre-Install Tasks PassedThe device has downloaded the update successfully, and successfully passed all checks prior to beginning installation of the update. -
Install StartedThe device has begun installing the update. -
Reboot RequiredThe device has finished installing the update, and a reboot is required before the update can be completed. -
Reboot PendingThe device is pending a scheduled reboot before the update can be completed. -
Reboot InitiatedThe device has reported to have initiated the reboot process for completing the update. -
Update completedThe device has completed installing, rebooting, and applying the update. -
- - -## Feature Update Perspective - - -Like Quality Updates, the Feature Update Deployment Status perspective is a breakdown of information most essential to an administrator. This information is viewed by clicking on a given build on the Feature Update Status blade and then navigating to the **Update Deployment Status** pane as displayed previously. In Update Compliance, a perspective is assigned to a query; the query used to generate the perspective can be altered to show other information, if desired. - -Every piece of data shown in this view can be clicked; when clicked, it will alter the query to focus only on the data you need. If the perspective is not meaningful after the query is altered, you can use the other data views like the List and Table. - ->After clicking on an OS version from the Feature Update Status blade, the query must fully load the results before you can select the Update Deployment Status perspective. - -### Feature Update Build Summary - - -The Build Summary blade provides a summary for all devices on the given build. It gives a count of all devices, as well as a count of all devices that need attention. Below the counts, you can see why the devices need attention, with a count of devices that fall into each category. See the following example: - -![Feature Update Build Summary](images/uc-21.png) - -### Feature Update Deferral Configuration - - -This blade shows all deferral configurations for the devices on the given build. See the following example: - - -![Feature Update Deferral Configuration](images/uc-22.png) - - -Deferral configurations are WUfB-specific, and are shown as days. Some useful information regarding how deferral configurations are shown: -- The devices are grouped based off what their deferral policy is set at. For feature updates, this can be up to 120 days. -- A deferral of zero days means the device has WUfB configured, but is set to not defer the update. These devices will be under “0” for the Update Deferred field. -- Devices that are not configured to use WUfB deferral policies have a “-1” for their deferral days. In this table, the devices will show up as “Not Configured (-1)”. - -### Feature Update Deployment Status - -As stated earlier in this section, the Feature Updates blade focuses on how Current your devices are. A device is only Current when it is on the latest feature update and quality update Microsoft offers. Thus, the Deployment Status blade displays the deployment status for devices regarding their deployment to the latest feature update. See the following example: - - -![Feature Update Deployment Status](images/uc-23.png) - - -This blade breaks down the main states a device can be in through the deployment of a feature update. The possible states are as follows: - - - -
Deployment StateDescription -
Update completedWhen a device has completely finished the update process and is on the given update, it will show up here as **Update completed**. -
InprogressDevices “in progress” of installing the given update will fall within this category. This category is iterated on with further granularity in the proceeding blade, “Detailed Deployment Status”. -
Update deferredIf a device’s WUfB deferral policy dictates that it is not set to receive this update yet, the device will show as Update deferred. -
CancelledA device will report that the update has been cancelled if the user, at some point, cancelled the update on the device. -
BlockedDevices that are blocked are prevented from proceeding further with the given update. This could be because another update is paused, or some other task on the device must be performed before the update process can proceed. -
- -

- - - - - - -### Feature Update Detailed Deployment Status - -This blade provides more detail on the deployment process for the update in the Deployment Status blade. This blade is more of a deployment funnel for devices, enabling you to see at a more granular level how devices are progressing along in their deployment. See the following example: - - -![Feature Update Detailed Deployment Status](images/uc-24.png) - - -The following table displays all states a device can report: - - - -
Detailed Deployment StateDescription -
Update deferredThe WUfB policy of the device dictates the update is deferred. -
Pre-Download Tasks PassedThe device has finished all tasks necessary prior to downloading the update. -
Download StartedThe update has begun downloading on the device. -
Download SucceededThe device has successfully downloaded the update. -
Pre-Install Tasks PassedThe device has downloaded the update successfully, and successfully passed all checks prior to beginning installation of the update. -
Install StartedThe device has begun installing the update. -
Reboot RequiredThe device has finished installing the update, and a reboot is required before the update can be completed. -
Reboot PendingThe device is pending a scheduled reboot before the update can be completed. -
Reboot InitiatedThe device has reported to have initiated the reboot process for completing the update. -
Update completedThe device has completed installing, rebooting, and applying the update. -
- - - -## List of Queries - -Operations Management Suite leverages its powerful Log Analytics querying to perform all data calculations. For this blade, we provide examples of queries that show useful data to the user about their organization’s devices. See the following example: - - -![List of Queries](images/uc-25.png) - - -The following **Common queries** are available: - - - -
Query TitleDescription -
OS Security Update StatusThis query provides an all-up view with respect to how many devices are on the latest security update for their OS version. The table will detail an aggregated count of the number of devices, out of the total (so count, or percent) are on the latest security update for their OS build. -
Update Deployment FailuresThis query provides a chart view, displaying an aggregation of all devices that have reported a deployment failure for either feature or quality updates. The aggregation of the data is on the given update for which a given device has reported a deployment failure. -
Devices pending reboot to complete updateThis query will provide a table showing all devices that are at the stage of "Reboot Pending" In the update deployment process.

This query will show devices which are in this state for both feature and quality updates; the data will be organized on precisely which update the given device(s) are pending a reboot to install. -
Servicing Option Distribution for the devicesThis query provides a chart view that aggregates all devices seen by the solution on for each servicing option available for Windows 10 devices (CB, CBB, LTSB) -OS Distribution for the devices This query provides a chart view displaying the distribution of the different editions of Windows 10 that devices seen by the solution are running (e.g., Enterprise, Professional, Education, etc.) -
Deferral configurations for Feature UpdateThis query provides a chart view which displays a breakdown of the different Feature Update deferral configurations through WUfB that the devices seen by the solution are using.

The configuration is in days. 0 days means the device has WUfB deferrals configured, but is not set to defer feature updates. -1 means the device has no feature update deferral policies configured. -
Pause configurations for Feature UpdateThe WUfB policy -
Update deferredThis query provides a chart view displaying the breakdown of devices that are either paused, or not paused for feature updates.

“Not configured” means the device is not paused. “Paused” means it is currently paused. -
Deferral configurations for Quality UpdateThis query provides a chart view which displays a breakdown of the different Quality Update deferral configurations through WUfB that the devices seen by the solution are using.

The configuration is in days. 0 days means the device has WUfB deferrals configured, but is not set to defer quality updates. -1 means the device has no quality update deferral policies configured. -
Pause configurations for Quality UpdateThis query provides to a chart view displaying the breakdown of devices that are either paused, or not paused for quality updates.

**Not configured** means the device is not paused. **Paused** means it is currently paused. -
- -## Related topics - -[Get started with Update Compliance](update-compliance-get-started.md) \ No newline at end of file diff --git a/windows/manage/waas-branchcache.md b/windows/manage/waas-branchcache.md deleted file mode 100644 index 6e44cbaaa1..0000000000 --- a/windows/manage/waas-branchcache.md +++ /dev/null @@ -1,66 +0,0 @@ ---- -title: Configure BranchCache for Windows 10 updates (Windows 10) -description: Use BranchCache to optimize network bandwidth during update deployment. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Configure BranchCache for Windows 10 updates - - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it’s easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. - -- Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. - - >[!TIP] - >Distributed Cache mode is preferred to Hosted Cache mode for Windows 10 updates to get the most benefit from peer-to-peer distribution. - -- In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf. - -For detailed information about how Distributed Cache mode and Hosted Cache mode work, see [BranchCache Overview](https://technet.microsoft.com/library/dd637832(v=ws.10).aspx). - -## Configure clients for BranchCache - -Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](https://technet.microsoft.com/library/dd637820%28v=ws.10%29.aspx) in the [BranchCache Early Adopter’s Guide](https://technet.microsoft.com/library/dd637762(v=ws.10).aspx). - -In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows 10, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode. - -## Configure servers for BranchCache - -You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and System Center Configuration Manager. - -For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](https://technet.microsoft.com/library/jj572990) or [BranchCache Deployment Guide (Windows Server 2016)](https://technet.microsoft.com/windows-server-docs/networking/branchcache/deploy/branchcache-deployment-guide). - -In addition to these steps, there is one requirement for WSUS to be able to use BranchCache in either operating mode: the WSUS server must be configured to download updates locally on the server to a shared folder. This way, you can select BranchCache publication for the share. For Configuration Manager, you can enable BranchCache on distribution points; no other server-side configuration is necessary for Distributed Cache mode. - ->[!NOTE] ->Configuration Manager only supports Distributed Cache mode. - - -## Related topics - -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Manage Windows 10 updates using Configuration Manager](waas-manage-updates-configuration-manager.md) -- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/manage/waas-configure-wufb.md b/windows/manage/waas-configure-wufb.md deleted file mode 100644 index fcb36d20f6..0000000000 --- a/windows/manage/waas-configure-wufb.md +++ /dev/null @@ -1,233 +0,0 @@ ---- -title: Configure Windows Update for Business (Windows 10) -description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Configure Windows Update for Business - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for both Windows 10, version 1511, and Windows 10, version 1607. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx). - ->[!IMPORTANT] ->For Windows Update for Business policies to be honored, the Telemetry level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system telemetry level](https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization#configure-the-operating-system-telemetry-level). - -Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md). - -## Start by grouping devices - -By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be as a quality control measure as updates are deployed in Windows 10. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. For more information, see [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md). - ->[!TIP] ->In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/). - - -## Configure devices for Current Branch (CB) or Current Branch for Business (CBB) - -With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](https://technet.microsoft.com/en-us/itpro/windows/manage/introduction-to-windows-10-servicing). - -**Release branch policies** - -| Policy | Sets registry key under **HKLM\Software** | -| --- | --- | -| GPO for version 1607:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | -| GPO for version 1511:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade | -| MDM for version 1607:
../Vendor/MSFT/Policy/Config/Update/
**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel | -| MDM for version 1511:
../Vendor/MSFT/Policy/Config/Update/
**RequireDeferredUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | - - -## Configure when devices receive Feature Updates - -After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of 180 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. - ->[!IMPORTANT] ->This policy does not apply to Windows 10 Mobile Enterprise. - -**Examples** - -| Settings | Scenario and behavior | -| --- | --- | -| Device is on CB
DeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Device will not receive update until February, 30 days later. | -| Device is on CBB
DeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Four months later, in April, Feature Update X is released to CBB. Device will receive the Feature Update 30 days following this CBB release and will update in May. | - -

-**Defer Feature Updates policies** - -| Policy | Sets registry key under **HKLM\Software** | -| --- | --- | -| GPO for version 1607:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | -| GPO for version 1511:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod | -| MDM for version 1607:
../Vendor/MSFT/Policy/Config/Update/
**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays | -| MDM for version 1511:
../Vendor/MSFT/Policy/Config/Update/
**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | - - -## Pause Feature Updates - -You can also pause a device from receiving Feature Updates by a period of up to 60 days from when the value is set. After 60 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again. - ->[!IMPORTANT] ->This policy does not apply to Windows 10 Mobile Enterprise. - -**Pause Feature Updates policies** - -| Policy | Sets registry key under **HKLM\Software** | -| --- | --- | -| GPO for version 1607:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates | -| GPO for version 1511:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | -| MDM for version 1607:
../Vendor/MSFT/Policy/Config/Update/
**PauseFeatureUpdates** | \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates | -| MDM for version 1511:
../Vendor/MSFT/Policy/Config/Update/
**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | - - -You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. - -The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 60 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. - -| Value | Status| -| --- | --- | -| 0 | Feature Updates not paused | -| 1 | Feature Updates paused | -| 2 | Feature Updates have auto-resumed after being paused | - - -## Configure when devices receive Quality Updates - -Quality Updates are typically published the first Tuesday of every month, though can be released at any time by Microsoft. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. - -You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When this is done, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates. - ->[!IMPORTANT] ->This policy defers both Feature and Quality Updates on Windows 10 Mobile Enterprise. - -**Defer Quality Updates policies** - -| Policy | Sets registry key under **HKLM\Software** | -| --- | --- | -| GPO for version 1607:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates
\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays | -| GPO for version 1511:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod | -| MDM for version 1607:
../Vendor/MSFT/Policy/Config/Update/
**DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays | -| MDM for version 1511:
../Vendor/MSFT/Policy/Config/Update/
**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate | - - -## Pause Quality Updates - -You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the system will scan Windows Updates for applicable Quality Updates. Following this scan, Quality Updates for the device can then be paused again. - ->[!IMPORTANT] ->This policy pauses both Feature and Quality Updates on Windows 10 Mobile Enterprise. - -**Pause Quality Updates policies** - -| Policy | Sets registry key under **HKLM\Software** | -| --- | --- | -| GPO for version 1607:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |\Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates | -| GPO for version 1511:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | -| MDM for version 1607:
../Vendor/MSFT/Policy/Config/Update/
**PauseQualityUpdates** | \Microsoft\PolicyManager\default\Update\PauseQualityUpdates | -| MDM for version 1511:
../Vendor/MSFT/Policy/Config/Update/
**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | - - -You can check the date that Quality Updates were paused at by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. - -The local group policy editor (GPEdit.msc) will not reflect if your Quality Update Pause period has expired. Although the device will resume Quality Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Quality Updates, you can check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. - -| Value | Status| -| --- | --- | -| 0 | Quality Updates not paused | -| 1 | Quality Updates paused | -| 2 | Quality Updates have auto-resumed after being paused | - -## Exclude drivers from Quality Updates - -In Windows 10, version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete. - -**Exclude driver policies** - -| Policy | Sets registry key under **HKLM\Software** | -| --- | --- | -| GPO for version 1607:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate | -| MDM for version 1607:
../Vendor/MSFT/Policy/Config/Update/
**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate | - - - -## Summary: MDM and Group Policy for version 1607 - -Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607. - -**GPO: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** - -| GPO Key | Key type | Value | -| --- | --- | --- | -| BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)
32: systems take Feature Updates for the Current Branch for Business (CBB)
Note: Other value or absent: receive all applicable updates (CB) | -| DeferQualityUpdates | REG_DWORD | 1: defer quality updates
Other value or absent: don’t defer quality updates | -| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days | -| PauseQualityUpdates | REG_DWORD | 1: pause quality updates
Other value or absent: don’t pause quality updates | -|DeferFeatureUpdates | REG_DWORD | 1: defer feature updates
Other value or absent: don’t defer feature updates | -| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days | -| PauseFeatureUpdates | REG_DWORD |1: pause feature updates
Other value or absent: don’t pause feature updates | -| ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
Other value or absent: offer Windows Update drivers | - - -**MDM: HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager\default\Update** - -| MDM Key | Key type | Value | -| --- | --- | --- | -| BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)
32: systems take Feature Updates for the Current Branch for Business (CBB)
Note: Other value or absent: receive all applicable updates (CB) | -| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days | -| PauseQualityUpdates | REG_DWORD | 1: pause quality updates
Other value or absent: don’t pause quality updates | -| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days | -| PauseFeatureUpdates | REG_DWORD | 1: pause feature updates
Other value or absent: don’t pause feature updates | -| ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
Other value or absent: offer Windows Update drivers | - -## Update devices from Windows 10, version 1511 to version 1607 - -Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. However,Windows Update for Business clients running version 1511 will still see their policies honored after they update to version 1607; the old policy keys will continue to exist with their values ported forward during the update. Following the update to version 1607, it should be noted that only the version 1511 keys will be populated and not the new version 1607 keys, until the newer keys are explicitly defined on the device by the administrator. - -### How version 1511 policies are respected on version 1607 - -When a client running version 1607 sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for version 1607. If these are not present, it will then check to see if any of the version 1511 keys are set and defer accordingly. Update keys for version 1607 will always supersede the version 1511 equivalent. - -### Comparing the version 1511 keys to the version 1607 keys - -In the Windows Update for Business policies in version 1511, all the deferral rules were grouped under a single policy where pausing affected both upgrades and updates. In Windows 10, version 1607, this functionality has been broken out into separate polices: deferral of Feature and Quality Updates can be enabled and paused independently of one other. - - - -
Group Policy keys
Version 1511 GPO keysVersion 1607 GPO keys
**DeferUpgrade**: *enable/disable*
    -Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).

**DeferUpgradePeriod**: *0 - 8 months*

**DeferUpdatePeriod**: *1 – 4 weeks*

**Pause**: *enable/disable*
   Enabling will pause both upgrades and updates for a max of 35 days
**DeferFeatureUpdates**: *enable/disable*

**BranchReadinessLevel**
   Set device on CB or CBB

**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

**PauseFeatureUpdates**: *enable/disable*
   Enabling will pause Feature updates for a max of 60 days

**DeferQualityUpdates**: *Enable/disable*

**DeferQualityUpdatesPeriodinDays**: *0 - 30 days*

**PauseQualityUpdates**: *enable/disable*
   Enabling will pause Quality updates for a max of 35 days

**ExcludeWUDrivers**: *enable/disable*
- - - -
MDM keys
Version 1511 MDM keysVersion 1607 MDM keys
**RequireDeferUpgade**: *bool*
   Puts the device on CBB (no ability to defer updates while on the CB branch).

**DeferUpgradePeriod**: *0 - 8 months*

**DeferUpdatePeriod**: *1 – 4 weeks*

**PauseDeferrals**: *bool*
   Enabling will pause both upgrades and updates for a max of 35 days
**BranchReadinessLevel**
   Set system on CB or CBB

**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

**PauseFeatureUpdates**: *enable/disable*
   Enabling will pause Feature updates for a max of 60 days

**DeferQualityUpdatesPeriodinDays**: *0 - 30 days*

**PauseQualityUpdates**: *enable/disable*
    Enabling will pause Quality updates for a max of 35 days

**ExcludeWUDriversInQualityUpdate**: *enable/disable<*/td>
- - - - - -## Related topics - -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) -- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md deleted file mode 100644 index b1701d80d9..0000000000 --- a/windows/manage/waas-delivery-optimization.md +++ /dev/null @@ -1,259 +0,0 @@ ---- -title: Configure Delivery Optimization for Windows 10 updates (Windows 10) -description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10 -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Configure Delivery Optimization for Windows 10 updates - - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -Delivery Optimization is a self-organizing distributed cache solution for businesses looking to reduce bandwidth consumption for operating system updates, operating system upgrades, and applications by allowing clients to download those elements from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), and Windows Update for Business. This functionality is similar to BranchCache in other systems, such as System Center Configuration Manager. - -Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This mean that in order to utilize the peer-to-peer functionality of Delivery Optimization, machines need to have access to the internet. - -For more details, see [Download mode](#download-mode). - ->[!NOTE] ->WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. - -By default in Windows 10 Enterprise and Education, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. - -## Delivery Optimization options - -You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization. - -- Group Policy: Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization -- MDM: .Vendor/MSFT/Policy/Config/DeliveryOptimization - -Several Delivery Optimization features are configurable. - - - -### Download mode (DODownloadMode) - -Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. - -| Download mode option | Functionality when set | -| --- | --- | -| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. | -| LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. | -| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use the GroupID option to create your own custom group independently of domains and AD DS sites. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | -| Internet (3) | Enable Internet peer sources for Delivery Optimization. | -| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | -|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. For example, select this mode so that clients can use BranchCache. | - ->[!NOTE] ->Group mode is a best effort optimization and should not be relied on for an authentication of identity of devices participating in the group. - -### Group ID (DOGroupID) - -By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to peer. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. - ->[!NOTE] ->This configuration is optional and not required for most implementations of Delivery Optimization. - -### Max Cache Age (DOMaxCacheAge) - -In environments configured for Delivery Optimization, you may want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client computer. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations may choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed). - -### Max Cache Size (DOMaxCacheSize) - -This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client computer that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20. - -### Absolute Max Cache Size (DOAbsoluteMaxCacheSize) - -This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the **DOMaxCacheSize** setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the **DOMaxCacheSize** setting. The default value for this setting is 10 GB. - -### Maximum Download Bandwidth (DOMaxDownloadBandwidth) - -This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of 0 means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used. - -### Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth) - -This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. - -### Max Upload Bandwidth (DOMaxUploadBandwidth) - -This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate. - -### Minimum Background QoS (DOMinBackgroundQoS) - -This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more bytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. - -### Modify Cache Drive (DOModifyCacheDrive) - -This setting allows for an alternate Delivery Optimization cache location on the clients. By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable. You can set the value to an environment variable (e.g., %SYSTEMDRIVE%), a drive letter (e.g., D:), or a folder path (e.g., D:\DOCache). - -### Monthly Upload Data Cap (DOMonthlyUploadDataCap) - -This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB. - -## Delivery Optimization configuration examples - -Delivery Optimization can be configured in various ways, leveraging the policies described in the previous section. The following samples describe some common scenarios that organizations may want to set up, given specific scenarios in use for their organization. - -### Use Delivery Optimzation with group download mode - -Delivery Optimization by default will consider all PCs in an organizations as peers for sharing content, even those that might be located across a slower WAN link. Group download mode is designed to help with this by limiting the PCs that can be used. In Windows 10, version 1511, group download mode considers PCs in the same domain and with the same configured Group ID to be eligible peers. In Windows 10, version 1607, the default behavior also adds the PC's AD DS site into the grouping determination. - -**To use Group Policy to configure Delivery Optimization for group download mode** - -1. Open Group Policy Management Console (GPMC). - -2. Expand Forest\Domains\\*Your_Domain*. - -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. - -4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Group**. - -5. Right-click the **Delivery Optimization – Group** GPO, and then click **Edit**. - -6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization. - -7. Right-click the **Download Mode** setting, and then click **Edit**. - -8. Enable the policy, and then select the **Group** download mode. - -9. Right-click the **GroupID** setting, and then click **Edit**. Enable the policy, and then specify a unique GUID for each group of PCs. (This is not required for Windows 10, version 1607, since the AD site code will be used to group devices automatically.) - -10. Click **OK**, and then close the Group Policy Management Editor. - -11. In GPMC, select the **Delivery Optimization – Group** policy. - -12. On the **Scope** tab, under **Security Filtering**, configure the policy to be targeted to an approprite computer group. - -**To use Intune to configure Delivery Optimization for group download mode** - -1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials. - -2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. - -3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**. - -5. In **Setting name**, type **Set Delivery Optimization to Group**, and then select **Integer** from the **Data type** list. - -6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode**. - -7. In the **Value** box, type **2**, and then click **OK**. - - >[!NOTE] - >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. - -8. Click **Save Policy**. - -9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**. - - >[!NOTE] - >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. - -10. In the **Manage Deployment** dialog box, select the **All Computers** group, click **Add**, and then click **OK**. - -### Use WSUS and BranchCache with Windows 10, version 1511 - -In Windows 10, version 1511, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **HTTP only** download mode, which results in Background Intelligent Transfer Service (BITS) being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available. - -**To use Group Policy to configure HTTP only download mode** - -1. Open Group Policy Management Console (GPMC). - -2. Expand Forest\Domains\\*Your_Domain*. - -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. - -4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – HTTP Only**. - -5. Right-click the **Delivery Optimization – HTTP Only** GPO, and then click **Edit**. - -6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization. - -7. Right-click the **Download Mode** setting, and then click **Edit**. - -8. Enable the policy, and then select the **HTTP only** download mode. - -9. Click **OK**, and then close the Group Policy Management Editor. - -10. In GPMC, select the **Delivery Optimization – HTTP Only** policy. - -11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, browse to the **Domain Computers** group, and then click **OK**. - - ![example of UI](images/waas-do-fig4.png) - - >[!NOTE] - >This example uses the Domain Computers group, but you can deploy this policy setting to any computer group. - -### Use WSUS and BranchCache with Windows 10, version 1607 - -In Windows 10, version 1607, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **Bypass** download mode (new in Windows 10, version 1607), which results in BITS being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available. - -**To use Group Policy to enable the Bypass download mode** - -1. Open Group Policy Management Console (GPMC). - -2. Expand Forest\Domains\\*Your_Domain*. - -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. - -4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Bypass**. - -5. Right-click the **Delivery Optimization – Bypass** GPO, and then click **Edit**. - -6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization. - -7. Right-click the **Download Mode** setting, and then click **Edit**. - -8. Enable the policy, and then select the **Bypass** download mode. (Note that this download mode is only present in the Windows 10, version 1607, Group Policy ADMX files.) - -9. Click **OK**, and then close the Group Policy Management Editor. - -10. In GPMC, select the **Delivery Optimization – Bypass** policy. - -11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, select the **Domain Computers** group, and then click **OK**. - - >[!NOTE] - >This example uses the Domain Computers group, but you can deploy this policy setting to any computer group. - -### Set “preferred” cache devices for Delivery Optimization - -In some cases, IT pros may have an interest in identifying specific devices that will be “preferred” as sources to other devices—for example, devices that have hard-wired connections, large drives that you can use as caches, or a high-end hardware profile. These preferred devices will act as a “master” for the update content related to that devices’s configuration (Delivery Optimization only caches content relative to the client downloading the content). - -To specify which devices are preferred, you can set the **Max Cache Age** configuration with a value of **Unlimited** (0). As a result, these devices will be used more often as sources for other devices downloading the same files. - -On devices that are not preferred, you can choose to set the following policy to prioritize data coming from local peers instead of the Internet: - -- Set **DOMinBackgroundQoS** with a low value, for example `65536` which is the equivalent of 64 KB/s. - -## Learn more - -[Windows 10, Delivery Optimization, and WSUS](https://blogs.technet.microsoft.com/mniehaus/2016/08/16/windows-10-delivery-optimization-and-wsus-take-2/) - - -## Related topics - -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) -- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/manage/waas-deployment-rings-windows-10-updates.md b/windows/manage/waas-deployment-rings-windows-10-updates.md deleted file mode 100644 index 1277f71080..0000000000 --- a/windows/manage/waas-deployment-rings-windows-10-updates.md +++ /dev/null @@ -1,79 +0,0 @@ ---- -title: Build deployment rings for Windows 10 updates (Windows 10) -description: Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Build deployment rings for Windows 10 updates - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -For Windows as a service, maintenance is ongoing and iterative. Deploying previous versions of Windows required organizations to build sets of users to roll out the changes in phases. Typically, these users ranged (in order) from the most adaptable and least risky to the least adaptable or riskiest. With Windows 10, a similar methodology exists, but construction of the groups is a little different. - -Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows 10, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. As previously mentioned, consider including a portion of each department’s employees in several deployment rings. - -Defining deployment rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the sequencing is still correct. Also, there are times in which client computers could move between different deployment rings when necessary. - -Table 1 provides an example of the deployment rings you might use. - -**Table 1** - -| Deployment ring | Servicing branch | Total weeks after Current Branch (CB) or Current Branch for Business (CBB) release | -| --- | --- | --- | -| Preview | Windows Insider | Pre-CB | -| Ring 1 Pilot IT | CB | CB + 0 weeks | -| Ring 2 Pilot business users | CB | CB + 4 weeks | -| Ring 3 Broad IT | CB | CB + 6 weeks | -| Ring 4 Broad business users | CBB | CBB + 0 weeks | -| Ring 5 Broad business users #2 | CBB | CBB + 2 weeks as required by capacity or other constraints | - ->[!NOTE] ->In this example, there are no rings made up of the long-term servicing branch (LTSB). The LTSB servicing branch does not receive feature updates. -> ->Windows Insider is in the deployment ring list for informational purposes only. Windows Insider PCs must be enrolled manually on each device and serviced based on the Windows Insider level chosen in the **Settings** app on that particular PC. Feature update servicing for Windows Insiderdevices is done completely through Windows Update; no servicing tools can manage Windows Insider feature updates. - - -As Table 1 shows, each combination of servicing branch and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing branch to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing branch they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense. - -![illustration of rings](images/waas-rings.png) - - - -## Steps to manage updates for Windows 10 - - - - - - - - -
![done](images/checklistdone.png)[Learn about updates and servicing branches](waas-overview.md)
![done](images/checklistdone.png)[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
![done](images/checklistdone.png)Build deployment rings for Windows 10 updates -(this topic)
![to do](images/checklistbox.gif)[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
![to do](images/checklistbox.gif)[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
![to do](images/checklistbox.gif)[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
-or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-
- - -## Related topics - -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage device restarts after updates](waas-restart.md) - diff --git a/windows/manage/waas-integrate-wufb.md b/windows/manage/waas-integrate-wufb.md deleted file mode 100644 index 26e1d2bb42..0000000000 --- a/windows/manage/waas-integrate-wufb.md +++ /dev/null @@ -1,111 +0,0 @@ ---- -title: Integrate Windows Update for Business with management solutions (Windows 10) -description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Integrate Windows Update for Business with management solutions - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager. - -## Integrate Windows Update for Business with Windows Server Update Services - - -For Windows 10, version 1607, devices can now be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup: - -- Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy -- All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows will not follow your Windows Update for Business deferral policies - -### Configuration example \#1: Deferring Windows Update updates with other update content hosted on WSUS - -**Configuration:** - -- Device is configured to defer Windows Quality Updates using Windows Update for Business -- Device is also configured to be managed by WSUS -- Device is not configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled) -- Admin has opted to put updates to Office and other products on WSUS -- Admin has also put 3rd party drivers on WSUS - - - - - -
ContentMetadata sourcePayload sourceDeferred?
Updates to WindowsWindows UpdateWindows UpdateYes![diagram of content flow](images/wufb-config1a.png)
Updates to Office and other productsWSUSWSUSNo
Third-party driversWSUSWSUSNo
- -### Configuration example \#2: Excluding drivers from Windows Quality Updates using Windows Update for Business - -**Configuration:** - -- Device is configured to defer Windows Quality Updates and to exclude drivers from Windows Update Quality Updates (**ExcludeWUDriversInQualityUpdate** = enabled) -- Device is also configured to be managed by WSUS -- Admin has opted to put Windows Update drivers on WSUS - - - - - - - -
ContentMetadata sourcePayload sourceDeferred?
Updates to Windows (excluding drivers)Windows UpdateWindows UpdateYes![diagram of content flow](images/wufb-config2.png)
Updates to Office and other productsWSUSWSUSNo
DriversWSUSWSUSNo
- -### Configuration example \#3: Device configured to receive Microsoft updates - -**Configuration:** - -- Device is configured to defer Quality Updates using Windows Update for Business and to be managed by WSUS -- Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled) -- Admin has also placed Microsoft Update, third-paprty, and locally-published update content on the WSUS server - -In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS were not enabled. -- In a non-WSUS case, these updates would be deferred just as any update to Windows would be. -- However, with WSUS also configured, these updates are sourced from Microsoft but deferral policies are not applied. - - - - - - -
ContentMetadata sourcePayload sourceDeferred?
Updates to Windows (excluding drivers)Microsoft UpdateMicrosoft UpdateYes![diagram of content flow](images/wufb-config3a.png)
Updates to Office and other productsMicrosoft UpdateMicrosoft UpdateNo
Drivers, third-party applicationsWSUSWSUSNo
- ->[!NOTE] -> Because the admin enabled **Update/AllowMUUpdateService**, placing the content on WSUS was not needed for the particular device, as the device will always receive Microsoft Update content from Microsoft when configured in this manner. - -## Integrate Windows Update for Business with System Center Configuration Manager - -For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**. - -![Example of unknown devices](images/wufb-sccm.png) - - - -## Related topics - -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) -- [Manage device restarts after updates](waas-restart.md) - diff --git a/windows/manage/waas-manage-updates-configuration-manager.md b/windows/manage/waas-manage-updates-configuration-manager.md deleted file mode 100644 index 10a6565a03..0000000000 --- a/windows/manage/waas-manage-updates-configuration-manager.md +++ /dev/null @@ -1,410 +0,0 @@ ---- -title: Manage Windows 10 updates using System Center Configuration Manager (Windows 10) -description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Manage Windows 10 updates using System Center Configuration Manager - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers. - -You can use Configuration Manager to service Windows 10 devices in two ways. The first option is to use Windows 10 Servicing Plans to deploy Windows 10 feature updates automatically based on specific criteria, similar to an Automatic Deployment Rule for software updates. The second option is to use a task sequence to deploy feature updates, along with anything else in the installation. - ->[!NOTE] ->This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager). - -## Windows 10 servicing dashboard - -The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using System Center Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx). - -For the Windows 10 servicing dashboard to display information, you must adhere to the following requirements: - -- **Heartbeat discovery**. Enable heartbeat discovery for the site receiving Windows 10 servicing information. Configuration for heartbeat discovery can be found in Administration\Overview\Hierarchy Configuration\Discovery Methods. -- **Windows Server Update Service (WSUS)**. System Center Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed. -- **Service connection point**. Add the Service connection point site system role in Online, persistent connection mode. -- **Upgrade classification**. Select **Upgrade** from the list of synchronized software update classifications. - - **To configure Upgrade classification** - - 1. Go to Administration\Overview\Site Configuration\Sites, and then select your site from the list. - - 2. On the Ribbon, in the **Settings** section, click **Configure Site Components**, and then click **Software Update Point**. - - ![Example of UI](images/waas-sccm-fig1.png) - - 3. In the **Software Update Point Component Properties** dialog box, on the **Classifications** tab, click **Upgrades**. - -When you have met all these requirements and deployed a servicing plan to a collection, you’ll receive information on the Windows 10 servicing dashboard. - -## Enable CBB clients in Windows 10, version 1511 - -When you use System Center Configuration Manager to manage Windows 10 servicing, you must first set the **Defer Updates or Upgrades** policy on the clients that should be on the Current Branch for Business (CBB) servicing branch so that you can use CBB servicing plans from Configuration Manager. You can do this either manually or through Group Policy. If you don’t set this policy, Configuration Manager discovers all clients, as it would in Current Branch (CB) mode. - -**To use Group Policy to configure a client for the CBB servicing branch** - ->[!NOTE] ->In this example, a specific organizational unit (OU) called **Windows 10 – Current Branch for Business Machines** contains the Windows 10 devices that should be configured for CBB. You can also use a security group to filter the computers to which the policy should be applied. - -1. On a PC running the Remote Server Administration Tools or on a domain controller, open Group Policy Management Console (GPMC). - -2. Expand Forest\Domains\\*Your_Domain*. - -4. Right-click the **Windows 10 – Current Branch for Business Machines** OU, and then click **Create a GPO in this domain, and Link it here**. - - ![Example of UI](images/waas-sccm-fig2.png) - -5. In the **New GPO** dialog box, type **Enable Current Branch for Business** for the name of the new GPO. - - >[!NOTE] - >In this example, you’re linking the GPO to a specific OU. This is not a requirement. You can link the Windows Update for Business GPOs to any OU or the top-level domain, whichever is appropriate for your Active Directory Domain Services (AD DS) structure. - -6. Right-click the **Enable Current Branch for Business** GPO, and then click **Edit**. - -7. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update. - -8. Right-click the **Defer Upgrades and Updates** setting, and then click **Edit**. - - ![Example of UI](images/waas-sccm-fig3.png) - -9. Enable the policy, and then click **OK**. - - >[!NOTE] - >The additional options in this setting are only for Windows Update for Business, so be sure not to configure them when using System Center Configuration Manager for Windows 10 servicing. - -10. Close the Group Policy Management Editor. - -This policy will now be deployed to every device in the **Windows 10 – Current Branch for Business Machines** OU. - - -## Enable CBB clients in Windows 10, version 1607 - -When you use Configuration Manager to manage Windows 10 servicing, you must first set the **Select when Feature Updates** are received policy on the clients that should be on the CBB servicing branch so that you can use CBB servicing plans from Configuration Manager. You can do this either manually or through Group Policy. If you don’t set this policy, Configuration Manager discovers all clients, as it would in CB mode. - ->[!NOTE] ->System Center Configuration Manager version 1606 is required to manage devices running Windows 10, version 1607. - -**To use Group Policy to configure a client for the CBB servicing branch** - ->[!NOTE] ->In this example, a specific organizational unit (OU) called **Windows 10 – Current Branch for Business Machines** contains the Windows 10 devices that should be configured for CBB. You can also use a security group to filter the computers to which the policy should be applied. - -1. On a PC running the Remote Server Administration Tools or on a domain controller, open GPMC. - -2. Expand Forest\Domains\\*Your_Domain*. - -3. Right-click the **Windows 10 – Current Branch for Business Machines** OU, and then click **Create a GPO in this domain, and Link it here**. - - ![Example of UI](images/waas-sccm-fig2.png) - -5. In the **New GPO** dialog box, type **Enable Current Branch for Business** for the name of the new GPO. - - >[!NOTE] - >In this example, you’re linking the GPO to a specific OU. This is not a requirement. You can link the Windows Update for Business GPOs to any OU or the top-level domain, whichever is appropriate for your Active Directory Domain Services (AD DS) structure. - -6. Right-click the **Enable Current Branch for Business** GPO, and then click **Edit**. - -7. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Defer Windows Updates. - -8. Right-click the **Select when Feature Updates are received** setting, and then click **Edit**. - -9. Enable the policy, select the **CBB** branch readiness level, and then click **OK**. - -10. Close the Group Policy Management Editor. - -This policy will now be deployed to every device in the **Windows 10 – Current Branch for Business Machines** OU. - -## Create collections for deployment rings - -Regardless of the method by which you deploy Windows 10 feature updates to your environment, you must start the Windows 10 servicing process by creating collections of computers that represent your deployment rings. In this example, you create two collections: **Windows 10 – All Current Branch for Business** and **Ring 4 Broad business users**. You’ll use the **Windows 10 – All Current Branch for Business** collection for reporting and deployments that should go to all CBB clients. You’ll use the **Ring 4 Broad business users** collection as a deployment ring for the first CBB users. - ->[!NOTE] ->The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples. - -**To create collections for deployment rings** - -1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections. - -2. On the Ribbon, in the **Create** group, click **Create Device Collection**. - -3. In the Create Device Collection Wizard, in the **name** box, type **Windows 10 – All Current Branch for Business**. - -4. Click **Browse** to select the limiting collection, and then click **All Systems**. - -5. In **Membership rules**, click **Add Rule**, and then click **Query Rule**. - -6. Name the rule **CBB Detection**, and then click **Edit Query Statement**. - -7. On the **Criteria** tab, click the **New** icon. - - ![Example of UI](images/waas-sccm-fig4.png) - -8. In the **Criterion Properties** dialog box, leave the type as **Simple Value**, and then click **Select**. - -9. In the **Select Attribute** dialog box, from the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **OSBranch**, and then click **OK**. - - ![Example of UI](images/waas-sccm-fig5.png) - - >[!NOTE] - >Configuration Manager discovers clients’ servicing branch and stores that value in the **OSBranch** attribute, which you will use to create collections based on servicing branch. The values in this attribute can be **0 (Current Branch)**, **1 (Current Branch for Business)**, or **2 (Long-Term Servicing Branch)**. - -10. Leave **Operator** set to **is equal to**; in the **Value** box, type **1**. Click **OK**. - - ![Example of UI](images/waas-sccm-fig6.png) - -11. Now that the **OSBranch** attribute is correct, verify the operating system version. - -12. On the **Criteria** tab, click the **New** icon again to add criteria. - -13. In the **Criterion Properties** dialog box, click **Select**. - -14. From the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **Operating System Name and Version**, and then click **OK**. - - ![Example of UI](images/waas-sccm-fig7.png) - -15. In the **Value** box, type **Microsoft Windows NT Workstation 10.0**, and then click **OK**. - - ![Example of UI](images/waas-sccm-fig8.png) - -16. In the **Query Statement Properties** dialog box, you see two values. Click **OK**, and then click **OK** again to continue to the Create Device Collection Wizard. - -17. Click **Summary**, and then click **Next**. - -18. Close the wizard. - ->[!IMPORTANT] ->Windows Insider PCs are discovered the same way as CB or CBB devices. If you have Windows Insider PCs that you use Configuration Manager to manage, then you should create a collection of those PCs and exclude them from this collection. You can create the membership for the Windows Insider collection either manually or by using a query where the operating system build doesn’t equal any of the current CB or CBB build numbers. You would have to update each periodically to include new devices or new operating system builds. - -After you have updated the membership, this new collection will contain all managed clients on the CBB servicing branch. You will use this collection as a limiting collection for future CBB-based collections and the **Ring 4 Broad broad business users** collection. Complete the following steps to create the **Ring 4 Broad business users** device collection, which you’ll use as a CBB deployment ring for servicing plans or task sequences. - -1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections. - -2. On the Ribbon, in the **Create** group, click **Create Device Collection**. - -3. In the Create Device Collection Wizard, in the **name** box, type **Ring 4 Broad business users**. - -4. Click **Browse** to select the limiting collection, and then click **Windows 10 – All Current Branch for Business**. - -5. In **Membership rules**, click **Add Rule**, and then click **Direct Rule**. - -6. In the **Create Direct Membership Rule Wizard** dialog box, click **Next**. - -7. In the **Value** field, type all or part of the name of a device to add, and then click **Next**. - -8. Select the computer that will be part of the **Ring 4 Broad business users** deployment ring, and then click **Next**. - -9. Click **Next**, and then click **Close**. - -10. In the **Create Device Collection Wizard** dialog box, click **Summary**. - -11. Click **Next**, and then click **Close**. - - -## Use Windows 10 servicing plans to deploy Windows 10 feature updates - -There are two ways to deploy Windows 10 feature updates with System Center Configuration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates. - -**To configure Windows feature updates for CBB clients in the Ring 4 Broad business users deployment ring using a servicing plan** - -1. In the Configuration Manager console, go to Software Library\Overview\Windows 10 Servicing, and then click **Servicing Plans**. - -2. On the Ribbon, in the **Create** group, click **Create Servicing Plan**. - -3. Name the plan **Ring 4 Broad business users Servicing Plan**, and then click **Next**. - -4. On the **Servicing Plan page**, click **Browse**. Select the **Ring 4 Broad business users** collection, which you created in the [Create collections for deployment rings](#create-collections-for-deployment-rings) section, click **OK**, and then click **Next**. - - >[!IMPORTANT] - >Microsoft added a new protection feature to Configuration Manager that prevents accidental installation of high-risk deployments such as operating system upgrades on site systems. If you select a collection (All Systems in this example) that has a site system in it, you may receive the following message. - > - >![This is a high-risk deployment](images/waas-sccm-fig9.png) - > - >For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for System Center Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx). - -5. On the **Deployment Ring** page, select the **Business Ready (Current Branch for Business)** readiness state, leave the delay at **0 days**, and then click **Next**. - - Doing so deploys CBB feature updates to the broad business users deployment ring immediately after they are released to CBB. - - On the Upgrades page, you specify filters for the feature updates to which this servicing plan is applicable. For example, if you wanted this plan to be only for Windows 10 Enterprise, you could select **Title**, and then type **Enterprise**. - -6. For this example, on the **Upgrades** page, click **Next** to leave the criterion blank. - -7. On the **Deployment Schedule** page, click **Next** to keep the default values of making the content available immediately and requiring installation by the 7-day deadline. - -8. On the **User Experience** page, from the **Deadline behavior** list, select **Software Installation and System restart (if necessary)**. From the **Device restart behavior** list, select **Workstations**, and then click **Next**. - - Doing so allows installation and restarts after the 7-day deadline on workstations only. - -9. On the **Deployment Package** page, select **Create a new deployment package**. In **Name**, type **CBB Upgrades**, select a share for your package source location, and then click **Next**. - - In this example, \\contoso-cm01\Sources\Windows 10 Feature Upgrades is a share on the Configuration Manager server that contains all the Windows 10 feature updates. - - ![Example of UI](images/waas-sccm-fig10.png) - -10. On the **Distribution Points** page, from the **Add** list, select **Distribution Point**. - - ![Example of UI](images/waas-sccm-fig11.png) - - Select the distribution points that serve the clients to which you’re deploying this servicing plan, and then click **OK**. - -11. Click **Summary**, click **Next** to complete the servicing plan, and then click **Close**. - - -You have now created a servicing plan for the **Ring 4 Broad business users** deployment ring. By default, this rule is evaluated each time the software update point is synchronized, but you can modify this schedule by viewing the service plan’s properties on the **Evaluation Schedule** tab. - -![Example of UI](images/waas-sccm-fig12.png) - - -## Use a task sequence to deploy Windows 10 updates - -There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example: - -- **LTSB feature updates**. With the LTSB servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. -- **Additional required tasks**. When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you must use task sequences to orchestrate the additional steps. Servicing plans do not have the ability to add steps to their deployments. - -Each time Microsoft releases a new Windows 10 build, it releases a new .iso file containing the latest build, as well. Regardless of the scenario that requires a task sequence to deploy the Windows 10 upgrade, the base process is the same. Start by creating an Operating System Upgrade Package in the Configuration Manager console: - -1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages. - -2. On the Ribbon, in the **Create** group, click **Add Operating System Upgrade Package**. - -3. On the **Data Source** page, type the path of the extracted .iso file of the new version of Windows 10 you’re deploying, and then click **Next**. - - In this example, the Windows 10 Enterprise 1607 installation media is deployed to \\contoso-cm01\Sources\Operating Systems\Windows 10 Enterprise\Windows 10 Enterprise - Version 1607. - - >[!NOTE] - >System Center Configuration Manager version 1606 is required to manage machines running Windows 10, version 1607. - -4. On the **General** page, in the **Name** field, type the name of the folder (**Windows 10 Enterprise - Version 1607** in this example). Set the **Version** to **1607**, and then click **Next**. - -5. On the **Summary** page, click **Next** to create the package. - -6. On the **Completion** page, click **Close**. - -Now that the operating system upgrade package has been created, the content in that package must be distributed to the correct distribution points so that the clients can access the content. Complete the following steps to distribute the package content to distribution points: - -1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages, and then select the **Windows 10 Enterprise – Version 1607** software upgrade package. - -2. On the Ribbon, in the **Deployment group**, click **Distribute Content**. - -3. In the Distribute Content Wizard, on the **General** page, click **Next**. - -4. On the **Content Destination** page, click **Add**, and then click **Distribution Point**. - -5. In the **Add Distribution Points** dialog box, select the distribution point that will serve the clients receiving this package, and then click **OK**. - -6. On the **Content Destination** page, click **Next**. - -7. On the **Summary** page, click **Next** to distribute the content to the selected distribution point. - -8. On the **Completion** page, click **Close**. - -Now that the upgrade package has been created and its contents distributed, create the task sequence that will use it. Complete the following steps to create the task sequence, using the previously created deployment package: - -1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences. - -2. On the Ribbon, in the **Create** group, click **Create Task Sequence**. - -3. In the Create Task Sequence Wizard, on the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**. - -4. On the **Task Sequence Information** page, in **Task sequence name**, type **Upgrade Windows 10 Enterprise – Version 1607**, and then click **Next**. - -5. On the **Upgrade the Windows Operating system** page, click **Browse**, select the deployment package you created in the previous steps, and then click **OK**. - -6. Click **Next**. - -7. On the **Include Updates** page, select **Available for installation – All software updates**, and then click **Next**. - -8. On the **Install Applications** page, click **Next**. - -9. On the **Summary** page, click **Next** to create the task sequence. - -10. On the **Completion** page, click **Close**. - -With the task sequence created, you’re ready to deploy it. If you’re using this method to deploy most of your Windows 10 feature updates, you may want to create deployment rings to stage the deployment of this task sequence, with delays appropriate for the respective deployment ring. In this example, you deploy the task sequence to the **Ring 4 Broad business users collection**. - ->[!IMPORTANT] ->This process deploys a Windows 10 operating system feature update to the affected devices. If you’re testing, be sure to select the collection to which you deploy this task sequence carefully. - -**To deploy your task sequence** - -1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences, and then select the **Upgrade Windows 10 Enterprise – Version 1607** task sequence. - -2. On the Ribbon, in the **Deployment** group, click **Deploy**. - -3. In the Deploy Software Wizard, on the **General** page, click **Browse**. Select the target collection, click **OK**, and then click **Next**. - -4. On the **Deployment Settings** page, for **purpose**, select **Required**, and then click **Next**. - -5. On the **Scheduling** page, select the **Schedule when this deployment will become available** check box (it sets the current time by default). For **Assignment schedule**, click **New**. - -6. In the **Assignment Schedule** dialog box, click **Schedule**. - -7. In the **Custom Schedule** dialog box, select the desired deadline, and then click **OK**. - -8. In the **Assignment Schedule** dialog box, click **OK**, and then click **Next**. - -9. On the **User Experience** page, in the **When the scheduled assignment time is reached, allow the following activities to be performed outside of the maintenance window** section, select **Software Installation** and **System restart** (if required to complete the installation), and then click **Next**. - -10. Use the defaults for the remaining settings. - -11. Click **Summary**, and then click **Next** to deploy the task sequence. - -12. Click **Close**. - - - - -
- -## Steps to manage updates for Windows 10 - - - - - - - - -
![done](images/checklistdone.png)[Learn about updates and servicing branches](waas-overview.md)
![done](images/checklistdone.png)[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
![done](images/checklistdone.png)[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
![done](images/checklistdone.png)[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
![done](images/checklistdone.png)[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
![done](images/checklistdone.png)[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
-or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-or Manage Windows 10 updates using System Center Configuration Manager (this topic)
-
- -## See also - -[Manage Windows as a service using System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/manage-windows-as-a-service) - - - - - -## Related topics - -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/manage/waas-manage-updates-wsus.md b/windows/manage/waas-manage-updates-wsus.md deleted file mode 100644 index 6fee51df69..0000000000 --- a/windows/manage/waas-manage-updates-wsus.md +++ /dev/null @@ -1,353 +0,0 @@ ---- -title: Manage Windows 10 updates using Windows Server Update Services (Windows 10) -description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Manage Windows 10 updates using Windows Server Update Services (WSUS) - - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides. - -When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10. - - - -## Requirements for Windows 10 servicing with WSUS - -To be able to use WSUS to manage and deploy Windows 10 feature updates, you must have WSUS 4.0, which is available in the Windows Server 2012 R2 and Windows Server 2012 operating systems. In addition to WSUS 4.0, you must install the [KB3095113](https://support.microsoft.com/kb/3095113) and [KB3159706](https://support.microsoft.com/kb/3159706) patches on the WSUS server. - -## WSUS scalability - -To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Choose a Type of WSUS Deployment](https://technet.microsoft.com/library/cc720448%28v=ws.10%29.aspx). - - -## Express Installation Files - -With Windows 10, quality updates will be larger than traditional Windows Updates because they’re cumulative. To manage the bandwidth clients downloading large updates like these will need, WSUS has a feature called *Express Installation Files*. - - At a binary level, files associated with updates may not change a lot. In fact, with cumulative quality updates, most of the content will be from previous updates. Rather than downloading the entire update when only a small percentage of the payload is actually different, Express Installation Files analyze the differences between the new files associated with an update and the existing files on the client. This approach significantly reduces the amount of bandwidth used because only a fraction of the update content is actually delivered. - - **To configure WSUS to download Express Update Files** - -1. Open the WSUS Administration Console. - -2. In the navigation pane, go to *Your_Server*\\**Options**. - -3. In the **Options** section, click **Update Files and Languages**. - - ![Example of UI](images/waas-wsus-fig1.png) - -4. In the **Update Files and Languages** dialog box, select **Download express installation files**. - - ![Example of UI](images/waas-wsus-fig2.png) - - >[!NOTE] - >Because Windows 10 updates are cumulative, enabling Express Installation Files when WSUS is configured to download Windows 10 updates will significantly increase the amount of disk space that WSUS requires. Alternatively, when using Express Installation Files for previous versions of Windows, the feature’s positive effects aren’t noticeable because the updates aren’t cumulative. - -## Configure automatic updates and update service location - -When using WSUS to manage updates on Windows client devices, start by configuring the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings for your environment. Doing so forces the affected clients to contact the WSUS server so that it can manage them. The following process describes how to specify these settings and deploy them to all devices in the domain. - -**To configure the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings for your environment** - -1. Open GPMC. - -2. Expand Forest\Domains\\*Your_Domain*. - -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. - - ![Example of UI](images/waas-wsus-fig3.png) - - >[!NOTE] - >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU. - -4. In the **New GPO** dialog box, name the new GPO **WSUS – Auto Updates and Intranet Update Service Location**. - -5. Right-click the **WSUS – Auto Updates and Intranet Update Service Location** GPO, and then click **Edit**. - -6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update. - -7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**. - - ![Example of UI](images/waas-wsus-fig4.png) - -8. In the **Configure Automatic Updates** dialog box, select **Enable**. - -9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**. - - ![Example of UI](images/waas-wsus-fig5.png) - - >[!NOTE] - ?There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx). - -9. Right-click the **Specify intranet Microsoft update service location** setting, and then click **Edit**. - -9. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**. - -12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type **http://Your_WSUS_Server_FQDN:PortNumber**, and then click **OK**. - - >[!NOTE] - >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance. - - ![Example of UI](images/waas-wsus-fig6.png) - - >[!NOTE] - >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. If you’re unsure which port WSUS is using for client communication, right-click the WSUS Administration site in IIS Manager, and then click **Edit Bindings**. - -As Windows clients refresh their computer policies (the default Group Policy refresh setting is 90 minutes and when a computer restarts), computers start to appear in WSUS. Now that clients are communicating with the WSUS server, create the computer groups that align with your deployment rings. - -## Create computer groups in the WSUS Administration Console - ->[!NOTE] ->The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples. - -You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console. - -**To create computer groups in the WSUS Administration Console** - -1. Open the WSUS Administration Console. - -2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**. - - ![Example of UI](images/waas-wsus-fig7.png) - -3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**. - -4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When you’re finished, there should be three deployment ring groups. - -Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through [Group Policy](#wsus-gp) or manually by using the [WSUS Administration Console](#wsus-admin). - - -## Use the WSUS Administration Console to populate deployment rings - -Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called *server-side targeting*. - -In this example, you add computers to computer groups in two different ways: by manually assigning unassigned computers and by searching for multiple computers. - -### Manually assign unassigned computers to groups - -When new computers communicate with WSUS, they appear in the **Unassigned Computers** group. From there, you can use the following procedure to add computers to their correct groups. For these examples, you use two Windows 10 PCs (WIN10-PC1 and WIN10-PC2) to add to the computer groups. - -**To assign computers manually** - -1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers\Unassigned Computers. - - Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you will likely have many computers here. - -2. Select both computers, right-click the selection, and then click **Change Membership**. - - ![Example of UI](images/waas-wsus-fig8.png) - -3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**. - - Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you will see both computers there. - -### Search for multiple computers to add to groups - -Another way to add multiple computers to a deployment ring in the WSUS Administration Console is to use the search feature. - -**To search for multiple computers** - -1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then click **Search**. - -2. In the search box, type **WIN10**. - -3. In the search results, select the computers, right-click the selection, and then click **Change Membership**. - - ![Example of UI](images/waas-wsus-fig9.png) - -4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**. - -You can now see these computers in the **Ring 3 Broad IT** computer group. - - - -## Use Group Policy to populate deployment rings - -The WSUS Administration Console provides a friendly interface from which you can manage Windows 10 quality and feature updates. When you need to add many computers to their correct WSUS deployment ring, however, it can be time-consuming to do so manually in the WSUS Administration Console. For these cases, consider using Group Policy to target the correct computers, automatically adding them to the correct WSUS deployment ring based on an Active Directory security group. This process is called *client-side targeting*. Before enabling client-side targeting in Group Policy, you must configure WSUS to accept Group Policy computer assignment. - -**To configure WSUS to allow client-side targeting from Group Policy** - -1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**. - - ![Example of UI](images/waas-wsus-fig10.png) - -2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**. - - >[!NOTE] - >This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back. - -Now that WSUS is ready for client-side targeting, complete the following steps to use Group Policy to configure client-side targeting: - -**To configure client-side targeting** - ->[!TIP] ->When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don’t add computers to the incorrect rings. - -1. Open GPMC. - -2. Expand Forest\Domains\\*Your_Domain*. - -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. - -4. In the **New GPO** dialog box, type **WSUS – Client Targeting – Ring 4 Broad Business Users** for the name of the new GPO. - -5. Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**. - - ![Example of UI](images/waas-wsus-fig11.png) - -6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update. - -7. Right-click **Enable client-side targeting**, and then click **Edit**. - -8. In the **Enable client-side targeting** dialog box, select **Enable**. - -9. In the **Target group name for this computer** box, type **Ring 4 Broad Business Users**. This is the name of the deployment ring in WSUS to which these computers will be added. - - ![Example of UI](images/waas-wsus-fig12.png) - -10. Close the Group Policy Management Editor. - -Now you’re ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring. - -**To scope the GPO to a group** - -1. In GPMC, select the **WSUS – Client Targeting – Ring 4 Broad Business Users** policy. - -2. Click the **Scope** tab. - -3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group. - - ![Example of UI](images/waas-wsus-fig13.png) - -The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring. - -## Automatically approve and deploy feature updates - -For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS. - ->[!NOTE] ->WSUS respects the client’s servicing branch. If you approve a feature update while it is still Current Branch (CB), WSUS will install the update only on PCs that are in the CB servicing branch. When Microsoft releases the build for Current Branch for Business (CBB), the PCs in the CBB servicing branch will install it. - -**To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring** - -1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Options, and then select **Automatic Approvals**. - -2. On the **Update Rules** tab, click **New Rule**. - -3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes. - - ![Example of UI](images/waas-wsus-fig14.png) - -4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**. - -5. In the **Edit the properties area**, click the **any product** link. Clear all check boxes except **Windows 10**, and then click **OK**. - - Windows 10 is under All Products\Microsoft\Windows. - -6. In the **Edit the properties** area, click the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then click **OK**. - -7. Leave the deadline set for **7 days after the approval at 3:00 AM**. - -8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**. - - ![Example of UI](images/waas-wsus-fig15.png) - -9. In the **Automatic Approvals** dialog box, click **OK**. - - >[!NOTE] - >WSUS does not honor any existing month/week/day deferral settings for CB or CBB. That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait. - -Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week. - -## Manually approve and deploy feature updates - -You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates. - -**To approve and deploy feature updates manually** - -1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, click **New Update View**. - -2. In the **Add Update View** dialog box, select **Updates are in a specific classification** and **Updates are for a specific product**. - -3. Under **Step 2: Edit the properties**, click **any classification**. Clear all check boxes except **Upgrades**, and then click **OK**. - -4. Under **Step 2: Edit the properties**, click **any product**. Clear all check boxes except **Windows 10**, and then click **OK**. - - Windows 10 is under All Products\Microsoft\Windows. - -5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**. - - ![Example of UI](images/waas-wsus-fig16.png) - -Now that you have the All Windows 10 Upgrades view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring: - -1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates\All Windows 10 Upgrades. - -2. Right-click the feature update you want to deploy, and then click **Approve**. - - ![Example of UI](images/waas-wsus-fig17.png) - -3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**. - - ![Example of UI](images/waas-wsus-fig18.png) - -4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**. - - ![Example of UI](images/waas-wsus-fig19.png) - -5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**. - - If the deployment is successful, you should receive a successful progress report. - - ![Example of UI](images/waas-wsus-fig20.png) - -6. In the **Approval Progress** dialog box, click **Close**. - -
- -## Steps to manage updates for Windows 10 - - - - - - - - -
![done](images/checklistdone.png)[Learn about updates and servicing branches](waas-overview.md)
![done](images/checklistdone.png)[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
![done](images/checklistdone.png)[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
![done](images/checklistdone.png)[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
![done](images/checklistdone.png)[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
![done](images/checklistdone.png)[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
-or Manage Windows 10 updates using Windows Server Update Services (this topic)
-or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-
- - - -## Related topics - -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) -- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file diff --git a/windows/manage/waas-manage-updates-wufb.md b/windows/manage/waas-manage-updates-wufb.md deleted file mode 100644 index 790cb61972..0000000000 --- a/windows/manage/waas-manage-updates-wufb.md +++ /dev/null @@ -1,142 +0,0 @@ ---- -title: Manage updates using Windows Update for Business (Windows 10) -description: Windows Update for Business lets you manage when devices received updates from Windows Update. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Manage updates using Windows Update for Business - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. - -Specifically, Windows Update for Business allows for: - -- The creation of deployment rings, where administrators can specify which devices go first in an update wave, and which ones will come later (to ensure any quality bars are met). -- Selectively including or excluding drivers as part of Microsoft-provided updates -- Integration with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune. -- Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution. - -Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education. - ->[!NOTE] ->See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10. - -## Update types - -Windows Update for Business provides three types of updates to Windows 10 devices: - -- **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released at a slower cadence, every 4 to 8 months. -- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates. -- **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred. - -Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
CategoryMaximum deferralDeferral incrementsExampleClassification GUID
Feature Updates180 daysDaysFrom Windows 10, version 1511 to version 16073689BDC8-B205-4AF4-8D4A-A63924C5E9D5
Quality Updates30 daysDaysSecurity updates0FA1201D-4330-4FA8-8AE9-B877473B6441
Drivers (optional)EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
Non-security updatesCD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
Microsoft updates (Office, Visual Studio, etc.)varies
Non-deferrableNo deferralNo deferralDefinition updatesE0789628-CE08-4437-BE74-2495B842F43B
- ->[!NOTE] ->For information about classification GUIDs, see [WSUS Classification GUIDs](https://msdn.microsoft.com/en-us/library/ff357803.aspx). - -## Comparing Windows Update for Business in Windows 10, version 1511 and version 1607 - -Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior. - ->[!NOTE] ->For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](introduction-to-windows-10-servicing.md). - - - - - - - - - - - - -
CapabilityWindows 10, version 1511Windows 10, version 1607

Select Servicing Options: CB or CBB

Not available. To defer updates, all systems must be on the Current Branch for Business (CBB)

Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB).

Quality Updates

Able to defer receiving Quality Updates:

  • Up to 4 weeks
  • In weekly increments

Able to defer receiving Quality Updates:

  • Up to 30 days
  • In daily increments

Feature Updates

Able to defer receiving Feature Updates:

  • Up to 8 months
  • In monthly increments

Able to defer receiving Feature Updates:

  • Up to 180 days
  • In daily increments

Pause updates

  • Feature Updates and Quality Updates paused together
  • Maximum of 35 days

Features and Quality Updates can be paused separately.

  • Feature Updates: maximum 60 days
  • Quality Updates: maximum 35 days

Drivers

No driver-specific controls

Drivers can be selectively excluded from Windows Update for Business.

- - -## Steps to manage updates for Windows 10 - - - - - - - - -
![done](images/checklistdone.png)[Learn about updates and servicing branches](waas-overview.md)
![done](images/checklistdone.png)[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
![done](images/checklistdone.png)[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
![done](images/checklistdone.png)[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
![done](images/checklistdone.png)[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
![done](images/checklistdone.png)Manage updates using Windows Update for Business (this topic)
-or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-
- - -## Related topics - -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) -- [Manage device restarts after updates](waas-restart.md) - - diff --git a/windows/manage/waas-mobile-updates.md b/windows/manage/waas-mobile-updates.md deleted file mode 100644 index 1352624cc9..0000000000 --- a/windows/manage/waas-mobile-updates.md +++ /dev/null @@ -1,84 +0,0 @@ ---- -title: Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile (Windows 10) -description: tbd -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile - - -**Applies to** - -- Windows 10 Mobile -- [Windows 10 IoT Mobile](https://www.microsoft.com/en-us/WindowsForBusiness/windows-iot) - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - ->[!TIP] ->If you're not familiar with the Windows 10 servicing or release branches, read [Servicing branches](waas-overview.md#servicing-branches) first. - -Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Current Branch (CB) unless you [enroll the device in the Windows Insider Program](waas-servicing-branches-windows-10-updates.md#enroll-devices-in-the-windows-insider-program) or assign the device to Current Branch for Business (CBB). Only devices running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile can be assigned to CBB. - -[Learn how to upgrade Windows 10 Mobile to Windows 10 Mobile Enterprise](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades) - -
- -| Windows 10 edition | CB | CBB | Insider Program | -| --- | --- | --- | --- | --- | -| Mobile | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | -| Mobile Enterprise | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | -| IoT Mobile | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | - -
- -Configuration of Windows 10 Mobile and Windows 10 IoT Mobile devices is limited to the feature set pertaining to Quality Updates only. That is, Windows Mobile Feature Updates are categorized the same as Quality Updates, and can only be deferred by setting the Quality Update deferral period, for a maximum period of 30 days. You can use mobile device management (MDM) to manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. Updates cannot be managed for Windows 10 Mobile. - -## Windows 10, version 1511 - -Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile: - -- ../Vendor/MSFT/Policy/Config/Update/RequireDeferredUpgrade -- ../Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod -- ../Vendor/MSFT/Policy/Config/Update/PauseDeferrals - -To defer the update period or pause deferrals, the device must be configured for CBB servicing branch by applying the **RequireDeferredUpgrade** policy. - -## Windows 10, version 1607 - -Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile: - -- ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel -- ../Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesInDays -- ../Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates - -In version 1607, you can defer and pause updates for devices on both the CB and CBB servicing branches. - -If a device running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile, version 1511, has Windows Update for Business policies applied and is then updated to version 1607, version 1511 policies continue to apply until version 1607 policies are applied. - - - -## Related topics - -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) -- [Manage device restarts after updates](waas-restart.md) - - - diff --git a/windows/manage/waas-optimize-windows-10-updates.md b/windows/manage/waas-optimize-windows-10-updates.md deleted file mode 100644 index 08251d8c02..0000000000 --- a/windows/manage/waas-optimize-windows-10-updates.md +++ /dev/null @@ -1,105 +0,0 @@ ---- -title: Optimize update delivery for Windows 10 updates (Windows 10) -description: Two methods of peer-to-peer content distribution are available in Windows 10, Delivery Optimization and BranchCache. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Optimize update delivery for Windows 10 updates - - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows 10. - -Two methods of peer-to-peer content distribution are available in Windows 10. - -- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. - - Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates. - -- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. - - >[!NOTE] - >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations. - - Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content. - -

- -| Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager | -| --- | --- | --- | --- | --- | -| Delivery Optimization | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | -| BranchCache | ![no](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) | - ->[!NOTE] ->Starting with preview version 1604, System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage in the same Configuration Manager boundary group. This is expected to be available in later Configuration Manager current branch releases. -> ->In addition to client content sharing, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt613173.aspx). - -## Express update delivery - -Windows 10 update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express. - -### How Microsoft supports Express -- **Express on WSUS Standalone** - - Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx). -- **Express on devices directly connected to Windows Update** -- **Enterprise devices managed using [Windows Update for Business](waas-manage-updates-wufb.md)** also get the benefit of Express update delivery support without any change in configuration. - -### How Express download works - -For OS updates that support Express, there are two versions of the file payload stored on the service: -1. **Full-file version** - essentially replacing the local versions of the update binaries. -2. **Express version** - containing the deltas needed to patch the existing binaries on the device. - -Both the full-file version and the Express version are referenced in the udpate's metadata, which has been downloaded to the client as part of the scan phase. - -**Express download works as follows:** - -The Windows Update client will try to download Express first, and under certain situations fall back to full-file if needed (for example, if going through a proxy that doesn't support byte range requests). - -1. When the Windows Update client initiates an Express download, **Windows Update first downloads a stub**, which is part of the Express package. -2. **The Windows Update client passes this stub to the Windows installer**, which uses the stub to do a local inventory, comparing the deltas of the file on the device with what is needed to get to the latest version of the file being offered. -3. **The Windows installer then requests the Windows Update client to download the ranges**, which have been determined to be required. -4. **The client downloads these ranges and passes them to the Windows Installer**, which applies the ranges and then determines if additional ranges are needed. This repeats until the Windows installer tells the Windows Update client that all necessary ranges have been downloaded. - -At this point, the download is complete and the update is ready to be installed. - -## Steps to manage updates for Windows 10 - - - - - - - - -
![done](images/checklistdone.png)[Learn about updates and servicing branches](waas-overview.md)
![done](images/checklistdone.png)[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
![done](images/checklistdone.png)[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
![done](images/checklistdone.png)[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
![done](images/checklistdone.png)Optimize update delivery for Windows 10 updates (this topic)
![to do](images/checklistbox.gif)[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
-or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-
- - - -## Related topics - -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage device restarts after updates](waas-restart.md) - - diff --git a/windows/manage/waas-overview.md b/windows/manage/waas-overview.md deleted file mode 100644 index d597a74145..0000000000 --- a/windows/manage/waas-overview.md +++ /dev/null @@ -1,193 +0,0 @@ ---- -title: Overview of Windows as a service (Windows 10) -description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Overview of Windows as a service - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile -- Windows 10 IoT Mobile - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. - -## Building - -Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesn’t work in today’s rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges. Windows as a service will deliver smaller feature updates two to three times per year to help address these issues. - -In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, when Windows was nearly ready to ship. With Windows 10, new features will be delivered to the [Windows Insider community](https://insider.windows.com/) as soon as possible — during the development cycle, through a process called *flighting* — so that organizations can see exactly what Microsoft is developing and start their testing as soon as possible. - -Microsoft also depends on receiving feedback from organizations throughout the development process so that it can make adjustments as quickly as possible rather than waiting until after release. For more information about the Windows Insider Program and how to sign up, see the section [Windows Insider](#windows-insider). - -Of course Microsoft also performs extensive internal testing, with engineering teams installing new builds daily, and larger groups of employees installing builds frequently, all before those builds are ever released to the Windows Insider Program. - -## Deploying - -Deploying Windows 10 is simpler than with previous versions of Windows. When migrating from earlier versions of Windows, an easy in-place upgrade process can be used to automatically preserve all apps, settings, and data. And once running Windows 10, deployment of Windows 10 feature updates will be equally simple. - -One of the biggest challenges for organizations when it comes to deploying a new version of Windows is compatibility testing. Whereas compatibility was previously a concern for organizations upgrading to a new version of Windows, Windows 10 is compatible with most hardware and software capable of running on Windows 7 or later. Because of this high level of compatibility, the app compatibility testing process can be greatly simplified. - -### Application compatibility - -Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. With Windows 10, application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously. Microsoft understands the challenges organizations experienced when they migrated from the Windows XP operating system to Windows 7 and has been working to make Windows 10 upgrades a much better experience. - -Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and telemetry data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10. - -For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. If it’s unclear whether an application is compatible with Windows 10, IT pros can either consult with the ISV or check the supported software directory at [http://www.readyforwindows.com](http://www.readyforwindows.com). - -### Device compatibility - -Device compatibility in Windows 10 is also very strong; new hardware is not needed for Windows 10 as any device capable of running Windows 7 or later can run Windows 10. In fact, the minimum hardware requirements to run Windows 10 are the same as those required for Windows 7. Most hardware drivers that functioned in Windows 8.1, Windows 8, or Windows 7 will continue to function in Windows 10. - -## Servicing - -Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month. - -With Windows 10, organizations will need to change the way they approach deploying updates. Servicing branches are the first way to separate users into deployment groups for feature and quality updates. With the introduction of servicing branches comes the concept of a [deployment ring](waas-deployment-rings-windows-10-updates.md), which is simply a way to categorize the combination of a deployment group and a servicing branch to group devices for successive waves of deployment. For more information about developing a deployment strategy that leverages servicing branches and deployment rings, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md). - -For information about each servicing tool available for Windows 10, see [Servicing tools](#servicing-tools). - -To align with this new update delivery model, Windows 10 has three servicing branches, each of which provides different levels of flexibility over when these updates are delivered to client computers. For information about the servicing branches available in Windows 10, see [Servicing branches](#servicing-branches). - - -### Feature updates - -With Windows 10, Microsoft will package new features into feature updates that can be deployed using existing management tools. Because feature updates are delivered more frequently than with previous Windows releases — two to three times per year rather than every 3–5 years — changes will be in bite-sized chunks rather than all at once and end user readiness time much shorter. - -### Quality updates - -Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn’t, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of nonsecurity fixes. - -In Windows 10, rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that supersedes the previous month’s update, containing both security and nonsecurity fixes. This approach makes patching simpler and ensures that customers’ devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching. The left side of Figure 1 provides an example of Windows 7 devices in an enterprise and what their current patch level might look like. On the right is what Microsoft’s test environment PCs contain. This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates. - -**Figure 1** - -![Comparison of patch environment in enterprise compared to test](images/waas-overview-patch.png) - - - -## Servicing branches - -To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing branches to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers three servicing branches for Windows 10: Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). In addition, the Windows Insider Program provides IT pros and other interested parties with prerelease Windows builds that they can test and ultimately provide feedback on to Microsoft. For details about the versions in each servicing branch, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). - -The concept of servicing branches is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools). - ->[!NOTE] ->Servicing branches are not the only way to separate groups of devices when consuming updates. Each branch can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing branches, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md). - - -### Current Branch - -In the CB servicing model, feature updates are available as soon as Microsoft releases them. Windows 10 version 1511 had few servicing tool options to delay CB feature updates, limiting the use of the CB servicing branch. Windows 10 version 1607, however, includes more servicing tools that can delay CB feature updates for up to 180 days. The CB servicing model is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately. - -When Microsoft officially releases a feature update for Windows 10, that update is marked for CB, making it available to any PC not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer CB feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for CB will be available but not necessarily immediately mandatory, depending on the policy of the management system. Only one CB build of Windows is supported at a time, so those clients not on the most current build will not receive quality updates (after a 60 day grace period) until the most current feature update has been installed. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools). - - -### Current Branch for Business - -Organizations typically prefer to have a testing cycle before broadly deploying new features to business users. For Windows 10, most pilot testing will be done using the CB servicing branch. In contrast, the CBB servicing branch is typically used for broad deployment. Windows 10 clients in the CBB servicing branch receive the same build of Windows 10 as those in the CB servicing branch, just at a later time. CB releases are transitioned to CBB after about 4 months, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Therefore, CB and CBB have an inherent “staging” effect. Both of these branches have a purpose in the overall deployment process for an enterprise, providing another layer of testing capabilities in addition to the traditional phased deployment methods to specific groups of machines. Microsoft will support two CBB builds at a time, plus a 60 day grace period. Each feature update release will be supported and updated for a minimum of 18 months. - - ->[!NOTE] ->Organizations can electively delay CB and CBB updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools. - -Basically, CBB is a configuration state, meaning that if a computer has the **Defer Updates and Upgrades** flag enabled—either through Group Policy, a mobile device management product like Microsoft Intune, or manually on the client—it’s considered to be in the CBB servicing branch. The benefit of tying this servicing model and CB to a configuration state rather than a SKU is that they are easily interchangeable. If an organization accidentally selects CBB on a machine that doesn’t need delayed updates, it’s simple to change it back. - -### Long-term Servicing Branch - -Specialized systems—such as PCs that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSB servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools. - ->[!NOTE] ->LTSB is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the CB or CBB servicing branch. - -Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSB releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. - ->[!NOTE] ->Windows 10 LTSB will support the currently released silicon at the time of release of the LTSB. As future silicon generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products). - -LTSB is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Windows Store client, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Therefore, it’s important to remember that Microsoft has positioned the LTSB model primarily for specialized devices. - ->[!NOTE] ->If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the CB or CBB servicing branch, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports CB and CBB. - -### Windows Insider - -For many IT pros, gaining visibility into feature updates early—before they’re available to the CB servicing branch—can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test devices for compatibility validation. - -Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about how to sign up for the Windows Insider Program and enroll test devices, go to [https://insider.windows.com](https://insider.windows.com). - ->[!NOTE] ->Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app. -> ->The Windows Insider Program isn’t intended to replace CB deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. - - - -## Servicing tools - -There are many tools with which IT pros can service Windows as a service. Each option has its pros and cons, ranging from capabilities and control to simplicity and low administrative requirements. The following are examples of the servicing tools available to manage Windows as a service updates: - -- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the CBB servicing branch. Organizations can control which devices defer updates and stay in the CBB servicing branch or remain in CB by selecting the Defer upgrades check box in Start\Settings\Update & Security\Advanced Options on a Windows 10 client. -- **Windows Update for Business** is the second option for servicing Windows as a service. This servicing tool includes a little more control over update deferment and provides centralized management using Group Policy. In Windows 10 version 1511, Windows Update for Business can be used to defer feature updates for up to 8 months and quality updates for up to 4 weeks. Also, these deferment options were available only to clients in the CBB servicing branch. In Windows 10 version 1607 and later, Windows Update for Business can be used to defer feature updates for up to 180 days and quality updates for up to 30 days. These deployment options are available to clients in either the CB or CBB servicing branch. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Intune. -- **Windows Server Update Services (WSUS)** provides extensive control over Windows 10 updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready. -- **System Center Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times. - -With all these options, which an organization chooses depends on the resources, staff, and expertise its IT organization already has. For example, if IT already uses System Center Configuration Manager to manage Windows updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated look at the benefits of each tool, see Table 1. - -**Table 1** - -| Servicing tool | Can updates be deferred? | Ability to approve updates | Peer-to-peer option | Additional features | -| --- | --- | --- | --- | --- | -| Windows Update | Yes (manual) | No | Delivery Optimization | None| -| Windows Update for Business | Yes | No | Delivery Optimization | Other Group Policy objects | -| WSUS | Yes | Yes | BranchCache or Delivery Optimization | Upstream/downstream server scalability | -| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache | Distribution points, multiple deployment options | - -
- -## Steps to manage updates for Windows 10 - - - - - - - - -
![to do](images/checklistdone.png)Learn about updates and servicing branches (this topic)
![to do](images/checklistbox.gif)[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
![to do](images/checklistbox.gif)[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
![to do](images/checklistbox.gif)[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
![to do](images/checklistbox.gif)[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
![to do](images/checklistbox.gif)[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
-or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-
- - - -## Related topics - -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) -- [Quick guide to Windows as a service](waas-quick-start.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage device restarts after updates](waas-restart.md) - - - - - - - - diff --git a/windows/manage/waas-quick-start.md b/windows/manage/waas-quick-start.md deleted file mode 100644 index eef6aed2a3..0000000000 --- a/windows/manage/waas-quick-start.md +++ /dev/null @@ -1,82 +0,0 @@ ---- -title: Quick guide to Windows as a service (Windows 10) -description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Quick guide to Windows as a service - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile -- Windows 10 IoT Mobile - -Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](waas-update-windows-10.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts. - -## Definitions - -Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean. -- **Feature updates** will be released two to three times per year. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. -- **Quality updates** are released monthly, delivering both security and non-security fixes. These are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. -- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. -- **Servicing branches** allow organizations to choose when to deploy new features. Current Branch (CB) deploys the fastest, soon after a feature update is released. Current Branch for Business (CBB) defers the installation of the same feature update by about four months, until that feature update is considered ready for broad deployment. Long Term Servicing Branch (LTSB) is different, used only for specialized devices (which typically don’t run Office) such as those that control medical equipment or ATM machines that need to be kept stable and secure. -- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. - -See [Overview of Windows as a service](waas-overview.md) for more information. - -## Key Concepts - -New feature update releases are initially considered **Current Branch (CB) releases**; organizations will use these for pilot deployments to ensure compatibility with existing apps and infrastructure. After about four months, the feature update will be declared as **Current Branch for Business (CBB)**, indicating that it is ready for broad deployment. - -Each Windows 10 feature update (which initially begins as CB and then is declared as CBB) will be serviced with quality updates for a minimum of 18 months after it is released. The total length of time can be longer, as there will be two CBB releases serviced at all times. There will be a minimum of 60 days advanced notice (a grace period) after a CBB declaration occurs before an older feature update is no longer serviced. - -Windows 10 Enterprise LTSB is a separate **Long Term Servicing Branch (LTSB)** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years. - -See [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) for more information. - -## Staying up to date - -The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Upgrade Analytics](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help. - -Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps and CBB has been declared, broad deployment can begin. - -This process repeats with each new feature update, two to three times per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles. - -Additional technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files. - -See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) and [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) for more information. - -## Video: An overview of Windows as a service - - - -## Learn more - -[Adopting Windows as a service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) - - -## Related topics - -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage device restarts after updates](waas-restart.md) - - - - - - - - diff --git a/windows/manage/waas-restart.md b/windows/manage/waas-restart.md deleted file mode 100644 index ffb43434aa..0000000000 --- a/windows/manage/waas-restart.md +++ /dev/null @@ -1,151 +0,0 @@ ---- -title: Manage device restarts after updates (Windows 10) -description: tbd -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Manage device restarts after updates - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -You can use Group Policy settings, mobile device management (MDM) or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both. - -## Schedule update installation - -In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified instllation time. - -To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the instal**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installtion will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**). - -**Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur. - -While not recommended, the same result can be achieved through Registry. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4**, set the install time with **ScheduledInstallTime**, enable **AlwaysAutoRebootAtScheduledTime** and specify the delay in minutes through **AlwaysAutoRebootAtScheduledTimeMinutes**. Similar to Group Policy, **AlwaysAutoRebootAtScheduledTimeMinutes** sets the timer to warn a signed-in user that a restart is going to occur. - -For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). - -## Delay automatic reboot - -When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installtion: - -- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours. -- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. - -You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. - -For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). - -## Configure active hours - -*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours. - -By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually. - -Administrators can use multiple ways to set active hours for managed devices: - -- You can use Group Policy, as described in the procedure that follows. -- You can use MDM, as described in [Configuring active hours with MDM](#configuring-active-hours-with-mdm). -- While not recommended, you can also configure active hours, as descrbied in [Configuring active hours through Registry](#configuring-active-hours-through-registry). - -### Configuring active hours with Group Policy - -To configure active hours using Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours. - -![Use Group Policy to configure active hours](images/waas-active-hours-policy.png) - -### Configuring active hours with MDM - -MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours. - -### Configuring active hours through Registry - -This method is not recommended, and should only be used when neither Group Policy or MDM are available. -Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above. - -You should set a combination of the following registry values, in order to configure active hours. -Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart**,**ActiveHoursEnd** to specify the range of active hours. - -For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). - ->[!NOTE] ->To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**. -> ->![Change active hours](images/waas-active-hours.png) - -## Limit restart delays - -After an update is installed, Windows 10 attemtps automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14. - -## Group Policy settings for restart - -In the Group Policy editor, you will see a number of policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10. - -| Policy | Applies to Windows 10 | Notes | -| --- | --- | --- | -| Turn off auto-restart for updates during active hours | ![yes](images/checkmark.png) | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. | -| Always automatically restart at the scheduled time | ![yes](images/checkmark.png) | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. | -| Specify deadline before auto-restart for update installation | ![yes](images/checkmark.png) | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. | -| No auto-restart with logged on users for scheduled automatic updates installations | ![yes](images/checkmark.png) | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates.
There is no equivalent MDM policy setting for Windows 10 Mobile. | -| Re-prompt for restart with scheduled installations | ![no](images/crossmark.png) | | -| Delay Restart for scheduled installations | ![no](images/crossmark.png) | | -| Reschedule Automatic Updates scheduled installations | ![no](images/crossmark.png) | | - ->[!NOTE] ->You can only choose one path for restart behavior. -> ->If you set conflicting restart policies, the actual restart behavior may not be what you expected. - -## Registry keys used to manage restart -The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10. - -**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** - -| Registry key | Key type | Value | -| --- | --- | --- | -| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | -| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | -| SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours
1: enable automatic restart after updates outside of active hours | - -**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** - -| Registry key | Key type | Value | -| --- | --- | --- | -| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time
1: enable automatic reboot after update installation at ascheduled time | -| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes | -| AUOptions | REG_DWORD | 2: notify for download and automatically install updates
3: automatically download and notify for instllation of updates
4: Automatically download and schedule installation of updates
5: allow the local admin to configure these settings
**Note:** To configure restart behavior, set this value to **4** | -| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on
1: do not reboot after an update installation if a user is logged on
**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restarts in 5 minutes to complete the installation | -| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | - -There are 3 different registry combinations for controlling restart behavior: - -- To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range. -- To schedule a specific instllation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting. -- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**. - -## Related topics - -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) -- [Overview of Windows as a service](waas-overview.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - - - - - - - - diff --git a/windows/manage/waas-servicing-branches-windows-10-updates.md b/windows/manage/waas-servicing-branches-windows-10-updates.md deleted file mode 100644 index 322b7c07b2..0000000000 --- a/windows/manage/waas-servicing-branches-windows-10-updates.md +++ /dev/null @@ -1,220 +0,0 @@ ---- -title: Assign devices to servicing branches for Windows 10 updates (Windows 10) -description: tbd -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Assign devices to servicing branches for Windows 10 updates - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - ->[!TIP] ->If you're not familiar with the Windows 10 servicing or release branches, read [Servicing branches](waas-overview.md#servicing-branches) first. - -Current Branch is the default servicing branch for all Windows 10 devices except those with the long-term servicing branch edition installed. The following table shows the servicing branches available to each edition of Windows 10. - -| Windows 10 edition | Current branch (CB) | Current branch for business (CBB) | Long-term servicing branch (LTSB) | Insider Program | -| --- | --- | --- | --- | --- | -| Home | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | -| Pro | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | -| Enterprise | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | -| Enterprise LTSB | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | -| Pro Education | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | -| Education | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | -| Mobile | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | -| Mobile Enterprise | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | - - - ->[!NOTE] ->The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). - -## Assign devices to Current Branch for Business - -**To assign a single PC locally to CBB** - -1. Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options**. -2. Select **Defer feature updates**. - -**To assign PCs to CBB using Group Policy** - -- In Windows 10, version 1511: - - Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** - -- In Windows 10, version 1607: - - Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** - enable policy and set branch readiness level to CBB - -**To assign PCs to CBB using MDM** - -- In Windows 10, version 1511: - - ../Vendor/MSFT/Policy/Config/Update/**RequireDeferredUpgrade** - -- In Windows 10, version 1607: - - ../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel** - -**To assign Windows 10 Mobile Enterprise to CBB using MDM** - -- In Windows 10 Mobile Enterprise, version 1511: - - ../Vendor/MSFT/Policy/Config/Update/RequireDeferredUpgrade - -- In Windows 10 Mobile Enterprise, version 1607: - - ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel - -## Enroll devices in the Windows Insider Program - -Enrolling devices in the Windows Insider Program is simple and requires only a Microsoft account. To enroll a device in the Windows Insider Program, complete the following steps on the device that you want to enroll: - -1. Go to **Start** > **Settings** > **Update & security** > **Windows Insider Program**. - -2. Select **Get started**. - >[!NOTE] - >If you didn’t use a Microsoft account to log in to the computer, you’ll be prompted to log in. If you don’t have a Microsoft account, you can create one now. - -3. Read the privacy statement and program terms, and then click **Next**. - -6. Click **Confirm**, and then select a time to restart the computer. - -## Install your first preview build from the Windows Insider Program - -After enrolling your devices, you are ready to install your first preview build. To do so, go to **Start** > **Settings** > **Update & security** > **Windows Insider Program** to select your Insider level. The device receives the most recent Windows Insider build for the Insider level you select. - -The options for Insider level are: -- **Release Preview**: Insiders on this level receive builds of Windows just before Microsoft releases them for CB. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs. -- **Slow**: The Slow Windows Insider level is for users who enjoy seeing new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build. -- **Fast**: This level is best for Insiders who would like to be the first to experience new builds of Windows, participate in identifying and reporting issues to Microsoft, and provide suggestions on new functionality. - ->[!NOTE] ->Once your machine is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your machine will be auto-targeted for the next available flight for your selected ring. For the first build on any given machine, this may take up to 24 hours to complete. - -## Block access to Windows Insider Program - -To prevent devices in your enterprise from being enrolled in the Insider Program for early releases of Windows 10: - -- Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\\**Toggle user control over Insider builds** -- MDM: Policy CSP - [System/AllowBuildPreview](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx#System_AllowBuildPreview) - -## Switching branches - -During the life of a device, it may be necessary or desirable to switch between the available branches. Depending on the branch you are using, the exact mechanism for doing this can be different; some will be simple, others more involved. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
From this branchTo this branchYou need to
Windows Insider ProgramCurrent BranchWait for the final Current Branch release.
Current Branch for BusinessNot directly possible, because Windows Insider Program devices are automatically upgraded to the Current Branch release at the end of the development cycle.
Long-Term Servicing BranchNot directly possible (requires wipe-and-load).
Current BranchInsiderUse the Settings app to enroll the device in the Windows Insider Program.
Current Branch for BusinessSelect the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Current Branch release.
Long-Term Servicing BranchNot directly possible (requires wipe-and-load).
Current Branch for BusinessInsiderUse the Settings app to enroll the device in the Windows Insider Program.
Current BranchDisable the Defer upgrade setting, or move the device to a target group or flight that will receive the latest Current Branch release.
Long-Term Servicing BranchNot directly possible (requires wipe-and-load).
Long-Term Servicing BranchInsiderUse media to upgrade to the latest Windows Insider Program build.
Current BranchUse media to upgrade to a later Current Branch build. (Note that the Current Branch build must be a later build.)
Current Branch for BusinessUse media to upgrade to a later Current Branch for Business build (Current Branch build plus fixes). Note that it must be a later build.
- - -## Steps to manage updates for Windows 10 - - - - - - - - -
![done](images/checklistdone.png)[Learn about updates and servicing branches](waas-overview.md)
![done](images/checklistdone.png)[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
![done](images/checklistdone.png)[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
![done](images/checklistdone.png)Assign devices to servicing branches for Windows 10 updates (this topic)
![to do](images/checklistbox.gif)[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
![to do](images/checklistbox.gif)[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
-or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-
- -## Block user access to Windows Update settings - -In Windows 10, administrators can control user access to Windows Update. -By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured. - ->[!NOTE] -> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform. - -## Related topics - -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage device restarts after updates](waas-restart.md) - - diff --git a/windows/manage/waas-servicing-strategy-windows-10-updates.md b/windows/manage/waas-servicing-strategy-windows-10-updates.md deleted file mode 100644 index 52c156bbeb..0000000000 --- a/windows/manage/waas-servicing-strategy-windows-10-updates.md +++ /dev/null @@ -1,70 +0,0 @@ ---- -title: Prepare servicing strategy for Windows 10 updates (Windows 10) -description: A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Prepare servicing strategy for Windows 10 updates - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has completely changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. Figure 1 shows the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years. - -**Figure 1** - -![Compare traditional servicing to Windows 10](images/waas-strategy-fig1a.png) - -Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like: - -- **Configure test devices.** Configure testing PCs in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Current Branch (CB) servicing branch. Typically, this would be a small number of test machines that IT staff members use to evaluate prereleased builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device. -- **Identify excluded PCs.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than CB or Current Branch for Business (CBB) can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these PCs, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. -- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible. -- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). -- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics). - ->[!NOTE] ->This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](https://technet.microsoft.com/itpro/windows/plan/index). - -Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful: - -1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test machines” step of the Predeployment strategy section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. For more information about device and application compatibility in Windows 10, see the section Compatibility. -2. **Pilot and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have pilot groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your pilot groups running in the CB servicing branch that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it. -3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more and more people have been updated in any particular department. - - -## Steps to manage updates for Windows 10 - - - - - - - - -
![to do](images/checklistdone.png)[Learn about updates and servicing branches](waas-overview.md)
![to do](images/checklistdone.png)Prepare servicing strategy for Windows 10 updates (this topic)
![to do](images/checklistbox.gif)[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
![to do](images/checklistbox.gif)[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
![to do](images/checklistbox.gif)[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
![to do](images/checklistbox.gif)[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
-or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-
- - -## Related topics - -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/manage/waas-update-windows-10.md b/windows/manage/waas-update-windows-10.md deleted file mode 100644 index 353a7bf43d..0000000000 --- a/windows/manage/waas-update-windows-10.md +++ /dev/null @@ -1,62 +0,0 @@ ---- -title: Update Windows 10 in the enterprise (Windows 10) -description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows 10. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Update Windows 10 in the enterprise - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. The Windows as a service model is focused on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Deploying new versions of Windows is simpler than ever before: Microsoft releases new features two to three times per year rather than the traditional upgrade cycle where new features are only made available every few years. Ultimately, this model replaces the need for traditional Windows deployment projects, which can be disruptive and costly, and spreads the required effort out into a continuous updating process, reducing the overall effort required to maintain Windows 10 devices in your environment. In addition, with the Windows 10 operating system, organizations have the chance to try out “flighted” builds of Windows as Microsoft develops them, gaining insight into new features and the ability to provide continual feedback about them. - ->[!TIP] ->See [Windows 10 update history](https://support.microsoft.com/help/12387/windows-10-update-history) for details about each Windows 10 update released to date. - - - -## In this section - -| Topic | Description| -| --- | --- | -| [Quick guide to Windows as a service](waas-quick-start.md) | Provides a brief summary of the key points for the new servicing model for Windows 10. | -| [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. | -| [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. | -| [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates. | -| [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | Explains how to assign devices to Current Branch (CB) or Current Branch for Business (CBB) for feature and quality updates, and how to enroll devices in Windows Insider. | -| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Windows Analytics: Update Compliance to monitor and manage Windows Updates on devices in your organization. | -| [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. | -| [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. | -| [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | -| [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. | -| [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. | -| [Manage device restarts after updates](waas-restart.md) | Explains how to use Group Policy to manage device restarts. | - ->[!TIP] ->Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. ->With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager). - - -## Related topics - - -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - - - - diff --git a/windows/manage/waas-wufb-group-policy.md b/windows/manage/waas-wufb-group-policy.md deleted file mode 100644 index 87d3b8ba3f..0000000000 --- a/windows/manage/waas-wufb-group-policy.md +++ /dev/null @@ -1,352 +0,0 @@ ---- -title: Walkthrough use Group Policy to configure Windows Update for Business (Windows 10) -description: Configure Windows Update for Business settings using Group Policy. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Walkthrough: use Group Policy to configure Windows Update for Business - - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -Using Group Policy to manage Windows Update for Business is simple and familiar: use the same Group Policy Management Console (GPMC) you use to manage other device and user policy settings in your environment. Before configuring the Windows Update for Business Group Policy settings, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment. - -In Windows 10 version 1511, only Current Branch for Business (CBB) upgrades could be delayed, restricting the Current Branch (CB) builds to a single deployment ring. Windows 10 version 1607, however, has a new Group Policy setting that allows you to delay feature updates for both CB and CBB, broadening the use of the CB servicing branch. - ->[!NOTE] ->The terms *feature updates* and *quality updates* in Windows 10, version 1607, correspond to the terms *upgrades* and *updates* in version 1511. - -To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades. - -## Configure Windows Update for Business in Windows 10 version 1511 - -In this example, you use two security groups to manage your updates: **Ring 4 Broad business users** and **Ring 5 Broad business users #2** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md). - -- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as they’re released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices. -- The **Ring 5 Broad business users #2** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release. - ->[!NOTE] ->Although the [sample deployment rings](waas-deployment-rings-windows-10-updates.md) specify a feature update deferral of 2 weeks for Ring 5, deferrals in Windows 10, version 1511 are in increments of months only. -> ->Windows 10 version 1511 does not support deferment of CB builds of Windows 10, so you can establish only one CB deployment ring. In version 1607 and later, CB builds can be delayed, making it possible to have multiple CB deployment rings. - - Complete the following steps on a PC running the Remote Server Administration Tools or on a domain controller. - - ### Configure the Ring 4 Broad business users deployment ring for CBB with no deferral - -1. Open GPMC (gpmc.msc). - -2. Expand **Forest** > **Domains** > *your domain*. - -3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**. - - ![UI for Create GPO menu](images/waas-wufb-gp-create.png) - -4. In the **New GPO** dialog box, type **Windows Update for Business - CBB1** for the name of the new GPO. - - >[!NOTE] - >In this example, you’re linking the GPO to the top-level domain. This is not a requirement: you can link the Windows Update for Business GPOs to any organizational unit (OU) that’s appropriate for your Active Directory Domain Services (AD DS) structure. - -5. Right-click the **Windows Update for Business - CBB1** GPO, and then click **Edit**. - - ![UI for Edit GPO](images/waas-wufb-gp-edit.png) - -6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update**. - -7. Right-click **Defer Upgrades and Updates**, and then click **Edit**. - - ![UI to edit Defer Upgrades and Updates](images/waas-wufb-gp-edit-defer.png) - - In the **Defer Upgrades and Updates** Group Policy setting configuration, you see several options: - - **Enable/Disable Deferred Updates**. Enabling this policy setting sets the receiving client to the CBB servicing branch. Specifically disabling this policy forces the client into the CB servicing branch, making it impossible for users to change it. - - **Defer upgrades for the following**. This option allows you to delay feature updates up to 8 months, a number added to the default CBB delay (approximately 4 months from CB). By using Windows Update for Business, you can use this option to stagger CBB feature updates, making the total offset up to 12 months from CB. - - **Defer updates for the following**. This option allows you to delay the installation of quality updates on a Windows 10 device for up to 4 weeks, allowing for phased rollouts of updates in your enterprise, but not all quality updates are deferrable with this option. Table 1 shows the deferment capabilities by update type. - - **Pause Upgrades and Updates**. Should an issue arise with a feature update, this option allows a one-time skip of the current month’s quality and feature update. Quality updates will resume after 35 days, and feature updates will resume after 60 days. For example, deploy this setting as a stand-alone policy to the entire organization in an emergency. - - Table 1 summarizes the category of update in Windows 10 and how long Windows Update for Business can defer its installation. - - **Table 1** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
CategoryMaximum deferralDeferral incrementsClassification typeClassification GUID
OS upgrades8 months1 monthUpgrade3689BDC8-B205-4AF4-8D4A-A63924C5E9D5
OS updates4 weeks1 weekSecurity updates0FA1201D-4330-4FA8-8AE9-B877473B6441
DriversEBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
UpdatesCD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
Other/non-deferrableNo deferralNo deferralDefinition updatesE0789628-CE08-4437-BE74-2495B842F43B
- - Simply enabling the **Defer Upgrades and Updates** policy sets the receiving client to the CBB servicing branch, which is what you want for your first deployment ring, **Ring 4 Broad business users**. - -8. Enable the **Defer Updates and Upgrades** setting, and then click **OK**. - -9. Close the Group Policy Management Editor. - -Because the **Windows Update for Business - CBB1** GPO contains a computer policy and you only want to apply it to computers in the **Ring 4 Broad business users** group, use **Security Filtering** to scope the policy’s effect. - -### Scope the policy to the Ring 4 Broad business users group - -1. In the GPMC, select the **Windows Update for Business - CBB1** policy. - -2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 4 Broad business users** group. - - ![Scope policy to group](images/waas-wufb-gp-scope.png) - - -The **Ring 4 Broad business users** deployment ring has now been configured. Next, configure **Ring 5 Broad business users #2** to accommodate a 1-week delay for quality updates and a 2-week delay for feature updates. - - -### Configure the Ring 5 Broad business users \#2 deployment ring for CBB with deferrals - -1. Open GPMC (gpmc.msc). - -2. Expand **Forest** > **Domains** > *your domain*. - -3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**. - - ![UI for Create GPO menu](images/waas-wufb-gp-create.png) - -4. In the **New GPO** dialog box, type **Windows Update for Business - CBB2** for the name of the new GPO. - -5. Right-click the **Windows Update for Business - CBB2** GPO, and then click **Edit**. - - ![UI for Edit GPO](images/waas-wufb-gp-edit.png) - -6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update**. - -7. Right-click **Defer Upgrades and Updates**, and then click **Edit**. - -8. Enable the **Defer Updates and Upgrades** setting, configure the **Defer upgrades for the following** option for 1 month, and then configure the **Defer updates for the following** option for 1 week. - - ![Example of policy settings](images/waas-wufb-gp-broad.png) - -9. Click **OK** and close the Group Policy Management Editor. - - -### Scope the policy to the Ring 5 Broad business users \#2 group - -1. In the GPMC, select the **Windows Update for Business - CBB2** policy. - -2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 5 Broad business users \#2** group. - -## Configure Windows Update for Business in Windows 10 version 1607 - -To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades. - -In this example, you use three security groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to manage your updates: - -- **Ring 2 Pilot Business Users** contains the PCs of business users which are part of the pilot testing process, receiving CB builds 4 weeks after they are released. -- **Ring 4 Broad business users** consists of IT members who receive updates after Microsoft releases a Windows 10 build to the CBB servicing branch. -- **Ring 5 Broad business users #2** consists of LOB users on CBB, who receive quality updates after 7 days and feature updates after 14 days. - -In this example, you configure and scope the update schedules for all three groups. - -### Configure Ring 2 Pilot Business Users policy - -1. Open GPMC (gpmc.msc). - -2. Expand **Forest** > **Domains** > *your domain*. - -3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**. - - ![UI for Create GPO menu](images/waas-wufb-gp-create.png) - -4. In the **New GPO** dialog box, type **Windows Update for Business - CB2** for the name of the new GPO. - - >[!NOTE] - >In this example, you’re linking the GPO to the top-level domain. This is not a requirement: you can link the Windows Update for Business GPOs to any organizational unit (OU) that’s appropriate for your Active Directory Domain Services (AD DS) structure. - -5. Right-click the **Windows Update for Business - CB2** GPO, and then click **Edit**. - - ![Edit menu for this GPO](images/waas-wufb-gp-cb2.png) - -6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Defer Windows Updates**. - -7. Right-click **Select when Feature Updates are received**, and then click **Edit**. - -8. In the **Select when Feature Updates are received** policy, enable it, select a branch readiness level of **CB**, set the feature update delay to **28** days, and then click **OK**. - - ![Settings for this GPO](images/waas-wufb-gp-cb2-settings.png) - - Table 3 summarizes the category of updates in Windows 10, version 1607, and how long Windows Update for Business can defer its installation. - - **Table 3** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
CategoryMaximum deferralDeferral incrementsExampleClassification GUID
Feature Updates180 daysDaysFrom Windows 10, version 1511 to version 16073689BDC8-B205-4AF4-8D4A-A63924C5E9D5
Quality Updates30 daysDaysSecurity updates0FA1201D-4330-4FA8-8AE9-B877473B6441
Drivers (optional)EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
Non-security updatesCD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
Microsoft updates (Office, Visual Studio, etc.)varies
Non-deferrableNo deferralNo deferralDefinition updatesE0789628-CE08-4437-BE74-2495B842F43B
- -9. Close the Group Policy Management Editor. - -Because the **Windows Update for Business – CB2** GPO contains a computer policy and you only want to apply it to computers in the **Ring 2 Pilot Business Users** group, use **Security Filtering** to scope the policy’s effect. - -### Scope the policy to the Ring 2 Pilot Business Users group - -1. In the GPMC, select the **Windows Update for Business - CB2** policy. - -2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 2 Pilot Business Users** group. - - ![Scope policy to group](images/waas-wufb-gp-scope-cb2.png) - -The **Ring 2 Pilot Business Users** deployment ring has now been configured. Next, configure **Ring 4 Broad business users** to set those clients into the CBB servicing branch so that they receive feature updates as soon as they’re made available for the CBB servicing branch. - -### Configure Ring 4 Broad business users policy - -1. Open GPMC (gpmc.msc). - -2. Expand **Forest** > **Domains** > *your domain*. - -3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**. - -4. In the **New GPO** dialog box, type **Windows Update for Business - CBB1** for the name of the new GPO. - -5. Right-click the **Windows Update for Business - CBB1** GPO, and then click **Edit**. - -6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Defer Windows Updates**. - -7. Right-click **Select when Feature Updates are received**, and then click **Edit**. - -8. In the **Select when Feature Updates are received** policy, enable it, select a branch readiness level of **CBB**, and then click **OK**. - - ![Settings for this GPO](images/waas-wufb-gp-cbb1-settings.png) - -9. Close the Group Policy Management Editor. - - - -### Scope the policy to the Ring 4 Broad business users group - -1. In the GPMC, select the **Windows Update for Business - CBB1** policy. - -2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 4 Broad business users** group. - - -The **Ring 4 Broad business users** deployment ring has now been configured. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates - -### Configure Ring 5 Broad business users \#2 policy - -1. Open GPMC (gpmc.msc). - -2. Expand **Forest** > **Domains** > *your domain*. - -3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**. - -4. In the **New GPO** dialog box, type **Windows Update for Business - CBB2** for the name of the new GPO. - -5. Right-click the **Windows Update for Business - CBB2** GPO, and then click **Edit**. - -6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Defer Windows Updates**. - -7. Right-click **Select when Feature Updates are received**, and then click **Edit**. - -8. In the **Select when Feature Updates are received** policy, enable it, select a branch readiness level of **CBB**, set the feature update delay to **14** days, and then click **OK**. - - ![Settings for this GPO](images/waas-wufb-gp-cbb2-settings.png) - -9. Right-click **Select when Quality Updates are received**, and then click **Edit**. - -10. In the **Select when Quality Updates are received** policy, enable it, set the quality update delay to **7** days, and then click **OK**. - - ![Settings for this GPO](images/waas-wufb-gp-cbb2q-settings.png) - -11. Close the Group Policy Management Editor. - - - -### Scope the policy to the Ring 5 Broad business users \#2 group - -1. In the GPMC, select the **Windows Update for Business - CBB2** policy. - -2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 5 Broad business users #2** group. - -## Related topics - -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) -- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file diff --git a/windows/manage/waas-wufb-intune.md b/windows/manage/waas-wufb-intune.md deleted file mode 100644 index c730a5edfd..0000000000 --- a/windows/manage/waas-wufb-intune.md +++ /dev/null @@ -1,283 +0,0 @@ ---- -title: Walkthrough use Intune to configure Windows Update for Business (Windows 10) -description: Configure Windows Update for Business settings using Microsoft Intune. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Walkthrough: use Microsoft Intune to configure Windows Update for Business - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -You can use Intune to configure Windows Update for Business even if you don’t have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment. - -Windows Update for Business in Windows 10 version 1511 allows you to delay quality updates up to 4 weeks and feature updates up to an additional 8 months after Microsoft releases builds to the Current Branch for Business (CBB) servicing branch. In Windows 10 version 1607 and later, you can delay quality updates for up to 30 days and feature updates up to an additional 180 days after the release of either a Current Branch (CB) or CBB build. - -To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings. - ->[!NOTE] ->Coming soon: [Intune Groups will be converted to Azure Active Directory-based Security Groups](https://docs.microsoft.com/en-us/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune) - -## Configure Windows Update for Business in Windows 10, version 1511 - -In this example, you use two security groups to manage your updates: **Ring 4 Broad business users** and **Ring 5 Broad business users #2** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md). - -- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as they’re released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices. -- The **Ring 5 Broad business users #2** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release. - ->[!NOTE] ->Although the [sample deployment rings](waas-deployment-rings-windows-10-updates.md) specify a feature update deferral of 2 weeks for Ring 5, deferrals in Windows 10, version 1511 are in increments of months only. - -### Configure the Ring 4 Broad business users deployment ring for CBB with no deferral - -1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials. - -2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. - - ![Shows the UI for this step](images/waas-wufb-intune-step2a.png) - -3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**. - -5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. - -6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. - -7. In the **Value** box, type **1**, and then click **OK**. - - >[!NOTE] - >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. - - ![Settings for this policy](images/waas-wufb-intune-step7a.png) - -8. For this deployment ring, you’re required to enable only CBB, so click **Save Policy**. - -9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**. - - >[!NOTE] - >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. - -10. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**. - -You have now configured the **Ring 4 Broad business users** deployment ring to enable the CBB servicing branch. Now, you must configure **Ring 5 Broad business users #2** to accommodate a 1-week delay for quality updates and a 1-month delay for feature updates. - -### Configure the Ring 5 Broad business users \#2 deployment ring for CBB with deferrals - -1. In the Policy workspace, click **Configuration Policies**, and then click **Add**. - -2. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -3. Name the policy **Windows Update for Business – CBB2**. Then, in the **OMA-URI Settings** section, click **Add**. - In this policy, you add two OMA-URI settings, one for each deferment type. - -4. In **Setting name**, type **Enable Clients for CBB**, and then in the **Data type** list, select **Integer**. - -6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. Then, in the **Value** box, type **1**. - -7. Click **OK** to save the setting. - -8. In the **OMA-URI Settings** section, click **Add**. - -9. For this setting, in **Setting name**, type **Defer Updates for 1 Week**, and then in the **Data type** list, select **Integer**. - -11. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod**. - -12. In the **Value** box, type **1**. - -13. Click **OK** to save the setting. - -14. In the **OMA-URI Settings** section, click **Add**. - -15. For this setting, in **Setting name**, type **Defer Upgrades for 1 Month**, and then in the **Data type** list, select **Integer**. - -17. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod**. - -18. In the **Value** box, type **1**. - -19. Click **OK** to save the setting. - - Three settings should appear in the **Windows Update for Business – CBB2** policy. - - ![Settings for CBB2 policy](images/waas-wufb-intune-step19a.png) - -20. Click **Save Policy**, and then click **Yes** at the **Deploy Policy** prompt. - -21. In the **Manage Deployment** dialog box, select the **Ring 5 Broad business users #2** computer group, click **Add**, and then click **OK**. - -## Configure Windows Update for Business in Windows 10 version 1607 - -To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings. - -In this example, you use three security groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to manage your updates: - -- **Ring 2 Pilot Business Users** contains the PCs of business users which are part of the pilot testing process, receiving CB builds 28 days after they are released. -- **Ring 4 Broad business users** consists of IT members who receive updates after Microsoft releases a Windows 10 build to the CBB servicing branch. -- **Ring 5 Broad business users #2** consists of LOB users on CBB, who receive quality updates after 7 days and feature updates after 14 days. - -### Configure Ring 2 Pilot Business Users policy - -1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials. - -2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. - - ![Shows the UI for this step](images/waas-wufb-intune-step2a.png) - -3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -4. Name the policy **Windows Update for Business - CB2**. Then, in the **OMA-URI Settings** section, click **Add**. - -4. In **Setting name**, type **Enable Clients for CB**, and then select **Integer** from the **Data type** list. - -6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. - -7. In the **Value** box, type **0**, and then click **OK**. - - >[!NOTE] - >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. - - ![Settings for this policy](images/waas-wufb-intune-cb2a.png) - -8. Because the **Ring 2 Pilot Business Users** deployment ring receives the CB feature updates after 28 days, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. - -8. In **Setting name**, type **Defer feature updates for 28 days**, and then select **Integer** from the **Data type** list. -10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. -11. In the **Value** box, type **28**, and then click **OK**. - - ![Settings for this policy](images/waas-wufb-intune-step11a.png) - -9. Click **Save Policy**. - -9. In the **Deploy Policy: Windows Update for Business – CB2** dialog box, click **Yes**. - - >[!NOTE] - >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. - -10. In the **Manage Deployment: Windows Update for Business – CB2** dialog box, select the **Ring 2 Pilot Business Users** group, click **Add**, and then click **OK**. - -You have now configured the **Ring 2 Pilot Business Users** deployment ring to enable CB feature update deferment for 14 days. Now, you must configure **Ring 4 Broad business users** to receive CBB features updates as soon as they’re available. - -### Configure Ring 4 Broad business users policy - -2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. - - ![Shows the UI for this step](images/waas-wufb-intune-step2a.png) - -3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**. - -4. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. - -6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. - -7. In the **Value** box, type **1**, and then click **OK**. - - >[!NOTE] - >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. - - -8. Because the **Ring 4 Broad business users** deployment ring receives the CBB feature updates immediately, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. - -8. In **Setting name**, type **Defer feature updates for 0 days**, and then select **Integer** from the **Data type** list. - -10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. - -11. In the **Value** box, type **0**, and then click **OK**. - - ![Settings for this policy](images/waas-wufb-intune-cbb1a.png) - -9. Click **Save Policy**. - -9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**. - - >[!NOTE] - >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. - -10. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**. - -You have now configured the **Ring 4 Broad business users** deployment ring to receive CBB feature updates as soon as they’re available. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates. - - -### Configure Ring 5 Broad business users \#2 policy - -2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. - - ![Shows the UI for this step](images/waas-wufb-intune-step2a.png) - -3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -4. Name the policy **Windows Update for Business - CBB2**. Then, in the **OMA-URI Settings** section, click **Add**. - -4. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. - -6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. - -7. In the **Value** box, type **1**, and then click **OK**. - - >[!NOTE] - >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. - - -8. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. - -8. In **Setting name**, type **Defer quality updates for 7 days**, and then select **Integer** from the **Data type** list. - -10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays**. - -11. In the **Value** box, type **7**, and then click **OK**. - -8. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. - -8. In **Setting name**, type **Defer feature updates for 14 days**, and then select **Integer** from the **Data type** list. - -10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. - -11. In the **Value** box, type **14**, and then click **OK**. - - ![Settings for this policy](images/waas-wufb-intune-cbb2a.png) - -9. Click **Save Policy**. - -9. In the **Deploy Policy: Windows Update for Business – CBB2** dialog box, click **Yes**. - - >[!NOTE] - >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. - -10. In the **Manage Deployment: Windows Update for Business – CBB2** dialog box, select the **Ring 5 Broad Business Users #2** group, click **Add**, and then click **OK**. - -## Related topics - -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) -- [Manage device restarts after updates](waas-restart.md) - - - - - - - - From 7368362ec48249e90ecbbd04bd428bef32849af6 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 16 Feb 2017 10:30:22 -0800 Subject: [PATCH 22/65] Adding content --- .openpublishing.redirection.json | 257 ++++++++++++++++++++++++++++++- 1 file changed, 256 insertions(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index ed29e58d58..4f24a628d8 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -104,7 +104,262 @@ "source_path": "windows/manage/waas-update-windows-10.md", "redirect_url": "/itpro/windows/update/index", "redirect_document_id": true - }, + }, + { + "source_path": "windows/manage/configure-windows-telemetry-in-your-organization.md", + "redirect_url": "/itpro/windows/configure/configure-windows-telemetry-in-your-organization", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md", + "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/set-up-a-device-for-anyone-to-use.md", + "redirect_url": "/itpro/windows/configure/set-up-a-device-for-anyone-to-use", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md", + "redirect_url": "/itpro/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/guidelines-for-assigned-access-app.md", + "redirect_url": "/itpro/windows/configure/guidelines-for-assigned-access-app", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/lock-down-windows-10-to-specific-apps.md", + "redirect_url": "/itpro/windows/configure/lock-down-windows-10-to-specific-apps", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md", + "redirect_url": "/itpro/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/lockdown-xml.md", + "redirect_url": "/itpro/windows/configure/lockdown-xml", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/settings-that-can-be-locked-down.md", + "redirect_url": "/itpro/windows/configure/settings-that-can-be-locked-down", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/product-ids-in-windows-10-mobile.md", + "redirect_url": "/itpro/windows/configure/product-ids-in-windows-10-mobile", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/windows-spotlight.md", + "redirect_url": "/itpro/windows/configure/windows-spotlight", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/manage-tips-and-suggestions.md", + "redirect_url": "/itpro/windows/configure/manage-tips-and-suggestions", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/windows-10-start-layout-options-and-policies.md", + "redirect_url": "/itpro/windows/configure/windows-10-start-layout-options-and-policies", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/configure-windows-10-taskbar.md", + "redirect_url": "/itpro/windows/configure/configure-windows-10-taskbar", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/customize-and-export-start-layout.md", + "redirect_url": "/itpro/windows/configure/customize-and-export-start-layout", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/start-layout-xml-desktop.md", + "redirect_url": "/itpro/windows/configure/start-layout-xml-desktop", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/start-layout-xml-mobile.md", + "redirect_url": "/itpro/windows/configure/start-layout-xml-mobile", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/customize-windows-10-start-screens-by-using-group-policy.md", + "redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-group-policy", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md", + "redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md", + "redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/cortana-at-work-overview.md", + "redirect_url": "/itpro/windows/configure/cortana-at-work-overview", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/cortana-at-work-testing-scenarios.md", + "redirect_url": "/itpro/windows/configure/cortana-at-work-testing-scenarios", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/cortana-at-work-scenario-1.md", + "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-1", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/cortana-at-work-scenario-2.md", + "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-2", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/cortana-at-work-scenario-3.md", + "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-3", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/cortana-at-work-scenario-4.md", + "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-4", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/cortana-at-work-scenario-5.md", + "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-5", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/cortana-at-work-scenario-6.md", + "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-6", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/cortana-at-work-o365.md", + "redirect_url": "/itpro/windows/configure/cortana-at-work-o365", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/cortana-at-work-crm.md", + "redirect_url": "/itpro/windows/configure/cortana-at-work-crm", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/", + "redirect_url": "/itpro/windows/configure/", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/", + "redirect_url": "/itpro/windows/configure/", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/", + "redirect_url": "/itpro/windows/configure/", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/", + "redirect_url": "/itpro/windows/configure/", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/", + "redirect_url": "/itpro/windows/configure/", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/", + "redirect_url": "/itpro/windows/configure/", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/", + "redirect_url": "/itpro/windows/configure/", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/", + "redirect_url": "/itpro/windows/configure/", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/", + "redirect_url": "/itpro/windows/configure/", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/", + "redirect_url": "/itpro/windows/configure/", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/", + "redirect_url": "/itpro/windows/configure/", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/", + "redirect_url": "/itpro/windows/configure/", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/", + "redirect_url": "/itpro/windows/configure/", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/", + "redirect_url": "/itpro/windows/configure/", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/", + "redirect_url": "/itpro/windows/configure/", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/", + "redirect_url": "/itpro/windows/configure/", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/", + "redirect_url": "/itpro/windows/configure/", + "redirect_document_id": true + }, + + + + + + + + + + + + + + + + + + + + { "source_path": "windows/keep-secure/create-edp-policy-using-intune.md", "redirect_url": "https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-intune", From 2b31930fb193f4a67f8a3cad365c80556cc943cb Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 16 Feb 2017 10:34:02 -0800 Subject: [PATCH 23/65] Removed blank fields --- .openpublishing.redirection.json | 105 ------------------------------- 1 file changed, 105 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 4f24a628d8..957aebbdcf 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -255,111 +255,6 @@ "redirect_url": "/itpro/windows/configure/cortana-at-work-crm", "redirect_document_id": true }, - { - "source_path": "windows/manage/", - "redirect_url": "/itpro/windows/configure/", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/", - "redirect_url": "/itpro/windows/configure/", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/", - "redirect_url": "/itpro/windows/configure/", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/", - "redirect_url": "/itpro/windows/configure/", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/", - "redirect_url": "/itpro/windows/configure/", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/", - "redirect_url": "/itpro/windows/configure/", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/", - "redirect_url": "/itpro/windows/configure/", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/", - "redirect_url": "/itpro/windows/configure/", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/", - "redirect_url": "/itpro/windows/configure/", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/", - "redirect_url": "/itpro/windows/configure/", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/", - "redirect_url": "/itpro/windows/configure/", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/", - "redirect_url": "/itpro/windows/configure/", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/", - "redirect_url": "/itpro/windows/configure/", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/", - "redirect_url": "/itpro/windows/configure/", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/", - "redirect_url": "/itpro/windows/configure/", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/", - "redirect_url": "/itpro/windows/configure/", - "redirect_document_id": true - }, - { - "source_path": "windows/manage/", - "redirect_url": "/itpro/windows/configure/", - "redirect_document_id": true - }, - - - - - - - - - - - - - - - - - - - - { "source_path": "windows/keep-secure/create-edp-policy-using-intune.md", "redirect_url": "https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-intune", From 1fed50d00ee150eaf121023a1584360de3352fbd Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 16 Feb 2017 10:47:58 -0800 Subject: [PATCH 24/65] Adding content --- .openpublishing.redirection.json | 55 ++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 957aebbdcf..2d7c53809a 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -255,6 +255,61 @@ "redirect_url": "/itpro/windows/configure/cortana-at-work-crm", "redirect_document_id": true }, + { + "source_path": "windows/manage/cortana-at-work-powerbi.md", + "redirect_url": "/itpro/windows/configure/cortana-at-work-powerbi", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/cortana-at-work-voice-commands.md", + "redirect_url": "/itpro/windows/configure/cortana-at-work-voice-commands", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/cortana-at-work-policy-settings.md", + "redirect_url": "/itpro/windows/configure/cortana-at-work-policy-settings", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/cortana-at-work-feedback.md", + "redirect_url": "/itpro/windows/configure/cortana-at-work-feedback", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/stop-employees-from-using-the-windows-store.md", + "redirect_url": "/itpro/windows/configure/stop-employees-from-using-the-windows-store", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/configure-devices-without-mdm.md", + "redirect_url": "/itpro/windows/configure/configure-devices-without-mdm", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/changes-to-start-policies-in-windows-10.md", + "redirect_url": "/itpro/windows/configure/changes-to-start-policies-in-windows-10", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/how-it-pros-can-use-configuration-service-providers.md", + "redirect_url": "/itpro/windows/configure/how-it-pros-can-use-configuration-service-providers", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/lock-down-windows-10.md", + "redirect_url": "/itpro/windows/configure/index", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/lockdown-features-windows-10.md", + "redirect_url": "/itpro/windows/configure/lockdown-features-windows-10", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/manage-wifi-sense-in-enterprise.md", + "redirect_url": "/itpro/windows/configure/manage-wifi-sense-in-enterprise", + "redirect_document_id": true + }, { "source_path": "windows/keep-secure/create-edp-policy-using-intune.md", "redirect_url": "https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-intune", From eaa2ff5b7e5b6959e08fbcff03d7cf53a08b621c Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 16 Feb 2017 10:52:33 -0800 Subject: [PATCH 25/65] Redirection files --- ...changes-to-start-policies-in-windows-10.md | 172 --- .../manage/configure-devices-without-mdm.md | 203 --- .../manage/configure-windows-10-taskbar.md | 305 ---- ...-windows-telemetry-in-your-organization.md | 406 ----- windows/manage/cortana-at-work-crm.md | 62 - windows/manage/cortana-at-work-feedback.md | 24 - windows/manage/cortana-at-work-o365.md | 72 - windows/manage/cortana-at-work-overview.md | 64 - .../manage/cortana-at-work-policy-settings.md | 44 - windows/manage/cortana-at-work-powerbi.md | 138 -- windows/manage/cortana-at-work-scenario-1.md | 58 - windows/manage/cortana-at-work-scenario-2.md | 41 - windows/manage/cortana-at-work-scenario-3.md | 86 -- windows/manage/cortana-at-work-scenario-4.md | 51 - windows/manage/cortana-at-work-scenario-5.md | 57 - windows/manage/cortana-at-work-scenario-6.md | 37 - .../cortana-at-work-testing-scenarios.md | 32 - .../manage/cortana-at-work-voice-commands.md | 64 - .../customize-and-export-start-layout.md | 169 -- ...-10-start-screens-by-using-group-policy.md | 137 -- ...reens-by-using-mobile-device-management.md | 152 -- ...-by-using-provisioning-packages-and-icd.md | 122 -- .../guidelines-for-assigned-access-app.md | 104 -- ...can-use-configuration-service-providers.md | 238 --- .../lock-down-windows-10-to-specific-apps.md | 131 -- windows/manage/lock-down-windows-10.md | 16 - .../manage/lockdown-features-windows-10.md | 116 -- windows/manage/lockdown-xml.md | 870 ----------- ...system-components-to-microsoft-services.md | 1362 ----------------- windows/manage/manage-tips-and-suggestions.md | 64 - .../manage/manage-wifi-sense-in-enterprise.md | 99 -- .../product-ids-in-windows-10-mobile.md | 262 ---- .../set-up-a-device-for-anyone-to-use.md | 89 -- ...osk-for-windows-10-for-desktop-editions.md | 444 ------ ...kiosk-for-windows-10-for-mobile-edition.md | 199 --- .../settings-that-can-be-locked-down.md | 517 ------- windows/manage/start-layout-xml-desktop.md | 492 ------ windows/manage/start-layout-xml-mobile.md | 392 ----- ...-employees-from-using-the-windows-store.md | 124 -- ...ws-10-start-layout-options-and-policies.md | 178 --- windows/manage/windows-spotlight.md | 85 - 41 files changed, 8278 deletions(-) delete mode 100644 windows/manage/changes-to-start-policies-in-windows-10.md delete mode 100644 windows/manage/configure-devices-without-mdm.md delete mode 100644 windows/manage/configure-windows-10-taskbar.md delete mode 100644 windows/manage/configure-windows-telemetry-in-your-organization.md delete mode 100644 windows/manage/cortana-at-work-crm.md delete mode 100644 windows/manage/cortana-at-work-feedback.md delete mode 100644 windows/manage/cortana-at-work-o365.md delete mode 100644 windows/manage/cortana-at-work-overview.md delete mode 100644 windows/manage/cortana-at-work-policy-settings.md delete mode 100644 windows/manage/cortana-at-work-powerbi.md delete mode 100644 windows/manage/cortana-at-work-scenario-1.md delete mode 100644 windows/manage/cortana-at-work-scenario-2.md delete mode 100644 windows/manage/cortana-at-work-scenario-3.md delete mode 100644 windows/manage/cortana-at-work-scenario-4.md delete mode 100644 windows/manage/cortana-at-work-scenario-5.md delete mode 100644 windows/manage/cortana-at-work-scenario-6.md delete mode 100644 windows/manage/cortana-at-work-testing-scenarios.md delete mode 100644 windows/manage/cortana-at-work-voice-commands.md delete mode 100644 windows/manage/customize-and-export-start-layout.md delete mode 100644 windows/manage/customize-windows-10-start-screens-by-using-group-policy.md delete mode 100644 windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md delete mode 100644 windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md delete mode 100644 windows/manage/guidelines-for-assigned-access-app.md delete mode 100644 windows/manage/how-it-pros-can-use-configuration-service-providers.md delete mode 100644 windows/manage/lock-down-windows-10-to-specific-apps.md delete mode 100644 windows/manage/lock-down-windows-10.md delete mode 100644 windows/manage/lockdown-features-windows-10.md delete mode 100644 windows/manage/lockdown-xml.md delete mode 100644 windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md delete mode 100644 windows/manage/manage-tips-and-suggestions.md delete mode 100644 windows/manage/manage-wifi-sense-in-enterprise.md delete mode 100644 windows/manage/product-ids-in-windows-10-mobile.md delete mode 100644 windows/manage/set-up-a-device-for-anyone-to-use.md delete mode 100644 windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md delete mode 100644 windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md delete mode 100644 windows/manage/settings-that-can-be-locked-down.md delete mode 100644 windows/manage/start-layout-xml-desktop.md delete mode 100644 windows/manage/start-layout-xml-mobile.md delete mode 100644 windows/manage/stop-employees-from-using-the-windows-store.md delete mode 100644 windows/manage/windows-10-start-layout-options-and-policies.md delete mode 100644 windows/manage/windows-spotlight.md diff --git a/windows/manage/changes-to-start-policies-in-windows-10.md b/windows/manage/changes-to-start-policies-in-windows-10.md deleted file mode 100644 index 6cba8aeed7..0000000000 --- a/windows/manage/changes-to-start-policies-in-windows-10.md +++ /dev/null @@ -1,172 +0,0 @@ ---- -title: Changes to Group Policy settings for Windows 10 Start menu (Windows 10) -description: Windows 10 has a brand new Start experience. -ms.assetid: 612FB68A-3832-451F-AA97-E73791FEAA9F -keywords: ["group policy", "start menu", "start screen"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Changes to Group Policy settings for Windows 10 Start - - -**Applies to** - -- Windows 10 - -Windows 10 has a brand new Start experience. As a result, there are changes to the Group Policy settings that you can use to manage Start. Some policy settings are new or changed, and some old Start policy settings still apply. Other Start policy settings no longer apply and are deprecated. - -## Start policy settings supported for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -These policy settings are available in **Administrative Templates\\Start Menu and Taskbar** under **User Configuration**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PolicyNotes
Clear history of recently opened documents on exitDocuments that the user opens are tracked during the session. When the user signs off, the history of opened documents is deleted.
Do not allow pinning items in Jump ListsJump Lists are lists of recently opened items, such as files, folders, or websites, organized by the program that you use to open them. This policy prevents users from pinning items to any Jump List.
Do not display or track items in Jump Lists from remote locationsWhen this policy is applied, only items local on the computer are shown in Jump Lists.
Do not keep history of recently opened documentsDocuments that the user opens are not tracked during the session.
Prevent changes to Taskbar and Start Menu SettingsIn Windows 10, this disables all of the settings in Settings > Personalization > Start as well as the options in dialog available via right-click Taskbar > Properties
Prevent users from customizing their Start Screen

Use this policy in conjunction with [CopyProfile](https://go.microsoft.com/fwlink/p/?LinkId=623229) or other methods for configuring the layout of Start to prevent users from changing it

Prevent users from uninstalling applications from StartIn Windows 10, this removes the uninstall button in the context menu. It does not prevent users from uninstalling the app through other entry points (e.g. PowerShell)
Remove All Programs list from the Start menuIn Windows 10, this removes the All apps button.
Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commandsThis removes the Shut Down, Restart, Sleep, and Hibernate commands from the Start Menu, Start Menu power button, CTRL+ALT+DEL screen, and Alt+F4 Shut Down Windows menu.
Remove common program groups from Start MenuAs in earlier versions of Windows, this removes apps specified in the All Users profile from Start
Remove frequent programs list from the Start MenuIn Windows 10, this removes the top left Most used group of apps.
Remove Logoff on the Start MenuLogoff has been changed to Sign Out in the user interface, however the functionality is the same.
Remove pinned programs list from the Start MenuIn Windows 10, this removes the bottom left group of apps (by default, only File Explorer and Settings are pinned).
Show "Run as different user" command on StartThis enables the Run as different user option in the right-click menu for apps.
Start Layout

This applies a specific Start layout, and it also prevents users from changing the layout. This policy can be configured in User Configuration or Computer Configuration.

-
-Note   -

Start Layout policy setting applies only to Windows 10 Enterprise and Windows 10 Education.

-
-
-  -
Force Start to be either full screen size or menu sizeThis applies a specific size for Start.
- -  - -## Deprecated Group Policy settings for Start - - -The Start policy settings listed below do not work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting will not work on Windows 10. The “Supported on” text for a policy setting will not list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to. - -| Policy | When deprecated | -|----------------------------------------------------------------------------------|-----------------| -| Go to the desktop instead of Start when signing in | Windows 10 | -| List desktop apps first in the Apps view | Windows 10 | -| Pin Apps to Start when installed (User or Computer) | Windows 10 | -| Remove Default Programs link from the Start menu. | Windows 10 | -| Remove Documents icon from Start Menu | Windows 10 | -| Remove programs on Settings menu | Windows 10 | -| Remove Run menu from Start Menu | Windows 10 | -| Remove the "Undock PC" button from the Start Menu | Windows 10 | -| Search just apps from the Apps view | Windows 10 | -| Show Start on the display the user is using when they press the Windows logo key | Windows 10 | -| Show the Apps view automatically when the user goes to Start | Windows 10 | -| Add the Run command to the Start Menu | Windows 8 | -| Change Start Menu power button | Windows 8 | -| Gray unavailable Windows Installer programs Start Menu shortcuts | Windows 8 | -| Remove Downloads link from Start Menu | Windows 8 | -| Remove Favorites menu from Start Menu | Windows 8 | -| Remove Games link from Start Menu | Windows 8 | -| Remove Help menu from Start Menu | Windows 8 | -| Remove Homegroup link from Start Menu | Windows 8 | -| Remove Music icon from Start Menu | Windows 8 | -| Remove Network icon from Start Menu | Windows 8 | -| Remove Pictures icon from Start Menu | Windows 8 | -| Remove Recent Items menu from Start Menu | Windows 8 | -| Remove Recorded TV link from Start Menu | Windows 8 | -| Remove user folder link from Start Menu | Windows 8 | -| Remove Videos link from Start Menu | Windows 8 | - -  - -## Related topics - - -[Manage corporate devices](manage-corporate-devices.md) - -[New policies for Windows 10](new-policies-for-windows-10.md) - -[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) - -[Customize and export Start layout](customize-and-export-start-layout.md) - -[Customize Windows 10 Start screens with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start screens with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Customize Windows 10 Start screens with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -  - -  - - - - - diff --git a/windows/manage/configure-devices-without-mdm.md b/windows/manage/configure-devices-without-mdm.md deleted file mode 100644 index 04ba35f499..0000000000 --- a/windows/manage/configure-devices-without-mdm.md +++ /dev/null @@ -1,203 +0,0 @@ ---- -title: Configure devices without MDM (Windows 10) -description: Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10. -ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E -keywords: runtime provisioning, provisioning package -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile, devices -author: jdeckerMS -localizationpriority: medium ---- - -# Configure devices without MDM - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise. - -Sometimes mobile device management (MDM) isn't available to you for setting up a device because the device isn't connected to your network, or because an employee is remote and needs a fast replacement for a work device. You might not use MDM in your organization at all, but would like an easy way to place a standard configuration on multiple devices. - -Rather than wiping a device and applying a new system image, in Windows 10 you can apply a provisioning package at any time. A provisioning package can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. - -You can provide provisioning packages on a network shared folder that employees can access to configure their devices. Or you can put a provisioning package on a USB flash drive or SD card to hand out. - -Provisioning packages are simple for employees to install. And when they remove a provisioning package, policies that the package applied to their device are removed. - -## Advantages - - -- You can configure new devices without re-imaging. - -- Works on both mobile and desktop devices. - -- No network connectivity required. - -- Simple for people to apply. - -- Ensures compliance and security before a device is enrolled in MDM. - -## Typical use cases - - -- **Set up a new off-the-shelf device for an employee** - - Package might include edition upgrade, device name, company root certificate, Wi-Fi profile, domain join with service account, or company application. - -- **Configure an off-the-shelf mobile device to be used as a point of sale or inventory terminal** - - Package might include edition upgrade, device name, company root certificate, Wi-Fi profile, security policies, company application, or assigned access (also known as [kiosk mode](set-up-a-device-for-anyone-to-use.md). - -- **Help employees set up personally-owned devices to use for work** - - Package might include company root certificate, Wi-Fi profiles, security policies, or company application. - - > [!NOTE]   - > Test to make sure that removing the provisioning package from a personal device removes everything that the package installed. Some settings are not reverted when a provisioning package is removed from the device. - -   - -- **Repurpose devices by returning the device to a specific state between users** - - Package might include computer name, company root certificate, Wi-Fi profile, or company application. - - > [!NOTE]   - > To return the **Start** menu to a specific state, you must reset the device. When you reset the device, you can apply the provisioning package during the first-run experience. - -   - -For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). - -## Create a provisioning package - -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - -When you run Windows ICD, you have several options for creating your package. - -![Simple or advanced provisioning](images/ICDstart-option.png). - -- Choose **Simple provisioning** to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. -- Choose **Provision school devices** to quickly create provisioning packages that configure settings and policies tailored for students. Learn more about using Windows ICD to provision student PCs (link tb added). -- Choose **Advanced provisioning** to create provisioning packages in the advanced settings editor and include classic (Win32) and Universal Windows Platform (UWP) apps for deployment on end-user devices. - -> [!IMPORTANT] -> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -### Using Simple provisioning - -1. Open Windows ICD (by default, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`). -2. Click **Simple provisioning**. -2. Name your project and click **Finish**. -3. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length. -4. (Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to. - - Home to Education - - Pro to Education - - Pro to Enterprise - - Enterprise to Education - - Mobile to Mobile Enterprise -5. Click **Set up network**. -6. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. -7. Click **Enroll into Active Directory**. -8. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account. - - > [!WARNING] - > If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: - > - >- Use a least-privileged domain account to join the device to the domain. - >- Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. - >- [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. - -9. Click **Finish**. -10. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package. -11. Click **Create**. - - - -### Using Advanced provisioning - - - -1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). -2. Click **Advanced provisioning**. -3. Choose **New provisioning package**. -3. Name your project, and click **Next**. -4. Choose **All Windows editions**, **All Windows desktop editions**, or **All Windows mobile editions**, depending on the devices you intend to provision, and click **Next**. -5. On **New project**, click **Finish**. The workspace for your package opens. -6. Configure settings. [Learn more about specific settings in provisioning packages.]( https://go.microsoft.com/fwlink/p/?LinkId=615916) -7. On the **File** menu, select **Save.** -8. On the **Export** menu, select **Provisioning package**. -9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** -10. Set a value for **Package Version**. - > [!TIP]   - > You can make changes to existing packages and change the version number to update previously applied packages. -   -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - > [!IMPORTANT]   - > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. -   -12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location. - Optionally, you can click **Browse** to change the default output location. -13. Click **Next**. -14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. -16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: - - Shared network folder - - SharePoint site - - Removable media (USB/SD) - - Email - - USB tether (mobile only) - -Learn more: [Build and apply a provisioning package](https://go.microsoft.com/fwlink/p/?LinkID=629651) - -## Apply package - - -On a desktop computer, the employee goes to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install. The user can also add a provisioning package simply by double-clicking the .ppkg file in local storage, on removable media, or at a URL. - -![add a package option](images/package.png) - -On a mobile device, the employee goes to **Settings** > **Accounts** > **Provisioning.** > **Add a package**, and selects the package on removable media to install. - -![add provisioning package on phone](images/phoneprovision.png) - -## Manage a package - - -- Users can view details or delete package (if policy allows deletion); only user-installed packages are listed. - -- Deleting a package removes settings, profiles, certificates, and apps it contains. - -- Use policies to disable manual deletion of packages, installation of unsigned packages, or the installation of any additional packages. - -- Update content by installing a new package with same name and new version number. - -- Optionally, keep packages when you reset a mobile device. When you reset a desktop, runtime packages are removed. - - ![reset a device](images/resetdevice.png) - -## Learn more - - -- [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - -  - -  - - - - - diff --git a/windows/manage/configure-windows-10-taskbar.md b/windows/manage/configure-windows-10-taskbar.md deleted file mode 100644 index bd5e26f4ba..0000000000 --- a/windows/manage/configure-windows-10-taskbar.md +++ /dev/null @@ -1,305 +0,0 @@ ---- -title: Configure Windows 10 taskbar (Windows 10) -description: Admins can pin apps to users' taskbars. -keywords: ["taskbar layout","pin apps"] -ms.prod: W10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- -# Configure Windows 10 taskbar - -Starting in Windows 10, version 1607, administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. - -> [!NOTE] -> The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout. - -You can specify different taskbar configurations based on device locale and region. There is no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](https://go.microsoft.com/fwlink/p/?LinkId=614867) or Desktop Application Link Path (the local path to the application). - -If you specify an app to be pinned that is not provisioned for the user on the computer, the pinned icon won't appear on the taskbar. - -The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, to the right of any existing apps pinned by the user. - -> [!NOTE] -> In operating systems configured to use a right-to-left language, the taskbar order will be reversed. - -The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square). - -![Windows left, user center, enterprise to the right](images/taskbar-generic.png) - - -## Configure taskbar (general) - -To configure the taskbar: -1. Create the XML file. - * If you are also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `` section from the following sample to the file. - * If you are only configuring the taskbar, use the following sample to create a layout modification XML file. -2. Edit and save the XML file. You can use [AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867) or Desktop Application Link Path to identify the apps to pin to the taskbar. - * Use `` and [AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867) to pin Universal Windows Platform apps. - * Use `` and Desktop Application Link Path to pin desktop applications. -3. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). - ->[!IMPORTANT] ->If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy. - -### Tips for finding AUMID and Desktop Application Link Path - -In the layout modification XML file, you will need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path. - -The easiest way to find this data for an application is to: -1. Pin the application to the Start menu on a reference or testing PC. -2. Open Windows PowerShell and run the `Export-StartLayout` cmdlet. -3. Open the generated XML file. -4. Look for an entry corresponding to the app you pinned. -5. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath`. - - -### Sample taskbar configuration XML file - -```xml - - - - - - - - - - - -``` -### Sample taskbar configuration added to Start layout XML file - -```xml - - - - - - - - - - - - - - - - - - - - - - - -``` - -##Keep default apps and add your own - -The `` section will append listed apps to the taskbar by default. The following sample keeps the default apps pinned and adds pins for Paint, Microsoft Reader, and a command prompt. - -```xml - - - - - - - - - - - - -``` -**Before:** - -![default apps pinned to taskbar](images/taskbar-default.png) - -**After:** - - ![additional apps pinned to taskbar](images/taskbar-default-plus.png) - -## Remove default apps and add your own - -By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps; only the apps that you specify will be pinned to the taskbar. - -If you only want to remove some of the default pinned apps, you would use this method to remove all default pinned apps and then include the default app that you want to keep in your list of pinned apps. - -```xml - - - - - - - - - - - - - -``` -**Before:** - -![Taskbar with default apps](images/taskbar-default.png) - -**After:** - -![Taskbar with default apps removed](images/taskbar-default-removed.png) - -## Configure taskbar by country or region - -The following example shows you how to configure taskbars by country or region. When the layout is applied to a computer, if there is no `` node with a region tag for the current region, the first `` node that has no specified region will be applied. When you specify one or more countries or regions in a `` node, the specified apps are pinned on computers configured for any of the specified countries or regions. - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK: - -![taskbar for US and UK locale](images/taskbar-region-usuk.png) - -The resulting taskbar for computers in Germany or France: - -![taskbar for DE and FR locale](images/taskbar-region-defr.png) - -The resulting taskbar for computers in any other country region: - -![taskbar for all other regions](images/taskbar-region-other.png) - - -> [!NOTE] -> [Look up country and region codes (use the ISO Short column)](https://go.microsoft.com/fwlink/p/?LinkId=786445) - - - - -## Layout Modification Template schema definition - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Related topics - -[Manage Windows 10 Start and taskbar layout ](windows-10-start-layout-options-and-policies.md) - -[Customize and export Start layout](customize-and-export-start-layout.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) - - - diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md deleted file mode 100644 index a7f9bbef7e..0000000000 --- a/windows/manage/configure-windows-telemetry-in-your-organization.md +++ /dev/null @@ -1,406 +0,0 @@ ---- -description: Use this article to make informed decisions about how you can configure telemetry in your organization. -title: Configure Windows telemetry in your organization (Windows 10) -keywords: privacy -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -localizationpriority: high -author: brianlic-msft ---- - -# Configure Windows telemetry in your organization - -**Applies to** - -- Windows 10 -- Windows 10 Mobile -- Windows Server 2016 - -At Microsoft, we use Windows telemetry to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Telemetry gives users a voice in the operating system’s development. This guide describes the importance of Windows telemetry and how we protect that data. Additionally, it differentiates between telemetry and functional data. It also describes the telemetry levels that Windows supports. Of course, you can choose how much telemetry is shared with Microsoft, and this guide demonstrates how. - -To frame a discussion about telemetry, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows telemetry system in the following ways: - -- **Control.** We offer customers control of the telemetry they share with us by providing easy-to-use management tools. -- **Transparency.** We provide information about the telemetry that Windows and Windows Server collects so our customers can make informed decisions. -- **Security.** We encrypt telemetry in transit from your device and protect that data at our secure data centers. -- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. -- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows telemetry system. Customer content inadvertently collected is kept confidential and not used for user targeting. -- **Benefits to you.** We collect Windows telemetry to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all of our customers. - -This article applies to Windows and Windows Server telemetry only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, telemetry controls, and so on. This article describes the types of telemetry we may gather, the ways you might manage it in your organization, and some examples of how telemetry can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers. - -Use this article to make informed decisions about how you might configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services. - -We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. - -## Overview - -In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control telemetry streams by using the Privacy option in Settings, Group Policy, or MDM. - -For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization. - -## Understanding Windows telemetry - -Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us. - -The release cadence of Windows may be fast, so feedback is critical to its success. We rely on telemetry at each stage of the process to inform our decisions and prioritize our efforts. - -### What is Windows telemetry? -Windows telemetry is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways: - -- Keep Windows up to date -- Keep Windows secure, reliable, and performant -- Improve Windows – through the aggregate analysis of the use of Windows -- Personalize Windows engagement surfaces - -Here are some specific examples of Windows telemetry data: - -- Type of hardware being used -- Applications installed and usage details -- Reliability information on device drivers - -### What is NOT telemetry? - -Telemetry can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not telemetry. For example, exchanging a user’s location for local weather or news is not an example of telemetry—it is functional data that the app or service requires to satisfy the user’s request. - -There are subtle differences between telemetry and functional data. Windows collects and sends telemetry in the background automatically. You can control how much information is gathered by setting the telemetry level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data. - -If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services). - -The following are specific examples of functional data: - -- Current location for weather -- Bing searches -- Wallpaper and desktop settings synced across multiple devices - -### Telemetry gives users a voice - -Windows and Windows Server telemetry gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits. - -### Drive higher app and driver quality - -Our ability to collect telemetry that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Telemetry helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues. - -A real-world example of how Windows telemetry helps us quickly identify and fix issues is a particular version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our telemetry, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on telemetry from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Telemetry helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls. - -### Improve end-user productivity - -Windows telemetry also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are: - -- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time. -- **Cortana.** We use telemetry to monitor the scalability of our cloud service, improving search performance. -- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later telemetry showed significantly higher usage of this feature. - -**These examples show how the use of telemetry data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.** - - -### Insights into your own organization - -Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Windows 10 Upgrade Analytics](../deploy/manage-windows-upgrades-with-upgrade-analytics.md). - -#### Windows 10 Upgrade Analytics - -Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. - -To better help customers through this difficult process, Microsoft developed Upgrade Analytics to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. - -With Windows telemetry enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. - -Use Upgrade Analytics to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer, driver, and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools - -The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. - -## How is telemetry data handled by Microsoft? - -### Data collection - -Windows 10 and Windows Server 2016 includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. - -1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces. -2. Events are gathered using public operating system event logging and tracing APIs. -3. You can configure the telemetry level by using an MDM policy, Group Policy, or registry settings. -4. The Connected User Experience and Telemetry component transmits the telemetry data. - -Info collected at the Enhanced and Full levels of telemetry is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels. - -### Data transmission - -All telemetry data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. - -### Endpoints - -The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access. - -The following table defines the endpoints for telemetry services: - -| Service | Endpoint | -| - | - | -| Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com
settings-win.data.microsoft.com | -| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | -| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com | -| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 | - -### Data use and access - -The principle of least privileged access guides access to telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third party partners that include aggregated and anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management. - -### Retention - -Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Windows Store purchase history. - -## Telemetry levels - - -This section explains the different telemetry levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the **Security** level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. - -The telemetry data is categorized into four levels: - -- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. - -- **Basic**. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the **Security** level. - -- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels. - -- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels. - -The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016. - -![breakdown of telemetry levels and types of administrative controls](images/priv-telemetry-levels.png) - -### Security level - -The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windos IoT Core editions. - -> [!NOTE] -> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. - -Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center gathered. - -  - -The data gathered at this level includes: - -- **Connected User Experience and Telemetry component settings**. If general telemetry data has been gathered and is queued, it is sent to Microsoft. Along with this telemetry, the Connected User Experience and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experience and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). - -- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. - - > [!NOTE] - > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). - -   - -- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. - - > [!NOTE] - > This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender). - - Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates. - -   - -For servers with default telemetry settings and no Internet connectivity, you should set the telemetry level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity. - -No user content, such as user files or communications, is gathered at the **Security** telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time. - -### Basic level - -The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent. - -The data gathered at this level includes: - -- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. Examples include: - - - Device attributes, such as camera resolution and display type - - - Internet Explorer version - - - Battery attributes, such as capacity and type - - - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number - - - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware - - - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system - - - Operating system attributes, such as Windows edition and virtualization state - - - Storage attributes, such as number of drives, type, and size - -- **Connected User Experience and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time. - -- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app. - -- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems. - - - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. - - - **App usage data**. Includes how an app is used, including how long an app is used, when the app has focus, and when the app is started - - - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. - - - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS. - - - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system. - - - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. - -- **Windows Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses. - -### Enhanced level - -The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. - -This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues. - -The data gathered at this level includes: - -- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components. - -- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge. - -- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events. - -- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps. - -If the Connected User Experience and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experience and Telemetry component at the **Enhanced** telemetry level will only gather data about the events associated with the specific issue. - -### Full level - -The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels. - -Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level. - -If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** telemetry level and have exhibited the problem. - -However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information: - -- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe. - -- Ability to get registry keys. - -- All crash dump types, including heap dumps and full dumps. - -## Enterprise management - -Sharing telemetry data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the telemetry level and managing specific components is the best option. - -Customers can set the telemetry level in both the user interface and with existing management tools. Users can change the telemetry level in the **Diagnostic and usage data** setting. In the Settings app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic, Enhanced, and Full. The Security level is not available. - -IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a telemetry level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security telemetry level is available when managing the policy. Setting the telemetry level through policy overrides users’ choices. The remainder of this section describes how to do that. - - -### Manage your telemetry settings - -We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center. - -> [!IMPORTANT] -> These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx). - -You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on. - -The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 is **Enhanced**. - -### Configure the operating system telemetry level - -You can configure your operating system telemetry settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any device level settings. - -Use the appropriate value in the table below when you configure the management policy. - -| Level | Data gathered | Value | -| - | - | - | -| Security | Security data only. | **0** | -| Basic | Security data, and basic system and quality data. | **1** | -| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** | -| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** | - - -### Use Group Policy to set the telemetry level - -Use a Group Policy object to set your organization’s telemetry level. - -1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. - -2. Double-click **Allow Telemetry**. - -3. In the **Options** box, select the level that you want to configure, and then click **OK**. - -### Use MDM to set the telemetry level - -Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy. - -### Use Registry Editor to set the telemetry level - -Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting. - -1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**. - -2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**. - -3. Type **AllowTelemetry**, and then press ENTER. - -4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.** - -5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization. - -### Configure System Center 2016 telemetry - -For System Center 2016 Technical Preview, you can turn off System Center telemetry by following these steps: - -- Turn off telemetry by using the System Center UI Console settings workspace. - -- For information about turning off telemetry for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505). - -### Additional telemetry controls - -There are a few more settings that you can turn off that may send telemetry information: - -- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/). - -- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**. - -- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). - -- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At telemetry levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. - - > [!NOTE] - > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. - -## Additional resources - -FAQs - -- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy) -- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) -- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy) -- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy) -- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) -- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq) -- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) -- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) -- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization) - -Blogs - -- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) - -Privacy Statement - -- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) - -TechNet - -- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) - -Web Pages - -- [Privacy at Microsoft](http://privacy.microsoft.com) diff --git a/windows/manage/cortana-at-work-crm.md b/windows/manage/cortana-at-work-crm.md deleted file mode 100644 index 834bde8a92..0000000000 --- a/windows/manage/cortana-at-work-crm.md +++ /dev/null @@ -1,62 +0,0 @@ ---- -title: Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization (Windows 10) -description: How to set up Cortana to help your salespeople get proactive insights on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -localizationpriority: high ---- - -# Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization -**Applies to:** - -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, your salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time. This can even include getting company-specific news that surfaces when the person is meeting with a representative from another company. - ->[!NOTE] ->For more info about Dynamics CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](http://go.microsoft.com/fwlink/p/?LinkId=746819). - -![Cortana at work, showing the sales data pulled from Dynamics CRM](images/cortana-crm-screen.png) - -## Turn on Cortana with Dynamics CRM in your organization -You must be a CRM administrator to turn on and use Preview features. For more info about what Preview features are and how to use them, see [What are Preview features and how do I enable them](http://go.microsoft.com/fwlink/p/?LinkId=746817)? - -**To turn on Cortana with Dynamics CRM** - -1. Go to **Settings**, and then click **Administration**. - -2. Choose **System Settings**, and then click the **Previews** tab. - -3. Read the license terms, and if you agree, select the **I’ve read and agree to the license terms** check box. - -4. For each preview feature you want to enable, click **Yes**. - -## Turn on Cortana with Dynamics CRM on your employees’ devices -You must tell your employees to turn on Cortana, before they’ll be able to use it with Dynamics CRM. - -**To turn on local Cortana with Dynamics CRM** - -1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon. - -2. Click on **Connected Services**, click **Dynamics CRM**, and then click **Connect**. - - ![Cotana at work, showing how to turn on the connected services for Dynamics CRM](images/cortana-connect-crm.png) - - The employee can also disconnect by clicking **Disconnect** from the **Dynamics CRM** screen. - -## Turn off Cortana with Dynamics CRM -Cortana can only access data in Dynamics CRM when it’s turned on. If you don’t want Cortana to access your corporate data, you can turn it off. - -**To turn off Cortana with Dynamics CRM** -1. Go to **Settings**, and then click **Administration**. - -2. Choose **System Settings**, and then click the **Previews** tab. - -3. Click **No** for **Cortana**. - - All Dynamics CRM functionality related to Cortana is turned off in your organization. \ No newline at end of file diff --git a/windows/manage/cortana-at-work-feedback.md b/windows/manage/cortana-at-work-feedback.md deleted file mode 100644 index ca24c22703..0000000000 --- a/windows/manage/cortana-at-work-feedback.md +++ /dev/null @@ -1,24 +0,0 @@ ---- -title: Send feedback about Cortana at work back to Microsoft (Windows 10) -description: How to send feedback to Microsoft about Cortana at work. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -localizationpriority: high ---- - -# Send feedback about Cortana at work back to Microsoft -**Applies to:** - -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -We ask that you report bugs and issues. To provide feedback, you can click the **Feedback** icon in the Cortana window. When you send this form to Microsoft it also includes troubleshooting info, in case you run into problems. - -![Cortana at work, showing how to provide feedback to Microsoft](images/cortana-feedback.png) - -If you don't want to use the feedback tool in Cortana, you can add feedback through the general Windows Insider Preview feedback app. For info about the Insider Preview feedback app, see [How to use Windows Insider Preview – Updates and feedback](http://windows.microsoft.com/en-us/windows/preview-updates-feedback-pc). - diff --git a/windows/manage/cortana-at-work-o365.md b/windows/manage/cortana-at-work-o365.md deleted file mode 100644 index d58663dc00..0000000000 --- a/windows/manage/cortana-at-work-o365.md +++ /dev/null @@ -1,72 +0,0 @@ ---- -title: Set up and test Cortana with Office 365 in your organization (Windows 10) -description: How to connect Cortana to Office 365 so your employees are notified about regular meetings, unusual events, such as meetings over lunch or during a typical commute time, and about early meetings, even setting an alarm so the employee isn’t late. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -localizationpriority: high ---- - -# Set up and test Cortana with Office 365 in your organization -**Applies to:** - -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -Cortana in Windows 10 is already great at letting your employees quickly see what the day is going to look like, do meeting prep work like researching people in LinkedIn or getting documents ready, see where and when their meetings are going to be, get a sense of travel times to and from work, and even get updates from a calendar for upcoming trips. - -But Cortana works even harder when she connects to Office 365, helping employees to be notified about unusual events, such as meetings over lunch or during a typical commute time, and about early meetings, even setting an alarm so the employee isn’t late. - -![Cortana at work, showing the day's schedule pulled from Office 365](images/cortana-o365-screen.png) - -We’re continuing to add more and more capabilities to Cortana so she can become even more helpful with your productivity-related tasks, such as emailing, scheduling, and other tasks that are important to help you be successful. - ->[!NOTE] ->For a quick review of the frequently asked questions about Cortana and Office 365 integration, see the blog post, [An early look at Cortana integration with Office 365](http://go.microsoft.com/fwlink/p/?LinkId=717379). - -## Before you begin -There are a few things to be aware of before you start using Cortana with Office 365 in your organization. - -- **Software requirements.** O365 integration with Cortana is available in all countries/regions where Cortana is supported for consumers today. This includes the United States, United Kingdom, Canada, France, Italy, Germany, Spain, China, Japan, India, and Australia. As Cortana comes to more countries, it will also become available to organizations. - -- **Azure Active Directory (Azure AD) account.** Before your employees can use Cortana in your org, they must be logged in using their Azure AD account through Cortana’s notebook. They must also authorize Cortana to access Office 365 on their behalf. - -- **Office 365 Trust Center.** Cortana isn't a service covered by the Office 365 Trust Center. [Learn more about how Cortana treats your data](http://go.microsoft.com/fwlink/p/?LinkId=536419). - -- **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](http://go.microsoft.com/fwlink/p/?LinkId=620763). - -## Turn on Cortana with Office 365 on employees’ devices -You must tell your employees to turn on Cortana before they’ll be able to use it with Office 365. - -**To turn on local Cortana with Office 365** - -1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon. - -2. Click on **Connected Services**, click **Office 365**, and then click **Connect**. - - ![Cotana at work, showing how to turn on the connected services for Office 365](images/cortana-connect-o365.png) - - The employee can also disconnect by clicking **Disconnect** from the **Office 365** screen. - -## Turn off Cortana with Office 365 -Cortana can only access data in your Office 365 org when it’s turned on. If you don’t want Cortana to access your corporate data, you can turn it off in the Office 365 admin center. - -**To turn off Cortana with Office 365** -1. [Sign in to Office 365](http://www.office.com/signin) using your Azure AD account. - -2. Go to the [Office 365 admin center](https://support.office.com/en-us/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547). - -3. Expand **Service Settings**, and select **Cortana**. - -4. Click **Cortana** to toggle Cortana off. - - All Office 365 functionality related to Cortana is turned off in your organization and your employees are unable to use her at work. - - - - - - diff --git a/windows/manage/cortana-at-work-overview.md b/windows/manage/cortana-at-work-overview.md deleted file mode 100644 index 96064364c3..0000000000 --- a/windows/manage/cortana-at-work-overview.md +++ /dev/null @@ -1,64 +0,0 @@ ---- -title: Cortana integration in your business or enterprise (Windows 10) -description: The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -localizationpriority: high ---- - -# Cortana integration in your business or enterprise -**Applies to:** - -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -## Who is Cortana? -Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. -Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work. - -Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data. - -![Cortana at work, showing the About me screen](images/cortana-about-me.png) - -## Where is Cortana available for use in my organization? -You can use Cortana at work in all countries/regions where Cortana is supported for consumers. This includes the United States, United Kingdom, Canada, France, Italy, Germany, Spain, China, Japan, India, and Australia. As Cortana comes to more countries, she will also become available to enterprise customers. - -Cortana is available on Windows 10, Windows Insider Program and with limited functionality on Windows Phone 8.1, Windows Insider Program. - -## Required hardware and software -Cortana requires the following hardware and software to successfully run the included scenario in your organization. - -|Hardware |Description | -|---------|------------| -|Microphone |For speech interaction with Cortana. If you don't have a microphone, you can still interact with Cortana by typing in the Cortana Search Box in the taskbar. | -|Windows Phone |For location-specific reminders. You can also use a desktop device to run through this scenario, but location accuracy is usually better on phones. | -|Desktop devices |For non-phone-related scenarios. | - - -|Software |Minimum version | -|---------|------------| -|Client operating system |

  • **Desktop:** Windows 10, Windows Insider Program
  • **Mobile:** Windows 8.1, Windows Insider Program (with limited functionality)
  • | -|Azure Active Directory (Azure AD) |While all employees signing into Cortana need an Azure AD account; an Azure AD premium tenant isn’t required. | -|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana, but won't turn Cortana off.

    For example:

    If you turn **Location** off, Cortana won't be able to provide location-based reminders, such as reminding you to visit the mail room when you get to work.

    If you turn **Speech** off, your employees won't be able to use “Hello Cortana” for hands free usage or voice commands to easily ask for help. | -|Windows Information Protection (WIP) (optional) |If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md)

    If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft System Center Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.| - -## Signing in using Azure AD -Your organization must have an Azure AD tenant and your employees’ devices must all be Azure AD-joined for Cortana to work properly. For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [What is an Azure AD directory?](https://msdn.microsoft.com/library/azure/jj573650.aspx) - -## Cortana and privacy -We understand that there are some questions about Cortana and your organization’s privacy, including concerns about what info is collected by Cortana, where the info is saved, how to manage what data is collected, how to turn Cortana off, how to opt completely out of data collection, and what info is shared with other Microsoft apps and services. For more details about these concerns, see the [Cortana, Search, and privacy: FAQ](http://windows.microsoft.com/windows-10/cortana-privacy-faq) topic. - -Cortana is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement). - -## See also -- [What is Cortana?](http://go.microsoft.com/fwlink/p/?LinkId=746818) - -- [Cortana and Windows](http://go.microsoft.com/fwlink/?LinkId=717384) - -- [Known issues for Windows Desktop Search and Cortana in Windows 10](http://support.microsoft.com/kb/3206883/EN-US) - -- [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385) diff --git a/windows/manage/cortana-at-work-policy-settings.md b/windows/manage/cortana-at-work-policy-settings.md deleted file mode 100644 index 83f10f7d3e..0000000000 --- a/windows/manage/cortana-at-work-policy-settings.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -title: Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization (Windows 10) -description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -localizationpriority: high ---- - -# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization -**Applies to:** - -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - ->[!NOTE] ->For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381). - -|Group policy |MDM policy |Description | -|-------------|-----------|------------| -|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock|AboveLock/AllowCortanaAboveLock|Specifies whether an employee can interact with Cortana using voice commands when the system is locked.

    **NOTE**
    This setting only applies to Windows 10 for desktop devices. | -|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization|Privacy/AllowInputPersonalization|Specifies whether an employee can use voice commands with Cortana in your organization.

    **In Windows 10, version 1511**
    Cortana won’t work if this setting is turned off (disabled).

    **In Windows 10, version 1607 and later**
    Cortana still works if this setting is turned off (disabled).| -|None|System/AllowLocation|Specifies whether to allow app access to the Location service.

    **In Windows 10, version 1511**
    Cortana won’t work if this setting is turned off (disabled).

    **In Windows 10, version 1607 and later**
    Cortana still works if this setting is turned off (disabled).| -|None|Accounts/AllowMicrosoftAccountConnection|Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.

    Use this setting if you only want to support Azure AD in your organization.| -|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location|Search/AllowSearchToUseLocation|Specifies whether Cortana can use your current location during searches and for location reminders.| -|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.

    **NOTE**
    This setting only applies to Windows 10 Mobile.| -|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box|None|Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.| -|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results|None|Specifies whether search can perform queries on the web and if the web results are displayed in search.

    **In Windows 10 Pro edition**
    This setting can’t be managed.

    **In Windows 10 Enterprise edition**
    Cortana won't work if this setting is turned off (disabled).| -|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.

    **IMPORTANT**
    Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.| - - - - - - - - - - - - diff --git a/windows/manage/cortana-at-work-powerbi.md b/windows/manage/cortana-at-work-powerbi.md deleted file mode 100644 index 98b90f572f..0000000000 --- a/windows/manage/cortana-at-work-powerbi.md +++ /dev/null @@ -1,138 +0,0 @@ ---- -title: Set up and test Cortana for Power BI in your organization (Windows 10) -description: How to integrate Cortana with Power BI to help your employees get answers directly from your key business data. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -localizationpriority: high ---- - -# Set up and test Cortana for Power BI in your organization -**Applies to:** - -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop. - ->[!Note] ->Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/). - -## Before you begin -To use this walkthrough, you’ll need: - -- **Windows 10**. You’ll need to be running at least Windows 10 with the latest version from the Windows Insider Program. - -- **Cortana**. You need to have Cortana turned on and be logged into your account. - -- **Power BI account with data**. You can use an existing Power BI account, or else you can get a trial account by signing up at http://powerbi.com. Just make sure that either way, you enter some data that you can use. - -- **Azure Active Directory (Azure AD)/Work or School account**. You can use the account that you created for Office 365, or you can create a new one while you’re establishing your Power BI account. If you choose to use Azure AD, you must connect your Azure AD account to your Windows account. - - **To connect your account to Windows** - a. Open **Windows Settings**, click **Accounts**, click **Access work or school**, and then in the **Connect to work or school** section, click **Connect**. - - b. Follow the instructions to add your Azure Active Directory (Azure AD) account to Windows. - -## Set up your test environment for Cortana for Power BI -Before you can start this testing scenario, you must first set up your test environment and data, and then you must turn on and set up Cortana to connect and work with Power BI. - -**To set up your test environment with Cortana and Power BI** - -1. Go to http://powerbi.com and sign-in with the same O365 credentials you used in the Set up and use Cortana with Office 365 topic. - -2. Expand the left rail by clicking the **Show the navigation pane** icon. - - ![Cortana at work, showing the navigation expand icon in Power BI](images/cortana-powerbi-expand-nav.png) - -3. Click **Get Data** from the left-hand navigation in Power BI. - - ![Cortana at work, showing the Get Data link](images/cortana-powerbi-getdata.png) - -4. Click **Samples** from the **Content Pack Library** area of the **Get Data** screen. - - ![Cortana at work, showing the Samples link](images/cortana-powerbi-getdata-samples.png) - -5. Click **Retail Analysis Sample**, and then click **Connect**. - - ![Cortana at work, showing the Samples link](images/cortana-powerbi-retail-analysis-sample.png) - - The sample data is imported and you’re returned to the **Power BI** screen. - -6. Click **Dashboards** from the left pane of the **Power BI** screen, and then click **Retail Analysis Sample**. - - ![Cortana at work, showing a dashboard view of the sample data](images/cortana-powerbi-retail-analysis-dashboard.png) - -7. In the upper right-hand menu, click the **Settings** icon, and then click **Settings**. - - ![Cortana at work, showing where to find the Settings option](images/cortana-powerbi-settings.png) - -8. Click the **Datasets** tab, and then pick the **Retail Analysis Sample** dataset from the list. - -9. Click **Q&A and Cortana**, check the **Allow Cortana to access this dataset** box, and then click **Apply**. - - ![Cortana at work, showing where to find the dataset options](images/cortana-powerbi-retail-analysis-dataset.png) - - >[!NOTE] - >It can take up to 30 minutes for a new dataset to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.

    If you enable a dataset for Cortana, and that dataset is part of a content pack you own, you’ll need to re-publish for your colleagues to also use it with Cortana. - -## Create a custom Answer Page for Cortana -You must create special reports, known as _Answer Pages_, to display the most commonly asked answers in Cortana. For example, if you want Cortana to quickly show sales data to your employees, you can create a 2016 sales data Answer Page that shows sales data, with various pivots, in Cortana. - -After you’ve finished creating your Answer Page, you can continue to the included testing scenarios. - - >[!NOTE] - >It can take up to 30 minutes for a custom Answer Page to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately. - -**To create a custom sales data Answer Page for Cortana** -1. In Power BI, click **My Workspace**, click **Create**, and then click **Report**. - - ![Cortana at work, showing where to create the new report](images/cortana-powerbi-create-report.png) - -2. In the **Create Report** screen, click the **Retail Analysis Sample**, and then click **Create**. - - A blank report page appears. - -3. In the **Visualizations** pane, click the paint roller icon, expand **Page Size**, and then pick **Cortana** from the **Type** drop-down list. - - ![Cortana at work, showing the Visualizations options](images/cortana-powerbi-pagesize.png) - -4. In the **Fields** pane, click to expand **Sales**, expand **This year sales**, and then add both **Value** and **Goal**. - - ![Cortana at work, showing the Field options](images/cortana-powerbi-field-selection.png) - - The automatically generated graph is added to your blank report. You have the option to change colors, add borders, add additional visualizations, and modify this page so that it answers the question about sales data as precisely, and in as custom a way, as you want. You just need to make sure that it all stays within the page borders. - -5. In the **Visualizations** pane, click the paint roller icon again, expand **Page Information**, type _Sales data 2016_ into the **Name** box, turn on **Q&A**, and then add alternate report names (separated by commas) into the text box. - - The alternate names help Cortana to know what questions to look for and when to show this report. To also improve your results, you should avoid using the names of your report columns. - - ![Cortana at work, showing the page info for your specific report](images/cortana-powerbi-report-qna.png) - -6. Click **File**, click **Save as**, and save the report as _Sales data 2016_. - - Because this is part of the Retail Analysis Sample, it will automatically be included as part of the dataset you included for Cortana. However, you will still need to log in and out of Windows 10, or otherwise restart Cortana, before the new content appears. - -## Test Scenario: Use Cortana to show info from Power BI in your organization -Now that you’ve set up your device, you can use Cortana to show your info from within Power BI. - -**To use Cortana with Power BI** -1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. - -2. Type _This year in sales_. - - Cortana shows you the available results. - - ![Cortana at work, showing the best matches based on the Power BI data](images/cortana-powerbi-search.png) - -3. In the **Power BI** area, click **This year in sales – in Retail Analysis Sample**. - - Cortana returns your custom report. - - ![Cortana at work, showing your custom report from Power BI](images/cortana-powerbi-myreport.png) - ->[!NOTE] ->For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/). diff --git a/windows/manage/cortana-at-work-scenario-1.md b/windows/manage/cortana-at-work-scenario-1.md deleted file mode 100644 index 4a9714a455..0000000000 --- a/windows/manage/cortana-at-work-scenario-1.md +++ /dev/null @@ -1,58 +0,0 @@ ---- -title: Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook (Windows 10) -description: A test scenario walking you through signing in and managing the notebook. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -localizationpriority: high ---- - -# Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook - -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - ->[!IMPORTANT] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. - -This scenario turns on Azure AD and let's your employee use Cortana to manage an entry in the notebook. - -## Turn on Azure AD -This process helps you to sign out of a Microsoft Account and to sign into an Azure AD account. - -1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, and then click **About Me**. - -2. Click your email address. - - A dialog box appears, showing the associated account info. - -3. Click your email address again, and then click **Sign out**. - - This signs out the Microsoft account, letting you continue to add and use the Azure AD account. - -4. Click the **Search** box and then the **Notebook** icon in the left rail. This will start the sign-in request. - -5. Click **Sign-In** and follow the instructions. - -6. When you’re asked to sign in, you’ll need to choose an Azure AD account, which will look like kelliecarlson@contoso.com. - - >[!IMPORTANT] - >If there’s no Azure AD account listed, you’ll need to go to **Windows Settings > Accounts > Email & app accounts**, and then click **Add a work or school account** to add it. - -## Use Cortana to manage the notebook content -This process helps you to manage the content Cortana shows in your Notebook. - -1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, scroll down and click **Weather**. - -2. In the **Weather** settings, scroll down to the **Cities your tracking** area, and then click **Add a city**. - -3. Add *Redmond, Washington*, double-click the search result, click **Add**, and then click **Save**. - - ![Cortana at work, showing the multiple Weather screens](images/cortana-weather-multipanel.png) - -4. Click on the **Home** icon and scroll to the weather forecast for Redmond, Washington. - - ![Cortana at work, showing Redmond, WA weather](images/cortana-redmond-weather.png) \ No newline at end of file diff --git a/windows/manage/cortana-at-work-scenario-2.md b/windows/manage/cortana-at-work-scenario-2.md deleted file mode 100644 index fb7b00d578..0000000000 --- a/windows/manage/cortana-at-work-scenario-2.md +++ /dev/null @@ -1,41 +0,0 @@ ---- -title: Test scenario 2 - Perform a quick search with Cortana at work (Windows 10) -description: A test scenario about how to perform a quick search with Cortana at work. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -localizationpriority: high ---- - -# Test scenario 2 - Perform a quick search with Cortana at work - -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - ->[!IMPORTANT] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. - -This scenario helps you perform a quick search using Cortana, both by typing and through voice commands. - -## Search using Cortana -This process helps you use Cortana at work to perform a quick search. - -1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. - -2. Type *Weather in New York*. - - You should see the weather in New York, New York at the top of the search results. - - ![Cortana at work, showing the weather in New York, New York](images/cortana-newyork-weather.png) - -## Search with Cortana, by using voice commands -This process helps you to use Cortana at work and voice commands to perform a quick search. - -1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box). - -2. Say *What's the weather in Chicago?* Cortana tells you and shows you the current weather in Chicago. - - ![Cortana at work, showing the current weather in Chicago, IL](images/cortana-chicago-weather.png) \ No newline at end of file diff --git a/windows/manage/cortana-at-work-scenario-3.md b/windows/manage/cortana-at-work-scenario-3.md deleted file mode 100644 index 89610c7093..0000000000 --- a/windows/manage/cortana-at-work-scenario-3.md +++ /dev/null @@ -1,86 +0,0 @@ ---- -title: Test scenario 3 - Set a reminder for a specific location using Cortana at work (Windows 10) -description: A test scenario about how to set a location-based reminder using Cortana at work. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -localizationpriority: high ---- - -# Test scenario 3 - Set a reminder for a specific location using Cortana at work - -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - ->[!IMPORTANT] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. - -This scenario helps you set up, review, and edit a reminder based on a location. For example, reminding yourself to grab your expense report receipts before you leave the house. - ->[!NOTE] ->You can set each reminder location individually as you create the reminders, or you can go into the **About me** screen and add both **Work** and **Home** addresses as favorites. Make sure that you use real addresses since you’ll need to go to these locations to complete your testing scenario.

    Additionally, if you’ve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), you’ll also see your pending reminders on the Cortana **Home** page. - -## Create a reminder for a specific location -This process helps you to create a reminder based on a specific location. - -1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**. - -2. Click the **+** sign, add a subject for your reminder, such as _Remember to file expense report receipts_, and then click **Place**. - - ![Cortana at work, showing the add a reminder screens](images/cortana-add-reminder.png) - -3. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder. - - ![Cortana at work, showing how to add a place to the reminder screens](images/cortana-place-reminder.png) - -4. Click **Done**. - - >[!NOTE] - >If you’ve never used this location before, you’ll be asked to add a name for it so it can be added to the **Favorites list** in Windows Maps. - -5. Choose to be reminded the **Next time you arrive at the location** or on a specific day of the week from the drop-down box. - -6. Take a picture of your receipts and store them locally on your device. - -7. Click **Add Photo**, click **Library**, browse to your picture, and then click **OK**. - - The photo is stored with the reminder. - - ![Cortana at work, showing the stored image in the reminder screens](images/cortana-final-reminder.png) - -8. Review the reminder info, and then click **Remind**. - - The reminder is saved and ready to be triggered. - - ![Cortana at work, showing the final reminder](images/cortana-reminder-pending.png) - -## Create a reminder for a specific location by using voice commands -This process helps you to use Cortana at work and voice commands to create a reminder for a specific location. - -1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box). - -2. Say _Remind me to grab my expense report receipts before I leave home_. - - Cortana opens a new reminder task and asks if it sounds good. - - ![Cortana at work, showing the reminder created through voice commands](images/cortana-reminder-mic.png) - -3. Say _Yes_ so Cortana can save the reminder. - - ![Cortana at work, showing the final reminder created through voice commands](images/cortana-reminder-pending-mic.png) - -## Edit or archive an existing reminder -This process helps you to edit or archive and existing or completed reminder. - -1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**. - - ![Cortana at work, showing the list of pending reminders](images/cortana-reminder-list.png) - -2. Click the pending reminder you want to edit. - - ![Cortana at work, showing the reminder editing screen](images/cortana-reminder-edit.png) - -3. Change any text that you want to change, click **Add photo** if you want to add or replace an image, click **Delete** if you want to delete the entire reminder, click **Save** to save your changes, and click **Complete and move to History** if you want to save a completed reminder in your **Reminder History**. \ No newline at end of file diff --git a/windows/manage/cortana-at-work-scenario-4.md b/windows/manage/cortana-at-work-scenario-4.md deleted file mode 100644 index 56f1f6af66..0000000000 --- a/windows/manage/cortana-at-work-scenario-4.md +++ /dev/null @@ -1,51 +0,0 @@ ---- -title: Test scenario 4 - Use Cortana at work to find your upcoming meetings (Windows 10) -description: A test scenario about how to use Cortana at work to find your upcoming meetings. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -localizationpriority: high ---- - -# Test scenario 4 - Use Cortana at work to find your upcoming meetings - -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - ->[!IMPORTANT] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. - -This scenario helps you search for both general upcoming meetings, and specific meetings, both manually and verbally. - ->[!NOTE] ->If you’ve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), you’ll also see your pending reminders on the Cortana **Home** page. - -## Find out about upcoming meetings -This process helps you find your upcoming meetings. - -1. Check to make sure your work calendar is connected and synchronized with your Azure AD account. - -2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. - -3. Type _Show me my meetings for tomorrow_. - - You’ll see all your meetings scheduled for the next day. - - ![Cortana at work, showing all upcoming meetings](images/cortana-meeting-tomorrow.png) - -## Find out about upcoming meetings by using voice commands -This process helps you to use Cortana at work and voice commands to find your upcoming meetings. - -1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box. - -2. Say _Show me what meeting I have at 3pm tomorrow_. - - >[!IMPORTANT] - >Make sure that you have a meeting scheduled for the time you specify here. - - ![Cortana at work, showing the meeting scheduled for 3pm](images/cortana-meeting-specific-time.png) - - diff --git a/windows/manage/cortana-at-work-scenario-5.md b/windows/manage/cortana-at-work-scenario-5.md deleted file mode 100644 index 8373a4f4c2..0000000000 --- a/windows/manage/cortana-at-work-scenario-5.md +++ /dev/null @@ -1,57 +0,0 @@ ---- -title: Test scenario 5 - Use Cortana to send email to a co-worker (Windows 10) -description: A test scenario about how to use Cortana at work to send email to a co-worker. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -localizationpriority: high ---- - -# Test scenario 5 - Use Cortana to send email to a co-worker - -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - ->[!IMPORTANT] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. - -This scenario helps you to send an email to a co-worker listed in your work address book, both manually and verbally. - -## Send an email to a co-worker -This process helps you to send a quick message to a co-worker from the work address book. - -1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Azure AD account. - -2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. - -3. Type _Send an email to <contact_name>_. - - Where _<contact_name>_ is the name of someone in your work address book. - -4. Type your email message subject into the **Quick message** (255 characters or less) box and your message into the **Message** (unlimited characters) box, and then click **Send**. - - ![Cortana at work, showing the email text](images/cortana-send-email-coworker.png) - -## Send an email to a co-worker by using voice commands -This process helps you to use Cortana at work and voice commands to send a quick message to a co-worker from the work address book. - -1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box. - -2. Say _Send an email to <contact_name>_. - - Where _<contact_name>_ is the name of someone in your work address book. - -3. Add your email message by saying, _Hello this is a test email using Cortana at work._ - - The message is added and you’re asked if you want to **Send it**, **Add more**, or **Make changes**. - - ![Cortana at work, showing the email text created from verbal commands](images/cortana-send-email-coworker-mic.png) - -4. Say _Send it_. - - The email is sent. - - ![Cortana at work, showing the sent email text](images/cortana-complete-send-email-coworker-mic.png) \ No newline at end of file diff --git a/windows/manage/cortana-at-work-scenario-6.md b/windows/manage/cortana-at-work-scenario-6.md deleted file mode 100644 index ac15463824..0000000000 --- a/windows/manage/cortana-at-work-scenario-6.md +++ /dev/null @@ -1,37 +0,0 @@ ---- -title: Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device (Windows 10) -description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP). -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -localizationpriority: high ---- - -# Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device - -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - ->[!IMPORTANT] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. - -This optional scenario helps you to protect your organization’s data on a device, based on an inspection by Cortana. - -## Use Cortana and WIP to protect your organization’s data - -1. Create and deploy an WIP policy to your organization. For info about how to do this, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md). - -2. Create a new email from a non-protected or personal mailbox, including the text _I’ll send you that presentation tomorrow_. - -3. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar. - - Cortana automatically pulls your commitment to sending the presentation out of your email, showing it to you. - -4. Create a new email from a protected mailbox, including the same text as above, _I’ll send you that presentation tomorrow_. - -5. Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar. - - Because it was in an WIP-protected email, the presentation info isn’t pulled out and it isn’t shown to you. diff --git a/windows/manage/cortana-at-work-testing-scenarios.md b/windows/manage/cortana-at-work-testing-scenarios.md deleted file mode 100644 index 41f734e006..0000000000 --- a/windows/manage/cortana-at-work-testing-scenarios.md +++ /dev/null @@ -1,32 +0,0 @@ ---- -title: Testing scenarios using Cortana in your business or organization (Windows 10) -description: A list of suggested testing scenarios that you can use to test Cortana in your organization. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -localizationpriority: high ---- - -# Testing scenarios using Cortana in your business or organization -**Applies to:** - -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to: - -- Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana. - -- Set a reminder and have it remind you when you’ve reached a specific location. - -- Search for your upcoming meetings on your work calendar. - -- Send an email to a co-worker from your work email app. - -- Use WIP to secure content on a device and then try to manage your organization’s entries in the notebook. - ->[!IMPORTANT] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. \ No newline at end of file diff --git a/windows/manage/cortana-at-work-voice-commands.md b/windows/manage/cortana-at-work-voice-commands.md deleted file mode 100644 index 766a5914ad..0000000000 --- a/windows/manage/cortana-at-work-voice-commands.md +++ /dev/null @@ -1,64 +0,0 @@ ---- -title: Set up and test custom voice commands in Cortana for your organization (Windows 10) -description: How to create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -localizationpriority: high ---- - -# Set up and test custom voice commands in Cortana for your organization -**Applies to:** - -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions. - ->[!NOTE] ->For more info about how your developer can extend your current apps to work directly with Cortana, see [Cortana interactions in UWP apps](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/cortana-interactions). - -## High-level process -Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent. - -To enable voice commands in Cortana - -1. **Extend your LOB app.** Add a custom VCD file to your app package. This file defines what capabilities are available to Cortana from the app, letting you tell Cortana what vocal commands should be understood and handled by your app and how the app should start when the command is vocalized. - - Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background. - - - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-foreground-app-with-voice-commands-in-cortana). - - - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-background-app-with-voice-commands-in-cortana). - -2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization. - -## Test Scenario: Use voice commands in a Windows Store app -While these aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization. - -**To get a Windows Store app** -1. Go to the Windows Store, scroll down to the **Collections** area, click **Show All**, and then click **Better with Cortana**. - -2. Click **Uber**, and then click **Install**. - -3. Open Uber, create an account or sign in, and then close the app. - -**To set up the app with Cortana** -1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon. - -2. Click on **Connected Services**, click **Uber**, and then click **Connect**. - - ![Cortana at work, showing where to connect the Uber service to Cortana](images/cortana-connect-uber.png) - -**To use the voice-enabled commands with Cortana** -1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box). - -2. Say _Uber get me a taxi_. - - Cortana changes, letting you provide your trip details for Uber. - -## See also -- [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385) \ No newline at end of file diff --git a/windows/manage/customize-and-export-start-layout.md b/windows/manage/customize-and-export-start-layout.md deleted file mode 100644 index 102272ce54..0000000000 --- a/windows/manage/customize-and-export-start-layout.md +++ /dev/null @@ -1,169 +0,0 @@ ---- -title: Customize and export Start layout (Windows 10) -description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout. -ms.assetid: CA8DF327-5DD4-452F-9FE5-F17C514B6236 -keywords: ["start screen"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Customize and export Start layout - - -**Applies to** - -- Windows 10 - ->**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) - -The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout. - -After you export the layout, decide whether you want to apply a *full* Start layout or a *partial* Start layout. - -When a full Start layout is applied, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. - -When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. - ->[!NOTE] ->Partial Start layout is only supported on Windows 10, version 1511 and later. - -  - -You can deploy the resulting .xml file to devices using one of the following methods: - -- [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -- [Windows Imaging and Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -- [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -## Customize the Start screen on your test computer - - -To prepare a Start layout for export, you simply customize the Start layout on a test computer. - -**To prepare a test computer** - -1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users’ computers (Windows 10 Enterprise or Windows 10 Education). Install all apps and services that the Start layout should display. - -2. Create a new user account that you will use to customize the Start layout. - - -**To customize Start** - -1. Sign in to your test computer with the user account that you created. - -2. Customize the Start layout as you want users to see it by using the following techniques: - - - **Pin apps to Start**. From Start, type the name of the app. When the app appears in the search results, right-click the app, and then click **Pin to Start**. - - To view all apps, click **All apps** in the bottom-left corner of Start. Right-click any app, and pin or unpin it from Start. - - - **Unpin apps** that you don’t want to display. To unpin an app, right-click the app, and then click **Unpin from Start**. - - - **Drag tiles** on Start to reorder or group apps. - - - **Resize tiles**. To resize tiles, right-click the tile and then click **Resize.** - - - **Create your own app groups**. Drag the apps to an empty area. To name a group, click above the group of tiles and then type the name in the **Name group** field that appears above the group. - -## Export the Start layout - - -When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet in Windows PowerShell to export the Start layout to an .xml file. - -**To export the Start layout to an .xml file** - -1. From Start, open **Windows PowerShell**. - -2. At the Windows PowerShell command prompt, enter the following command: - - `export-startlayout –path .xml ` - - In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml). - - Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet does not append the file name extension, and the policy settings require the extension. - - Example of a layout file produced by `Export-StartLayout`: - - - - - - - - - - - - - - - - -
    XML
    <LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
    -      <DefaultLayoutOverride>
    -        <StartLayoutCollection>
    -          <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
    -            <start:Group Name="Life at a glance" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
    -              <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
    -              <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI" />
    -              <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
    -            </start:Group>        
    -          </defaultlayout:StartLayout>
    -        </StartLayoutCollection>
    -      </DefaultLayoutOverride>
    -    </LayoutModificationTemplate>
    - -## Configure a partial Start layout - - -A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. All groups that you add are *locked*, meaning users cannot change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image. - -![locked tile group](images/start-pinned-app.png) - -When a partial Start layout is applied for the first time, the new groups are added to the users' existing Start layouts. If an app tile is in both an existing group and in a new locked group, the duplicate app tile is removed from the existing (unlocked) group. - -When a partial Start layout is applied to a device that already has a StartLayout.xml applied, groups that were added previously are removed and the groups in the new layout are added. - -If the Start layout is applied by Group Policy or MDM, and the policy is removed, the groups remain on the devices but become unlocked. - -**To configure a partial Start screen layout** - -1. [Customize the Start layout](#bmk-customize-start). - -2. [Export the Start layout](#bmk-exportstartscreenlayout). -3. Open the layout .xml file. There is a `` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows: - - ``` syntax - - ``` - -4. Save the file and apply using any of the deployment methods. - -## Related topics - - -[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) - -  - -  - - - - - diff --git a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md deleted file mode 100644 index 47b68d045b..0000000000 --- a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md +++ /dev/null @@ -1,137 +0,0 @@ ---- -title: Customize Windows 10 Start with Group Policy (Windows 10) -description: In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. -ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545 -keywords: ["Start layout", "start menu", "layout", "group policy"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Customize Windows 10 Start and taskbar with Group Policy - - -**Applies to** - -- Windows 10 - ->**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) - -In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start and taskbar layout to users in a domain. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. - -This topic describes how to update Group Policy settings to display a customized Start and taskbar layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start and taskbar layout to users in a domain. - ->[!WARNING]   ->When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. When you apply a taskbar layout, users will still be able to pin and unpin apps, and change the order of pinned apps. - -  - -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) - -## Operating system requirements - - -Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education, Version 1607. Start and taskbar layout control is not supported in Windows 10 Pro. - -The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](https://go.microsoft.com/fwlink/p/?LinkId=691687) in the Microsoft Knowledge Base. - -## How Start layout control works - - -Three features enable Start and taskbar layout control: - -- The [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkID=620879) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. - - >[!NOTE]   - >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. - -- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. - -- In Group Policy, you use the **Start Layout** settings for the **Start Menu and Taskbar** administrative template to set a Start and taskbar layout from an .xml file when the policy is applied. The Group Policy object doesn't support an empty tile layout, so the default tile layout for Windows is loaded in that case. - ->[!NOTE]   ->To learn how customize Start to include your line-of-business apps when you deploy Windows 10, see [Customize the Windows 10 Start layout]( https://go.microsoft.com/fwlink/p/?LinkId=620863). - -  - -## Use Group Policy to apply a customized Start layout in a domain - - -To apply the Start and taskbar layout to users in a domain, use the Group Policy Management Console (GPMC) to configure a domain-based Group Policy Object (GPO) that sets **Start Layout** policy settings in the **Start Menu and Taskbar** administrative template for users in a domain. - -The GPO applies the Start and taskbar layout at the next user sign-in. Each time the user signs in, the timestamp of the .xml file with the Start and taskbar layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied. - -The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. - -The .xml file with the Start and taskbar layout must be located on shared network storage that is available to the users’ computers when they sign in and the users must have Read-only access to the file. If the file is not available when the first user signs in, Start and the taskbar are not customized during the session, but the user will be prevented from making changes to Start. On subsequent sign-ins, if the file is available at sign-in, the layout it contains will be applied to the user's Start and taskbar. - -For information about deploying GPOs in a domain, see [Working with Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=620889). - -## Use Group Policy to apply a customized Start layout on the local computer - - -You can use the Local Group Policy Editor to provide a customized Start and taskbar layout for any user who signs in on the local computer. To display the customized Start and taskbar layout for any user who signs in, configure **Start Layout** policy settings for the **Start Menu and Taskbar** administrative template. You can use the **Start Menu and Taskbar** administrative template in **User Configuration** or **Computer Configuration**. - ->[!NOTE]   ->This procedure applies the policy settings on the local computer only. For information about deploying the Start and taskbar layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#bkmk-domaingpodeployment). -> ->This procedure creates a Local Group Policy that applies to all users on the computer. To configure Local Group Policy that applies to a specific user or group on the computer, see [Step-by-Step Guide to Managing Multiple Local Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=620881). The guide was written for Windows Vista and the procedures still apply to Windows 10. - - -This procedure adds the customized Start and taskbar layout to the user configuration, which overrides any Start layout settings in the local computer configuration when a user signs in on the computer. - -**To configure Start Layout policy settings in Local Group Policy Editor** - -1. On the test computer, press the Windows key, type **gpedit**, and then select **Edit group policy (Control panel)**. - -2. Go to **User Configuration** or **Computer Configuration** > **Administrative Templates** >**Start Menu and Taskbar**. - - ![start screen layout policy settings](images/starttemplate.jpg) - -3. Right-click **Start Layout** in the right pane, and click **Edit**. - - This opens the **Start Layout** policy settings. - - ![policy settings for start screen layout](images/startlayoutpolicy.jpg) - -4. Enter the following settings, and then click **OK**: - - 1. Select **Enabled**. - - 2. Under **Options**, specify the path to the .xml file that contains the Start and taskbar layout. For example, type **C:\\Users\\Test01\\StartScreenMarketing.xml**. - - 3. Optionally, enter a comment to identify the Start and taskbar layout. - - >[!IMPORTANT]   - >If you disable Start Layout policy settings that have been in effect and then re-enable the policy, users will not be able to make changes to Start, however the layout in the .xml file will not be reapplied unless the file has been updated. In Windows PowerShell, you can update the timestamp on a file by running the following command: - - >`(ls ).LastWriteTime = Get-Date` - -   - -## Update a customized Start layout - - -After you use Group Policy to apply a customized Start and taskbar layout on a computer or in a domain, you can update the layout simply by replacing the .xml file that is specified in the Start Layout policy settings with a file with a newer timestamp. - -## Related topics - - -[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) - -[Customize and export Start layout](customize-and-export-start-layout.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -  - -  - - - - - diff --git a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md deleted file mode 100644 index 2ccace55f5..0000000000 --- a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ /dev/null @@ -1,152 +0,0 @@ ---- -title: Customize Windows 10 Start with mobile device management (MDM) (Windows 10) -description: In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. -ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4 -keywords: ["start screen", "start menu"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: medium ---- - -# Customize Windows 10 Start with mobile device management (MDM) - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -**Looking for consumer information?** - -- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) - -In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. - -> **Note:** Customized taskbar configuration cannot be applied using MDM at this time. - -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile. - -**Warning**   -When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. - -  - -## How Start layout control works - - -Two features enable Start layout control: - -- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. - - **Note**   - To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. - -   - -- In MDM, you set the path to the .xml file that defines the Start layout using an OMA-URI setting, which is based on the [Policy configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=623244). - -## Create a policy for your customized Start layout - - -This example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout. See the documentation for your MDM solution for help in applying the policy. - -1. In the Start layout file created when you ran **Export-StartLayout**, replace markup characters with escape characters, and save the file. (You can replace the characters manually or use an online tool.) - - Example of a layout file produced by Export-StartLayout: - - - - - - - - - - - - - - - - -
    XML
    <LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
    -      <DefaultLayoutOverride>
    -        <StartLayoutCollection>
    -          <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
    -            <start:Group Name="Life at a glance" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
    -              <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
    -              <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI" />
    -              <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
    -            </start:Group>        
    -          </defaultlayout:StartLayout>
    -        </StartLayoutCollection>
    -      </DefaultLayoutOverride>
    -    </LayoutModificationTemplate>
    - - Example of the same layout file with escape characters replacing the markup characters: - -``` - &lt;wdcml:p xmlns:wdcml=&quot;http://microsoft.com/wdcml&quot;&gt;Example of a layout file produced by Export-StartLayout:&lt;/wdcml:p&gt;&lt;wdcml:snippet xmlns:wdcml=&quot;http://microsoft.com/wdcml&quot;&gt;&lt;![CDATA[&lt;LayoutModificationTemplate Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt; - &lt;DefaultLayoutOverride&gt; - &lt;StartLayoutCollection&gt; - &lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot; xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot;&gt; - &lt;start:Group Name=&quot;Life at a glance&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot;&gt; - &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge&quot; /&gt; - &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI&quot; /&gt; - &lt;start:Tile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt; - &lt;/start:Group&gt; - &lt;/defaultlayout:StartLayout&gt; - &lt;/StartLayoutCollection&gt; - &lt;/DefaultLayoutOverride&gt; - &lt;/LayoutModificationTemplate&gt;]]&gt;&lt;/wdcml:snippet&gt; -``` - -2. In the Microsoft Intune administration console, click **Policy** > **Add Policy**. - -3. Under **Windows**, choose a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy. - -4. Enter a name (mandatory) and description (optional) for the policy. - -5. In the **OMA-URI Settings** section, click **Add.** - -6. In **Add or Edit OMA-URI Setting**, enter the following information. - - | Item | Information | - |----|----| - | **Setting name** | Enter a unique name for the OMA-URI setting to help you identify it in the list of settings. | - | **Setting description** | Provide a description that gives an overview of the setting and other relevant information to help you locate it. | - | **Data type** | **String** | - | **OMA-URI (case sensitive)** | **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** | - | **Value** | Paste the contents of the Start layout .xml file that you created. | - -   - -7. Click **OK** to save the setting and return to the **Create Policy** page. - -8. Click **Save Policy**. - -## Related topics - - -[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) - -[Customize and export Start layout](customize-and-export-start-layout.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Use Windows 10 custom policies to manage device settings with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=616316) - -  - -  - - - - - diff --git a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md deleted file mode 100644 index 7cc8395f8b..0000000000 --- a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ /dev/null @@ -1,122 +0,0 @@ ---- -title: Customize Windows 10 Start with ICD and provisioning packages (Windows 10) -description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users. -ms.assetid: AC952899-86A0-42FC-9E3C-C25F45B1ACAC -keywords: ["Start layout", "start menu"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: medium ---- - -# Customize Windows 10 Start and taskbar with ICD and provisioning packages - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -**Looking for consumer information?** - -- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) - -In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, version 1607, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. - ->[!IMPORTANT] ->If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy. - -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile. - -## How Start layout control works - - -Three features enable Start and taskbar layout control: - -- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. - - **Note**   - To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. - -- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. - - -- In ICD, you use the **Start/StartLayout** setting to set the path to the .xml file that defines the Start and taskbar layout. - -## Create a provisioning package that contains a customized Start layout - - -Use the [Imaging and Configuration Designer (ICD) tool](https://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start and taskbar layout. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - ->[!IMPORTANT] ->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -1. Open ICD (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). -2. Choose **Advanced provisioning**. - -3. Name your project, and click **Next**. - -4. Choose **All Windows desktop editions** and click **Next**. - -5. On **New project**, click **Finish**. The workspace for your package opens. - -6. Expand **Runtime settings** > **Start**, and click **StartLayout**. - - >[!TIP] - >If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**. - -7. Specify the path and file name of the Start layout .xml that you created with the [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet. - -8. On the **File** menu, select **Save.** - -9. On the **Export** menu, select **Provisioning package**. - -10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - -12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. - - Optionally, you can click **Browse** to change the default output location. - -13. Click **Next**. - -14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -16. Copy the provisioning package to the target device. - -17. Double-click the ppkg file and allow it to install. - -## Related topics - - -[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) - -[Customize and export Start layout](customize-and-export-start-layout.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -  - -  - - - - - diff --git a/windows/manage/guidelines-for-assigned-access-app.md b/windows/manage/guidelines-for-assigned-access-app.md deleted file mode 100644 index 0552f8af1a..0000000000 --- a/windows/manage/guidelines-for-assigned-access-app.md +++ /dev/null @@ -1,104 +0,0 @@ ---- -title: Guidelines for choosing an app for assigned access (Windows 10) -description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app. -ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8 -keywords: ["kiosk", "lockdown", "assigned access"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Guidelines for choosing an app for assigned access (kiosk mode) - - -**Applies to** - -- Windows 10 - - -You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. - -The following guidelines may help you choose an appropriate Windows app for your assigned access experience in Windows 10, Version 1607. - -## General guidelines - -- Windows apps must be provisioned or installed for the assigned access account before they can be selected as the assigned access app. [Learn how to provision and install apps](https://msdn.microsoft.com/library/windows/hardware/mt228170.aspx#install_your_apps). - -- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch. - - -## Guidelines for Windows apps that launch other apps - -Some Windows apps can launch other apps. Assigned access prevents Windows apps from launching other apps. - -Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality. - -## Guidelines for web browsers - -Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps. - -If you use a web browser as your assigned access app, consider the following tips: - -- You can download browsers that are optimized to be used as a kiosk from the Microsoft Store. -- You can use Group Policy to block access to the file system (network shares, local drives, and local folders) from Internet Explorer’s web address bar. -- You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app: - - [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/) - - [WebView class](https://msdn.microsoft.com/library/windows/apps/windows.ui.xaml.controls.webview.aspx) - - [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0) - -**To block access to the file system from Internet Explorer's web address bar** -1. On the Start screen, type the following: - `gpedit.msc` -2. Press **Enter** or click the gpedit icon to launch the group policy editor. -3. In the group policy editor, navigate to **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**. -4. Select **Remove Run menu from Start Menu**, select **Disabled**, and click **Apply**. Disabling this policy prevents users from entering the following into the Internet Explorer Address Bar: - - A UNC path (\\\\*server*\\\\*share*) - - A local drive (C:\\) - - A local folder (\temp) - - -## Secure your information - -Avoid selecting Windows apps that may expose the information you don’t want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting this type of apps if they provide unnecessary data access. - -## App configuration - -Some apps may require additional configurations before they can be used appropriately in assigned access . For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access. -Check the guidelines published by your selected app and do the setup accordingly. - -## Develop your kiosk app - -Assigned access in Windows 10 leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above lock . The kiosk app is actually running as an above lock screen app. - -Follow the [best practices guidance for developing a kiosk app for assigned access](https://msdn.microsoft.com/library/windows/hardware/mt633799%28v=vs.85%29.aspx). - -## Test your assigned access experience - -The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you have selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience. - - ## Learn more - -[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508) - -## Related topics - -[Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) - -[Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md) - -[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) - -[Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) - -[Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) - -  - -  - - - - - diff --git a/windows/manage/how-it-pros-can-use-configuration-service-providers.md b/windows/manage/how-it-pros-can-use-configuration-service-providers.md deleted file mode 100644 index 26ab03140f..0000000000 --- a/windows/manage/how-it-pros-can-use-configuration-service-providers.md +++ /dev/null @@ -1,238 +0,0 @@ ---- -title: Introduction to configuration service providers (CSPs) for IT pros (Windows 10) -description: Configuration service providers (CSPs) expose device configuration settings in Windows 10. -ms.assetid: 25C1FDCA-0E10-42A1-A368-984FFDB2B7B6 -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: medium ---- - -# Introduction to configuration service providers (CSPs) for IT pros - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Configuration service providers (CSPs) expose device configuration settings in Windows 10. This topic is written for people who have no experience with CSPs. - -The CSPs are documented on the [Hardware Dev Center](https://go.microsoft.com/fwlink/p/?LinkId=717390) because CSPs are used by mobile device management (MDM) service providers. This topic explains how IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations. - -**Note**   -The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile. - - [See what's new for CSPs in Windows 10, version 1607.](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whatsnew_1607) - -## What is a CSP? - - -A CSP is an interface in the client operating system between configuration settings specified in a provisioning document and configuration settings on the device. Their function is similar to that of Group Policy client-side extensions in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. Typically, these settings map to registry keys, files or permissions. Some of these settings are configurable and some are read-only. - -Starting in Windows Mobile 5.0, CSPs were used to manage Windows mobile devices. In the Windows 10 platform, the management approach for both desktop and mobile devices converges, taking advantage of the same CSPs to configure and manage all devices running Windows 10. - -Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](https://go.microsoft.com/fwlink/p/?LinkId=717438) contains the settings to create a Wi-Fi profile. - -CSPs are behind many of the management tasks and policies for Windows 10 in Microsoft Intune and non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). - -![how intune maps to csp](images/policytocsp.png) - -CSPs receive configuration policies in the XML-based SyncML format pushed to it from an MDM-compliant management server such as Microsoft Intune. Traditional enterprise management systems, such as System Center Configuration Manager, can also target CSPs by using a client-side WMI-to-CSP bridge. - -### Synchronization Markup Language (SyncML) - -The Open Mobile Alliance Device Management (OMA-DM) protocol uses the XML-based Synchronization Markup Language (SyncML) for data exchange between compliant servers and clients. SyncML offers an open standard to use as an alternative to vendor-specific management solutions (such as WMI). The value for enterprises adopting industry standard management protocols is that it allows the management of a broader set of vendor devices using a single platform (such as Microsoft Intune). Device policies, including VPN connection profiles, are delivered to client devices formatted as in SyncML. The target CSP reads this information and applies the necessary configurations. - -### The WMI-to-CSP Bridge - -The WMI-to-CSP Bridge is a component allowing configuration of Windows 10 CSPs via scripts and traditional enterprise management software such as Configuration Manager using Windows Management Instrumentation (WMI). The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device. - -[Learn how to use the WMI Bridge Provider with PowerShell.](https://go.microsoft.com/fwlink/p/?LinkId=761090) - -## Why should you learn about CSPs? - - -Generally, enterprises rely on Group Policy or MDM to configure and manage devices. For devices running Windows, MDM services use CSPs to configure your devices. - -In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management, or you want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried. - -In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings. - -### CSPs in Windows Imaging and Configuration Designer (ICD) - -You can use Windows Imaging and Configuration Designer (ICD) to create [provisioning packages](https://go.microsoft.com/fwlink/p/?LinkId=717466) to apply settings to devices during the out-of-box-experience (OOBE) and after devices are set up. You can use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows ICD are based on CSPs. - -Many settings in Windows ICD will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image. - -![how help content appears in icd](images/cspinicd.png) - -[Configure devices without MDM](configure-devices-without-mdm.md) explains how to use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. - -### CSPs in MDM - -Most, if not all, CSPs are surfaced through your MDM service. If you see a CSP that provides a capability that you want to make use of and cannot find that capability in your MDM service, contact your MDM provider for assistance. It might simply be named differently than you expected. You can see the CSPs supported by MDM in the [Configuration service provider reference](https://go.microsoft.com/fwlink/p/?LinkId=717390). - -When a CSP is available but is not explicitly included in your MDM solution, you may be able to make use of the CSP by using OMA-URI settings. In Intune, for example, you can use [custom policy settings](https://go.microsoft.com/fwlink/p/?LinkID=616316) to deploy settings. Intune documents [a partial list of settings](https://go.microsoft.com/fwlink/p/?LinkID=616317) that you can enter in the **OMA-URI Settings** section of a custom policy, if your MDM service provides that extension. You'll notice that the list doesn't explain the meanings of the allowed and default values, so use the [CSP reference documentation](https://go.microsoft.com/fwlink/p/?LinkId=717390) to locate that information. - -### CSPs in Lockdown XML - -Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). - -## How do you use the CSP documentation? - - -All CSPs in Windows 10 are documented in the [Configuration service provider reference](https://go.microsoft.com/fwlink/p/?LinkId=717390). - -The [main CSP topic](https://go.microsoft.com/fwlink/p/?LinkId=717390) tells you which CSPs are supported on each edition of Windows 10, and links to the documentation for each individual CSP. - -![csp per windows edition](images/csptable.png) - -The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format. - -The full path to a specific configuration setting is represented by its Open Mobile Alliance - Uniform Resource Identifier (OMA-URI). The URI is relative to the devices’ root node (MSFT, for example). Features supported by a particular CSP can be set by addressing the complete OMA-URI path. - -The following example shows the diagram for the [AssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=626608). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes and rectangular elements are settings or policies for which a value must be supplied. - -![assigned access csp tree](images/provisioning-csp-assignedaccess.png) - -The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see it uses the [AssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=626608). - -```XML -./Vendor/MSFT/AssignedAccess/KioskModeApp -``` - -When an element in the diagram uses italic font, it indicates a placeholder for specific information, such as the tenant ID in the following example. - -![placeholder in csp tree](images/csp-placeholder.png) - -After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed. - -For example, in the [AssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=626608), the setting is **KioskModeApp**. The documentation tells you that the value for **KioskModeApp** is a JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. - -The documentation for most CSPs will also include an XML example. - -## CSP examples - - -CSPs provide access to a number of settings useful to enterprises. This section introduces two CSPs that an enterprise might find particularly useful. - -- [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601) - - The EnterpriseAssignedAccess configuration service provider allows IT administrators to configure settings on a Windows 10 Mobile device. An enterprise can make use of this CSP to create single-use or limited-use mobile devices, such as a handheld device that only runs a price-checking app. - - In addition to lockscreen wallpaper, theme, time zone, and language, the EnterpriseAssignedAccess CSP includes AssignedAccessXml which can be used to lock down the device through the following settings: - - - Enabling or disabling the Action Center. - - Configuring the number of tile columns in the Start layout. - - Restricting the apps that will be available on the device. - - Restricting the settings that the user can access. - - Restricting the hardware buttons that will be operable. - - Restricting access to the context menu. - - Enabling or disabling tile manipulation. - - Creating role-specific configurations. -- [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244) - - The Policy configuration service provider enables the enterprise to configure policies on Windows 10 and Windows 10 Mobile. Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings. - - Some of the settings available in the Policy CSP include the following: - - - **Accounts**, such as whether a non-Microsoft account can be added to the device - - **Application management**, such as whether only Windows Store apps are allowed - - **Bluetooth**, such as the services allowed to use it - - **Browser**, such as restricting InPrivate browsing - - **Connectivity**, such as whether the device can be connected to a computer by USB - - **Defender** (for desktop only), such as day and time to scan - - **Device lock**, such as the type of PIN or password required to unlock the device - - **Experience**, such as allowing Cortana - - **Security**, such as whether provisioning packages are allowed - - **Settings**, such as allowing the user to change VPN settings - - **Start**, such as applying a standard Start layout - - **System**, such as allowing the user to reset the device - - **Text input**, such as allowing the device to send anonymized user text input data samples to Microsoft - - **Update**, such as specifying whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store - - **WiFi**, such as whether to enable Internet sharing - -Here is a list of CSPs supported on Windows 10 Enterprise, Windows 10 Mobile Enterprise, or both: - -- [ActiveSync CSP](https://go.microsoft.com/fwlink/p/?LinkId=723219) -- [Application CSP](https://go.microsoft.com/fwlink/p/?LinkId=723220) -- [AppLocker CSP](https://go.microsoft.com/fwlink/p/?LinkID=626609) -- [AssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=626608) -- [Bootstrap CSP](https://go.microsoft.com/fwlink/p/?LinkId=723224) -- [BrowserFavorite CSP](https://go.microsoft.com/fwlink/p/?LinkId=723428) -- [CellularSettings CSP](https://go.microsoft.com/fwlink/p/?LinkId=723427) -- [CertificateStore CSP](https://go.microsoft.com/fwlink/p/?LinkId=723225) -- [ClientCertificateInstall CSP](https://go.microsoft.com/fwlink/p/?LinkId=723226) -- [CM\_CellularEntries CSP](https://go.microsoft.com/fwlink/p/?LinkId=723426) -- [CM\_ProxyEntries CSP](https://go.microsoft.com/fwlink/p/?LinkId=723425) -- [CMPolicy CSP](https://go.microsoft.com/fwlink/p/?LinkId=723424) -- [Defender CSP](https://go.microsoft.com/fwlink/p/?LinkId=723227) -- [DevDetail CSP](https://go.microsoft.com/fwlink/p/?LinkId=723228) -- [DeviceInstanceService CSP](https://go.microsoft.com/fwlink/p/?LinkId=723275) -- [DeviceLock CSP](https://go.microsoft.com/fwlink/p/?LinkId=723370) -- [DeviceStatus CSP](https://go.microsoft.com/fwlink/p/?LinkId=723229) -- [DevInfo CSP](https://go.microsoft.com/fwlink/p/?LinkId=723230) -- [DiagnosticLog CSP](https://go.microsoft.com/fwlink/p/?LinkId=723231) -- [DMAcc CSP](https://go.microsoft.com/fwlink/p/?LinkId=723232) -- [DMClient CSP](https://go.microsoft.com/fwlink/p/?LinkId=723233) -- [Email2 CSP](https://go.microsoft.com/fwlink/p/?LinkId=723234) -- [EnterpriseAPN CSP](https://go.microsoft.com/fwlink/p/?LinkId=723235) -- [EnterpriseAppManagement CSP](https://go.microsoft.com/fwlink/p/?LinkId=723237) -- [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601) -- [EnterpriseDesktopAppManagement CSP](https://go.microsoft.com/fwlink/p/?LinkId=723236) -- [EnterpriseExt CSP](https://go.microsoft.com/fwlink/p/?LinkId=723423) -- [EnterpriseExtFileSystem CSP](https://go.microsoft.com/fwlink/p/?LinkID=703716) -- [EnterpriseModernAppManagement CSP](https://go.microsoft.com/fwlink/p/?LinkId=723257) -- [FileSystem CSP](https://go.microsoft.com/fwlink/p/?LinkId=723422) -- [HealthAttestation CSP](https://go.microsoft.com/fwlink/p/?LinkId=723258) -- [HotSpot CSP](https://go.microsoft.com/fwlink/p/?LinkId=723421) -- [Maps CSP](https://go.microsoft.com/fwlink/p/?LinkId=723420) -- [NAP CSP](https://go.microsoft.com/fwlink/p/?LinkId=723419) -- [NAPDEF CSP](https://go.microsoft.com/fwlink/p/?LinkId=723371) -- [NodeCache CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723265) -- [PassportForWork CSP](https://go.microsoft.com/fwlink/p/?LinkID=692070) -- [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244) -- [PolicyManager CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723418) -- [Provisioning CSP](https://go.microsoft.com/fwlink/p/?LinkId=723266) -- [Proxy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723372) -- [PXLOGICAL CSP](https://go.microsoft.com/fwlink/p/?LinkId=723374) -- [Registry CSP](https://go.microsoft.com/fwlink/p/?LinkId=723417) -- [RemoteFind CSP](https://go.microsoft.com/fwlink/p/?LinkId=723267) -- [RemoteWipe CSP](https://go.microsoft.com/fwlink/p/?LinkID=703714) -- [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkId=723375) -- [RootCATrustedCertificates CSP](https://go.microsoft.com/fwlink/p/?LinkId=723270) -- [SecurityPolicy CSP](https://go.microsoft.com/fwlink/p/?LinkId=723376) -- [Storage CSP](https://go.microsoft.com/fwlink/p/?LinkId=723377) -- [SUPL CSP](https://go.microsoft.com/fwlink/p/?LinkId=723378) -- [UnifiedWriteFilter CSP](https://go.microsoft.com/fwlink/p/?LinkId=723272) -- [Update CSP](https://go.microsoft.com/fwlink/p/?LinkId=723271) -- [VPN CSP](https://go.microsoft.com/fwlink/p/?LinkId=723416) -- [VPNv2 CSP](https://go.microsoft.com/fwlink/p/?LinkID=617588) -- [Wi-Fi CSP](https://go.microsoft.com/fwlink/p/?LinkID=71743) -- [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkId=723274) -- [WindowsSecurityAuditing CSP](https://go.microsoft.com/fwlink/p/?LinkId=723415) - -## Related topics - -[What's new in MDM enrollment and management in Windows 10, version 1607](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whatsnew_1607) - -[Lock down Windows 10](lock-down-windows-10.md) - -[Manage corporate devices](manage-corporate-devices.md) - -[New policies for Windows 10](new-policies-for-windows-10.md) - -[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) - -[Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md) - -  - -  - - - - - diff --git a/windows/manage/lock-down-windows-10-to-specific-apps.md b/windows/manage/lock-down-windows-10-to-specific-apps.md deleted file mode 100644 index 8ab992a6f0..0000000000 --- a/windows/manage/lock-down-windows-10-to-specific-apps.md +++ /dev/null @@ -1,131 +0,0 @@ ---- -title: Lock down Windows 10 to specific apps (Windows 10) -description: Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. -ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 -keywords: ["lockdown", "app restrictions", "applocker"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: edu, security -author: jdeckerMS -localizationpriority: high ---- - -# Lock down Windows 10 to specific apps - - -**Applies to** - -- Windows 10 - ->For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). - -Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. - -You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](../keep-secure/applocker-overview.md). AppLocker rules specify which apps are allowed to run on the device. - -AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](../keep-secure/how-applocker-works-techref.md). - -This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy. - -![install create lockdown customize](images/lockdownapps.png) - -## Install apps - - -First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account. - -## Use AppLocker to set rules for apps - - -After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else. - -1. Run Local Security Policy (secpol.msc) as an administrator. - -2. Go to **Security Settings** > **Application Control Policies** > **AppLocker**, and select **Configure rule enforcement**. - - ![configure rule enforcement](images/apprule.png) - -3. Check **Configured** under **Executable rules**, and then click **OK**. - -4. Right-click **Executable Rules** and then click **Automatically generate rules**. - - ![automatically generate rules](images/genrule.png) - -5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps. - -6. Type a name to identify this set of rules, and then click **Next**. - -7. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules. - -8. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps. - -9. Read the message and click **Yes**. - - ![default rules warning](images/appwarning.png) - -10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users. - -11. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**. - -12. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run: - - ``` syntax - sc config appidsvc start=auto - ``` - -13. Restart the device. - -## Other settings to lock down - - -In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device: - -- Remove **All apps**. - - Go to **Group Policy Editor** > **User Configuration** > **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**. - -- Hide **Ease of access** feature on the logon screen. - - Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. - -- Disable the hardware power button. - - Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. - -- Disable the camera. - - Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. - -- Turn off app notifications on the lock screen. - - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. - -- Disable removable media. - - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation. - - **Note**   - To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. - -   - -To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442). - -## Customize Start screen layout for the device - - -Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md). - -## Related topics - -- [Provisioning packages for Windows 10](../deploy/provisioning-packages.md) - -  - -  - - - - - diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md deleted file mode 100644 index 63fda8dbd1..0000000000 --- a/windows/manage/lock-down-windows-10.md +++ /dev/null @@ -1,16 +0,0 @@ ---- -title: Lock down Windows 10 (Windows 10) -description: Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device. -ms.assetid: 955BCD92-0A1A-4C48-98A8-30D7FAF2067D -keywords: lockdown -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security, mobile -author: jdeckerMS -localizationpriority: high ---- - -# Lock down Windows 10 - - diff --git a/windows/manage/lockdown-features-windows-10.md b/windows/manage/lockdown-features-windows-10.md deleted file mode 100644 index c6eaa7e68d..0000000000 --- a/windows/manage/lockdown-features-windows-10.md +++ /dev/null @@ -1,116 +0,0 @@ ---- -title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10) -description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. -ms.assetid: 3C006B00-535C-4BA4-9421-B8F952D47A14 -keywords: lockdown, embedded -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: jdeckerMS -localizationpriority: high ---- - -# Lockdown features from Windows Embedded 8.1 Industry - -**Applies to** -- Windows 10 - - -Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Windows Embedded 8.1 Industry lockdown featureWindows 10 featureChanges

    [Hibernate Once/Resume Many (HORM)](https://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device

    N/A

    HORM is supported in Windows 10, version 1607.

    [Unified Write Filter](https://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media

    [Unified Write Filter](https://msdn.microsoft.com/en-us/library/windows/hardware/mt572001.aspx)

    The Unified Write Filter is continued in Windows 10, with the exception of HORM which has been deprecated.

    [Keyboard Filter]( https://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations

    [Keyboard Filter](https://go.microsoft.com/fwlink/p/?LinkId=708391)

    Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.

    [Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on

    [Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=618603)

    Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category.

    -

    Learn [how to use Shell Launcher to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application.

    [Application Launcher]( https://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on

    [Assigned Access](https://go.microsoft.com/fwlink/p/?LinkId=626608)

    The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.

    [Dialog Filter](https://go.microsoft.com/fwlink/p/?LinkId=626762): suppress system dialogs and control which processes can run

    [AppLocker](../keep-secure/applocker-overview.md)

    Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.

    -
      -
    • Control over which processes are able to run will now be provided by AppLocker.

    • -
    • System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.

    • -

    [Toast Notification Filter]( https://go.microsoft.com/fwlink/p/?LinkId=626673): suppress toast notifications

    Mobile device management (MDM) and Group Policy

    Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.

    -

    Group Policy: User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications

    -

    MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow action center notifications and a [custom OMA-URI setting](https://go.microsoft.com/fwlink/p/?LinkID=616317) for AboveLock/AllowActionCenterNotifications.

    [Embedded Lockdown Manager](https://go.microsoft.com/fwlink/p/?LinkId=626763): configure lockdown features

    [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkID=525483)

    The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.

    [USB Filter](https://go.microsoft.com/fwlink/p/?LinkId=626674): restrict USB devices and peripherals on system

    MDM and Group Policy

    The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.

    -

    Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

    -

    MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow removable storage or Allow USB connection (Windows 10 Mobile only).

    [Assigned Access](https://go.microsoft.com/fwlink/p/?LinkID=613653): launch a UWP app on sign-in and lock access to system

    [Assigned Access](https://go.microsoft.com/fwlink/p/?LinkId=626608)

    Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device.

    -

    In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.

    -

    Learn [how to use Assigned Access to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Universal Windows app.

    [Gesture Filter](https://go.microsoft.com/fwlink/p/?LinkId=626672): block swipes from top, left, and right edges of screen

    MDM and Group Policy

    In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. In Windows 10, Charms have been removed. In Windows 10, version 1607, you can block swipes using the [Allow edge swipe](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#LockDown_AllowEdgeSwipe) policy.

    [Custom Logon]( https://go.microsoft.com/fwlink/p/?LinkId=626759): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown

    [Embedded Logon](https://go.microsoft.com/fwlink/p/?LinkId=626760)

    No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.

    [Unbranded Boot](https://go.microsoft.com/fwlink/p/?LinkId=626872): custom brand a device by removing or replacing Windows boot UI elements

    [Unbranded Boot](https://go.microsoft.com/fwlink/p/?LinkId=626873)

    No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.

    -  -  -  diff --git a/windows/manage/lockdown-xml.md b/windows/manage/lockdown-xml.md deleted file mode 100644 index 936ed8c310..0000000000 --- a/windows/manage/lockdown-xml.md +++ /dev/null @@ -1,870 +0,0 @@ ---- -title: Configure Windows 10 Mobile using Lockdown XML (Windows 10) -description: Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. -ms.assetid: 22C8F654-2EC3-4E6D-8666-1EA9FCF90F5F -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security, mobile -author: jdeckerMS -localizationpriority: high ---- - -# Configure Windows 10 Mobile using Lockdown XML - - -**Applies to** - -- Windows 10 Mobile - -Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. - -This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices. - -Lockdown XML is an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). - -> [!NOTE] -> On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](set-up-a-device-for-anyone-to-use.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). - -If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md) first. - -## Overview of the lockdown XML file - -Let's start by looking at the basic structure of the lockdown XML file. You can start your file by pasting the following XML (or any other examples in this topic) into a text or XML editor, and saving the file as *filename*.xml. - -```xml - - - - - - - - - - - - - -``` - -**Default** and the entries beneath it establish the default device settings that are applied for every user. The device will always boot to this Default role. You can create additional roles on the device, each with its own settings, in the same XML file. [Learn how to add roles.](#configure-additional-roles) - -The settings for the Default role and other roles must be listed in your XML file in the order presented in this topic. All of the entries are optional. If you don't include a setting, that aspect of the device will operate as it would for an nonconfigured device. - -> **Tip**  Keep your XML file easy to work with and to understand by using proper indentation and adding comments for each setting you configure. - -## Action Center - -![XML for Action Center](images/ActionCenterXML.jpg) - -The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. - -In the following example, the Action Center is enabled and both policies are disabled. - -```xml - -``` - -In the following example, Action Center and the toast policy are enabled, and the notifications policy is disabled. - -```xml - -``` - -The following example is a complete lockdown XML file that disables Action Center, notifications, and toasts. - -```xml - - - - - - - -``` - -## Apps - -![XML for Apps](images/AppsXML.png) - -The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. - -You provide the product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you should also provide the App User Model ID (AUMID) to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md) - -The following example makes Outlook Calendar available on the device. - -```xml - - - - - -``` - -When you list an app, you can also set the app to be pinned to the Start screen by specifying the tile size and location. Tip: draw a grid and mark your app tiles on it to make sure you get the result you want. The width (X axis) in the following example is the limit for Windows 10 Mobile, but the length (Y axis) is unlimited. The number of columns available to you depends on the value for [StartScreenSize](#start-screen-size). - -![Grid to lay out tiles for Start](images/StartGrid.jpg) - -Tile sizes are: -* Small: 1x1 -* Medium: 2x2 -* Large: 2x4 - -Based on 6 columns, you can pin six small tiles or three medium tiles on a single row. A large tile can be combined with two small tiles or one medium tile on the same row. Obviously, you cannot set a medium tile for LocationX=5, or a large tile for LocationX=3, 4, or 5. - -If the tile configuration in your file exceeds the available width, such as setting a large tile to start at position 3 on the X axis, that tile is appended to the bottom of the Start screen. Also, if the tile configuration in your file would result in tiles overlapping each other, the overlapping tiles are instead appended to the bottom of the Start screen. - -In the following example, Outlook Calendar and Outlook Mail are pinned to the Start screen, and the Store app is allowed but is not pinned to Start. - -```xml - - - - - Large - - 0 - 0 - - - - - - - Medium - - 4 - 0 - - - - - - -``` - -That layout would appear on a device like this: - -![Example of the layout on a Start screen](images/StartGridPinnedApps.jpg) - -You can create and pin folders to Start by using the Apps setting. Each folder requires a **folderId**, which must be a consecutive positive integer starting with `1`. You can also specify a **folderName** (optional) which will be displayed on Start. - -```xml - - - - - Medium - - 4 - 0 - - - - -``` - -To add apps to the folder, include **ParentFolderId** in the application XML, as shown in the following example: - -```xml - - - - - Large - - 0 - 0 - - 1 - - - - - - Medium - - 4 - 0 - - 1 - - - -``` -When an app is contained in a folder, its **PinToStart** configuration (tile size and location) applies to its appearance when the folder is opened. - -## Buttons - -![XML for buttons](images/ButtonsXML.jpg) - -In the Buttons setting, you use ButtonLockdownList to disable hardware buttons and ButtonRemapList to change button events to open an app that you specify. - -### ButtonLockdownList - -When a user taps a button that is in the lockdown list, nothing will happen. The following table lists which events can be disabled for each button. - -Button | Press | PressAndHold | All ----|:---:|:---:|:--:|- -Start | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) -Back | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) -Search | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) -Camera | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) -Custom 1, 2, and 3 | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) - -> [!NOTE] -> Custom buttons are hardware buttons that can be added to devices by OEMs. - -In the following example, press-and-hold is disabled for the Back button. - -```xml - - - - - -``` - -If you don't specify a button event, all actions for the button are disabled. In the next example, all actions are disabled for the camera button. - -```xml - - - - - -``` - -### ButtonRemapList - -ButtonRemapList lets you change the app that a button will run. You can remap the Search button and any custom buttons included by the OEM. You can't remap the Back, Start, or Camera buttons. - -> [!WARNING] -> Button remapping can enable a user to open an application that is not in the allow list for that user role. Use button lock down to prevent application access for a user role. - -To remap a button, you specify the button, the event, and the product ID for the app that you want the event to open. -In the following example, when a user presses the Search button, the phone dialer will open instead of the Search app. - -```xml - - - - - -``` - -## CSPRunner - -![XML for CSP Runner](images/CSPRunnerXML.jpg) - -You can use CSPRunner to include settings that are not defined in AssignedAccessXML. For example, you can include settings from other sections of EnterpriseAssignedAccess CSP, such as lockscreen, theme, and time zone. You can also include settings from other CSPs, such as [Wi-Fi CSP](https://go.microsoft.com/fwlink/p/?LinkID=717460) or [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx). - -CSPRunner is helpful when you are configuring a device to support multiple roles. It lets you apply different policies according to the role that is signed on. For example, Wi-Fi could be enabled for a supervisor role and disabled for a stocking clerk role. - -In CSPRunner, you specify the CSP and settings using SyncML, a standardized markup language for device management. A SyncML section can include multiple settings, or you can use multiple SyncML sections -- it's up to you how you want to organize settings in this section. - -> [!NOTE] -> This description of SyncML is just the information that you need to use SyncML in a lockdown XML file. To learn more about SyncML, see [Structure of OMA DM provisioning files](https://msdn.microsoft.com/windows/hardware/dn914774.aspx). - -Let's start with the structure of SyncML in the following example: - -```xml -SyncML> - - | - # - - - CSP Path - - - Data Type - - Value - - | - - - -``` - -This table explains the parts of the SyncML structure. - -SyncML entry | Description ----|--- -**Add** or **Replace** | Use **Add** to apply a setting or policy that is not already configured. Use **Replace** to change an existing setting or policy. -**CmdID** | SyncBody can contain multiple commands. Each command in a lockdown XML file must have a different **CmdID** value. -**Item** | **Item** is a wrapper for a single setting. You can include multiple items for the command if they all use the same **Add** or **Replace** operation. -**Target > LocURI** | **LocURI** is the path to the CSP. -**Meta > Format** | The data format required by the CSP. -**Data** | The value for the setting. - - -## Menu items - -![XML for menu items](images/MenuItemsXML.png) - -Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Apps list. You can include this entry in the default profile and in any additional user role profiles that you create. - -```xml - - - -``` - -## Settings - -![XML for settings](images/SettingsXML.png) - -The **Settings** section contains an `allow` list of pages in the Settings app. The following example allows all settings. - -```xml - - - - ``` -In the following example, all system setting pages are enabled. - -```xml - - - - - - - - - - - - -``` - -If you list a setting or quick action in **Settings**, all settings and quick actions that are not listed are blocked. To remove access to all of the settings in the system, do not include the settings application in [Apps](#apps). - -For a list of the settings and quick actions that you can allow or block, see [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md). - - - ## Tiles - - ![XML for tiles](images/TilesXML.png) - - By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile. - - > [!IMPORTANT] - > If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile. - - ```xml - - - - ``` - - ## Start screen size - - Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: - * Small sets the width to 4 columns on devices with short axis (less than 400epx) or 6 columns on devices with short axis (greater than or equal to 400epx). - * Large sets the width to 6 columns on devices with short axis (less than 400epx) or 8 columns on devices with short axis (greater than or equal to 400epx). - - - If you have existing lockdown xml, you must update start screen size if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. - - [Learn about effective pixel width (epx) for different device size classes.](https://go.microsoft.com/fwlink/p/?LinkId=733340) - - - ## Configure additional roles - - You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied. - - [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](https://msdn.microsoft.com/library/windows/apps/windows.embedded.devicelockdown). - - In the XML file, you define each role with a GUID and name, as shown in the following example: - - ```xml - - ``` - - You can create a GUID using a GUID generator -- free tools are available online. The GUID needs to be unique within this XML file. - - You can configure the same settings for each role as you did for the default role, except Start screen size which can only be configured for the default role. If you use CSPRunner with roles, be aware that the last CSP setting applied will be retained across roles unless explicitly changed in each role configuration. CSP settings applied by CSPRunner may conflict with settings applied by MDM. - - ```xml - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Add lockdown XML to a provisioning package - - -Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](https://go.microsoft.com/fwlink/p/?LinkId=526740) - -1. Follow the instructions at [Build and apply a provisioning package](https://go.microsoft.com/fwlink/p/?LinkID=629651) to create a project, selecting **Common to all Windows mobile editions** for your project. - -2. In **Available customizations**, go to **Runtime settings** > **EmbeddedLockdownProfiles** > **AssignedAccessXml**. - -3. In the center pane, click **Browse** to locate and select the lockdown XML file that you created. - - ![browse button](images/icdbrowse.png) - -4. On the **File** menu, select **Save.** - -5. On the **Export** menu, select **Provisioning package**. - -6. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -7. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. - -8. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. - - Optionally, you can click **Browse** to change the default output location. - -9. Click **Next**. - -10. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -11. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -After you build the provisioning package, follow the instructions for [applying a provisioning package at runtime to Windows 10 Mobile](https://go.microsoft.com/fwlink/p/?LinkID=619164). - -## Push lockdown XML using MDM - - -After you deploy your devices, you can still configure lockdown settings through your MDM solution if it supports the [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601). - -To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as < in place of <). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device. - -## Full Lockdown.xml example - -```xml - - - - - - - - - Large - - 0 - 0 - - - - - - - Small - - 0 - 2 - - - - - - - Medium - - 2 - 2 - - - - - - - - - - - - - - - - - - - - - - - - - - 1 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID - - - int - - - 7 - - - - - - - - - 1 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground - - - int - - - 1 - - - - - - - - - 2 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName - - - chr - text/plain - - c:\windows\system32\lockscreen\480x800\Wallpaper_05.jpg - - - - - - - - - - - - - - - - - - - - - - - - - Small - - - - - - - - - Small - - 0 - 0 - - - - - - - Large - - 0 - 2 - - - - - - - - - - - - 1 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID - - - int - - - 10 - - - - - - - - - 1 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground - - - int - - - 0 - - - - - - - - - 2 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName - - - chr - text/plain - - c:\windows\system32\lockscreen\480x800\Wallpaper_08.jpg - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Small - - 0 - 0 - - - - - - - Small - - 1 - 0 - - - - - - - Medium - - 2 - 0 - - - - - - - - - Small - - 0 - 2 - - - - - - - Medium - - 2 - 2 - - - - - - - - - - - - 1 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID - - - int - - - 2 - - - - - - - - - 1 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground - - - int - - - 1 - - - - - - - - - 2 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName - - - chr - text/plain - - c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg - - - - - - - - - - - - - - - - - - - -``` - -## Learn more - -[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508) - -## Related topics - - -[Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) - -[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) - -  - -  - - - - - diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md deleted file mode 100644 index 83ba743e69..0000000000 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ /dev/null @@ -1,1362 +0,0 @@ ---- -title: Manage connections from Windows operating system components to Microsoft services (Windows 10) -description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. -ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -localizationpriority: high -author: brianlic-msft ---- - -# Manage connections from Windows operating system components to Microsoft services - -**Applies to** - -- Windows 10 -- Windows Server 2016 - -If you're looking for content on what each telemetry level means and how to configure it in your organization, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md). - -Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. - -If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. - -You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. - -To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](../keep-secure/windows-security-baselines.md) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article. - -We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. - -## What's new in Windows 10, version 1607 and Windows Server 2016 - -Here's a list of changes that were made to this article for Windows 10, version 1607 and Windows Server 2016: - -- Added instructions on how to turn off speech recognition and speech synthesis model updates in [14.5 Speech, inking, & typing](#bkmk-priv-speech). -- Added instructions on how to turn off flip ahead with an Internet Explorer Group Policy. -- Added a section on how to turn off automatic root updates to stop updating the certificate trust list in [1. Certificate trust lists](#certificate-trust-lists). -- Added a new setting in [25. Windows Update](#bkmk-wu). -- Changed the NCSI URL in [11. Network Connection Status Indicator](#bkmk-ncsi). -- Added a section on how to turn off features that depend on Microsoft Account cloud authentication service [10. Microsoft Account](#bkmk-microsoft-account). - -- Added the following Group Policies: - - - Turn off unsolicited network traffic on the Offline Maps settings page - - Turn off all Windows spotlight features - -## Settings - - -The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. - -If you're running Windows 10, they will be included in the next update for the Long Term Servicing Branch. - -### Settings for Windows 10 Enterprise, version 1607 - -See the following table for a summary of the management settings for Windows 10 Enterprise, version 1607. - -| Setting | UI | Group Policy | MDM policy | Registry | Command line | -| - | :-: | :-: | :-: | :-: | :-: | -| [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | -| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | | -| [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | | -| [9. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | -| [10. Microsoft Account](#bkmk-microsoft-account) | | | | ![Check mark](images/checkmark.png) | | -| [11. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | | | -| [13. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -| [14. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [15. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | -| [16. Settings > Privacy](#bkmk-settingssection) | | | | | | -|     [16.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -|     [16.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -|     [16.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.13 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.14 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.15 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.16 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | | | | | -|     [16.17 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [18. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | -| [20. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [21. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [22. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | -| [23. Windows spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | | | -| [25. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | - -### Settings for Windows Server 2016 with Desktop Experience - -See the following table for a summary of the management settings for Windows Server 2016 with Desktop Experience. - -| Setting | UI | Group Policy | Registry | Command line | -| - | :-: | :-: | :-: | :-: | -| [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | -| [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | -| [10. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | | -| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | | -| [14. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | | -| [16. Settings > Privacy](#bkmk-settingssection) | | | | | -|     [16.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | | | -| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [21. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [22. Windows Media Player](#bkmk-wmp) | | | | ![Check mark](images/checkmark.png) | -| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | | -| [26. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | - -### Settings for Windows Server 2016 Server Core - -See the following table for a summary of the management settings for Windows Server 2016 Server Core. - -| Setting | Group Policy | Registry | Command line | -| - | :-: | :-: | :-: | :-: | :-: | -| [1. Certificate trust lists](#certificate-trust-lists) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [3. Date & Time](#bkmk-datetime) | | ![Check mark](images/checkmark.png) | | -| [5. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [12. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | | | -| [17. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | | | -| [19. Teredo](#bkmk-teredo) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [21. Windows Defender](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | - -### Settings for Windows Server 2016 Nano Server - -See the following table for a summary of the management settings for Windows Server 2016 Nano Server. - -| Setting | Registry | Command line | -| - | :-: | :-: | :-: | :-: | :-: | -| [1. Certificate trust lists](#certificate-trust-lists) | ![Check mark](images/checkmark.png) | | -| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | -| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | -| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | | - -## Settings - -Use the following sections for more information about how to configure each setting. - -### 1. Certificate trust lists - -A certificate trust list is a predefined list of items, such as a list of certificate hashes or a list of file name, that are signed by a trusted entity. Windows automatically downloads an updated certificate trust list when it is available. - -To turn off the automatic download of an updated certificate trust list, you can turn off automatic root updates, which also includes the disallowed certificate list and the pin rules list. - -For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core: - -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update** - - -and- - -1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**. -2. Double-click **Certificate Path Validation Settings**. -3. On the **Network Retrieval** tab, select the **Define these policy settings** check box. -4. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box, and then click **OK**. - - -or- - -- Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, called **DisableRootAutoUpdate**, with a value of 1. - - -and- - -1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**. -2. Double-click **Certificate Path Validation Settings**. -3. On the **Network Retrieval** tab, select the **Define these policy settings** check box. -4. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box, and then click **OK**. - -On Windows Server 2016 Nano Server: - -- Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, called **DisableRootAutoUpdate**, with a value of 1. - ->[!NOTE] ->CRL and OCSP network traffic is currently whitelisted and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. - -### 2. Cortana and Search - -Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730683). - -### 2.1 Cortana and Search Group Policies - -Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**. - -| Policy | Description | -|------------------------------------------------------|---------------------------------------------------------------------------------------| -| Allow Cortana | Choose whether to let Cortana install and run on the device.

    Disable this policy to turn off Cortana. | -| Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results.

    Disable this policy to block access to location information for Cortana. | -| Do not allow web search | Choose whether to search the web from Windows Desktop Search.

    Enable this policy to remove the option to search the Internet from Cortana. | -| Don't search the web or display web results in Search| Choose whether to search the web from Cortana.

    Enable this policy to stop web queries and results from showing in Search. | -| Set what information is shared in Search | Control what information is shared with Bing in Search.

    If you enable this policy and set it to **Anonymous info**, usage information will be shared but not search history, Microsoft Account information, or specific location. | - -In Windows 10, version 1507 and Windows 10, version 1511, when you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. - ->[!IMPORTANT] ->These steps are not required for devices running Windows 10, version 1607 or Windows Server 2016. - -1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. - -2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. - -3. On the **Rule Type** page, click **Program**, and then click **Next**. - -4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**. - -5. On the **Action** page, click **Block the connection**, and then click **Next**. - -6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**. - -7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.** - -8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**. - -9. Configure the **Protocols and Ports** page with the following info, and then click **OK**. - - - For **Protocol type**, choose **TCP**. - - - For **Local port**, choose **All Ports**. - - - For **Remote port**, choose **All ports**. - - -If your organization tests network traffic, do not use a network proxy as Windows Firewall does not block proxy traffic. Instead, use a network traffic analyzer. Based on your needs, there are many network traffic analyzers available at no cost. - -### 2.2 Cortana and Search MDM policies - -For Windows 10 only, the following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - -| Policy | Description | -|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Experience/AllowCortana | Choose whether to let Cortana install and run on the device. | -| Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results.
    Default: Allowed| - -### 3. Date & Time - -You can prevent Windows from setting the time automatically. - -- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically** - - -or- - -- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**. - -### 4. Device metadata retrieval - -To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. - -### 5. Font streaming - -Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. - -If you're running Windows 10, version 1607 or Windows Server 2016, disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**. - -If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. - -> [!NOTE] -> After you apply this policy, you must restart the device for it to take effect. - - -### 6. Insider Preview builds - -The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. - -> [!NOTE] -> This setting stops communication with the Windows Insider Preview service that checks for new builds. Windows Insider Preview builds only apply to Windows 10 and are not available for Windows Server 2016. - -To turn off Insider Preview builds for a released version of Windows 10: - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. - -To turn off Insider Preview builds for Windows 10: - -> [!NOTE] -> If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. - -- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. - - -or- - -- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: - - - **0**. Users cannot make their devices available for downloading and installing preview software. - - - **1**. Users can make their devices available for downloading and installing preview software. - - - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. - - -or- - -- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where: - - - **0**. Users cannot make their devices available for downloading and installing preview software. - - - **1**. Users can make their devices available for downloading and installing preview software. - - - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. - -### 7. Internet Explorer - -Use Group Policy to manage settings for Internet Explorer. You can find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. - -| Policy | Description | -|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
    Default: Enabled
    You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.| -| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.
    Default: Enabled| -| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
    Default: Disabled
    You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| -| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
    Default: Enabled | -| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
    Default: Disabled| - -There are two more Group Policy objects that are used by Internet Explorer: - -| Path | Policy | Description | -| - | - | - | -| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
    Default: Enabled | -| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices.
    Default: Enabled | - -### 7.1 ActiveX control blocking - -ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). - -For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx). - -### 8. Live Tiles - -To turn off Live Tiles: - -- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage** - -### 9. Mail synchronization - -To turn off mail synchronization for Microsoft Accounts that are configured on a device: - -- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts. - - -or- - -- Remove any Microsoft Accounts from the Mail app. - - -or- - -- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device. - -To turn off the Windows Mail app: - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** - -### 10. Microsoft Account - -To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. - -- Change the **Start** REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to 4. - - -### 11. Microsoft Edge - -Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682). - -### 11.1 Microsoft Edge Group Policies - -Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. - -> [!NOTE] -> The Microsoft Edge Group Policy names were changed in Windows 10, version 1607. The table below reflects those changes. - -| Policy | Description | -|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Configure autofill | Choose whether employees can use autofill on websites.
    Default: Enabled | -| Configure Do Not Track | Choose whether employees can send Do Not Track headers.
    Default: Disabled | -| Configure password manager | Choose whether employees can save passwords locally on their devices.
    Default: Enabled | -| Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions.
    Default: Enabled | -| Configure SmartScreen Filter | Choose whether SmartScreen is turned on or off.
    Default: Enabled | -| Allow web content on New Tab page | Choose whether a new tab page appears.
    Default: Enabled | -| Configure Home pages | Choose the corporate Home page for domain-joined devices.
    Set this to **about:blank** | - - -The Windows 10, version 1511 Microsoft Edge Group Policy names are: - -| Policy | Description | -|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Turn off autofill | Choose whether employees can use autofill on websites.
    Default: Enabled | -| Allow employees to send Do Not Track headers | Choose whether employees can send Do Not Track headers.
    Default: Disabled | -| Turn off password manager | Choose whether employees can save passwords locally on their devices.
    Default: Enabled | -| Turn off address bar search suggestions | Choose whether the address bar shows search suggestions.
    Default: Enabled | -| Turn off the SmartScreen Filter | Choose whether SmartScreen is turned on or off.
    Default: Enabled | -| Open a new tab with an empty tab | Choose whether a new tab page appears.
    Default: Enabled | -| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
    Set this to **about:blank** | - -### 11.2 Microsoft Edge MDM policies - -The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - -| Policy | Description | -|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Browser/AllowAutoFill | Choose whether employees can use autofill on websites.
    Default: Allowed | -| Browser/AllowDoNotTrack | Choose whether employees can send Do Not Track headers.
    Default: Not allowed | -| Browser/AllowPasswordManager | Choose whether employees can save passwords locally on their devices.
    Default: Allowed | -| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
    Default: Allowed | -| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
    Default: Allowed | - - -For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). - -### 12. Network Connection Status Indicator - -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCSI, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). - -In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was http://www.msftncsi.com. - -You can turn off NCSI through Group Policy: - -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** - -> [!NOTE] -> After you apply this policy, you must restart the device for the policy setting to take effect. - -### 13. Offline maps - -You can turn off the ability to download and update offline maps. - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** - - -and- - -- In Windows 10, version 1607 and later, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page** - -### 14. OneDrive - -To turn off OneDrive in your organization: - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** - -### 15. Preinstalled apps - -Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section. - -To remove the News app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage** - -To remove the Weather app: - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage** - -To remove the Money app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage** - -To remove the Sports app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage** - -To remove the Twitter app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage** - -To remove the XBOX app: - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage** - -To remove the Sway app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage** - -To remove the OneNote app: - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage** - -To remove the Get Office app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage** - -To remove the Get Skype app: - -- Right-click the Sports app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage** - -### 16. Settings > Privacy - -Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. - -- [16.1 General](#bkmk-general) - -- [16.2 Location](#bkmk-priv-location) - -- [16.3 Camera](#bkmk-priv-camera) - -- [16.4 Microphone](#bkmk-priv-microphone) - -- [16.5 Notifications](#bkmk-priv-notifications) - -- [16.6 Speech, inking, & typing](#bkmk-priv-speech) - -- [16.7 Account info](#bkmk-priv-accounts) - -- [16.8 Contacts](#bkmk-priv-contacts) - -- [16.9 Calendar](#bkmk-priv-calendar) - -- [16.10 Call history](#bkmk-priv-callhistory) - -- [16.11 Email](#bkmk-priv-email) - -- [16.12 Messaging](#bkmk-priv-messaging) - -- [16.13 Radios](#bkmk-priv-radios) - -- [16.14 Other devices](#bkmk-priv-other-devices) - -- [16.15 Feedback & diagnostics](#bkmk-priv-feedback) - -- [16.16 Background apps](#bkmk-priv-background) - -- [16.17 Motion](#bkmk-priv-motion) - -### 16.1 General - -**General** includes options that don't fall into other areas. - -To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**: - -> [!NOTE] -> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. - - -or- - -- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). - -To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**. - - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. - - -or- - -- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. - - -or- - -- Create a provisioning package, using: - - - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen** - - - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen** - - -or- - -- Create a REG\_DWORD registry setting called **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost**, with a value of 0 (zero). - -To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: - -> [!NOTE] -> If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically. - - - -- Turn off the feature in the UI. - - -or- - -- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: - - - **0**. Not allowed - - - **1**. Allowed (default) - -To turn off **Let websites provide locally relevant content by accessing my language list**: - -- Turn off the feature in the UI. - - -or- - -- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1. - -To turn off **Let apps on my other devices open apps and continue experiences on this devices**: - -- Turn off the feature in the UI. - - -or- - -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**. - -To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**: - -- Turn off the feature in the UI. - -### 16.2 Location - -In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location. - -To turn off **Location for this device**: - -- Click the **Change** button in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. - - -or- - -- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Turned off and the employee can't turn it back on. - - - **1**. Turned on, but lets the employee choose whether to use it. (default) - - - **2**. Turned on and the employee can't turn it off. - - > [!NOTE] - > You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). - - -or- - -- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where - - - **No**. Turns off location service. - - - **Yes**. Turns on location service. (default) - -To turn off **Location**: - -- Turn off the feature in the UI. - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** - - - Set the **Select a setting** box to **Force Deny**. - - -or- - -To turn off **Location history**: - -- Erase the history using the **Clear** button in the UI. - -To turn off **Choose apps that can use your location**: - -- Turn off each app using the UI. - -### 16.3 Camera - -In the **Camera** area, you can choose which apps can access a device's camera. - -To turn off **Let apps use my camera**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera** - - - Set the **Select a setting** box to **Force Deny**. - - -or- - -- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Apps can't use the camera. - - - **1**. Apps can use the camera. - - > [!NOTE] - > You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). - - -or- - -- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where: - - - **0**. Apps can't use the camera. - - - **1**. Apps can use the camera. - -To turn off **Choose apps that can use your camera**: - -- Turn off the feature in the UI for each app. - -### 16.4 Microphone - -In the **Microphone** area, you can choose which apps can access a device's microphone. - -To turn off **Let apps use my microphone**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose apps that can use your microphone**: - -- Turn off the feature in the UI for each app. - -### 16.5 Notifications - -In the **Notifications** area, you can choose which apps have access to notifications. - -To turn off **Let apps access my notifications**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access my notifications** - - - Set the **Select a setting** box to **Force Deny**. - -### 16.6 Speech, inking, & typing - -In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. - -> [!NOTE] -> For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article. - -To turn off the functionality: - -- Click the **Stop getting to know me** button, and then click **Turn off**. - - -or- - -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning** - - -or- - -- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero). - - -and- - -- Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero). - - -If you're running at least Windows 10, version 1607, you can turn off updates to the speech recognition and speech synthesis models: - -Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Speech_AllowSpeechModelUpdate), where: - -- **0** (default). Not allowed. -- **1**. Allowed. - - -or- - -- Create a REG\_DWORD registry setting called **ModelDownloadAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Preferences**, with a value of 0 (zero). - -### 16.7 Account info - -In the **Account Info** area, you can choose which apps can access your name, picture, and other account info. - -To turn off **Let apps access my name, picture, and other account info**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose the apps that can access your account info**: - -- Turn off the feature in the UI for each app. - -### 16.8 Contacts - -In the **Contacts** area, you can choose which apps can access an employee's contacts list. - -To turn off **Choose apps that can access contacts**: - -- Turn off the feature in the UI for each app. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** - - - Set the **Select a setting** box to **Force Deny**. - -### 16.9 Calendar - -In the **Calendar** area, you can choose which apps have access to an employee's calendar. - -To turn off **Let apps access my calendar**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose apps that can access calendar**: - -- Turn off the feature in the UI for each app. - -### 16.10 Call history - -In the **Call history** area, you can choose which apps have access to an employee's call history. - -To turn off **Let apps access my call history**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history** - - - Set the **Select a setting** box to **Force Deny**. - -### 16.11 Email - -In the **Email** area, you can choose which apps have can access and send email. - -To turn off **Let apps access and send email**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email** - - - Set the **Select a setting** box to **Force Deny**. - -### 16.12 Messaging - -In the **Messaging** area, you can choose which apps can read or send messages. - -To turn off **Let apps read or send messages (text or MMS)**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose apps that can read or send messages**: - -- Turn off the feature in the UI for each app. - -### 16.13 Radios - -In the **Radios** area, you can choose which apps can turn a device's radio on or off. - -To turn off **Let apps control radios**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose apps that can control radios**: - -- Turn off the feature in the UI for each app. - -### 16.14 Other devices - -In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info. - -To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices** - -To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices** - - - Set the **Select a setting** box to **Force Deny**. - -### 16.15 Feedback & diagnostics - -In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. - -To change how frequently **Windows should ask for my feedback**: - -> [!NOTE] -> Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device. - - - -- To change from **Automatically (Recommended)**, use the drop-down list in the UI. - - -or- - -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications** - - -or- - -- Create the registry keys (REG\_DWORD type): - - - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds - - - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod - - Based on these settings: - - | Setting | PeriodInNanoSeconds | NumberOfSIUFInPeriod | - |---------------|-----------------------------|-----------------------------| - | Automatically | Delete the registry setting | Delete the registry setting | - | Never | 0 | 0 | - | Always | 100000000 | Delete the registry setting | - | Once a day | 864000000000 | 1 | - | Once a week | 6048000000000 | 1 | - - - -To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**: - -- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**. - - > [!NOTE] - > You can't use the UI to change the telemetry level to **Security**. - - - - -or- - -- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** - - -or- - -- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Maps to the **Security** level. - - - **1**. Maps to the **Basic** level. - - - **2**. Maps to the **Enhanced** level. - - - **3**. Maps to the **Full** level. - - -or- - -- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where: - - - **0**. Maps to the **Security** level. - - - **1**. Maps to the **Basic** level. - - - **2**. Maps to the **Enhanced** level. - - - **3**. Maps to the **Full** level. - -### 16.16 Background apps - -In the **Background Apps** area, you can choose which apps can run in the background. - -To turn off **Let apps run in the background**: - -- Turn off the feature in the UI for each app. - - - Set the **Select a setting** box to **Force Deny**. - -### 16.17 Motion - -In the **Motion** area, you can choose which apps have access to your motion data. - -To turn off **Let Windows and your apps use your motion data and collect motion history**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access motion** - -### 17. Software Protection Platform - -Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following: - -For Windows 10: - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation** - - -or- - -- Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled. - -For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core: - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation** - -The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. - -### 18. Sync your settings - -You can control if your settings are synchronized: - -- In the UI: **Settings** > **Accounts** > **Sync your settings** - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync** - - -or- - -- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. - - -or- - -- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where - - - **No**. Settings are not synchronized. - - - **Yes**. Settings are synchronized. (default) - -To turn off Messaging cloud sync: - -- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero). - -### 19. Teredo - -You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx). - ->[!NOTE] ->If you disable Teredo, some XBOX gaming features and Windows Update Delivery Optimization will not work. - -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**. - - -or- - -- From an elevated command prompt, run **netsh interface teredo set state disabled** - -### 20. Wi-Fi Sense - -Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them. - -To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**: - -- Turn off the feature in the UI. - - -or- - -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**. - - -or- - -- Create a new REG\_DWORD registry setting called **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config**, with a value of 0 (zero). - - -or- - -- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620909). - - -or- - -- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620910). - -When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. - -### 21. Windows Defender - -You can disconnect from the Microsoft Antimalware Protection Service. - -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS** - - -or- - -- For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - - -or- - -- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero). - - -and- - - From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0** - -You can stop sending file samples back to Microsoft. - -- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. - - -or- - -- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Always prompt. - - - **1**. (default) Send safe samples automatically. - - - **2**. Never send. - - - **3**. Send all samples automatically. - - -or- - -- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send. - -You can stop downloading definition updates: - -- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. - - -and- - -- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. - -For Windows 10 only, you can stop Enhanced Notifications: - -- Turn off the feature in the UI. - -You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. - -### 22. Windows Media Player - -To remove Windows Media Player on Windows 10: - -- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**. - - -or- - -- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** - -To remove Windows Media Player on Windows Server 2016: - -- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** - -### 23. Windows spotlight - -Windows spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or through Group Policy. - -If you're running Windows 10, version 1607 or later, you only need to enable the following Group Policy: - -- **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features** - -If you're not running Windows 10, version 1607 or later, you can use the other options in this section. - -- Configure the following in **Settings**: - - - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**. - - > [!NOTE] - > In Windows 10, version 1507 and Windows 10, version 1511, this setting was called **Show me tips, tricks, and more on the lock screen**. - - - **Personalization** > **Start** > **Occasionally show suggestions in Start**. - - - **System** > **Notifications & actions** > **Show me tips about Windows**. - - -or- - -- Apply the Group Policies: - - - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. - - Add a location in the **Path to local lock screen image** box. - - - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. - - > [!NOTE] - > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. - - - - - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**. - - - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. - -For more info, see [Windows Spotlight on the lock screen](../manage/windows-spotlight.md). - -### 24. Windows Store - -You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. On Windows Server 2016, this will block Windows Store calls from Universal Windows Apps. - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. - -### 25. Windows Update Delivery Optimization - -Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. - -By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. - -Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization. - -In Windows 10, version 1607, you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Simple** (99) or **Bypass** (100), as described below. - -### 25.1 Settings > Update & security - -You can set up Delivery Optimization from the **Settings** UI. - -- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. - -### 25.2 Delivery Optimization Group Policies - -You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. - -| Policy | Description | -|---------------------------|-----------------------------------------------------------------------------------------------------| -| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including

    • None. Turns off Delivery Optimization.

    • Group. Gets or sends updates and apps to PCs on the same local network domain.

    • Internet. Gets or sends updates and apps to PCs on the Internet.

    • LAN. Gets or sends updates and apps to PCs on the same NAT only.

    • Simple. Simple download mode with no peering.

    • Bypass. Use BITS instead of Windows Update Delivery Optimization.

    | -| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates.
    **Note:** This ID must be a GUID.| -| Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
    The default value is 259200 seconds (3 days).| -| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
    The default value is 20, which represents 20% of the disk.| -| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
    The default value is 0, which means unlimited possible bandwidth.| - -### 25.3 Delivery Optimization MDM policies - -The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - -| Policy | Description | -|---------------------------|-----------------------------------------------------------------------------------------------------| -| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
    • 0. Turns off Delivery Optimization.

    • 1. Gets or sends updates and apps to PCs on the same NAT only.

    • 2. Gets or sends updates and apps to PCs on the same local network domain.

    • 3. Gets or sends updates and apps to PCs on the Internet.

    • 99. Simple download mode with no peering.

    • 100. Use BITS instead of Windows Update Delivery Optimization.

    | -| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
    **Note** This ID must be a GUID.| -| DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
    The default value is 259200 seconds (3 days).| -| DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size.
    The default value is 20, which represents 20% of the disk.| -| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
    The default value is 0, which means unlimited possible bandwidth.| - - -### 25.4 Delivery Optimization Windows Provisioning - -If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies - -Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windows ADK)](https://go.microsoft.com/fwlink/p/?LinkId=526803), to create a provisioning package for Delivery Optimization. - -1. Open Windows ICD, and then click **New provisioning package**. - -2. In the **Name** box, type a name for the provisioning package, and then click **Next.** - -3. Click the **Common to all Windows editions** option, click **Next**, and then click **Finish**. - -4. Go to **Runtime settings** > **Policies** > **DeliveryOptimization** to configure the policies. - -For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684). - -### 26. Windows Update - -You can turn off Windows Update by setting the following registry entries: - -- Add a REG\_DWORD value called **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. - - -and- - -- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. - - -and- - -- Add a REG\_DWORD value called **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1. - - -You can turn off automatic updates by doing one of the following. This is not recommended. - -- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5. - - -or- - -- For Windows 10 only, apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Notify the user before downloading the update. - - - **1**. Auto install the update and then notify the user to schedule a device restart. - - - **2** (default). Auto install and restart. - - - **3**. Auto install and restart at a specified time. - - - **4**. Auto install and restart without end-user control. - - - **5**. Turn off automatic updates. - -To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx). diff --git a/windows/manage/manage-tips-and-suggestions.md b/windows/manage/manage-tips-and-suggestions.md deleted file mode 100644 index 547f77a1aa..0000000000 --- a/windows/manage/manage-tips-and-suggestions.md +++ /dev/null @@ -1,64 +0,0 @@ ---- -title: Manage Windows 10 and Windows Store tips, tricks, and suggestions (Windows 10) -description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees. -keywords: ["device management"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: devices -author: jdeckerMS -localizationpriority: high ---- - -# Manage Windows 10 and Windows Store tips, tricks, and suggestions - - -**Applies to** - -- Windows 10 - - -Since its inception, Windows 10 has included a number of user experience features that provide useful tips, tricks, and suggestions as you use Windows, as well as app suggestions from the Windows Store. These features are designed to help people get the most out of their Windows 10 experience by, for example, sharing new features, providing more details on the features they use, or sharing content available in the Windows Store. Examples of such user experiences include: - -* **Windows Spotlight on the lock screen**. Daily updated images on the lock screen that can include additional facts and tips in “hotspots” that are revealed on hover. - -* **Start menu app suggestions**. App suggestions in Start that recommend productivity tool or utilities from the Windows Store. - -* **Additional apps on Start**. Additional apps pre-installed on the Start screen which can enhance the user’s experience. - -* **Windows tips**. Contextual tips that appear based on specific user actions to reveal related Windows features or help users complete a scenario. - -* **Microsoft account notifications**. For users who have a connected Microsoft account, toast notifications about their account like parental control notifications or subscription expiration. - ->[!TIP] -> On all Windows desktop editions, users can directly enable and disable Windows 10 tips, tricks, and suggestions and Windows Store suggestions. For example, users are able to select personal photos for the lock screen as opposed to the images provided by Microsoft, or turn off tips, tricks, or suggestions as they use Windows. - -Windows 10, version 1607 (also known as the Anniversary Update), provides organizations the ability to centrally manage the type of content provided by these features through Group Policy or mobile device management (MDM). The following table describes how administrators can manage suggestions and tips in Windows 10 commercial and education editions. - -## Options available to manage Windows 10 tips and tricks and Windows Store suggestions - -| Windows 10 edition | Disable |Show Microsoft apps only | Show Microsoft and popular third-party apps | -| --- | --- | --- | --- | -| Windows 10 Pro | No | Yes | Yes (default) | -| Windows 10 Enterprise | Yes | Yes | Yes (default) | -| Windows 10 Pro Education | Yes (default) | Yes | No (setting cannot be changed) | -| Windows 10 Education | Yes (default) | Yes | No (setting cannot be changed) | - - - -## Related topics - -- [Manage Windows 10 Start layout](windows-10-start-layout-options-and-policies.md) -- [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) -- [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md) -- [Windows 10 editions for education customers](https://technet.microsoft.com/en-us/edu/windows/windows-editions-for-education-customers) - - -  - -  - - - - - diff --git a/windows/manage/manage-wifi-sense-in-enterprise.md b/windows/manage/manage-wifi-sense-in-enterprise.md deleted file mode 100644 index 6f0d6a2526..0000000000 --- a/windows/manage/manage-wifi-sense-in-enterprise.md +++ /dev/null @@ -1,99 +0,0 @@ ---- -title: Manage Wi-Fi Sense in your company (Windows 10) -description: Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. -ms.assetid: 1845e00d-c4ee-4a8f-a5e5-d00f2735a271 -keywords: ["WiFi Sense", "automatically connect to wi-fi", "wi-fi hotspot connection"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile -author: eross-msft -localizationpriority: medium ---- - -# Manage Wi-Fi Sense in your company -**Applies to:** - -- Windows 10 -- Windows 10 Mobile - ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). - -Wi-Fi Sense learns about open Wi-Fi hotspots your Windows PC or Windows phone connects to by collecting information about the network, like whether the open Wi-Fi network has a high-quality connection to the Internet. By using that information from your device and from other Wi-Fi Sense customers' devices too, Wi-Fi Sense builds a database of these high-quality networks. When you’re in range of one of these Wi-Fi hotspots, you automatically get connected to it. - -The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. - -**Note**
    Wi-Fi Sense isn’t available in all countries or regions. - -## How does Wi-Fi Sense work? -Wi-Fi Sense connects your employees to open Wi-Fi networks. Typically, these are the open (no password required) Wi-Fi hotspots you see when you’re out and about. - -## How to manage Wi-Fi Sense in your company -In a company environment, you will most likely deploy Windows 10 to your employees' PCs using your preferred deployment method and then manage their settings globally. With that in mind, you have a few options for managing how your employees will use Wi-Fi Sense. - -**Important**
    Turning off Wi-Fi Sense stops employees from connecting automatically to open hotspots. - -### Using Group Policy (available starting with Windows 10, version 1511) -You can manage your Wi-Fi Sense settings by using Group Policy and your Group Policy editor. - -**To set up Wi-Fi Sense using Group Policy** - -1. Open your Group Policy editor and go to the `Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services` setting. - - ![Group Policy Editor, showing the Wi-Fi Sense setting](images/wifisense-grouppolicy.png) - -2. Turn Wi-Fi Sense on (enabled) or off (disabled), based on your company's environment. - -### Using the Registry Editor -You can manage your Wi-Fi Sense settings by using registry keys and the Registry Editor. - -**To set up Wi-Fi Sense using the Registry Editor** - -1. Open your Registry Editor and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\` - -2. Create and set a new **DWORD (32-bit) Value** named, **AutoConnectAllowedOEM**, with a **Value data** of **0 (zero)**. -

    Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see [How to configure Wi-Fi Sense on Windows 10 in an enterprise](https://go.microsoft.com/fwlink/p/?LinkId=620959). - - ![Registry Editor, showing the creation of a new DWORD value](images/wifisense-registry.png) - -### Using the Windows Provisioning settings -You can manage your Wi-Fi Sense settings by changing the Windows provisioning setting, **WiFISenseAllowed**. - -**To set up Wi-Fi Sense using WiFISenseAllowed** - -- Change the Windows Provisioning setting, **WiFISenseAllowed**, to **0**. -

    Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Windows Provisioning settings reference topic, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620909). - -### Using Unattended Windows Setup settings -If your company still uses Unattend, you can manage your Wi-Fi Sense settings by changing the Unattended Windows Setup setting, **WiFiSenseAllowed**. - -**To set up Wi-Fi Sense using WiFISenseAllowed** - -- Change the Unattended Windows Setup setting, **WiFISenseAllowed**, to **0**. -

    Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Unattended Windows Setup Reference topic, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620910). - -### How employees can change their own Wi-Fi Sense settings -If you don’t turn off the ability for your employees to use Wi-Fi Sense, they can turn it on locally by selecting **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings**, and then turning on **Connect to suggested open hotspots**. - -![Wi-Fi Sense options shown to employees if it's not turned off](images/wifisense-settingscreens.png) - -**Important**
    The service that was used to share networks with Facebook friends, Outlook.com contacts, or Skype contacts is no longer available. This means: - -The **Connect to networks shared by my contacts** setting will still appear in **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings** on your PC and in **Settings > Network & wireless > Wi‑Fi > Wi‑Fi Sense** on your phone. However, this setting will have no effect now. Regardless of what it’s set to, networks won’t be shared with your contacts. Your contacts won’t be connected to networks you’ve shared with them, and you won’t be connected to networks they’ve shared with you. - -Even if you selected **Automatically connect to networks shared by your contacts** when you first set up your Windows 10 device, you still won’t be connected to networks your contacts have shared with you. - -If you select the **Share network with my contacts** check box the first time you connect to a new network, the network won’t be shared. - -## Related topics -- [Wi-Fi Sense and Privacy](https://go.microsoft.com/fwlink/p/?LinkId=620911) -- [How to configure Wi-Fi Sense on Windows 10 in an enterprise](https://go.microsoft.com/fwlink/p/?LinkId=620959) - -  - -  - - - - - diff --git a/windows/manage/product-ids-in-windows-10-mobile.md b/windows/manage/product-ids-in-windows-10-mobile.md deleted file mode 100644 index 6fd085952b..0000000000 --- a/windows/manage/product-ids-in-windows-10-mobile.md +++ /dev/null @@ -1,262 +0,0 @@ ---- -title: Product IDs in Windows 10 Mobile (Windows 10) -description: You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. -ms.assetid: 31116BED-C16A-495A-BD44-93218A087A1C -keywords: ["lockdown"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile -author: jdeckerMS -localizationpriority: high ---- - -# Product IDs in Windows 10 Mobile - - -**Applies to** - -- Windows 10 Mobile - -You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. - -## Apps included in Windows 10 Mobile - - -The following table lists the product ID and AUMID for each app that is included in Windows 10 Mobile. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    AppProduct IDAUMID
    Alarms and clock44F7D2B4-553D-4BEC-A8B7-634CE897ED5FMicrosoft.WindowsAlarms_8wekyb3d8bbwe!App
    CalculatorB58171C6-C70C-4266-A2E8-8F9C994F4456Microsoft.WindowsCalculator_8wekyb3d8bbwe!App
    CameraF0D8FEFD-31CD-43A1-A45A-D0276DB069F1Microsoft.WindowsCamera_8wekyb3d8bbwe!App
    Contact Support0DB5FCFF-4544-458A-B320-E352DFD9CA2BWindows.ContactSupport_cw5n1h2txyewy!App
    CortanaFD68DCF4-166F-4C55-A4CA-348020F71B94Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
    ExcelEAD3E7C0-FAE6-4603-8699-6A448138F4DCMicrosoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel
    Facebook82A23635-5BD9-DF11-A844-00237DE2DB9EMicrosoft.MSFacebook_8wekyb3d8bbwe!x82a236355bd9df11a84400237de2db9e
    File ExplorerC5E2524A-EA46-4F67-841F-6A9465D9D515c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy!App
    FM RadioF725010E-455D-4C09-AC48-BCDEF0D4B626N/A
    Get StartedB3726308-3D74-4A14-A84C-867C8C735C3CMicrosoft.Getstarted_8wekyb3d8bbwe!App
    Groove MusicD2B6A184-DA39-4C9A-9E0A-8B589B03DEC0Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic
    MapsED27A07E-AF57-416B-BC0C-2596B622EF7DMicrosoft.WindowsMaps_8wekyb3d8bbwe!App
    Messaging27E26F40-E031-48A6-B130-D1F20388991AMicrosoft.Messaging_8wekyb3d8bbwe!x27e26f40ye031y48a6yb130yd1f20388991ax
    Microsoft Edge395589FB-5884-4709-B9DF-F7D558663FFDMicrosoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
    Money1E0440F1-7ABF-4B9A-863D-177970EEFB5EMicrosoft.BingFinance_8wekyb3d8bbwe!AppexFinance
    Movies and TV6AFFE59E-0467-4701-851F-7AC026E21665Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo
    News9C3E8CAD-6702-4842-8F61-B8B33CC9CAF1Microsoft.BingNews_8wekyb3d8bbwe!AppexNews
    OneDriveAD543082-80EC-45BB-AA02-FFE7F4182BA8Microsoft.MicrosoftSkydrive_8wekyb3d8bbwe!App
    OneNoteCA05B3AB-F157-450C-8C49-A1F127F5E71DMicrosoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim
    Outlook Calendar

    A558FEBA-85D7-4665-B5D8-A2FF9C19799B

    Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Calendar

    Outlook Mail

    A558FEBA-85D7-4665-B5D8-A2FF9C19799B

    Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail

    People60BE1FB8-3291-4B21-BD39-2221AB166481Microsoft.People_8wekyb3d8bbwe!xb94d6231y84ddy49a8yace3ybc955e769e85x
    Phone (dialer)F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7Microsoft.CommsPhone_8wekyb3d8bbwe!App
    PhotosFCA55E1B-B9A4-4289-882F-084EF4145005Microsoft.Windows.Photos_8wekyb3d8bbwe!App
    PodcastsC3215724-B279-4206-8C3E-61D1A9D63ED3Microsoft.MSPodcast_8wekyb3d8bbwe!xc3215724yb279y4206y8c3ey61d1a9d63ed3x
    PowerpointB50483C4-8046-4E1B-81BA-590B24935798Microsoft.Office.PowerPoint_8wekyb3d8bbwe!microsoft.pptim
    Settings2A4E62D8-8809-4787-89F8-69D0F01654FB2a4e62d8-8809-4787-89f8-69d0f01654fb_8wekyb3d8bbwe!App
    SkypeC3F8E570-68B3-4D6A-BDBB-C0A3F4360A51Microsoft.SkypeApp_kzf8qxf38zg5c!Skype.AppId
    Skype Video27E26F40-E031-48A6-B130-D1F20388991AMicrosoft.Messaging_8wekyb3d8bbwe!App
    Sports0F4C8C7E-7114-4E1E-A84C-50664DB13B17Microsoft.BingSports_8wekyb3d8bbwe!AppexSports
    Storage5B04B775-356B-4AA0-AAF8-6491FFEA564DN/A
    Store7D47D89A-7900-47C5-93F2-46EB6D94C159Microsoft.WindowsStore_8wekyb3d8bbwe!App
    Voice recorder7311B9C5-A4E9-4C74-BC3C-55B06BA95AD0Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe!App
    Wallet587A4577-7868-4745-A29E-F996203F1462Microsoft.MicrosoftWallet_8wekyb3d8bbwe!App
    Weather63C2A117-8604-44E7-8CEF-DF10BE3A57C8Microsoft.BingWeather_8wekyb3d8bbwe!App
    Windows Feedback7604089D-D13F-4A2D-9998-33FC02B63CE3Microsoft.WindowsFeedback_8wekyb3d8bbwe!App
    Word258F115C-48F4-4ADB-9A68-1387E634459BMicrosoft.Office.Word_8wekyb3d8bbwe!microsoft.word
    XboxB806836F-EEBE-41C9-8669-19E243B81B83Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp
    - -  - -## Get product ID and AUMID for other apps - - -To get the product ID and AUMID for apps that are installed from Windows Store or installed locally ([side-loaded](https://go.microsoft.com/fwlink/p/?LinkID=623433)), use the following steps. - -**Prerequisites**: a device with an SD card inserted and all apps installed that you want to get IDs for - -1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**. - -2. Tap **Apps**, tap to select the app that you want to get IDs for, and then tap done ![done button](images/doneicon.png) - -3. Tap **advanced**, and then **tap export to SD card**. - -4. Connect the device to a PC using USB, and then open the WEHLockdown.xml file on the SD card of the device to view the product ID and AUMID for each app. - -## Related topics - - -[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) - -[Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) - -  - -  - - - - - diff --git a/windows/manage/set-up-a-device-for-anyone-to-use.md b/windows/manage/set-up-a-device-for-anyone-to-use.md deleted file mode 100644 index f274498ed1..0000000000 --- a/windows/manage/set-up-a-device-for-anyone-to-use.md +++ /dev/null @@ -1,89 +0,0 @@ ---- -title: Set up a device for anyone to use (kiosk mode) (Windows 10) -description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app. -ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8 -keywords: ["kiosk", "lockdown", "assigned access"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Set up a device for anyone to use (kiosk mode) - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -**Looking for Windows Embedded 8.1 Industry information?** - -- [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653) - -You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select. - -Do you need a computer that can only do one thing? For example: - -- A device in the lobby that customers can use to view your product catalog. - -- A portable device that drivers can use to check a route on a map. - -- A device that a temporary worker uses to enter data. - -The following table identifies the type of application that can be used on each Windows 10 edition to create a kiosk device. - -> [!NOTE]   -> A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. - -  - -| Windows 10 edition | Universal Windows app | Classic Windows application | -|--------------------|------------------------------------|--------------------------------------| -| Mobile | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | -| Mobile Enterprise | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | -| Pro | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | -| Enterprise | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | -| Education | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | - -  - -## In this section - - - ---- - - - - - - - - - - - - - - - - -
    TopicDescription

    [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)

    A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the assigned access feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use Shell Launcher to set a custom user interface as the shell.

    [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)

    A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience.

    - - ## Learn more - -[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508) - -  - -  - - - - - diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md deleted file mode 100644 index 211f47f9c2..0000000000 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ /dev/null @@ -1,444 +0,0 @@ ---- -title: Set up a kiosk on Windows 10 Pro, Enterprise, or Education (Windows 10) -description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -keywords: ["assigned access", "kiosk", "lockdown"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Set up a kiosk on Windows 10 Pro, Enterprise, or Education - - -**Applies to** - -- Windows 10 - -> **Looking for Windows Embedded 8.1 Industry information?** See [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653) - -A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). - -**Note**   -A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. - -  - -## Other settings to lock down - - -For a more secure kiosk experience, we recommend that you make the following configuration changes to the device: - -- Put device in **Tablet mode**. - - If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** - -- Hide **Ease of access** feature on the logon screen. - - Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. - -- Disable the hardware power button. - - Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. - -- Remove the power button from the sign-in screen. - - Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** - -- Disable the camera. - - Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. - -- Turn off app notifications on the lock screen. - - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. - -- Disable removable media. - - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation. - - **Note**   - To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. - -   - -## Assigned access method for Universal Windows apps - - -Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access: - -| Method | Account type | Windows 10 edition | -| --- | --- | --- | -| [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education | -| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Enterprise, Education | -| [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) | All (domain, local standard, local administrator, etc) | Enterprise, Education | -| [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education | - - - -### Requirements - -- A domain or local user account. - -- A Universal Windows app that is installed or provisioned for that account and is an above lock screen app. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](https://go.microsoft.com/fwlink/p/?LinkId=708386). - - The app can be your own company app that you have made available in your own app Store. To set up assigned access using MDM or PowerShell, you also need the Application User Model ID (AUMID) for the app. [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). - - The Universal Windows app must be able to handle multiple views and cannot launch other apps or dialogs. - -**Note**   -Assigned access does not work on a device that is connected to more than one monitor. - -  - -### Set up assigned access in PC settings - -1. Go to **Start** > **Settings** > **Accounts** > **Other users**. - -2. Choose **Set up assigned access**. - -3. Choose an account. - -4. Choose an app. Only apps that can run above the lock screen will be displayed. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). - -5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. - -To remove assigned access, in step 3, choose **Don't use assigned access**. - -### Set up assigned access in MDM - -Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you enter the user account name and AUMID for the app to run in kiosk mode. - -[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). - -[See the technical reference for the Assigned Access configuration service provider.](https://go.microsoft.com/fwlink/p/?LinkId=626608) - -### Set up assigned access using Windows Imaging and Configuration Designer (ICD) - -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - -> **Important** -When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -**Create a provisioning package for a kiosk device** - -1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). - -2. Choose **Advanced provisioning**. - -3. Name your project, and click **Next**. - -4. Choose **All Windows desktop editions** and click **Next**. - -5. On **New project**, click **Finish**. The workspace for your package opens. - -6. Expand **Runtime settings** > **AssignedAccess**, and click **AssignedAccessSettings**. - -7. Enter a string to specify the user account and app (by AUMID). For example: - - "Account":"contoso\\\\kiosk","AUMID":"8f82d991-f842-44c3-9a95-521b58fc2084" - -8. On the **File** menu, select **Save.** - -9. On the **Export** menu, select **Provisioning package**. - -10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. - -12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. - - Optionally, you can click **Browse** to change the default output location. - -13. Click **Next**. - -14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -**Apply the provisioning package** - -1. Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges. - -2. Consent to allow the package to be installed. - - After you allow the package to be installed, the settings will be applied to the device - -[Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012) - -### Set up assigned access using Windows PowerShell - -You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. - -To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. - -``` -Set-AssignedAccess -AppUserModelId -UserName -``` - -``` -Set-AssignedAccess -AppUserModelId -UserSID -``` - -``` -Set-AssignedAccess -AppName -UserName -``` - -``` -Set-AssignedAccess -AppName -UserSID -``` - -> **Note:** To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. -[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). - -[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). - -[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517). - -To remove assigned access, using PowerShell, run the following cmdlet. - -``` -Clear-AssignedAccess -``` - - -### Set up automatic logon - -When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon. - -Edit the registry to have an account automatically logged on. - -1. Open Registry Editor (regedit.exe). - - **Note**   - If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). -   - -2. Go to - - **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon** - -3. Set the values for the following keys. - - - *AutoAdminLogon*: set value as **1**. - - - *DefaultUserName*: set value as the account that you want logged in. - - - *DefaultPassword*: set value as the password for the account. - - > **Note**  If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - - - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. - -4. Close Registry Editor. The next time the computer restarts, the account will be logged on automatically. - -### Sign out of assigned access - -To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. - -If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: - -**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI** - -To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. - -## Shell Launcher for Classic Windows applications - - -Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. - -### Requirements - -- A domain or local user account. - -- A Classic Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer. - -[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603) - -### Configure Shell Launcher - -To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell. - -**To turn on Shell Launcher in Windows features** - -1. Go to Control Panel > **Programs and Features** > **Turn Windows features on or off**. -2. Select **Embedded Shell Launcher** and **OK**. - -Alternatively, you can turn on Shell Launcher using the Deployment Image Servicing and Management (DISM.exe) tool. - -**To turn on Shell Launcher using DISM** - -1. Open a command prompt as an administrator. -2. Enter the following command. - - ``` - Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher - ``` - -**To set your custom shell** - -Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. - -``` -# Check if shell launcher license is enabled -function Check-ShellLauncherLicenseEnabled -{ - [string]$source = @" -using System; -using System.Runtime.InteropServices; - -static class CheckShellLauncherLicense -{ - const int S_OK = 0; - - public static bool IsShellLauncherLicenseEnabled() - { - int enabled = 0; - - if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) { - enabled = 0; - } - - return (enabled != 0); - } - - static class NativeMethods - { - [DllImport("Slc.dll")] - internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value); - } - -} -"@ - - $type = Add-Type -TypeDefinition $source -PassThru - - return $type[0]::IsShellLauncherLicenseEnabled() -} - -[bool]$result = $false - -$result = Check-ShellLauncherLicenseEnabled -"`nShell Launcher license enabled is set to " + $result -if (-not($result)) -{ - "`nThis device doesn't have required license to use Shell Launcher" - exit -} - -$COMPUTER = "localhost" -$NAMESPACE = "root\standardcimv2\embedded" - -# Create a handle to the class instance so we can call the static methods. -try { - $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" - } catch [Exception] { - write-host $_.Exception.Message; - write-host "Make sure Shell Launcher feature is enabled" - exit - } - - -# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. - -$Admins_SID = "S-1-5-32-544" - -# Create a function to retrieve the SID for a user account on a machine. - -function Get-UsernameSID($AccountName) { - - $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) - $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) - - return $NTUserSID.Value - -} - -# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. - -$Cashier_SID = Get-UsernameSID("Cashier") - -# Define actions to take when the shell program exits. - -$restart_shell = 0 -$restart_device = 1 -$shutdown_device = 2 - -# Examples. You can change these examples to use the program that you want to use as the shell. - -# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. - -$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) - -# Display the default shell to verify that it was added correctly. - -$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() - -"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction - -# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. - -$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) - -# Set Explorer as the shell for administrators. - -$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") - -# View all the custom shells defined. - -"`nCurrent settings for custom shells:" -Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction - -# Enable Shell Launcher - -$ShellLauncherClass.SetEnabled($TRUE) - -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() - -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled - -# Remove the new custom shells. - -$ShellLauncherClass.RemoveCustomShell($Admins_SID) - -$ShellLauncherClass.RemoveCustomShell($Cashier_SID) - -# Disable Shell Launcher - -$ShellLauncherClass.SetEnabled($FALSE) - -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() - -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled -``` - -## Related topics - - -[Set up a device for anyone to use](set-up-a-device-for-anyone-to-use.md) - -[Set up a kiosk for Windows 10 for mobile edition](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) - -[Manage and update Windows 10](index.md) - -  - -  - - - - - diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md deleted file mode 100644 index 1a11ff9c20..0000000000 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ /dev/null @@ -1,199 +0,0 @@ ---- -title: Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise (Windows 10) -description: A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. -ms.assetid: 35EC82D8-D9E8-45C3-84E9-B0C8C167BFF7 -keywords: kiosk, lockdown, assigned access -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile -author: jdeckerMS -localizationpriority: high ---- - -# Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise - - -**Applies to** - -- Windows 10 Mobile - -A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience. - -**Note**   -The specified app must be an above lock screen app. For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](https://go.microsoft.com/fwlink/p/?LinkId=708386). - -  - -## Apps Corner - - -Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or Windows 10 Mobile Enterprise device, where you can share only the apps you choose with the people you let use your device. You configure a device for kiosk mode by selecting a single app to use in Apps Corner. - -**To set up Apps Corner** - -1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**. - -2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![](images/doneicon.png) - -3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back](images/backicon.png) to the Apps Corner settings. - -4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode. - -5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them. - -6. Press **Back** ![back](images/backicon.png) when you're done. - -**To use Apps Corner** - -1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](images/launchicon.png). - - **Tip**   - Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen. - -   - -2. Give the device to someone else, so they can use the device and only the one app you chose. - -3. When they're done and you get the device back, press and hold Power ![power](images/powericon.png), and then swipe right to exit Apps Corner. - -## Enterprise Assigned Access - - -Enterprise Assigned Access allows you to lock down your Windows 10 Mobile or Windows 10 Mobile Enterprise device in kiosk mode by creating a user role that has only a single app, set to run automatically, in the Allow list. - -**Note**  The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app. - -  - -### Set up Enterprise Assigned Access in MDM - -In AssignedAccessXml, for Application, you enter the product ID for the app to run in kiosk mode. Find product IDs at [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md). - -[See the technical reference for the Enterprise Assigned Access configuration service provider (CSP).](https://go.microsoft.com/fwlink/p/?LinkID=618601) - -### Set up assigned access using Windows Imaging and Configuration Designer (ICD) - -> **Important** -When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -**To create and apply a provisioning package for a kiosk device** - -1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601). - - **Note**   - Do not escape the xml in *AssignedAccess*.xml file as Windows Imaging and Configuration Designer (ICD) will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail. - -   - -2. Open Windows ICD (by default, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`). -3. Choose **Advanced provisioning**. - - - -4. Name your project, and click **Next**. - -5. Choose **All Windows mobile editions** and click **Next**. - -6. On **New project**, click **Finish**. The workspace for your package opens. - -7. Expand **Runtime settings** > **EmbeddedLockdownProfiles**, and click **AssignedAccessXml**. - -8. Click **Browse** to select the *AssignedAccess*.xml file. - -9. On the **File** menu, select **Save.** - -10. On the **Export** menu, select **Provisioning package**. - -11. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -12. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. - -13. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. - - Optionally, you can click **Browse** to change the default output location. - -14. Click **Next**. - -15. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -16. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -17. Select the **output location** link to go to the location of the package. You can distribute that .ppkg to mobile devices using any of the following methods: - - - Removable media (USB/SD) - - **To apply a provisioning package from removable media** - - 1. Copy the provisioning package file to the root directory on a micro SD card. - - 2. On the device, insert the micro SD card containing the provisioning package. - - 3. Go to **Settings** > **Accounts** > **Provisioning.** - - 4. Tap **Add a package**. - - 5. On the **Choose a method** screen, in the **Add from** dropdown menu, select **Removable Media**. - - 6. Select a package will list all available provisioning packages on the micro SD card. Tap the desired package, and then tap **Add**. - - 7. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - - 8. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - - - Email - - **To apply a provisioning package sent in email** - - 1. Send the provisioning package in email to an account on the device. - - 2. Open the email on the device, and then double-tap the attached file. - - 3. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - - 4. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - - - USB tether (mobile only) - - **To apply a provisioning package using USB tether** - - 1. Connect the device to your PC by USB. - - 2. Select the provisioning package that you want to use to provision the device, and then drag and drop the file to your device. - - 3. The provisioning package installation dialog will appear on the phone. - - 4. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - - 5. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - - [Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012) - -## Related topics - - -[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) - -[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) - -[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) - -  - -  - - - - - diff --git a/windows/manage/settings-that-can-be-locked-down.md b/windows/manage/settings-that-can-be-locked-down.md deleted file mode 100644 index c0348677ba..0000000000 --- a/windows/manage/settings-that-can-be-locked-down.md +++ /dev/null @@ -1,517 +0,0 @@ ---- -title: Settings and quick actions that can be locked down in Windows 10 Mobile (Windows 10) -description: This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. -ms.assetid: 69E2F202-D32B-4FAC-A83D-C3051DF02185 -keywords: ["lockdown"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile -author: jdeckerMS -localizationpriority: high ---- - -# Settings and quick actions that can be locked down in Windows 10 Mobile - - -**Applies to** - -- Windows 10 Mobile - -This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. - -## Settings lockdown - - -You can use Lockdown.xml to configure lockdown settings. - -The following table lists the settings pages and page groups. Use the page name in the Settings section of Lockdown.xml. The Settings section contains an allow list of pages in the Settings app. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Main menuSub-menuPage name
    SystemSettingsPageGroupPCSystem
    DisplaySettingsPageDisplay
    Notifications & actionsSettingsPageAppsNotifications
    PhoneSettingsPageCalls
    MessagingSettingsPageMessaging
    BatterySettingsPageBatterySaver
    Apps for websitesSettingsPageAppsForWebsites
    StorageSettingsPageStorageSenseStorageOverview
    Driving modeSettingsPageDrivingMode
    Offline mapsSettingsPageMaps
    AboutSettingsPagePCSystemInfo
    DevicesSettingsPageGroupDevices
    Default cameraSettingsPagePhotos
    BluetoothSettingsPagePCSystemBluetooth
    NFCSettingsPagePhoneNFC
    MouseSettingsPageMouseTouchpad
    USBSettingsPageUsb
    Network and wirelessSettingsPageGroupNetwork
    Cellular & SIMSettingsPageNetworkCellular
    Wi-FiSettingsPageNetworkWiFi
    Airplane modeSettingsPageNetworkAirplaneMode
    Data usageSettingsPageDataSenseOverview
    Mobile hotspotSettingsPageNetworkMobileHotspot
    VPNSettingsPageNetworkVPN
    PersonalizationSettingsPageGroupPersonalization
    StartSettingsPageBackGround
    ColorsSettingsPageColors
    SoundsSettingsPageSounds
    Lock screenSettingsPageLockscreen
    Glance screenSettingsPageGlance
    Navigation barSettingsNagivationBar
    AccountsSettingsPageGroupAccounts
    Your infoSettingsPageAccountsPicture
    Sign-in optionsSettingsPageAccountsSignInOptions
    Email & app accountsSettingsPageAccountsEmailApp
    Access work or schoolSettingsPageWorkAccess
    Sync your settingsSettingsPageAccountsSync

    Apps corner

    -

    (disabled in Assigned Access)

    SettingsPageAppsCorner
    Time & languageSettingsPageGroupTimeRegion
    Date & timeSettingsPageTimeRegionDateTime
    LanguageSettingsPageTimeLanguage
    RegionSettingsPageTimeRegion
    KeyboardSettingsPageKeyboard
    SpeechSettingsPageSpeech
    Ease of accessSettingsPageGroupEaseOfAccess
    NarratorSettingsPageEaseOfAccessNarrator
    MagnifierSettingsPageEaseOfAccessMagnifier
    High contrastSettingsPageEaseOfAccessHighContrast
    Closed captionsSettingsPageEaseOfAccessClosedCaptioning
    More optionsSettingsPageEaseOfAccessMoreOptions
    PrivacySettingsPageGroupPrivacy
    LocationSettingsPagePrivacyLocation
    CameraSettingsPagePrivacyWebcam
    MicrophoneSettingsPagePrivacyMicrophone
    MotionSettingsPagePrivacyMotionData
    NotificationsSettingsPagePrivacyNotifications
    Speech. inking, & typingSettingsPagePrivacyPersonalization
    Account infoSettingsPagePrivacyAccountInfo
    ContactsSettingsPagePrivacyContacts
    CalendarSettingsPagePrivacyCalendar
    Phone callsSettingsPagePrivacyPhoneCall
    Call historySettingsPagePrivacyCallHistory
    EmailSettingsPagePrivacyEmail
    MessagingSettingsPagePrivacyMessaging
    RadiosSettingsPagePrivacyRadios
    Continue App ExperiencesSettingsPagePrivacyCDP
    Background appsSettingsPagePrivacyBackgroundApps
    Accessory appsSettingsPageAccessories
    Advertising IDSettingsPagePrivacyAdvertisingId
    Other devicesSettingsPagePrivacyCustomPeripherals
    Feedback and diagnosticsSettingsPagePrivacySIUFSettings
    Update and securitySettingsPageGroupRestore
    Phone updateSettingsPageRestoreMusUpdate
    Windows Insider ProgramSettingsPageFlights
    Device encryptionSettingsPageGroupPCSystemDeviceEncryption
    BackupSettingsPageRestoreOneBackup
    Find my phoneSettingsPageFindMyDevice
    For developersSettingsPageSystemDeveloperOptions
    OEMSettingsPageGroupExtensibility
    ExtensibilitySettingsPageExtensibility
    - -  - -## Quick actions lockdown - - -Quick action buttons are locked down in exactly the same way as Settings pages/groups. By default they are always conditional. - -You can specify the quick actions as follows: - -``` syntax - - - - - - - - - - - - - - - - - - -``` - -Some quick actions are dependent on related settings pages/page groups. When a dependent page/group is not available, then the corresponding quick action will also be hidden. - -**Note**   -Dependent settings group/pages will be automatically enabled when a quick action is specified in the lockdown xml file. For example, if the Rotation quick setting is specified, the following group and page will automatically be added to the allow list: “SettingsPageSystemDisplay” and “SettingsPageDisplay”. - -  - -The following table lists the dependencies between quick actions and Settings groups/pages. - -| Quick action | Settings group | Settings page | -|-----|-------|-------| -| SystemSettings\_System\_Display\_QuickAction\_Brightness | SettingsPageSystemDisplay| SettingsPageDisplay | -| SystemSettings\_System\_Display\_Internal\_Rotation | SettingsPageSystemDisplay | SettingsPageDisplay | -| SystemSettings\_QuickAction\_WiFi | SettingsPageNetworkWiFi | SettingsPageNetworkWiFi | -| SystemSettings\_QuickAction\_InternetSharing | SettingsPageNetworkInternetSharing | SettingsPageNetworkInternetSharing | -| SystemSettings\_QuickAction\_CellularData | SettingsGroupCellular | SettingsPageNetworkCellular | -| SystemSettings\_QuickAction\_AirplaneMode | SettingsPageNetworkAirplaneMode | SettingsPageNetworkAirplaneMode | -| SystemSettings\_Privacy\_LocationEnabledUserPhone | SettingsGroupPrivacyLocationGlobals | SettingsPagePrivacyLocation | -| SystemSettings\_Network\_VPN\_QuickAction | SettingsPageNetworkVPN | SettingsPageNetworkVPN | -| SystemSettings\_Launcher\_QuickNote | N/A | N/A | -| SystemSettings\_Flashlight\_Toggle | N/A | N/A | -| SystemSettings\_Device\_BluetoothQuickAction | SettingsPagePCSystemBluetooth | SettingsPagePCSystemBluetooth | -| SystemSettings\_BatterySaver\_LandingPage\_OverrideControl | BatterySaver\_LandingPage\_SettingsConfiguration | SettingsPageBatterySaver | -| QuickActions\_Launcher\_DeviceDiscovery | N/A | N/A | -| QuickActions\_Launcher\_AllSettings | N/A | N/A | -| SystemSettings\_QuickAction\_QuietHours | N/A | N/A | -| SystemSettings\_QuickAction\_Camera | N/A | N/A | - -  - -## Related topics - - -[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) - -[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) - -  - -  - - - - - diff --git a/windows/manage/start-layout-xml-desktop.md b/windows/manage/start-layout-xml-desktop.md deleted file mode 100644 index 1a48aaad33..0000000000 --- a/windows/manage/start-layout-xml-desktop.md +++ /dev/null @@ -1,492 +0,0 @@ ---- -title: Start layout XML for desktop editions of Windows 10 (Windows 10) -description: This topic describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions. -keywords: ["start screen"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Start layout XML for desktop editions of Windows 10 (reference) - - -**Applies to** - -- Windows 10 - ->**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) - -On Windows 10 for desktop editions, the customized Start works by: - -- Windows 10 checks the chosen base default layout, such as the desktop edition and whether Cortana is supported for the country/region. - -- Windows 10 reads the LayoutModification.xml file and allows groups to be appended to Start. The groups have the following constraints: - - 2 groups that are 6 columns wide, or equivalent to the width of 3 medium tiles. - - 2 medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row. - - No limit to the number of apps that can be pinned. There is a theoretical limit of 24 tiles per group (4 small tiles per medium square x 3 columns x 2 rows). - -## LayoutModification XML - -IT admins can provision the Start layout using a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. The easiest method for creating a LayoutModification.xml file is by using the Export-StartLayout cmdlet; see [Customize and export Start layout](customize-and-export-start-layout.md) for instructions. - ->[!NOTE] ->To make sure the Start layout XML parser processes your file correctly, follow these guidelines when working with your LayoutModification.xml file: ->- Do not leave spaces or white lines in between each element. ->- Do not add comments inside the StartLayout node or any of its children elements. ->- Do not add multiple rows of comments. - -The following table lists the supported elements and attributes for the LayoutModification.xml file. - -| Element | Attributes | Description | -| --- | --- | --- | -| LayoutModificationTemplate | xmlns
    xmlns:defaultlayout
    xmlns:start
    Version | Use to describe the changes to the default Start layout | -| [LayoutOptions](#layoutoptions)

    Parent:
    LayoutModificationTemplate | StartTileGroupsColumnCount
    FullScreenStart | Use to specify:
    - Whether to use full screen Start on the desktop
    - The number of tile columns in the Start menu | -| RequiredStartGroupsCollection

    Parent:
    LayoutModificationTemplate | n/a | Use to contain collection of RequiredStartGroups | -| [RequiredStartGroups](#requiredstartgroups)

    Parent:
    RequiredStartGroupsCollection | Region | Use to contain the AppendGroup tags, which represent groups that can be appended to the default Start layout | -| [AppendGroup](#appendgroup)

    Parent:
    RequiredStartGroups | Name | Use to specify the tiles that need to be appended to the default Start layout | -| [start:Tile](#specify-start-tiles)

    Parent:
    AppendGroup | AppUserModelID
    Size
    Row
    Column | Use to specify any of the following:
    - A Universal Windows app
    - A Windows 8 or Windows 8.1 app | -| start:DesktopApplicationTile

    Parent:
    AppendGroup | DesktopApplicationID
    DesktopApplicationLinkPath
    Size
    Row
    Column | Use to specify any of the following:
    - A Windows desktop application with a known AppUserModelID
    - An application in a known folder with a link in a legacy Start Menu folder
    - A Windows desktop application link in a legacy Start Menu folder
    - A Web link tile with an associated .url file that is in a legacy Start Menu folder | -| start:SecondaryTile

    Parent:
    AppendGroup | AppUserModelID
    TileID
    Arguments
    DisplayName
    Square150x150LogoUri
    ShowNameOnSquare150x150Logo
    ShowNameOnWide310x150Logo
    Wide310x150LogoUri
    BackgroundColor
    ForegroundText
    IsSuggestedApp
    Size
    Row
    Column | Use to pin a Web link through a Microsoft Edge secondary tile | -| TopMFUApps

    Parent:
    LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area | -| Tile

    Parent:
    TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID | -| DesktopApplicationTile

    Parent:
    TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID | -| AppendOfficeSuite

    Parent:
    LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start

    Do not use this tag with AppendDownloadOfficeTile | -| AppendDownloadOfficeTile

    Parent:
    LayoutModificationTemplate | n/a | Use to add a specific **Download Office** tile to a specific location in Start

    Do not use this tag with AppendOfficeSuite | - -### LayoutOptions - -New devices running Windows 10 for desktop editions will default to a Start menu with 2 columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features: - -- Boot to tablet mode can be set on or off. -- Set full screen Start on desktop to on or off. - To do this, add the LayoutOptions element in your LayoutModification.xml file and set the FullScreenStart attribute to true or false. -- Specify the number of columns in the Start menu to 1 or 2. - To do this, add the LayoutOptions element in your LayoutModification.xml file and set the StartTileGroupsColumnCount attribute to 1 or 2. - -The following example shows how to use the LayoutOptions element to specify full screen Start on the desktop and to use 1 column in the Start menu: - -```XML - - - -``` - -For devices being upgraded to Windows 10 for desktop editions: - -- Devices being upgraded from Windows 7 will default to a Start menu with 1 column. -- Devices being upgraded from Windows 8.1 or Windows 8.1 Upgrade will default to a Start menu with 2 columns. - -### RequiredStartGroups - -The **RequiredStartGroups** tag contains **AppendGroup** tags that represent groups that you can append to the default Start layout. - ->[!IMPORTANT] ->For Windows 10 for desktop editions, you can add a maximum of two (2) **AppendGroup** tags per **RequiredStartGroups** tag. - -You can also assign regions to the append groups in the **RequiredStartGroups** tag's using the optional **Region** attribute or you can use the multivariant capabilities in Windows provisioning. If you are using the **Region** attribute, you must use a two-letter country code to specify the country/region that the append group(s) apply to. To specify more than one country/region, use a pipe ("|") delimiter as shown in the following example: - -```XML - -``` - -If the country/region setting for the Windows device matches a **RequiredStartGroups**, then the tiles laid out within the **RequiredStartGroups** is applied to Start. - -If you specify a region-agnostic **RequiredStartGroups** (or one without the optional Region attribute) then the region-agnostic **RequiredStartGroups** is applied to Start. - -### AppendGroup - -**AppendGroup** tags specify a group of tiles that will be appended to Start. There is a maximum of two **AppendGroup** tags allowed per **RequiredStartGroups** tag. - -For Windows 10 for desktop editions, AppendGroup tags contain start:Tile, start:DesktopApplicationTile, or start:SecondaryTile tags. - -You can specify any number of tiles in an **AppendGroup**, but you cannot specify a tile with a **Row** attribute greater than 4. The Start layout does not support overlapping tiles. - -### Specify Start tiles - -To pin tiles to Start, partners must use the right kind of tile depending on what you want to pin. - -#### Tile size and coordinates - -All tile types require a size (**Size**) and coordinates (**Row** and **Column**) attributes regardless of the tile type that you use when prepinning items to Start. - -The following table describes the attributes that you must use to specify the size and location for the tile. - -| Attribute | Description | -| --- | --- | -| Size | Determines how large the tile will be.

    - 1x1 - small tile
    - 2x2 - medium tile
    - 4x2 - wide tile
    - 4x4 - large tile | -| Row | Specifies the row where the tile will appear. | -| Column | Specifies the column where the tile will appear. | - -For example, a tile with Size="2x2", Row="2", and Column="2" results in a tile located at (2,2) where (0,0) is the top-left corner of a group. - -#### start:Tile - -You can use the **start:Tile** tag to pin any of the following apps to Start: - -- A Universal Windows app -- A Windows 8 app or Windows 8.1 app - -To specify any one of these apps, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app. - -The following example shows how to pin the Microsoft Edge Universal Windows app: - - ```XML - - ``` - -#### start:DesktopApplicationTile - -You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop application to Start. There are two ways you can specify a Windows desktop application: - -- By using a path to a shortcut link (.lnk file) to a Windows desktop application. - - To pin a Windows desktop application through this method, you must first add the .lnk file in the specified location when the device first boots. - - The following example shows how to pin the Command Prompt: - - ```XML - - ``` - - You must set the **DesktopApplicationLinkPath** attribute to the .lnk file that points to the Windows desktop application. The path also supports environment variables. - - If you are pointing to a third-party Windows desktop application, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\". - -- By using the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option. - - To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app. - - The following example shows how to pin the Internet Explorer Windows desktop application: - - ```XML - - ``` - - -You can also use the **start:DesktopApplicationTile** tag as one of the methods for pinning a Web link to Start. The other method is to use a Microsoft Edge secondary tile. - -To pin a legacy .url shortcut to Start, you must create .url file (right-click on the desktop, select **New** > **Shortcut**, and then type a Web URL). You must add this .url file in a legacy Start Menu directory before first boot; for example, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\` or the all users profile `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\`. - -The following example shows how to create a tile of the Web site's URL, which you can treat similarly to a Windows desktop application tile: - -```XML - -``` - -#### start:SecondaryTile - -You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy .url shortcuts (through the start:DesktopApplicationTile tag). - -The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile: - -```XML - -``` - -The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to *8Size**, **Row**, and *8Column**. - -| Attribute | Required/optional | Description | -| --- | --- | --- | -| AppUserModelID | Required | Must point to Microsoft Edge. | -| TileID | Required | Must uniquely identify your Web site tile. | -| Arguments | Required | Must contain the URL of your Web site. | -| DisplayName | Required | Must specify the text that you want users to see. | -| Square150x150LogoUri | Required | Specifies the logo to use on the 2x2 tile. | -| Wide310x150LogoUri | Optional | Specifies the logo to use on the 4x2 tile. | -| ShowNameOnSquare150x150Logo | Optional | Specifies whether the display name is shown on the 2x2 tile. The values you can use for this attribute are true or false. | -| ShowNameOnWide310x150Logo | Optional | Specifies whether the display name is shown on the 4x2 tile. The values you can use for this attribute are true or false. | -| BackgroundColor | Optional | Specifies the color of the tile. You can specify the value in ARGB hexadecimal (for example, #FF112233) or specify "transparent". | -| ForegroundText | Optional | Specifies the color of the foreground text. Set the value to either "light" or "dark". | - -Secondary Microsoft Edge tiles have the same size and location behavior as a Universal Windows app, Windows 8 app, or Windows 8.1 app. - -#### TopMFUApps - -You can use the **TopMFUApps** tag to add up to 3 default apps to the frequently used apps section in the system area, which delivers system-driven lists to the user including important or frequently accessed system locations and recently installed apps. - -You can use this tag to add: - -- Apps with an **AppUserModelID** attribute - This includes Windows desktop applications that have a known application user model ID. Use a **Tile** tag with the **AppUserModelID** attribute set to the app's application user model ID. -- Apps without a **AppUserModelID** attribute - For these apps, you must create a .lnk file that points to the installed app and place the .lnk file in the `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` directory. Use a **DesktopApplicationTile** tag with the **LinkFilePath** attribute set to the .lnk file name and path. - -The following example shows how to modify your LayoutModification.xml file to add both kinds of apps to the system area in Start: - - ```XML - - - - - - - -``` - -#### AppendOfficeSuite - -You can use the **AppendOfficeSuite** tag to add the in-box installed Office suite of apps to Start. - -The following example shows how to add the **AppendOfficeSuite** tag to your LayoutModification.xml file to append the full Universal Office suite to Start: - -```XML - - - -``` - -#### AppendDownloadOfficeTile - -You can use the **AppendDownloadOfficeTile** tag to append the Office trial installer to Start. This tag adds the Download Office tile to Start and the download tile will appear at the bottom right-hand side of the second group. - -The following example shows how to add the **AppendDownloadOfficeTile** tag to your LayoutModification.xml file: - -```XML - - - -``` - -## Sample LayoutModification.xml - -The following sample LayoutModification.xml shows how you can configure the Start layout for devices running Windows 10 for desktop editions: - -```XML - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Use Windows Provisioning multivariant support - -The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see [Create a provisioning package with multivariant settings](https://msdn.microsoft.com/library/windows/hardware/dn916108.aspx). - -The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provsioning engine will always output "LayoutCustomization.xml" so that the operating system has a consistent file name to query against. - -For example, if you want to ensure that there's a specific layout for a certain condition, you can: -1. Create a specific layout customization file and then name it LayoutCustomization1.xml. -2. Include the file as part of your provisioning package. -3. Create your multivariant target and reference the XML file within the target condition in the main customization XML file. - -The following example shows what the overall customization file might look like with multivariant support for Start: - -```XML - - - - {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} - My Provisioning Package - 1.0 - OEM - 50 - - - - - - - - - - - - - - - - - 1 - 1 - 1 - - - 1 - - - - - - - - - c:\users\\appdata\local\Microsoft\Windows\Shell\LayoutCustomization1.XML - - 1 - - - - - - -``` - -When the condition is met, the provisioning engine takes the XML file and places it in the location that the operating system has set and then the Start subsystem reads the file and applies the specific customized layout. - -You must repeat this process for all variants that you want to support so that each variant can have a distinct layout for each of the conditions and targets that need to be supported. For example, if you add a **Language** condition, you can create a Start layout that has its own localized group. - -## Add the LayoutModification.xml file to the device - -Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 for desktop editions, you can use Windows ICD methods to add the XML file to the device. - -1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** and then click the **StartLayout** setting. -2. In the middle pane, click **Browse** to open File Explorer. -3. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file. -4. Select the file and then click **Open**. - -This should set the value of **StartLayout**. The setting appears in the **Selected customizations** pane. - ->[!NOTE] ->There is currently no way to add the .url and .lnk files through Windows ICD. - -Once you have created the LayoutModification.xml file and it is present in the device, the system overrides the base default layout and any Unattend settings used to customize Start. - - - - - - - - - - - - -## Related topics - - -[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) - -  - -  - - - - - diff --git a/windows/manage/start-layout-xml-mobile.md b/windows/manage/start-layout-xml-mobile.md deleted file mode 100644 index 9d10466302..0000000000 --- a/windows/manage/start-layout-xml-mobile.md +++ /dev/null @@ -1,392 +0,0 @@ ---- -title: Start layout XML for mobile editions of Windows 10 (Windows 10) -description: This topic describes the options for customizing Start layout in LayoutModification.xml for Windows 10 mobile editions. -keywords: ["start screen"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Start layout XML for mobile editions of Windows 10 (reference) - - -**Applies to** - -- Windows 10 - ->**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) - - -On Windows 10 Mobile, you can use the XML-based layout to modify the Start screen and provide the most robust and complete Start customization experience. - -On Windows 10 Mobile, the customized Start works by: - -- Windows 10 performs checks to determine the correct base default layout. The checks include the mobile edition, whether the device is dual SIM, the column width, and whether Cortana is supported for the country/region. -- Windows 10 ensures that it does not overwrite the layout that you have set and will sequence the level checks and read the file layout such that any multivariant settings that you have set is not overwritten. -- Windows 10 reads the LayoutModification.xml file and appends the group to the Start screen. - -## Default Start layouts - -The following diagrams show the default Windows 10, version 1607 Start layouts for single SIM and dual SIM devices with Cortana support, and single SIM and dual SIM devices with no Cortana support. - -![Start layout for Windows 10 Mobile](images\mobile-start-layout.png) - -The diagrams show: - -- Tile coordinates - These are determined by the row number and the column number. -- Fold - Tiles "above the fold" are visible when users first navigate to the Start screen. Tiles "below the fold" are visible after users scroll up. -- Partner-customizable tiles - OEM and mobile operator partners can customize these areas of the Start screen by prepinning content. The partner configurable slots are: - - Rows 6-9 - - Rows 16-19 - -## LayoutModification XML - -IT admins can provision the Start layout by creating a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. - ->[!NOTE] ->To make sure the Start layout XML parser processes your file correctly, follow these guidelines when writing your LayoutModification.xml file: ->- Do not leave spaces or white lines in between each element. ->- Do not add comments inside the StartLayout node or any of its children elements. ->- Do not add multiple rows of comments. - -The following table lists the supported elements and attributes for the LayoutModification.xml file. - -| Element | Attributes | Description | -| --- | --- | --- | -| LayoutModificationTemplate | xmlns
    xmlns:defaultlayout
    xmlns:start
    Version | Use to describe the changes to the default Start layout. | -| DefaultLayoutOverride

    Parent:
    LayoutModificationTemplate | n/a | Use to specify the customized Start layout for mobile devices. | -| StartLayoutCollection

    Parent:
    DefaultLayoutOverride | n/a | Use to contain a collection of Start layouts. | -| StartLayout

    Parent:
    StartLayoutCollection | n/a | Use to specify the tile groups that will be appended to the Start screen. | -| start:Group

    Parent:
    StartLayout | Name | Use to specify the tiles that need to be appended to the default Start layout. | -| start:Tile

    Parent:
    start:Group | AppUserModelID
    Size
    Row
    Column | Use to specify any Universal Windows app that has a valid **AppUserModelID** attribute. | -| start:SecondaryTile

    Parent:
    start:Group | AppUserModelID
    TileID
    Arguments
    DisplayName
    Square150x150LogoUri
    ShowNameOnSquare150x150Logo
    ShowNameOnWide310x150Logo
    Wide310x150LogoUri
    BackgroundColor
    ForegroundText
    IsSuggestedApp
    Size
    Row
    Column | Use to pin a Web link through a Microsoft Edge secondary tile. | -| start:PhoneLegacyTile

    Parent:
    start:Group | ProductID
    Size
    Row
    Column | Use to add a mobile app that has a valid **ProductID** attribute. | -| start:Folder

    Parent:
    start:Group | Name
    Size
    Row
    Column | Use to add a folder to the mobile device's Start screen. | -| RequiredStartTiles

    Parent:
    LayoutModificationTemplate | n/a | Use to specify the tiles that will be pinned to the bottom of the Start screen even if a restored Start screen does not have the tiles during backup or restore. | - -### start:Group - -**start:Group** tags specify a group of tiles that will be appended to Start. You can set the **Name** attribute to specify a name for the Start group. - ->[!NOTE] ->Windows 10 Mobile only supports one Start group. - - For Windows 10 Mobile, **start:Group** tags can contain the following tags or elements: - -- **start:Tile** -- **start:SecondaryTile** -- **start:PhoneLegacyTile** -- **start:Folder** - -### Specify Start tiles - -To pin tiles to Start, you must use the right kind of tile depending on what you want to pin. - -#### Tile size and coordinates - -All tile types require a size (**Size**) and coordinates (**Row** and **Column**) attributes regardless of the tile type that you use when prepinning items to Start. - -The following table describes the attributes that you must use to specify the size and location for the tile. - -| Attribute | Description | -| --- | --- | -| Size | Determines how large the tile will be.
    - 1x1 - small tile
    - 2x2 - medium tile
    - 4x2 - wide tile
    - 4x4 - large tile | -| Row | Specifies the row where the tile will appear. | -| Column | Specifies the column where the tile will appear. | - -For example, a tile with Size="2x2", Row="2", and Column="2" results in a tile located at (2,2) where (0,0) is the top-left corner of a group. - -#### start:Tile - -You can use the **start:Tile** tag to pin a Universal Windows app to Start. - -To specify an app, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app. - -The following example shows how to pin the Microsoft Edge Universal Windows app: - -```XML - -``` - -#### start:SecondaryTile - -You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. - -The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile: - -```XML - -``` - -The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to **Size**, **Row**, and **Column**. - -| Attribute | Required/optional | Description | -| --- | --- | --- | -| AppUserModelID | Required | Must point to Microsoft Edge. | -| TileID | Required | Must uniquely identify your Web site tile. | -| Arguments | Required | Must contain the URL of your Web site. | -| DisplayName | Required | Must specify the text that you want users to see. | -| Square150x150LogoUri | Required | Specifies the logo to use on the 2x2 tile. | -| Wide310x150LogoUri | Optional | Specifies the logo to use on the 4x2 tile. | -| ShowNameOnSquare150x150Logo | Optional | Specifies whether the display name is shown on the 2x2 tile. You can set the value for this attribute to true or false. By default, this is set to false. | -| ShowNameOnWide310x150Logo | Optional | Specifies whether the display name is shown on the 4x2 tile. You can set the value for this attribute to true or false. By default, this is set to false. | -| BackgroundColor | Optional | Specifies the color of the tile. You can specify the value in ARGB hexadecimal (for example, #FF112233) or specify "transparent". | -| ForegroundText | Optional | Specifies the color of the foreground text. Set the value to either "light" or "dark". | - - Secondary Microsoft Edge tiles have the same size and location behavior as a Universal Windows app. - -#### start:PhoneLegacyTile - -You can use the **start:PhoneLegacyTile** tag to add a mobile app that has a valid ProductID, which you can find in the app's manifest file. The **ProductID** attribute must be set to the GUID of the app. - -The following example shows how to add a mobile app with a valid ProductID using the start:PhoneLegacyTile tag: - -```XML - -``` - -#### start:Folder - -You can use the **start:Folder** tag to add a folder to the mobile device's Start screen. - -You must set these attributes to specify the size and location of the folder: **Size**, **Row**, and **Column**. - -Optionally, you can also specify a folder name by using the **Name** attribute. If you specify a name, set the value to a string. - -The position of the tiles inside a folder is relative to the folder. You can add any of the following tile types to the folder: - -- Tile - Use to pin a Universal Windows app to Start. -- SecondaryTile - Use to pin a Web link through a Microsoft Edge secondary tile. -- PhoneLegacyTile - Use to pin a mobile app that has a valid ProductID. - -The following example shows how to add a medium folder that contains two apps inside it: - -```XML - - - - -``` - -#### RequiredStartTiles - -You can use the **RequiredStartTiles** tag to specify the tiles that will be pinned to the bottom of the Start screen even if a restored Start screen does not have the tiles during backup or restore. - ->[!NOTE] ->Enabling this Start customization may be disruptive to the user experience. - -For Windows 10 Mobile, **RequiredStartTiles** tags can contain the following tags or elements. These are similar to the tiles supported in **start:Group**. - -- Tile - Use to pin a Universal Windows app to Start. -- SecondaryTile - Use to pin a Web link through a Microsoft Edge secondary tile. -- PhoneLegacyTile - Use to pin a mobile app that has a valid ProductID. -- Folder - Use to pin a folder to the mobile device's Start screen. - -Tiles specified within the **RequiredStartTiles** tag have the following behavior: - -- The partner-pinned tiles will begin in a new row at the end of the user-restored Start screen. -- If there’s a duplicate tile between what the user has in their Start screen layout and what the OEM has pinned to the Start screen, only the app or tile shown in the user-restored Start screen layout will be shown and the duplicate tile will be omitted from the pinned partner tiles at the bottom of the Start screen. - -The lack of duplication only applies to pinned apps. Pinned Web links may be duplicated. - -- If partners have prepinned folders to the Start screen, Windows 10 treats these folders in the same way as appended apps on the Start screen. Duplicate folders will be removed. -- All partner tiles that are appended to the bottom of the user-restored Start screen will be medium-sized. There will be no gaps in the appended partner Start screen layout. Windows 10 will shift tiles accordingly to prevent gaps. - -## Sample LayoutModification.xml - -The following sample LayoutModification.xml shows how you can configure the Start layout for devices running Windows 10 Mobile: - -```XML - - - - - - - - - - - - - - - - - - - -``` - -## Use Windows Provisioning multivariant support - -The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see Create a provisioning package with multivariant settings. - -The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provsioning engine will always output "LayoutCustomization.xml" so that the OS has a consistent file name to query against. - -For example, if you want to ensure that there's a specific layout for a certain mobile operator in a certain country/region, you can: -1. Create a specific layout customization file and then name it LayoutCustomization1.xml. -2. Include the file as part of your provisioning package. -3. Create your multivariant target and reference the XML file within the target condition in the main customization XML file. - -The following example shows what the overall customization file might look like with multivariant support for Start: - -```XML - - - - {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} - My Provisioning Package - 1.0 - OEM - 50 - - - - - - - - - - - - - - - - - - - - - - - 1 - 1 - 1 - - - 1 - - - - - - - - - c:\users\\appdata\local\Microsoft\Windows\Shell\LayoutCustomization1.XML - - 1 - - - - - - -``` - -When the condition is met, the provisioning engine takes the XML file and places it in the location that Windows 10 has set and then the Start subsystem reads the file and applies the specific customized layout. - -You must repeat this process for all variants that you want to support so that each variant can have a distinct layout for each of the conditions and targets that need to be supported. For example, if you add a **Language** condition, you can create a Start layout that has it's own localized group or folder titles. - -## Add the LayoutModification.xml file to the image - -Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 Mobile, you can use Windows ICD to add the XML file to the device: - -1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** and then click the **StartLayout** setting. -2. In the middle pane, click **Browse** to open File Explorer. -3. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file. -4. Select the file and then click **Open**. - -This should set the value of **StartLayout**. The setting appears in the **Selected customizations** pane. - - - - - - - - - - - - - - - - - - - -## Related topics - - -[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) - -  - -  - - - - - diff --git a/windows/manage/stop-employees-from-using-the-windows-store.md b/windows/manage/stop-employees-from-using-the-windows-store.md deleted file mode 100644 index d09e5ae2be..0000000000 --- a/windows/manage/stop-employees-from-using-the-windows-store.md +++ /dev/null @@ -1,124 +0,0 @@ ---- -title: Configure access to Windows Store (Windows 10) -description: IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. -ms.assetid: 7AA60D3D-2A69-45E7-AAB0-B8AFC29C2E97 -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: store, mobile -author: TrudyHa -localizationpriority: high ---- - -# Configure access to Windows Store - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - ->For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). - -IT pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. - -## Options to configure access to Windows Store - - -You can use these tools to configure access to Windows Store: AppLocker or Group Policy. For Windows 10, this is only supported on Windows 10 Enterprise edition. - -## Block Windows Store using AppLocker - -Applies to: Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile - - -AppLocker provides policy-based access control management for applications. You can block access to Windows Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Windows Store app as the packaged app that you want to block from client computers. - -For more information on AppLocker, see [What is AppLocker?](../keep-secure/what-is-applocker.md) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](../keep-secure/create-a-rule-for-packaged-apps.md). - -**To block Windows Store using AppLocker** - -1. Type secpol in the search bar to find and start AppLocker. - -2. In the console tree of the snap-in, click **Application Control Policies**, click **AppLocker**, and then click **Packaged app Rules**. - -3. On the **Action** menu, or by right-clicking on **Packaged app Rules**, click **Create New Rule**. - -4. On **Before You Begin**, click **Next**. - -5. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**. - -6. On **Publisher**, you can select **Use an installed app package as a reference**, and then click **Select**. - -7. On **Select applications**, find and click **Store** under **Applications** column, and then click **OK**. Click **Next**. - - [Create a rule for packaged apps](../keep-secure/create-a-rule-for-packaged-apps.md) has more information on reference options and setting the scope on packaged app rules. - -8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**. - -## Block Windows Store using Group Policy - - -Applies to: Windows 10 Enterprise, version 1511, Windows 10 Education - -> [!Note] -> Not supported on Windows 10 Pro. - -You can also use Group Policy to manage access to Windows Store. - -**To block Windows Store using Group Policy** - -1. Type gpedit in the search bar to find and start Group Policy Editor. - -2. In the console tree of the snap-in, click **Computer Configuration**, click **Administrative Templates** , click **Windows Components**, and then click **Store**. - -3. In the Setting pane, click **Turn off Store application**, and then click **Edit policy setting**. - -4. On the **Turn off Store application** setting page, click **Enabled**, and then click **OK**. - -## Block Windows Store using management tool - - -Applies to: Windows 10 Mobile - -If you have mobile devices in your organization that you upgraded from earlier versions of Windows Phone 8 to Windows 10 Mobile, existing policies created using the Windows Phone 8.1 configuration service providers (CSP) with your MDM tool will continue to work on Windows 10 Mobile. If you are starting with Windows 10 Mobile, we recommend using [AppLocker](#block-store-applocker) to manage access to Windows Store app. - -When your MDM tool supports Windows Store for Business, the MDM can use these CSPs to block Windows Store app: - -- [Policy](https://go.microsoft.com/fwlink/p/?LinkId=717030) - -- [EnterpriseAssignedAccess](https://msdn.microsoft.com/library/windows/hardware/mt157024.aspx) (Windows 10 Mobile, only) - -For more information, see [Configure an MDM provider](configure-mdm-provider-windows-store-for-business.md). - -## Show private store only using Group Policy -Applies to Windows 10 Enterprise, version 1607, Windows 10 Education - -If you're using Windows Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store. - -**To show private store only in Windows Store app** - -1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor. - -2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then click **Store**. - -3. Right-click **Only display the private store within the Windows Store app** in the right pane, and click **Edit**. - - This opens the **Only display the private store within the Windows Store app** policy settings. - -4. On the **Only display the private store within the Windows Store app** setting page, click **Enabled**, and then click **OK**. - -## Related topics - -[Distribute apps using your private store](distribute-apps-from-your-private-store.md) - -[Manage access to private store](manage-access-to-private-store.md) - -  - -  - - - - - diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md deleted file mode 100644 index 85a835748e..0000000000 --- a/windows/manage/windows-10-start-layout-options-and-policies.md +++ /dev/null @@ -1,178 +0,0 @@ ---- -title: Manage Windows 10 Start and taskbar layout (Windows 10) -description: Organizations might want to deploy a customized Start and taskbar layout to devices running Windows 10 Enterprise or Windows 10 Education. -ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A -keywords: ["start screen", "start menu"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Manage Windows 10 Start and taskbar layout - - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu) - -Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Enterprise or Windows 10 Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. - ->[!NOTE] ->Taskbar configuration is available starting in Windows 10, version 1607. - -## Start options - -![start layout sections](images/startannotated.png) - -Some areas of Start can be managed using Group Policy. The layout of Start tiles can be managed using either Group Policy or Mobile Device Management (MDM) policy. - -The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    StartPolicySetting
    User tileGroup Policy: Remove Logoff on the Start menu
    Most usedGroup Policy: Remove frequent programs from the Start menuSettings > Personalization > Start > Show most used apps

    Suggestions

    -

    -and-

    -

    Dynamically inserted app tile

    MDM: Allow Windows Consumer Features

    -

    Group Policy: Computer Configuration\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences

    -
    -Note   -

    This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu.

    -
    -
    -  -
    Settings > Personalization > Start > Occasionally show suggestions in Start
    Recently addednot applicableSettings > Personalization > Start > Show recently added apps
    Pinned foldersnot applicableSettings > Personalization > Start > Choose which folders appear on Start
    PowerGroup Policy: Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commandsNone
    Start layout

    MDM: Start layout

    -

    Group Policy: Start layout

    -

    Group Policy: Prevent users from customizing their Start Screen

    -
    -Note   -

    When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the All Apps view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.

    Start layout policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar. -

    -
    -  -
    None
    Jump listsGroup Policy: Do not keep history of recently opened documentsSettings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar
    Start size

    MDM: Force Start size

    -

    Group Policy: Force Start to be either full screen size or menu size

    Settings > Personalization > Start > Use Start full screen
    All SettingsGroup Policy: Prevent changes to Taskbar and Start Menu SettingsNone
    - - ## Taskbar options - -Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region. - -There are three categories of apps that might be pinned to a taskbar: -* Apps pinned by the user -* Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store) -* Apps pinned by the enterprise, such as in an unattended Windows setup - - **Note**   - The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607. - -The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square). - -> **Note**  In operating systems configured to use a right-to-left language, the taskbar order will be reversed. - -![Windows left, user center, enterprise to the right](images/taskbar-generic.png) - -Whether you apply the taskbar configuration to a clean install or an update, users will still be able to: -* Pin additional apps -* Change the order of pinned apps -* Unpin any app - -### Taskbar configuration applied to clean install of Windows 10 - -In a clean install, if you apply a taskbar layout, only the apps that you specify and default apps that you do not remove will be pinned to the taskbar. Users can pin additional apps to the taskbar after the layout is applied. - -### Taskbar configuration applied to Windows 10 upgrades - -When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup. - -The new taskbar layout for upgrades to Windows 10, version 1607 or later, will apply the following behavior: -* If the user pinned the app to the taskbar, those pinned apps remain and new apps will be added to the right. -* If the user didn't pin the app (it was pinned during installation or by policy) and the app is not in updated layout file, the app will be unpinned. -* If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right. -* New apps specified in updated layout file are pinned to right of user's pinned apps. - - - -## Related topics - - -[Customize and export Start layout](customize-and-export-start-layout.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) - -  - -  - - - - - diff --git a/windows/manage/windows-spotlight.md b/windows/manage/windows-spotlight.md deleted file mode 100644 index eb3af0eb51..0000000000 --- a/windows/manage/windows-spotlight.md +++ /dev/null @@ -1,85 +0,0 @@ ---- -title: Windows Spotlight on the lock screen (Windows 10) -description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. -ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A -keywords: ["lockscreen"] -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Windows Spotlight on the lock screen - - -**Applies to** - -- Windows 10 - -Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10. - -For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps. - - ->[!NOTE] ->In Windows 10, version 1607, the lock screen background does not display if you disable the **Animate windows when minimizing and mazimizing** setting in **This PC** > **Properties** > **Advanced system settings** > **Performance settings** > **Visual Effects**, or if you enable the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Desktop Windows Manager** > **Do not allow windows animations**. - -## What does Windows Spotlight include? - - -- **Background image** - - The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis. - - ![lock screen image](images/lockscreen.png) - -- **Feature suggestions, fun facts, tips** - - The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**. - -## How do you turn off Windows Spotlight locally? - - -To turn off Windows Spotlight locally, go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background - -![personalization background](images/spotlight.png) - -## How do you disable Windows Spotlight for managed devices? - - -Windows 10, version 1607, provides three new Group Policy settings to help you manage Windows Spotlight on enterprise computers. - -**Windows 10 Pro, Enterprise, and Education** - -- **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** enables enterprises to restrict suggestions to Microsoft apps and services. - -**Windows 10 Enterprise and Education** - -* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** enables enterprises to completely disable all Windows Spotlight features in a single setting. -* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled. (The Group Policy setting **Enterprise Spotlight** does not work in Windows 10, version 1607.) - -Windows Spotlight is enabled by default. Administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. - ->[!WARNING] -> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release. - -![lockscreen policy details](images/lockscreenpolicy.png) - -Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image. - -![fun facts](images/funfacts.png) - -## Related topics - - -[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md) - -  - -  - - - - - From 5a04429faea6dd9ff778e6e97cf7fa95cd88a294 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 16 Feb 2017 11:05:43 -0800 Subject: [PATCH 26/65] Adding content --- .openpublishing.redirection.json | 111 ++++++++++++++++++++++++++++--- 1 file changed, 101 insertions(+), 10 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 2d7c53809a..7ce230c60e 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -309,20 +309,111 @@ "source_path": "windows/manage/manage-wifi-sense-in-enterprise.md", "redirect_url": "/itpro/windows/configure/manage-wifi-sense-in-enterprise", "redirect_document_id": true - }, - { - "source_path": "windows/keep-secure/create-edp-policy-using-intune.md", - "redirect_url": "https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-intune", + }, + { + "source_path": "windows/deploy/provisioning-packages.md", + "redirect_url": "/itpro/windows/configure/provisioning-packages", "redirect_document_id": true - }, - { + }, + { + "source_path": "windows/deploy/provisioning-how-it-works.md", + "redirect_url": "/itpro/windows/configure/provisioning-how-it-works", + "redirect_document_id": true + }, + { + "source_path": "windows/deploy/provisioning-install-icd.md", + "redirect_url": "/itpro/windows/configure/provisioning-install-icd", + "redirect_document_id": true + }, + { + "source_path": "windows/deploy/provisioning-create-package.md", + "redirect_url": "/itpro/windows/configure/provisioning-create-package", + "redirect_document_id": true + }, + { + "source_path": "windows/deploy/provisioning-apply-package.md", + "redirect_url": "/itpro/windows/configure/provisioning-apply-package", + "redirect_document_id": true + }, + { + "source_path": "windows/deploy/provisioning-uninstall-package.md", + "redirect_url": "/itpro/windows/configure/provisioning-uninstall-package", + "redirect_document_id": true + }, + { + "source_path": "windows/deploy/provision-pcs-for-initial-deployment.md", + "redirect_url": "/itpro/windows/configure/provision-pcs-for-initial-deployment", + "redirect_document_id": true + }, + { + "source_path": "windows/deploy/provision-pcs-with-apps-and-certificates.md", + "redirect_url": "/itpro/windows/configure/provision-pcs-with-apps-and-certificates", + "redirect_document_id": true + }, + { + "source_path": "windows/deploy/provisioning-script-to-install-app.md", + "redirect_url": "/itpro/windows/configure/provisioning-script-to-install-app", + "redirect_document_id": true + }, + { + "source_path": "windows/deploy/provisioning-nfc.md", + "redirect_url": "/itpro/windows/configure/provisioning-nfc", + "redirect_document_id": true + }, + { + "source_path": "windows/deploy/provisioning-command-line.md", + "redirect_url": "/itpro/windows/configure/provisioning-command-line", + "redirect_document_id": true + }, + { + "source_path": "windows/deploy/provisioning-multivariant.md", + "redirect_url": "/itpro/windows/configure/provisioning-multivariant", + "redirect_document_id": true + }, + { + "source_path": "windows/keep-secure/create-edp-policy-using-intune.md", + "redirect_url": "/itpro/windows/keep-secure/create-wip-policy-using-intune", + "redirect_document_id": true + }, + { "source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", "redirect_url": "/itpro/windows/keep-secure/create-wip-policy-using-sccm", "redirect_document_id": true }, - - - - + { + "source_path": "windows/keep-secure/create-vpn-and-edp-policy-using-intune.md", + "redirect_url": "/itpro/windows/keep-secure/create-vpn-and-wip-policy-using-intune", + "redirect_document_id": true + }, + { + "source_path": "windows/keep-secure/deploy-edp-policy-using-intune.md", + "redirect_url": "/itpro/windows/keep-secure/deploy-wip-policy-using-intune", + "redirect_document_id": true + }, + { + "source_path": "windows/keep-secure/guidance-and-best-practices-edp.md", + "redirect_url": "/itpro/windows/keep-secure/guidance-and-best-practices-wip", + "redirect_document_id": true + }, + { + "source_path": "windows/keep-secure/overview-create-edp-policy.md", + "redirect_url": "/itpro/windows/keep-secure/overview-create-wip-policy", + "redirect_document_id": true + }, + { + "source_path": "windows/keep-secure/protect-enterprise-data-using-edp.md", + "redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip", + "redirect_document_id": true + }, + { + "source_path": "windows/keep-secure/testing-scenarios-for-edp.md", + "redirect_url": "/itpro/windows/keep-secure/testing-scenarios-for-wip", + "redirect_document_id": true + }, + { + "source_path": "windows/keep-secure/wip-enterprise-overview.md", + "redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip", + "redirect_document_id": true + }, ] } From 62597bcd9702f5f354b9ee3c1b1d0d4a181d1b12 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 16 Feb 2017 11:13:03 -0800 Subject: [PATCH 27/65] Adding content --- .openpublishing.redirection.json | 7 +- .../create-vpn-and-edp-policy-using-intune.md | 5 - .../deploy-edp-policy-using-intune.md | 5 - .../enlightened-microsoft-apps-and-edp.md | 5 - .../guidance-and-best-practices-edp.md | 5 - .../keep-secure/overview-create-edp-policy.md | 5 - .../protect-enterprise-data-using-edp.md | 5 - .../keep-secure/testing-scenarios-for-edp.md | 5 - .../keep-secure/wip-enterprise-overview.md | 5 - .../set-up-a-device-for-anyone-to-use.md | 89 +++ ...osk-for-windows-10-for-desktop-editions.md | 444 +++++++++++++++ ...kiosk-for-windows-10-for-mobile-edition.md | 199 +++++++ .../settings-that-can-be-locked-down.md | 517 ++++++++++++++++++ windows/manage/start-layout-xml-desktop.md | 492 +++++++++++++++++ windows/manage/start-layout-xml-mobile.md | 392 +++++++++++++ ...-employees-from-using-the-windows-store.md | 124 +++++ ...ws-10-start-layout-options-and-policies.md | 178 ++++++ windows/manage/windows-spotlight.md | 85 +++ 18 files changed, 2526 insertions(+), 41 deletions(-) delete mode 100644 windows/keep-secure/create-vpn-and-edp-policy-using-intune.md delete mode 100644 windows/keep-secure/deploy-edp-policy-using-intune.md delete mode 100644 windows/keep-secure/enlightened-microsoft-apps-and-edp.md delete mode 100644 windows/keep-secure/guidance-and-best-practices-edp.md delete mode 100644 windows/keep-secure/overview-create-edp-policy.md delete mode 100644 windows/keep-secure/protect-enterprise-data-using-edp.md delete mode 100644 windows/keep-secure/testing-scenarios-for-edp.md delete mode 100644 windows/keep-secure/wip-enterprise-overview.md create mode 100644 windows/manage/set-up-a-device-for-anyone-to-use.md create mode 100644 windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md create mode 100644 windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md create mode 100644 windows/manage/settings-that-can-be-locked-down.md create mode 100644 windows/manage/start-layout-xml-desktop.md create mode 100644 windows/manage/start-layout-xml-mobile.md create mode 100644 windows/manage/stop-employees-from-using-the-windows-store.md create mode 100644 windows/manage/windows-10-start-layout-options-and-policies.md create mode 100644 windows/manage/windows-spotlight.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 7ce230c60e..60633b20d6 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -414,6 +414,11 @@ "source_path": "windows/keep-secure/wip-enterprise-overview.md", "redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip", "redirect_document_id": true - }, + }, + { + "source_path": "windows/keep-secure/enlightened-microsoft-apps-and-edp.md", + "redirect_url": "/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip", + "redirect_document_id": true + }, ] } diff --git a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md deleted file mode 100644 index edd007a4f0..0000000000 --- a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune (Windows 10) -description: After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy. -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-vpn-and-wip-policy-using-intune ---- \ No newline at end of file diff --git a/windows/keep-secure/deploy-edp-policy-using-intune.md b/windows/keep-secure/deploy-edp-policy-using-intune.md deleted file mode 100644 index c9528077e0..0000000000 --- a/windows/keep-secure/deploy-edp-policy-using-intune.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Deploy your enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) -description: After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/deploy-wip-policy-using-intune ---- \ No newline at end of file diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md deleted file mode 100644 index c152dca1e5..0000000000 --- a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: List of enlightened Microsoft apps for use with enterprise data protection (EDP) (Windows 10) -description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list. -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip ---- \ No newline at end of file diff --git a/windows/keep-secure/guidance-and-best-practices-edp.md b/windows/keep-secure/guidance-and-best-practices-edp.md deleted file mode 100644 index cfd70be3cc..0000000000 --- a/windows/keep-secure/guidance-and-best-practices-edp.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: General guidance and best practices for enterprise data protection (EDP) (Windows 10) -description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP). -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip ---- \ No newline at end of file diff --git a/windows/keep-secure/overview-create-edp-policy.md b/windows/keep-secure/overview-create-edp-policy.md deleted file mode 100644 index 74ca414ed7..0000000000 --- a/windows/keep-secure/overview-create-edp-policy.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Create an enterprise data protection (EDP) policy (Windows 10) -description: Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy ---- \ No newline at end of file diff --git a/windows/keep-secure/protect-enterprise-data-using-edp.md b/windows/keep-secure/protect-enterprise-data-using-edp.md deleted file mode 100644 index 3f8df3ef51..0000000000 --- a/windows/keep-secure/protect-enterprise-data-using-edp.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Protect your enterprise data using enterprise data protection (EDP) (Windows 10) -description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip ---- \ No newline at end of file diff --git a/windows/keep-secure/testing-scenarios-for-edp.md b/windows/keep-secure/testing-scenarios-for-edp.md deleted file mode 100644 index 3d16ef00df..0000000000 --- a/windows/keep-secure/testing-scenarios-for-edp.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Testing scenarios for enterprise data protection (EDP) (Windows 10) -description: We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company. -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/testing-scenarios-for-wip ---- \ No newline at end of file diff --git a/windows/keep-secure/wip-enterprise-overview.md b/windows/keep-secure/wip-enterprise-overview.md deleted file mode 100644 index 2b0b45fd93..0000000000 --- a/windows/keep-secure/wip-enterprise-overview.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Windows Information Protection overview (Windows 10) -description: Conceptual info about Windows Information Protection (WIP), formerly known as Windows Information Protection (WIP). -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip ---- diff --git a/windows/manage/set-up-a-device-for-anyone-to-use.md b/windows/manage/set-up-a-device-for-anyone-to-use.md new file mode 100644 index 0000000000..f274498ed1 --- /dev/null +++ b/windows/manage/set-up-a-device-for-anyone-to-use.md @@ -0,0 +1,89 @@ +--- +title: Set up a device for anyone to use (kiosk mode) (Windows 10) +description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app. +ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8 +keywords: ["kiosk", "lockdown", "assigned access"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Set up a device for anyone to use (kiosk mode) + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +**Looking for Windows Embedded 8.1 Industry information?** + +- [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653) + +You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select. + +Do you need a computer that can only do one thing? For example: + +- A device in the lobby that customers can use to view your product catalog. + +- A portable device that drivers can use to check a route on a map. + +- A device that a temporary worker uses to enter data. + +The following table identifies the type of application that can be used on each Windows 10 edition to create a kiosk device. + +> [!NOTE]   +> A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. + +  + +| Windows 10 edition | Universal Windows app | Classic Windows application | +|--------------------|------------------------------------|--------------------------------------| +| Mobile | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | +| Mobile Enterprise | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | +| Pro | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | +| Enterprise | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | +| Education | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | + +  + +## In this section + + + ++++ + + + + + + + + + + + + + + + + +
    TopicDescription

    [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)

    A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the assigned access feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use Shell Launcher to set a custom user interface as the shell.

    [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)

    A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience.

    + + ## Learn more + +[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508) + +  + +  + + + + + diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md new file mode 100644 index 0000000000..211f47f9c2 --- /dev/null +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -0,0 +1,444 @@ +--- +title: Set up a kiosk on Windows 10 Pro, Enterprise, or Education (Windows 10) +description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Set up a kiosk on Windows 10 Pro, Enterprise, or Education + + +**Applies to** + +- Windows 10 + +> **Looking for Windows Embedded 8.1 Industry information?** See [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653) + +A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). + +**Note**   +A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. + +  + +## Other settings to lock down + + +For a more secure kiosk experience, we recommend that you make the following configuration changes to the device: + +- Put device in **Tablet mode**. + + If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** + +- Hide **Ease of access** feature on the logon screen. + + Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. + +- Disable the hardware power button. + + Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. + +- Remove the power button from the sign-in screen. + + Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** + +- Disable the camera. + + Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. + +- Turn off app notifications on the lock screen. + + Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. + +- Disable removable media. + + Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation. + + **Note**   + To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. + +   + +## Assigned access method for Universal Windows apps + + +Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access: + +| Method | Account type | Windows 10 edition | +| --- | --- | --- | +| [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education | +| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Enterprise, Education | +| [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) | All (domain, local standard, local administrator, etc) | Enterprise, Education | +| [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education | + + + +### Requirements + +- A domain or local user account. + +- A Universal Windows app that is installed or provisioned for that account and is an above lock screen app. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](https://go.microsoft.com/fwlink/p/?LinkId=708386). + + The app can be your own company app that you have made available in your own app Store. To set up assigned access using MDM or PowerShell, you also need the Application User Model ID (AUMID) for the app. [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). + + The Universal Windows app must be able to handle multiple views and cannot launch other apps or dialogs. + +**Note**   +Assigned access does not work on a device that is connected to more than one monitor. + +  + +### Set up assigned access in PC settings + +1. Go to **Start** > **Settings** > **Accounts** > **Other users**. + +2. Choose **Set up assigned access**. + +3. Choose an account. + +4. Choose an app. Only apps that can run above the lock screen will be displayed. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). + +5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. + +To remove assigned access, in step 3, choose **Don't use assigned access**. + +### Set up assigned access in MDM + +Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you enter the user account name and AUMID for the app to run in kiosk mode. + +[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). + +[See the technical reference for the Assigned Access configuration service provider.](https://go.microsoft.com/fwlink/p/?LinkId=626608) + +### Set up assigned access using Windows Imaging and Configuration Designer (ICD) + +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) + +> **Important** +When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +**Create a provisioning package for a kiosk device** + +1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). + +2. Choose **Advanced provisioning**. + +3. Name your project, and click **Next**. + +4. Choose **All Windows desktop editions** and click **Next**. + +5. On **New project**, click **Finish**. The workspace for your package opens. + +6. Expand **Runtime settings** > **AssignedAccess**, and click **AssignedAccessSettings**. + +7. Enter a string to specify the user account and app (by AUMID). For example: + + "Account":"contoso\\\\kiosk","AUMID":"8f82d991-f842-44c3-9a95-521b58fc2084" + +8. On the **File** menu, select **Save.** + +9. On the **Export** menu, select **Provisioning package**. + +10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. + +12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. + + Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. + + If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. + + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +**Apply the provisioning package** + +1. Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges. + +2. Consent to allow the package to be installed. + + After you allow the package to be installed, the settings will be applied to the device + +[Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012) + +### Set up assigned access using Windows PowerShell + +You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. + +To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. + +``` +Set-AssignedAccess -AppUserModelId -UserName +``` + +``` +Set-AssignedAccess -AppUserModelId -UserSID +``` + +``` +Set-AssignedAccess -AppName -UserName +``` + +``` +Set-AssignedAccess -AppName -UserSID +``` + +> **Note:** To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. +[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). + +[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). + +[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517). + +To remove assigned access, using PowerShell, run the following cmdlet. + +``` +Clear-AssignedAccess +``` + + +### Set up automatic logon + +When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon. + +Edit the registry to have an account automatically logged on. + +1. Open Registry Editor (regedit.exe). + + **Note**   + If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). +   + +2. Go to + + **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon** + +3. Set the values for the following keys. + + - *AutoAdminLogon*: set value as **1**. + + - *DefaultUserName*: set value as the account that you want logged in. + + - *DefaultPassword*: set value as the password for the account. + + > **Note**  If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. + + - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. + +4. Close Registry Editor. The next time the computer restarts, the account will be logged on automatically. + +### Sign out of assigned access + +To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. + +If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: + +**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI** + +To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. + +## Shell Launcher for Classic Windows applications + + +Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. + +### Requirements + +- A domain or local user account. + +- A Classic Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer. + +[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603) + +### Configure Shell Launcher + +To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell. + +**To turn on Shell Launcher in Windows features** + +1. Go to Control Panel > **Programs and Features** > **Turn Windows features on or off**. +2. Select **Embedded Shell Launcher** and **OK**. + +Alternatively, you can turn on Shell Launcher using the Deployment Image Servicing and Management (DISM.exe) tool. + +**To turn on Shell Launcher using DISM** + +1. Open a command prompt as an administrator. +2. Enter the following command. + + ``` + Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher + ``` + +**To set your custom shell** + +Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. + +``` +# Check if shell launcher license is enabled +function Check-ShellLauncherLicenseEnabled +{ + [string]$source = @" +using System; +using System.Runtime.InteropServices; + +static class CheckShellLauncherLicense +{ + const int S_OK = 0; + + public static bool IsShellLauncherLicenseEnabled() + { + int enabled = 0; + + if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) { + enabled = 0; + } + + return (enabled != 0); + } + + static class NativeMethods + { + [DllImport("Slc.dll")] + internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value); + } + +} +"@ + + $type = Add-Type -TypeDefinition $source -PassThru + + return $type[0]::IsShellLauncherLicenseEnabled() +} + +[bool]$result = $false + +$result = Check-ShellLauncherLicenseEnabled +"`nShell Launcher license enabled is set to " + $result +if (-not($result)) +{ + "`nThis device doesn't have required license to use Shell Launcher" + exit +} + +$COMPUTER = "localhost" +$NAMESPACE = "root\standardcimv2\embedded" + +# Create a handle to the class instance so we can call the static methods. +try { + $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" + } catch [Exception] { + write-host $_.Exception.Message; + write-host "Make sure Shell Launcher feature is enabled" + exit + } + + +# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. + +$Admins_SID = "S-1-5-32-544" + +# Create a function to retrieve the SID for a user account on a machine. + +function Get-UsernameSID($AccountName) { + + $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) + $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) + + return $NTUserSID.Value + +} + +# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. + +$Cashier_SID = Get-UsernameSID("Cashier") + +# Define actions to take when the shell program exits. + +$restart_shell = 0 +$restart_device = 1 +$shutdown_device = 2 + +# Examples. You can change these examples to use the program that you want to use as the shell. + +# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. + +$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) + +# Display the default shell to verify that it was added correctly. + +$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() + +"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction + +# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. + +$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) + +# Set Explorer as the shell for administrators. + +$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") + +# View all the custom shells defined. + +"`nCurrent settings for custom shells:" +Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction + +# Enable Shell Launcher + +$ShellLauncherClass.SetEnabled($TRUE) + +$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() + +"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled + +# Remove the new custom shells. + +$ShellLauncherClass.RemoveCustomShell($Admins_SID) + +$ShellLauncherClass.RemoveCustomShell($Cashier_SID) + +# Disable Shell Launcher + +$ShellLauncherClass.SetEnabled($FALSE) + +$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() + +"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled +``` + +## Related topics + + +[Set up a device for anyone to use](set-up-a-device-for-anyone-to-use.md) + +[Set up a kiosk for Windows 10 for mobile edition](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) + +[Manage and update Windows 10](index.md) + +  + +  + + + + + diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md new file mode 100644 index 0000000000..1a11ff9c20 --- /dev/null +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md @@ -0,0 +1,199 @@ +--- +title: Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise (Windows 10) +description: A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. +ms.assetid: 35EC82D8-D9E8-45C3-84E9-B0C8C167BFF7 +keywords: kiosk, lockdown, assigned access +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: mobile +author: jdeckerMS +localizationpriority: high +--- + +# Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise + + +**Applies to** + +- Windows 10 Mobile + +A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience. + +**Note**   +The specified app must be an above lock screen app. For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](https://go.microsoft.com/fwlink/p/?LinkId=708386). + +  + +## Apps Corner + + +Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or Windows 10 Mobile Enterprise device, where you can share only the apps you choose with the people you let use your device. You configure a device for kiosk mode by selecting a single app to use in Apps Corner. + +**To set up Apps Corner** + +1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**. + +2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![](images/doneicon.png) + +3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back](images/backicon.png) to the Apps Corner settings. + +4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode. + +5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them. + +6. Press **Back** ![back](images/backicon.png) when you're done. + +**To use Apps Corner** + +1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](images/launchicon.png). + + **Tip**   + Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen. + +   + +2. Give the device to someone else, so they can use the device and only the one app you chose. + +3. When they're done and you get the device back, press and hold Power ![power](images/powericon.png), and then swipe right to exit Apps Corner. + +## Enterprise Assigned Access + + +Enterprise Assigned Access allows you to lock down your Windows 10 Mobile or Windows 10 Mobile Enterprise device in kiosk mode by creating a user role that has only a single app, set to run automatically, in the Allow list. + +**Note**  The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app. + +  + +### Set up Enterprise Assigned Access in MDM + +In AssignedAccessXml, for Application, you enter the product ID for the app to run in kiosk mode. Find product IDs at [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md). + +[See the technical reference for the Enterprise Assigned Access configuration service provider (CSP).](https://go.microsoft.com/fwlink/p/?LinkID=618601) + +### Set up assigned access using Windows Imaging and Configuration Designer (ICD) + +> **Important** +When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +**To create and apply a provisioning package for a kiosk device** + +1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601). + + **Note**   + Do not escape the xml in *AssignedAccess*.xml file as Windows Imaging and Configuration Designer (ICD) will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail. + +   + +2. Open Windows ICD (by default, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`). +3. Choose **Advanced provisioning**. + + + +4. Name your project, and click **Next**. + +5. Choose **All Windows mobile editions** and click **Next**. + +6. On **New project**, click **Finish**. The workspace for your package opens. + +7. Expand **Runtime settings** > **EmbeddedLockdownProfiles**, and click **AssignedAccessXml**. + +8. Click **Browse** to select the *AssignedAccess*.xml file. + +9. On the **File** menu, select **Save.** + +10. On the **Export** menu, select **Provisioning package**. + +11. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +12. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. + +13. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. + + Optionally, you can click **Browse** to change the default output location. + +14. Click **Next**. + +15. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. + + If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +16. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. + + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +17. Select the **output location** link to go to the location of the package. You can distribute that .ppkg to mobile devices using any of the following methods: + + - Removable media (USB/SD) + + **To apply a provisioning package from removable media** + + 1. Copy the provisioning package file to the root directory on a micro SD card. + + 2. On the device, insert the micro SD card containing the provisioning package. + + 3. Go to **Settings** > **Accounts** > **Provisioning.** + + 4. Tap **Add a package**. + + 5. On the **Choose a method** screen, in the **Add from** dropdown menu, select **Removable Media**. + + 6. Select a package will list all available provisioning packages on the micro SD card. Tap the desired package, and then tap **Add**. + + 7. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + + 8. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + + - Email + + **To apply a provisioning package sent in email** + + 1. Send the provisioning package in email to an account on the device. + + 2. Open the email on the device, and then double-tap the attached file. + + 3. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + + 4. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + + - USB tether (mobile only) + + **To apply a provisioning package using USB tether** + + 1. Connect the device to your PC by USB. + + 2. Select the provisioning package that you want to use to provision the device, and then drag and drop the file to your device. + + 3. The provisioning package installation dialog will appear on the phone. + + 4. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + + 5. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + + [Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012) + +## Related topics + + +[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) + +[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) + +[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) + +  + +  + + + + + diff --git a/windows/manage/settings-that-can-be-locked-down.md b/windows/manage/settings-that-can-be-locked-down.md new file mode 100644 index 0000000000..c0348677ba --- /dev/null +++ b/windows/manage/settings-that-can-be-locked-down.md @@ -0,0 +1,517 @@ +--- +title: Settings and quick actions that can be locked down in Windows 10 Mobile (Windows 10) +description: This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. +ms.assetid: 69E2F202-D32B-4FAC-A83D-C3051DF02185 +keywords: ["lockdown"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: mobile +author: jdeckerMS +localizationpriority: high +--- + +# Settings and quick actions that can be locked down in Windows 10 Mobile + + +**Applies to** + +- Windows 10 Mobile + +This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. + +## Settings lockdown + + +You can use Lockdown.xml to configure lockdown settings. + +The following table lists the settings pages and page groups. Use the page name in the Settings section of Lockdown.xml. The Settings section contains an allow list of pages in the Settings app. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Main menuSub-menuPage name
    SystemSettingsPageGroupPCSystem
    DisplaySettingsPageDisplay
    Notifications & actionsSettingsPageAppsNotifications
    PhoneSettingsPageCalls
    MessagingSettingsPageMessaging
    BatterySettingsPageBatterySaver
    Apps for websitesSettingsPageAppsForWebsites
    StorageSettingsPageStorageSenseStorageOverview
    Driving modeSettingsPageDrivingMode
    Offline mapsSettingsPageMaps
    AboutSettingsPagePCSystemInfo
    DevicesSettingsPageGroupDevices
    Default cameraSettingsPagePhotos
    BluetoothSettingsPagePCSystemBluetooth
    NFCSettingsPagePhoneNFC
    MouseSettingsPageMouseTouchpad
    USBSettingsPageUsb
    Network and wirelessSettingsPageGroupNetwork
    Cellular & SIMSettingsPageNetworkCellular
    Wi-FiSettingsPageNetworkWiFi
    Airplane modeSettingsPageNetworkAirplaneMode
    Data usageSettingsPageDataSenseOverview
    Mobile hotspotSettingsPageNetworkMobileHotspot
    VPNSettingsPageNetworkVPN
    PersonalizationSettingsPageGroupPersonalization
    StartSettingsPageBackGround
    ColorsSettingsPageColors
    SoundsSettingsPageSounds
    Lock screenSettingsPageLockscreen
    Glance screenSettingsPageGlance
    Navigation barSettingsNagivationBar
    AccountsSettingsPageGroupAccounts
    Your infoSettingsPageAccountsPicture
    Sign-in optionsSettingsPageAccountsSignInOptions
    Email & app accountsSettingsPageAccountsEmailApp
    Access work or schoolSettingsPageWorkAccess
    Sync your settingsSettingsPageAccountsSync

    Apps corner

    +

    (disabled in Assigned Access)

    SettingsPageAppsCorner
    Time & languageSettingsPageGroupTimeRegion
    Date & timeSettingsPageTimeRegionDateTime
    LanguageSettingsPageTimeLanguage
    RegionSettingsPageTimeRegion
    KeyboardSettingsPageKeyboard
    SpeechSettingsPageSpeech
    Ease of accessSettingsPageGroupEaseOfAccess
    NarratorSettingsPageEaseOfAccessNarrator
    MagnifierSettingsPageEaseOfAccessMagnifier
    High contrastSettingsPageEaseOfAccessHighContrast
    Closed captionsSettingsPageEaseOfAccessClosedCaptioning
    More optionsSettingsPageEaseOfAccessMoreOptions
    PrivacySettingsPageGroupPrivacy
    LocationSettingsPagePrivacyLocation
    CameraSettingsPagePrivacyWebcam
    MicrophoneSettingsPagePrivacyMicrophone
    MotionSettingsPagePrivacyMotionData
    NotificationsSettingsPagePrivacyNotifications
    Speech. inking, & typingSettingsPagePrivacyPersonalization
    Account infoSettingsPagePrivacyAccountInfo
    ContactsSettingsPagePrivacyContacts
    CalendarSettingsPagePrivacyCalendar
    Phone callsSettingsPagePrivacyPhoneCall
    Call historySettingsPagePrivacyCallHistory
    EmailSettingsPagePrivacyEmail
    MessagingSettingsPagePrivacyMessaging
    RadiosSettingsPagePrivacyRadios
    Continue App ExperiencesSettingsPagePrivacyCDP
    Background appsSettingsPagePrivacyBackgroundApps
    Accessory appsSettingsPageAccessories
    Advertising IDSettingsPagePrivacyAdvertisingId
    Other devicesSettingsPagePrivacyCustomPeripherals
    Feedback and diagnosticsSettingsPagePrivacySIUFSettings
    Update and securitySettingsPageGroupRestore
    Phone updateSettingsPageRestoreMusUpdate
    Windows Insider ProgramSettingsPageFlights
    Device encryptionSettingsPageGroupPCSystemDeviceEncryption
    BackupSettingsPageRestoreOneBackup
    Find my phoneSettingsPageFindMyDevice
    For developersSettingsPageSystemDeveloperOptions
    OEMSettingsPageGroupExtensibility
    ExtensibilitySettingsPageExtensibility
    + +  + +## Quick actions lockdown + + +Quick action buttons are locked down in exactly the same way as Settings pages/groups. By default they are always conditional. + +You can specify the quick actions as follows: + +``` syntax + + + + + + + + + + + + + + + + + + +``` + +Some quick actions are dependent on related settings pages/page groups. When a dependent page/group is not available, then the corresponding quick action will also be hidden. + +**Note**   +Dependent settings group/pages will be automatically enabled when a quick action is specified in the lockdown xml file. For example, if the Rotation quick setting is specified, the following group and page will automatically be added to the allow list: “SettingsPageSystemDisplay” and “SettingsPageDisplay”. + +  + +The following table lists the dependencies between quick actions and Settings groups/pages. + +| Quick action | Settings group | Settings page | +|-----|-------|-------| +| SystemSettings\_System\_Display\_QuickAction\_Brightness | SettingsPageSystemDisplay| SettingsPageDisplay | +| SystemSettings\_System\_Display\_Internal\_Rotation | SettingsPageSystemDisplay | SettingsPageDisplay | +| SystemSettings\_QuickAction\_WiFi | SettingsPageNetworkWiFi | SettingsPageNetworkWiFi | +| SystemSettings\_QuickAction\_InternetSharing | SettingsPageNetworkInternetSharing | SettingsPageNetworkInternetSharing | +| SystemSettings\_QuickAction\_CellularData | SettingsGroupCellular | SettingsPageNetworkCellular | +| SystemSettings\_QuickAction\_AirplaneMode | SettingsPageNetworkAirplaneMode | SettingsPageNetworkAirplaneMode | +| SystemSettings\_Privacy\_LocationEnabledUserPhone | SettingsGroupPrivacyLocationGlobals | SettingsPagePrivacyLocation | +| SystemSettings\_Network\_VPN\_QuickAction | SettingsPageNetworkVPN | SettingsPageNetworkVPN | +| SystemSettings\_Launcher\_QuickNote | N/A | N/A | +| SystemSettings\_Flashlight\_Toggle | N/A | N/A | +| SystemSettings\_Device\_BluetoothQuickAction | SettingsPagePCSystemBluetooth | SettingsPagePCSystemBluetooth | +| SystemSettings\_BatterySaver\_LandingPage\_OverrideControl | BatterySaver\_LandingPage\_SettingsConfiguration | SettingsPageBatterySaver | +| QuickActions\_Launcher\_DeviceDiscovery | N/A | N/A | +| QuickActions\_Launcher\_AllSettings | N/A | N/A | +| SystemSettings\_QuickAction\_QuietHours | N/A | N/A | +| SystemSettings\_QuickAction\_Camera | N/A | N/A | + +  + +## Related topics + + +[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) + +[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) + +  + +  + + + + + diff --git a/windows/manage/start-layout-xml-desktop.md b/windows/manage/start-layout-xml-desktop.md new file mode 100644 index 0000000000..1a48aaad33 --- /dev/null +++ b/windows/manage/start-layout-xml-desktop.md @@ -0,0 +1,492 @@ +--- +title: Start layout XML for desktop editions of Windows 10 (Windows 10) +description: This topic describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions. +keywords: ["start screen"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Start layout XML for desktop editions of Windows 10 (reference) + + +**Applies to** + +- Windows 10 + +>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) + +On Windows 10 for desktop editions, the customized Start works by: + +- Windows 10 checks the chosen base default layout, such as the desktop edition and whether Cortana is supported for the country/region. + +- Windows 10 reads the LayoutModification.xml file and allows groups to be appended to Start. The groups have the following constraints: + - 2 groups that are 6 columns wide, or equivalent to the width of 3 medium tiles. + - 2 medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row. + - No limit to the number of apps that can be pinned. There is a theoretical limit of 24 tiles per group (4 small tiles per medium square x 3 columns x 2 rows). + +## LayoutModification XML + +IT admins can provision the Start layout using a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. The easiest method for creating a LayoutModification.xml file is by using the Export-StartLayout cmdlet; see [Customize and export Start layout](customize-and-export-start-layout.md) for instructions. + +>[!NOTE] +>To make sure the Start layout XML parser processes your file correctly, follow these guidelines when working with your LayoutModification.xml file: +>- Do not leave spaces or white lines in between each element. +>- Do not add comments inside the StartLayout node or any of its children elements. +>- Do not add multiple rows of comments. + +The following table lists the supported elements and attributes for the LayoutModification.xml file. + +| Element | Attributes | Description | +| --- | --- | --- | +| LayoutModificationTemplate | xmlns
    xmlns:defaultlayout
    xmlns:start
    Version | Use to describe the changes to the default Start layout | +| [LayoutOptions](#layoutoptions)

    Parent:
    LayoutModificationTemplate | StartTileGroupsColumnCount
    FullScreenStart | Use to specify:
    - Whether to use full screen Start on the desktop
    - The number of tile columns in the Start menu | +| RequiredStartGroupsCollection

    Parent:
    LayoutModificationTemplate | n/a | Use to contain collection of RequiredStartGroups | +| [RequiredStartGroups](#requiredstartgroups)

    Parent:
    RequiredStartGroupsCollection | Region | Use to contain the AppendGroup tags, which represent groups that can be appended to the default Start layout | +| [AppendGroup](#appendgroup)

    Parent:
    RequiredStartGroups | Name | Use to specify the tiles that need to be appended to the default Start layout | +| [start:Tile](#specify-start-tiles)

    Parent:
    AppendGroup | AppUserModelID
    Size
    Row
    Column | Use to specify any of the following:
    - A Universal Windows app
    - A Windows 8 or Windows 8.1 app | +| start:DesktopApplicationTile

    Parent:
    AppendGroup | DesktopApplicationID
    DesktopApplicationLinkPath
    Size
    Row
    Column | Use to specify any of the following:
    - A Windows desktop application with a known AppUserModelID
    - An application in a known folder with a link in a legacy Start Menu folder
    - A Windows desktop application link in a legacy Start Menu folder
    - A Web link tile with an associated .url file that is in a legacy Start Menu folder | +| start:SecondaryTile

    Parent:
    AppendGroup | AppUserModelID
    TileID
    Arguments
    DisplayName
    Square150x150LogoUri
    ShowNameOnSquare150x150Logo
    ShowNameOnWide310x150Logo
    Wide310x150LogoUri
    BackgroundColor
    ForegroundText
    IsSuggestedApp
    Size
    Row
    Column | Use to pin a Web link through a Microsoft Edge secondary tile | +| TopMFUApps

    Parent:
    LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area | +| Tile

    Parent:
    TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID | +| DesktopApplicationTile

    Parent:
    TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID | +| AppendOfficeSuite

    Parent:
    LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start

    Do not use this tag with AppendDownloadOfficeTile | +| AppendDownloadOfficeTile

    Parent:
    LayoutModificationTemplate | n/a | Use to add a specific **Download Office** tile to a specific location in Start

    Do not use this tag with AppendOfficeSuite | + +### LayoutOptions + +New devices running Windows 10 for desktop editions will default to a Start menu with 2 columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features: + +- Boot to tablet mode can be set on or off. +- Set full screen Start on desktop to on or off. + To do this, add the LayoutOptions element in your LayoutModification.xml file and set the FullScreenStart attribute to true or false. +- Specify the number of columns in the Start menu to 1 or 2. + To do this, add the LayoutOptions element in your LayoutModification.xml file and set the StartTileGroupsColumnCount attribute to 1 or 2. + +The following example shows how to use the LayoutOptions element to specify full screen Start on the desktop and to use 1 column in the Start menu: + +```XML + + + +``` + +For devices being upgraded to Windows 10 for desktop editions: + +- Devices being upgraded from Windows 7 will default to a Start menu with 1 column. +- Devices being upgraded from Windows 8.1 or Windows 8.1 Upgrade will default to a Start menu with 2 columns. + +### RequiredStartGroups + +The **RequiredStartGroups** tag contains **AppendGroup** tags that represent groups that you can append to the default Start layout. + +>[!IMPORTANT] +>For Windows 10 for desktop editions, you can add a maximum of two (2) **AppendGroup** tags per **RequiredStartGroups** tag. + +You can also assign regions to the append groups in the **RequiredStartGroups** tag's using the optional **Region** attribute or you can use the multivariant capabilities in Windows provisioning. If you are using the **Region** attribute, you must use a two-letter country code to specify the country/region that the append group(s) apply to. To specify more than one country/region, use a pipe ("|") delimiter as shown in the following example: + +```XML + +``` + +If the country/region setting for the Windows device matches a **RequiredStartGroups**, then the tiles laid out within the **RequiredStartGroups** is applied to Start. + +If you specify a region-agnostic **RequiredStartGroups** (or one without the optional Region attribute) then the region-agnostic **RequiredStartGroups** is applied to Start. + +### AppendGroup + +**AppendGroup** tags specify a group of tiles that will be appended to Start. There is a maximum of two **AppendGroup** tags allowed per **RequiredStartGroups** tag. + +For Windows 10 for desktop editions, AppendGroup tags contain start:Tile, start:DesktopApplicationTile, or start:SecondaryTile tags. + +You can specify any number of tiles in an **AppendGroup**, but you cannot specify a tile with a **Row** attribute greater than 4. The Start layout does not support overlapping tiles. + +### Specify Start tiles + +To pin tiles to Start, partners must use the right kind of tile depending on what you want to pin. + +#### Tile size and coordinates + +All tile types require a size (**Size**) and coordinates (**Row** and **Column**) attributes regardless of the tile type that you use when prepinning items to Start. + +The following table describes the attributes that you must use to specify the size and location for the tile. + +| Attribute | Description | +| --- | --- | +| Size | Determines how large the tile will be.

    - 1x1 - small tile
    - 2x2 - medium tile
    - 4x2 - wide tile
    - 4x4 - large tile | +| Row | Specifies the row where the tile will appear. | +| Column | Specifies the column where the tile will appear. | + +For example, a tile with Size="2x2", Row="2", and Column="2" results in a tile located at (2,2) where (0,0) is the top-left corner of a group. + +#### start:Tile + +You can use the **start:Tile** tag to pin any of the following apps to Start: + +- A Universal Windows app +- A Windows 8 app or Windows 8.1 app + +To specify any one of these apps, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app. + +The following example shows how to pin the Microsoft Edge Universal Windows app: + + ```XML + + ``` + +#### start:DesktopApplicationTile + +You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop application to Start. There are two ways you can specify a Windows desktop application: + +- By using a path to a shortcut link (.lnk file) to a Windows desktop application. + + To pin a Windows desktop application through this method, you must first add the .lnk file in the specified location when the device first boots. + + The following example shows how to pin the Command Prompt: + + ```XML + + ``` + + You must set the **DesktopApplicationLinkPath** attribute to the .lnk file that points to the Windows desktop application. The path also supports environment variables. + + If you are pointing to a third-party Windows desktop application, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\". + +- By using the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option. + + To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app. + + The following example shows how to pin the Internet Explorer Windows desktop application: + + ```XML + + ``` + + +You can also use the **start:DesktopApplicationTile** tag as one of the methods for pinning a Web link to Start. The other method is to use a Microsoft Edge secondary tile. + +To pin a legacy .url shortcut to Start, you must create .url file (right-click on the desktop, select **New** > **Shortcut**, and then type a Web URL). You must add this .url file in a legacy Start Menu directory before first boot; for example, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\` or the all users profile `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\`. + +The following example shows how to create a tile of the Web site's URL, which you can treat similarly to a Windows desktop application tile: + +```XML + +``` + +#### start:SecondaryTile + +You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy .url shortcuts (through the start:DesktopApplicationTile tag). + +The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile: + +```XML + +``` + +The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to *8Size**, **Row**, and *8Column**. + +| Attribute | Required/optional | Description | +| --- | --- | --- | +| AppUserModelID | Required | Must point to Microsoft Edge. | +| TileID | Required | Must uniquely identify your Web site tile. | +| Arguments | Required | Must contain the URL of your Web site. | +| DisplayName | Required | Must specify the text that you want users to see. | +| Square150x150LogoUri | Required | Specifies the logo to use on the 2x2 tile. | +| Wide310x150LogoUri | Optional | Specifies the logo to use on the 4x2 tile. | +| ShowNameOnSquare150x150Logo | Optional | Specifies whether the display name is shown on the 2x2 tile. The values you can use for this attribute are true or false. | +| ShowNameOnWide310x150Logo | Optional | Specifies whether the display name is shown on the 4x2 tile. The values you can use for this attribute are true or false. | +| BackgroundColor | Optional | Specifies the color of the tile. You can specify the value in ARGB hexadecimal (for example, #FF112233) or specify "transparent". | +| ForegroundText | Optional | Specifies the color of the foreground text. Set the value to either "light" or "dark". | + +Secondary Microsoft Edge tiles have the same size and location behavior as a Universal Windows app, Windows 8 app, or Windows 8.1 app. + +#### TopMFUApps + +You can use the **TopMFUApps** tag to add up to 3 default apps to the frequently used apps section in the system area, which delivers system-driven lists to the user including important or frequently accessed system locations and recently installed apps. + +You can use this tag to add: + +- Apps with an **AppUserModelID** attribute - This includes Windows desktop applications that have a known application user model ID. Use a **Tile** tag with the **AppUserModelID** attribute set to the app's application user model ID. +- Apps without a **AppUserModelID** attribute - For these apps, you must create a .lnk file that points to the installed app and place the .lnk file in the `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` directory. Use a **DesktopApplicationTile** tag with the **LinkFilePath** attribute set to the .lnk file name and path. + +The following example shows how to modify your LayoutModification.xml file to add both kinds of apps to the system area in Start: + + ```XML + + + + + + + +``` + +#### AppendOfficeSuite + +You can use the **AppendOfficeSuite** tag to add the in-box installed Office suite of apps to Start. + +The following example shows how to add the **AppendOfficeSuite** tag to your LayoutModification.xml file to append the full Universal Office suite to Start: + +```XML + + + +``` + +#### AppendDownloadOfficeTile + +You can use the **AppendDownloadOfficeTile** tag to append the Office trial installer to Start. This tag adds the Download Office tile to Start and the download tile will appear at the bottom right-hand side of the second group. + +The following example shows how to add the **AppendDownloadOfficeTile** tag to your LayoutModification.xml file: + +```XML + + + +``` + +## Sample LayoutModification.xml + +The following sample LayoutModification.xml shows how you can configure the Start layout for devices running Windows 10 for desktop editions: + +```XML + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Use Windows Provisioning multivariant support + +The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see [Create a provisioning package with multivariant settings](https://msdn.microsoft.com/library/windows/hardware/dn916108.aspx). + +The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provsioning engine will always output "LayoutCustomization.xml" so that the operating system has a consistent file name to query against. + +For example, if you want to ensure that there's a specific layout for a certain condition, you can: +1. Create a specific layout customization file and then name it LayoutCustomization1.xml. +2. Include the file as part of your provisioning package. +3. Create your multivariant target and reference the XML file within the target condition in the main customization XML file. + +The following example shows what the overall customization file might look like with multivariant support for Start: + +```XML + + + + {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} + My Provisioning Package + 1.0 + OEM + 50 + + + + + + + + + + + + + + + + + 1 + 1 + 1 + + + 1 + + + + + + + + + c:\users\\appdata\local\Microsoft\Windows\Shell\LayoutCustomization1.XML + + 1 + + + + + + +``` + +When the condition is met, the provisioning engine takes the XML file and places it in the location that the operating system has set and then the Start subsystem reads the file and applies the specific customized layout. + +You must repeat this process for all variants that you want to support so that each variant can have a distinct layout for each of the conditions and targets that need to be supported. For example, if you add a **Language** condition, you can create a Start layout that has its own localized group. + +## Add the LayoutModification.xml file to the device + +Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 for desktop editions, you can use Windows ICD methods to add the XML file to the device. + +1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** and then click the **StartLayout** setting. +2. In the middle pane, click **Browse** to open File Explorer. +3. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file. +4. Select the file and then click **Open**. + +This should set the value of **StartLayout**. The setting appears in the **Selected customizations** pane. + +>[!NOTE] +>There is currently no way to add the .url and .lnk files through Windows ICD. + +Once you have created the LayoutModification.xml file and it is present in the device, the system overrides the base default layout and any Unattend settings used to customize Start. + + + + + + + + + + + + +## Related topics + + +[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) + +[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) + +[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) + +[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) + +[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) + +[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) + +  + +  + + + + + diff --git a/windows/manage/start-layout-xml-mobile.md b/windows/manage/start-layout-xml-mobile.md new file mode 100644 index 0000000000..9d10466302 --- /dev/null +++ b/windows/manage/start-layout-xml-mobile.md @@ -0,0 +1,392 @@ +--- +title: Start layout XML for mobile editions of Windows 10 (Windows 10) +description: This topic describes the options for customizing Start layout in LayoutModification.xml for Windows 10 mobile editions. +keywords: ["start screen"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Start layout XML for mobile editions of Windows 10 (reference) + + +**Applies to** + +- Windows 10 + +>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) + + +On Windows 10 Mobile, you can use the XML-based layout to modify the Start screen and provide the most robust and complete Start customization experience. + +On Windows 10 Mobile, the customized Start works by: + +- Windows 10 performs checks to determine the correct base default layout. The checks include the mobile edition, whether the device is dual SIM, the column width, and whether Cortana is supported for the country/region. +- Windows 10 ensures that it does not overwrite the layout that you have set and will sequence the level checks and read the file layout such that any multivariant settings that you have set is not overwritten. +- Windows 10 reads the LayoutModification.xml file and appends the group to the Start screen. + +## Default Start layouts + +The following diagrams show the default Windows 10, version 1607 Start layouts for single SIM and dual SIM devices with Cortana support, and single SIM and dual SIM devices with no Cortana support. + +![Start layout for Windows 10 Mobile](images\mobile-start-layout.png) + +The diagrams show: + +- Tile coordinates - These are determined by the row number and the column number. +- Fold - Tiles "above the fold" are visible when users first navigate to the Start screen. Tiles "below the fold" are visible after users scroll up. +- Partner-customizable tiles - OEM and mobile operator partners can customize these areas of the Start screen by prepinning content. The partner configurable slots are: + - Rows 6-9 + - Rows 16-19 + +## LayoutModification XML + +IT admins can provision the Start layout by creating a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. + +>[!NOTE] +>To make sure the Start layout XML parser processes your file correctly, follow these guidelines when writing your LayoutModification.xml file: +>- Do not leave spaces or white lines in between each element. +>- Do not add comments inside the StartLayout node or any of its children elements. +>- Do not add multiple rows of comments. + +The following table lists the supported elements and attributes for the LayoutModification.xml file. + +| Element | Attributes | Description | +| --- | --- | --- | +| LayoutModificationTemplate | xmlns
    xmlns:defaultlayout
    xmlns:start
    Version | Use to describe the changes to the default Start layout. | +| DefaultLayoutOverride

    Parent:
    LayoutModificationTemplate | n/a | Use to specify the customized Start layout for mobile devices. | +| StartLayoutCollection

    Parent:
    DefaultLayoutOverride | n/a | Use to contain a collection of Start layouts. | +| StartLayout

    Parent:
    StartLayoutCollection | n/a | Use to specify the tile groups that will be appended to the Start screen. | +| start:Group

    Parent:
    StartLayout | Name | Use to specify the tiles that need to be appended to the default Start layout. | +| start:Tile

    Parent:
    start:Group | AppUserModelID
    Size
    Row
    Column | Use to specify any Universal Windows app that has a valid **AppUserModelID** attribute. | +| start:SecondaryTile

    Parent:
    start:Group | AppUserModelID
    TileID
    Arguments
    DisplayName
    Square150x150LogoUri
    ShowNameOnSquare150x150Logo
    ShowNameOnWide310x150Logo
    Wide310x150LogoUri
    BackgroundColor
    ForegroundText
    IsSuggestedApp
    Size
    Row
    Column | Use to pin a Web link through a Microsoft Edge secondary tile. | +| start:PhoneLegacyTile

    Parent:
    start:Group | ProductID
    Size
    Row
    Column | Use to add a mobile app that has a valid **ProductID** attribute. | +| start:Folder

    Parent:
    start:Group | Name
    Size
    Row
    Column | Use to add a folder to the mobile device's Start screen. | +| RequiredStartTiles

    Parent:
    LayoutModificationTemplate | n/a | Use to specify the tiles that will be pinned to the bottom of the Start screen even if a restored Start screen does not have the tiles during backup or restore. | + +### start:Group + +**start:Group** tags specify a group of tiles that will be appended to Start. You can set the **Name** attribute to specify a name for the Start group. + +>[!NOTE] +>Windows 10 Mobile only supports one Start group. + + For Windows 10 Mobile, **start:Group** tags can contain the following tags or elements: + +- **start:Tile** +- **start:SecondaryTile** +- **start:PhoneLegacyTile** +- **start:Folder** + +### Specify Start tiles + +To pin tiles to Start, you must use the right kind of tile depending on what you want to pin. + +#### Tile size and coordinates + +All tile types require a size (**Size**) and coordinates (**Row** and **Column**) attributes regardless of the tile type that you use when prepinning items to Start. + +The following table describes the attributes that you must use to specify the size and location for the tile. + +| Attribute | Description | +| --- | --- | +| Size | Determines how large the tile will be.
    - 1x1 - small tile
    - 2x2 - medium tile
    - 4x2 - wide tile
    - 4x4 - large tile | +| Row | Specifies the row where the tile will appear. | +| Column | Specifies the column where the tile will appear. | + +For example, a tile with Size="2x2", Row="2", and Column="2" results in a tile located at (2,2) where (0,0) is the top-left corner of a group. + +#### start:Tile + +You can use the **start:Tile** tag to pin a Universal Windows app to Start. + +To specify an app, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app. + +The following example shows how to pin the Microsoft Edge Universal Windows app: + +```XML + +``` + +#### start:SecondaryTile + +You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. + +The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile: + +```XML + +``` + +The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to **Size**, **Row**, and **Column**. + +| Attribute | Required/optional | Description | +| --- | --- | --- | +| AppUserModelID | Required | Must point to Microsoft Edge. | +| TileID | Required | Must uniquely identify your Web site tile. | +| Arguments | Required | Must contain the URL of your Web site. | +| DisplayName | Required | Must specify the text that you want users to see. | +| Square150x150LogoUri | Required | Specifies the logo to use on the 2x2 tile. | +| Wide310x150LogoUri | Optional | Specifies the logo to use on the 4x2 tile. | +| ShowNameOnSquare150x150Logo | Optional | Specifies whether the display name is shown on the 2x2 tile. You can set the value for this attribute to true or false. By default, this is set to false. | +| ShowNameOnWide310x150Logo | Optional | Specifies whether the display name is shown on the 4x2 tile. You can set the value for this attribute to true or false. By default, this is set to false. | +| BackgroundColor | Optional | Specifies the color of the tile. You can specify the value in ARGB hexadecimal (for example, #FF112233) or specify "transparent". | +| ForegroundText | Optional | Specifies the color of the foreground text. Set the value to either "light" or "dark". | + + Secondary Microsoft Edge tiles have the same size and location behavior as a Universal Windows app. + +#### start:PhoneLegacyTile + +You can use the **start:PhoneLegacyTile** tag to add a mobile app that has a valid ProductID, which you can find in the app's manifest file. The **ProductID** attribute must be set to the GUID of the app. + +The following example shows how to add a mobile app with a valid ProductID using the start:PhoneLegacyTile tag: + +```XML + +``` + +#### start:Folder + +You can use the **start:Folder** tag to add a folder to the mobile device's Start screen. + +You must set these attributes to specify the size and location of the folder: **Size**, **Row**, and **Column**. + +Optionally, you can also specify a folder name by using the **Name** attribute. If you specify a name, set the value to a string. + +The position of the tiles inside a folder is relative to the folder. You can add any of the following tile types to the folder: + +- Tile - Use to pin a Universal Windows app to Start. +- SecondaryTile - Use to pin a Web link through a Microsoft Edge secondary tile. +- PhoneLegacyTile - Use to pin a mobile app that has a valid ProductID. + +The following example shows how to add a medium folder that contains two apps inside it: + +```XML + + + + +``` + +#### RequiredStartTiles + +You can use the **RequiredStartTiles** tag to specify the tiles that will be pinned to the bottom of the Start screen even if a restored Start screen does not have the tiles during backup or restore. + +>[!NOTE] +>Enabling this Start customization may be disruptive to the user experience. + +For Windows 10 Mobile, **RequiredStartTiles** tags can contain the following tags or elements. These are similar to the tiles supported in **start:Group**. + +- Tile - Use to pin a Universal Windows app to Start. +- SecondaryTile - Use to pin a Web link through a Microsoft Edge secondary tile. +- PhoneLegacyTile - Use to pin a mobile app that has a valid ProductID. +- Folder - Use to pin a folder to the mobile device's Start screen. + +Tiles specified within the **RequiredStartTiles** tag have the following behavior: + +- The partner-pinned tiles will begin in a new row at the end of the user-restored Start screen. +- If there’s a duplicate tile between what the user has in their Start screen layout and what the OEM has pinned to the Start screen, only the app or tile shown in the user-restored Start screen layout will be shown and the duplicate tile will be omitted from the pinned partner tiles at the bottom of the Start screen. + +The lack of duplication only applies to pinned apps. Pinned Web links may be duplicated. + +- If partners have prepinned folders to the Start screen, Windows 10 treats these folders in the same way as appended apps on the Start screen. Duplicate folders will be removed. +- All partner tiles that are appended to the bottom of the user-restored Start screen will be medium-sized. There will be no gaps in the appended partner Start screen layout. Windows 10 will shift tiles accordingly to prevent gaps. + +## Sample LayoutModification.xml + +The following sample LayoutModification.xml shows how you can configure the Start layout for devices running Windows 10 Mobile: + +```XML + + + + + + + + + + + + + + + + + + + +``` + +## Use Windows Provisioning multivariant support + +The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see Create a provisioning package with multivariant settings. + +The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provsioning engine will always output "LayoutCustomization.xml" so that the OS has a consistent file name to query against. + +For example, if you want to ensure that there's a specific layout for a certain mobile operator in a certain country/region, you can: +1. Create a specific layout customization file and then name it LayoutCustomization1.xml. +2. Include the file as part of your provisioning package. +3. Create your multivariant target and reference the XML file within the target condition in the main customization XML file. + +The following example shows what the overall customization file might look like with multivariant support for Start: + +```XML + + + + {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} + My Provisioning Package + 1.0 + OEM + 50 + + + + + + + + + + + + + + + + + + + + + + + 1 + 1 + 1 + + + 1 + + + + + + + + + c:\users\\appdata\local\Microsoft\Windows\Shell\LayoutCustomization1.XML + + 1 + + + + + + +``` + +When the condition is met, the provisioning engine takes the XML file and places it in the location that Windows 10 has set and then the Start subsystem reads the file and applies the specific customized layout. + +You must repeat this process for all variants that you want to support so that each variant can have a distinct layout for each of the conditions and targets that need to be supported. For example, if you add a **Language** condition, you can create a Start layout that has it's own localized group or folder titles. + +## Add the LayoutModification.xml file to the image + +Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 Mobile, you can use Windows ICD to add the XML file to the device: + +1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** and then click the **StartLayout** setting. +2. In the middle pane, click **Browse** to open File Explorer. +3. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file. +4. Select the file and then click **Open**. + +This should set the value of **StartLayout**. The setting appears in the **Selected customizations** pane. + + + + + + + + + + + + + + + + + + + +## Related topics + + +[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) + +[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) + +[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) + +[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) + +[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) + +[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) + +  + +  + + + + + diff --git a/windows/manage/stop-employees-from-using-the-windows-store.md b/windows/manage/stop-employees-from-using-the-windows-store.md new file mode 100644 index 0000000000..d09e5ae2be --- /dev/null +++ b/windows/manage/stop-employees-from-using-the-windows-store.md @@ -0,0 +1,124 @@ +--- +title: Configure access to Windows Store (Windows 10) +description: IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. +ms.assetid: 7AA60D3D-2A69-45E7-AAB0-B8AFC29C2E97 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store, mobile +author: TrudyHa +localizationpriority: high +--- + +# Configure access to Windows Store + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +>For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). + +IT pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. + +## Options to configure access to Windows Store + + +You can use these tools to configure access to Windows Store: AppLocker or Group Policy. For Windows 10, this is only supported on Windows 10 Enterprise edition. + +## Block Windows Store using AppLocker + +Applies to: Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile + + +AppLocker provides policy-based access control management for applications. You can block access to Windows Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Windows Store app as the packaged app that you want to block from client computers. + +For more information on AppLocker, see [What is AppLocker?](../keep-secure/what-is-applocker.md) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](../keep-secure/create-a-rule-for-packaged-apps.md). + +**To block Windows Store using AppLocker** + +1. Type secpol in the search bar to find and start AppLocker. + +2. In the console tree of the snap-in, click **Application Control Policies**, click **AppLocker**, and then click **Packaged app Rules**. + +3. On the **Action** menu, or by right-clicking on **Packaged app Rules**, click **Create New Rule**. + +4. On **Before You Begin**, click **Next**. + +5. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**. + +6. On **Publisher**, you can select **Use an installed app package as a reference**, and then click **Select**. + +7. On **Select applications**, find and click **Store** under **Applications** column, and then click **OK**. Click **Next**. + + [Create a rule for packaged apps](../keep-secure/create-a-rule-for-packaged-apps.md) has more information on reference options and setting the scope on packaged app rules. + +8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**. + +## Block Windows Store using Group Policy + + +Applies to: Windows 10 Enterprise, version 1511, Windows 10 Education + +> [!Note] +> Not supported on Windows 10 Pro. + +You can also use Group Policy to manage access to Windows Store. + +**To block Windows Store using Group Policy** + +1. Type gpedit in the search bar to find and start Group Policy Editor. + +2. In the console tree of the snap-in, click **Computer Configuration**, click **Administrative Templates** , click **Windows Components**, and then click **Store**. + +3. In the Setting pane, click **Turn off Store application**, and then click **Edit policy setting**. + +4. On the **Turn off Store application** setting page, click **Enabled**, and then click **OK**. + +## Block Windows Store using management tool + + +Applies to: Windows 10 Mobile + +If you have mobile devices in your organization that you upgraded from earlier versions of Windows Phone 8 to Windows 10 Mobile, existing policies created using the Windows Phone 8.1 configuration service providers (CSP) with your MDM tool will continue to work on Windows 10 Mobile. If you are starting with Windows 10 Mobile, we recommend using [AppLocker](#block-store-applocker) to manage access to Windows Store app. + +When your MDM tool supports Windows Store for Business, the MDM can use these CSPs to block Windows Store app: + +- [Policy](https://go.microsoft.com/fwlink/p/?LinkId=717030) + +- [EnterpriseAssignedAccess](https://msdn.microsoft.com/library/windows/hardware/mt157024.aspx) (Windows 10 Mobile, only) + +For more information, see [Configure an MDM provider](configure-mdm-provider-windows-store-for-business.md). + +## Show private store only using Group Policy +Applies to Windows 10 Enterprise, version 1607, Windows 10 Education + +If you're using Windows Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store. + +**To show private store only in Windows Store app** + +1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor. + +2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then click **Store**. + +3. Right-click **Only display the private store within the Windows Store app** in the right pane, and click **Edit**. + + This opens the **Only display the private store within the Windows Store app** policy settings. + +4. On the **Only display the private store within the Windows Store app** setting page, click **Enabled**, and then click **OK**. + +## Related topics + +[Distribute apps using your private store](distribute-apps-from-your-private-store.md) + +[Manage access to private store](manage-access-to-private-store.md) + +  + +  + + + + + diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md new file mode 100644 index 0000000000..85a835748e --- /dev/null +++ b/windows/manage/windows-10-start-layout-options-and-policies.md @@ -0,0 +1,178 @@ +--- +title: Manage Windows 10 Start and taskbar layout (Windows 10) +description: Organizations might want to deploy a customized Start and taskbar layout to devices running Windows 10 Enterprise or Windows 10 Education. +ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A +keywords: ["start screen", "start menu"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Manage Windows 10 Start and taskbar layout + + +**Applies to** + +- Windows 10 + +> **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu) + +Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Enterprise or Windows 10 Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. + +>[!NOTE] +>Taskbar configuration is available starting in Windows 10, version 1607. + +## Start options + +![start layout sections](images/startannotated.png) + +Some areas of Start can be managed using Group Policy. The layout of Start tiles can be managed using either Group Policy or Mobile Device Management (MDM) policy. + +The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    StartPolicySetting
    User tileGroup Policy: Remove Logoff on the Start menu
    Most usedGroup Policy: Remove frequent programs from the Start menuSettings > Personalization > Start > Show most used apps

    Suggestions

    +

    -and-

    +

    Dynamically inserted app tile

    MDM: Allow Windows Consumer Features

    +

    Group Policy: Computer Configuration\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences

    +
    +Note   +

    This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu.

    +
    +
    +  +
    Settings > Personalization > Start > Occasionally show suggestions in Start
    Recently addednot applicableSettings > Personalization > Start > Show recently added apps
    Pinned foldersnot applicableSettings > Personalization > Start > Choose which folders appear on Start
    PowerGroup Policy: Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commandsNone
    Start layout

    MDM: Start layout

    +

    Group Policy: Start layout

    +

    Group Policy: Prevent users from customizing their Start Screen

    +
    +Note   +

    When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the All Apps view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.

    Start layout policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar. +

    +
    +  +
    None
    Jump listsGroup Policy: Do not keep history of recently opened documentsSettings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar
    Start size

    MDM: Force Start size

    +

    Group Policy: Force Start to be either full screen size or menu size

    Settings > Personalization > Start > Use Start full screen
    All SettingsGroup Policy: Prevent changes to Taskbar and Start Menu SettingsNone
    + + ## Taskbar options + +Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region. + +There are three categories of apps that might be pinned to a taskbar: +* Apps pinned by the user +* Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store) +* Apps pinned by the enterprise, such as in an unattended Windows setup + + **Note**   + The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607. + +The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square). + +> **Note**  In operating systems configured to use a right-to-left language, the taskbar order will be reversed. + +![Windows left, user center, enterprise to the right](images/taskbar-generic.png) + +Whether you apply the taskbar configuration to a clean install or an update, users will still be able to: +* Pin additional apps +* Change the order of pinned apps +* Unpin any app + +### Taskbar configuration applied to clean install of Windows 10 + +In a clean install, if you apply a taskbar layout, only the apps that you specify and default apps that you do not remove will be pinned to the taskbar. Users can pin additional apps to the taskbar after the layout is applied. + +### Taskbar configuration applied to Windows 10 upgrades + +When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup. + +The new taskbar layout for upgrades to Windows 10, version 1607 or later, will apply the following behavior: +* If the user pinned the app to the taskbar, those pinned apps remain and new apps will be added to the right. +* If the user didn't pin the app (it was pinned during installation or by policy) and the app is not in updated layout file, the app will be unpinned. +* If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right. +* New apps specified in updated layout file are pinned to right of user's pinned apps. + + + +## Related topics + + +[Customize and export Start layout](customize-and-export-start-layout.md) + +[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) + +[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) + +[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) + +[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) + +[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) + +  + +  + + + + + diff --git a/windows/manage/windows-spotlight.md b/windows/manage/windows-spotlight.md new file mode 100644 index 0000000000..eb3af0eb51 --- /dev/null +++ b/windows/manage/windows-spotlight.md @@ -0,0 +1,85 @@ +--- +title: Windows Spotlight on the lock screen (Windows 10) +description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. +ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A +keywords: ["lockscreen"] +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Windows Spotlight on the lock screen + + +**Applies to** + +- Windows 10 + +Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10. + +For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps. + + +>[!NOTE] +>In Windows 10, version 1607, the lock screen background does not display if you disable the **Animate windows when minimizing and mazimizing** setting in **This PC** > **Properties** > **Advanced system settings** > **Performance settings** > **Visual Effects**, or if you enable the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Desktop Windows Manager** > **Do not allow windows animations**. + +## What does Windows Spotlight include? + + +- **Background image** + + The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis. + + ![lock screen image](images/lockscreen.png) + +- **Feature suggestions, fun facts, tips** + + The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**. + +## How do you turn off Windows Spotlight locally? + + +To turn off Windows Spotlight locally, go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background + +![personalization background](images/spotlight.png) + +## How do you disable Windows Spotlight for managed devices? + + +Windows 10, version 1607, provides three new Group Policy settings to help you manage Windows Spotlight on enterprise computers. + +**Windows 10 Pro, Enterprise, and Education** + +- **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** enables enterprises to restrict suggestions to Microsoft apps and services. + +**Windows 10 Enterprise and Education** + +* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** enables enterprises to completely disable all Windows Spotlight features in a single setting. +* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled. (The Group Policy setting **Enterprise Spotlight** does not work in Windows 10, version 1607.) + +Windows Spotlight is enabled by default. Administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. + +>[!WARNING] +> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release. + +![lockscreen policy details](images/lockscreenpolicy.png) + +Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image. + +![fun facts](images/funfacts.png) + +## Related topics + + +[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md) + +  + +  + + + + + From 6835ec3945309e01c8c1bded3863b706663031c4 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 16 Feb 2017 11:34:49 -0800 Subject: [PATCH 28/65] Redirection files --- .../provision-pcs-for-initial-deployment.md | 123 ------- ...rovision-pcs-with-apps-and-certificates.md | 196 ----------- windows/deploy/provisioning-apply-package.md | 119 ------- windows/deploy/provisioning-command-line.md | 68 ---- windows/deploy/provisioning-create-package.md | 149 -------- windows/deploy/provisioning-how-it-works.md | 184 ---------- windows/deploy/provisioning-install-icd.md | 106 ------ windows/deploy/provisioning-multivariant.md | 322 ------------------ windows/deploy/provisioning-nfc.md | 153 --------- windows/deploy/provisioning-packages.md | 127 ------- .../provisioning-script-to-install-app.md | 222 ------------ .../deploy/provisioning-uninstall-package.md | 98 ------ 12 files changed, 1867 deletions(-) delete mode 100644 windows/deploy/provision-pcs-for-initial-deployment.md delete mode 100644 windows/deploy/provision-pcs-with-apps-and-certificates.md delete mode 100644 windows/deploy/provisioning-apply-package.md delete mode 100644 windows/deploy/provisioning-command-line.md delete mode 100644 windows/deploy/provisioning-create-package.md delete mode 100644 windows/deploy/provisioning-how-it-works.md delete mode 100644 windows/deploy/provisioning-install-icd.md delete mode 100644 windows/deploy/provisioning-multivariant.md delete mode 100644 windows/deploy/provisioning-nfc.md delete mode 100644 windows/deploy/provisioning-packages.md delete mode 100644 windows/deploy/provisioning-script-to-install-app.md delete mode 100644 windows/deploy/provisioning-uninstall-package.md diff --git a/windows/deploy/provision-pcs-for-initial-deployment.md b/windows/deploy/provision-pcs-for-initial-deployment.md deleted file mode 100644 index 86c8e234ff..0000000000 --- a/windows/deploy/provision-pcs-for-initial-deployment.md +++ /dev/null @@ -1,123 +0,0 @@ ---- -title: Provision PCs with common settings (Windows 10) -description: Create a provisioning package to apply common settings to a PC running Windows 10. -ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E -keywords: ["runtime provisioning", "provisioning package"] -ms.prod: W10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Provision PCs with common settings for initial deployment (simple provisioning) - - -**Applies to** - -- Windows 10 - -This topic explains how to create and apply a simple provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home. - -You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. - -## Advantages -- You can configure new devices without reimaging. - -- Works on both mobile and desktop devices. - -- No network connectivity required. - -- Simple to apply. - -[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md) - -## What does simple provisioning do? - -In a simple provisioning package, you can configure: - -- Device name -- Upgraded product edition -- Wi-Fi network -- Active Directory enrollment -- Local administrator account - -Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. To learn about provisioning packages that include more than the settings in a simple provisioning package, see [Provision PCs with apps and certificates](provision-pcs-with-apps-and-certificates.md). - -> [!TIP] -> Use simple provisioning to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. - -![open advanced editor](images/icd-simple-edit.png) - -## Create the provisioning package - -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - -1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). - -2. Click **Simple provisioning**. - - ![ICD start options](images/icdstart-option.png) - -3. Name your project and click **Finish**. The screens for simple provisioning will walk you through the following steps. - - ![ICD simple provisioning](images/icd-simple.png) - -4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length. - -5. (*Optional*) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to. - - Pro to Education - - Pro to Enterprise - - Enterprise to Education - -6. Click **Set up network**. - -7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. - -8. Click **Enroll into Active Directory**. - -9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (*Optional*) Enter a user name and password to create a local administrator account. - - > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: - - Use a least-privileged domain account to join the device to the domain. - - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. - - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. - -10. Click **Finish**. - -11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package. - -12. Click **Create**. - -> [!IMPORTANT] -> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - - - **Next step**: [How to apply a provisioning package](provisioning-apply-package.md) - - -## Learn more - -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - -  -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - - - - - diff --git a/windows/deploy/provision-pcs-with-apps-and-certificates.md b/windows/deploy/provision-pcs-with-apps-and-certificates.md deleted file mode 100644 index 6e4614a977..0000000000 --- a/windows/deploy/provision-pcs-with-apps-and-certificates.md +++ /dev/null @@ -1,196 +0,0 @@ ---- -title: Provision PCs with apps and certificates (Windows 10) -description: Create a provisioning package to apply settings to a PC running Windows 10. -ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E -keywords: ["runtime provisioning", "provisioning package"] -ms.prod: W10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Provision PCs with apps and certificates for initial deployment (advanced provisioning) - - -**Applies to** - -- Windows 10 - - -This topic explains how to create and apply a provisioning package that contains apps and certificates to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. - -You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. - -## Advantages -- You can configure new devices without reimaging. - -- Works on both mobile and desktop devices. - -- No network connectivity required. - -- Simple to apply. - -[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md) - -## Create the provisioning package - -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - -1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). - -2. Click **Advanced provisioning**. - - ![ICD start options](images/icdstart-option.png) - -3. Name your project and click **Next**. - -3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**. - - -### Add a desktop app to your package - -1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**. - -2. Add all the files required for the app install, including the data files and the installer. - -3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the `msiexec /quiet` option. - -> [!NOTE] -> If you are installing more than one app, then use `CommandLine` to invoke the script or batch file that orchestrates installation of the files. For more information, see [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md). - - -### Add a universal app to your package - -Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](../manage/acquire-apps-windows-store-for-business.md), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer. - -1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**. - -2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Windows Store for Business, the package family name is listed in the **Package details** section of the download page. - - ![details for offline app package](images/uwp-family.png) - -3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). - -4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Windows Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. - - ![required frameworks for offline app package](images/uwp-dependencies.png) - -5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. - - - In Windows Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**. - - ![generate license for offline app](images/uwp-license.png) - - - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**. - -6. In the **Available customizations** pane, click the **LicenseProductId** that you just added. - -7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed **.**ms-windows-store-license**, and select the license file. - -[Learn more about distributing offline apps from the Windows Store for Business.](../manage/distribute-offline-apps.md) - -> [!NOTE] -> Removing a provisioning package will not remove any apps installed by device context in that provisioning package. - - - -### Add a certificate to your package - -1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. - -2. Enter a **CertificateName** and then click **Add**. - -2. Enter the **CertificatePassword**. - -3. For **CertificatePath**, browse and select the certificate to be used. - -4. Set **ExportCertificate** to **False**. - -5. For **KeyLocation**, select **Software only**. - - -### Add other settings to your package - -For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). - -### Build your package - -1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. - -2. Read the warning that project files may contain sensitive information, and click **OK**. -> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -3. On the **Export** menu, click **Provisioning package**. - -1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -10. Set a value for **Package Version**. - - > [!TIP]   - > You can make changes to existing packages and change the version number to update previously applied packages. - -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - - **Important**   - We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  - -12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

    -Optionally, you can click **Browse** to change the default output location. - -13. Click **Next**. - -14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

    -If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

    -If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: - - - Shared network folder - - - SharePoint site - - - Removable media (USB/SD) - - - Email - - - USB tether (mobile only) - - - NFC (mobile only) - - - -**Next step**: [How to apply a provisioning package](provisioning-apply-package.md) - -## Learn more - -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) -  - -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - - diff --git a/windows/deploy/provisioning-apply-package.md b/windows/deploy/provisioning-apply-package.md deleted file mode 100644 index 1125dd6985..0000000000 --- a/windows/deploy/provisioning-apply-package.md +++ /dev/null @@ -1,119 +0,0 @@ ---- -title: Apply a provisioning package (Windows 10) -description: Provisioning packages can be applied to a device during the first-run experience (OOBE) and after ("runtime"). -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Apply a provisioning package - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime"). - -## Desktop editions - -### During initial setup, from a USB drive - -1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. - - ![The first screen to set up a new PC](images/oobe.jpg) - -2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. - - ![Set up device?](images/setupmsg.jpg) - -3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - - ![Provision this device](images/prov.jpg) - -4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. - - ![Choose a package](images/choose-package.png) - -5. Select **Yes, add it**. - - ![Do you trust this package?](images/trust-package.png) - -6. Read and accept the Microsoft Software License Terms. - - ![Sign in](images/license-terms.png) - -7. Select **Use Express settings**. - - ![Get going fast](images/express-settings.png) - -8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. - - ![Who owns this PC?](images/who-owns-pc.png) - -9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. - - ![Connect to Azure AD](images/connect-aad.png) - -10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. - - ![Sign in](images/sign-in-prov.png) - -### After setup, from a USB drive, network folder, or SharePoint site - -On a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. - -![add a package option](images/package.png) - -## Mobile editions - -### Using removable media - -1. Insert an SD card containing the provisioning package into the device. -2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. - - ![add a package option](images/packages-mobile.png) - -3. Click **Add**. - -4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - - ![Is this package from a source you trust](images/package-trust.png) - -### Copying the provisioning package to the device - -1. Connect the device to your PC through USB. - -2. On the PC, select the provisioning package that you want to use to provision the device and then drag and drop the file to your device. - -3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. - - ![Is this package from a source you trust](images/package-trust.png) - - - - - -## Learn more - -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - - -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file diff --git a/windows/deploy/provisioning-command-line.md b/windows/deploy/provisioning-command-line.md deleted file mode 100644 index d5c52aabac..0000000000 --- a/windows/deploy/provisioning-command-line.md +++ /dev/null @@ -1,68 +0,0 @@ ---- -title: Windows ICD command-line interface (Windows 10) -description: -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Windows ICD command-line interface (reference) - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -You can use the Windows Imaging and Configuration Designer (ICD) command-line interface (CLI) to automate the building of provisioning packages and Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows 10 Mobile or Windows 10 IoT Core (IoT Core) images. - -- IT pros can use the Windows ICD CLI to require less re-tooling of existing processes. You must run the Windows ICD CLI from a command window with administrator privileges. - -- You must use the Windows ICD CLI and edit the customizations.xml sources to create an image and/or provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows ICD CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). - - - -## Syntax - -``` -icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath: -[/StoreFile:] [/MSPackageRoot:] [/OEMInputXML:] -[/ProductName:] [/Variables::] [[+|-]Encrypted] [[+|-]Overwrite] [/?] -``` - -## Switches and arguments - -| Switch | Required? | Arguments | -| --- | --- | --- | -| /CustomizationXML | No | Specifies the path to a Windows provisioning XML file that contains the customization assets and settings. For more information, see Windows provisioning answer file. | -| /PackagePath | Yes | Specifies the path and the package name where the built provisioning package will be saved. | -| /StoreFile | No


    See Important note. | For partners using a settings store other than the default store(s) used by Windows ICD, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions will be loaded by Windows ICD.


    **Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. | -| /Variables | No | Specifies a semicolon separated and macro pair. The format for the argument must be =. | -| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows ICD auto-generates the decryption password and includes this information in the output.


    Precede with + for encryption or - for no encryption. The default is no encryption. | -| Overwrite | No | Denotes whether to overwrite an existing provisioning package.


    Precede with + to overwrite an existing package or - if you don't want to overwrite an existing package. The default is false (don't overwrite). | -| /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. | - - - - -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) -  - - - - - diff --git a/windows/deploy/provisioning-create-package.md b/windows/deploy/provisioning-create-package.md deleted file mode 100644 index f543e6d10f..0000000000 --- a/windows/deploy/provisioning-create-package.md +++ /dev/null @@ -1,149 +0,0 @@ ---- -title: Create a provisioning package (Windows 10) -description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Create a provisioning package for Windows 10 - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -You use Windows Imaging and Configuration Designer (ICD) to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10. - ->[Learn how to install Windows ICD.](provisioning-install-icd.md) - -## Start a new project - -1. Open Windows ICD: - - From either the Start screen or Start menu search, type 'Imaging and Configuration Designer' and click on the Windows ICD shortcut, - - or - - - Navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. - -2. Select your desired option on the **Start** page, which offers three options for creating a provisioning package, as shown in the following image: - - ![Simple provisioning or provision school devices or advanced provisioning](images/icd-create-options.png) - - - The **Simple provisioning** and **Provision school devices** options provide wizard-style walkthroughs for creating a provisioning package based on a set of common settings. - - The **Advanced provisioning** option opens a new project with all **Runtime settings** available. - - >[!TIP] - >You can start a project in the simple editor and then switch the project to the advanced editor. - > - >![Switch to advanced editor](images/icd-switch.png) - -3. Enter a name for your project, and then click **Next**. - -4. Select the settings you want to configure, based on the type of device, and then click **Next**. The following table describes the options. - - | Windows edition | Settings available for customization | Provisioning package can apply to | - | --- | --- | --- | - | All Windows editions | Common settings | All Windows 10 devices | - | All Windows desktop editions | Common settings and settings specific to desktop devices | All Windows 10 desktop editions (Home, Pro, Enterprise, Pro Education, Enterprise Education) | - | All Windows mobile editions | Common settings and settings specific to mobile devices | All Windows 10 Mobile devices | - | Windows 10 IoT Core | Common settings and settings specific to Windows 10 IoT Core | All Windows 10 IoT Core devices | - | Windows 10 Holographic | Common settings and settings specific to Windows 10 Holographic | [Microsoft HoloLens](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) | - | Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) | - -5. On the **Import a provisioning package (optional)** page, you can click **Finish** to create your project, or browse to and select an existing provisioning packge to import to your project, and then click **Finish**. - ->[!TIP] ->**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages you create so you don't have to reconfigure those common settings repeatedly. - -After you click **Finish**, Windows ICD will open the appropriate walkthrough page if you selected **Simple provisioning** or **Provision school devices**, or the **Available customizations** pane if you selected **Advanced provisioning**. The remainder of this topic will explain the **Advanced provisioning scenario**. - -- For instructions on **Simple provisioning**, see [Provision PCs with common settings](provision-pcs-for-initial-deployment.md). -- For instructions on **Provision school devices**, see [Set up student PCs to join domain](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain). - - -## Configure settings - -For an advanced provisioning project, Windows ICD opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings. - -![What the ICD interface looks like](images/icd-runtime.png) - -The settings in Windows ICD are based on Windows 10 configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers). - -The process for configuring settings is similar for all settings. The following table shows an example. - - - - - - - -
    ![step one](images/one.png)
    Expand a category.
    ![Expand Certificates category](images/icd-step1.png)
    ![step two](images/two.png)
    Select a setting.
    ![Select ClientCertificates](images/icd-step2.png)
    ![step three](images/three.png)
    Enter a value for the setting. Click **Add** if the button is displayed.
    ![Enter a name for the certificate](images/icd-step3.png)
    ![step four](images/four.png)
    Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and additional settings are displayed.
    ![Additional settings for client certificate](images/icd-step4.png)
    ![step five](images/five.png)
    When the setting is configured, it is displayed in the **Selected customizations** pane.
    ![Selected customizations pane](images/icd-step5.png)
    - -For details on each specific setting, see [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx). The reference topic for a setting is also displayed in Windows ICD when you select the setting, as shown in the following image. - -![Windows ICD opens the reference topic when you select a setting](images/icd-setting-help.png) - - - ## Build package - -1. After you're done configuring your customizations, click **Export** and select **Provisioning Package**. - - ![Export on top bar](images/icd-export-menu.png) - -2. In the **Describe the provisioning package** window, enter the following information, and then click **Next**: - - **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field. - - **Version (in Major.Minor format** - - Optional. You can change the default package version by specifying a new value in the **Version** field. - - **Owner** - Select **IT Admin**. For more information, see [Precedence for provisioning packages](provisioning-how-it-works.md#precedence-for-provisioning-packages). - - **Rank (between 0-99)** - Optional. You can select a value between 0 and 99, inclusive. The default package rank is 0. - -3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate. Both selections are optional. Click **Next** after you make your selections. - - - **Encrypt package** - If you select this option, an auto-generated password will be shown on the screen. - - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. - - >[!NOTE] - >You should only configure provisioning package security when the package is used for device provisioning and the package has contents with sensitive security data such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device. - > - >If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner. - -4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows ICD uses the project folder as the output location. - -5. In the **Build the provisioning package** window, click **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click Cancel. This cancels the current build process, closes the wizard, and takes you back to the Customizations Page. - -6. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - -7. When you are done, click **Finish** to close the wizard and go back to the Customizations page. - -**Next step**: [How to apply a provisioning package](provisioning-apply-package.md) - -## Learn more - -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - - - -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file diff --git a/windows/deploy/provisioning-how-it-works.md b/windows/deploy/provisioning-how-it-works.md deleted file mode 100644 index 1f9b72eb6c..0000000000 --- a/windows/deploy/provisioning-how-it-works.md +++ /dev/null @@ -1,184 +0,0 @@ ---- -title: How provisioning works in Windows 10 (Windows 10) -description: A provisioning package (.ppkg) is a container for a collection of configuration settings. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# How provisioning works in Windows 10 - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Provisioning packages in Windows 10 provide IT administrators with a simplified way to apply configuration settings to Windows 10 devices. Windows Imaging and Configuration Designer (Windows ICD) is a tool that makes it easy to create a provisioning package. Windows ICD is contained in the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). - -## Provisioning packages - -A provisioning package contains specific configurations/settings and assets that can be provided through a removable media or simply downloaded to the device. - -To enable adding multiple sets of settings or configurations, the configuration data used by the provisioning engine is built out of multiple configuration sources that consist of separate provisioning packages. Each provisioning package contains the provisioning data from a different source. - -A provisioning package (.ppkg) is a container for a collection of configuration settings. The package has the following format: - -- Package metadata – The metadata contains basic information about the package such as package name, description, version, ranking, and so on. - -- XML descriptors – Each descriptor defines a customization asset or configuration setting included in the package. - -- Asset payloads – The payloads of a customization asset or a configuration setting associated with an app or data asset. - -You can use provisioning packages for runtime device provisioning by accessing the package on a removable media attached to the device, through near field communication (NFC), or by downloading from a remote source location. - -## Precedence for provisioning packages - -When multiple provisioning packages are available for device provisioning, the combination of package owner type and package rank level defined in the package manifest is used to resolve setting conflicts. The pre-defined package owner types are listed below in the order of lowest to highest owner type precedence: - -1. Microsoft - -2. Silicon Vender - -3. OEM - -4. System Integrator - -5. Mobile Operator - -6. IT Admin - -The valid value range of package rank level is 0 to 99. - -When setting conflicts are encountered, the final values provisioned on the device are determined by the owner type precedence and the rank level of the packages containing the settings. For example, the value of a setting in a package with owner **System Integrator** and rank level **3** takes precedence over the same setting in a package with owner **OEM** and rank level **4**. This is because the System Integrator owner type has the higher precedence over the OEM owner type. For packages with the same owner type, the package rank level determines the package from which the setting values get provisioned on the device. - -## Windows provisioning XML - -Windows provisioning XML is the framework that allows Microsoft and OEM components to declare end-user configurable settings and the on-device infrastructure for applying the settings with minimal work by the component owner. - -Settings for each component can be declared within that component's package manifest file. These declarations are turned into settings schema that are used by Windows ICD to expose the potential settings to users to create customizations in the image or in provisioning packages. Windows ICD translates the user configuration, which is declared through Windows provisioning answer file(s), into the on-device provisioning format. - -When the provisioning engine selects a configuration, the Windows provisioning XML is contained within the selected provisioning data and is passed through the configuration manager and then to the Windows provisioning CSP. The Windows provisioning CSP then takes and applies the provisioning to the proper location for the actual component to use. - -## Provisioning engine - -The provisioning engine is the core component for managing provisioning and configuration at runtime in a device running Windows 10. - -The provisioning engine provides the following functionality: - -- Provisioning configuration at any time when the device is running including first boot and setup or OOBE. It is also extensible to other points during the run-time of the device. -- Reading and combining settings from multiple sources of configuration that may be added to an image by Microsoft, the OEM, or system integrator, or added by IT/education administrators or users to the device at run-time. Configuration sources may be built into the image or from provisioning packages added to the device. -- Responding to triggers or events and initiating a provisioning stage. -- Authenticating the provisioning packages. -- Selecting a set of configuration based on the stage and a set of keys—such as the SIM, MCC/MNC, IMSI range, and so on—that map to a specific configuration then passing this configuration to the configuration management infrastructure to be applied. -- Working with OOBE and the control panel UI to allow user selection of configuration when a specific match cannot be determined. - -## Configuration manager - -The configuration manager provides the unified way of managing Windows 10 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to Configuration Service Providers (CSPs) to perform the specific management requests and settings. - -The provisioning engine relies on configuration manager for all of the actual processing and application of a chosen configuration. The provisioning engine determines the stage of provisioning and, based on a set of keys, determines the set of configuration to send to the configuration manager. The configuration manager in turn parses and calls into the CSPs for the setting to be applied. - -Underneath the configuration manager are the CSPs. Each section of configuration translates to a particular CSP to handle interpreting into an action on the device. Each CSP translates the instructions in the configuration and calls into the appropriate APIs and components to perform the requested provisioning actions. - -## Policy and resource manager - -The policy, resource, and context manager components manage the enrollment and unenrollment of devices into enterprise environments. The enrollment process into an enterprise is essentially the provisioning of configuration and device management policies that the enterprise wants to enforce on the device. This is usually done through the explicit signing up of the device to an enterprise's device management server over a network connection. This provides the user with the ability to access the enterprise's resources through the device and the enterprise with a means to manage and control access and manage and control the device itself. - -The key differences between enterprise enrollment and the configuration performed by the provisioning engine are: -- Enrollment enforces a limited and controlled set of policies on the device that the user may not have full control over. The provisioning engine exposes a larger set of settings that configure more aspects of the device and are generally user adjustable. -- The policy manager manages policy settings from multiple entities and performs a selection of the setting based on priority of the entities. The provisioning engine applies the settings and does not offer a means of prioritizing settings from different sources. The more specific provisioning is the last one applied and the one that is used. -- Individual policy settings applied from different enrollment entities are stored so they can be removed later during unenrollment. This enables the user to remove enterprise policy and return the device to a state without the enterprise restrictions and any sensitive data. The provisioning engine does not maintain individual provisioning settings or a means to roll back all applied settings. - -In Windows 10, the application of policy and enrollment through provisioning is required to support cases where an enterprise or educational institution does not have a DM server for full device management. The provisioning engine supports provisioning enrollment and policy through its configuration and integrates with the existing policy and resource manager components directly or through the configuration manager. - -## Triggers and stages - -Triggers are events during the lifetime of the system that start a provisioning stage. Some examples of triggers are: boot, OOBE, SIM change, user added, administrator added, user login, device update, and various manual triggers (such as deployment over USB or launched from an email attachment or USB flash drive). - -When a trigger occurs, provisioning is initiated for a particular provisioning stage. The stages are grouped into sets based on the scope of the settings: -- **Static**: First stage run for provisioning to apply configuration settings to the system to set up OOBE or apply device-wide settings that cannot be done when the image is being created. -- **System**: Run during OOBE and configure system-wide settings. -- **UICC**: UICC stages run for each new UICC in a device to handle configuration and branding based on the identity of the UICC or SIM card. This enables the runtime configuration scenarios where an OEM can maintain one image that can be configured for multiple operators. -- **Update**: Runs after an update to apply potential updated settings changes. -- **User**: runs during a user account first run to configure per-user settings. - - - - - - - - - -## Device provisioning during OOBE - -The provisioning engine always applies provisioning packages persisted in the C:\Recovery\Customizations folder on the OS partition. When the provisioning engine applies provisioning packages in the %ProgramData%\Microsoft\Provisioning folder, certain runtime setting applications, such as the setting to install and configure Windows apps, may be extended past the OOBE pass and continually be processed in the background when the device gets to the desktop. Settings for configuring policies and certain crucial system configurations are always be completed before the first point at which they must take effect. - -Device users can apply a provisioning package from a remote source when the device first boots to OOBE. The device provisioning during OOBE is only triggered after the language, locale, time zone, and other settings on the first OOBE UI page are configured. On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key. When device provisioning is triggered, the provisioning UI is displayed in the OOBE page. The provisioning UI allows users to select a provisioning package acquired from a remote source, such as through NFC or a removable media. - -The following table shows how device provisioning can be initiated when a user first boots to OOBE. - - -| Package delivery | Initiation method | Supported device | -| --- | --- | --- | -| Removable media - USB drive or SD card
    (Packages must be placed at media root) | 5 fast taps on the Windows key to launch the provisioning UI |All Windows devices | -| From an administrator device through machine to machine NFC or NFC tag
    (The administrator device must run an app that can transfer the package over NFC) | 5 fast taps on the Windows key to launch the provisioning UI | Windows 10 Mobile devices and IoT Core devices | - -The provisioning engine always copies the acquired provisioning packages to the %ProgramData%\Microsoft\Provisioning folder before processing them during OOBE. The provisioning engine always applies provisioning packages embedded in the installed Windows image during Windows Setup OOBE pass regardless of whether the package is signed and trusted. When the provisioning engine applies an encrypted provisioning package on an end-user device during OOBE, users must first provide a valid password to decrypt the package. The provisioning engine also checks whether a provisioning package is signed and trusted; if it's not, the user must provide consent before the package is applied to the device. - -When the provisioning engine applies provisioning packages during OOBE, it applies only the runtime settings from the package to the device. Runtime settings can be system-wide configuration settings, including security policy, Windows app install/uninstall, network configuration, bootstrapping MDM enrollment, provisioning of file assets, account and domain configuration, Windows edition upgrade, and more. The provisioning engine also checks for the configuration settings on the device, such as region/locale or SIM card, and applies the multivariant settings with matching condition(s). - -## Device provisioning at runtime - -At device runtime, standalone provisioning packages can be applied by user initiation. Only runtime configuration settings including multivariant settings contained in a provisioning package can be applied at device runtime. - -The following table shows when provisioning at device runtime can be initiated. - -| Package delivery | Initiation method | Supported device | -| --- | --- | --- | -| Removable media - USB drive or SD card
    (Packages must be placed at media root) | **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** | All Windows devices | -| Downloaded from a network connection and copied to a local folder | Double-click the package file | Windows 10 for desktop editions devices | -| From an administrator device connected to the target device through USB tethering | Drag and drop the package file onto the target device | Windows 10 Mobile devices and IoT Core devices | - -When applying provisioning packages from a removable media attached to the device, the Settings UI allows viewing contents of a package before selecting the package for provisioning. To minimize the risk of the device being spammed by applying provisioning packages from unknown sources, a provisioning package can be signed and encrypted. Partners can also set policies to limit the application of provisioning packages at device runtime. Applying provisioning packages at device runtime requires administrator privilege. If the package is not signed or trusted, a user must provide consent before the package is applied to the device. If the package is encrypted, a valid password is needed to decrypt the package before it can be applied to the device. - -When applying multiple provisioning packages to a device, the provisioning engine resolves settings with conflicting configuration values from different packages by evaluating the package ranking using the combination of package owner type and package rank level defined in the package metadata. A configuration setting applied from a provisioning package with the highest package ranking will be the final value applied to the device. - -After a standalone provisioning package is applied to the device, the package is persisted in the %ProgramData%\Microsoft\Provisioning folder on the device. Provisioning packages can be removed by an administrator by using the **Add or remove a provisioning package** available under **Settings** > **Accounts** > **Access work or school**. However, Windows 10 doesn't provide an uninstall option to revert runtime settings when removing a provisioning package from the device. - - -## Learn more - -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - - -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - - - - -  - -  - - - - - diff --git a/windows/deploy/provisioning-install-icd.md b/windows/deploy/provisioning-install-icd.md deleted file mode 100644 index 9727bc089d..0000000000 --- a/windows/deploy/provisioning-install-icd.md +++ /dev/null @@ -1,106 +0,0 @@ ---- -title: Install Windows Imaging and Configuration Designer (Windows 10) -description: Learn how to install and run Windows ICD. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Install Windows Imaging and Configuration Designer (ICD) - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Use the Windows Imaging and Configuration Designer (ICD) tool in the Windows Assessment and Deployment Kit (ADK) to create provisioning packages to easily configure devices running Windows 10. Windows ICD is primarily designed for use by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices. - -## Supported platforms - -Windows ICD can create provisioning packages for Windows 10 desktop and mobile editions, including Windows 10 IoT Core. You can run Windows ICD on the following operating systems: - -- Windows 10 - x86 and amd64 -- Windows 8.1 Update - x86 and amd64 -- Windows 8.1 - x86 and amd64 -- Windows 8 - x86 and amd64 -- Windows 7 - x86 and amd64 -- Windows Server 2016 -- Windows Server 2012 R2 Update -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -## Install Windows ICD - -1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and select **Get Windows ADK** for the version of Windows 10 that you want to create provisioning packages for (version 1511 or version 1607). - - >[!NOTE] - >The rest of this procedure uses Windows ADK for Windows 10, version 1607 as an example. - -2. Save **adksetup.exe** and then run it. - -3. On the **Specify Location** page, select an installation path and then click **Next**. - >[!NOTE] - >The estimated disk space listed on this page applies to the full Windows ADK. If you only install Windows ICD, the space requirement is approximately 32 MB. -4. Make a selection on the **Windows Kits Privacy** page, and then click **Next**. - -5. Accept the **License Agreement**, and then click **Next**. - -6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**. - - ![Only Configuration Designer selected for installation](images/icd-install.png) - -## Current Windows ICD limitations - - -- You can only run one instance of Windows ICD on your computer at a time. - -- Be aware that when adding apps and drivers, all files stored in the same folder will be imported and may cause errors during the build process. - -- The Windows ICD UI does not support multivariant configurations. Instead, you must use the Windows ICD command-line interface to configure multivariant settings. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). - -- While you can open multiple projects at the same time within Windows ICD, you can only build one project at a time. - -- In order to enable the simplified authoring jscripts to work on a server SKU running Windows ICD, you need to explicitly enable **Allow websites to prompt for information using scripted windows**. Do this by opening Internet Explorer and then navigating to **Settings** > **Internet Options** > **Security** -> **Custom level** > **Allow websites to prompt for information using scripted windows**, and then choose **Enable**. - -- If you copy a Windows ICD project from one PC to another PC, make sure that all the associated files for the deployment assets, such as apps and drivers, are copied along with the project to the same path as it was on the original PC. - - For example, when you add a driver to a provisioned package, you must copy the .INF file to a local directory on the PC that is running Windows ICD. If you don't do this, and attempt to use a copied version of this project on a different PC, Windows ICD might attempt to resolve the path to the files that point to the original PC. - -- **Recommended**: Before starting, copy all source files to the PC running Windows ICD, rather than using external sources like network shares or removable drives. This reduces the risk of interrupting the build process from a temporary network issue or from disconnecting the USB device. - -**Next step**: [How to create a provisioning package](provisioning-create-package.md) - -## Learn more - -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - - - -  - -  - - - - - diff --git a/windows/deploy/provisioning-multivariant.md b/windows/deploy/provisioning-multivariant.md deleted file mode 100644 index 3bc7652233..0000000000 --- a/windows/deploy/provisioning-multivariant.md +++ /dev/null @@ -1,322 +0,0 @@ ---- -title: Create a provisioning package with multivariant settings (Windows 10) -description: Create a provisioning package with multivariant settings to customize the provisioned settings. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Create a provisioning package with multivariant settings - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Multivariant provisioning packages enable you to create a single provisioning package that can work for multiple locales. - -To provision multivariant settings, you must create a provisioning package with defined **Conditions** and **Settings** that are tied to these conditions. When you install this package on a Windows 10 device, the provisioning engine applies the matching condition settings at every event and triggers provisioning. - -The following events trigger provisioning on Windows 10 devices: - -| Event | Windows 10 Mobile | Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) | -| --- | --- | --- | -| System boot | Supported | Supported | -| Operating system update | Supported | Planned | -| Package installation during device first run experience | Supported | Supported | -| Detection of SIM presence or update | Supported | Not supported | -| Package installation at runtime | Supported | Supported | -| Roaming detected | Supported | Not supported | - -## Target, TargetState, Condition, and priorities - -Targets describe keying for a variant and must be described or pre-declared before being referenced by the variant. - -- You can define multiple **Target** child elements for each **Id** that you need for the customization setting. - -- Within a **Target** you can define multiple **TargetState** elements. - -- Within a **TargetState** element you can create multiple **Condition** elements. - -- A **Condition** element defines the matching type between the condition and the specified value. - -The following table shows the conditions supported in Windows 10 provisioning: - ->[!NOTE] ->You can use any of these supported conditions when defining your **TargetState**. - -| Condition Name | Condition priority | Windows 10 Mobile | Windows 10 for desktop editions | Value type | Value description | -| --- | --- | --- | --- | --- | --- | -| MNC | P0 | Supported | N/A | Digit string | Use to target settings based on the Mobile Network Code (MNC) value. | -| MCC | P0 | Supported | N/A | Digit string | Use to target settings based on the Mobile Country Code (MCC) value. | -| SPN | P0 | Supported | N/A | String | Use to target settings based on the Service Provider Name (SPN) value. | -| PNN | P0 | Supported | N/A | String | Use to target settings based on public land mobile network (PLMN) Network Name value. | -| GID1 | P0 | Supported | N/A | Digit string | Use to target settings based on the Group Identifier (level 1) value. | -| ICCID | P0 | Supported | N/A | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. | -| Roaming | P0 | Supported | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). | -| UICC | P0 | Supported | N/A | Enumeration | Use to specify the UICC state. Set the value to one of the following:


    - 0 - Empty
    - 1 - Ready
    - 2 - Locked | -| UICCSLOT | P0 | Supported | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:


    - 0 - Slot 0
    - 1 - Slot 1 | -| ProcessorType | P1 | Supported | Supported | String | Use to target settings based on the processor type. | -| ProcessorName | P1 | Supported | Supported | String | Use to target settings based on the processor name. | -| AoAc | P1 | Supported | Supported | Boolean | Set the value to 0 or 1. | -| PowerPlatformRole | P1 | Supported | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the POWER_PLATFORM_ROLE enumeration. | -| Architecture | P1 | Supported | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. | -| Server | P1 | Supported | Supported | Boolean | Set the value to 0 or 1. | -| Region | P1 | Supported | Supported | Enumeration | Use to target settings based on country/region. | -| Lang | P1 | Supported | Supported | Enumeration | Use to target settings based on language code. | -| ROMLANG | P1 | Supported | N/A | Digit string | Use to specify the PhoneROMLanguage that's set for DeviceTargeting. This condition is used primarily to detect variants for China. For example, you can use this condition and set the value to "0804". | - -The matching types supported in Windows 10 are: - -| Matching type | Syntax | Example | -| --- | --- | --- | -| Straight match | Matching type is specified as-is | <Condition Name="ProcessorName" Value="Barton" /> | -| Regex match | Matching type is prefixed by "Pattern:" | <Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" /> | -| Numeric range match | Matching type is prefixed by "!Range:" | <Condition Name="MNC" Value="!Range:400, 550" /> | - - -- When all **Condition** elements are TRUE, **TargetState** is TRUE (**AND** logic). - -- If any of the **TargetState** elements is TRUE, **Target** is TRUE (**OR** logic), and **Id** can be used for the setting customization. - - -You can define more than one **TargetState** within a provisioning package to apply variant settings that match device conditions. When the provisioning engine evalues each **TargetState**, more than one **TargetState** may fit current device conditions. To determine the order in which the variant settings are applied, the system assigns a priority to every **TargetState**. - -A variant setting that matches a **TargetState** with a lower priority is applied before the variant that matches a **TargetState** with a higher priority. Variant settings that match more than one **TargetState** with equal priority are applied according to the order that each **TargetState** is defined in the provisioning package. - -The **TargetState** priority is assigned based on the conditions priority and the priority evaluation rules are as followed: - -1. **TargetState** with P0 conditions is higher than **TargetState** without P0 conditions. - - -2. **TargetState** with P1 conditions is higher than **TargetState** without P0 and P1 conditions. - - -3. If N₁>N₂>0, the **TargetState** priority with N₁ P0 conditions is higher than the **TargetState** with N₂ P1 conditions. - - -4. For **TargetState** without P0 conditions, if N₁>N₂>0 **TargetState** with N₁ P1 conditions is higher than the **TargetState** with N₂ P1 conditions. - - -5. For **TargetState** without P0 and P1 conditions, if N₁>N₂>0 **TargetState** priority with N₁ P2 conditions is higher than the **TargetState** with N₂ P2 conditions. - - -6. For rules 3, 4, and 5, if N₁=N₂, **TargetState** priorities are considered equal. - - -## Create a provisioning package with multivariant settings - -Follow these steps to create a provisioning package with multivariant capabilities. - - -1. Build a provisioning package and configure the customizations you need to apply during certain conditions. For more information, see [Create a provisioning package](provisioning-create-package.md). - - -2. After you've [configured the settings](provisioning-create-package.md#configure-settings), save the project. - - -3. Open the project folder and copy the customizations.xml file. - -4. Use an XML or text editor to open the customizations.xml file. - - The customizations.xml file holds the package metadata (including the package owner and rank) and the settings that you configured when you created your provisioning package. The Customizations node contains a Common section, which contains the customization settings. - - The following example shows the contents of a sample customizations.xml file. - - ```XML - - - - {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} - My Provisioning Package - 1.0 - OEM - 50 - - - - - - 0 - 0 - 0 - - - 0 - - - - - - ``` - -4. Edit the customizations.xml file and create a **Targets** section to describe the conditions that will handle your multivariant settings. - - The following example shows the customizations.xml, which has been modified to include several conditions including **ProcessorName**, **ProcessorType**, **MCC**, and **MNC**. - - ```XML - - - - {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} - My Provisioning Package - 1.0 - OEM - 50 - - - - - - 0 - 0 - 0 - - - 0 - - - - - - - - - - - - - - - - - - - - - - - - ``` - -5. In the customizations.xml file, create a **Variant** section for the settings you need to customize. To do this: - - a. Define a child **TargetRefs** element. - - b. Within the **TargetRefs** element, define a **TargetRef** element. You can define multiple **TargetRef** elements for each **Id** that you need to apply to customized settings. - - c. Move compliant settings from the **Common** section to the **Variant** section. - - If any of the TargetRef elements matches the Target, all settings in the Variant are applied (OR logic). - - >[!NOTE] - >You can define multiple Variant sections. Settings that reside in the **Common** section are applied unconditionally on every triggering event. - - The following example shows the customizations.xml updated to include a **Variant** section and the moved settings that will be applied if the conditions for the variant are met. - - ```XML - - - - {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} - My Provisioning Package - 1.0 - OEM - 50 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 - 1 - 1 - - - 1 - - - - - - - ``` - -6. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step. - - -7. Use the [Windows ICD command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml. - - For example: - - ``` - icd.exe /Build-ProvisioningPackage /CustomizationXML:"C:\CustomProject\customizations.xml" /PackagePath:"C:\CustomProject\output.ppkg" /StoreFile:C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\Microsoft-Common-Provisioning.dat" - ``` - - -In this example, the **StoreFile** corresponds to the location of the settings store that will be used to create the package for the required Windows edition. - ->[!NOTE] ->The provisioning package created during this step will contain the multivariant settings. You can use this package either as a standalone package that you can apply to a Windows device or use it as the base when starting another project. - - - - - - - - - - - - - - -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) - -  - - - - - diff --git a/windows/deploy/provisioning-nfc.md b/windows/deploy/provisioning-nfc.md deleted file mode 100644 index 114e6d5545..0000000000 --- a/windows/deploy/provisioning-nfc.md +++ /dev/null @@ -1,153 +0,0 @@ ---- -title: NFC-based device provisioning (Windows 10) -description: -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# NFC-based device provisioning - - -**Applies to** - -- Windows 10 Mobile - -Near field communication (NFC) enables Windows 10 Mobile Enterprise and Windows 10 Mobile devices to communicate with an NFC tag or another NFC-enabled transmitting device. Enterprises that do bulk provisioning can use NFC-based device provisioning to provide a provisioning package to the device that's being provisioned. NFC provisioning is simple and convenient and it can easily store an entire provisioning package. - -The NFC provisioning option enables the administrator to provide a provisioning package during initial device setup or the out-of-box experience (OOBE) phase. Administrators can use the NFC provisioning option to transfer provisioning information to persistent storage by tapping an unprovisioned mobile device to an NFC tag or NFC-enabled device. To use NFC for pre-provisioning a device, you must either prepare your own NFC tags by storing your provisioning package to a tag as described in this section, or build the infrastructure needed to transmit a provisioning package between an NFC-enabled device and a mobile device during OOBE. - -## Provisioning OOBE UI - -All Windows 10 Mobile Enterprise and Windows 10 Mobile images have the NFC provisioning capability incorporated into the operating system. On devices that support NFC and are running Windows 10 Mobile Enterprise or Windows 10 Mobile, NFC-based device provisioning provides an additional mechanism to provision the device during OOBE. - -On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key, which shows the **Provision this device** screen. In the **Provision this device** screen, select **NFC** for NFC-based provisioning. - -![Example of Provision this device screen](images/nfc.png) - -If there is an error during NFC provisioning, the device will show a message if any of the following errors occur: - -- **NFC initialization error** - This can be caused by any error that occurs before data transfer has started. For example, if the NFC driver isn't enabled or there's an error communicating with the proximity API. -- **Interrupted download or incomplete package transfer** - This error can happen if the peer device is out of range or the transfer is aborted. This error can be caused whenever the device being provisioned fails to receive the provisioning package in time. -- **Incorrect package format** - This error can be caused by any protocol error that the operating system encounters during the data transfer between the devices. -- **NFC is disabled by policy** - Enterprises can use policies to disallow any NFC usage on the managed device. In this case, NFC functionality is not enabled. - -## NFC tag - -You can use an NFC tag for minimal provisioning and use an NFC-enabled device tag for larger provisioning packages. - -The protocol used for NFC-based device provisioning is similar to the one used for NFC provisioning on Windows Embedded 8.1 Handheld, which supported both single-chunk and multi-chunk transfer when the total transfer didn't fit in one NDEP message size. In Windows 10, the provisioning stack contains the following changes: - -- **Protocol namespace** - The protocol namespace has changed from Windows.WEH.PreStageProv.Chunk to Windows.ProvPlugins.Chunk. -- **Tag data type** - The tag data type has changed from UTF-8 into binary raw data. - - ->[!NOTE] ->The NFC tag doesn't go in the secondary device. You can transfer the NFC tag by using a provisioning package from device-to-device using the NFC radio or by re-reading the provisioning package from an NFC tag. - -### NFC tag components - -NFC tags are suitable for very light applications where minimal provisioning is required. The size of NFC tags that contain provisioning packages is typically 4 KB to 10 KB. - -To write to an NFC tag, you will need to use an NFC Writer tool, or you can use the [ProximityDevice class API](https://msdn.microsoft.com/library/windows/apps/windows.networking.proximity.proximitydevice.aspx) to write your own custom tool to transfer your provisioning package file to your NFC tag. The tool must publish a binary message (write) a Chunk data type to your NFC tag. - -The following table describes the information that is required when writing to an NFC tag. - -| Required field | Description | -| --- | --- | -| **Type** | Windows.ProvPlugins.Chunk

    The receiving device uses this information to understand information in the Data field. | -| **Data** | Tag data with small header in raw binary format that contains a chunk of the provisioning package to be transferred. | - - - -### NFC provisioning helper - -The NFC provisioning helper device must split the provisioning package raw content into multiple parts and publish these in order. Each part should follow the following format: - -
    **Version**
    (1 byte)
    **Leading**
    (1 byte)
    **Order**
    (1 byte)
    **Total**
    (1 byte)
    **Chunk payload**
    (N bytes)
    - -For each part: -- **Version** should always be 0x00. -- **Leading byte** should always be 0xFF. -- **Order** represents which message chunk (out of the whole message) the part belongs to. The Order begins with zero (0). -- **Total** represents the total number of chunks to be transferred for the whole message. -- **Chunk payload** represents each of the split parts. - -The NFC provisioning helper device must publish the record in a type of Windows.ProvPlugins.Chunk. - -**Code example** - -The following example shows how to write to an NFC tag. This example assumes that the tag is already in range of the writing device. - -``` - private async void WriteProvPkgToTag(IStorageFile provPkgFile) - { - var buffer = await FileIO.ReadBufferAsync(provPkgFile); - if (null == buffer) - { - return; - } - - var proximityDevice = Windows.Networking.Proximity.ProximityDevice.GetDefault(); - if (null == proximityDevice) - { - return; - } - - var dataWriter = new DataWriter(); - var header = new NfcProvHeader(); - - header.version = NFC_PROV_MESSAGE_CURRENT_VERSION; // Currently the supported version is 0x00. - header.leading = NFC_PROV_MESSAGE_LEADING_BYTE; // The leading byte should be always 0xFF. - header.index = 0; // Assume we only have 1 chunk. - header.total = 1; // Assume we only have 1 chunk. - - // Write the header first and then the raw data of the provisioning package. - dataWriter.WriteBytes(GetBytes(header)); - dataWriter.WriteBuffer(buffer); - - var chunkPubId = proximityDevice.PublishBinaryMessage( - "Windows:WriteTag.ProvPlugins.Chunk", - dataWriter.DetachBuffer()); - } -``` - - -### NFC-enabled device tag components - -Provisioning from an NFC-enabled source device allows for larger provisioning packages than can be transferred using an NFC tag. When provisioning from an NFC-enabled device, we recommend that the total file size not exceed 120 KB. Be aware that the larger the NFC file is, the longer it will take to transfer the provisioning file. Depending on your NFC hardware, the transfer time for a 120 KB file will vary between 2.5 seconds and 10 seconds. - -To provision from an NFC-enabled source device, use [ProximityDevice class API](https://msdn.microsoft.com/library/windows/apps/windows.networking.proximity.proximitydevice.aspx) to write your own custom tool that transfers your provisioning package in chunks to your target mobile device. The tool must publish binary messages (transmit) a Header message, followed by one or more Chunk messages. The Header specifies the total amount of data that will be transferred to the target device; the Chunks must contain binary raw data formatted provisioning data, as shown in the NFC tag components section. - -For detailed information and code samples on how to implement an NFC-enabled device tag, see **ConvertToNfcMessageAsync** in [this GitHub NfcProvisioner Universal Windows app example](https://github.com/Microsoft/Windows-universal-samples/blob/master/Samples/NfcProvisioner/cs/Scenario1.xaml.cs). The sample app shows you how to host the provisioning package on a master device so that you can transfer it to the receiving device. - - - - - - - -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - -  - -  - - - - - diff --git a/windows/deploy/provisioning-packages.md b/windows/deploy/provisioning-packages.md deleted file mode 100644 index 557bf3e595..0000000000 --- a/windows/deploy/provisioning-packages.md +++ /dev/null @@ -1,127 +0,0 @@ ---- -title: Provisioning packages (Windows 10) -description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. -ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Provisioning packages for Windows 10 - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. - -A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. - -Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization. - -The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Imaging and Configuration Designer (ICD), a tool for configuring provisioning packages. - -## New in Windows 10, version 1607 - -Windows ICD for Windows 10, version 1607, simplifies common provisioning scenarios. - -![Configuration Designer options](images/icd.png) - -Windows ICD in Windows 10, version 1607, supports the following scenarios for IT administrators: - -* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. - - > [Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md) - -* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. - - > [Learn how to use advanced provisioning to configure Windows 10 computers with apps and certificates.](provision-pcs-with-apps-and-certificates.md) - -* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: - - * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment) - * AirWatch (password-string based enrollment) - * Mobile Iron (password-string based enrollment) - * Other MDMs (cert-based enrollment) - -> [!NOTE] -> Windows ICD in Windows 10, version 1607, also provides a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index). - -## Benefits of provisioning packages - - -Provisioning packages let you: - -- Quickly configure a new device without going through the process of installing a new image. - -- Save time by configuring multiple devices using one provisioning package. - -- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure. - -- Set up a device without the device having network connectivity. - -Provisioning packages can be: - -- Installed using removable media such as an SD card or USB flash drive. - -- Attached to an email. - -- Downloaded from a network share. - -## What you can configure - - -The following table provides some examples of what you can configure using provisioning packages. - -| Customization options | Examples | -|--------------------------|-----------------------------------------------------------------------------------------------| -| Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters | -| Applications | Windows apps, line-of-business applications | -| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\* | -| Certificates | Root certification authority (CA), client certificates | -| Connectivity profiles | Wi-Fi, proxy settings, Email | -| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings | -| Data assets | Documents, music, videos, pictures | -| Start menu customization | Start menu layout, application pinning | -| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | -\* Using a provisioning package for auto-enrollment to System Center Configuration Manager or Configuration Manager/Intune hybrid is not supported. Use the Configuration Manager console to enroll devices. -  - -For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). - -## Learn more - -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - -## Related topics - -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - - - - - -  - -  - - - - - diff --git a/windows/deploy/provisioning-script-to-install-app.md b/windows/deploy/provisioning-script-to-install-app.md deleted file mode 100644 index 8754c66299..0000000000 --- a/windows/deploy/provisioning-script-to-install-app.md +++ /dev/null @@ -1,222 +0,0 @@ ---- -title: Use a script to install a desktop app in provisioning packages (Windows 10) -description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Use a script to install a desktop app in provisioning packages - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -This walkthrough describes how to leverage the ability to include scripts in a Windows 10 provisioning package to install Win32 applications. Scripted operations other than installing apps can also be performed, however, some care is needed in order to avoid unintended behavior during script execution (see Remarks below). - ->**Prerequisite**: [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), version 1511 or higher - ->[!NOTE] ->This scenario is only supported for installing applications on Windows 10 for desktop, version 1511 or higher. - -## Assemble the application assets - -1. On the device where you’re authoring the package, place all of your assets in a known location. Each asset must have a unique filename, because all files will be copied to the same temp directory on the device. It’s common for many apps to have an installer called ‘install.exe’ or similar, and there may be name overlap because of that. To fix this, you can use the technique described in the next step to include a complete directory structure that is then expanded into the temp directory on the device. The most common use for this would be to include a subdirectory for each application. - -2. If you need to include a directory structure of files, you will need to cab the assets for easy inclusion in the provisioning packages. - -## Cab the application assets - -1. Create a .DDF file as below, replacing *file1* and *file2* with the files you want to package, and adding the name of file/directory. - - ``` - ;*** MSDN Sample Source Code MakeCAB Directive file example - - ; - - .OPTION EXPLICIT ; Generate errors on variable typos - - .set DiskDirectoryTemplate=CDROM ; All cabinets go in a single directory - - .Set MaxDiskFileCount=1000; Limit file count per cabinet, so that - - ; scanning is not too slow - - .Set FolderSizeThreshold=200000 ; Aim for ~200K per folder - - .Set CompressionType=MSZIP - - ;** All files are compressed in cabinet files - - .Set Cabinet=on - - .Set Compress=on - - ;------------------------------------------------------------------- - - ;** CabinetNameTemplate = name of cab - - ;** DiskDirectory1 = output directory where cab will be created - - ;------------------------------------------------------------------- - - .Set CabinetNameTemplate=tt.cab - - .Set DiskDirectory1=. - - ;------------------------------------------------------------------- - - ; Replace with actual files you want to package - - ;------------------------------------------------------------------- - - - - - - ;*** - ``` - -2. Use makecab to create the cab files. - - ``` - Makecab -f - ``` - -## Create the script to install the application - -Create a script to perform whatever work is needed to install the application(s). The following examples are provided to help get started authoring the orchestrator script that will execute the required installers. In practice, the orchestrator script may reference many more assets than those in these examples. - ->[!NOTE] ->All actions performed by the script must happen silently, showing no UI and requiring no user interaction. -> ->The scripts will be run on the device in system context. - -### Debugging example - -Granular logging is not built in, so the logging must be built into the script itself. Here is an example script that logs ‘Hello World’ to a logfile. When run on the device, the logfile will be available after provisioning is completed. As you will see in the following examples, it’s recommended that you log each action that your script performs. - -``` -set LOGFILE=%SystemDrive%\HelloWorld.log -echo Hello, World >> %LOGFILE% -``` -### .exe example - -This example script shows how to create a log output file on the system drive, install an app from a .exe installer, and echo the results to the log file. - -``` -set LOGFILE=%SystemDrive%\Fiddler_install.log -echo Installing Fiddler.exe >> %LOGFILE% -fiddler4setup.exe /S >> %LOGFILE% -echo result: %ERRORLEVEL% >> %LOGFILE% -``` - -### .msi example - -This is the same as the previous installer, but installs the app from an MSI installer. Notice that msiexec is called with the /quiet flag in order to meet the silent requirement of scripts run from within a provisioning package. - -``` -set LOGFILE=%SystemDrive%\IPOverUsb_install.log -echo Installing IpOverUsbInstaller.msi >> %LOGFILE% -msiexec /i IpOverUsbInstaller.msi /quiet >> %LOGFILE% -echo result: %ERRORLEVEL% >> %LOGFILE% -``` - -### PowerShell example - -This is an example script with logging that shows how to run a powershell script from the provisioning commands setting. Note that the PowerShell script referenced from this example must also be included in the package, and obey the same requirements as all scripts run from within the provisioning package: it must execute silently, with no user interaction. - -``` -set LOGFILE=%SystemDrive%\my_powershell_script.log -echo Running my_powershell_script.ps1 in system context >> %LOGFILE% -echo Executing "PsExec.exe -accepteula -i -s cmd.exe /c powershell.exe my_powershell_script.ps1" >> %LOGFILE% -PsExec.exe -accepteula -i -s cmd.exe /c powershell.exe my_powershell_script.ps1' >> %LOGFILE% -echo result: %ERRORLEVEL% >> %LOGFILE% -``` - -### Extract from a .CAB example - -This example script shows expansion of a .cab from the provisioning commands script, as well as installation of the expanded setup.exe - -``` -set LOGFILE=%SystemDrive%\install_my_app.log -echo Expanding installer_assets.cab >> %LOGFILE% -expand -r installer_assets.cab -F:* . >> %LOGFILE% -echo result: %ERRORLEVEL% >> %LOGFILE% -echo Installing MyApp >> %LOGFILE% -setup.exe >> %LOGFILE% -echo result: %ERRORLEVEL% >> %LOGFILE% -``` - -### Calling multiple scripts in the package - -You are currently allowed one CommandLine per PPKG. The batch files shown above are orchestrator scripts that manage the installation and calls any other scripts included in the PPKG. The orchestrator script is what should be invoked from the CommandLine specified in the package. - -Here’s a table describing this relationship, using the PowerShell example from above: - - -|ICD Setting | Value | Description | -| --- | --- | --- | -| ProvisioningCommands/DeviceContext/CommandLine | cmd /c PowerShell_Example.bat | The command line needed to invoke the orchestrator script. | -| ProvisioningCommands/DeviceContext/CommandFiles | PowerShell_Example.bat | The single orchestrator script referenced by the command line that handles calling into the required installers or performing any other actions such as expanding cab files. This script must do the required logging. | -| ProvisioningCommands/DeviceContext/CommandFiles | my_powershell_script.ps1 | Other assets referenced by the orchestrator script. In this example there is only one, but there could be many assets referenced here. One common use case is using the orchestrator to call a series of install.exe or setup.exe installers to install several applications. Each of those installers must be included as an asset here. | - - -### Add script to provisioning package - -When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Window Imaging and Configuration Designer (Windows ICD). - -Using ICD, specify the full details of how the script should be run in the CommandLine setting in the provisioning package. This includes flags or any other parameters that you would normally type on the command line. So for example if the package contained an app installer called install.exe and a script used to automate the install called InstallMyApp.bat, the `ProvisioningCommands/DeviceContext/CommandLine` setting should be configured to: - -``` -cmd /c InstallMyApp.bat -``` - -In ICD, this looks like: - -![Command line in Selected customizations](images/icd-script1.png) - -You also need to add the relevant assets for that command line including the orchestrator script and any other assets it references such as installers or .cab files. - -In ICD, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting. - -![Command files in Selected customizations](images/icd-script2.png) - -When you are done, [build the package](provisioning-create-package.md#build-package). - - -### Remarks -1. No user interaction or console output is supported via ProvisioningCommands. All work needs to be silent. If your script attempts to do any of the following it will cause undefined behavior, and could put the device in an unrecoverable state if executed during setup or the Out of Box Experience: - a. Echo to console - b. Display anything on the screen - c. Prompt the user with a dialog or install wizard -2. When applied at first boot, provisioning runs early in the boot sequence and before a user context has been established; care must be taken to only include installers that can run at this time. Other installers can be provisioned via a management tool. -3. If the device is put into an unrecoverable state because of a bad script, you can reset it using [recovery options in Windows 10](https://support.microsoft.com/help/12415/windows-10-recovery-options). -4. The CommandFile assets are deployed on the device to a temporary folder unique to each package. - a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands` - b. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the PPKG: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands` -5. The command line will be executed with the directory the CommandFiles were deployed to as the working directory. This means you do not need to specific the full path to assets in the command line or from within any script. -6. The runtime provisioning component will attempt to run the scripts from the PPKG at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the Out-of-Box Experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and “please wait” will be displayed on the screen. - - >[!NOTE] - >There is a timeout of 30 minutes for the provisioning process at this point. All scripts and installs need to complete within this time. -7. The scripts are executed in the background as the rest of provisioning continues to run. For packages added on existing systems using the double-click to install, there is no notification that provisioning or script execution has completed - - -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file diff --git a/windows/deploy/provisioning-uninstall-package.md b/windows/deploy/provisioning-uninstall-package.md deleted file mode 100644 index b3836ede88..0000000000 --- a/windows/deploy/provisioning-uninstall-package.md +++ /dev/null @@ -1,98 +0,0 @@ ---- -title: Settings changed when you uninstall a provisioning package (Windows 10) -description: This topic lists the settings that are reverted when you uninstall a provisioning package. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Settings changed when you uninstall a provisioning package - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -When you uninstall a provisioning package, only certain settings are revertible. This topic lists the settings that are reverted when you uninstall a provisioning package. - - -As an administrator, you can uninstall by using the **Add or remove a package for work or school** option available under **Settings** > **Accounts** > **Access work or school**. - -When a provisioning package is uninstalled, some of its settings are reverted, which means the value for the setting is changed to the next available or default value. Not all settings, however, are revertible. - -Only settings in the following lists are revertible. - -## Registry-based settings - -The registry-based settings that are revertible when a provisioning package is uninstalled all fall under these categories, which you can find in the Graphical User Interface of the Windows Imaging and Configuration Designer (Windows ICD). - - -- [Wi-Fi Sense](https://msdn.microsoft.com/library/windows/hardware/mt219706.aspx) -- [CountryAndRegion](https://msdn.microsoft.com/library/windows/hardware/mt219726.aspx) -- DeviceManagement / PGList/ LogicalProxyName -- UniversalAppInstall / LaunchAppAtLogin -- [Power](https://msdn.microsoft.com/library/windows/hardware/dn953704.aspx) -- [TabletMode](https://msdn.microsoft.com/library/windows/hardware/mt297550.aspx) -- [Maps](https://msdn.microsoft.com/library/windows/hardware/mt131464.aspx) -- [Browser](https://msdn.microsoft.com/library/windows/hardware/mt573151.aspx) -- [DeviceFormFactor](https://msdn.microsoft.com/library/windows/hardware/mt243449.aspx) -- [USBErrorsOEMOverride](https://msdn.microsoft.com/library/windows/hardware/mt769908.aspx) -- [WeakCharger](https://msdn.microsoft.com/library/windows/hardware/mt346401.aspx) - - - -## CSP-based settings - -Here is the list of revertible settings based on configuration service providers (CSPs). - -[ActiveSync CSP](https://msdn.microsoft.com/library/windows/hardware/dn920017.aspx) -[AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) -[BrowserFavorite CSP](https://msdn.microsoft.com/library/windows/hardware/dn914758.aspx) -[CertificateStore CSP](https://msdn.microsoft.com/library/windows/hardware/dn920021.aspx) -[ClientCertificateInstall CSP](https://msdn.microsoft.com/library/windows/hardware/dn920023.aspx) -[RootCATrustedCertificates CSP](https://msdn.microsoft.com/library/windows/hardware/dn904970.aspx) -[CM_CellularEntries CSP](https://msdn.microsoft.com/library/windows/hardware/dn914761.aspx) -[CM_ProxyEntries CSP](https://msdn.microsoft.com/library/windows/hardware/dn914762.aspx) -[CMPolicy CSP](https://msdn.microsoft.com/library/windows/hardware/dn914760.aspx) -[CMPolicyEnterprise CSP](https://msdn.microsoft.com/library/windows/hardware/mt706463.aspx) -[EMAIL2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn904953.aspx) -[EnterpriseAPN CSP](https://msdn.microsoft.com/library/windows/hardware/dn958617.aspx) -[EnterpriseAppManagement CSP](https://msdn.microsoft.com/library/windows/hardware/dn904955.aspx) -[EnterpriseDesktopAppManagement CSP](https://msdn.microsoft.com/library/windows/hardware/dn958620.aspx) -[EnterpriseModernAppManagement CSP](https://msdn.microsoft.com/library/windows/hardware/dn904956.aspx) -[NAP CSP](https://msdn.microsoft.com/library/windows/hardware/dn914767.aspx) -[PassportForWork CSP](https://msdn.microsoft.com/library/windows/hardware/dn987099.aspx) -[Provisioning CSP](https://msdn.microsoft.com/library/windows/hardware/mt203665.aspx) -[PROXY CSP](https://msdn.microsoft.com/library/windows/hardware/dn914770.aspx) -[SecureAssessment CSP](https://msdn.microsoft.com/library/windows/hardware/mt718628.aspx) -[VPN CSP](https://msdn.microsoft.com/library/windows/hardware/dn904978.aspx) -[VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) -[WiFi CSP](https://msdn.microsoft.com/library/windows/hardware/dn904981.aspx) - - - -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - -  - -  - - - - - From 6d897e787e8f0999707269b919c62246cd54e6fc Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 16 Feb 2017 11:37:29 -0800 Subject: [PATCH 29/65] Redirect files --- .../set-up-a-device-for-anyone-to-use.md | 89 --- ...osk-for-windows-10-for-desktop-editions.md | 444 --------------- ...kiosk-for-windows-10-for-mobile-edition.md | 199 ------- .../settings-that-can-be-locked-down.md | 517 ------------------ windows/manage/start-layout-xml-desktop.md | 492 ----------------- windows/manage/start-layout-xml-mobile.md | 392 ------------- ...-employees-from-using-the-windows-store.md | 124 ----- ...ws-10-start-layout-options-and-policies.md | 178 ------ windows/manage/windows-spotlight.md | 85 --- 9 files changed, 2520 deletions(-) delete mode 100644 windows/manage/set-up-a-device-for-anyone-to-use.md delete mode 100644 windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md delete mode 100644 windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md delete mode 100644 windows/manage/settings-that-can-be-locked-down.md delete mode 100644 windows/manage/start-layout-xml-desktop.md delete mode 100644 windows/manage/start-layout-xml-mobile.md delete mode 100644 windows/manage/stop-employees-from-using-the-windows-store.md delete mode 100644 windows/manage/windows-10-start-layout-options-and-policies.md delete mode 100644 windows/manage/windows-spotlight.md diff --git a/windows/manage/set-up-a-device-for-anyone-to-use.md b/windows/manage/set-up-a-device-for-anyone-to-use.md deleted file mode 100644 index f274498ed1..0000000000 --- a/windows/manage/set-up-a-device-for-anyone-to-use.md +++ /dev/null @@ -1,89 +0,0 @@ ---- -title: Set up a device for anyone to use (kiosk mode) (Windows 10) -description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app. -ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8 -keywords: ["kiosk", "lockdown", "assigned access"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Set up a device for anyone to use (kiosk mode) - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -**Looking for Windows Embedded 8.1 Industry information?** - -- [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653) - -You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select. - -Do you need a computer that can only do one thing? For example: - -- A device in the lobby that customers can use to view your product catalog. - -- A portable device that drivers can use to check a route on a map. - -- A device that a temporary worker uses to enter data. - -The following table identifies the type of application that can be used on each Windows 10 edition to create a kiosk device. - -> [!NOTE]   -> A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. - -  - -| Windows 10 edition | Universal Windows app | Classic Windows application | -|--------------------|------------------------------------|--------------------------------------| -| Mobile | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | -| Mobile Enterprise | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | -| Pro | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | -| Enterprise | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | -| Education | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | - -  - -## In this section - - - ---- - - - - - - - - - - - - - - - - -
    TopicDescription

    [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)

    A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the assigned access feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use Shell Launcher to set a custom user interface as the shell.

    [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)

    A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience.

    - - ## Learn more - -[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508) - -  - -  - - - - - diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md deleted file mode 100644 index 211f47f9c2..0000000000 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ /dev/null @@ -1,444 +0,0 @@ ---- -title: Set up a kiosk on Windows 10 Pro, Enterprise, or Education (Windows 10) -description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -keywords: ["assigned access", "kiosk", "lockdown"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Set up a kiosk on Windows 10 Pro, Enterprise, or Education - - -**Applies to** - -- Windows 10 - -> **Looking for Windows Embedded 8.1 Industry information?** See [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653) - -A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). - -**Note**   -A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. - -  - -## Other settings to lock down - - -For a more secure kiosk experience, we recommend that you make the following configuration changes to the device: - -- Put device in **Tablet mode**. - - If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** - -- Hide **Ease of access** feature on the logon screen. - - Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. - -- Disable the hardware power button. - - Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. - -- Remove the power button from the sign-in screen. - - Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** - -- Disable the camera. - - Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. - -- Turn off app notifications on the lock screen. - - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. - -- Disable removable media. - - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation. - - **Note**   - To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. - -   - -## Assigned access method for Universal Windows apps - - -Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access: - -| Method | Account type | Windows 10 edition | -| --- | --- | --- | -| [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education | -| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Enterprise, Education | -| [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) | All (domain, local standard, local administrator, etc) | Enterprise, Education | -| [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education | - - - -### Requirements - -- A domain or local user account. - -- A Universal Windows app that is installed or provisioned for that account and is an above lock screen app. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](https://go.microsoft.com/fwlink/p/?LinkId=708386). - - The app can be your own company app that you have made available in your own app Store. To set up assigned access using MDM or PowerShell, you also need the Application User Model ID (AUMID) for the app. [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). - - The Universal Windows app must be able to handle multiple views and cannot launch other apps or dialogs. - -**Note**   -Assigned access does not work on a device that is connected to more than one monitor. - -  - -### Set up assigned access in PC settings - -1. Go to **Start** > **Settings** > **Accounts** > **Other users**. - -2. Choose **Set up assigned access**. - -3. Choose an account. - -4. Choose an app. Only apps that can run above the lock screen will be displayed. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). - -5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. - -To remove assigned access, in step 3, choose **Don't use assigned access**. - -### Set up assigned access in MDM - -Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you enter the user account name and AUMID for the app to run in kiosk mode. - -[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). - -[See the technical reference for the Assigned Access configuration service provider.](https://go.microsoft.com/fwlink/p/?LinkId=626608) - -### Set up assigned access using Windows Imaging and Configuration Designer (ICD) - -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - -> **Important** -When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -**Create a provisioning package for a kiosk device** - -1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). - -2. Choose **Advanced provisioning**. - -3. Name your project, and click **Next**. - -4. Choose **All Windows desktop editions** and click **Next**. - -5. On **New project**, click **Finish**. The workspace for your package opens. - -6. Expand **Runtime settings** > **AssignedAccess**, and click **AssignedAccessSettings**. - -7. Enter a string to specify the user account and app (by AUMID). For example: - - "Account":"contoso\\\\kiosk","AUMID":"8f82d991-f842-44c3-9a95-521b58fc2084" - -8. On the **File** menu, select **Save.** - -9. On the **Export** menu, select **Provisioning package**. - -10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. - -12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. - - Optionally, you can click **Browse** to change the default output location. - -13. Click **Next**. - -14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -**Apply the provisioning package** - -1. Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges. - -2. Consent to allow the package to be installed. - - After you allow the package to be installed, the settings will be applied to the device - -[Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012) - -### Set up assigned access using Windows PowerShell - -You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. - -To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. - -``` -Set-AssignedAccess -AppUserModelId -UserName -``` - -``` -Set-AssignedAccess -AppUserModelId -UserSID -``` - -``` -Set-AssignedAccess -AppName -UserName -``` - -``` -Set-AssignedAccess -AppName -UserSID -``` - -> **Note:** To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. -[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). - -[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). - -[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517). - -To remove assigned access, using PowerShell, run the following cmdlet. - -``` -Clear-AssignedAccess -``` - - -### Set up automatic logon - -When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon. - -Edit the registry to have an account automatically logged on. - -1. Open Registry Editor (regedit.exe). - - **Note**   - If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). -   - -2. Go to - - **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon** - -3. Set the values for the following keys. - - - *AutoAdminLogon*: set value as **1**. - - - *DefaultUserName*: set value as the account that you want logged in. - - - *DefaultPassword*: set value as the password for the account. - - > **Note**  If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - - - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. - -4. Close Registry Editor. The next time the computer restarts, the account will be logged on automatically. - -### Sign out of assigned access - -To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. - -If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: - -**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI** - -To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. - -## Shell Launcher for Classic Windows applications - - -Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. - -### Requirements - -- A domain or local user account. - -- A Classic Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer. - -[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603) - -### Configure Shell Launcher - -To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell. - -**To turn on Shell Launcher in Windows features** - -1. Go to Control Panel > **Programs and Features** > **Turn Windows features on or off**. -2. Select **Embedded Shell Launcher** and **OK**. - -Alternatively, you can turn on Shell Launcher using the Deployment Image Servicing and Management (DISM.exe) tool. - -**To turn on Shell Launcher using DISM** - -1. Open a command prompt as an administrator. -2. Enter the following command. - - ``` - Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher - ``` - -**To set your custom shell** - -Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. - -``` -# Check if shell launcher license is enabled -function Check-ShellLauncherLicenseEnabled -{ - [string]$source = @" -using System; -using System.Runtime.InteropServices; - -static class CheckShellLauncherLicense -{ - const int S_OK = 0; - - public static bool IsShellLauncherLicenseEnabled() - { - int enabled = 0; - - if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) { - enabled = 0; - } - - return (enabled != 0); - } - - static class NativeMethods - { - [DllImport("Slc.dll")] - internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value); - } - -} -"@ - - $type = Add-Type -TypeDefinition $source -PassThru - - return $type[0]::IsShellLauncherLicenseEnabled() -} - -[bool]$result = $false - -$result = Check-ShellLauncherLicenseEnabled -"`nShell Launcher license enabled is set to " + $result -if (-not($result)) -{ - "`nThis device doesn't have required license to use Shell Launcher" - exit -} - -$COMPUTER = "localhost" -$NAMESPACE = "root\standardcimv2\embedded" - -# Create a handle to the class instance so we can call the static methods. -try { - $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" - } catch [Exception] { - write-host $_.Exception.Message; - write-host "Make sure Shell Launcher feature is enabled" - exit - } - - -# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. - -$Admins_SID = "S-1-5-32-544" - -# Create a function to retrieve the SID for a user account on a machine. - -function Get-UsernameSID($AccountName) { - - $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) - $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) - - return $NTUserSID.Value - -} - -# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. - -$Cashier_SID = Get-UsernameSID("Cashier") - -# Define actions to take when the shell program exits. - -$restart_shell = 0 -$restart_device = 1 -$shutdown_device = 2 - -# Examples. You can change these examples to use the program that you want to use as the shell. - -# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. - -$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) - -# Display the default shell to verify that it was added correctly. - -$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() - -"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction - -# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. - -$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) - -# Set Explorer as the shell for administrators. - -$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") - -# View all the custom shells defined. - -"`nCurrent settings for custom shells:" -Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction - -# Enable Shell Launcher - -$ShellLauncherClass.SetEnabled($TRUE) - -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() - -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled - -# Remove the new custom shells. - -$ShellLauncherClass.RemoveCustomShell($Admins_SID) - -$ShellLauncherClass.RemoveCustomShell($Cashier_SID) - -# Disable Shell Launcher - -$ShellLauncherClass.SetEnabled($FALSE) - -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() - -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled -``` - -## Related topics - - -[Set up a device for anyone to use](set-up-a-device-for-anyone-to-use.md) - -[Set up a kiosk for Windows 10 for mobile edition](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) - -[Manage and update Windows 10](index.md) - -  - -  - - - - - diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md deleted file mode 100644 index 1a11ff9c20..0000000000 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ /dev/null @@ -1,199 +0,0 @@ ---- -title: Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise (Windows 10) -description: A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. -ms.assetid: 35EC82D8-D9E8-45C3-84E9-B0C8C167BFF7 -keywords: kiosk, lockdown, assigned access -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile -author: jdeckerMS -localizationpriority: high ---- - -# Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise - - -**Applies to** - -- Windows 10 Mobile - -A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience. - -**Note**   -The specified app must be an above lock screen app. For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](https://go.microsoft.com/fwlink/p/?LinkId=708386). - -  - -## Apps Corner - - -Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or Windows 10 Mobile Enterprise device, where you can share only the apps you choose with the people you let use your device. You configure a device for kiosk mode by selecting a single app to use in Apps Corner. - -**To set up Apps Corner** - -1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**. - -2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![](images/doneicon.png) - -3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back](images/backicon.png) to the Apps Corner settings. - -4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode. - -5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them. - -6. Press **Back** ![back](images/backicon.png) when you're done. - -**To use Apps Corner** - -1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](images/launchicon.png). - - **Tip**   - Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen. - -   - -2. Give the device to someone else, so they can use the device and only the one app you chose. - -3. When they're done and you get the device back, press and hold Power ![power](images/powericon.png), and then swipe right to exit Apps Corner. - -## Enterprise Assigned Access - - -Enterprise Assigned Access allows you to lock down your Windows 10 Mobile or Windows 10 Mobile Enterprise device in kiosk mode by creating a user role that has only a single app, set to run automatically, in the Allow list. - -**Note**  The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app. - -  - -### Set up Enterprise Assigned Access in MDM - -In AssignedAccessXml, for Application, you enter the product ID for the app to run in kiosk mode. Find product IDs at [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md). - -[See the technical reference for the Enterprise Assigned Access configuration service provider (CSP).](https://go.microsoft.com/fwlink/p/?LinkID=618601) - -### Set up assigned access using Windows Imaging and Configuration Designer (ICD) - -> **Important** -When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -**To create and apply a provisioning package for a kiosk device** - -1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601). - - **Note**   - Do not escape the xml in *AssignedAccess*.xml file as Windows Imaging and Configuration Designer (ICD) will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail. - -   - -2. Open Windows ICD (by default, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`). -3. Choose **Advanced provisioning**. - - - -4. Name your project, and click **Next**. - -5. Choose **All Windows mobile editions** and click **Next**. - -6. On **New project**, click **Finish**. The workspace for your package opens. - -7. Expand **Runtime settings** > **EmbeddedLockdownProfiles**, and click **AssignedAccessXml**. - -8. Click **Browse** to select the *AssignedAccess*.xml file. - -9. On the **File** menu, select **Save.** - -10. On the **Export** menu, select **Provisioning package**. - -11. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -12. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. - -13. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. - - Optionally, you can click **Browse** to change the default output location. - -14. Click **Next**. - -15. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -16. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -17. Select the **output location** link to go to the location of the package. You can distribute that .ppkg to mobile devices using any of the following methods: - - - Removable media (USB/SD) - - **To apply a provisioning package from removable media** - - 1. Copy the provisioning package file to the root directory on a micro SD card. - - 2. On the device, insert the micro SD card containing the provisioning package. - - 3. Go to **Settings** > **Accounts** > **Provisioning.** - - 4. Tap **Add a package**. - - 5. On the **Choose a method** screen, in the **Add from** dropdown menu, select **Removable Media**. - - 6. Select a package will list all available provisioning packages on the micro SD card. Tap the desired package, and then tap **Add**. - - 7. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - - 8. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - - - Email - - **To apply a provisioning package sent in email** - - 1. Send the provisioning package in email to an account on the device. - - 2. Open the email on the device, and then double-tap the attached file. - - 3. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - - 4. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - - - USB tether (mobile only) - - **To apply a provisioning package using USB tether** - - 1. Connect the device to your PC by USB. - - 2. Select the provisioning package that you want to use to provision the device, and then drag and drop the file to your device. - - 3. The provisioning package installation dialog will appear on the phone. - - 4. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - - 5. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - - [Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012) - -## Related topics - - -[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) - -[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) - -[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) - -  - -  - - - - - diff --git a/windows/manage/settings-that-can-be-locked-down.md b/windows/manage/settings-that-can-be-locked-down.md deleted file mode 100644 index c0348677ba..0000000000 --- a/windows/manage/settings-that-can-be-locked-down.md +++ /dev/null @@ -1,517 +0,0 @@ ---- -title: Settings and quick actions that can be locked down in Windows 10 Mobile (Windows 10) -description: This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. -ms.assetid: 69E2F202-D32B-4FAC-A83D-C3051DF02185 -keywords: ["lockdown"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile -author: jdeckerMS -localizationpriority: high ---- - -# Settings and quick actions that can be locked down in Windows 10 Mobile - - -**Applies to** - -- Windows 10 Mobile - -This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. - -## Settings lockdown - - -You can use Lockdown.xml to configure lockdown settings. - -The following table lists the settings pages and page groups. Use the page name in the Settings section of Lockdown.xml. The Settings section contains an allow list of pages in the Settings app. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Main menuSub-menuPage name
    SystemSettingsPageGroupPCSystem
    DisplaySettingsPageDisplay
    Notifications & actionsSettingsPageAppsNotifications
    PhoneSettingsPageCalls
    MessagingSettingsPageMessaging
    BatterySettingsPageBatterySaver
    Apps for websitesSettingsPageAppsForWebsites
    StorageSettingsPageStorageSenseStorageOverview
    Driving modeSettingsPageDrivingMode
    Offline mapsSettingsPageMaps
    AboutSettingsPagePCSystemInfo
    DevicesSettingsPageGroupDevices
    Default cameraSettingsPagePhotos
    BluetoothSettingsPagePCSystemBluetooth
    NFCSettingsPagePhoneNFC
    MouseSettingsPageMouseTouchpad
    USBSettingsPageUsb
    Network and wirelessSettingsPageGroupNetwork
    Cellular & SIMSettingsPageNetworkCellular
    Wi-FiSettingsPageNetworkWiFi
    Airplane modeSettingsPageNetworkAirplaneMode
    Data usageSettingsPageDataSenseOverview
    Mobile hotspotSettingsPageNetworkMobileHotspot
    VPNSettingsPageNetworkVPN
    PersonalizationSettingsPageGroupPersonalization
    StartSettingsPageBackGround
    ColorsSettingsPageColors
    SoundsSettingsPageSounds
    Lock screenSettingsPageLockscreen
    Glance screenSettingsPageGlance
    Navigation barSettingsNagivationBar
    AccountsSettingsPageGroupAccounts
    Your infoSettingsPageAccountsPicture
    Sign-in optionsSettingsPageAccountsSignInOptions
    Email & app accountsSettingsPageAccountsEmailApp
    Access work or schoolSettingsPageWorkAccess
    Sync your settingsSettingsPageAccountsSync

    Apps corner

    -

    (disabled in Assigned Access)

    SettingsPageAppsCorner
    Time & languageSettingsPageGroupTimeRegion
    Date & timeSettingsPageTimeRegionDateTime
    LanguageSettingsPageTimeLanguage
    RegionSettingsPageTimeRegion
    KeyboardSettingsPageKeyboard
    SpeechSettingsPageSpeech
    Ease of accessSettingsPageGroupEaseOfAccess
    NarratorSettingsPageEaseOfAccessNarrator
    MagnifierSettingsPageEaseOfAccessMagnifier
    High contrastSettingsPageEaseOfAccessHighContrast
    Closed captionsSettingsPageEaseOfAccessClosedCaptioning
    More optionsSettingsPageEaseOfAccessMoreOptions
    PrivacySettingsPageGroupPrivacy
    LocationSettingsPagePrivacyLocation
    CameraSettingsPagePrivacyWebcam
    MicrophoneSettingsPagePrivacyMicrophone
    MotionSettingsPagePrivacyMotionData
    NotificationsSettingsPagePrivacyNotifications
    Speech. inking, & typingSettingsPagePrivacyPersonalization
    Account infoSettingsPagePrivacyAccountInfo
    ContactsSettingsPagePrivacyContacts
    CalendarSettingsPagePrivacyCalendar
    Phone callsSettingsPagePrivacyPhoneCall
    Call historySettingsPagePrivacyCallHistory
    EmailSettingsPagePrivacyEmail
    MessagingSettingsPagePrivacyMessaging
    RadiosSettingsPagePrivacyRadios
    Continue App ExperiencesSettingsPagePrivacyCDP
    Background appsSettingsPagePrivacyBackgroundApps
    Accessory appsSettingsPageAccessories
    Advertising IDSettingsPagePrivacyAdvertisingId
    Other devicesSettingsPagePrivacyCustomPeripherals
    Feedback and diagnosticsSettingsPagePrivacySIUFSettings
    Update and securitySettingsPageGroupRestore
    Phone updateSettingsPageRestoreMusUpdate
    Windows Insider ProgramSettingsPageFlights
    Device encryptionSettingsPageGroupPCSystemDeviceEncryption
    BackupSettingsPageRestoreOneBackup
    Find my phoneSettingsPageFindMyDevice
    For developersSettingsPageSystemDeveloperOptions
    OEMSettingsPageGroupExtensibility
    ExtensibilitySettingsPageExtensibility
    - -  - -## Quick actions lockdown - - -Quick action buttons are locked down in exactly the same way as Settings pages/groups. By default they are always conditional. - -You can specify the quick actions as follows: - -``` syntax - - - - - - - - - - - - - - - - - - -``` - -Some quick actions are dependent on related settings pages/page groups. When a dependent page/group is not available, then the corresponding quick action will also be hidden. - -**Note**   -Dependent settings group/pages will be automatically enabled when a quick action is specified in the lockdown xml file. For example, if the Rotation quick setting is specified, the following group and page will automatically be added to the allow list: “SettingsPageSystemDisplay” and “SettingsPageDisplay”. - -  - -The following table lists the dependencies between quick actions and Settings groups/pages. - -| Quick action | Settings group | Settings page | -|-----|-------|-------| -| SystemSettings\_System\_Display\_QuickAction\_Brightness | SettingsPageSystemDisplay| SettingsPageDisplay | -| SystemSettings\_System\_Display\_Internal\_Rotation | SettingsPageSystemDisplay | SettingsPageDisplay | -| SystemSettings\_QuickAction\_WiFi | SettingsPageNetworkWiFi | SettingsPageNetworkWiFi | -| SystemSettings\_QuickAction\_InternetSharing | SettingsPageNetworkInternetSharing | SettingsPageNetworkInternetSharing | -| SystemSettings\_QuickAction\_CellularData | SettingsGroupCellular | SettingsPageNetworkCellular | -| SystemSettings\_QuickAction\_AirplaneMode | SettingsPageNetworkAirplaneMode | SettingsPageNetworkAirplaneMode | -| SystemSettings\_Privacy\_LocationEnabledUserPhone | SettingsGroupPrivacyLocationGlobals | SettingsPagePrivacyLocation | -| SystemSettings\_Network\_VPN\_QuickAction | SettingsPageNetworkVPN | SettingsPageNetworkVPN | -| SystemSettings\_Launcher\_QuickNote | N/A | N/A | -| SystemSettings\_Flashlight\_Toggle | N/A | N/A | -| SystemSettings\_Device\_BluetoothQuickAction | SettingsPagePCSystemBluetooth | SettingsPagePCSystemBluetooth | -| SystemSettings\_BatterySaver\_LandingPage\_OverrideControl | BatterySaver\_LandingPage\_SettingsConfiguration | SettingsPageBatterySaver | -| QuickActions\_Launcher\_DeviceDiscovery | N/A | N/A | -| QuickActions\_Launcher\_AllSettings | N/A | N/A | -| SystemSettings\_QuickAction\_QuietHours | N/A | N/A | -| SystemSettings\_QuickAction\_Camera | N/A | N/A | - -  - -## Related topics - - -[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) - -[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) - -  - -  - - - - - diff --git a/windows/manage/start-layout-xml-desktop.md b/windows/manage/start-layout-xml-desktop.md deleted file mode 100644 index 1a48aaad33..0000000000 --- a/windows/manage/start-layout-xml-desktop.md +++ /dev/null @@ -1,492 +0,0 @@ ---- -title: Start layout XML for desktop editions of Windows 10 (Windows 10) -description: This topic describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions. -keywords: ["start screen"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Start layout XML for desktop editions of Windows 10 (reference) - - -**Applies to** - -- Windows 10 - ->**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) - -On Windows 10 for desktop editions, the customized Start works by: - -- Windows 10 checks the chosen base default layout, such as the desktop edition and whether Cortana is supported for the country/region. - -- Windows 10 reads the LayoutModification.xml file and allows groups to be appended to Start. The groups have the following constraints: - - 2 groups that are 6 columns wide, or equivalent to the width of 3 medium tiles. - - 2 medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row. - - No limit to the number of apps that can be pinned. There is a theoretical limit of 24 tiles per group (4 small tiles per medium square x 3 columns x 2 rows). - -## LayoutModification XML - -IT admins can provision the Start layout using a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. The easiest method for creating a LayoutModification.xml file is by using the Export-StartLayout cmdlet; see [Customize and export Start layout](customize-and-export-start-layout.md) for instructions. - ->[!NOTE] ->To make sure the Start layout XML parser processes your file correctly, follow these guidelines when working with your LayoutModification.xml file: ->- Do not leave spaces or white lines in between each element. ->- Do not add comments inside the StartLayout node or any of its children elements. ->- Do not add multiple rows of comments. - -The following table lists the supported elements and attributes for the LayoutModification.xml file. - -| Element | Attributes | Description | -| --- | --- | --- | -| LayoutModificationTemplate | xmlns
    xmlns:defaultlayout
    xmlns:start
    Version | Use to describe the changes to the default Start layout | -| [LayoutOptions](#layoutoptions)

    Parent:
    LayoutModificationTemplate | StartTileGroupsColumnCount
    FullScreenStart | Use to specify:
    - Whether to use full screen Start on the desktop
    - The number of tile columns in the Start menu | -| RequiredStartGroupsCollection

    Parent:
    LayoutModificationTemplate | n/a | Use to contain collection of RequiredStartGroups | -| [RequiredStartGroups](#requiredstartgroups)

    Parent:
    RequiredStartGroupsCollection | Region | Use to contain the AppendGroup tags, which represent groups that can be appended to the default Start layout | -| [AppendGroup](#appendgroup)

    Parent:
    RequiredStartGroups | Name | Use to specify the tiles that need to be appended to the default Start layout | -| [start:Tile](#specify-start-tiles)

    Parent:
    AppendGroup | AppUserModelID
    Size
    Row
    Column | Use to specify any of the following:
    - A Universal Windows app
    - A Windows 8 or Windows 8.1 app | -| start:DesktopApplicationTile

    Parent:
    AppendGroup | DesktopApplicationID
    DesktopApplicationLinkPath
    Size
    Row
    Column | Use to specify any of the following:
    - A Windows desktop application with a known AppUserModelID
    - An application in a known folder with a link in a legacy Start Menu folder
    - A Windows desktop application link in a legacy Start Menu folder
    - A Web link tile with an associated .url file that is in a legacy Start Menu folder | -| start:SecondaryTile

    Parent:
    AppendGroup | AppUserModelID
    TileID
    Arguments
    DisplayName
    Square150x150LogoUri
    ShowNameOnSquare150x150Logo
    ShowNameOnWide310x150Logo
    Wide310x150LogoUri
    BackgroundColor
    ForegroundText
    IsSuggestedApp
    Size
    Row
    Column | Use to pin a Web link through a Microsoft Edge secondary tile | -| TopMFUApps

    Parent:
    LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area | -| Tile

    Parent:
    TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID | -| DesktopApplicationTile

    Parent:
    TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID | -| AppendOfficeSuite

    Parent:
    LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start

    Do not use this tag with AppendDownloadOfficeTile | -| AppendDownloadOfficeTile

    Parent:
    LayoutModificationTemplate | n/a | Use to add a specific **Download Office** tile to a specific location in Start

    Do not use this tag with AppendOfficeSuite | - -### LayoutOptions - -New devices running Windows 10 for desktop editions will default to a Start menu with 2 columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features: - -- Boot to tablet mode can be set on or off. -- Set full screen Start on desktop to on or off. - To do this, add the LayoutOptions element in your LayoutModification.xml file and set the FullScreenStart attribute to true or false. -- Specify the number of columns in the Start menu to 1 or 2. - To do this, add the LayoutOptions element in your LayoutModification.xml file and set the StartTileGroupsColumnCount attribute to 1 or 2. - -The following example shows how to use the LayoutOptions element to specify full screen Start on the desktop and to use 1 column in the Start menu: - -```XML - - - -``` - -For devices being upgraded to Windows 10 for desktop editions: - -- Devices being upgraded from Windows 7 will default to a Start menu with 1 column. -- Devices being upgraded from Windows 8.1 or Windows 8.1 Upgrade will default to a Start menu with 2 columns. - -### RequiredStartGroups - -The **RequiredStartGroups** tag contains **AppendGroup** tags that represent groups that you can append to the default Start layout. - ->[!IMPORTANT] ->For Windows 10 for desktop editions, you can add a maximum of two (2) **AppendGroup** tags per **RequiredStartGroups** tag. - -You can also assign regions to the append groups in the **RequiredStartGroups** tag's using the optional **Region** attribute or you can use the multivariant capabilities in Windows provisioning. If you are using the **Region** attribute, you must use a two-letter country code to specify the country/region that the append group(s) apply to. To specify more than one country/region, use a pipe ("|") delimiter as shown in the following example: - -```XML - -``` - -If the country/region setting for the Windows device matches a **RequiredStartGroups**, then the tiles laid out within the **RequiredStartGroups** is applied to Start. - -If you specify a region-agnostic **RequiredStartGroups** (or one without the optional Region attribute) then the region-agnostic **RequiredStartGroups** is applied to Start. - -### AppendGroup - -**AppendGroup** tags specify a group of tiles that will be appended to Start. There is a maximum of two **AppendGroup** tags allowed per **RequiredStartGroups** tag. - -For Windows 10 for desktop editions, AppendGroup tags contain start:Tile, start:DesktopApplicationTile, or start:SecondaryTile tags. - -You can specify any number of tiles in an **AppendGroup**, but you cannot specify a tile with a **Row** attribute greater than 4. The Start layout does not support overlapping tiles. - -### Specify Start tiles - -To pin tiles to Start, partners must use the right kind of tile depending on what you want to pin. - -#### Tile size and coordinates - -All tile types require a size (**Size**) and coordinates (**Row** and **Column**) attributes regardless of the tile type that you use when prepinning items to Start. - -The following table describes the attributes that you must use to specify the size and location for the tile. - -| Attribute | Description | -| --- | --- | -| Size | Determines how large the tile will be.

    - 1x1 - small tile
    - 2x2 - medium tile
    - 4x2 - wide tile
    - 4x4 - large tile | -| Row | Specifies the row where the tile will appear. | -| Column | Specifies the column where the tile will appear. | - -For example, a tile with Size="2x2", Row="2", and Column="2" results in a tile located at (2,2) where (0,0) is the top-left corner of a group. - -#### start:Tile - -You can use the **start:Tile** tag to pin any of the following apps to Start: - -- A Universal Windows app -- A Windows 8 app or Windows 8.1 app - -To specify any one of these apps, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app. - -The following example shows how to pin the Microsoft Edge Universal Windows app: - - ```XML - - ``` - -#### start:DesktopApplicationTile - -You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop application to Start. There are two ways you can specify a Windows desktop application: - -- By using a path to a shortcut link (.lnk file) to a Windows desktop application. - - To pin a Windows desktop application through this method, you must first add the .lnk file in the specified location when the device first boots. - - The following example shows how to pin the Command Prompt: - - ```XML - - ``` - - You must set the **DesktopApplicationLinkPath** attribute to the .lnk file that points to the Windows desktop application. The path also supports environment variables. - - If you are pointing to a third-party Windows desktop application, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\". - -- By using the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option. - - To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app. - - The following example shows how to pin the Internet Explorer Windows desktop application: - - ```XML - - ``` - - -You can also use the **start:DesktopApplicationTile** tag as one of the methods for pinning a Web link to Start. The other method is to use a Microsoft Edge secondary tile. - -To pin a legacy .url shortcut to Start, you must create .url file (right-click on the desktop, select **New** > **Shortcut**, and then type a Web URL). You must add this .url file in a legacy Start Menu directory before first boot; for example, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\` or the all users profile `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\`. - -The following example shows how to create a tile of the Web site's URL, which you can treat similarly to a Windows desktop application tile: - -```XML - -``` - -#### start:SecondaryTile - -You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy .url shortcuts (through the start:DesktopApplicationTile tag). - -The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile: - -```XML - -``` - -The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to *8Size**, **Row**, and *8Column**. - -| Attribute | Required/optional | Description | -| --- | --- | --- | -| AppUserModelID | Required | Must point to Microsoft Edge. | -| TileID | Required | Must uniquely identify your Web site tile. | -| Arguments | Required | Must contain the URL of your Web site. | -| DisplayName | Required | Must specify the text that you want users to see. | -| Square150x150LogoUri | Required | Specifies the logo to use on the 2x2 tile. | -| Wide310x150LogoUri | Optional | Specifies the logo to use on the 4x2 tile. | -| ShowNameOnSquare150x150Logo | Optional | Specifies whether the display name is shown on the 2x2 tile. The values you can use for this attribute are true or false. | -| ShowNameOnWide310x150Logo | Optional | Specifies whether the display name is shown on the 4x2 tile. The values you can use for this attribute are true or false. | -| BackgroundColor | Optional | Specifies the color of the tile. You can specify the value in ARGB hexadecimal (for example, #FF112233) or specify "transparent". | -| ForegroundText | Optional | Specifies the color of the foreground text. Set the value to either "light" or "dark". | - -Secondary Microsoft Edge tiles have the same size and location behavior as a Universal Windows app, Windows 8 app, or Windows 8.1 app. - -#### TopMFUApps - -You can use the **TopMFUApps** tag to add up to 3 default apps to the frequently used apps section in the system area, which delivers system-driven lists to the user including important or frequently accessed system locations and recently installed apps. - -You can use this tag to add: - -- Apps with an **AppUserModelID** attribute - This includes Windows desktop applications that have a known application user model ID. Use a **Tile** tag with the **AppUserModelID** attribute set to the app's application user model ID. -- Apps without a **AppUserModelID** attribute - For these apps, you must create a .lnk file that points to the installed app and place the .lnk file in the `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` directory. Use a **DesktopApplicationTile** tag with the **LinkFilePath** attribute set to the .lnk file name and path. - -The following example shows how to modify your LayoutModification.xml file to add both kinds of apps to the system area in Start: - - ```XML - - - - - - - -``` - -#### AppendOfficeSuite - -You can use the **AppendOfficeSuite** tag to add the in-box installed Office suite of apps to Start. - -The following example shows how to add the **AppendOfficeSuite** tag to your LayoutModification.xml file to append the full Universal Office suite to Start: - -```XML - - - -``` - -#### AppendDownloadOfficeTile - -You can use the **AppendDownloadOfficeTile** tag to append the Office trial installer to Start. This tag adds the Download Office tile to Start and the download tile will appear at the bottom right-hand side of the second group. - -The following example shows how to add the **AppendDownloadOfficeTile** tag to your LayoutModification.xml file: - -```XML - - - -``` - -## Sample LayoutModification.xml - -The following sample LayoutModification.xml shows how you can configure the Start layout for devices running Windows 10 for desktop editions: - -```XML - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Use Windows Provisioning multivariant support - -The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see [Create a provisioning package with multivariant settings](https://msdn.microsoft.com/library/windows/hardware/dn916108.aspx). - -The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provsioning engine will always output "LayoutCustomization.xml" so that the operating system has a consistent file name to query against. - -For example, if you want to ensure that there's a specific layout for a certain condition, you can: -1. Create a specific layout customization file and then name it LayoutCustomization1.xml. -2. Include the file as part of your provisioning package. -3. Create your multivariant target and reference the XML file within the target condition in the main customization XML file. - -The following example shows what the overall customization file might look like with multivariant support for Start: - -```XML - - - - {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} - My Provisioning Package - 1.0 - OEM - 50 - - - - - - - - - - - - - - - - - 1 - 1 - 1 - - - 1 - - - - - - - - - c:\users\\appdata\local\Microsoft\Windows\Shell\LayoutCustomization1.XML - - 1 - - - - - - -``` - -When the condition is met, the provisioning engine takes the XML file and places it in the location that the operating system has set and then the Start subsystem reads the file and applies the specific customized layout. - -You must repeat this process for all variants that you want to support so that each variant can have a distinct layout for each of the conditions and targets that need to be supported. For example, if you add a **Language** condition, you can create a Start layout that has its own localized group. - -## Add the LayoutModification.xml file to the device - -Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 for desktop editions, you can use Windows ICD methods to add the XML file to the device. - -1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** and then click the **StartLayout** setting. -2. In the middle pane, click **Browse** to open File Explorer. -3. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file. -4. Select the file and then click **Open**. - -This should set the value of **StartLayout**. The setting appears in the **Selected customizations** pane. - ->[!NOTE] ->There is currently no way to add the .url and .lnk files through Windows ICD. - -Once you have created the LayoutModification.xml file and it is present in the device, the system overrides the base default layout and any Unattend settings used to customize Start. - - - - - - - - - - - - -## Related topics - - -[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) - -  - -  - - - - - diff --git a/windows/manage/start-layout-xml-mobile.md b/windows/manage/start-layout-xml-mobile.md deleted file mode 100644 index 9d10466302..0000000000 --- a/windows/manage/start-layout-xml-mobile.md +++ /dev/null @@ -1,392 +0,0 @@ ---- -title: Start layout XML for mobile editions of Windows 10 (Windows 10) -description: This topic describes the options for customizing Start layout in LayoutModification.xml for Windows 10 mobile editions. -keywords: ["start screen"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Start layout XML for mobile editions of Windows 10 (reference) - - -**Applies to** - -- Windows 10 - ->**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) - - -On Windows 10 Mobile, you can use the XML-based layout to modify the Start screen and provide the most robust and complete Start customization experience. - -On Windows 10 Mobile, the customized Start works by: - -- Windows 10 performs checks to determine the correct base default layout. The checks include the mobile edition, whether the device is dual SIM, the column width, and whether Cortana is supported for the country/region. -- Windows 10 ensures that it does not overwrite the layout that you have set and will sequence the level checks and read the file layout such that any multivariant settings that you have set is not overwritten. -- Windows 10 reads the LayoutModification.xml file and appends the group to the Start screen. - -## Default Start layouts - -The following diagrams show the default Windows 10, version 1607 Start layouts for single SIM and dual SIM devices with Cortana support, and single SIM and dual SIM devices with no Cortana support. - -![Start layout for Windows 10 Mobile](images\mobile-start-layout.png) - -The diagrams show: - -- Tile coordinates - These are determined by the row number and the column number. -- Fold - Tiles "above the fold" are visible when users first navigate to the Start screen. Tiles "below the fold" are visible after users scroll up. -- Partner-customizable tiles - OEM and mobile operator partners can customize these areas of the Start screen by prepinning content. The partner configurable slots are: - - Rows 6-9 - - Rows 16-19 - -## LayoutModification XML - -IT admins can provision the Start layout by creating a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. - ->[!NOTE] ->To make sure the Start layout XML parser processes your file correctly, follow these guidelines when writing your LayoutModification.xml file: ->- Do not leave spaces or white lines in between each element. ->- Do not add comments inside the StartLayout node or any of its children elements. ->- Do not add multiple rows of comments. - -The following table lists the supported elements and attributes for the LayoutModification.xml file. - -| Element | Attributes | Description | -| --- | --- | --- | -| LayoutModificationTemplate | xmlns
    xmlns:defaultlayout
    xmlns:start
    Version | Use to describe the changes to the default Start layout. | -| DefaultLayoutOverride

    Parent:
    LayoutModificationTemplate | n/a | Use to specify the customized Start layout for mobile devices. | -| StartLayoutCollection

    Parent:
    DefaultLayoutOverride | n/a | Use to contain a collection of Start layouts. | -| StartLayout

    Parent:
    StartLayoutCollection | n/a | Use to specify the tile groups that will be appended to the Start screen. | -| start:Group

    Parent:
    StartLayout | Name | Use to specify the tiles that need to be appended to the default Start layout. | -| start:Tile

    Parent:
    start:Group | AppUserModelID
    Size
    Row
    Column | Use to specify any Universal Windows app that has a valid **AppUserModelID** attribute. | -| start:SecondaryTile

    Parent:
    start:Group | AppUserModelID
    TileID
    Arguments
    DisplayName
    Square150x150LogoUri
    ShowNameOnSquare150x150Logo
    ShowNameOnWide310x150Logo
    Wide310x150LogoUri
    BackgroundColor
    ForegroundText
    IsSuggestedApp
    Size
    Row
    Column | Use to pin a Web link through a Microsoft Edge secondary tile. | -| start:PhoneLegacyTile

    Parent:
    start:Group | ProductID
    Size
    Row
    Column | Use to add a mobile app that has a valid **ProductID** attribute. | -| start:Folder

    Parent:
    start:Group | Name
    Size
    Row
    Column | Use to add a folder to the mobile device's Start screen. | -| RequiredStartTiles

    Parent:
    LayoutModificationTemplate | n/a | Use to specify the tiles that will be pinned to the bottom of the Start screen even if a restored Start screen does not have the tiles during backup or restore. | - -### start:Group - -**start:Group** tags specify a group of tiles that will be appended to Start. You can set the **Name** attribute to specify a name for the Start group. - ->[!NOTE] ->Windows 10 Mobile only supports one Start group. - - For Windows 10 Mobile, **start:Group** tags can contain the following tags or elements: - -- **start:Tile** -- **start:SecondaryTile** -- **start:PhoneLegacyTile** -- **start:Folder** - -### Specify Start tiles - -To pin tiles to Start, you must use the right kind of tile depending on what you want to pin. - -#### Tile size and coordinates - -All tile types require a size (**Size**) and coordinates (**Row** and **Column**) attributes regardless of the tile type that you use when prepinning items to Start. - -The following table describes the attributes that you must use to specify the size and location for the tile. - -| Attribute | Description | -| --- | --- | -| Size | Determines how large the tile will be.
    - 1x1 - small tile
    - 2x2 - medium tile
    - 4x2 - wide tile
    - 4x4 - large tile | -| Row | Specifies the row where the tile will appear. | -| Column | Specifies the column where the tile will appear. | - -For example, a tile with Size="2x2", Row="2", and Column="2" results in a tile located at (2,2) where (0,0) is the top-left corner of a group. - -#### start:Tile - -You can use the **start:Tile** tag to pin a Universal Windows app to Start. - -To specify an app, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app. - -The following example shows how to pin the Microsoft Edge Universal Windows app: - -```XML - -``` - -#### start:SecondaryTile - -You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. - -The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile: - -```XML - -``` - -The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to **Size**, **Row**, and **Column**. - -| Attribute | Required/optional | Description | -| --- | --- | --- | -| AppUserModelID | Required | Must point to Microsoft Edge. | -| TileID | Required | Must uniquely identify your Web site tile. | -| Arguments | Required | Must contain the URL of your Web site. | -| DisplayName | Required | Must specify the text that you want users to see. | -| Square150x150LogoUri | Required | Specifies the logo to use on the 2x2 tile. | -| Wide310x150LogoUri | Optional | Specifies the logo to use on the 4x2 tile. | -| ShowNameOnSquare150x150Logo | Optional | Specifies whether the display name is shown on the 2x2 tile. You can set the value for this attribute to true or false. By default, this is set to false. | -| ShowNameOnWide310x150Logo | Optional | Specifies whether the display name is shown on the 4x2 tile. You can set the value for this attribute to true or false. By default, this is set to false. | -| BackgroundColor | Optional | Specifies the color of the tile. You can specify the value in ARGB hexadecimal (for example, #FF112233) or specify "transparent". | -| ForegroundText | Optional | Specifies the color of the foreground text. Set the value to either "light" or "dark". | - - Secondary Microsoft Edge tiles have the same size and location behavior as a Universal Windows app. - -#### start:PhoneLegacyTile - -You can use the **start:PhoneLegacyTile** tag to add a mobile app that has a valid ProductID, which you can find in the app's manifest file. The **ProductID** attribute must be set to the GUID of the app. - -The following example shows how to add a mobile app with a valid ProductID using the start:PhoneLegacyTile tag: - -```XML - -``` - -#### start:Folder - -You can use the **start:Folder** tag to add a folder to the mobile device's Start screen. - -You must set these attributes to specify the size and location of the folder: **Size**, **Row**, and **Column**. - -Optionally, you can also specify a folder name by using the **Name** attribute. If you specify a name, set the value to a string. - -The position of the tiles inside a folder is relative to the folder. You can add any of the following tile types to the folder: - -- Tile - Use to pin a Universal Windows app to Start. -- SecondaryTile - Use to pin a Web link through a Microsoft Edge secondary tile. -- PhoneLegacyTile - Use to pin a mobile app that has a valid ProductID. - -The following example shows how to add a medium folder that contains two apps inside it: - -```XML - - - - -``` - -#### RequiredStartTiles - -You can use the **RequiredStartTiles** tag to specify the tiles that will be pinned to the bottom of the Start screen even if a restored Start screen does not have the tiles during backup or restore. - ->[!NOTE] ->Enabling this Start customization may be disruptive to the user experience. - -For Windows 10 Mobile, **RequiredStartTiles** tags can contain the following tags or elements. These are similar to the tiles supported in **start:Group**. - -- Tile - Use to pin a Universal Windows app to Start. -- SecondaryTile - Use to pin a Web link through a Microsoft Edge secondary tile. -- PhoneLegacyTile - Use to pin a mobile app that has a valid ProductID. -- Folder - Use to pin a folder to the mobile device's Start screen. - -Tiles specified within the **RequiredStartTiles** tag have the following behavior: - -- The partner-pinned tiles will begin in a new row at the end of the user-restored Start screen. -- If there’s a duplicate tile between what the user has in their Start screen layout and what the OEM has pinned to the Start screen, only the app or tile shown in the user-restored Start screen layout will be shown and the duplicate tile will be omitted from the pinned partner tiles at the bottom of the Start screen. - -The lack of duplication only applies to pinned apps. Pinned Web links may be duplicated. - -- If partners have prepinned folders to the Start screen, Windows 10 treats these folders in the same way as appended apps on the Start screen. Duplicate folders will be removed. -- All partner tiles that are appended to the bottom of the user-restored Start screen will be medium-sized. There will be no gaps in the appended partner Start screen layout. Windows 10 will shift tiles accordingly to prevent gaps. - -## Sample LayoutModification.xml - -The following sample LayoutModification.xml shows how you can configure the Start layout for devices running Windows 10 Mobile: - -```XML - - - - - - - - - - - - - - - - - - - -``` - -## Use Windows Provisioning multivariant support - -The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see Create a provisioning package with multivariant settings. - -The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provsioning engine will always output "LayoutCustomization.xml" so that the OS has a consistent file name to query against. - -For example, if you want to ensure that there's a specific layout for a certain mobile operator in a certain country/region, you can: -1. Create a specific layout customization file and then name it LayoutCustomization1.xml. -2. Include the file as part of your provisioning package. -3. Create your multivariant target and reference the XML file within the target condition in the main customization XML file. - -The following example shows what the overall customization file might look like with multivariant support for Start: - -```XML - - - - {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} - My Provisioning Package - 1.0 - OEM - 50 - - - - - - - - - - - - - - - - - - - - - - - 1 - 1 - 1 - - - 1 - - - - - - - - - c:\users\\appdata\local\Microsoft\Windows\Shell\LayoutCustomization1.XML - - 1 - - - - - - -``` - -When the condition is met, the provisioning engine takes the XML file and places it in the location that Windows 10 has set and then the Start subsystem reads the file and applies the specific customized layout. - -You must repeat this process for all variants that you want to support so that each variant can have a distinct layout for each of the conditions and targets that need to be supported. For example, if you add a **Language** condition, you can create a Start layout that has it's own localized group or folder titles. - -## Add the LayoutModification.xml file to the image - -Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 Mobile, you can use Windows ICD to add the XML file to the device: - -1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** and then click the **StartLayout** setting. -2. In the middle pane, click **Browse** to open File Explorer. -3. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file. -4. Select the file and then click **Open**. - -This should set the value of **StartLayout**. The setting appears in the **Selected customizations** pane. - - - - - - - - - - - - - - - - - - - -## Related topics - - -[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) - -  - -  - - - - - diff --git a/windows/manage/stop-employees-from-using-the-windows-store.md b/windows/manage/stop-employees-from-using-the-windows-store.md deleted file mode 100644 index d09e5ae2be..0000000000 --- a/windows/manage/stop-employees-from-using-the-windows-store.md +++ /dev/null @@ -1,124 +0,0 @@ ---- -title: Configure access to Windows Store (Windows 10) -description: IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. -ms.assetid: 7AA60D3D-2A69-45E7-AAB0-B8AFC29C2E97 -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: store, mobile -author: TrudyHa -localizationpriority: high ---- - -# Configure access to Windows Store - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - ->For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). - -IT pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. - -## Options to configure access to Windows Store - - -You can use these tools to configure access to Windows Store: AppLocker or Group Policy. For Windows 10, this is only supported on Windows 10 Enterprise edition. - -## Block Windows Store using AppLocker - -Applies to: Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile - - -AppLocker provides policy-based access control management for applications. You can block access to Windows Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Windows Store app as the packaged app that you want to block from client computers. - -For more information on AppLocker, see [What is AppLocker?](../keep-secure/what-is-applocker.md) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](../keep-secure/create-a-rule-for-packaged-apps.md). - -**To block Windows Store using AppLocker** - -1. Type secpol in the search bar to find and start AppLocker. - -2. In the console tree of the snap-in, click **Application Control Policies**, click **AppLocker**, and then click **Packaged app Rules**. - -3. On the **Action** menu, or by right-clicking on **Packaged app Rules**, click **Create New Rule**. - -4. On **Before You Begin**, click **Next**. - -5. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**. - -6. On **Publisher**, you can select **Use an installed app package as a reference**, and then click **Select**. - -7. On **Select applications**, find and click **Store** under **Applications** column, and then click **OK**. Click **Next**. - - [Create a rule for packaged apps](../keep-secure/create-a-rule-for-packaged-apps.md) has more information on reference options and setting the scope on packaged app rules. - -8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**. - -## Block Windows Store using Group Policy - - -Applies to: Windows 10 Enterprise, version 1511, Windows 10 Education - -> [!Note] -> Not supported on Windows 10 Pro. - -You can also use Group Policy to manage access to Windows Store. - -**To block Windows Store using Group Policy** - -1. Type gpedit in the search bar to find and start Group Policy Editor. - -2. In the console tree of the snap-in, click **Computer Configuration**, click **Administrative Templates** , click **Windows Components**, and then click **Store**. - -3. In the Setting pane, click **Turn off Store application**, and then click **Edit policy setting**. - -4. On the **Turn off Store application** setting page, click **Enabled**, and then click **OK**. - -## Block Windows Store using management tool - - -Applies to: Windows 10 Mobile - -If you have mobile devices in your organization that you upgraded from earlier versions of Windows Phone 8 to Windows 10 Mobile, existing policies created using the Windows Phone 8.1 configuration service providers (CSP) with your MDM tool will continue to work on Windows 10 Mobile. If you are starting with Windows 10 Mobile, we recommend using [AppLocker](#block-store-applocker) to manage access to Windows Store app. - -When your MDM tool supports Windows Store for Business, the MDM can use these CSPs to block Windows Store app: - -- [Policy](https://go.microsoft.com/fwlink/p/?LinkId=717030) - -- [EnterpriseAssignedAccess](https://msdn.microsoft.com/library/windows/hardware/mt157024.aspx) (Windows 10 Mobile, only) - -For more information, see [Configure an MDM provider](configure-mdm-provider-windows-store-for-business.md). - -## Show private store only using Group Policy -Applies to Windows 10 Enterprise, version 1607, Windows 10 Education - -If you're using Windows Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store. - -**To show private store only in Windows Store app** - -1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor. - -2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then click **Store**. - -3. Right-click **Only display the private store within the Windows Store app** in the right pane, and click **Edit**. - - This opens the **Only display the private store within the Windows Store app** policy settings. - -4. On the **Only display the private store within the Windows Store app** setting page, click **Enabled**, and then click **OK**. - -## Related topics - -[Distribute apps using your private store](distribute-apps-from-your-private-store.md) - -[Manage access to private store](manage-access-to-private-store.md) - -  - -  - - - - - diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md deleted file mode 100644 index 85a835748e..0000000000 --- a/windows/manage/windows-10-start-layout-options-and-policies.md +++ /dev/null @@ -1,178 +0,0 @@ ---- -title: Manage Windows 10 Start and taskbar layout (Windows 10) -description: Organizations might want to deploy a customized Start and taskbar layout to devices running Windows 10 Enterprise or Windows 10 Education. -ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A -keywords: ["start screen", "start menu"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Manage Windows 10 Start and taskbar layout - - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu) - -Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Enterprise or Windows 10 Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. - ->[!NOTE] ->Taskbar configuration is available starting in Windows 10, version 1607. - -## Start options - -![start layout sections](images/startannotated.png) - -Some areas of Start can be managed using Group Policy. The layout of Start tiles can be managed using either Group Policy or Mobile Device Management (MDM) policy. - -The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    StartPolicySetting
    User tileGroup Policy: Remove Logoff on the Start menu
    Most usedGroup Policy: Remove frequent programs from the Start menuSettings > Personalization > Start > Show most used apps

    Suggestions

    -

    -and-

    -

    Dynamically inserted app tile

    MDM: Allow Windows Consumer Features

    -

    Group Policy: Computer Configuration\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences

    -
    -Note   -

    This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu.

    -
    -
    -  -
    Settings > Personalization > Start > Occasionally show suggestions in Start
    Recently addednot applicableSettings > Personalization > Start > Show recently added apps
    Pinned foldersnot applicableSettings > Personalization > Start > Choose which folders appear on Start
    PowerGroup Policy: Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commandsNone
    Start layout

    MDM: Start layout

    -

    Group Policy: Start layout

    -

    Group Policy: Prevent users from customizing their Start Screen

    -
    -Note   -

    When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the All Apps view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.

    Start layout policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar. -

    -
    -  -
    None
    Jump listsGroup Policy: Do not keep history of recently opened documentsSettings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar
    Start size

    MDM: Force Start size

    -

    Group Policy: Force Start to be either full screen size or menu size

    Settings > Personalization > Start > Use Start full screen
    All SettingsGroup Policy: Prevent changes to Taskbar and Start Menu SettingsNone
    - - ## Taskbar options - -Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region. - -There are three categories of apps that might be pinned to a taskbar: -* Apps pinned by the user -* Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store) -* Apps pinned by the enterprise, such as in an unattended Windows setup - - **Note**   - The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607. - -The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square). - -> **Note**  In operating systems configured to use a right-to-left language, the taskbar order will be reversed. - -![Windows left, user center, enterprise to the right](images/taskbar-generic.png) - -Whether you apply the taskbar configuration to a clean install or an update, users will still be able to: -* Pin additional apps -* Change the order of pinned apps -* Unpin any app - -### Taskbar configuration applied to clean install of Windows 10 - -In a clean install, if you apply a taskbar layout, only the apps that you specify and default apps that you do not remove will be pinned to the taskbar. Users can pin additional apps to the taskbar after the layout is applied. - -### Taskbar configuration applied to Windows 10 upgrades - -When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup. - -The new taskbar layout for upgrades to Windows 10, version 1607 or later, will apply the following behavior: -* If the user pinned the app to the taskbar, those pinned apps remain and new apps will be added to the right. -* If the user didn't pin the app (it was pinned during installation or by policy) and the app is not in updated layout file, the app will be unpinned. -* If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right. -* New apps specified in updated layout file are pinned to right of user's pinned apps. - - - -## Related topics - - -[Customize and export Start layout](customize-and-export-start-layout.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) - -  - -  - - - - - diff --git a/windows/manage/windows-spotlight.md b/windows/manage/windows-spotlight.md deleted file mode 100644 index eb3af0eb51..0000000000 --- a/windows/manage/windows-spotlight.md +++ /dev/null @@ -1,85 +0,0 @@ ---- -title: Windows Spotlight on the lock screen (Windows 10) -description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. -ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A -keywords: ["lockscreen"] -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Windows Spotlight on the lock screen - - -**Applies to** - -- Windows 10 - -Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10. - -For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps. - - ->[!NOTE] ->In Windows 10, version 1607, the lock screen background does not display if you disable the **Animate windows when minimizing and mazimizing** setting in **This PC** > **Properties** > **Advanced system settings** > **Performance settings** > **Visual Effects**, or if you enable the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Desktop Windows Manager** > **Do not allow windows animations**. - -## What does Windows Spotlight include? - - -- **Background image** - - The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis. - - ![lock screen image](images/lockscreen.png) - -- **Feature suggestions, fun facts, tips** - - The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**. - -## How do you turn off Windows Spotlight locally? - - -To turn off Windows Spotlight locally, go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background - -![personalization background](images/spotlight.png) - -## How do you disable Windows Spotlight for managed devices? - - -Windows 10, version 1607, provides three new Group Policy settings to help you manage Windows Spotlight on enterprise computers. - -**Windows 10 Pro, Enterprise, and Education** - -- **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** enables enterprises to restrict suggestions to Microsoft apps and services. - -**Windows 10 Enterprise and Education** - -* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** enables enterprises to completely disable all Windows Spotlight features in a single setting. -* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled. (The Group Policy setting **Enterprise Spotlight** does not work in Windows 10, version 1607.) - -Windows Spotlight is enabled by default. Administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. - ->[!WARNING] -> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release. - -![lockscreen policy details](images/lockscreenpolicy.png) - -Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image. - -![fun facts](images/funfacts.png) - -## Related topics - - -[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md) - -  - -  - - - - - From b0107d3f8f729e0f69a759d019f50830f31f61f6 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 16 Feb 2017 12:01:39 -0800 Subject: [PATCH 30/65] fixes --- windows/deploy/configure-a-pxe-server-to-load-windows-pe.md | 3 +++ windows/deploy/windows-10-poc-sc-config-mgr.md | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md index 9591616e9d..f0830b38a4 100644 --- a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md @@ -163,6 +163,9 @@ ramdisksdidevice boot ramdisksdipath \boot\boot.sdi ``` +>[!TIP] +>If you start the PXE boot process, but receive the error that "The boot configuration data for your PC is missing or contains errors" then verify that \\boot directory is installed under the correct TFTP server root directory. In the example used here the name of this directory is TFTPRoot, but your TFTP server might be different. + ## PXE boot process summary The following summarizes the PXE client boot process. diff --git a/windows/deploy/windows-10-poc-sc-config-mgr.md b/windows/deploy/windows-10-poc-sc-config-mgr.md index d9278a15c5..5d553fb969 100644 --- a/windows/deploy/windows-10-poc-sc-config-mgr.md +++ b/windows/deploy/windows-10-poc-sc-config-mgr.md @@ -163,8 +163,8 @@ Topics and procedures in this guide are summarized in the following table. An es adsiedit.msc ``` -6. Right-click **ADSI Edit**, click **Connect to**, select **Default** under **Computer** and then click **OK**. -7. Expand **Default naming context**>**DC=contoso,DC=com**, right-click **CN=System**, point to **New**, and then click **Object**. +6. Right-click **ADSI Edit**, click **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then click **OK**. +7. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then click **Object**. 8. Click **container** and then click **Next**. 9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**. 10. Right-click **CN=system Management** and then click **Properties**. @@ -194,7 +194,7 @@ Topics and procedures in this guide are summarized in the following table. An es - **Settings Summary**: Review settings and click **Next**. - **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**. - >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored. + >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment. Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete. From ff7c062b3a97e0516d44915de530ca505790039c Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 16 Feb 2017 12:10:58 -0800 Subject: [PATCH 31/65] fixes --- windows/plan/windows-10-infrastructure-requirements.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/plan/windows-10-infrastructure-requirements.md b/windows/plan/windows-10-infrastructure-requirements.md index d92c0e8afd..ff50a10a6c 100644 --- a/windows/plan/windows-10-infrastructure-requirements.md +++ b/windows/plan/windows-10-infrastructure-requirements.md @@ -43,6 +43,8 @@ For System Center Configuration Manager, Windows 10 support is offered with var | System Center Configuration Manager 2012 | Yes, with SP2 and CU1 | Yes, with SP2, CU1, and the ADK for Windows 10 | | System Center Configuration Manager 2012 R2 | Yes, with SP1 and CU1 | Yes, with SP1, CU1, and the ADK for Windows 10 | + +>Note: Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require System Center Configuration Manager current branch for supported management.   For more details about System Center Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). From 118a7b8fc08df23c34726e9ab6eeee0052959b55 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 16 Feb 2017 12:45:09 -0800 Subject: [PATCH 32/65] Adding content --- .openpublishing.redirection.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 60633b20d6..decdddbbaa 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -419,6 +419,6 @@ "source_path": "windows/keep-secure/enlightened-microsoft-apps-and-edp.md", "redirect_url": "/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip", "redirect_document_id": true - }, - ] + }, + ] } From 01376bdae9dce3d68049a17fa95c2c9366ee01fb Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 16 Feb 2017 13:56:39 -0800 Subject: [PATCH 33/65] Adding content --- .openpublishing.redirection.json | 443 +++++++++++++++++- ...-devices-to-stop-data-flow-to-microsoft.md | 4 - ...onnect-your-organization-from-microsoft.md | 4 - .../configure/manage-cortana-in-enterprise.md | 5 - ...ws-10-images-with-provisioning-packages.md | 125 ----- ...rade-analytics-prepare-your-environment.md | 4 - .../deploy/upgrade-analytics-release-notes.md | 5 - ...upgrade-analytics-review-site-discovery.md | 7 - ...tion-windows-advanced-threat-protection.md | 7 - 9 files changed, 442 insertions(+), 162 deletions(-) delete mode 100644 windows/configure/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md delete mode 100644 windows/configure/disconnect-your-organization-from-microsoft.md delete mode 100644 windows/configure/manage-cortana-in-enterprise.md delete mode 100644 windows/deploy/update-windows-10-images-with-provisioning-packages.md delete mode 100644 windows/deploy/upgrade-analytics-prepare-your-environment.md delete mode 100644 windows/deploy/upgrade-analytics-release-notes.md delete mode 100644 windows/deploy/upgrade-analytics-review-site-discovery.md delete mode 100644 windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index decdddbbaa..6c35a30e70 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -420,5 +420,446 @@ "redirect_url": "/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip", "redirect_document_id": true }, + { + "source_path": "windows/configure/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md", + "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", + "redirect_document_id": true + }, + { + "source_path": "windows/configure/disconnect-your-organization-from-microsoft.md", + "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", + "redirect_document_id": true + }, + { + "source_path": "windows/configure/manage-cortana-in-enterprise.md", + "redirect_url": "/itpro/windows/configure/cortana-at-work-overview", + "redirect_document_id": true + }, + { + "source_path": "windows/deploy/update-windows-10-images-with-provisioning-packages.md", + "redirect_url": "/itpro/windows/configure/provisioning-packages", + "redirect_document_id": true + }, + { + "source_path": "windows/deploy/upgrade-analytics-prepare-your-environment.md", + "redirect_url": "/itpro/windows/deploy/upgrade-analytics-identify-apps", + "redirect_document_id": true + }, + { + "source_path": "windows/deploy/upgrade-analytics-release-notes.md", + "redirect_url": "/itpro/windows/deploy/upgrade-analytics-requirements", + "redirect_document_id": true + }, + { + "source_path": "windows/deploy/upgrade-analytics-review-site-discovery.md", + "redirect_url": "/itpro/windows/deploy/upgrade-analytics-additional-insights", + "redirect_document_id": true + }, + { + "source_path": "windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md", + "redirect_url": "/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": ".md", + "redirect_url": "", + "redirect_document_id": true + }, + ] -} +} \ No newline at end of file diff --git a/windows/configure/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/configure/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md deleted file mode 100644 index 8a9777af29..0000000000 --- a/windows/configure/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10) -redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services ---- \ No newline at end of file diff --git a/windows/configure/disconnect-your-organization-from-microsoft.md b/windows/configure/disconnect-your-organization-from-microsoft.md deleted file mode 100644 index 8a9777af29..0000000000 --- a/windows/configure/disconnect-your-organization-from-microsoft.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10) -redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services ---- \ No newline at end of file diff --git a/windows/configure/manage-cortana-in-enterprise.md b/windows/configure/manage-cortana-in-enterprise.md deleted file mode 100644 index 33b7160191..0000000000 --- a/windows/configure/manage-cortana-in-enterprise.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Cortana integration in your business or enterprise (Windows 10) -description: The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/cortana-at-work-overview ---- \ No newline at end of file diff --git a/windows/deploy/update-windows-10-images-with-provisioning-packages.md b/windows/deploy/update-windows-10-images-with-provisioning-packages.md deleted file mode 100644 index 27b3025c15..0000000000 --- a/windows/deploy/update-windows-10-images-with-provisioning-packages.md +++ /dev/null @@ -1,125 +0,0 @@ ---- -title: Update Windows 10 images with provisioning packages (Windows 10) -description: Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. -ms.assetid: 3CA345D2-B60A-4860-A3BF-174713C3D3A6 -keywords: provisioning, bulk deployment, image -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile -author: jdeckerMS -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages ---- - -# Update Windows 10 images with provisioning packages -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. - -In Windows 10, you can apply a provisioning package at any time. A provisioning package can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. - -You can include provisioning packages when you build a Windows image. This way, you can create a single provisioning package that you can add to different hardware-specific images. - -You can also put a provisioning package on a USB drive or SD card to apply to off-the-shelf devices. You can even send the provisioning package to someone in email. - -Rather than wiping a device and applying a new system image when you need to change configuration, you can reset the device to its original state and then apply a new provisioning package. - -For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). - -## Advantages -- You can configure new devices without reimaging. - -- Works on both mobile and desktop devices. - -- No network connectivity required. - -- Simple for people to apply. - -- Ensure compliance and security before a device is enrolled in MDM. - -## Create package -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](https://go.microsoft.com/fwlink/p/?LinkId=526740) - -1. Open Windows ICD (by default, `%windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`). - -2. Choose **New provisioning package**. - -3. Name your project, and click **Next**. - -4. Choose **Common to all Windows editions** and click **Next**. - -5. On **New project**, click **Finish**. The workspace for your package opens. - -6. Configure settings. [Learn more about specific settings in provisioning packages.]( https://go.microsoft.com/fwlink/p/?LinkId=615916) - -7. On the **File** menu, select **Save.** - -8. On the **Export** menu, select **Provisioning package**. - -9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -10. Set a value for **Package Version**. - - **Tip**   - You can make changes to existing packages and change the version number to update previously applied packages. - -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - - **Important**   - We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  - -12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

    -Optionally, you can click **Browse** to change the default output location. - -13. Click **Next**. - -14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

    -If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

    -If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: - - - Shared network folder - - - SharePoint site - - - Removable media (USB/SD) - - - Email - - - USB tether (mobile only) - - - NFC (mobile only) - -## Add package to image -**To add a provisioning package to Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)** - -- Follow the steps in the "To build an image for Windows 10 for desktop editions" section in [Use the Windows ICD command-line interface]( https://go.microsoft.com/fwlink/p/?LinkId=617371). - -**To add a provisioning package to a Windows 10 Mobile image** - -- Follow the steps in the "To build an image for Windows 10 Mobile or Windows 10 IoT Core (IoT Core)" section in [Use the Windows ICD command-line interface]( https://go.microsoft.com/fwlink/p/?LinkId=617371).

    -The provisioning package is placed in the FFU image and is flashed or sector written to the device. During device setup time, the provisioning engine starts and consumes the packages. - -## Learn more -- [Build and apply a provisioning package]( https://go.microsoft.com/fwlink/p/?LinkId=629651) - -- [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - -## Related topics -- [Configure devices without MDM](../manage/configure-devices-without-mdm.md) \ No newline at end of file diff --git a/windows/deploy/upgrade-analytics-prepare-your-environment.md b/windows/deploy/upgrade-analytics-prepare-your-environment.md deleted file mode 100644 index 78eeaa078b..0000000000 --- a/windows/deploy/upgrade-analytics-prepare-your-environment.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Upgrade Analytics - Identify important apps (Windows 10) -redirect_url: upgrade-analytics-identify-apps ---- \ No newline at end of file diff --git a/windows/deploy/upgrade-analytics-release-notes.md b/windows/deploy/upgrade-analytics-release-notes.md deleted file mode 100644 index dbf92527d7..0000000000 --- a/windows/deploy/upgrade-analytics-release-notes.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Upgrade Analytics release notes (Windows 10) -description: Provides tips and limitations about Upgrade Analytics. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements#important-information-about-this-release ---- \ No newline at end of file diff --git a/windows/deploy/upgrade-analytics-review-site-discovery.md b/windows/deploy/upgrade-analytics-review-site-discovery.md deleted file mode 100644 index e42b53e9d0..0000000000 --- a/windows/deploy/upgrade-analytics-review-site-discovery.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -title: Review site discovery -redirect_url: upgrade-analytics-additional-insights ---- - - - diff --git a/windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md b/windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md deleted file mode 100644 index 1f2d6310fd..0000000000 --- a/windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md +++ /dev/null @@ -1,7 +0,0 @@ - --- - redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection - --- - -# Additional Windows Defender ATP configuration settings - -This page has been redirected to [Configure endpoints](https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection) \ No newline at end of file From 8be46249c06b09660f402c8d838bffa87ae4edc0 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 16 Feb 2017 14:17:37 -0800 Subject: [PATCH 34/65] Adding content --- .openpublishing.redirection.json | 193 +++++++++--------- ...schema-extensions-to-support-tpm-backup.md | 5 - ...g-a-device-guard-policy-for-signed-apps.md | 5 - ...vice-guard-certification-and-compliance.md | 4 - .../enable-phone-signin-to-pc-and-vpn.md | 19 -- ...o-run-on-device-guard-protected-devices.md | 4 - ...microsoft-passport-in-your-organization.md | 19 -- ...y-verification-using-microsoft-passport.md | 18 -- ...microsoft-passport-and-password-changes.md | 13 -- ...oft-passport-errors-during-pin-creation.md | 15 -- .../keep-secure/microsoft-passport-guide.md | 18 -- ...ding-windows-advanced-threat-protection.md | 7 - windows/keep-secure/passport-event-300.md | 15 -- ...repare-people-to-use-microsoft-passport.md | 17 -- .../why-a-pin-is-better-than-a-password.md | 15 -- .../windows-hello-in-enterprise.md | 14 -- 16 files changed, 99 insertions(+), 282 deletions(-) delete mode 100644 windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md delete mode 100644 windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md delete mode 100644 windows/keep-secure/device-guard-certification-and-compliance.md delete mode 100644 windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md delete mode 100644 windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md delete mode 100644 windows/keep-secure/implement-microsoft-passport-in-your-organization.md delete mode 100644 windows/keep-secure/manage-identity-verification-using-microsoft-passport.md delete mode 100644 windows/keep-secure/microsoft-passport-and-password-changes.md delete mode 100644 windows/keep-secure/microsoft-passport-errors-during-pin-creation.md delete mode 100644 windows/keep-secure/microsoft-passport-guide.md delete mode 100644 windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md delete mode 100644 windows/keep-secure/passport-event-300.md delete mode 100644 windows/keep-secure/prepare-people-to-use-microsoft-passport.md delete mode 100644 windows/keep-secure/why-a-pin-is-better-than-a-password.md delete mode 100644 windows/keep-secure/windows-hello-in-enterprise.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 6c35a30e70..1baa8e55a1 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -460,403 +460,408 @@ "redirect_url": "/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection", "redirect_document_id": true }, + { + "source_path": "windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md", + "redirect_url": "https://technet.microsoft.com/library/jj635854.aspx", + "redirect_document_id": true + }, { - "source_path": ".md", - "redirect_url": "", + "source_path": "windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md", + "redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide", "redirect_document_id": true }, { - "source_path": ".md", - "redirect_url": "", + "source_path": "windows/keep-secure/device-guard-certification-and-compliance.md", + "redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide", "redirect_document_id": true }, { - "source_path": ".md", - "redirect_url": "", + "source_path": "windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md", + "redirect_url": "/itpro/windows/keep-secure/hello-enable-phone-signin", "redirect_document_id": true }, { - "source_path": ".md", - "redirect_url": "", + "source_path": "windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md", + "redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide", "redirect_document_id": true }, { - "source_path": ".md", - "redirect_url": "", + "source_path": "windows/keep-secure/implement-microsoft-passport-in-your-organization.md", + "redirect_url": "/itpro/windows/keep-secure/hello-manage-in-organization", "redirect_document_id": true }, { - "source_path": ".md", - "redirect_url": "", + "source_path": "windows/keep-secure/manage-identity-verification-using-microsoft-passport.md", + "redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", "redirect_document_id": true }, { - "source_path": ".md", - "redirect_url": "", + "source_path": "windows/keep-secure/microsoft-passport-and-password-changes.md", + "redirect_url": "/itpro/windows/keep-secure/hello-and-password-changes", "redirect_document_id": true }, { - "source_path": ".md", - "redirect_url": "", + "source_path": "windows/keep-secure/microsoft-passport-errors-during-pin-creation.md", + "redirect_url": "/itpro/windows/keep-secure/hello-errors-during-pin-creation", "redirect_document_id": true }, { - "source_path": ".md", - "redirect_url": "", + "source_path": "windows/keep-secure/microsoft-passport-guide.md", + "redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", "redirect_document_id": true }, { - "source_path": ".md", - "redirect_url": "", + "source_path": "windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md", + "redirect_url": "/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection", "redirect_document_id": true }, { - "source_path": ".md", - "redirect_url": "", + "source_path": "windows/keep-secure/passport-event-300.md", + "redirect_url": "/itpro/windows/keep-secure/hello-event-300", "redirect_document_id": true }, { - "source_path": ".md", - "redirect_url": "", + "source_path": "windows/keep-secure/prepare-people-to-use-microsoft-passport.md", + "redirect_url": "/itpro/windows/keep-secure/hello-prepare-people-to-use", "redirect_document_id": true }, { - "source_path": ".md", - "redirect_url": "", + "source_path": "windows/keep-secure/why-a-pin-is-better-than-a-password.md", + "redirect_url": "/itpro/windows/keep-secure/hello-why-pin-is-better-than-password", "redirect_document_id": true }, { - "source_path": ".md", - "redirect_url": "", + "source_path": "windows/keep-secure/windows-hello-in-enterprise.md", + "redirect_url": "/itpro/windows/keep-secure/hello-biometrics-in-enterprise", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, { - "source_path": ".md", + "source_path": "", "redirect_url": "", "redirect_document_id": true }, diff --git a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md deleted file mode 100644 index 0efd393b76..0000000000 --- a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: AD DS schema extensions to support TPM backup -redirect_url: https://technet.microsoft.com/library/jj635854.aspx ---- - diff --git a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md deleted file mode 100644 index 6d70cbad2b..0000000000 --- a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Create a Device Guard code integrity policy based on a reference device (Windows 10) -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide ---- - diff --git a/windows/keep-secure/device-guard-certification-and-compliance.md b/windows/keep-secure/device-guard-certification-and-compliance.md deleted file mode 100644 index 566a6df4da..0000000000 --- a/windows/keep-secure/device-guard-certification-and-compliance.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Device Guard certification and compliance (Windows 10) -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide ---- diff --git a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md deleted file mode 100644 index b3077d445a..0000000000 --- a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: Enable phone sign-in to PC or VPN (Windows 10) -description: You can set policies to allow your users to sign in to a PC or VPN using their Windows 10 phone. -keywords: ["identity", "PIN", "biometric", "Hello"] -ms.prod: W10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-enable-phone-signin ---- - -# Enable phone sign-in to PC or VPN - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - diff --git a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md deleted file mode 100644 index 88a3f076b6..0000000000 --- a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Get apps to run on Device Guard-protected devices (Windows 10) -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide ---- diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md deleted file mode 100644 index 20c4be5a7e..0000000000 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: Implement Windows Hello in your organization (Windows 10) -description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. -ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8 -keywords: identity, PIN, biometric, Hello -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-manage-in-organization ---- - -# Implement Windows Hello for Business in your organization - -**Applies to** -- Windows 10 -- Windows 10 Mobile - diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md deleted file mode 100644 index 81cef9cc41..0000000000 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ /dev/null @@ -1,18 +0,0 @@ ---- -title: Manage identity verification using Windows Hello for Business (Windows 10) -description: In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. -ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-identity-verification ---- -# Manage identity verification using Windows Hello for Business - -**Applies to** -- Windows 10 -- Windows 10 Mobile - diff --git a/windows/keep-secure/microsoft-passport-and-password-changes.md b/windows/keep-secure/microsoft-passport-and-password-changes.md deleted file mode 100644 index fffa48b90f..0000000000 --- a/windows/keep-secure/microsoft-passport-and-password-changes.md +++ /dev/null @@ -1,13 +0,0 @@ ---- -title: Windows Hello and password changes (Windows 10) -description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello. -ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-and-password-changes ---- -# Windows Hello and password changes - diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md deleted file mode 100644 index aa890d3cd9..0000000000 --- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: Windows Hello errors during PIN creation (Windows 10) -description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step. -ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 -keywords: PIN, error, create a work PIN -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-errors-during-pin-creation ---- - -# Windows Hello errors during PIN creation - diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md deleted file mode 100644 index faa85f4206..0000000000 --- a/windows/keep-secure/microsoft-passport-guide.md +++ /dev/null @@ -1,18 +0,0 @@ ---- -title: Microsoft Passport guide (Windows 10) -description: This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system. -ms.assetid: 11EA7826-DA6B-4E5C-99FB-142CC6BD9E84 -keywords: security, credential, password, authentication -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: security -author: challum -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-identity-verification ---- - -# Microsoft Passport guide - -**Applies to** -- Windows 10 - diff --git a/windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md b/windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md deleted file mode 100644 index 2f8775683c..0000000000 --- a/windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md +++ /dev/null @@ -1,7 +0,0 @@ - --- - redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection - --- - -# Monitor the Windows Defender Advanced Threat Protection onboarding - -This page has been redirected to [Configure endpoints](https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection) \ No newline at end of file diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md deleted file mode 100644 index f516f124d0..0000000000 --- a/windows/keep-secure/passport-event-300.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: Event ID 300 - Windows Hello successfully created (Windows 10) -description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). -ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04 -keywords: ngc -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-event-300 ---- - -# Event ID 300 - Windows Hello successfully created - diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md deleted file mode 100644 index 9594deccca..0000000000 --- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -title: Prepare people to use Windows Hello (Windows 10) -description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization. -ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B -keywords: identity, PIN, biometric, Hello -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-prepare-people-to-use ---- - -# Prepare people to use Windows Hello - - - diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md deleted file mode 100644 index 1640262ffd..0000000000 --- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: Why a PIN is better than a password (Windows 10) -description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password . -ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212 -keywords: pin, security, password, hello -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-why-pin-is-better-than-password ---- - -# Why a PIN is better than a password - diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md deleted file mode 100644 index 379a453284..0000000000 --- a/windows/keep-secure/windows-hello-in-enterprise.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -title: Windows Hello biometrics in the enterprise (Windows 10) -description: Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. -ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc -keywords: Windows Hello, enterprise biometrics -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-biometrics-in-enterprise ---- - -# Windows Hello biometrics in the enterprise From a0180ed5ef99dcff4474851d9c95720b05d0d620 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 16 Feb 2017 14:23:17 -0800 Subject: [PATCH 35/65] Adding content --- .openpublishing.redirection.json | 16 +- ...managemement-windows-store-for-business.md | 12 -- ...on-development-for-windows-as-a-service.md | 165 ------------------ windows/manage/appv-accessibility.md | 4 - ...accessing-the-client-management-console.md | 4 - 5 files changed, 8 insertions(+), 193 deletions(-) delete mode 100644 windows/manage/app-inventory-managemement-windows-store-for-business.md delete mode 100644 windows/manage/application-development-for-windows-as-a-service.md delete mode 100644 windows/manage/appv-accessibility.md delete mode 100644 windows/manage/appv-accessing-the-client-management-console.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 1baa8e55a1..6dab959913 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -536,23 +536,23 @@ "redirect_document_id": true }, { - "source_path": "", - "redirect_url": "", + "source_path": "windows/manage/app-inventory-managemement-windows-store-for-business.md", + "redirect_url": "/itpro/windows/manage/app-inventory-management-windows-store-for-business", "redirect_document_id": true }, { - "source_path": "", - "redirect_url": "", + "source_path": "windows/manage/application-development-for-windows-as-a-service.md", + "redirect_url": "https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service", "redirect_document_id": true }, { - "source_path": "", - "redirect_url": "", + "source_path": "windows/manage/appv-accessibility.md", + "redirect_url": "/itpro/windows/manage/appv-getting-started", "redirect_document_id": true }, { - "source_path": "", - "redirect_url": "", + "source_path": "windows/manage/appv-accessing-the-client-management-console.md", + "redirect_url": "/itpro/windows/manage/appv-using-the-client-management-console", "redirect_document_id": true }, { diff --git a/windows/manage/app-inventory-managemement-windows-store-for-business.md b/windows/manage/app-inventory-managemement-windows-store-for-business.md deleted file mode 100644 index 1dedc043ff..0000000000 --- a/windows/manage/app-inventory-managemement-windows-store-for-business.md +++ /dev/null @@ -1,12 +0,0 @@ ---- -title: App inventory management for Windows Store for Business (Windows 10) -description: You can manage all apps that you've acquired on your Inventory page. -ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2 -redirect_url: https://technet.microsoft.com/itpro/windows/manage/app-inventory-management-windows-store-for-business -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: store -author: TrudyHa ---- - diff --git a/windows/manage/application-development-for-windows-as-a-service.md b/windows/manage/application-development-for-windows-as-a-service.md deleted file mode 100644 index 080fccc711..0000000000 --- a/windows/manage/application-development-for-windows-as-a-service.md +++ /dev/null @@ -1,165 +0,0 @@ ---- -title: Application development for Windows as a service (Windows 10) -description: Microsoft recommends that our ISV partners decouple their app release and support from specific Windows builds. -ms.assetid: 28E0D103-B0EE-4B14-8680-6F30BD373ACF -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security, servicing -author: jdeckerMS -redirect_url: https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service ---- - -# Application development for Windows as a service - -**Applies to** -- Windows 10 -- Windows 10 Mobile -- Windows 10 IoT Core - -In today’s environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years. Additionally, new releases must be made available on a continual basis, and must be deployable with minimal impact on users. Microsoft designed Windows 10 to meet these requirements by implementing a new approach to innovation, development, and delivery called [Windows as a service (WaaS)](introduction-to-windows-10-servicing.md). The key to enabling significantly shorter product cycles while maintaining high quality levels is an innovative community-centric approach to testing that Microsoft has implemented for Windows 10. The community, known as Windows Insiders, is comprised of millions of users around the world. When Windows Insiders opt in to the community, they test many builds over the course of a product cycle and provide feedback to Microsoft through an iterative methodology called flighting. - -Builds distributed as flights provide the Windows engineering team with significant data regarding how well builds are performing in actual use. Flighting with Windows Insiders also enables Microsoft to test builds in much more diverse hardware, application, and networking environments than in the past, and to identify issues far more quickly. As a result, Microsoft believes that community-focused flighting will enable both a faster pace of innovation delivery and better public release quality than ever. - -## Windows 10 release types and cadences - -Although Microsoft releases flight builds to Windows Insiders, Microsoft will publish two types of Windows 10 releases broadly to the public on an ongoing basis: - -**Feature updates** install the latest new features, experiences, and capabilities on devices that are already running Windows 10. Because feature updates contain an entire copy of Windows, they are also what customers use to install Windows 10 on existing devices running Windows 7 or Windows 8.1, and on new devices where no operating system is installed. Microsoft expects to publish an average of one to two new feature updates per year. - -**Quality updates** deliver security issue resolutions and other important bug fixes. Quality updates will be provided to improve each feature currently in support, on a cadence of one or more times per month. Microsoft will continue publishing quality updates on Update Tuesday (sometimes referred to as Patch Tuesday). Additionally, Microsoft may publish additional quality updates for Windows 10 outside the Update Tuesday process when required to address customer needs. - -During Windows 10 development, Microsoft streamlined the Windows product engineering and release cycle so that we can deliver the features, experiences, and functionality customers want, more quickly than ever. We also created new ways to deliver and install feature updates and quality updates that simplify deployments and on-going management, broaden the base of employees who can be kept current with the latest Windows capabilities and experiences, and lower total cost of ownership. Hence we have implemented new servicing options – referred to as Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB) – that provide pragmatic solutions to keep more devices more current in enterprise environments than was previously possible. - -The following table shows describes the various servicing branches and their key attributes. - -| Servicing option | Availability of new feature upgrades for installation | Minimum length of servicing lifetime | Key benefits | Supported editions | -|-----------------------------------|-----------------------------------------------------------|--------------------------------------|-------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------| -| Current Branch (CB) | Immediately after first published by Microsoft | Approximately 4 months | Makes new features available to users as soon as possible | Home, Pro, Education, Enterprise, Mobile, IoT Core, Windows 10 IoT Core Pro (IoT Core Pro) | -| Current Branch for Business (CBB) | Approximately 4 months after first published by Microsoft | Approximately 8 months | Provides additional time to test new feature upgrades before deployment | Pro, Education, Enterprise, Mobile Enterprise, IoT Core Pro | -| Long-Term Servicing Branch (LTSB) | Immediately after published by Microsoft | 10 Years | Enables long-term deployment of selected Windows 10 releases in low-change configurations | Enterprise LTSB | -  -For more information, see [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md). - -## Supporting apps in Windows as a service - -The traditional approach for supporting apps has been to release a new app version in response to a Windows release. This assumes that there are breaking changes in the underlying OS that could potentially cause a regression with the application. This model involves a dedicated development and validation cycle that requires our ISV partners to align with the Windows release cadence. - -In the Windows as a service model, Microsoft is making a commitment to maintaining the compatibility of the underlying OS. This means Microsoft will make a concerted effort to ensure that there are no breaking changes that impact the app ecosystem negatively. In this scenario, when there is a release of a Windows build, most apps (those with no kernel dependencies) will continue to work. - -In view of this change, Microsoft recommends that our ISV partners decouple their app release and support from specific Windows builds. Our mutual customers are better served by an application lifecycle approach. This means when an application version is released it will be supported for a certain period of time irrespective of however many Windows builds are released in the interim. The ISV makes a commitment to provide support for that specific version of the app as long as it is supported in the lifecycle. Microsoft follows a similar lifecycle approach for Windows that can be referenced [here](https://go.microsoft.com/fwlink/?LinkID=780549). - -This approach will reduce the burden of maintaining an app schedule that aligns with Windows releases. ISV partners should be free to release features or updates at their own cadence. We feel that our partners can keep their customer base updated with the latest app updates independent of a Windows release. In addition, our customers do not have to seek an explicit support statement whenever a Windows build is released. Here is an example of a support statement that covers how an app may be supported across different versions of the OS: - -| Example of an application lifecycle support statement | -|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Contoso is a software development company and is the owner of the popular Mojave app which has a major share in the enterprise space. Contoso releases its next major release Mojave 14.0 and declares mainstream support for a period of three years from the release date. During mainstream support all updates and support are complimentary for the licensed product. Contoso also declares an additional two years of extended support where customers can purchase updates and support for a grace period. Beyond the extended support end date this product version is no longer supported. During the period of mainstream support Contoso will support Mojave 14.0 on all released builds of Windows. Contoso will also release updates to Mojave as necessary and independent of the Windows product releases. | -  -In the following sections, you will find additional information about the steps Microsoft takes to maintain the compatibility of the underlying OS. You will also find guidance on steps you can take to help maintain the compatibility of the combined OS and app ecosystem. There is a section on how to leverage Windows flighting builds to detect app regressions before a Windows build is released. Lastly, we describe how we use an instrumentation and telemetry-driven approach to increase the quality of Windows builds. We recommend ISVs adopt a similar approach with their app portfolio. - -## Key changes since Windows 7 to ensure app compatibility - -We understand that compatibility matters to developers. ISVs and developers want to ensure their apps will run as expected on all supported versions of the Windows OS. Consumers and businesses have a key investment here—they want to ensure that the apps they have paid for will continue to work. We know that compatibility is the primary criteria for purchase decisions. Apps that are well written based on best practices will lead to much less code churn when -a new Windows version is released and will reduce fragmentation—these apps have a reduced engineering investment to maintain, and a faster time to market. - -In the Windows 7 timeframe, compatibility was very much a reactive approach. In Windows 8, we started looking at this differently, working within Windows to ensure that compatibility was by design rather than an afterthought. -Windows 10 is the most compatible-by-design version of the OS to date. Here are some key ways we accomplished this: -- **App telemetry**: This helps us understand app popularity in the Windows ecosystem to inform compatibility testing. -- **ISV partnerships**: Work directly with external partners to provide them with data and help fix issues that our users experience. -- **Design reviews, upstream detection**: Partner with feature teams to reduce the number of breaking changes in Windows. Compatibility review is a gate that our feature teams must pass. -- **Communication**: Tighter control over API changes and improved communication. -- **Flighting and feedback loop**: Windows insiders receive flighted builds that help improve our ability to find compatibility issues before a final build is released to customers. This feedback process not only exposes bugs, but ensures we are shipping features our users want. - -## Best practices for app compatibility - -Microsoft uses diagnostic and usage data to identify and troubleshoot problems, improve our products and services, and provide our users with personalized experiences. The usage data we collect also extends to the apps that PCs in the Windows ecosystem are running. Based on what our customers use, we build our list to test these apps, devices, and drivers against new versions of the Windows OS. Windows 10 has been the most compatible version of Windows to-date, with over 90% compatibility against thousands of popular apps. The Windows Compatibility team commonly reaches out to our ISV partners to provide feedback if issues are discovered, so that we can partner together on solutions. Ideally, we’d like our common customers to be able to update Windows seamlessly and without losing functionality in either their OS or the apps they depend on for their productivity or entertainment. - -The following sections contain some best practices Microsoft recommends so you can ensure your apps are compatible with Windows 10. - -### Windows version check - -The OS version has been incremented with Windows 10. This means that the internal version number has been changed to 10.0. As in the past, we go to great lengths to maintain application and device compatibility after an OS version change. For most app categories (without any kernel dependencies), the change will not negatively impact app functionality, and existing apps will continue to work fine on Windows 10. - -The manifestation of this change is app-specific. This means any app that specifically checks for the OS version will get a higher version number, which can lead to one or more of the following situations: -- App installers might not be able to install the app, and apps might not be able to start. -- Apps might become unstable or crash. -- Apps might generate error messages, but continue to function properly. - -Some apps perform a version check and simply pass a warning to users. However, there are apps that are bound very tightly to a version check (in the drivers, or in kernel mode to avoid detection). In these cases, the app will fail if an incorrect version is found. Rather than a version check, we recommend one of the following approaches: -- If the app is dependent on specific API functionality, ensure you target the correct API version. -- Ensure you detect the change via APISet or another public API, and do not use the version as a proxy for some feature or fix. If there are breaking changes and a proper check is not exposed, then that is a bug. -- Ensure the app does NOT check for version in odd ways, such as via the registry, file versions, offsets, kernel mode, drivers, or other means. If the app absolutely needs to check the version, use the GetVersion APIs, which should return the major, minor, and build number. -- If you are using the [GetVersion](https://go.microsoft.com/fwlink/?LinkID=780555) API, remember that the behavior of this API has changed since Windows 8.1. - -If you own apps such as antimalware or firewall apps, you should work through your usual feedback channels and via the Windows Insider program. - -### Undocumented APIs - -Your apps should not call undocumented Windows APIs, or take dependency on specific Windows file exports or registry keys. This can lead to broken functionality, data loss, and potential security issues. If there is functionality your app requires that is not available, this is an opportunity to provide feedback through your usual feedback channels and via the Windows Insider program. - -### Develop Universal Windows Platform (UWP) and Centennial apps - -We encourage all Win32 app ISVs to develop [Universal Windows Platform (UWP)](https://go.microsoft.com/fwlink/?LinkID=780560) and, specifically, [Centennial](https://go.microsoft.com/fwlink/?LinkID=780562) apps moving forward. There are great benefits to developing these app packages rather than using traditional Win32 installers. UWP apps are also supported in the [Windows Store](https://go.microsoft.com/fwlink/?LinkID=780563), so it’s easier for you to update your users to a consistent version automatically, lowering your support costs. - -If your Win32 app types do not work with the Centennial model, we highly recommend that you use the right installer and ensure this is fully tested. An installer is your user or customer’s first experience with your app, so ensure that this works well. All too often, this doesn’t work well or it hasn’t been fully tested for all scenarios. The [Windows App Certification Kit](https://go.microsoft.com/fwlink/?LinkID=780565) can help you test the install and uninstall of your Win32 app and help you identify use of undocumented APIs, as well as other basic performance-related best-practice issues, before your users do. - -**Best practices:** -- Use installers that work for both 32-bit and 64-bit versions of Windows. -- Design your installers to run on multiple scenarios (user or machine level). -- Keep all Windows redistributables in the original packaging – if you repackage these, it’s possible that this will break the installer. -- Schedule development time for your installers—these are often overlooked as a deliverable during the software development lifecycle. - -## Optimized test strategies and flighting - -Windows OS flighting refers to the interim builds available to Windows Insiders before a final build is released to the general population. The more Insiders that flight these interim builds, the more feedback we receive on the build quality, compatibility, etc., and this helps improve quality of the final builds. You can participate in this flighting program to ensure that your apps work as expected on iterative builds of the OS. We also encourage you to provide feedback on how these flighted builds are working for you, issues you run into, and so on. - -If your app is in the Store, you can flight your app via the Store, which means that your app will be available for our Windows Insider population to install. Users can install your app and you can receive preliminary feedback on your app before you release it to the general population. The follow sections outline the steps for testing your apps against Windows flighted builds. - -### Step 1: Become a Windows Insider and participate in flighting -As a [Windows Insider,](https://go.microsoft.com/fwlink/p/?LinkId=521639) you can help shape the future of Windows—your feedback will help us improve features and functionality in the platform. This is a vibrant community where you can connect with other enthusiasts, join forums, trade advice, and learn about upcoming Insider-only events. - -Since you’ll have access to preview builds of Windows 10, Windows 10 Mobile, and the latest Windows SDK and Emulator, you’ll have all the tools at your disposal to develop great apps and explore what's new in the Universal Windows Platform and the Windows Store. - -This is also a great opportunity to build great hardware, with preview builds of the hardware development kits so you can develop universal drivers for Windows. The IoT Core Insider Preview is also available on supported IoT development boards, so you can build amazing connected solutions using the Universal Windows Platform. - -Before you become a Windows Insider, please note that participation is intended for users who: -- Want to try out software that’s still in development. -- Want to share feedback about the software and the platform. -- Don’t mind lots of updates or a UI design that might change significantly over time. -- Really know their way around a PC and feel comfortable troubleshooting problems, backing up data, formatting a hard drive, installing an operating system from scratch, or restoring an old one if necessary. -- Know what an ISO file is and how to use it. -- Aren't installing it on their everyday computer or device. - -### Step 2: Test your scenarios - -Once you have updated to a flighted build, the following are some sample test cases to help you get started on testing and gathering feedback. For most of these tests, ensure you cover both x86 and AMD64 systems. -**Clean install test:** On a clean install of Windows 10, ensure your app is fully functional. If your app fails this test and the upgrade test, then it’s likely that the issue is caused by underlying OS changes or bugs in the app. -If after investigation, the former is the case, be sure to use the Windows Insider program to provide feedback and partner on solutions. - -**Upgrade Test:** Check that your app works after upgrading from a down-level version of Windows (i.e. Windows 7 or Windows 8.1) to Windows 10. Your app shouldn’t cause roll backs during upgrade, and should continue to work as expected after upgrade—this is crucial to achieve a seamless upgrade experience. - -**Reinstall Test:** Ensure that app functionality can be restored by reinstalling your app after you upgrade the PC to Windows 10 from a down-level OS. If your app didn’t pass the upgrade test and you have not been able to narrow down the cause of these issues, it’s possible that a reinstall can restore lost functionality. A passing reinstall test indicates that parts of the app may not have been migrated to Windows 10. - -**OS\\Device Features Test:** Ensure that your app works as expected if your app relies on specific functionality in the OS. Common areas for testing include the following, often against a selection of the commonly used PC models to ensure coverage: -- Audio -- USB device functionality (keyboard, mouse, memory stick, external hard disk, and so on) -- Bluetooth -- Graphics\\display (multi-monitor, projection, screen rotation, and so on) -- Touch screen (orientation, on-screen keyboard, pen, gestures, and so on) -- Touchpad (left\\right buttons, tap, scroll, and so on) -- Pen (single\\double tap, press, hold, eraser, and so on) -- Print\\Scan -- Sensors (accelerometer, fusion, and so on) -- Camera - -### Step 3: Provide feedback - -Let us know how your app is performing against flighted builds. As you discover issues with your app during testing, please log bugs via the partner portal if you have access, or through your Microsoft representative. We encourage this information so that we can build a quality experience for our users together. - -### Step 4: Register on Windows 10 -The [Ready for Windows 10](https://go.microsoft.com/fwlink/?LinkID=780580) website is a directory of software that supports Windows 10. It’s intended for IT administrators at companies and organizations worldwide that are considering Windows 10 for their deployments. IT administrators can check the site to see whether software deployed in their enterprise is supported in Windows 10. - -## Related topics -[Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) -  -  diff --git a/windows/manage/appv-accessibility.md b/windows/manage/appv-accessibility.md deleted file mode 100644 index 34a3ab0a09..0000000000 --- a/windows/manage/appv-accessibility.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Accessibility for App-V (Windows 10) -redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-getting-started ---- diff --git a/windows/manage/appv-accessing-the-client-management-console.md b/windows/manage/appv-accessing-the-client-management-console.md deleted file mode 100644 index d6ad0b2b1a..0000000000 --- a/windows/manage/appv-accessing-the-client-management-console.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: How to access the client management console (Windows 10) -redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-using-the-client-management-console ---- From 20d2499eb8ab73ba9c55d59979c38315bb703dde Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 16 Feb 2017 14:26:12 -0800 Subject: [PATCH 36/65] Adding content --- .openpublishing.redirection.json | 755 +++++++++---------------------- 1 file changed, 222 insertions(+), 533 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 6dab959913..1b59d592e8 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -2,869 +2,558 @@ "redirections": [ { "source_path": "windows/manage/waas-quick-start.md", - "redirect_url": "/itpro/windows/update/waas-quick-start", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/waas-quick-start", + "redirect_document_id": true }, { "source_path": "windows/manage/waas-overview.md", - "redirect_url": "/itpro/windows/update/waas-overview", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/waas-overview", + "redirect_document_id": true }, { "source_path": "windows/manage/waas-servicing-strategy-windows-10-updates.md", - "redirect_url": "/itpro/windows/update/waas-servicing-strategy-windows-10-updates", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/waas-servicing-strategy-windows-10-updates", + "redirect_document_id": true }, { "source_path": "windows/manage/waas-deployment-rings-windows-10-updates.md", - "redirect_url": "/itpro/windows/update/waas-deployment-rings-windows-10-updates", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/waas-deployment-rings-windows-10-updates", + "redirect_document_id": true }, { "source_path": "windows/manage/waas-servicing-branches-windows-10-updates.md", - "redirect_url": "/itpro/windows/update/waas-servicing-branches-windows-10-updates", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/waas-servicing-branches-windows-10-updates", + "redirect_document_id": true }, { "source_path": "windows/manage/update-compliance-monitor.md", - "redirect_url": "/itpro/windows/update/update-compliance-monitor", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/update-compliance-monitor", + "redirect_document_id": true }, { "source_path": "windows/manage/update-compliance-get-started.md", - "redirect_url": "/itpro/windows/update/update-compliance-get-started", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/update-compliance-get-started", + "redirect_document_id": true }, { "source_path": "windows/manage/update-compliance-using.md", - "redirect_url": "/itpro/windows/update/update-compliance-using", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/update-compliance-using", + "redirect_document_id": true }, { "source_path": "windows/manage/waas-optimize-windows-10-updates.md", - "redirect_url": "/itpro/windows/update/waas-optimize-windows-10-updates", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/waas-optimize-windows-10-updates", + "redirect_document_id": true }, { "source_path": "windows/manage/waas-delivery-optimization.md", - "redirect_url": "/itpro/windows/update/waas-delivery-optimization", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/waas-delivery-optimization", + "redirect_document_id": true }, { "source_path": "windows/manage/waas-branchcache.md", - "redirect_url": "/itpro/windows/update/waas-branchcache", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/waas-branchcache", + "redirect_document_id": true }, { "source_path": "windows/manage/waas-mobile-updates.md", - "redirect_url": "/itpro/windows/update/waas-mobile-updates", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/waas-mobile-updates", + "redirect_document_id": true }, { "source_path": "windows/manage/waas-manage-updates-wufb.md", - "redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", + "redirect_document_id": true }, { "source_path": "windows/manage/waas-configure-wufb.md", - "redirect_url": "/itpro/windows/update/waas-configure-wufb", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/waas-configure-wufb", + "redirect_document_id": true }, { "source_path": "windows/manage/waas-integrate-wufb.md", - "redirect_url": "/itpro/windows/update/waas-integrate-wufb", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/waas-integrate-wufb", + "redirect_document_id": true }, { "source_path": "windows/manage/waas-wufb-group-policy.md", - "redirect_url": "/itpro/windows/update/waas-wufb-group-policy", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/waas-wufb-group-policy", + "redirect_document_id": true }, { "source_path": "windows/manage/waas-wufb-intune.md", - "redirect_url": "/itpro/windows/update/waas-wufb-intune.md", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/waas-wufb-intune.md", + "redirect_document_id": true }, { "source_path": "windows/manage/waas-manage-updates-wsus.md", - "redirect_url": "/itpro/windows/update/waas-manage-updates-wsus", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/waas-manage-updates-wsus", + "redirect_document_id": true }, { "source_path": "windows/manage/waas-manage-updates-configuration-manager.md", - "redirect_url": "/itpro/windows/update/waas-manage-updates-configuration-manager", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/waas-manage-updates-configuration-manager", + "redirect_document_id": true }, { "source_path": "windows/manage/waas-restart.md", - "redirect_url": "/itpro/windows/update/waas-restart", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/waas-restart", + "redirect_document_id": true }, { "source_path": "windows/manage/waas-update-windows-10.md", - "redirect_url": "/itpro/windows/update/index", - "redirect_document_id": true + "redirect_url": "/itpro/windows/update/index", + "redirect_document_id": true }, { "source_path": "windows/manage/configure-windows-telemetry-in-your-organization.md", - "redirect_url": "/itpro/windows/configure/configure-windows-telemetry-in-your-organization", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/configure-windows-telemetry-in-your-organization", + "redirect_document_id": true }, { "source_path": "windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md", - "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", + "redirect_document_id": true }, { "source_path": "windows/manage/set-up-a-device-for-anyone-to-use.md", - "redirect_url": "/itpro/windows/configure/set-up-a-device-for-anyone-to-use", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/set-up-a-device-for-anyone-to-use", + "redirect_document_id": true }, { "source_path": "windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md", - "redirect_url": "/itpro/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions", + "redirect_document_id": true }, { "source_path": "windows/manage/guidelines-for-assigned-access-app.md", - "redirect_url": "/itpro/windows/configure/guidelines-for-assigned-access-app", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/guidelines-for-assigned-access-app", + "redirect_document_id": true }, { "source_path": "windows/manage/lock-down-windows-10-to-specific-apps.md", - "redirect_url": "/itpro/windows/configure/lock-down-windows-10-to-specific-apps", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/lock-down-windows-10-to-specific-apps", + "redirect_document_id": true }, { "source_path": "windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md", - "redirect_url": "/itpro/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition", + "redirect_document_id": true }, { "source_path": "windows/manage/lockdown-xml.md", - "redirect_url": "/itpro/windows/configure/lockdown-xml", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/lockdown-xml", + "redirect_document_id": true }, { "source_path": "windows/manage/settings-that-can-be-locked-down.md", - "redirect_url": "/itpro/windows/configure/settings-that-can-be-locked-down", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/settings-that-can-be-locked-down", + "redirect_document_id": true }, { "source_path": "windows/manage/product-ids-in-windows-10-mobile.md", - "redirect_url": "/itpro/windows/configure/product-ids-in-windows-10-mobile", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/product-ids-in-windows-10-mobile", + "redirect_document_id": true }, { "source_path": "windows/manage/windows-spotlight.md", - "redirect_url": "/itpro/windows/configure/windows-spotlight", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/windows-spotlight", + "redirect_document_id": true }, { "source_path": "windows/manage/manage-tips-and-suggestions.md", - "redirect_url": "/itpro/windows/configure/manage-tips-and-suggestions", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/manage-tips-and-suggestions", + "redirect_document_id": true }, { "source_path": "windows/manage/windows-10-start-layout-options-and-policies.md", - "redirect_url": "/itpro/windows/configure/windows-10-start-layout-options-and-policies", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/windows-10-start-layout-options-and-policies", + "redirect_document_id": true }, { "source_path": "windows/manage/configure-windows-10-taskbar.md", - "redirect_url": "/itpro/windows/configure/configure-windows-10-taskbar", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/configure-windows-10-taskbar", + "redirect_document_id": true }, { "source_path": "windows/manage/customize-and-export-start-layout.md", - "redirect_url": "/itpro/windows/configure/customize-and-export-start-layout", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/customize-and-export-start-layout", + "redirect_document_id": true }, { "source_path": "windows/manage/start-layout-xml-desktop.md", - "redirect_url": "/itpro/windows/configure/start-layout-xml-desktop", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/start-layout-xml-desktop", + "redirect_document_id": true }, { "source_path": "windows/manage/start-layout-xml-mobile.md", - "redirect_url": "/itpro/windows/configure/start-layout-xml-mobile", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/start-layout-xml-mobile", + "redirect_document_id": true }, { "source_path": "windows/manage/customize-windows-10-start-screens-by-using-group-policy.md", - "redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-group-policy", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-group-policy", + "redirect_document_id": true }, { "source_path": "windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md", - "redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd", + "redirect_document_id": true }, { "source_path": "windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md", - "redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management", + "redirect_document_id": true }, { "source_path": "windows/manage/cortana-at-work-overview.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-overview", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/cortana-at-work-overview", + "redirect_document_id": true }, { "source_path": "windows/manage/cortana-at-work-testing-scenarios.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-testing-scenarios", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/cortana-at-work-testing-scenarios", + "redirect_document_id": true }, { "source_path": "windows/manage/cortana-at-work-scenario-1.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-1", - "redirect_document_id": true - }, + "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-1", + "redirect_document_id": true + }, { "source_path": "windows/manage/cortana-at-work-scenario-2.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-2", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-2", + "redirect_document_id": true }, { "source_path": "windows/manage/cortana-at-work-scenario-3.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-3", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-3", + "redirect_document_id": true }, { "source_path": "windows/manage/cortana-at-work-scenario-4.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-4", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-4", + "redirect_document_id": true }, { "source_path": "windows/manage/cortana-at-work-scenario-5.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-5", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-5", + "redirect_document_id": true }, { "source_path": "windows/manage/cortana-at-work-scenario-6.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-6", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-6", + "redirect_document_id": true }, { "source_path": "windows/manage/cortana-at-work-o365.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-o365", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/cortana-at-work-o365", + "redirect_document_id": true }, { "source_path": "windows/manage/cortana-at-work-crm.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-crm", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/cortana-at-work-crm", + "redirect_document_id": true }, { "source_path": "windows/manage/cortana-at-work-powerbi.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-powerbi", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/cortana-at-work-powerbi", + "redirect_document_id": true }, { "source_path": "windows/manage/cortana-at-work-voice-commands.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-voice-commands", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/cortana-at-work-voice-commands", + "redirect_document_id": true }, { "source_path": "windows/manage/cortana-at-work-policy-settings.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-policy-settings", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/cortana-at-work-policy-settings", + "redirect_document_id": true }, { "source_path": "windows/manage/cortana-at-work-feedback.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-feedback", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/cortana-at-work-feedback", + "redirect_document_id": true }, { "source_path": "windows/manage/stop-employees-from-using-the-windows-store.md", - "redirect_url": "/itpro/windows/configure/stop-employees-from-using-the-windows-store", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/stop-employees-from-using-the-windows-store", + "redirect_document_id": true }, { "source_path": "windows/manage/configure-devices-without-mdm.md", - "redirect_url": "/itpro/windows/configure/configure-devices-without-mdm", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/configure-devices-without-mdm", + "redirect_document_id": true }, { "source_path": "windows/manage/changes-to-start-policies-in-windows-10.md", - "redirect_url": "/itpro/windows/configure/changes-to-start-policies-in-windows-10", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/changes-to-start-policies-in-windows-10", + "redirect_document_id": true }, { "source_path": "windows/manage/how-it-pros-can-use-configuration-service-providers.md", - "redirect_url": "/itpro/windows/configure/how-it-pros-can-use-configuration-service-providers", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/how-it-pros-can-use-configuration-service-providers", + "redirect_document_id": true }, { "source_path": "windows/manage/lock-down-windows-10.md", - "redirect_url": "/itpro/windows/configure/index", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/index", + "redirect_document_id": true }, { "source_path": "windows/manage/lockdown-features-windows-10.md", - "redirect_url": "/itpro/windows/configure/lockdown-features-windows-10", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/lockdown-features-windows-10", + "redirect_document_id": true }, { "source_path": "windows/manage/manage-wifi-sense-in-enterprise.md", - "redirect_url": "/itpro/windows/configure/manage-wifi-sense-in-enterprise", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/manage-wifi-sense-in-enterprise", + "redirect_document_id": true }, { "source_path": "windows/deploy/provisioning-packages.md", - "redirect_url": "/itpro/windows/configure/provisioning-packages", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/provisioning-packages", + "redirect_document_id": true }, { "source_path": "windows/deploy/provisioning-how-it-works.md", - "redirect_url": "/itpro/windows/configure/provisioning-how-it-works", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/provisioning-how-it-works", + "redirect_document_id": true }, { "source_path": "windows/deploy/provisioning-install-icd.md", - "redirect_url": "/itpro/windows/configure/provisioning-install-icd", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/provisioning-install-icd", + "redirect_document_id": true }, { "source_path": "windows/deploy/provisioning-create-package.md", - "redirect_url": "/itpro/windows/configure/provisioning-create-package", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/provisioning-create-package", + "redirect_document_id": true }, { "source_path": "windows/deploy/provisioning-apply-package.md", - "redirect_url": "/itpro/windows/configure/provisioning-apply-package", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/provisioning-apply-package", + "redirect_document_id": true }, { "source_path": "windows/deploy/provisioning-uninstall-package.md", - "redirect_url": "/itpro/windows/configure/provisioning-uninstall-package", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/provisioning-uninstall-package", + "redirect_document_id": true }, { "source_path": "windows/deploy/provision-pcs-for-initial-deployment.md", - "redirect_url": "/itpro/windows/configure/provision-pcs-for-initial-deployment", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/provision-pcs-for-initial-deployment", + "redirect_document_id": true }, { "source_path": "windows/deploy/provision-pcs-with-apps-and-certificates.md", - "redirect_url": "/itpro/windows/configure/provision-pcs-with-apps-and-certificates", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/provision-pcs-with-apps-and-certificates", + "redirect_document_id": true }, { "source_path": "windows/deploy/provisioning-script-to-install-app.md", - "redirect_url": "/itpro/windows/configure/provisioning-script-to-install-app", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/provisioning-script-to-install-app", + "redirect_document_id": true }, { "source_path": "windows/deploy/provisioning-nfc.md", - "redirect_url": "/itpro/windows/configure/provisioning-nfc", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/provisioning-nfc", + "redirect_document_id": true }, { "source_path": "windows/deploy/provisioning-command-line.md", - "redirect_url": "/itpro/windows/configure/provisioning-command-line", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/provisioning-command-line", + "redirect_document_id": true }, { "source_path": "windows/deploy/provisioning-multivariant.md", - "redirect_url": "/itpro/windows/configure/provisioning-multivariant", - "redirect_document_id": true - }, + "redirect_url": "/itpro/windows/configure/provisioning-multivariant", + "redirect_document_id": true + }, { "source_path": "windows/keep-secure/create-edp-policy-using-intune.md", - "redirect_url": "/itpro/windows/keep-secure/create-wip-policy-using-intune", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/create-wip-policy-using-intune", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", - "redirect_url": "/itpro/windows/keep-secure/create-wip-policy-using-sccm", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/create-wip-policy-using-sccm", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/create-vpn-and-edp-policy-using-intune.md", - "redirect_url": "/itpro/windows/keep-secure/create-vpn-and-wip-policy-using-intune", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/create-vpn-and-wip-policy-using-intune", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/deploy-edp-policy-using-intune.md", - "redirect_url": "/itpro/windows/keep-secure/deploy-wip-policy-using-intune", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/deploy-wip-policy-using-intune", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/guidance-and-best-practices-edp.md", - "redirect_url": "/itpro/windows/keep-secure/guidance-and-best-practices-wip", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/guidance-and-best-practices-wip", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/overview-create-edp-policy.md", - "redirect_url": "/itpro/windows/keep-secure/overview-create-wip-policy", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/overview-create-wip-policy", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/protect-enterprise-data-using-edp.md", - "redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/testing-scenarios-for-edp.md", - "redirect_url": "/itpro/windows/keep-secure/testing-scenarios-for-wip", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/testing-scenarios-for-wip", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/wip-enterprise-overview.md", - "redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/enlightened-microsoft-apps-and-edp.md", - "redirect_url": "/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip", + "redirect_document_id": true }, { "source_path": "windows/configure/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md", - "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", + "redirect_document_id": true }, { "source_path": "windows/configure/disconnect-your-organization-from-microsoft.md", - "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", + "redirect_document_id": true }, { "source_path": "windows/configure/manage-cortana-in-enterprise.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-overview", - "redirect_document_id": true + "redirect_url": "/itpro/windows/configure/cortana-at-work-overview", + "redirect_document_id": true }, { "source_path": "windows/deploy/update-windows-10-images-with-provisioning-packages.md", "redirect_url": "/itpro/windows/configure/provisioning-packages", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/deploy/upgrade-analytics-prepare-your-environment.md", - "redirect_url": "/itpro/windows/deploy/upgrade-analytics-identify-apps", - "redirect_document_id": true + "redirect_url": "/itpro/windows/deploy/upgrade-analytics-identify-apps", + "redirect_document_id": true }, { "source_path": "windows/deploy/upgrade-analytics-release-notes.md", - "redirect_url": "/itpro/windows/deploy/upgrade-analytics-requirements", - "redirect_document_id": true + "redirect_url": "/itpro/windows/deploy/upgrade-analytics-requirements", + "redirect_document_id": true }, { "source_path": "windows/deploy/upgrade-analytics-review-site-discovery.md", - "redirect_url": "/itpro/windows/deploy/upgrade-analytics-additional-insights", - "redirect_document_id": true + "redirect_url": "/itpro/windows/deploy/upgrade-analytics-additional-insights", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md", - "redirect_url": "/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md", - "redirect_url": "https://technet.microsoft.com/library/jj635854.aspx", - "redirect_document_id": true + "redirect_url": "https://technet.microsoft.com/library/jj635854.aspx", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md", - "redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/device-guard-certification-and-compliance.md", - "redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md", - "redirect_url": "/itpro/windows/keep-secure/hello-enable-phone-signin", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/hello-enable-phone-signin", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md", - "redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/implement-microsoft-passport-in-your-organization.md", - "redirect_url": "/itpro/windows/keep-secure/hello-manage-in-organization", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/hello-manage-in-organization", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/manage-identity-verification-using-microsoft-passport.md", - "redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/microsoft-passport-and-password-changes.md", - "redirect_url": "/itpro/windows/keep-secure/hello-and-password-changes", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/hello-and-password-changes", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/microsoft-passport-errors-during-pin-creation.md", - "redirect_url": "/itpro/windows/keep-secure/hello-errors-during-pin-creation", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/hello-errors-during-pin-creation", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/microsoft-passport-guide.md", - "redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md", - "redirect_url": "/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/passport-event-300.md", "redirect_url": "/itpro/windows/keep-secure/hello-event-300", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/keep-secure/prepare-people-to-use-microsoft-passport.md", - "redirect_url": "/itpro/windows/keep-secure/hello-prepare-people-to-use", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/hello-prepare-people-to-use", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/why-a-pin-is-better-than-a-password.md", - "redirect_url": "/itpro/windows/keep-secure/hello-why-pin-is-better-than-password", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/hello-why-pin-is-better-than-password", + "redirect_document_id": true }, { "source_path": "windows/keep-secure/windows-hello-in-enterprise.md", - "redirect_url": "/itpro/windows/keep-secure/hello-biometrics-in-enterprise", - "redirect_document_id": true + "redirect_url": "/itpro/windows/keep-secure/hello-biometrics-in-enterprise", + "redirect_document_id": true }, { "source_path": "windows/manage/app-inventory-managemement-windows-store-for-business.md", - "redirect_url": "/itpro/windows/manage/app-inventory-management-windows-store-for-business", - "redirect_document_id": true + "redirect_url": "/itpro/windows/manage/app-inventory-management-windows-store-for-business", + "redirect_document_id": true }, { "source_path": "windows/manage/application-development-for-windows-as-a-service.md", - "redirect_url": "https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service", - "redirect_document_id": true + "redirect_url": "https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service", + "redirect_document_id": true }, { "source_path": "windows/manage/appv-accessibility.md", - "redirect_url": "/itpro/windows/manage/appv-getting-started", - "redirect_document_id": true + "redirect_url": "/itpro/windows/manage/appv-getting-started", + "redirect_document_id": true }, { "source_path": "windows/manage/appv-accessing-the-client-management-console.md", - "redirect_url": "/itpro/windows/manage/appv-using-the-client-management-console", - "redirect_document_id": true + "redirect_url": "/itpro/windows/manage/appv-using-the-client-management-console", + "redirect_document_id": true }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, - ] } \ No newline at end of file From cb6889d2e87502d60dbaf7d4dcac121c94799da1 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 16 Feb 2017 14:46:42 -0800 Subject: [PATCH 37/65] update toc order --- windows/keep-secure/TOC.md | 43 +++++++++++++++++++++++++++++++++----- 1 file changed, 38 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 3a3d3bcda1..374e888b9b 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -722,6 +722,7 @@ #### [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md) ### [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) #### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) +#### [Preview features and updates](preview-windows-defender-advanced-threat-protection.md) #### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) #### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md) #### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) @@ -735,21 +736,53 @@ ##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) #### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) #### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) -##### [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +##### [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) ##### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) ##### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) +###### [Alert process tree](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree) +###### [Incident graph](investigate-alerts-windows-defender-advanced-threat-protection.md#incident-graph) +###### [Alert timeline](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline) ##### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) ##### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) ##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) +##### [View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) +##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) +###### [Search for specific alerts](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts) +###### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) +###### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) +###### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) +##### [Investigate a user account](investigate-user-entity-windows-defender-advanced-threat-protection.md) ##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) -#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md) +#### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md) +##### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) +###### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) +###### [Undo machine isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation) +###### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package) +###### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) +##### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md) +###### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) +###### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) +###### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) +###### [Check activity details in Action center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) +###### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) +####### [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) +####### [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) +####### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) #### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) ##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) ##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) ##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -#### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) +#### [Check sensor status](check-sensor-status-windows-defender-advanced-threat-protection.md) +##### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) +###### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) +###### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) +#### [Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md) +##### [Update general settings](general-settings-windows-defender-advanced-threat-protection.md) +##### [Turn on advanced features](advanced-features-windows-defender-advacned-threat-protection.md) +##### [Turn on preview experience](preview-settings-windows-defender-advanced-threat-protection.md) +##### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) +#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) +#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md) #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) #### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) From ca23d271824246f5840e61c1e2c8ec7a97ec8929 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 16 Feb 2017 14:52:56 -0800 Subject: [PATCH 38/65] Revert "update toc order" This reverts commit cb6889d2e87502d60dbaf7d4dcac121c94799da1. --- windows/keep-secure/TOC.md | 43 +++++--------------------------------- 1 file changed, 5 insertions(+), 38 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 374e888b9b..3a3d3bcda1 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -722,7 +722,6 @@ #### [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md) ### [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) #### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) -#### [Preview features and updates](preview-windows-defender-advanced-threat-protection.md) #### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) #### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md) #### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) @@ -736,53 +735,21 @@ ##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) #### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) #### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) -##### [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +##### [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) ##### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) ##### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -###### [Alert process tree](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree) -###### [Incident graph](investigate-alerts-windows-defender-advanced-threat-protection.md#incident-graph) -###### [Alert timeline](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline) +##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) ##### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) ##### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) ##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) -##### [View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) -###### [Search for specific alerts](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts) -###### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) -###### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) -###### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) -##### [Investigate a user account](investigate-user-entity-windows-defender-advanced-threat-protection.md) ##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -#### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md) -##### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) -###### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) -###### [Undo machine isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation) -###### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package) -###### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) -##### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md) -###### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) -###### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) -###### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) -###### [Check activity details in Action center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) -###### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) -####### [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) -####### [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) -####### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) +#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) +#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md) #### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) ##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) ##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) ##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -#### [Check sensor status](check-sensor-status-windows-defender-advanced-threat-protection.md) -##### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) -###### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) -###### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) -#### [Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md) -##### [Update general settings](general-settings-windows-defender-advanced-threat-protection.md) -##### [Turn on advanced features](advanced-features-windows-defender-advacned-threat-protection.md) -##### [Turn on preview experience](preview-settings-windows-defender-advanced-threat-protection.md) -##### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) -#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) -#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md) +#### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) #### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) From efcfec78dda9220fab392e08f9e8e0dce2d37816 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 16 Feb 2017 17:27:05 -0800 Subject: [PATCH 39/65] fixes --- .../deploy/windows-10-poc-sc-config-mgr.md | 101 ++++++++++-------- 1 file changed, 57 insertions(+), 44 deletions(-) diff --git a/windows/deploy/windows-10-poc-sc-config-mgr.md b/windows/deploy/windows-10-poc-sc-config-mgr.md index 5d553fb969..ff0b497b45 100644 --- a/windows/deploy/windows-10-poc-sc-config-mgr.md +++ b/windows/deploy/windows-10-poc-sc-config-mgr.md @@ -207,7 +207,7 @@ Topics and procedures in this guide are summarized in the following table. An es ## Download MDOP and install DaRT -1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/en-us/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso) to the C:\VHD directory on the Hyper-V host. +1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/en-us/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host. 2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: @@ -292,19 +292,19 @@ This section contains several procedures to support Zero Touch installation with 2. In the System Center Configuration Manager console, in the **Administration** workspace, click **Distribution Points**. 3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**. 4. On the PXE tab, select the following settings: - - Enable PXE support for clients. Click **Yes** in the popup that appears. - - Allow this distribution point to respond to incoming PXE requests - - Enable unknown computer support. Click **OK** in the popup that appears. - - Require a password when computers use PXE - - Password and Confirm password: pass@word1 - - Respond to PXE requests on specific network interfaces: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. + - **Enable PXE support for clients**. Click **Yes** in the popup that appears. + - **Allow this distribution point to respond to incoming PXE requests** + - **Enable unknown computer support**. Click **OK** in the popup that appears. + - **Require a password when computers use PXE** + - **Password** and **Confirm password**: pass@word1 + - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. See the following example: Config Mgr PXE 5. Click **OK**. -6. Type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: +6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: ``` cmd /c dir /b C:\RemoteInstall\SMSBoot\x64 @@ -340,7 +340,7 @@ This section contains several procedures to support Zero Touch installation with >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image. -## Create a boot image for Configuration Manager +### Create a boot image for Configuration Manager 1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**. 2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**. @@ -357,13 +357,15 @@ This section contains several procedures to support Zero Touch installation with ``` Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' ``` - >In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: + + In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: - ``` - STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C) - ``` -11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Doublt-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. -12. In the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab. + ``` + STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C) + ``` + +11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. +12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab. 13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**. 14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example: @@ -380,7 +382,7 @@ This section contains several procedures to support Zero Touch installation with >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT. -## Create a Windows 10 reference image +### Create a Windows 10 reference image If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section. @@ -534,7 +536,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**. -## Add a Windows 10 operating system image +### Add a Windows 10 operating system image 1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: @@ -553,11 +555,11 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. -7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar, click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes. +7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar (be sure there is no space at the end of the location or you will get an error), click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes. >If content distribution is not successful, verify that sufficient disk space is available. -## Create a task sequence +### Create a task sequence >Complete this section slowly. There are a large number of similar settings from which to choose. @@ -567,37 +569,37 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**. -4. On the Details page, enter the following settings:
    - - Join a domain: contoso.com
    - - Account: click **Set**
    - - User name: contoso\CM_JD
    - - Password: pass@word1
    - - Confirm password: pass@word1
    - - Click **OK**
    - - Windows Settings
    - - User name: Contoso
    - - Organization name: Contoso
    - - Product key: \
    - - Administrator Account: Enable the account and specify the local administrator password
    - - Password: pass@word1
    - - Confirm password: pass@word1
    - - Click Next
    +4. On the Details page, enter the following settings: + - Join a domain: **contoso.com** + - Account: click **Set** + - User name: **contoso\CM_JD** + - Password: **pass@word1** + - Confirm password: **pass@word1** + - Click **OK** + - Windows Settings + - User name: **Contoso** + - Organization name: **Contoso** + - Product key: \ + - Administrator Account: **Enable the account and specify the local administrator password** + - Password: **pass@word1** + - Confirm password: **pass@word1** + - Click **Next** 5. On the Capture Settings page, accept the default settings and click **Next**. -6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package and then click **Next**. +6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, click **OK**, and then click **Next**. -7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT 2013**, and then click **Next**. +7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then click **Next**. -8. On the MDT Details page, next to **Name:** type **MDT 2013** and then click **Next**. +8. On the MDT Details page, next to **Name:** type **MDT** and then click **Next**. -9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, and then click **Next**. +9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, click **OK**, and then click **Next**. 10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and click **Next**. -11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package** and then click **Next**. +11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package**, click **OK**, and then click **Next**. -12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 8 10.0.14393.0** package, and then click **Next**. +12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, click **OK**, and then click **Next**. 13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then click **Next**. @@ -640,7 +642,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi - Click **OK**
    . -## Finalize the operating system configuration +### Finalize the operating system configuration >If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini. @@ -670,7 +672,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi [Settings] Priority=Default Properties=OSDMigrateConfigFiles,OSDMigrateMode - + [Default] DoCapture=NO ComputerBackupLocation=NONE @@ -681,6 +683,14 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi EventService=http://SRV1:9800 ApplyGPOPack=NO ``` + + >As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts: + + ``` + OSDMigrateAdditionalCaptureOptions=/all + ``` + + 7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears. 8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**. @@ -705,6 +715,8 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi ## Deploy Windows 10 using PXE and Configuration Manager +In this first deployment scenario, we will deploy Windows 10 using PXE. This scenario creates a new computer that does not have any migrated users or settings. + 1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ``` @@ -718,7 +730,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 3. In the Task Sequence Wizard, provide the password: **pass@word1**, and then click **Next**. -4. Before you click Next in the Task Sequence Wizard, press the **F8** key. A command prompt will open. +4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open. 5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. @@ -745,6 +757,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi - Join the computer to the contoso.com domain - Install any applications that were specified in the reference image + 12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account. 13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click Turn Windows features on or off, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image. @@ -927,7 +940,7 @@ vmconnect localhost PC1 - Task sequence comments: **USMT backup only** 4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue. -5. On the MDT Package page, browse and select the **MDT 2013** package. Click **OK** and then click **Next** to continue. +5. On the MDT Package page, browse and select the **MDT** package. Click **OK** and then click **Next** to continue. 6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue. 7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue. 8. On the Summary page, review the details and then click **Next**. From b3dff896604b09450a3d01e609ff34c1b7ca8ddc Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Thu, 16 Feb 2017 18:15:35 -0800 Subject: [PATCH 40/65] waas-DO - changes following PM review --- windows/manage/waas-delivery-optimization.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index 0090502c90..fcaf02a4f4 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md @@ -55,13 +55,16 @@ When configuring Delivery Optimization on Windows 10 devices, the first and most While every other feature setting is optional, they offer enhanced control of the Delivery Optimization behavior. -[Group ID](#group-id) enables administrators to create custom device groups that will share content between devices in the group. +[Group ID](#group-id), combined with Group [Download mode](#download-mode), enables administrators to create custom device groups that will share content between devices in the group. -Delivery Optimization uses locally cached updates. In cases where devices have limited local storage space, or if you would rather control cache usage, various settings can be used to control that: +Delivery Optimization uses locally cached updates. In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the settings below to adjust the Delivery Optimization cache to suit your scenario: - [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use. - [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache. - The system drive is the default location for the Delivery Optimization cache. [Modify Cache Drive](#modify-cache-drive) allows administrators to change that location. +>[!NOTE] +>It is possible to configure preferred cache devices. For more information, see [Set “preferred” cache devices for Delivery Optimization](#set-preferred-cache-devices). + There are additional options available to robustly control the impact Delivery Optimization has on your network: - [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) controls the download bandwidth used by Delivery Optimization. - [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage. @@ -129,6 +132,7 @@ This setting allows for an alternate Delivery Optimization cache location on the This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB. + ## Set “preferred” cache devices for Delivery Optimization In some cases, IT pros may have an interest in identifying specific devices that will be “preferred” as sources to other devices—for example, devices that have hard-wired connections, large drives that you can use as caches, or a high-end hardware profile. These preferred devices will act as a “master” for the update content related to that devices’s configuration (Delivery Optimization only caches content relative to the client downloading the content). From 125641c10f3287b98a4f99df0f6c2a23bae43940 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 17 Feb 2017 09:38:31 -0800 Subject: [PATCH 41/65] Adding content --- .openpublishing.redirection.json | 437 +++++- ...pv-client-for-shared-content-store-mode.md | 4 - ...with-the-admx-template-and-group-policy.md | 4 - ...grating-from-a-previous-version-of-appv.md | 4 - ...-devices-to-stop-data-flow-to-microsoft.md | 4 - ...onnect-your-organization-from-microsoft.md | 4 - .../introduction-to-windows-10-servicing.md | 493 ------- .../manage/manage-cortana-in-enterprise.md | 5 - ...ge-inventory-windows-store-for-business.md | 10 - windows/manage/uev-accessibility.md | 4 - windows/manage/uev-privacy-statement.md | 4 - .../plan/act-community-ratings-and-process.md | 5 - windows/plan/act-database-configuration.md | 5 - windows/plan/act-database-migration.md | 5 - windows/plan/act-deployment-options.md | 5 - windows/plan/act-glossary.md | 5 - windows/plan/act-lps-share-permissions.md | 5 - .../act-operatingsystem-application-report.md | 5 - .../act-operatingsystem-computer-report.md | 5 - .../plan/act-operatingsystem-device-report.md | 5 - ...act-product-and-documentation-resources.md | 13 - ...act-settings-dialog-box-preferences-tab.md | 5 - .../act-settings-dialog-box-settings-tab.md | 5 - windows/plan/act-toolbar-icons-in-acm.md | 5 - .../plan/act-tools-packages-and-services.md | 5 - windows/plan/act-user-interface-reference.md | 5 - .../activating-and-closing-windows-in-acm.md | 13 - windows/plan/adding-or-editing-a-solution.md | 5 - windows/plan/adding-or-editing-an-issue.md | 5 - .../plan/analyzing-your-compatibility-data.md | 5 - windows/plan/application-dialog-box.md | 5 - .../categorizing-your-compatibility-data.md | 5 - windows/plan/chromebook-migration-guide.md | 854 ----------- windows/plan/common-compatibility-issues.md | 6 - .../plan/compatibility-monitor-users-guide.md | 5 - windows/plan/computer-dialog-box.md | 5 - windows/plan/configuring-act.md | 5 - .../creating-a-runtime-analysis-package.md | 11 - ...e-environment-for-compatibility-testing.md | 5 - ...creating-an-inventory-collector-package.md | 5 - ...eating-and-editing-issues-and-solutions.md | 5 - windows/plan/customizing-your-report-views.md | 5 - ...gh-the-microsoft-compatibility-exchange.md | 5 - ...x-an-application-or-deploy-a-workaround.md | 5 - .../deciding-which-applications-to-test.md | 5 - .../deleting-a-data-collection-package.md | 5 - windows/plan/deploy-windows-10-in-a-school.md | 1263 ----------------- .../deploying-a-runtime-analysis-package.md | 5 - ...eploying-an-inventory-collector-package.md | 5 - windows/plan/example-filter-queries.md | 5 - .../exporting-a-data-collection-package.md | 5 - .../plan/filtering-your-compatibility-data.md | 5 - windows/plan/fixing-compatibility-issues.md | 5 - ...ying-computers-for-inventory-collection.md | 5 - .../integration-with-management-solutions-.md | 53 - .../plan/internet-explorer-web-site-report.md | 5 - windows/plan/labeling-data-in-acm.md | 5 - ...-locations-for-data-collection-packages.md | 5 - .../managing-your-data-collection-packages.md | 5 - ...ganizational-tasks-for-each-report-type.md | 5 - .../organizing-your-compatibility-data.md | 5 - .../prioritizing-your-compatibility-data.md | 5 - windows/plan/ratings-icons-in-acm.md | 5 - windows/plan/resolving-an-issue.md | 5 - .../saving-opening-and-exporting-reports.md | 5 - ...d-and-receive-status-for-an-application.md | 5 - .../selecting-your-compatibility-rating.md | 5 - .../plan/selecting-your-deployment-status.md | 5 - ...ending-and-receiving-compatibility-data.md | 5 - windows/plan/settings-for-acm.md | 5 - windows/plan/setup-and-deployment.md | 184 --- windows/plan/software-requirements-for-act.md | 5 - windows/plan/software-requirements-for-rap.md | 5 - .../taking-inventory-of-your-organization.md | 5 - ...ng-compatibility-on-the-target-platform.md | 5 - .../troubleshooting-act-database-issues.md | 5 - windows/plan/troubleshooting-act.md | 5 - ...leshooting-the-act-configuration-wizard.md | 5 - ...shooting-the-act-log-processing-service.md | 5 - windows/plan/using-act.md | 5 - ...-compatibility-monitor-to-send-feedback.md | 5 - .../viewing-your-compatibility-reports.md | 5 - windows/plan/websiteurl-dialog-box.md | 5 - windows/plan/welcome-to-act.md | 5 - windows/plan/whats-new-in-act-60.md | 5 - 85 files changed, 435 insertions(+), 3265 deletions(-) delete mode 100644 windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md delete mode 100644 windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md delete mode 100644 windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md delete mode 100644 windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md delete mode 100644 windows/manage/disconnect-your-organization-from-microsoft.md delete mode 100644 windows/manage/introduction-to-windows-10-servicing.md delete mode 100644 windows/manage/manage-cortana-in-enterprise.md delete mode 100644 windows/manage/manage-inventory-windows-store-for-business.md delete mode 100644 windows/manage/uev-accessibility.md delete mode 100644 windows/manage/uev-privacy-statement.md delete mode 100644 windows/plan/act-community-ratings-and-process.md delete mode 100644 windows/plan/act-database-configuration.md delete mode 100644 windows/plan/act-database-migration.md delete mode 100644 windows/plan/act-deployment-options.md delete mode 100644 windows/plan/act-glossary.md delete mode 100644 windows/plan/act-lps-share-permissions.md delete mode 100644 windows/plan/act-operatingsystem-application-report.md delete mode 100644 windows/plan/act-operatingsystem-computer-report.md delete mode 100644 windows/plan/act-operatingsystem-device-report.md delete mode 100644 windows/plan/act-product-and-documentation-resources.md delete mode 100644 windows/plan/act-settings-dialog-box-preferences-tab.md delete mode 100644 windows/plan/act-settings-dialog-box-settings-tab.md delete mode 100644 windows/plan/act-toolbar-icons-in-acm.md delete mode 100644 windows/plan/act-tools-packages-and-services.md delete mode 100644 windows/plan/act-user-interface-reference.md delete mode 100644 windows/plan/activating-and-closing-windows-in-acm.md delete mode 100644 windows/plan/adding-or-editing-a-solution.md delete mode 100644 windows/plan/adding-or-editing-an-issue.md delete mode 100644 windows/plan/analyzing-your-compatibility-data.md delete mode 100644 windows/plan/application-dialog-box.md delete mode 100644 windows/plan/categorizing-your-compatibility-data.md delete mode 100644 windows/plan/chromebook-migration-guide.md delete mode 100644 windows/plan/common-compatibility-issues.md delete mode 100644 windows/plan/compatibility-monitor-users-guide.md delete mode 100644 windows/plan/computer-dialog-box.md delete mode 100644 windows/plan/configuring-act.md delete mode 100644 windows/plan/creating-a-runtime-analysis-package.md delete mode 100644 windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md delete mode 100644 windows/plan/creating-an-inventory-collector-package.md delete mode 100644 windows/plan/creating-and-editing-issues-and-solutions.md delete mode 100644 windows/plan/customizing-your-report-views.md delete mode 100644 windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md delete mode 100644 windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md delete mode 100644 windows/plan/deciding-which-applications-to-test.md delete mode 100644 windows/plan/deleting-a-data-collection-package.md delete mode 100644 windows/plan/deploy-windows-10-in-a-school.md delete mode 100644 windows/plan/deploying-a-runtime-analysis-package.md delete mode 100644 windows/plan/deploying-an-inventory-collector-package.md delete mode 100644 windows/plan/example-filter-queries.md delete mode 100644 windows/plan/exporting-a-data-collection-package.md delete mode 100644 windows/plan/filtering-your-compatibility-data.md delete mode 100644 windows/plan/fixing-compatibility-issues.md delete mode 100644 windows/plan/identifying-computers-for-inventory-collection.md delete mode 100644 windows/plan/integration-with-management-solutions-.md delete mode 100644 windows/plan/internet-explorer-web-site-report.md delete mode 100644 windows/plan/labeling-data-in-acm.md delete mode 100644 windows/plan/log-file-locations-for-data-collection-packages.md delete mode 100644 windows/plan/managing-your-data-collection-packages.md delete mode 100644 windows/plan/organizational-tasks-for-each-report-type.md delete mode 100644 windows/plan/organizing-your-compatibility-data.md delete mode 100644 windows/plan/prioritizing-your-compatibility-data.md delete mode 100644 windows/plan/ratings-icons-in-acm.md delete mode 100644 windows/plan/resolving-an-issue.md delete mode 100644 windows/plan/saving-opening-and-exporting-reports.md delete mode 100644 windows/plan/selecting-the-send-and-receive-status-for-an-application.md delete mode 100644 windows/plan/selecting-your-compatibility-rating.md delete mode 100644 windows/plan/selecting-your-deployment-status.md delete mode 100644 windows/plan/sending-and-receiving-compatibility-data.md delete mode 100644 windows/plan/settings-for-acm.md delete mode 100644 windows/plan/setup-and-deployment.md delete mode 100644 windows/plan/software-requirements-for-act.md delete mode 100644 windows/plan/software-requirements-for-rap.md delete mode 100644 windows/plan/taking-inventory-of-your-organization.md delete mode 100644 windows/plan/testing-compatibility-on-the-target-platform.md delete mode 100644 windows/plan/troubleshooting-act-database-issues.md delete mode 100644 windows/plan/troubleshooting-act.md delete mode 100644 windows/plan/troubleshooting-the-act-configuration-wizard.md delete mode 100644 windows/plan/troubleshooting-the-act-log-processing-service.md delete mode 100644 windows/plan/using-act.md delete mode 100644 windows/plan/using-compatibility-monitor-to-send-feedback.md delete mode 100644 windows/plan/viewing-your-compatibility-reports.md delete mode 100644 windows/plan/websiteurl-dialog-box.md delete mode 100644 windows/plan/welcome-to-act.md delete mode 100644 windows/plan/whats-new-in-act-60.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 1b59d592e8..18cbe2fcf4 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -369,7 +369,7 @@ "source_path": "windows/deploy/provisioning-multivariant.md", "redirect_url": "/itpro/windows/configure/provisioning-multivariant", "redirect_document_id": true - }, + }, { "source_path": "windows/keep-secure/create-edp-policy-using-intune.md", "redirect_url": "/itpro/windows/keep-secure/create-wip-policy-using-intune", @@ -555,5 +555,438 @@ "redirect_url": "/itpro/windows/manage/appv-using-the-client-management-console", "redirect_document_id": true }, + { + "source_path": "windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md", + "redirect_url": "/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md", + "redirect_url": "/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md", + "redirect_url": "/itpro/windows/manage/appv-migrating-to-appv-from-a-previous-version", + "redirect_document_id": true + }, + { + "source_path": "", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md", + "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/disconnect-your-organization-from-microsoft.md", + "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/introduction-to-windows-10-servicing.md", + "redirect_url": "/itpro/windows/update/index", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/manage-cortana-in-enterprise.md", + "redirect_url": "/itpro/windows/configure/cortana-at-work-overview", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/manage-inventory-windows-store-for-business.md", + "redirect_url": "/itpro/windows/manage/app-inventory-managemement-windows-store-for-business", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/uev-accessibility.md", + "redirect_url": "/itpro/windows/manage/uev-for-windows", + "redirect_document_id": true + }, + { + "source_path": "windows/manage/uev-privacy-statement.md", + "redirect_url": "/itpro/windows/manage/uev-security-considerations", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/act-community-ratings-and-process.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/act-database-configuration.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/act-database-migration.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/act-deployment-options.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/act-glossary.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/activating-and-closing-windows-in-acm.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/act-lps-share-permissions.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/act-operatingsystem-application-report.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/act-operatingsystem-computer-report.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/act-operatingsystem-device-report.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/act-product-and-documentation-resources.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/act-settings-dialog-box-preferences-tab.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/act-settings-dialog-box-settings-tab.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/act-toolbar-icons-in-acm.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/act-tools-packages-and-services.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/act-user-interface-reference.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/adding-or-editing-an-issue.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/adding-or-editing-a-solution.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/analyzing-your-compatibility-data.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/application-dialog-box.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/categorizing-your-compatibility-data.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/chromebook-migration-guide.md", + "redirect_url": "edu/windows/chromebook-migration-guide", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/common-compatibility-issues.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/compatibility-monitor-users-guide.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/computer-dialog-box.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/configuring-act.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/creating-and-editing-issues-and-solutions.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/creating-an-inventory-collector-package.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/creating-a-runtime-analysis-package.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/customizing-your-report-views.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/deciding-which-applications-to-test.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/deleting-a-data-collection-package.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/deploying-an-inventory-collector-package.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/deploying-a-runtime-analysis-package.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/deploy-windows-10-in-a-school.md", + "redirect_url": "/edu/windows/deploy-windows-10-in-a-school", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/example-filter-queries.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/exporting-a-data-collection-package.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/filtering-your-compatibility-data.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/fixing-compatibility-issues.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/identifying-computers-for-inventory-collection.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/integration-with-management-solutions-.md", + "redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/internet-explorer-web-site-report.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/labeling-data-in-acm.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/log-file-locations-for-data-collection-packages.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/managing-your-data-collection-packages.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/organizational-tasks-for-each-report-type.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/organizing-your-compatibility-data.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/prioritizing-your-compatibility-data.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/ratings-icons-in-acm.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/resolving-an-issue.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/saving-opening-and-exporting-reports.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/selecting-the-send-and-receive-status-for-an-application.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/selecting-your-compatibility-rating.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/selecting-your-deployment-status.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/sending-and-receiving-compatibility-data.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/settings-for-acm.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/setup-and-deployment.md", + "redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/software-requirements-for-act.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/software-requirements-for-rap.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/taking-inventory-of-your-organization.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/testing-compatibility-on-the-target-platform.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/troubleshooting-act.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/troubleshooting-act-database-issues.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/troubleshooting-the-act-configuration-wizard.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/troubleshooting-the-act-log-processing-service.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/using-act.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/using-compatibility-monitor-to-send-feedback.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/viewing-your-compatibility-reports.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/websiteurl-dialog-box.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/welcome-to-act.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/whats-new-in-act-60.md", + "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", + "redirect_document_id": true + }, + + + + + + + + ] -} \ No newline at end of file +} diff --git a/windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md b/windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md deleted file mode 100644 index 77ee61220b..0000000000 --- a/windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: How to Install the App-V Client for Shared Content Store Mode (Windows 10) -redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client ---- diff --git a/windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md b/windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md deleted file mode 100644 index 5d1058e257..0000000000 --- a/windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: How to Modify App-V Client Configuration Using the ADMX Template and Group Policy (Windows 10) -redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client ---- diff --git a/windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md b/windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md deleted file mode 100644 index 5b98eac02b..0000000000 --- a/windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Planning for Migrating from a Previous Version of App-V (Windows 10) -redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-migrating-to-appv-from-a-previous-version ---- diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md deleted file mode 100644 index 8a9777af29..0000000000 --- a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10) -redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services ---- \ No newline at end of file diff --git a/windows/manage/disconnect-your-organization-from-microsoft.md b/windows/manage/disconnect-your-organization-from-microsoft.md deleted file mode 100644 index 8a9777af29..0000000000 --- a/windows/manage/disconnect-your-organization-from-microsoft.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10) -redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services ---- \ No newline at end of file diff --git a/windows/manage/introduction-to-windows-10-servicing.md b/windows/manage/introduction-to-windows-10-servicing.md deleted file mode 100644 index f57d4145be..0000000000 --- a/windows/manage/introduction-to-windows-10-servicing.md +++ /dev/null @@ -1,493 +0,0 @@ ---- -title: Windows 10 servicing options for updates and upgrades (Windows 10) -description: This article describes the new servicing options available in Windows 10. -ms.assetid: D1DEB7C0-283F-4D7F-9A11-EE16CB242B42 -keywords: update, LTSB, lifecycle, Windows update, upgrade -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security, servicing -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10 ---- - -# Windows 10 servicing options - -**Applies to** -- Windows 10 -- Windows 10 IoT Core (IoT Core) - -This article provides detailed information about new servicing options available in Windows 10 and IoT Core. It also provides information on how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles. Before reading this article, you should understand the new Windows 10 servicing model. For an overview of this servicing model, see: [Windows 10 servicing overview](../plan/windows-10-servicing-options.md). - -For Windows 10 current version numbers by servicing option see: [Windows 10 release information](https://technet.microsoft.com/en-us/windows/mt679505.aspx). -  -## Key terminology - -The following terms are used When discussing the new Windows 10 servicing model: - - - - - - - - - - - - - - - - - - - - - - -
    **Term****Description**
    UpgradeA new Windows 10 release that contains additional features and capabilities, released two to three times per year.
    UpdatePackages of security fixes, reliability fixes, and other bug fixes that are released periodically, typically once a month on Update Tuesday (sometimes referred to as Patch Tuesday). With Windows 10, these are cumulative in nature.
    BranchThe windows servicing branch is one of four choices: Windows Insider, Current Branch, Current Branch for Business, or Long-Term Servicing Branch. Branches are determined by the frequency with which the computer is configured to receive feature updates.
    RingA ring is a groups of PCs that are all on the same branch and have the same update settings. Rings can be used internally by organizations to better control the upgrade rollout process.
    - -## Windows 10 servicing - -The following table provides an overview of the planning implications of the three Windows 10 servicing options so that IT administrators can be well-grounded conceptually before they start a Windows 10 deployment project. - -Table 1. Windows 10 servicing options - -| Servicing option | Availability of new feature upgrades for installation | Minimum length of servicing lifetime | Key benefits | Supported editions | -|-----------------------------------|-----------------------------------------------------------|--------------------------------------|-------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------| -| Current Branch (CB) | Immediately after first published by Microsoft | Approximately 4 months | Makes new features available to users as soon as possible | Home, Pro, Education, Enterprise, IoT Core, Windows 10 IoT Core Pro (IoT Core Pro) | -| Current Branch for Business (CBB) | Approximately 4 months after first published by Microsoft | Approximately 8 months | Provides additional time to test new feature upgrades before deployment | Pro, Education, Enterprise, IoT Core Pro | -| Long-Term Servicing Branch (LTSB) | Immediately after published by Microsoft | 10 Years | Enables long-term deployment of selected Windows 10 releases in low-change configurations | Enterprise LTSB | -  -## Streamlined product development and release cycles - -**Product cycles and builds** - -The Windows engineering team adds new features and functionality to Windows through *product cycles* comprised of development, testing, and release phases. Each day during a product cycle, the team compiles the source code for Windows and assembles the output into a *build* that users can install on their devices. The first recipients of builds are Microsoft employees who begin what Microsoft calls *selfhost* testing. - -**Testing and release prior to Windows 10** - -Prior to Windows 10, Microsoft issued and extensively tested many builds internally before selecting one for testing outside Microsoft. After repeating the external test cycle several times against builds of progressively better quality, the engineering team selected a build to enter the release phase. At the end of this phase, the team published the build as a new version of Windows – an event referred to as the *Release to Manufacturing* (RTM) milestone. In total, product cycles took between one and three years to complete, with testing and release processes taking up as much as half of the total investment in time. - -**A different approach for Windows 10** - -In today’s environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years. Additionally, new releases must be made available on a continual basis, and must be deployable with minimal impact on users. Microsoft designed Windows 10 to meet these requirements by implementing a new approach to innovation development and delivery called *Windows as a Service* (WaaS). -The key to enabling significantly shorter product cycles while maintaining high quality levels is an innovative community-centric approach to testing that Microsoft has implemented for Windows 10. The community, known as Windows Insiders, is comprised of millions of users around the world. When Windows Insiders opt in to the community, they test many builds over the course of a product cycle, and provide feedback to Microsoft through an iterative methodology called *flighting*. -Builds distributed as *flights* provide the Windows engineering team with significant data regarding how well builds are performing in actual use. Flighting with Windows Insiders also enables Microsoft to test builds in much more diverse hardware, application, and networking environments than in the past, and to identify issues far more quickly. As a result, Microsoft believes that community-focused flighting will enable both a faster pace of innovation delivery, and better public release quality than ever. - -**Windows 10 release types and cadences** - -Although Microsoft releases flight builds to Windows Insiders, Microsoft will publish two types of Windows 10 releases broadly to the public on an ongoing basis: -- **Feature upgrades** that install the latest new features, experiences, and capabilities on devices that are already running Windows 10. Because feature upgrades contain an entire copy of Windows, they are also what customers use to install Windows 10 on existing devices running Windows 7 or Windows 8.1, and on new devices where no operating system is installed. -- **Servicing updates** that focus on the installation of security fixes and other important updates. -Microsoft expects to publish an average of two to three new feature upgrades per year, and to publish servicing updates as needed for any feature upgrades that are still in support. Microsoft will continue publishing servicing updates on Update Tuesday (sometimes referred to as Patch Tuesday). Additionally, Microsoft may publish additional servicing updates for Windows 10 outside the Update Tuesday process when required to address customer needs. - -**The cumulative nature of all Windows 10 releases** -It is important to note that, in order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10 will be *cumulative*. This means new feature upgrades and servicing updates will contain the *payloads* of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 servicing update. For example, if a servicing update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes.   - -## New Windows 10 delivery and installation alternatives - -As with earlier releases of Windows, Windows 10 includes support for the deployment of new releases using Windows Update, Windows Server Update Services, System Center Configuration Manager, and third-party configuration management tools. Because of the importance of the Windows as a Service (WaaS) approach to delivering innovations to businesses, and the proven ability of Windows Update to deploy releases quickly and seamlessly to consumers and small businesses, several of the largest investments in Windows 10 focus on enabling broader use of Windows Update within enterprises. - -**Windows Update use by consumers and small businesses** - -Since Microsoft introduced the first generation of Windows Update with Windows 95, Windows Update has evolved to become the standard way for consumers and small businesses to help keep devices running Windows secure and running reliably. Almost one billion Windows devices communicate with the Windows Update service on a regular basis. The process of downloading and installing updates has evolved to be less and less obtrusive to users. More recently, Microsoft also has used Windows Update to deliver larger, feature-centric updates, such as the upgrade from Windows 8 to Windows 8.1, and is using Windows Update to upgrade devices running Windows 7 and Windows 8.1 to Windows 10. - -**Windows Update use within enterprises** - -Although Windows Update greatly simplifies and accelerates update deployment, enterprises are not using Windows Update as broadly as consumers and small businesses. This is largely because Windows Update maintains control over which updates are installed and the timing of installation. This makes it difficult for IT administrators to test updates before deployment in their specific environment. - -**The role of Windows Server Update Services** - -To help address the concerns of IT administrators, Microsoft released Windows Server Update Services in 2005. Windows Server Update Services enables IT administrators to obtain the updates that Windows Update determines are applicable to the devices in their enterprise, perform additional testing and evaluation on the updates, and select the updates they want to install. Windows Server Update Services also provides IT administrators with an all or nothing way to specify when they want an approved update to be installed. Because IT administrators ultimately select and install most updates identified by Windows Update, the role of Windows Server Update Services in many enterprises is to provide IT administrators with the additional time they need to gain confidence in the quality of updates prior to deployment. - -**New Windows Update capabilities in Windows 10** - -To enable enterprises to manage more of their devices using Windows Update directly, Windows 10 provides IT administrators with a way to configure devices so that Windows Update will defer new feature upgrade installations until approximately four months after Microsoft first publishes them. The additional time can be used to perform testing or enable releases to gain additional time in market prior to deployment. -At the end of each approximately four month period, Microsoft executes a set of processes that require no action from enterprise IT administrators. First, Microsoft creates new installation media for the feature upgrade by combining the original installation media with all the servicing updates published by Microsoft since the original media’s release. This reduces the time it can take to install a feature upgrade on a device. Second, Microsoft *republishes* the new media to Windows Update with *targeting* instructions that state (in effect) “install this media on devices that are configured for deferred installation of new feature upgrades.” At this point, devices configured to defer installation will begin receiving and installing the feature upgrade automatically. - -**The role of Windows Update for Business** - -Although Windows 10 will enable IT administrators to defer installation of new feature upgrades using Windows Update, enterprises may also want additional control over how and when Windows Update installs releases. With this need in mind, Microsoft [announced Windows Update for Business](https://go.microsoft.com/fwlink/p/?LinkId=624798) in May of 2015. Microsoft designed Windows Update for Business to provide IT administrators with additional Windows Update-centric management capabilities, such as the ability to deploy updates to groups of devices and to define maintenance windows for installing releases. This article will be updated with additional information about the role of Windows Update for Business in servicing Windows 10 devices as it becomes available. - -## Windows 10 servicing branches - -Historically, because of the length of time between releases of new Windows versions, and the relatively low number of enterprise devices that were upgraded to newer versions of Windows during their deployment lifetimes, most IT administrators defined servicing as installing the updates that Microsoft published every month. Looking forward, because Microsoft will be publishing new feature upgrades on a continual basis, *servicing* will also include (on some portion of an enterprise's devices) installing new feature upgrades as they become available. -In fact, when planning to deploy Windows 10 on a device, one of the most important questions for IT administrators to ask is, “What should happen to this device when Microsoft publishes a new feature upgrade?” This is because Microsoft designed Windows 10 to provide businesses with multiple servicing options, centered on enabling different rates of feature upgrade adoption. In particular, IT administrators can configure Windows 10 devices to: -- Receive feature upgrades immediately after Microsoft makes them available publicly, so that users gain access to new features, experiences, and functionality as soon as possible. For more information, see [Immediate feature upgrade installation with Current Branch (CB) servicing](#immediate-upgrade-cb). -- Defer receiving feature upgrades for a period of approximately four months after Microsoft makes them available publicly, to provide IT administrators with time to perform pre-deployment testing and provide feature upgrades releases with additional time-in-market to mature. For more information, see [Deferred feature upgrade installation with Current Branch for Business (CBB) servicing](#deferred-upgrade-cbb). -- Receive only servicing updates for the duration of their Windows 10 deployment in order to reduce the number of non-essential changes made to the device. For more information, see [Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing](#install-updates-ltsb). -The breakout of a company’s devices by the categories above is likely to vary significantly by industry and other factors. What is most important is that companies can decide what works best for them and can choose different options for different devices. - -## Current Branch versus Current Branch for Business - -When the development of a new Windows 10 feature upgrade is complete, it is initially offered to Current Branch computers; those computers configured for Current Branch for Business will receive the feature upgrade (with additional fixes) at a later date, generally at least four months later. An additional deferral of at least eight months is available to organizations that use tools to control the update process. During this time, monthly security updates will continue to be made available to machines not yet upgraded. - -The process to configure a PC for Current Branch for Business is simple. The **Defer upgrades** setting needs to be configured, either manually (through the Settings app), by using Group Policy, or by using mobile device management (MDM). - -![figure 1](images/fig1-deferupgrades.png) - -Figure 1. Configure the **Defer upgrades** setting - -Most organizations today leverage Windows Server Update Services (WSUS) or System Center Configuration Manager to update their PCs. With Windows 10, this does not need to change; all updates are controlled through approvals or automatic deployment rules configured in those products, so new upgrades will not be deployed until the organization chooses. The **Defer upgrades** setting can function as an additional validation check, so that Current Branch for Business machines that are targeted with a new upgrade prior to the end of the initial four-month deferral period will decline to install it; they can install the upgrade any time within the eight-month window after that initial four-month deferral period. - -For computers configured to receive updates from Windows Update directly, the **Defer upgrades** setting directly controls when the PC will be upgraded. Computers that are not configured to defer upgrades will be upgraded at the time of the initial Current Branch release; computers that are configured to defer upgrades will be upgraded four months later. - -With Windows 10 it is now possible to manage updates for PCs and tablets that have a higher degree of mobility and are not joined to a domain. For these PCs, you can leverage mobile device management (MDM) services or Windows Update for Business to provide the same type of control provided today with WSUS or Configuration Manager. - -For PCs enrolled in a mobile device management (MDM) service, Windows 10 provides new update approval mechanisms that could be leveraged to delay the installation of a new feature upgrade or any other update. Windows Update for Business will eventually provide these and other capabilities to manage upgrades and updates; more details on these capabilities will be provided when they are available later in 2015. - -With the release of each Current Branch feature update, new ISO images will be made available. You can use these images to upgrade existing machines or to create new custom images. These feature upgrades will also be published with WSUS to enable simple deployment to devices already running Windows 10. - -Unlike previous versions of Windows, the servicing lifetime of Current Branch or Current Branch for Business is finite. You must install new feature upgrades on machines running these branches in order to continue receiving monthly security updates. This requires new ways of thinking about software deployment. It is best to align your deployment schedule with the Current Branch release schedule: - -- Begin your evaluation process with the Windows Insider Program releases. -- Perform initial pilot deployments by using the Current Branch. -- Expand to broad deployment after the Current Branch for Business is available. -- Complete deployments by using that release in advance of the availability of the next Current Branch. - -![figure 2](images/fig2-deploymenttimeline.png) - -Figure 2. Deployment timeline - -Some organizations may require more than 12 months to deploy Windows 10 to all of their existing PCs. To address this, it may be necessary to deploy multiple Windows 10 releases, switching to these new releases during the deployment project. Notice how the timelines can overlap, with the evaluation of one release happening during the pilot and deployment of the previous release: - -![figure 3](images/fig3-overlaprelease.png) - -Figure 3. Overlapping releases - -As a result of these overlapping timelines, organizations can choose which release to deploy. Note though that by continuing for longer with one release, that gives you less time to deploy the subsequent release (to both existing Windows 10 PCs as well as newly-migrated ones), so staying with one release for the full lifetime of that release can be detrimental overall. - -## Long-Term Servicing Branch - -For specialized devices, Windows 10 Enterprise Long Term Servicing Branch (LTSB) ISO images will be made available. These are expected to be on a variable schedule, less often than CB and CBB releases. Once released, these will be supported with security and reliability fixes for an extended period; no new features will be added over its servicing lifetime. Note that LTSB images will not contain most in-box Universal Windows Apps (for example, Microsoft Edge, Cortana, the Windows Store, the Mail and Calendar apps) because the apps or the services that they use will be frequently updated with new functionality and therefore cannot be supported on PCs running the LTSB OS. - -These LTSB images can be used to upgrade existing machines or to create new custom images. - -Note that Windows 10 Enterprise LTSB installations fully support the Universal Windows Platform, with the ability to run line-of-business apps created using the Windows SDK, Visual Studio, and related tools capable of creating Universal Windows apps. For apps from other ISVs (including those published in the Windows Store), contact the ISV to confirm if they will provide long-term support for their specific apps. - -As mentioned previously, there are few, if any, scenarios where an organization would use the Long-Term Servicing Branch for every PC – or even for a majority of them. - -## Windows Insider Program - -During the development of a new Windows 10 feature update, preview releases will be made available to Windows Insider Program participants. This enables those participants to try out new features, check application compatibility, and provide feedback during the development process. - -To obtain Windows Insider Program builds, the Windows Insider Program participants must opt in through the Settings app, and specify their Microsoft account. - -Occasionally (typically as features are made available to those in the Windows Insider Program “slow” ring), new ISO images will be released to enable deployment validation, testing, and image creation. - -## Switching between branches - -During the life of a particular PC, it may be necessary or desirable to switch between the available branches. Depending on the branch you are using, the exact mechanism for doing this can be different; some will be simple, others more involved. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    For a PC that uses…Changing to…You need to:
    Windows Insider ProgramCurrent BranchWait for the final Current Branch release.
    Current Branch for BusinessNot directly possible, because Windows Insider Program machines are automatically upgraded to the Current Branch release at the end of the development cycle.
    Long-Term Servicing BranchNot directly possible (requires wipe-and-load).
    Current BranchInsiderUse the Settings app to enroll the device in the Windows Insider Program.
    Current Branch for BusinessSelect the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Current Branch release.
    Long-Term Servicing BranchNot directly possible (requires wipe-and-load).
    Current Branch for BusinessInsiderUse the Settings app to enroll the device in the Windows Insider Program.
    Current BranchDisable the Defer upgrade setting, or move the PC to a target group or flight that will receive the latest Current Branch release.
    Long-Term Servicing BranchNot directly possible (requires wipe-and-load).
    Long-Term Servicing BranchInsiderUse media to upgrade to the latest Windows Insider Program build.
    Current BranchUse media to upgrade to a later Current Branch build. (Note that the Current Branch build must be a later build.)
    Current Branch for BusinessUse media to upgrade to a later Current Branch for Business build (Current Branch build plus fixes). Note that it must be a later build.
    - -## Plan for Windows 10 deployment - -The remainder of this article focuses on the description of the three options outlined above, and their planning implications, in more detail. In practice, IT administrators have to focus on two areas when planning a Windows 10 device deployment: -- **When should new feature upgrades be deployed?** Should the device install new feature upgrades when they are published by Microsoft? If so, should installation occur immediately or on a deferred basis? -- **How will releases be installed on devices?** Will Windows Update or Windows Server Update Services be used to install new releases, or will installation be performed using a configuration management system such as -Configuration Manager? - -The content that follows will provide IT administrators with the context needed to understand why these areas are pivotal, and the choices available to them. - -**How Microsoft releases Windows 10 feature upgrades** - ->Some figures in this article show multiple feature upgrades of Windows being released by Microsoft over time. Be aware that these figures were created with dates that were chosen for illustrative clarity, not for release roadmap accuracy, and should not be used for planning purposes. - -When it is time to release a build as a new feature upgrade for Windows 10, Microsoft performs several processes in sequence. The first process involves creating either one or two servicing branches in a source code management system. These branches (shown in Figure 4) are required to produce feature upgrade installation media and servicing update packages that can be deployed on different Windows 10 editions, running in different configurations. - -![figure 4](images/w10servicing-f1-branches.png) - -Figure 4. Feature upgrades and servicing branches - -In all cases, Microsoft creates a servicing branch (referred to in Figure 4 as Servicing Branch \#1) that is used to produce releases for approximately one year (although the lifetime of the branch will ultimately depend on when Microsoft publishes subsequent feature upgrade releases). If Microsoft has selected the feature upgrade to receive long-term servicing-only support, Microsoft also creates a second servicing branch (referred to in Figure 4 as Servicing Branch \#2) that is used to produce servicing update releases for up to 10 years. - -As shown in Figure 5, when Microsoft publishes a new feature upgrade, Servicing Branch \#1 is used to produce the various forms of media needed by OEMs, businesses, and consumers to install Windows 10 Home, Pro, Education, and Enterprise editions. Microsoft also produces the files needed by Windows Update to distribute and install the feature upgrade, along with *targeting* information that instructs Windows Update to only install the files on devices configured for *immediate* installation of feature upgrades. - -![figure 5](images/win10servicing-fig2-featureupgrade.png) - -Figure 5. Producing feature upgrades from servicing branches - -Approximately four months after publishing the feature upgrade, Microsoft uses Servicing Branch \#1 again to *republish* updated installation media for Windows 10 Pro, Education, and Enterprise editions. The updated media contains the exact same feature upgrade as contained in the original media except Microsoft also includes all the servicing updates that were published since the feature upgrade was first made available. This enables the feature upgrade to be installed on a device more quickly, and in a way that is potentially less obtrusive to users. - -Concurrently, Microsoft also changes the way the feature upgrade is published in the Windows Update service. In particular, the files used by Windows Update to distribute and install the feature upgrade are refreshed with the updated versions, and the targeting instructions are changed so that the updated feature upgrade will now be installed on devices configured for *deferred* installation of feature upgrades. - -**How Microsoft publishes the Windows 10 Enterprise LTSB Edition** - -If Microsoft has selected the feature upgrade to receive long-term servicing support, Servicing Branch \#2 is used to publish the media needed to install the Windows 10 Enterprise LTSB edition. The time between releases of feature upgrades with long-term servicing support will vary between one and three years, and is strongly influenced by input from customers regarding the readiness of the release for long-term enterprise deployment. Figure 5 shows the Windows 10 Enterprise LTSB edition being published at the same time as the other Windows 10 editions, which mirrors the way editions were actually published for Windows 10 in July of 2015. It is important to note that this media is never published to Windows Update for deployment. Installations of the Enterprise LTSB edition on devices must be performed another way. - -**How Microsoft releases Windows 10 servicing updates** - -As shown in Figure 6, servicing branches are also used by Microsoft to produce servicing updates containing fixes for security vulnerabilities and other important issues. Servicing updates are published in a way that determines the Windows 10 editions on which they can be installed. For example, servicing updates produced from a given servicing branch can only be installed on devices running a Windows 10 edition produced from the same servicing branch. In addition, because Windows 10 Home does not support deferred installation of feature upgrades, servicing updates produced from Servicing Branch \#1 are targeted at devices running Windows 10 Home only until Microsoft publishes feature upgrades for deferred installation. - -![figure 6](images/win10servicing-fig3.png) - -Figure 6. Producing servicing updates from servicing branches - -**Release installation alternatives** - -When IT administrators select Windows Update and/or Windows Server Update Services to deploy feature upgrades and servicing updates, Windows 10 and Windows Update will determine and deploy the correct releases for each of the three servicing options at the appropriate times. If there are multiple feature upgrades receiving long-term servicing support at the same time, Windows Update will select updates for each device that are appropriate for the feature upgrades they are running. - -When IT administrators manage deployments of feature upgrades and servicing updates directly with configuration management products such as Configuration Manager, they are responsible for the timing of installation of both feature upgrades and servicing updates. It is important to note that until IT administrators install a new servicing update, devices may remain exposed to security vulnerabilities. Therefore, when managing deployments directly, IT administrators should deploy new servicing updates as soon as possible. - -## Servicing options and servicing branch designations - -Servicing options have several different attributes that affect deployment planning decisions. For example, each servicing option: -- Is supported on a selected set of Windows 10 editions (and no Windows 10 edition supports all three servicing options). -- Has a policy that determines the periods of time during which Microsoft will produce servicing updates for a given feature upgrade. -- Has a policy that determines when devices being managed by Windows Update or Windows Server Update Services will install new feature upgrades when they become available from Microsoft. - -Because the servicing lifetime of a feature upgrade typically ends when the servicing lifetime of the subsequent feature upgrade begins, the length of servicing lifetimes will also vary. To simplify referring to these ranges, -Microsoft created *servicing branch designations* for each of the three time range/servicing branch combinations. The designations are Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). -Because there is a one-to-one mapping between servicing options and servicing branch designations, Microsoft occasionally refers to servicing options using servicing branch-centric terminology. The following sections describe servicing options and servicing branch designations, including terminology, servicing lifetime policies, upgrade behavior, and edition support, in more detail. - -**Service lifetime and feature upgrade installation paths** - -Although Microsoft is currently planning to release approximately two to three feature upgrades per year, the actual frequency and timing of releases will vary. Because the servicing lifetimes of feature upgrades typically end when the servicing lifetimes of other, subsequent feature upgrades begin, the lengths of servicing lifetimes will also vary. - -![figure 7](images/win10servicing-fig4-upgradereleases.png) - -Figure 7. Example release cadence across multiple feature upgrades - -To show the variability of servicing lifetimes, and show the paths that feature upgrade installations will take when Windows Update and Windows Server Update Services are used for deployments, Figure 4 contains three feature upgrade releases (labeled *X*, *Y*, and *Z*) and their associated servicing branches. The time period between publishing X and Y is four months, and the time period between publishing Y and Z is six months. X and Z have long-term servicing support, and Y has shorter-term servicing support only. - -The same underlying figure will be used in subsequent figures to show all three servicing options in detail. It is important to note that Figure 7 is provided for illustration of servicing concepts only and should not be used for actual Windows 10 release planning. - -To simplify the servicing lifetime and feature upgrade behavior explanations that follow, this document refers to branch designations for a specific feature upgrade as the +0 versions, the designations for the feature upgrade after the +0 version as the +1 (or successor) versions, and the designation for the feature upgrade after the +1 version as the +2 (or second successor) versions. - -### - -**Immediate feature upgrade installation with Current Branch (CB) servicing** -As shown in Figure 8, the Current Branch (CB) designation refers to Servicing Branch \#1 during the period that starts when Microsoft publishes a feature upgrade targeted for devices configured for *immediate* installation and ends when Microsoft publishes the *successor* feature upgrade targeted for devices configured for *immediate* installation. - -![figure 8](images/win10servicing-fig5.png) - -Figure 8. Immediate installation with Current Branch Servicing - -The role of Servicing Branch \#1 during the CB period is to produce feature upgrades and servicing updates for Windows 10 devices configured for *immediate* installation of new feature upgrades. Microsoft refers to devices configured this way as being *serviced from CBs*. The Windows 10 editions that support servicing from CBs are Home, Pro, Education, and Enterprise. The Current Branch designation is intended to reflect the fact that devices serviced using this approach will be kept as current as possible with respect to the latest Windows 10 feature upgrade release. -Windows 10 Home supports Windows Update for release deployment. Windows 10 editions (Pro, Education, and Enterprise) support Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems: -- When IT administrators use Windows Update to manage deployments, devices will receive new feature upgrades and servicing updates as soon as they are published by Microsoft in the Windows Update service, targeted to devices configured for *immediate* feature upgrade installation. -- When devices are being managed by using Windows Server Update Services, the same workflows are executed as with Windows Update except IT administrators must approve releases before installations begin. -- When using configuration management systems such as Configuration Manager to manage deployments, IT administrators can obtain installation media from Microsoft and deploy new feature upgrades immediately by using standard change control processes. IT administrators who use configuration management systems should also make sure to obtain and deploy all servicing updates published by Microsoft as soon as possible. -It is important to note that devices serviced from CBs must install two to three feature upgrades per year to remain current and continue to receive servicing updates. - -### - -**Deferred feature upgrade installation with Current Branch for Business (CBB) servicing** -As shown in Figure 9, the Current Branch for Business (CBB) designation refers to Servicing Branch \#1 during the period that starts when Microsoft republishes a feature upgrade targeted for devices configured for *deferred* installation and ends when Microsoft republishes the *second successor* feature upgrade targeted for devices configured for *deferred* installation. - -![figure 9](images/win10servicing-fig6.png) - -Figure 9. Deferred installation with Current Branch for Business Servicing - -The role of Servicing Branch \#1 during the CBB period is to produce feature upgrades and servicing updates for Windows 10 devices configured for *deferred* installation of new feature upgrades. Microsoft refers to devices configured this way as being *serviced from CBBs*. The Windows 10 editions that support servicing from CBBs are Pro, Education, and Enterprise. The Current Branch for Business designation is intended to reflect the fact that many businesses require IT administrators to test feature upgrades prior to deployment, and servicing devices from CBBs is a pragmatic solution for businesses with testing constraints to remain as current as possible. -Windows 10 (Pro, Education, and Enterprise editions) support release deployment by using Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems: -- When IT administrators use Windows Update to manage deployments, devices will receive new feature upgrades and servicing updates as soon as they are published by Microsoft in the Windows Update service, targeted to devices configured for *deferred* feature upgrade installation. It is important to note that, even when devices are configured to defer installations, all servicing updates that are applicable to the feature upgrade that is running on a device will be installed immediately after being published by Microsoft in the Windows Update service. -- When devices are being managed through Windows Server Update Services, the same workflows are executed as with Windows Update except IT administrators must approve releases before installations begin. -- When using configuration management systems such as Configuration Manager to manage deployments, IT administrators can obtain media published for deferred installation from Microsoft and deploy new feature upgrades by using standard change control processes. When deferring feature upgrade installations, IT administrators should still deploy all applicable servicing updates as soon as they become available from Microsoft. -Microsoft designed Windows 10 servicing lifetime policies so that CBBs will receive servicing updates for approximately twice as many months as CBs. This enables two CBBs to receive servicing support at the same time, which provides businesses with more flexibility when deploying new feature upgrades. That said, it is important to note that Microsoft will not produce servicing updates for a feature upgrade after its corresponding CBB reaches the end of its servicing lifetime. This means that feature upgrade deployments cannot be extended indefinitely and IT administrators should ensure that they deploy newer feature upgrades onto devices before CBBs end. - -### - -**Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing** - -As shown in Figure 10, the Long-Term Servicing Branch (LTSB) designation refers to Servicing Branch \#2 from beginning to end. LTSBs begin when a feature upgrade with long-term support is published by Microsoft and end after 10 years. It is important to note that only the Windows 10 Enterprise LTSB edition supports long-term servicing, and there are important differences between this edition and other Windows 10 editions regarding upgradability and feature set (described below in the [Considerations when configuring devices for servicing updates only](#servicing-only) section). - -![figure 10](images/win10servicing-fig7.png) - -Figure 10. Servicing updates only using LTSB Servicing - -The role of LTSBs is to produce servicing updates for devices running Windows 10 configured to install servicing updates only. Devices configured this way are referred to as being *serviced from LTSBs*. The Long-Term Servicing Branch designation is intended to reflect the fact that this servicing option is intended for scenarios where changes to software running on devices must be limited to essential updates (such as those for security vulnerabilities and other important issues) for the duration of deployments. -Windows 10 Enterprise LTSB supports release deployment by using Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems: -- When IT administrators use Windows Update to manage deployments, Windows Update will install only servicing updates, and do so as soon as they are published by Microsoft in the Windows Update service. Windows Update does not install feature upgrades on devices configured for long-term servicing. -- When devices are being managed using Windows Server Update Services, the same workflows are executed as with Windows Update except IT administrators must approve releases before installations begin. -- When using configuration management systems such as System Center Configuration Manager to manage deployments, IT administrators should make sure to obtain and deploy all servicing updates published by Microsoft as soon as possible. - -**Note**   -It is important to note again that not all feature upgrades will have an LTSB. The initial release of Windows 10, published in July 2015, has an LTSB and Microsoft expects to designate one additional feature upgrade in the next 12 months for long-term support. After that, Microsoft expects to publish feature upgrades with long-term servicing support approximately every two to three years. Microsoft will provide additional information in advance of publishing new feature upgrades so that IT administrators can make informed deployment planning decisions. -  -### - -**Considerations when configuring devices for servicing updates only** -Before deciding to configure a device for LTSB-based servicing, IT administrators should carefully consider the implications of changing to a different servicing option later, and the effect of using Windows 10 Enterprise LTSB on the availability of *in-box* applications. - -Regarding edition changes, it is possible to reconfigure a device running Windows 10 Enterprise LTSB to run Windows 10 Enterprise while preserving the data and applications already on the device. Reconfiguring a device running Windows 10 Enterprise LTSB to run other editions of Windows 10 may require IT administrators to restore data and/or reinstall applications on the device after the other edition has been installed. -Regarding in-box applications, Windows 10 Enterprise LTSB does not include all the universal apps that are included with other Windows 10 editions. This is because the universal apps included with Windows 10 will be continually upgraded by Microsoft, and new releases of in-box universal apps are unlikely to remain compatible with a feature upgrade of Windows 10 Enterprise LTSB for the duration of its servicing lifetime. Examples of apps that Windows 10 Enterprise LTSB does not include are Microsoft Edge, Windows Store Client, Cortana (limited search capabilities remain available), Outlook Mail, Outlook Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. - -Windows 10 Enterprise LTSB does include Internet Explorer 11, and is compatible with Windows 32 versions of Microsoft Office. IT administrators can also install universal apps on devices when apps are compatible with the feature upgrades running on the device. They should do so with care, however, as servicing updates targeted for devices running Windows 10 Enterprise LTSB will not include security or non-security fixes for universal apps. Additionally, Microsoft will not provide servicing updates for specific releases of apps on any Windows 10 edition after the feature upgrade of Windows 10 with which the apps were included reaches the end of its servicing lifetime. - -**Servicing option summary** - -Table 2. Servicing option summary - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ComparisonWindows 10 servicing options
    Current Branch (CB)Current Branch for Business (CBB)Long-Term Servicing Branch (LTSB)
    Availability of new feature upgrades for installationImmediateDeferred by ~4 monthsNot applicable
    Supported editionsWindows 10 Home, Windows 10 Pro, Windows 10 Education, Windows 10 Enterprise, -IoT Core, IoT Core ProWindows 10 Pro, -Windows 10 Education, -Windows 10 Enterprise, -IoT Core ProWindows 10 Enterprise LTSB
    Minimum length of servicing lifetimeApproximately 4 MonthsApproximately 8 months10 years
    Ongoing installation of new feature upgrades required to receive servicing updatesYesYesNo
    Supports Windows Update for release deploymentYesYesYes
    Supports Windows Server Update Services for release deploymentYes -(excludes Home) -YesYes
    Supports Configuration Manager/configuration management systems for release deploymentYes -(excludes Home) -YesYes
    First party browsers includedMicrosoft Edge, -Internet Explorer 11Microsoft Edge, -IE11IE11
    Notable Windows -system apps removed -NoneNoneMicrosoft Edge, Windows Store Client, Cortana (limited search available)
    Notable Windows -universal apps removed -NoneNoneOutlook Mail/Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, Clock
    -  -## Related topics - -[Plan for Windows 10 deployment](../plan/index.md) - -[Deploy Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=624776) - -[Manage and update Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=624796) -  -  diff --git a/windows/manage/manage-cortana-in-enterprise.md b/windows/manage/manage-cortana-in-enterprise.md deleted file mode 100644 index 33b7160191..0000000000 --- a/windows/manage/manage-cortana-in-enterprise.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Cortana integration in your business or enterprise (Windows 10) -description: The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/cortana-at-work-overview ---- \ No newline at end of file diff --git a/windows/manage/manage-inventory-windows-store-for-business.md b/windows/manage/manage-inventory-windows-store-for-business.md deleted file mode 100644 index f8db99379b..0000000000 --- a/windows/manage/manage-inventory-windows-store-for-business.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -title: Manage inventory in Windows Store for Business (Windows 10) -description: When you acquire apps from the Windows Store for Business, we add them to the Inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses. -redirect_url: https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library ---- - - diff --git a/windows/manage/uev-accessibility.md b/windows/manage/uev-accessibility.md deleted file mode 100644 index 08416f8349..0000000000 --- a/windows/manage/uev-accessibility.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Accessibility for UE-V -redirect_url: https://technet.microsoft.com/itpro/windows/manage/uev-for-windows ---- \ No newline at end of file diff --git a/windows/manage/uev-privacy-statement.md b/windows/manage/uev-privacy-statement.md deleted file mode 100644 index eb9e64f8a1..0000000000 --- a/windows/manage/uev-privacy-statement.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: User Experience Virtualization Privacy Statement -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/uev-security-considerations ---- \ No newline at end of file diff --git a/windows/plan/act-community-ratings-and-process.md b/windows/plan/act-community-ratings-and-process.md deleted file mode 100644 index e9c34a2026..0000000000 --- a/windows/plan/act-community-ratings-and-process.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: ACT Community Ratings and Process (Windows 10) -description: The Application Compatibility Toolkit (ACT) Community uses the Microsoft® Compatibility Exchange to share compatibility ratings between all registered ACT Community members. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-database-configuration.md b/windows/plan/act-database-configuration.md deleted file mode 100644 index 7c07865d8a..0000000000 --- a/windows/plan/act-database-configuration.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: ACT Database Configuration (Windows 10) -description: The Application Compatibility Toolkit (ACT) uses a Microsoft® SQL Server® database for storing and sharing compatibility issue data. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-database-migration.md b/windows/plan/act-database-migration.md deleted file mode 100644 index e8b5e9b74f..0000000000 --- a/windows/plan/act-database-migration.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: ACT Database Migration (Windows 10) -description: The schema for an ACT database can change when ACT is updated or when a new version of ACT is released. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-deployment-options.md b/windows/plan/act-deployment-options.md deleted file mode 100644 index a550b72152..0000000000 --- a/windows/plan/act-deployment-options.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: ACT Deployment Options (Windows 10) -description: While planning your deployment of the Application Compatibility Toolkit (ACT), consider which computers you want running the various tools, packages, and services for ACT. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-glossary.md b/windows/plan/act-glossary.md deleted file mode 100644 index 17f66a70be..0000000000 --- a/windows/plan/act-glossary.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: ACT Glossary (Windows 10) -description: The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-lps-share-permissions.md b/windows/plan/act-lps-share-permissions.md deleted file mode 100644 index 37a6534881..0000000000 --- a/windows/plan/act-lps-share-permissions.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: ACT LPS Share Permissions (Windows 10) -description: To upload log files to the ACT Log Processing Service (LPS) share, certain permissions must be set at the share level and folder level. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-operatingsystem-application-report.md b/windows/plan/act-operatingsystem-application-report.md deleted file mode 100644 index 62da93a40d..0000000000 --- a/windows/plan/act-operatingsystem-application-report.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: OperatingSystem - Application Report (Windows 10) -description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-operatingsystem-computer-report.md b/windows/plan/act-operatingsystem-computer-report.md deleted file mode 100644 index bf508ee97a..0000000000 --- a/windows/plan/act-operatingsystem-computer-report.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: OperatingSystem - Computer Report (Windows 10) -description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-operatingsystem-device-report.md b/windows/plan/act-operatingsystem-device-report.md deleted file mode 100644 index 6668aa3041..0000000000 --- a/windows/plan/act-operatingsystem-device-report.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: OperatingSystem - Device Report (Windows 10) -description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-product-and-documentation-resources.md b/windows/plan/act-product-and-documentation-resources.md deleted file mode 100644 index 2c3290db5b..0000000000 --- a/windows/plan/act-product-and-documentation-resources.md +++ /dev/null @@ -1,13 +0,0 @@ ---- -title: ACT Product and Documentation Resources (Windows 10) -description: The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- -  - -  - - - - - diff --git a/windows/plan/act-settings-dialog-box-preferences-tab.md b/windows/plan/act-settings-dialog-box-preferences-tab.md deleted file mode 100644 index eaa5fec362..0000000000 --- a/windows/plan/act-settings-dialog-box-preferences-tab.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Settings Dialog Box - Preferences Tab (Windows 10) -description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-settings-dialog-box-settings-tab.md b/windows/plan/act-settings-dialog-box-settings-tab.md deleted file mode 100644 index 30e7000dd2..0000000000 --- a/windows/plan/act-settings-dialog-box-settings-tab.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Settings Dialog Box - Settings Tab (Windows 10) -description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-toolbar-icons-in-acm.md b/windows/plan/act-toolbar-icons-in-acm.md deleted file mode 100644 index bd6b97dcde..0000000000 --- a/windows/plan/act-toolbar-icons-in-acm.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Toolbar Icons in ACM (Windows 10) -description: The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-tools-packages-and-services.md b/windows/plan/act-tools-packages-and-services.md deleted file mode 100644 index 7e20751a4a..0000000000 --- a/windows/plan/act-tools-packages-and-services.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: ACT Tools, Packages, and Services (Windows 10) -description: The Application Compatibility Toolkit is included with the Windows ADK. Download the Windows ADK. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-user-interface-reference.md b/windows/plan/act-user-interface-reference.md deleted file mode 100644 index affbef996f..0000000000 --- a/windows/plan/act-user-interface-reference.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: ACT User Interface Reference (Windows 10) -description: This section contains information about the user interface for Application Compatibility Manager (ACM), which is a tool in the Application Compatibility Toolkit (ACT). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/activating-and-closing-windows-in-acm.md b/windows/plan/activating-and-closing-windows-in-acm.md deleted file mode 100644 index 4640049e22..0000000000 --- a/windows/plan/activating-and-closing-windows-in-acm.md +++ /dev/null @@ -1,13 +0,0 @@ ---- -title: Activating and Closing Windows in ACM (Windows 10) -description: The Windows dialog box shows the windows that are open in Application Compatibility Manager (ACM). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- -  - -  - - - - - diff --git a/windows/plan/adding-or-editing-a-solution.md b/windows/plan/adding-or-editing-a-solution.md deleted file mode 100644 index b5a52a45c2..0000000000 --- a/windows/plan/adding-or-editing-a-solution.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Adding or Editing a Solution (Windows 10) -description: If you find your own solutions to compatibility issues, you can enter the solutions in Application Compatibility Manager (ACM). You can use the Microsoft Compatibility Exchange to upload solutions to Microsoft Corporation. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/adding-or-editing-an-issue.md b/windows/plan/adding-or-editing-an-issue.md deleted file mode 100644 index 08d2098675..0000000000 --- a/windows/plan/adding-or-editing-an-issue.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Adding or Editing an Issue (Windows 10) -description: In Application Compatibility Manager (ACM), you can enter information about the compatibility issues that you discover. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/analyzing-your-compatibility-data.md b/windows/plan/analyzing-your-compatibility-data.md deleted file mode 100644 index 2d69b55931..0000000000 --- a/windows/plan/analyzing-your-compatibility-data.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Analyzing Your Compatibility Data (Windows 10) -description: This section provides information about viewing and working with your compatibility data in Application Compatibility Manager (ACM). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/application-dialog-box.md b/windows/plan/application-dialog-box.md deleted file mode 100644 index 7615d0949e..0000000000 --- a/windows/plan/application-dialog-box.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Application Dialog Box (Windows 10) -description: In Application Compatibility Manager (ACM), the Application dialog box shows information about the selected application. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/categorizing-your-compatibility-data.md b/windows/plan/categorizing-your-compatibility-data.md deleted file mode 100644 index e77b9ca34e..0000000000 --- a/windows/plan/categorizing-your-compatibility-data.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Categorizing Your Compatibility Data (Windows 10) -description: Steps to customize and filter your compatibility reports through categories and subcategories. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/chromebook-migration-guide.md b/windows/plan/chromebook-migration-guide.md deleted file mode 100644 index 8db7b3b57c..0000000000 --- a/windows/plan/chromebook-migration-guide.md +++ /dev/null @@ -1,854 +0,0 @@ ---- -title: Chromebook migration guide (Windows 10) -description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. -redirect_url: https://technet.microsoft.com/edu/windows/chromebook-migration-guide -ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA -keywords: migrate, automate, device -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: edu; devices -author: craigash - ---- -# Chromebook migration guide - -**Applies to** -- Windows 10 - -In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools. - -## Plan Chromebook migration - -Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process. - -In the planning portion of this guide, you will identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you will have a list of information you need to collect and what you need to do with the information. You will be ready to perform your Chromebook migration. - -## Plan for app migration or replacement - -App migration or replacement is an essential part of your Chromebook migration. In this section you will plan how you will migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you will have a list of the active Chrome OS apps and the Windows app counterparts. - -**Identify the apps currently in use on Chromebook devices** - -Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio). - -> **Note**  The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section. - -You can divide the apps into the following categories: - -- **Apps installed and managed by the institution.** These apps are typically managed in the Apps section in the Google Admin Console. You can record the list of these apps in your app portfolio. -- **Apps installed by faculty or students.** Faculty or students might have installed these apps as a part of a classroom curriculum. Obtain the list of these apps from faculty or students. Ensure you only record apps that are legitimately used as a part of classroom curriculum (and not for personal entertainment or use). - -Record the following information about each app in your app portfolio: - -- App name -- App type (such as offline app, online app, web app, and so on) -- App publisher or developer -- App version currently in use -- App priority (how necessary is the app to the day-to-day process of the institution or a classroom? Rank as high, medium, or low) - -Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you have determined what you will do with the higher priority apps. - -### - -**Select Google Apps replacements** - -Table 1 lists the Windows device app replacements for the common Google Apps on Chromebook devices. If your users rely on any of these Google Apps, use the corresponding app on the Windows device. Use the information in Table 1 to select the Google App replacement on a Windows device. - -Table 1. Google App replacements - -| If you use this Google app on a Chromebook | Use this app on a Windows device | -|--------------------------------------------|--------------------------------------| -| Google Docs | Word 2016 or Word Online | -| Google Sheets | Excel 2016 or Excel Online | -| Google Slides | PowerPoint 2016 or PowerPoint Online | -| Google Apps Gmail | Outlook 2016 or Outlook Web App | -| Google Hangouts | Microsoft Skype for Business | -| Chrome | Microsoft Edge | -| Google Drive | Microsoft OneDrive for Business | -  -It may be that you will decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. - -**Find the same or similar apps in the Windows Store** - -In many instances, software vendors will create a version of their app for multiple platforms. You can search the Windows Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section. - -In other instances, the offline app does not have a version written for the Windows Store or is not a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher does not have a version for Windows devices. Search the Windows Store for a graphing calculator app that provides similar features and functionality. Use that Windows Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. - -Record the Windows app that replaces the Chromebook app in your app portfolio. - -### - -**Perform app compatibility testing for web apps** - -The majority of Chromebook apps are web apps. Because you cannot run native offline Chromebook apps on a Windows device, there is no reason to perform app compatibility testing for offline Chromebook apps. However, you may have a number of web apps that will run on both platforms. - -Ensure that you test these web apps in Microsoft Edge. Record the level of compatibility for each web app in Microsoft Edge in your app portfolio. - -## Plan for migration of user and device settings - -Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You have also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. - -However, in addition to your centralized configuration in the Google Admin Console, Chromebook users have probably customized their device. In some instances, users may have changed the web content that is displayed when the Chrome browser starts. Or they may have bookmarked websites for future reference. Or users may have installed apps for use in the classroom. - -In this section, you will identify the user and device configuration settings for your Chromebook users and devices. Then you will prioritize these settings to focus on the configuration settings that are essential to your educational institution. -At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you have few or no higher priority settings to be migrated. If this is the -case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. - -**Identify Google Admin Console settings to migrate** - -You use the Google Admin Console (as shown in Figure 1) to manage user and device settings. These settings are applied to all the Chromebook devices in your institution that are enrolled in the Google Admin Console. Review the user and device settings in the Google Admin Console and determine which settings are appropriate for your Windows devices. - -![figure 1](images/chromebook-fig1-googleadmin.png) - -Figure 1. Google Admin Console - -Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. - -Table 2. Settings in the Device Management node in the Google Admin Console - - ---- - - - - - - - - - - - - - - - - - - - - -
    SectionSettings
    Network

    These settings configure the network connections for Chromebook devices and include the following settings categories:

    -
      -
    • Wi-Fi. Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.

    • -
    • Ethernet. Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.

    • -
    • VPN. Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.

    • -
    • Certificates. Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.

    • -
    Mobile

    These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:

    -
      -
    • Device management settings. Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.

    • -
    • Device activation. Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.

    • -
    • Managed devices. Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.

    • -
    • Set Up Apple Push Certificate. Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.

    • -
    • Set Up Android for Work. Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider.

    • -
    Chrome management

    These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:

    -
      -
    • User settings. Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.

    • -
    • Public session settings. Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.

    • -
    • Device settings. Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.

    • -
    • Devices. Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices.

    • -
    • App Management. Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices.

    • -
    -  -Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. - -Table 3. Settings in the Security node in the Google Admin Console - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    SectionSettings

    Basic settings

    These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.

    -

    Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.

    Password monitoring

    This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section.

    API reference

    This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section.

    Set up single sign-on (SSO)

    This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.

    Advanced settings

    This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.

    -  -**Identify locally-configured settings to migrate** - -In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). - -![figure 2](images/fig2-locallyconfig.png) - -Figure 2. Locally-configured settings on Chromebook - -Table 4. Locally-configured settings - -| Section | Settings | -| - | - | -| Internet connections | These settings configure the Internet connection for the devices, such as Wi-Fi and VPN connections. Record the network connection currently in use and configure the Windows device to use the same network connection settings. | -| Appearances | These settings affect the appearance of the desktop. Record the wallpaper image file that is used. Migrate the image file to the Windows device and configure as the user’s wallpaper to maintain similar user experience. | -| Search | These settings configure which search engine is used to search for content. Record this setting so that you can use as the search engine on the Windows device. | -| Advanced sync settings | These settings configure which user settings are synchronized with the Google cloud, such as Apps, Extensions, History, Passwords, Settings, and so on. Record these settings and configure the Windows device with the same settings if you decide to continue to use Google Apps and other cloud services after you migrate to Windows devices. | -| Date and time | These settings configure the time zone and if 24-hour clock time should be used. Record these settings and configure the Windows device to use these settings. | -| Privacy | These settings configure Google Chrome web browser privacy settings (such as prediction service, phishing and malware protection, spelling errors, resource pre-fetch, and so on). Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | -| Bluetooth | This setting configures whether or not Bluetooth is enabled on the device. Record this setting and configure the Windows device similarly. | -| Passwords and forms | These settings configure Google Chrome web browser to enable autofill of web forms and to save web passwords. Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | -| Smart lock | These settings configure the Chromebook when the user’s Android phone is nearby and unlocked, which eliminates the need to type a password. You don’t need to migrate settings in this section. | -| Web content | These settings configure how the Chrome web browser displays content (such as font size and page zoom). Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | -| Languages | These settings configure the language in use for the Chromebook. Record these settings and configure the Windows device to support the same language. | -| Downloads | These settings configure the default folder for file download, if the user should be prompted where to save files, and if the Google Drive account should be disconnected. Record these settings and configure the Windows device with similar settings. | -| HTTPS/SSL | These settings configure client-side certificates that are used to authenticate the device. Depending on the services or apps that use these certificates, you may need to export and then migrate these certificates to the Windows device. Contact the service or app provider to determine if you can use the existing certificate or if a new certificate needs to be issued. Record these settings and migrate the certificate to the Windows device or enroll for a new certificate as required by the service or app. | -| Google Cloud Print | These settings configure the printers that are available to the user. Record the list of printers available to the user and configure the Windows device to have the same printers available. Ensure that the user-friendly printer names in Windows are the same as for the Chromebook device. For example, if the Chromebook device has a printer named “Laser Printer in Registrar’s Office”, use that same name in Windows. | -| On startup | These settings configure which web pages are opened when the Chrome web browser starts. Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | -| Accessibility | These settings configure the Chromebook ease of use (such as display of large mouse cursor, use of high contrast mode, enablement of the screen magnifier, and so on). Record these settings and configure the Windows device with similar settings. | -| Powerwash | This action removes all user accounts and resets the Chromebook device back to factory settings. You don’t have to migrate any settings in this section. | -| Reset settings | This action retains all user accounts, but restores all settings back to their default values. You don’t have to migrate any settings in this section. | -  -Determine how many users have similar settings and then consider managing those settings centrally. For example, a large number of users may have many of the same Chrome web browser settings. You can centrally manage these settings in Windows after migration. -Also, as a part of this planning process, consider settings that may not be currently managed centrally, but should be managed centrally. Record the settings that are currently being locally managed, but you want to manage centrally after the migration. - -**Prioritize settings to migrate** - -After you have collected all the Chromebook user, app, and device settings that you want to migrate, you need to prioritize each setting. Evaluate each setting and assign a priority to the setting based on the levels of high, medium, and low. -Assign the setting-migration priority based on how critical the setting is to the faculty performing their day-to-day tasks and how the setting affects the curriculum in the classrooms. Focus on the migration of higher priority settings and put less effort into the migration of lower priority settings. There may be some settings that are not necessary at all and can be dropped from your list of settings entirely. Record the setting priority in the list of settings you plan to migrate. - -## Plan for email migration - -Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. You need to create the list of users you will migrate and the best time to perform the migration. -Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information, see [Migrate Google Apps mailboxes to Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690252). - -**Identify the list of user mailboxes to migrate** - -In regards to creating the list of users you will migrate, it might seem that the answer “all the users” might be the best one. However, depending on the time you select for migration, only a subset of the users may need to be migrated. For example, you may not persist student email accounts between semesters or between academic years. In this case you would only need to migrate faculty and staff. - -Also, when you perform a migration it is a great time to verify that all user mailboxes are active. In many environments there are a significant number of mailboxes that were provisioned for users that are no longer a part of the institution (such as interns or student assistants). You can eliminate these users from your list of user mailboxes to migrate. - -Create your list of user mailboxes to migrate in Excel 2016 based on the format described in step 7 in [Create a list of Gmail mailboxes to migrate](https://go.microsoft.com/fwlink/p/?LinkId=690253). If you follow this format, you can use the Microsoft Excel spreadsheet to perform the actual migration later in the process. - -**Identify companion devices that access Google Apps Gmail** - -In addition to Chromebook devices, users may have companion devices (smartphones, tablets, desktops, laptops, and so on) that also access the Google Apps Gmail mailbox. You will need to identify those companion devices and identify the proper configuration for those devices to access Office 365 mailboxes. - -After you have identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox. - -In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify this on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690254). -**Identify the optimal timing for the migration** - -Typically, the best time to perform the migration is between academic years or during semester breaks. Select the time of least activity for your institution. And during that time, the optimal time to perform the migration might be during an evening or over a weekend. - -Ensure that you communicate the time the migration will occur to your users well in advance. Also, ensure that users know how to access their Office 365 email after the migration is complete. Finally, ensure that your users know how to perform the common tasks they performed in Google Apps Gmail in Office 365 and/or Outlook 2016. - -## Plan for cloud storage migration - -Chromebook devices have limited local storage. So, most of your users will store data in cloud storage, such as Google Drive. You will need to plan how to migrate your cloud storage as a part of the Chromebook migration process. - -In this section, you will create a list of the existing cloud services, select the Microsoft cloud services that best meet your needs, and then optimize your cloud storage services migration plan. - -**Identify cloud storage services currently in use** - -Typically, most Chromebook users use Google Drive for cloud storage services because your educational institution purchased other Google cloud services and Google Drive is a part of those services. However, some users may use cloud storage services from other vendors. For each member of your faculty and staff and for each student, create a list of cloud storage services that includes the following: -- Name of the cloud storage service -- Cloud storage service vendor -- Associated licensing costs or fees -- Approximate storage currently in use per user - -Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there is no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan-cloud-services) section. - -**Optimize cloud storage services migration plan** - -Now that you know the current cloud storage services configuration, you need to optimize your cloud storage services migration plan for Microsoft OneDrive for Business. Optimization helps ensure that your use only the cloud storage services resources that are necessary for your requirements. - -Consider the following to help optimize your cloud storage services migration plan: - -- **Eliminate inactive user storage.** Before you perform the cloud storage services migration, identify cloud storage that is currently allocated to inactive users. Remove this storage from your list of cloud storage to migrate. -- **Eliminate or archive inactive files.** Review cloud storage to identify files that are inactive (have not been accessed for some period of time). Eliminate or archive these files so that they do not consume cloud storage. -- **Consolidate cloud storage services.** If multiple cloud storage services are in use, reduce the number of cloud storage services and standardize on one cloud storage service. This will help reduce management complexity, support time, and typically will reduce cloud storage costs. - -Record your optimization changes in your cloud storage services migration plan. - -## Plan for cloud services migration - -Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You have planned for these individual cloud services in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. - -In this section, you will create a combined list of these cloud services and then select the appropriate strategy to migrate these cloud services. - -### - -**Identify cloud services currently in use** - -You have already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. Create a unified list of these cloud services and record the following about each service: -- Cloud service name -- Cloud service provider -- Number of users that use the cloud service - -**Select cloud services to migrate** - -One of the first questions you should ask after you identify the cloud services currently in use is, “Why do we need to migrate from these cloud services?” The answer to this question largely comes down to finances and features. - -Here is a list of reasons that describe why you might want to migrate from an existing cloud service to Microsoft cloud services: -- **Better integration with Office 365.** If your long-term strategy is to migrate to Office 365 apps (such as Word 2016 or Excel 2016) then a migration to Microsoft cloud services will provide better integration with these apps. The use of existing cloud services may not be as intuitive for users. For example, Office 365 apps will integrate better with OneDrive for Business compared to Google Drive. -- **Online apps offer better document compatibility.** Microsoft Office online apps (such as Word Online and Excel Online) provide the highest level of compatibility with Microsoft Office documents. The Office online apps allow you to open and edit documents directly from SharePoint or OneDrive for Business. Users can access the Office online app from any device with Internet connectivity. -- **Reduce licensing costs.** If you pay for Office 365 licenses, then Office 365 apps and cloud storage are included in those licenses. Although you could keep existing cloud services, you probably would pay more to keep those services. -- **Improve storage capacity and cross-platform features.** Microsoft cloud services provide competitive storage capacity and provide more Windows-centric features than other cloud services providers. While the Microsoft cloud services user experience is highly optimized for Windows devices, Microsoft cloud services are also highly optimized for companion devices (such as iOS or Android devices). -Review the list of existing cloud services that you created in the [Identify cloud services currently in use](#identify-cloud-services-inuse) section and identify the cloud services that you want to migrate to Microsoft cloud services. If you determine at the end of this task that there are no cloud services to be migrated, then skip to the [Plan for Windows device deployment](#plan-windevice-deploy) section. Also, skip the [Perform cloud services migration](#perform-cloud-services-migration) section later in this guide. - -**Prioritize cloud services** - -After you have created your aggregated list of cloud services currently in use by Chromebook users, prioritize each cloud service. Evaluate each cloud service and assign a priority based on the levels of high, medium, and low. -Assign the priority based on how critical the cloud service is to the faculty and staff performing their day-to-day tasks and how the cloud service affects the curriculum in the classrooms. Also, make cloud services that are causing pain for the users a higher priority. For example, if users experience outages with a specific cloud service, then make migration of that cloud service a higher priority. - -Focus on the migration of higher priority cloud services first and put less effort into the migration of lower priority cloud services. There may be some cloud services that are unnecessary and you can remove them from your list of cloud services to migrate entirely. Record the cloud service migration priority in the list of cloud services you plan to migrate. - -### - -**Select cloud services migration strategy** - -When you deploy the Windows devices, should you migrate the faculty, staff, and students to the new cloud services? Perhaps. But, in most instances you will want to select a migration strategy that introduces a number of small changes over a period of time. - -Consider the following when you create your cloud services migration strategy: - -- **Introduce small changes.** The move from Chrome OS to Windows will be simple for most users as most will have exposure to Windows from home, friends, or family. However, users may not be as familiar with the apps or cloud services. Consider the move to Windows first, and then make other changes as time progresses. -- **Start off by using existing apps and cloud services.** Immediately after the migration to Windows devices, you may want to consider running the existing apps and cloud services (such Google Apps, Google Apps Gmail, and Google Drive). This gives users a familiar method to perform their day-to-day tasks. -- **Resolve pain points.** If some existing apps or cloud services cause problems, you may want to migrate them sooner rather than later. In most instances, users will be happy to go through the learning curve of a new app or cloud service if it is more reliable or intuitive for them to use. -- **Migrate classrooms or users with common curriculum.** Migrate to Windows devices for an entire classroom or for multiple classrooms that share common curriculum. You must ensure that the necessary apps and cloud services are available for the curriculum prior to the migration of one or more classrooms. -- **Migrate when the fewest number of active users are affected.** Migrate your cloud services at the end of an academic year or end of a semester. This will ensure you have minimal impact on faculty, staff, and students. Also, a migration during this time will minimize the learning curve for users as they are probably dealing with new curriculum for the next semester. Also, you may not need to migrate student apps and data because many educational institutions do not preserve data between semesters or academic years. -- **Overlap existing and new cloud services.** For faculty and staff, consider overlapping the existing and new cloud services (having both services available) for one business cycle (end of semester or academic year) after migration. This allows you to easily recover any data that might not have migrated successfully from the existing cloud services. At a minimum, overlap the user of existing and new cloud services until the user can verify the migration. Of course, the tradeoff for using this strategy is the cost of the existing cloud services. However, depending on when license renewal occurs, the cost may be minimal. - -## Plan for Windows device deployment - -You need to plan for Windows device deployment to help ensure that the devices are successfully installed and configured to replace the Chromebook devices. Even if the vendor that provides the devices pre-loads Windows 10 on them, you still will need to perform other tasks. - -In this section you will select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation. - -### - -**Select a Windows device deployment strategy** - -What decisions need to be made about Windows device deployment? You just put the device on a desk, hook up power, connect to Wi-Fi, and then let the users operate the device, right? That is essentially correct, but depending on the extent of your deployment and other factors, you need to consider different deployment strategies. - -For each classroom that has Chromebook devices, select a combination of the following device deployment strategies: - -- **Deploy one classroom at a time.** In most cases you will want to perform your deployment in batches of devices and a classroom is an excellent way to batch devices. You can treat each classroom as a unit and check each classroom off your list after you have deployed the devices. -- **Deploy based on curriculum.** Deploy the Windows devices after you have confirmed that the curriculum is ready for the Windows devices. If you deploy Windows devices without the curriculum installed and tested, you could significantly reduce the ability for students and teachers to perform effectively in the classroom. Also, deployment based on curriculum has the advantage of letting you move from classroom to classroom quickly if multiple classrooms use the same curriculum. -- **Deploy side-by-side.** In some instances you may need to have both the Chromebook and Windows devices in one or more classrooms. You can use this strategy if some of the curriculum only works on Chromebook and other parts of the curriculum works on Windows devices. This is a good method to help prevent delays in Windows device deployment, while ensuring that students and teachers can make optimal use of technology in their curriculum. -- **Deploy after apps and cloud services migration.** If you deploy a Windows device without the necessary apps and cloud services to support the curriculum, this provides only a portion of your complete solution. Ensure that the apps and cloud services are tested, provisioned, and ready for use prior to the deployment of Windows devices. -- **Deploy after the migration of user and device settings.** Ensure that you have identified the user and device settings that you plan to migrate and that those settings are ready to be applied to the new Windows devices. For example, you would want to create Group Policy Objects (GPOs) to apply the user and device settings to Windows devices. - - If you ensure that Windows devices closely mirror the Chromebook device configuration, you will ease user learning curve and create a sense of familiarity. Also, when you have the settings ready to be applied to the devices, it helps ensure you will deploy your new Windows devices in a secure configuration. - -Record the combination of Windows device deployment strategies that you selected. - -### - -**Plan for AD DS and Azure AD services** - -The next decision you will need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you will manage your users, apps, and devices and if you will use Office 365 and other Azure-based cloud services. - -In the hybrid configuration, your on-premises AD DS user and group objects are synchronized with Azure AD (including passwords). The synchronization happens both directions so that changes are made in both your on-premises AD DS and Azure AD. -Table 5 is a decision matrix that helps you decide if you can use only on-premises AD DS, only Azure AD, or a combination of both (hybrid). If the requirements you select from the table require on-premises AD DS and Azure AD, then you should select hybrid. For example, if you plan to use Office 365 and use Group Policy for management, then you would select hybrid. However, if you plan to use Office 365 and use Intune for management, then you would select only Azure AD. - -Table 5. Select on-premises AD DS, Azure AD, or hybrid - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    If you plan to...On-premises AD DSAzure ADHybrid
    Use Office 365XX
    Use Intune for managementXX
    Use System Center 2012 R2 Configuration Manager for managementXX
    Use Group Policy for managementXX
    Have devices that are domain-joinedXX
    Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joinedXX
    -  -### - -**Plan device, user, and app management** - -You may ask the question, “Why plan for device, user, and app management before you deploy the device?” The answer is that you will only deploy the device once, but you will manage the device throughout the remainder of the device's lifecycle. -Also, planning management before deployment is essential to being ready to support the devices as you deploy them. You want to have your management processes and technology in place when the first teachers, facility, or students start using their new Windows device. -Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, System Center Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan. - -Table 6. Device, user, and app management products and technologies - - --------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Desired featureWindows provisioning packagesGroup PolicyConfiguration ManagerIntuneMDTWindows Software Update Services
    Deploy operating system imagesXXX
    Deploy apps during operating system deploymentXXX
    Deploy apps after operating system deploymentXXX
    Deploy software updates during operating system deploymentXX
    Deploy software updates after operating system deploymentXXXXX
    Support devices that are domain-joinedXXXXX
    Support devices that are not domain-joinedXXX
    Use on-premises resourcesXXXX
    Use cloud-based servicesX
    -  -You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. - -Record the device, user, and app management products and technologies that you selected. - -### - -**Plan network infrastructure remediation** - -In addition to AD DS, Azure AD, and management components, there are other network infrastructure services that Windows devices need. In most instances, Windows devices have the same network infrastructure requirements as the existing Chromebook devices. - -Examine each of the following network infrastructure technologies and services and determine if any remediation is necessary: - -- **Domain Name System (DNS)** provides translation between a device name and its associated IP address. For Chromebook devices, public facing, Internet DNS services are the most important. For Windows devices that only access the Internet, they have the same requirements. - - However, if you intend to communicate between Windows devices (peer-to-peer or client/server) then you will need local DNS services. Windows devices will register their name and IP address with the local DNS services so that Windows devices can locate each other. - -- **Dynamic Host Configuration Protocol (DHCP)** provides automatic IP configuration for devices. Your existing Chromebook devices probably use DHCP for configuration. If you plan to immediately replace the Chromebook devices with Windows devices, then you only need to release all the DHCP reservations for the Chromebook devices prior to the deployment of Windows devices. - - If you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your DHCP service has adequate IP addresses available for both sets of devices. - -- **Wi-Fi.** Chromebook devices are designed to connect to Wi-Fi networks. Windows devices are the same. Your existing Wi-Fi network for the Chromebook devices should be adequate for the same number of Windows devices. - - If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that Wi-Fi network can support the number of devices. - -- **Internet bandwidth.** Chromebook devices consume more Internet bandwidth (up to 700 times more) than Windows devices. This means that if your existing Internet bandwidth is adequate for the Chromebook devices, then the bandwidth will be more than adequate for Windows devices. - - However, if you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your Internet connection can support the number of devices. - - For more information that compares Internet bandwidth consumption for Chromebook and Windows devices, see the following resources: - - - [Chromebook vs. Windows Notebook Network Traffic Analysis](https://go.microsoft.com/fwlink/p/?LinkId=690255) - - [Hidden Cost of Chromebook Deployments](https://go.microsoft.com/fwlink/p/?LinkId=690256) - - [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](https://go.microsoft.com/fwlink/p/?LinkId=690257) - -- **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This means that your existing power outlets should support the same number of Windows devices. - - If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, you need to ensure that the power outlets, power strips, and other power management components can support the number of devices. - -At the end of this process, you may determine that no network infrastructure remediation is necessary. If so, you can skip the [Perform network infrastructure remediation](#network-infra-remediation) section of this guide. - -## Perform Chromebook migration - -Thus far, planning has been the primary focus. Believe it or not most of the work is now done. The rest of the Chromebook migration is just the implementation of the plan you have created. - -In this section you will perform the necessary steps for the Chromebook device migration. You will perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan-migration) section earlier in this guide. - -You must perform some of the steps in this section in a specific sequence. Each section has guidance about when to perform a step. You can perform other steps before, during, or after the migration. Again, each section will tell you if the sequence is important. - -## Perform network infrastructure remediation - -The first migration task is to perform any network infrastructure remediation. In the [Plan network infrastructure remediation](#plan-network-infra-remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform. - -It is important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each. - -Table 7. Network infrastructure products and technologies and deployment resources - - ---- - - - - - - - - - - - - - - - - -
    Product or technologyResources
    DHCP
      -
    • [Core Network Guide](https://go.microsoft.com/fwlink/p/?LinkId=733920)

    • -
    • [DHCP Deployment Guide](https://go.microsoft.com/fwlink/p/?LinkId=734021)

    • -
    DNS
      -
    • [Core Network Guide](https://go.microsoft.com/fwlink/p/?LinkId=733920)

    • -
    • [Deploying Domain Name System (DNS)](https://go.microsoft.com/fwlink/p/?LinkId=734022)

    • -
    -  -If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section. - -## Perform AD DS and Azure AD services deployment or remediation - -It is important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations. -In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both. - -Table 8. AD DS, Azure AD and deployment resources - - ---- - - - - - - - - - - - - - - - - -
    Product or technologyResources
    AD DS
      -
    • [Core Network Guide](https://go.microsoft.com/fwlink/p/?LinkId=733920)

    • -
    • [Active Directory Domain Services Overview](https://go.microsoft.com/fwlink/p/?LinkId=733909)

    • -
    Azure AD
      -
    • [Azure Active Directory documentation](https://go.microsoft.com/fwlink/p/?LinkId=690258)

    • -
    • [Manage and support Azure Active Directory Premium](https://go.microsoft.com/fwlink/p/?LinkId=690259)

    • -
    • [Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](https://go.microsoft.com/fwlink/p/?LinkId=690260)

    • -
    -  -If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps. -## Prepare device, user, and app management systems - -In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you will use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You will use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings. - -Table 9 lists the Microsoft management systems and the deployment resources for each. Use the resources in this table to prepare (deploy or remediate) these management systems. - -Table 9. Management systems and deployment resources - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Management systemResources
    Windows provisioning packages
      -
    • [Build and apply a provisioning package](https://go.microsoft.com/fwlink/p/?LinkId=733918)

    • -
    • [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=733911)

    • -
    • [Step-By-Step: Building Windows 10 Provisioning Packages](https://go.microsoft.com/fwlink/p/?LinkId=690261)

    • -
    Group Policy
      -
    • [Core Network Companion Guide: Group Policy Deployment](https://go.microsoft.com/fwlink/p/?LinkId=733915)

    • -
    • [Deploying Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=734024)

    • -
    Configuration Manager
      -
    • [Site Administration for System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=733914)

    • -
    • [Deploying Clients for System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=733919)

    • -
    Intune
      -
    • [Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262)

    • -
    • [Smoother Management Of Office 365 Deployments with Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=690263)

    • -
    • [System Center 2012 R2 Configuration Manager & Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=690264)

    • -
    MDT
      -
    • [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=690324)

    • -
    • [Step-By-Step: Installing Windows 8.1 From A USB Key](https://go.microsoft.com/fwlink/p/?LinkId=690265)

    • -
    -  -If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. - -## Perform app migration or replacement - -In the [Plan for app migration or replacement](#plan-app-migrate-replace) section, you identified the apps currently in use on Chromebook devices and selected the Windows apps that will replace the Chromebook apps. You also performed app compatibility testing for web apps to ensure that web apps on the Chromebook devices would run on Microsoft Edge and Internet Explorer. - -In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Table 10 lists the Microsoft management systems and the app deployment resources for each. Use the resources in this table to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide. - -Table 10. Management systems and app deployment resources - - ---- - - - - - - - - - - - - - - - - - - - - -
    Management systemResources
    Group Policy
      -
    • [Editing an AppLocker Policy](https://go.microsoft.com/fwlink/p/?LinkId=734025)

    • -
    • [Group Policy Software Deployment Background](https://go.microsoft.com/fwlink/p/?LinkId=734026)

    • -
    • [Assigning and Publishing Software](https://go.microsoft.com/fwlink/p/?LinkId=734027)

    • -
    Configuration Manager
      -
    • [How to Deploy Applications in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=733917)

    • -
    • [Application Management in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=733907)

    • -
    Intune
      -
    • [Deploy apps to mobile devices in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733913)

    • -
    • [Manage apps with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733910)

    • -
    -  -If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. - -## Perform migration of user and device settings - -In the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, you determined the user and device settings that you want to migrate. You selected settings that are configured in the Google Admin Console and locally on the Chromebook device. - -Perform the user and device setting migration by using the following steps: - -1. From the list of institution-wide settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure as many as possible in your management system (such as Group Policy, Configuration Manager, or Intune). -2. From the list of device-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure device-specific setting for higher priority settings. -3. From the list of user-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure user-specific setting for higher priority settings. -4. Verify that all higher-priority user and device settings have been configured in your management system. - -If you do no want to migrate any user or device settings from the Chromebook devices to the Windows devices, you can skip this section. - -## Perform email migration - -In the [Plan for email migration](#plan-email-migrate) section, you identified the user mailboxes to migrate, identified the companion devices that access Google Apps Gmail, and identified the optimal timing for migration. You can perform this migration before or after you deploy the Windows devices. - -Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information on how to automate the migration from Google Apps Gmail to Office 365, see [Migrate Google Apps mailboxes to Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690252). - -Alternatively, if you want to migrate to Office 365 from: -- **On-premises Microsoft Exchange Server.** Use the following resources to migrate to Office 365 from an on-premises Microsoft Exchange Server: - - [Cutover Exchange Migration and Single Sign-On](https://go.microsoft.com/fwlink/p/?LinkId=690266) - - [Step-By-Step: Migration of Exchange 2003 Server to Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690267) - - [Step-By-Step: Migrating from Exchange 2007 to Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690268) -- **Another on-premises or cloud-based email service.** Follow the guidance from that vendor. - -## Perform cloud storage migration - -In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you will use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. - -Manually migrate the cloud storage migration by using the following steps: - -1. Install both Google Drive app and OneDrive for Business or OneDrive app on a device. -2. Sign in as the user in the Google Drive app. -3. Sign in as the user in the OneDrive for Business or OneDrive app. -4. Copy the data from the Google Drive storage to the OneDrive for Business or OneDrive storage. -5. Optionally uninstall the Google Drive app. - -There are also a number of software vendors who provide software that helps automate the migration from Google Drive to OneDrive for Business, Office 365 SharePoint, or OneDrive. For more information about these automated migration tools, contact the vendors. - -## Perform cloud services migration - -In the [Plan for cloud services migration](#plan-cloud-services)section, you identified the cloud services currently in use, selected the cloud services that you want to migrate, prioritized the cloud services to migrate, and then selected the cloud services migration strategy. You can perform the cloud services migration before or after you deploy the Windows devices. - -Migrate the cloud services that you currently use to the Microsoft cloud services that you selected. For example, you could migrate from a collaboration website to Office 365 SharePoint. Perform the cloud services migration based on the existing cloud services and the Microsoft cloud services that you selected. - -There are also a number of software vendors who provide software that helps automate the migration from other cloud services to Microsoft cloud services. For more information about these automated migration tools, contact the vendors. - -## Perform Windows device deployment - -In the [Select a Windows device deployment strategy](#select-windows-device-deploy) section, you selected how you wanted to deploy Windows 10 devices. The other migration task that you designed in the [Plan for Windows device deployment](#plan-windevice-deploy) section have already been performed. Now it's time to deploy the actual devices. - -For example, if you selected to deploy Windows devices by each classroom, start with the first classroom and then proceed through all of the classrooms until you’ve deployed all Windows devices. - -In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager and/or MDT. For information on how to deploy -Windows 10 images to the devices, see the following resources: - -- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=733911) -- [Build and apply a provisioning package](https://go.microsoft.com/fwlink/p/?LinkId=733918) -- [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=690324) -- [Step-By-Step: Installing Windows 8.1 From A USB Key](https://go.microsoft.com/fwlink/p/?LinkId=690265) -- [Operating System Deployment in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=733916) - -In addition to the Windows 10 image deployment, you may need to perform the following tasks as a part of device deployment: - -- Enroll the device with your management system. -- Ensure that Windows Defender is enabled and configured to receive updates. -- Ensure that Windows Update is enabled and configured to receive updates. -- Deploy any apps that you want the user to immediately be able to access when they start the device (such as Word 2016 or Excel 2016). - -After you complete these steps, your management system should take over the day-to-day maintenance tasks for the Windows 10 devices. Verify that the user and device settings migrated correctly as you deploy each batch of Windows 10 devices. Continue this process until you deploy all Windows 10 devices. - -## Related topics -- [Try it out: Windows 10 deployment (for education)](https://go.microsoft.com/fwlink/p/?LinkId=623254) -- [Try it out: Windows 10 in the classroom](https://go.microsoft.com/fwlink/p/?LinkId=623255) -  -  diff --git a/windows/plan/common-compatibility-issues.md b/windows/plan/common-compatibility-issues.md deleted file mode 100644 index 0883298316..0000000000 --- a/windows/plan/common-compatibility-issues.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -title: Common Compatibility Issues (Windows 10) -ms.assetid: f5ad621d-bda2-45b5-ae85-bc92970f602f -description: List of common compatibility issues, based on the type of technology. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/compatibility-monitor-users-guide.md b/windows/plan/compatibility-monitor-users-guide.md deleted file mode 100644 index a183923ba1..0000000000 --- a/windows/plan/compatibility-monitor-users-guide.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Compatibility Monitor User's Guide (Windows 10) -description: Compatibility Monitor is a tool in the runtime analysis package that you can use to monitor applications for compatibility issues. You can also use the Compatibility Monitor tool to submit compatibility feedback. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/computer-dialog-box.md b/windows/plan/computer-dialog-box.md deleted file mode 100644 index 89054bac9a..0000000000 --- a/windows/plan/computer-dialog-box.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Computer Dialog Box (Windows 10) -description: In Application Compatibility Manager (ACM), the Computer dialog box shows information about the selected computer. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/configuring-act.md b/windows/plan/configuring-act.md deleted file mode 100644 index 372e1dcaf1..0000000000 --- a/windows/plan/configuring-act.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Configuring ACT (Windows 10) -description: This section provides information about setting up the Application Compatibility Toolkit (ACT) in your organization. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/creating-a-runtime-analysis-package.md b/windows/plan/creating-a-runtime-analysis-package.md deleted file mode 100644 index e6b56c752b..0000000000 --- a/windows/plan/creating-a-runtime-analysis-package.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -title: Creating a Runtime-Analysis Package (Windows 10) -description: In Application Compatibility Manager (ACM), you can create runtime-analysis packages, which you can then deploy to computers for compatibility testing in your test environment. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- -  - - - - - diff --git a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md b/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md deleted file mode 100644 index 2953ad9c9f..0000000000 --- a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Creating an Enterprise Environment for Compatibility Testing (Windows 10) -description: The goal of the test environment is to model the operating system that you want to deploy and assess compatibility before deploying the operating system to your production environment. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/creating-an-inventory-collector-package.md b/windows/plan/creating-an-inventory-collector-package.md deleted file mode 100644 index c52e8f3965..0000000000 --- a/windows/plan/creating-an-inventory-collector-package.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Creating an Inventory-Collector Package (Windows 10) -description: You can use Application Compatibility Manager (ACM) to create an inventory-collector package. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/creating-and-editing-issues-and-solutions.md b/windows/plan/creating-and-editing-issues-and-solutions.md deleted file mode 100644 index e1897a0122..0000000000 --- a/windows/plan/creating-and-editing-issues-and-solutions.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Creating and Editing Issues and Solutions (Windows 10) -description: This section provides step-by-step instructions for adding and editing application compatibility issues and solutions. Your issue and solution data can be uploaded to Microsoft through the Microsoft® Compatibility Exchange. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/customizing-your-report-views.md b/windows/plan/customizing-your-report-views.md deleted file mode 100644 index 1c69e77305..0000000000 --- a/windows/plan/customizing-your-report-views.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Customizing Your Report Views (Windows 10) -description: You can customize how you view your report data in Application Compatibility Manager (ACM). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md b/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md deleted file mode 100644 index 97e2f14378..0000000000 --- a/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Data Sent Through the Microsoft Compatibility Exchange (Windows 10) -description: The Microsoft Compatibility Exchange propagates data of various types between Microsoft Corporation, independent software vendors (ISVs) and the Application Compatibility Toolkit (ACT) Community. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md b/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md deleted file mode 100644 index d4d3319cbc..0000000000 --- a/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Deciding Whether to Fix an Application or Deploy a Workaround (Windows 10) -description: You can fix a compatibility issue by changing the code for the application or by deploying a workaround. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/deciding-which-applications-to-test.md b/windows/plan/deciding-which-applications-to-test.md deleted file mode 100644 index 4b548c65f6..0000000000 --- a/windows/plan/deciding-which-applications-to-test.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Deciding Which Applications to Test (Windows 10) -description: Before starting your compatibility testing on the version of Windows that you want to deploy, you can use the Application Compatibility Toolkit (ACT) to identify which applications should be the focus of your testing. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/deleting-a-data-collection-package.md b/windows/plan/deleting-a-data-collection-package.md deleted file mode 100644 index c5401542c9..0000000000 --- a/windows/plan/deleting-a-data-collection-package.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Deleting a Data-Collection Package (Windows 10) -description: In Application Compatibility Manager (ACM), you can delete any of your existing data-collection packages from the database. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/deploy-windows-10-in-a-school.md b/windows/plan/deploy-windows-10-in-a-school.md deleted file mode 100644 index b451e7b8aa..0000000000 --- a/windows/plan/deploy-windows-10-in-a-school.md +++ /dev/null @@ -1,1263 +0,0 @@ ---- -title: Deploy Windows 10 in a school (Windows 10) -description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. -redirect_url: https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school -keywords: configure, tools, device, school -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: edu -ms.sitesec: library -author: craigash ---- - -# Deploy Windows 10 in a school - - -**Applies to** - -- Windows 10 - -This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment as well as the automated tools and built-in features of the operating system. - -## Prepare for school deployment - -Proper preparation is essential for a successful school deployment. To avoid common mistakes, your first step is to plan a typical school configuration. Just as with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you will configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school. - -### Plan a typical school configuration - -As part of preparing for your school deployment, you need to plan your configuration—the focus of this guide. Figure 1 illustrates a typical finished school configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. - -![fig 1](images/deploy-win-10-school-figure1.png) - -*Figure 1. Typical school configuration for this guide* - -Figure 2 shows the classroom configuration this guide uses. - -![fig 2](images/deploy-win-10-school-figure2.png) - -*Figure 2. Typical classroom configuration in a school* - -This school configuration has the following characteristics: -- It contains one or more admin devices. -- It contains two or more classrooms. -- Each classroom contains one teacher device. -- The classrooms connect to each other through multiple subnets. -- All devices in each classroom connect to a single subnet. -- All devices have high-speed, persistent connections to each other and to the Internet. -- All teachers and students have access to Windows Store or Windows Store for Business. -- All devices receive software updates from Intune (or another device management system). -- You install a 64-bit version of Windows 10 on the admin device. -- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. -- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. -- You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device. ->**Note:**  In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. -- The devices use Azure AD in Office 365 Education for identity management. -- If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/). -- Use [Intune](http://technet.microsoft.com/library/jj676587.aspx), [compliance settings in Office 365](https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy](http://technet.microsoft.com/en-us/library/cc725828%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396) in AD DS to manage devices. -- Each device supports a one-student-per-device or multiple-students-per-device scenario. -- The devices can be a mixture of different make, model, and processor architecture (32 bit or 64 bit) or be identical. -- To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment Boot (PXE Boot). -- The devices can be a mixture of different Windows 10 editions, such as Windows 10 Home, Windows 10 Pro, and Windows 10 Education. - -Office 365 Education allows: - -- Students and faculty to use Microsoft Office Online to create and edit Microsoft Word, OneNote, PowerPoint, and Excel documents in a browser. -- Teachers to use the [OneNote Class Notebook app](https://www.onenote.com/classnotebook) to share content and collaborate with students. -- Faculty to use the [OneNote Staff Notebooks app](https://www.onenote.com/staffnotebookedu) to collaborate with other teachers, administration, and faculty. -- Teachers to employ Sway to create interactive educational digital storytelling. -- Students and faculty to use email and calendars, with mailboxes up to 50 GB per user. -- Faculty to use advanced email features like email archiving and legal hold capabilities. -- Faculty to help prevent unauthorized users from accessing documents and email by using Azure Rights Management. -- Faculty to use advanced compliance tools on the unified eDiscovery pages in the Office 365 Compliance Center. -- Faculty to host online classes, parent–teacher conferences, and other collaboration in Skype for Business or Skype. -- Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business. -- Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites. -- Students and faculty to use Office 365 Video to manage videos. -- Students and faculty to use Yammer to collaborate through private social networking. -- Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices). - -For more information about Office 365 Education features and a FAQ, go to [Office 365 Education](https://products.office.com/en-us/academic). - -## How to configure a school - -Now that you have the plan (blueprint) for your classroom, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. - -The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). - -You can use MDT as a stand-alone tool or integrate it with Microsoft System Center Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with System Center Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as System Center Configuration Manager) but result in fully automated deployments. - -MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps and migration of user settings on existing devices. - -LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. - -The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. - -The configuration process requires the following devices: - -- **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK and MDT on this device. -- **Faculty devices.** These are the devices that the teachers and other faculty use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. -- **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. - -The high-level process for deploying and configuring devices within individual classrooms and the school as a whole is as follows and illustrated in Figure 3: - -1. Prepare the admin device for use, which includes installing the Windows ADK and MDT. -2. On the admin device, create and configure the Office 365 Education subscription that you will use for each classroom in the school. -3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration). -4. On the admin device, create and configure a Windows Store for Business portal. -5. On the admin device, prepare for management of the Windows 10 devices after deployment. -6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10. -7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration. - -![fig 3](images/deploy-win-10-school-figure3.png) - -*Figure 3. How school configuration works* - -Each of the steps illustrated in Figure 3 directly correspond to the remaining high-level sections in this guide. - -### Summary - -In this section, you looked at the final configuration of your individual classrooms and the school as a whole upon completion of this guide. You also learned the high-level steps you need to perform to deploy the faculty and student devices in your school. - -## Prepare the admin device - -Now, you’re ready to prepare the admin device for use in the school. This process includes installing the Windows ADK, installing the MDT, and creating the MDT deployment share. - -### Install the Windows ADK - -The first step in preparing the admin device is to install the Windows ADK. The Windows ADK contains the deployment tools that MDT uses, including the Windows Preinstallation Environment (Windows PE), the Windows User State Migration Tool (USMT), and Deployment Image Servicing and Management. - -When you install the Windows ADK on the admin device, select the following features: - -- Deployment tools -- Windows Preinstallation Environment (Windows PE) -- User State Migration Tool (USMT) - -For more information about installing the Windows ADK, see [Step 2-2: Install the Windows ADK](http://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#InstallWindowsADK). - -### Install MDT - -Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment and is a free tool available directly from Microsoft. - -You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems. - ->**Note:**  If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32 bit versions of the operating system. - -For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com//library/dn759415.aspx#InstallingaNewInstanceofMDT). - -Now, you’re ready to create the MDT deployment share and populate it with the operating system, apps, and device drivers you want to deploy to your devices. - -### Create a deployment share - -MDT includes the Deployment Workbench, a graphical user interface that you can use to manage MDT deployment shares. A deployment share is a shared folder that contains all the MDT deployment content. The LTI Deployment Wizard accesses the deployment content over the network or from a local copy of the deployment share (known as MDT deployment media). - -For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](http://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#CreateMDTDeployShare). - -### Summary - -In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later in the LTI deployment process. - -## Create and configure Office 365 - -Office 365 is one of the core components of your classroom environment. You create and manage student identities in Office 365, and students and teachers use the suite as their email, contacts, and calendar system. Teachers and students use Office 365 collaboration features such as SharePoint, OneNote, and OneDrive for Business. - -As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](http://www.microsoft.com/en-us/education/products/office-365-deployment-resources/default.aspx). - -### Select the appropriate Office 365 Education license plan - -Complete the following steps to select the appropriate Office 365 Education license plan for your school: - -

      -
    1. Determine the number of faculty members and students who will use the classroom.
      Office 365 Education licensing plans are available specifically for faculty and students. You must assign faculty and students the correct licensing plan. -
    2. -
    3. Determine the faculty members and students who need to install Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Office 365 ProPlus plans). Table 1 lists the advantages and disadvantages of standard and Office 365 ProPlus plans.
    4. -
      -*Table 1. Comparison of standard and Microsoft Office 365 ProPlus plans* -
      - ----- - - - - - - - - - - - - -
      PlanAdvantagesDisadvantages
      Standard
      • Less expensive than Office 365 ProPlus
      • Can be run from any device
      • No installation necessary
      • Must have an Internet connection to use it
      • Does not support all the features found in Office 365 ProPlus
      Office ProPlus
      • Only requires an Internet connection every 30 days (for activation)
      • Supports full set of Office features
      • Requires installation
      • Can be installed on only five devices per user (there is no limit to the number of devices on which you can run Office apps online)
      -
      -The best user experience is to run Office 365 ProPlus or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device. -
      -
    5. Determine whether students or faculty need Azure Rights Management.
      You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see [Azure Rights Management](https://technet.microsoft.com/library/jj585024.aspx).
    6. -
    7. Record the Office 365 Education license plans needed for the classroom in Table 2.

      - -*Table 2. Office 365 Education license plans needed for the classroom* -
      - ---- - - - - - - - - - - - - -
      QuantityPlan
      Office 365 Education for students
      Office 365 Education for faculty
      Azure Rights Management for students
      Azure Rights Management for faculty
      -
      -You will use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide.
    - -### Create a new Office 365 Education subscription - -To create a new Office 365 Education subscription for use in the classroom, use your educational institution’s email account. There are no costs to you or to students for signing up for Office 365 Education subscriptions. - ->**Note:**  If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Add domains and subdomains](#add-domains-and-subdomains). - -#### To create a new Office 365 subscription - -1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. - - >**Note**  If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window in one of the following:
    - - Microsoft Edge by opening the Microsoft Edge app, either pressing Ctrl+Shift+P or clicking or tapping **More actions**, and then clicking or tapping **New InPrivate window**. - - Internet Explorer 11 by opening Internet Explorer 11, either pressing Ctrl+Shift+P or clicking or tapping **Settings**, clicking or tapping **Safety**, and then clicking or tapping **InPrivate Browsing**. - -2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You will receive an email in your school email account. -3. Click the hyperlink in the email in your school email account. -4. On the **One last thing** page, complete your user information, and then click **Start**. The wizard creates your new Office 365 Education subscription, and you are automatically signed in as the administrative user you specified when you created the subscription. - -### Add domains and subdomains - -Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has contoso.edu as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. - -#### To add additional domains and subdomains - -1. In the Office 365 admin center, in the list view, click **DOMAINS**. -2. In the details pane, above the list of domains, on the menu bar, click **Add domain**. -3. In the Add a New Domain in Office 365 Wizard, on the **Verify domain wizard** page, click **Let’s get started**. -4. On the **Verify domain** wizard page, in the **Enter a domain you already own** box, type your domain name, and then click **Next**. -5. Sign in to your domain name management provider (for example, Network Solutions or GoDaddy), and then complete the steps for your provider. -6. Repeat these steps for each domain and subdomain you want faculty and students to use for your institution. - -### Configure automatic tenant join - -To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant. - ->**Note:**  By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. - -Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: - -- If an Office 365 tenant with that domain name (contoso.edu) exists, Office 365 automatically adds the user to that tenant. -- If an Office 365 tenant with that domain name (contoso.edu) does not exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. - -You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365. - ->**Note:**  You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. - -All new Office 365 Education subscriptions have automatic tenant join enabled by default, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 3. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). - -*Table 3. Windows PowerShell commands to enable or disable Automatic Tenant Join* - - -| Action | Windows PowerShell command | -|------- |----------------------------| -| Enable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $true`| -| Disable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $false`| -

    ->**Note:**  If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. - -### Disable automatic licensing - -To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. - ->**Note:**  By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. - -Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 4. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). - -*Table 4. Windows PowerShell commands to enable or disable automatic licensing* - -| Action | Windows PowerShell command| -| -------| --------------------------| -| Enable |`Set-MsolCompanySettings -AllowAdHocSubscriptions $true`| -|Disable | `Set-MsolCompanySettings -AllowAdHocSubscriptions $false`| -

    -### Enable Azure AD Premium - -When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory. Azure AD is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD–integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. - -Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/#step-3-activate-your-azure-active-directory-access). - -The Azure AD Premium features that are not in Azure AD Basic include: - -- Allow designated users to manage group membership -- Dynamic group membership based on user metadata -- Multifactor authentication (MFA) -- Identify cloud apps that your users run -- Automatic enrollment in a mobile device management (MDM) system (such as Intune) -- Self-service recovery of BitLocker -- Add local administrator accounts to Windows 10 devices -- Azure AD Connect health monitoring -- Extended reporting capabilities - -You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users. - -You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process. - -For more information about: - -- Azure AD editions and the features in each, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/). -- How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx#create_tenant3). - -### Summary -You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365. - -## Select an Office 365 user account–creation method - - -Now that you have an Office 365 subscription, you need to determine how you will create your Office 365 user accounts. Use the following methods to create Office 365 user accounts: - -- **Method 1:** Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you have an on-premises AD DS domain. -- **Method 2:** Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain. - -### Method 1: Automatic synchronization between AD DS and Azure AD - -In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. - ->**Note:**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com//library/dn510997.aspx?f=255&MSPPError=-2147217396). - -![fig 4](images/deploy-win-10-school-figure4.png) - -*Figure 4. Automatic synchronization between AD DS and Azure AD* - -For more information about how to perform this step, see the [Integrate on-premises AD DS with Azure AD](#integrate-on-premises-ad-ds-with-azure-ad) section in this guide. - -### Method 2: Bulk import into Azure AD from a .csv file - -In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. - -![fig 5](images/deploy-win-10-school-figure5.png) - -*Figure 5. Bulk import into Azure AD from other sources* - -To implement this method, perform the following steps: - -1. Export the student information from the source. Ultimately, you want to format the student information in the format the bulk-import feature requires. -2. Bulk-import the student information into Azure AD. For more information about how to perform this step, see the [Bulk-import user accounts into Office 365](#bulk-import-user-accounts-into-office-365) section. - -### Summary - -In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Azure AD (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts. - -## Integrate on-premises AD DS with Azure AD - -You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS. - ->**Note:**  If your institution does not have an on-premises AD DS domain, you can skip this section. - -### Select synchronization model - -Before you deploy AD DS and Azure AD synchronization, you need to determine where you want to deploy the server that runs Azure AD Connect. - -You can deploy the Azure AD Connect tool by using one of the following methods: - -- **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. - - ![fig 6](images/deploy-win-10-school-figure6.png) - - *Figure 6. Azure AD Connect on premises* - -- **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. - - ![fig 7](images/deploy-win-10-school-figure7.png) - - *Figure 7. Azure AD Connect in Azure* - -This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com//library/dn635310.aspx). - -### Deploy Azure AD Connect on premises - -In this synchronization model (illustrated in Figure 6), you run Azure AD Connect on premises on a physical device or VM. Azure AD Connect synchronizes AD DS user and group accounts with Azure AD. Azure AD Connect includes a wizard that helps you configure Azure AD Connect for your AD DS domain and Office 365 subscription. First, you install Azure AD Connect; then, you run the wizard to configure it for your institution. - -#### To deploy AD DS and Azure AD synchronization - -1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-prerequisites/). -2. On the VM or physical device that will run Azure AD Connect, sign in with a domain administrator account. -3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#install-azure-ad-connect). -4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure features](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#configure-sync-features). - -Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. - -### Verify synchronization - -Azure AD Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Azure AD in the Office 365 admin console. - -#### To verify AD DS and Azure AD synchronization - -1. Open https://portal.office.com in your web browser. -2. Using the administrative account that you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section, sign in to Office 365. -3. In the list view, expand **USERS**, and then click **Active Users**. -4. In the details pane, view the list of users. The list of users should mirror the users in AD DS. -5. In the list view, click **GROUPS**. -6. In the details pane, view the list of security groups. The list of users should mirror the security groups in AD DS. -7. In the details pane, double-click one of the security groups. -8. The list of security group members should mirror the group membership for the corresponding security group in AD DS. -9. Close the browser. - -Now that you have verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium. - -### Summary - -In this section, you selected your synchronization model, deployed Azure AD Connect, and verified that Azure AD is synchronizing properly. - -## Bulk-import user and group accounts into AD DS - -You can bulk-import user and group accounts into your on-premises AD DS domain. Bulk-importing accounts helps reduce the time and effort needed to create users compared to creating the accounts manually in the Office 365 Admin portal. First, you select the appropriate method for bulk-importing user accounts into AD DS. Next, you create the .csv file that contains the user accounts. Finally, you use the selected method to import the .csv file into AD DS. - ->**Note:**  If your institution doesn’t have an on-premises AD DS domain, you can skip this section. - -### Select the bulk import method - -Several methods are available to bulk-import user accounts into AD DS domains. Table 5 lists the methods that the Windows Server operating system supports natively. In addition, you can use partner solutions to bulk-import user and group accounts into AD DS. - -*Table 5. AD DS bulk-import account methods* - -|Method | Description and reason to select this method | -|-------| ---------------------------------------------| -|Ldifde.exe |This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| -|VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com//scriptcenter/dd939958.aspx).| -|Windows PowerShell| This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| -

    -### Create a source file that contains the user and group accounts - -After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods. - -*Table 6. Source file format for each bulk import method* - -| Method | Source file format | -|--------| -------------------| -|Ldifde.exe|Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| -|VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx).| -| Windows PowerShell| Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| -

    -### Import the user accounts into AD DS - -With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method. - ->**Note:**  Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts. - -For more information about how to import user accounts into AD DS by using: - -- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx). -- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx). -- Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). - -### Summary - -In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts in to AD DS. If you have Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide. - -## Bulk-import user accounts into Office 365 - -You can bulk-import user and group accounts directly into Office 365, reducing the time and effort required to create users. First, you bulk-import the user accounts into Office 365. Then, you create the security groups for your institution. Finally, you create the email distribution groups your institution requires. - -### Create user accounts in Office 365 - -Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. - -You can use the Office 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). - -The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 2. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts. - -For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US). - ->**Note:**  If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process. - -The email accounts are assigned temporary passwords upon creation. You must communicate these temporary passwords to your users before they can sign in to Office 365. - -### Create Office 365 security groups - -Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources. - ->**Note:**  If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. - -For information about creating security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US). - -You can add and remove users from security groups at any time. - ->**Note:**  Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may need to sign out, and then sign in again for the change to take effect. - -### Create email distribution groups - -Microsoft Exchange Online uses an email distribution group as a single email recipient for multiple users. For example, you could create an email distribution group that contains all students. Then, you could send a message to the email distribution group instead of individually addressing the message to each student. - -You can create email distribution groups based on job role (such as teachers, administration, or students) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group. - ->**Note:**  Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps. - -For information about how to create security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US). - -### Summary - -Now, you have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. - -## Assign user licenses for Azure AD Premium - -Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. Educational institutions can obtain Azure AD Basic licenses at no cost and Azure AD Premium licenses at a reduced cost. - -You can assign Azure AD Premium licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium only to those users. - -For more information about: - -- Azure AD editions, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/). -- How to assign user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts). - -## Create and configure a Windows Store for Business portal - -Windows Store for Business allows you to create your own private portal to manage Windows Store apps in your institution. With Windows Store for Business, you can do the following: - -- Find and acquire Windows Store apps. -- Manage apps, app licenses, and updates. -- Distribute apps to your users. - -For more information about Windows Store for Business, see [Windows Store for Business overview](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview). - -The following section shows you how to create a Windows Store for Business portal and configure it for your school. - -### Create and configure your Windows Store for Business portal - -To create and configure your Windows Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Windows Store for Business. Windows Store for Business automatically creates a portal for your institution and uses your account as its administrator. - -#### To create and configure a Windows Store for Business portal - -1. In Microsoft Edge or Internet Explorer, type `http://microsoft.com/business-store` in the address bar. -2. On the **Windows Store for Business** page, click **Sign in with an organizational account**. ->**Note:**  If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. -3. On the Windows Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in. -4. On the **Windows Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept** -5. In the **Welcome to the Windows Store for Business** dialog box, click **OK**. - -After you create the Windows Store for Business portal, configure it by using the commands in the settings menu listed in Table 7. Depending on your institution, you may (or may not) need to change these settings to further customize your portal. - -*Table 7. Menu selections to configure Windows Store for Business settings* - -| Menu selection | What you can do in this menu | -|---------------| -------------------| -|Account information|Displays information about your Windows Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Portal. For more information, see [Update Windows Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings).| -|Device Guard signing|Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide).| -|LOB publishers| Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps).| -|Management tools| Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool).| -|Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see [Licensing model: online and offline licenses](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).| -|Permissions|Allows you to grant other users in your organization the ability to buy, manage, and administer your Windows Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business).| -|Private store|Allows you to change the organization name used in your Windows Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).| -

    -### Find, acquire, and distribute apps in the portal - -Now that you have created your Windows Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Windows Store for Business. - ->**Note:**  Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business. - -You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users. - -For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business). - -### Summary - -At the end of this section, you should have a properly configured Windows Store for Business portal. You have also found and acquired your apps from Windows Store. Finally, you should have deployed all your Windows Store apps to your users. Now, you’re ready to deploy Windows Store apps to your users. - -## Plan for deployment - -You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process. - -### Select the operating systems - -Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. In the case of: - -- New devices or refreshing existing devices, you will complete replace the existing operating system on a device with Windows 10. -- Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. - -Depending on your school’s requirements, you may need any combination of the following Windows 10 editions: - -- **Windows 10 Home**. Use this operating system to upgrade existing eligible institution-owned and personal devices that are running Windows 8.1 Home or Windows 7 Home to Windows 10 Home. -- **Windows 10 Pro**. Use this operating system to: - - Upgrade existing eligible institution-owned and personal devices running Windows 8.1 Pro or Windows 7 Professional to Windows 10 Pro. - - Deploy new instances of Windows 10 Pro to devices so that new devices have a known configuration. -- **Windows 10 Education**. Use this operating system to: - - Upgrade institution-owned devices to Windows 10 Education. - - Deploy new instances of Windows 10 Education so that new devices have a known configuration. - ->**Note:**  Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Windows Store for Business. These features are not available in Windows 10 Home. - -One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32 bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. - ->**Note:**  On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. - -Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture. - -### Select an image approach - -A key operating system image decision is whether to use a “thin” or “thick” image. *Thin images* contain only the operating system, and MDT installs the necessary device drivers and apps after the operating system has been installed. *Thick images* contain the operating system, “core” apps (such as Office), and device drivers. With thick images, MDT installs any device drivers and apps not included in the thick image after the operating system has been installed. - -The advantage to a thin image is that the final deployment configuration is dynamic, and you can easily change the configuration without having to capture another image. The disadvantage of a thin image is that it takes longer to complete the deployment. - -The advantage of a thick image is that the deployment takes less time than it would for a thin image. The disadvantage of a thick image is that you need to capture a new image each time you want to make a change to the operating system, apps, or other software in the image. - -### Select a method to initiate deployment - -The MDT deployment process is highly automated, requiring minimal information to deploy or upgrade Windows 10, but you must manually initiate the MDT deployment process. To do so, use the method listed in Table 8 that best meets the needs of your institution. - -*Table 8. Methods to initiate MDT deployment* - - ---- - - - - - - - - - - - - - - - - - - - - - - - -
    MethodDescription and reason to select this method
    Windows Deployment ServicesThis method:

    -
      -
    • Uses diskless booting to initiate MDT deployment.
    • -
    • Works only with devices that support PXE boot.
    • -
    • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
    • -
    • Deploys images more slowly than when using local media.
    • -
    • Requires that you deploy a Windows Deployment Services server.
    • -
    - -Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.
    Bootable mediaThis method:

    -
      -
    • Initiates MDT deployment by booting from local media, including from USB drives, DVD-ROM, or CD-ROM.
    • -
    • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
    • -
    • Deploys images more slowly than when using local media.
    • -
    • Requires no additional infrastructure.
    • -
    - -Select this method when you want to deploy Windows over-the-network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.
    MDT deployment mediaThis method:

    -
      -
    • Initiates MDT deployment by booting from a local USB hard disk.
    • -
    • Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
    • -
    • Deploys images more quickly than network-based methods do.
    • -
    • Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).
    • -
    - -Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share, you must regenerate the MDT deployment media and update the USB hard disk.
    - -### Summary - -At the end of this section, you should know the Windows 10 editions and processor architecture that you want to deploy (and will import later in the process). You also determined whether you want to use thin or thick images. Finally, you selected the method for initiating your LTI deployment. Now, you can prepare for Windows 10 deployment. - -## Prepare for deployment - -To deploy Windows 10 to devices, using the LTI deployment method in MDT. In this section, you prepare your MDT environment and Windows Deployment Services for Windows 10 deployment. - -### Configure the MDT deployment share - -The first step in preparation for Windows 10 deployment is to configure—that is, *populate*—the MDT deployment share. Table 9 lists the MDT deployment share configuration tasks that you must perform. Perform the tasks in the order represented in Table 9. - -*Table 9. Tasks to configure the MDT deployment share* - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    TaskDescription
    1. Import operating systemsImport the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench).
    2. Import device drivesDevice drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.

    - -Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench). - -
    3. Create MDT applications for Windows Store appsCreate an MDT application for each Windows Store app you want to deploy. You can deploy Windows Store apps by using *sideloading*, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called *provisioned apps*). Use this method to deploy up to 24 apps to Windows 10.

    - -Prior to sideloading the .appx files, obtain the Windows Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Windows Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Windows Store or Windows Store for Business.

    - -If you have Intune, you can deploy Windows Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows Store apps, and you can use it for ongoing management of Windows Store apps. This is the preferred method of deploying and managing Windows Store apps.

    - -In addition, you must prepare your environment for sideloading (deploying) Windows Store apps. For more information about how to:

    -
      -
    • Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](https://technet.microsoft.com/itpro/windows/deploy/sideload-apps-in-windows-10).
    • -
    • Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
    • -
    - - -
    4. Create MDT applications for Windows desktop apps -You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

    - -To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com//library/jj219423.aspx?f=255&MSPPError=-2147217396).

    - -If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

    **Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

    - -For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench). - -
    5. Create task sequences. -You must create a separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64 bit versions of Windows 10. To do so, you must create task sequences that will: -

    -
    • Deploy Windows 10 Education 64-bit to devices.
    • -
    • Deploy Windows 10 Education 32-bit to devices.
    • -
    • Upgrade existing devices to Windows 10 Education 64-bit.
    • -
    • Upgrade existing devices to Windows 10 Education 32-bit.
    • -
    - -Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). - -
    6. Update the deployment share. -Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64 bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

    - -For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench).
    - -### Configure Window Deployment Services for MDT - -You can use Windows Deployment Services in conjunction with MDT to automatically initiate boot images on target computers. These boot images can be Windows PE images (which you generated in Step 6 in Table 9) or custom images that can deploy operating systems directly to the target computers. - -#### To configure Windows Deployment Services for MDT - -1. Set up and configure Windows Deployment Services.

    Windows Deployment Services is a server role available in all Windows Server editions. You can enable the Windows Deployment Services server role on a new server or on any server running Windows Server in your institution. For more information about how to perform this step, see the following resources: - - - [Windows Deployment Services overview](https://technet.microsoft.com/library/hh831764.aspx) - - The Windows Deployment Services Help file, included in Windows Deployment Services - - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com//library/jj648426.aspx) - -2. Add LTI boot images (Windows PE images) to Windows Deployment Services.

    The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com//library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices). - -### Summary - -Now, Windows Deployment Services is ready to initiate the LTI deployment process in MDT. You have set up and configured Windows Deployment Services and added the LTI boot images, which you generated in the previous section, to Windows Deployment Services. Now, you’re ready to prepare to manage the devices in your institution. - -## Prepare for device management - -Before you deploy Windows 10 in your institution, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. - -### Select the management method - -If you have only one device to configure, manually configuring that one device is tedious but possible. When you have multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, manually keeping an identical configuration on each device is virtually impossible as the number of devices in the school increases. - -For a school, there are many ways to manage devices. Table 10 lists the methods that this guide describes and recommends. Use the information in Table 10 to determine which combination of management methods is right for your institution. - -*Table 10. School management methods* - - ---- - - - - - - - - - - - - - - - - - - - -
    MethodDescription
    Group Policy -Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you: -
      -
    • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
    • -
    • Want more granular control of device and user settings.
    • -
    • Have an existing AD DS infrastructure.
    • -
    • Typically manage on-premises devices.
    • -
    • Can manage a required setting only by using Group Policy.
    • -
    - -The advantages of this method include: -
      -
    • No cost beyond the AD DS infrastructure.
    • -
    • A larger number of settings (compared to Intune).
    • -
    -The disadvantages of this method are: -
      -
    • Can only manage domain-joined (institution-owned devices).
    • -
    • Requires an AD DS infrastructure (if the institution does not have AD DS already).
    • -
    • Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess).
    • -
    -
    IntuneIntune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD. -Select this method when you: -
      -
    • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
    • -
    • Don’t require the level of granular control over device and user settings (compared to Group Policy).
    • -
    • Don’t have an existing AD DS infrastructure.
    • -
    • Need to manage devices regardless of where they are (on or off premises).
    • -
    • Can manage a required setting only by using Intune.
    • -
    - -The advantages of this method are: -
      -
    • You can manage institution-owned and personal devices.
    • -
    • It doesn’t require that devices be domain joined.
    • -
    • It doesn’t require any on-premises infrastructure.
    • -
    • It can manage devices regardless of their location (on or off premises).
    • - -
    -The disadvantages of this method are: -
      -
    • Carries an additional cost for subscription.
    • -
    • Doesn’t have a granular level control over device and user settings (compared to Group Policy).
    • -
    - -

    - -### Select Microsoft-recommended settings - -Microsoft has several recommended settings for educational institutions. Table 11 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 11 and evaluate their relevancy to your institution. Use the information to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. - -*Table 11. Recommended settings for educational institutions* - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    RecommendationDescription
    Use of Microsoft accountsYou want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

    -**Note:**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

    -**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com//library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

    -**Intune.** Enable or disable the camera by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. -
    Restrict local administrator accounts on the devicesEnsure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

    -**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com//library/cc732525.aspx).

    -**Intune**. Not available. -
    Restrict the local administrator accounts on the devicesEnsure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

    -**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com//library/cc732525.aspx).

    -**Intune**. Not available. -
    Manage the built-in administrator account created during device deploymentWhen you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

    -**Group Policy**. Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com//library/cc747484.aspx). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com//library/jj852165.aspx).

    -**Intune**. Not available. -
    Control Windows Store accessYou can control access to Windows Store and whether existing Windows Store apps receive updates. You can only disable the Windows Store app in Windows 10 Education and Windows 10 Enterprise.

    -**Group Policy**. You can disable the Windows Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Windows Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Windows Store in my enterprise environment?](https://technet.microsoft.com//library/hh832040.aspx#BKMK_UseGP).

    -**Intune**. You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy. -
    Use of Remote Desktop connections to devicesRemote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.

    -**Group Policy**. You can enable or disable Remote Desktop connections to devices by using the **Allow Users to connect remotely using Remote Desktop setting** in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

    -**Intune**. Not available. -
    Use of cameraA device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.

    -**Group Policy**. Not available.

    -**Intune**. You can enable or disable the camera by using the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. -
    Use of audio recordingAudio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.

    -**Group Policy**. You can disable the Sound Recorder app by using the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in [Editing an AppLocker Policy](https://technet.microsoft.com//library/ee791894(v=ws.10).aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com//library/ee791899.aspx).

    -**Intune**. You can enable or disable the camera by using the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy. -
    Use of screen captureScreen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.

    -**Group Policy**. Not available.

    -**Intune**. You can enable or disable the camera by using the **Allow screen capture** policy setting in the **System** section of a **Windows 10 General Configuration** policy. -
    Use of location servicesProviding a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.

    -**Group Policy**. You can enable or disable location services by using the **Turn off location** Group Policy setting in User Configuration\Windows Components\Location and Sensors.

    -**Intune**. You can enable or disable the camera by using the **Allow geolocation** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. -
    Changing wallpaperDisplaying a custom wallpaper can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or the device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on your devices.

    -**Group Policy**. You can configure the wallpaper by using the **Desktop WallPaper** setting in User Configuration\Administrative Templates\Desktop\Desktop.

    -**Intune**. Not available. -

    - -### Configure settings by using Group Policy - -Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You will configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. - -For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com//library/cc754948.aspx). - -#### To configure Group Policy settings - -1. Create a Group Policy object (GPO) that will contain the Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com//library/cc738830.aspx). -2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com//library/cc739902.aspx). -3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com//library/cc738954(v=ws.10).aspx). - -### Configure settings by using Intune - -Now, you’re ready to configure settings by using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. - -For more information about Intune, see [Documentation for Microsoft Intune](https://docs.microsoft.com/en-us/intune/). - -#### To configure Intune settings - -1. Add Intune to your Office 365 subscription by completing the steps in [Get started with a paid subscription to Microsoft Intune](https://docs.microsoft.com/en-us/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune). -2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://technet.microsoft.com//library/dn646962.aspx). -3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://technet.microsoft.com//library/dn646984.aspx). -4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://technet.microsoft.com//library/dn646959.aspx). - -### Deploy apps by using Intune - -You can use Intune to deploy Windows Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices) Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or are managed by another solution. - -For more information about how to configure Intune to manage your apps, see [Deploy and configure apps with Microsoft Intune](https://docs.microsoft.com/en-us/intune/). - -### Summary - -In this section, you prepared your institution for device management. You determined whether you want to use Group Policy or Intune to manage your devices. You identified the configuration settings that you want to use to manage your users and devices. Finally, you configured the Group Policy and Intune settings in Group Policy and Intune, respectively. - -## Deploy Windows 10 to devices - -You’re ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms as well as for any new student devices you add in the future. You can also perform these actions for any device that’s eligible for a Windows 10 upgrade. This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows to Windows 10. - -### Prepare for deployment - -Prior to deployment of Windows 10, ensure that you complete the tasks listed in Table 12. Most of these tasks are already complete, but use this step to make sure. - -*Table 12. Deployment preparation checklist* - -|Task | | -| ---| --- | -| |The target devices have sufficient system resources to run Windows 10. | -| | Identify the necessary devices drivers, and import them to the MDT deployment share.| -| | Create an MDT application for each Windows Store and Windows desktop app.| -| | Notify the students and faculty about the deployment.| -

    -### Perform the deployment - -Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated. - ->**Note:**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com//library/dn781089.aspx). - -In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems. - -#### To deploy Windows 10 - -1. **Initiate the LTI deployment process**. Initiate the LTI deployment process booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select a method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide. -2. **Complete the Deployment Wizard**. For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” topic in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com//library/dn759415.aspx#Running%20the%20Deployment%20Wizard). - -### Set up printers - -After you have deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to the [Verify deployment](#verify-deployment) section. - ->**Note:**  If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to the [Verify deployment](#verify-deployment) section. - -#### To set up printers - -1. Review the printer manufacturer’s instructions for installing the printer drivers. -2. On the admin device, download the printer drivers. -3. Copy the printer drivers to a USB drive. -4. On a device, use the same account you used to set up Windows 10 in the [Perform the deployment](#perform-the-deployment) section to sign in to the device. -5. Insert the USB drive in the device. -6. Follow the printer manufacturer’s instructions to install the printer drivers from the USB drive. -7. Verify that the printer drivers were installed correctly by printing a test page. -8. Complete steps 1–8 for each printer. - -### Verify deployment - -As a final quality control step, verify the device configuration to ensure that all apps run. Microsoft recommends that you perform all the tasks that the user would perform. Specifically, verify the following: - -- The device can connect to the Internet and view the appropriate web content in Microsoft Edge. -- Windows Update is active and current with software updates. -- Windows Defender is active and current with malware signatures. -- The SmartScreen Filter is active. -- All Windows Store apps are properly installed and updated. -- All Windows desktop apps are properly installed and updated. -- Printers are properly configured. - -When you have verified that the first device is properly configured, you can move to the next device and perform the same steps. - -### Summary - -You prepared the devices for deployment by verifying that they have adequate system resources and that the resources in the devices have corresponding Windows 10 device drivers. You performed device deployment over the network or by using local MDT media. Next, you configured the appropriate printers on the devices. Finally, you verified that the devices are properly configured and ready for use. - -## Maintain Windows devices and Office 365 - -After the initial deployment, you will need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule: - -- **Monthly.** These tasks help ensure that the devices are current with software updates and properly protected against viruses and malware. -- **New semester or academic year.** Perform these tasks prior to the start of a new curriculum—for example, at the start of a new academic year or semester. These tasks help ensure that the classroom environments are ready for the next group of students. -- **As required (ad hoc).** Perform these tasks as necessary in a classroom. For example, a new version of an app may be available, or a student may inadvertently corrupt a device so that you must restore it to the default configuration. - -Table 13 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks. - -*Table 13. School and individual classroom maintenance tasks, with resources and the schedule for performing them* - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Task and resourcesMonthlyNew semester or academic yearAs required
    Verify that Windows Update is active and current with operating system and software updates.

    -For more information about completing this task when you have: -
      -
    • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune).
    • -
    • Group Policy, see [Windows Update for Business](https://technet.microsoft.com/itpro/windows/plan/windows-update-for-business).
    • -
    • Windows Server Update Services (WSUS), see [Windows Server Update Services](https://msdn.microsoft.com/en-us/library/bb332157.aspx?f=255&MSPPError=-2147217396).
    • -
    • Neither Intune, Group Policy, or WSUS, see [Update Windows 10](http://windows.microsoft.com/en-id/windows-10/update-windows-10)
    • -
    -
    XXX
    Verify that Windows Defender is active and current with malware signatures.

    -For more information about completing this task, see [Turn Windows Defender on or off](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab01) and [Updating Windows Defender](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab03).
    XXX
    Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.

    -For more information about completing this task, see [How do I find and remove a virus?](http://windows.microsoft.com/en-US/windows-8/how-find-remove-virus) -
    XXX
    Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

    -For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing).
    XX
    Refresh the operating system and apps on devices.

    -For more information about completing this task, see the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. - -
    XX
    Install any new Windows desktop apps or update any Windows desktop apps that are used in the curriculum.

    -For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. - -
    XX
    Install new or update existing Windows Store apps that are used in the curriculum.

    -Windows Store apps are automatically updated from Windows Store. The menu bar in the Windows Store app shows whether any Windows Store app updates are available for download.

    -You can also deploy Windows Store apps directly to devices by using Intune. For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. - -
    XX
    Remove unnecessary user accounts (and corresponding licenses) from Office 365.

    -For more information about how to: -
      -
    • Remove unnecessary user accounts, see [Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e?ui=en-US&rs=en-US&ad=US).
    • -
    • Unassign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
    • -
    - -
    XX
    Add new accounts (and corresponding licenses) to Office 365.

    -For more information about how to: -
      -
    • Add user accounts, see [Add users to Office 365 for business](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
    • -
    • Assign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
    • -
    -
    XX
    Create or modify security groups and manage group membership in Office 365.

    -For more information about how to: -
      -
    • Create or modify security groups, see [View, create, and delete Groups in the Office 365 admin center](https://support.office.com/en-us/article/View-create-and-delete-groups-in-the-Office-365-admin-center-a6360120-2fc4-46af-b105-6a04dc5461c7).
    • -
    • Manage group membership, see [Manage Group membership in the Office 365 admin center](https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a).
    • -
    - -
    XX
    Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.

    -For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Manage Distribution Groups](https://technet.microsoft.com/library/bb124513.aspx) and [Groups in Exchange Online and SharePoint Online](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB#__groups_in_exchange). - -
    XX
    Install new student devices

    -Follow the same steps described in the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. - -
    X
    -

    -### Summary - -Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By performing these maintenance tasks you help ensure that your school stays secure and is configured as you specified. - -##Related resources -

      -
    • [Try it out: Windows 10 deployment (for educational institutions)](https://go.microsoft.com/fwlink/p/?LinkId=623254)
    • -
    • [Try it out: Windows 10 in the classroom](https://go.microsoft.com/fwlink/p/?LinkId=623255)
    • -
    • [Chromebook migration guide](https://go.microsoft.com/fwlink/p/?LinkId=623249)
    • -
    - diff --git a/windows/plan/deploying-a-runtime-analysis-package.md b/windows/plan/deploying-a-runtime-analysis-package.md deleted file mode 100644 index 38f478a9b9..0000000000 --- a/windows/plan/deploying-a-runtime-analysis-package.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Deploying a Runtime-Analysis Package (Windows 10) -description: When you deploy a runtime-analysis package, you are deploying it to your test environment for compatibility testing. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/deploying-an-inventory-collector-package.md b/windows/plan/deploying-an-inventory-collector-package.md deleted file mode 100644 index 784ecd61b4..0000000000 --- a/windows/plan/deploying-an-inventory-collector-package.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Deploying an Inventory-Collector Package (Windows 10) -description: How to deploy an inventory-collector package to your destination computers. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/example-filter-queries.md b/windows/plan/example-filter-queries.md deleted file mode 100644 index 8494d2a4b1..0000000000 --- a/windows/plan/example-filter-queries.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Example Filter Queries (Windows 10) -description: You can filter your compatibility-issue data or reports by selecting specific restriction criteria. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/exporting-a-data-collection-package.md b/windows/plan/exporting-a-data-collection-package.md deleted file mode 100644 index e3b5a9ce64..0000000000 --- a/windows/plan/exporting-a-data-collection-package.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Exporting a Data-Collection Package (Windows 10) -description: In Application Compatibility Manager (ACM), you can export a data-collection package as a Windows installer (.msi) file. You can then use the .msi file to install the data-collection package on the computers from which you want to gather data. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/filtering-your-compatibility-data.md b/windows/plan/filtering-your-compatibility-data.md deleted file mode 100644 index 83040f196c..0000000000 --- a/windows/plan/filtering-your-compatibility-data.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Filtering Your Compatibility Data (Windows 10) -description: You can use Query Builder to filter your compatibility-issue data or reports by selecting specific restriction criteria. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/fixing-compatibility-issues.md b/windows/plan/fixing-compatibility-issues.md deleted file mode 100644 index 50f8032d64..0000000000 --- a/windows/plan/fixing-compatibility-issues.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Fixing Compatibility Issues (Windows 10) -description: This section provides step-by-step instructions and describes development tools that you can use to help fix your compatibility issues. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/identifying-computers-for-inventory-collection.md b/windows/plan/identifying-computers-for-inventory-collection.md deleted file mode 100644 index 524304a7cf..0000000000 --- a/windows/plan/identifying-computers-for-inventory-collection.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Identifying Computers for Inventory Collection (Windows 10) -description: To generate a complete inventory and obtain a comprehensive view of your organization, inventory all computers. However, remember that deploying inventory-collector packages to all computers in your organization will require the additional work of analyzing and reducing a larger list of applications. If you do not have the resources to deploy to all computers or you cannot process a larger list of applications, consider deploying inventory-collector packages to representative subsets of computers instead. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/integration-with-management-solutions-.md b/windows/plan/integration-with-management-solutions-.md deleted file mode 100644 index 7246b22a3a..0000000000 --- a/windows/plan/integration-with-management-solutions-.md +++ /dev/null @@ -1,53 +0,0 @@ ---- -title: Integration with management solutions (Windows 10) -description: You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune. -ms.assetid: E0CB0CD3-4FE1-46BF-BA6F-5A5A8BD14CC9 -keywords: update, upgrade, deployment, manage, tools -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: servicing, devices -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb ---- - -# Integration with management solutions - -**Applies to** -- Windows 10 - -You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune. - -## System Center Configuration Manager - -For Windows 10, version 1511, organizations that already manage their systems with Configuration Manager can also have their devices configured for Windows Update for Business (in other words, set deferral policies on those machines). For Windows 10, version 1511, such devices will be visible in the Configuration Manager console, however they will appear with a detection state of “Unknown”. - -![figure 1](images/wuforbusiness-fig10-sccmconsole.png) - -## WSUS standalone - -For Windows 10, version 1511, you cannot configure devices for both Windows Update for Business *and* to receive updates from WSUS. If both group policies are set (for both deferrals as well as WSUS scanning), Windows Update for Business settings will NOT be respected and devices will continue to scan against WSUS. - -## Enterprise Mobility Suite: Intune - -You can configure Windows Update for Business by using MDM policy. To configure Windows Update for Business with Intune: -1. Create a new Windows 10 custom policy. (Add a policy, and choose **Custom Configuration for Windows 10 Desktop and phone…**). - - ![figure 2](images/wuforbusiness-fig11-intune.png) - -2. Configure the device to Consumer Branch for Business by selecting to defer upgrades (as described in [Setup and deployment](setup-and-deployment.md). - - **Note**   - As noted, because WSUS and Windows Update for Business are mutually exclusive policies, do not set **UpdateServiceUrl** if you want to configure to defer upgrades. -   -3. Establish deferral windows for updates and upgrades. - - ![figure 3](images/wuforbusiness-fig12a-updates.png) - - ![figure 4](images/wuforbusiness-fig13a-upgrades.png) - -## Related topics - -[Windows Update for Business](windows-update-for-business.md) - -[Setup and deployment](setup-and-deployment.md) diff --git a/windows/plan/internet-explorer-web-site-report.md b/windows/plan/internet-explorer-web-site-report.md deleted file mode 100644 index f30fc92bd6..0000000000 --- a/windows/plan/internet-explorer-web-site-report.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Internet Explorer - Web Site Report (Windows 10) -description: The Internet Explorer - Web Site Report screen shows the URL, your organization's compatibility rating, issue count, and resolved issue count, for each of the websites visited in your organization. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/labeling-data-in-acm.md b/windows/plan/labeling-data-in-acm.md deleted file mode 100644 index 92f7448f84..0000000000 --- a/windows/plan/labeling-data-in-acm.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Labeling Data in ACM (Windows 10) -description: Application data and its associated compatibility issues can vary within an organization. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/log-file-locations-for-data-collection-packages.md b/windows/plan/log-file-locations-for-data-collection-packages.md deleted file mode 100644 index 5fa3b6c466..0000000000 --- a/windows/plan/log-file-locations-for-data-collection-packages.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Log File Locations for Data-Collection Packages (Windows 10) -description: Selecting the output for your data-collection package log files. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/managing-your-data-collection-packages.md b/windows/plan/managing-your-data-collection-packages.md deleted file mode 100644 index 03cbe4849d..0000000000 --- a/windows/plan/managing-your-data-collection-packages.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Managing Your Data-Collection Packages (Windows 10) -description: This section provides information about using Application Compatibility Manager (ACM) to manage your data-collection packages. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/organizational-tasks-for-each-report-type.md b/windows/plan/organizational-tasks-for-each-report-type.md deleted file mode 100644 index 61498e165d..0000000000 --- a/windows/plan/organizational-tasks-for-each-report-type.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Organizational Tasks for Each Report Type (Windows 10) -description: The following table shows which tasks can be performed for each report type. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/organizing-your-compatibility-data.md b/windows/plan/organizing-your-compatibility-data.md deleted file mode 100644 index 30d2918977..0000000000 --- a/windows/plan/organizing-your-compatibility-data.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Organizing Your Compatibility Data (Windows 10) -description: This section provides step-by-step instructions for organizing your compatibility data in Application Compatibility Manager (ACM). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/prioritizing-your-compatibility-data.md b/windows/plan/prioritizing-your-compatibility-data.md deleted file mode 100644 index 7304d6dbb9..0000000000 --- a/windows/plan/prioritizing-your-compatibility-data.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Prioritizing Your Compatibility Data (Windows 10) -description: Prioritizing your apps, websites, computers, and devices to help customize and filter your compatibilty reports. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/ratings-icons-in-acm.md b/windows/plan/ratings-icons-in-acm.md deleted file mode 100644 index c1f0184338..0000000000 --- a/windows/plan/ratings-icons-in-acm.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Ratings Icons in ACM (Windows 10) -description: Compatibility ratings can originate from Microsoft, the application vendor, your organization, and from the Application Compatibility Toolkit (ACT) community. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/resolving-an-issue.md b/windows/plan/resolving-an-issue.md deleted file mode 100644 index e6a5b97651..0000000000 --- a/windows/plan/resolving-an-issue.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Resolving an Issue (Windows 10) -description: You can use Application Compatibility Manager (ACM) to flag issues as resolved. Resolving an issue changes the status of the issue from a red x to a green check mark on your report and report detail screens. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/saving-opening-and-exporting-reports.md b/windows/plan/saving-opening-and-exporting-reports.md deleted file mode 100644 index 65bfc93fba..0000000000 --- a/windows/plan/saving-opening-and-exporting-reports.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Saving, Opening, and Exporting Reports (Windows 10) -description: You can perform several common reporting tasks from the Analyze screen, including saving a compatibility report, opening a saved compatibility report (.adq) file, and exporting your report data to a spreadsheet (.xls) file. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/selecting-the-send-and-receive-status-for-an-application.md b/windows/plan/selecting-the-send-and-receive-status-for-an-application.md deleted file mode 100644 index 3674f73b68..0000000000 --- a/windows/plan/selecting-the-send-and-receive-status-for-an-application.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Selecting the Send and Receive Status for an Application (Windows 10) -description: For each application listed in Application Compatibility Manager (ACM), you can select whether to send and receive specific application data through the Microsoft Compatibility Exchange. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/selecting-your-compatibility-rating.md b/windows/plan/selecting-your-compatibility-rating.md deleted file mode 100644 index e0b0defc6d..0000000000 --- a/windows/plan/selecting-your-compatibility-rating.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Selecting Your Compatibility Rating (Windows 10) -description: You can rate the compatibility of your applications, installation packages, or websites, based on whether they run successfully on a 32-bit or 64-bit operating system. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/selecting-your-deployment-status.md b/windows/plan/selecting-your-deployment-status.md deleted file mode 100644 index 61fdf90369..0000000000 --- a/windows/plan/selecting-your-deployment-status.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Selecting Your Deployment Status (Windows 10) -description: In Application Compatibility Manager (ACM), you can track the deployment status of your applications and websites. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/sending-and-receiving-compatibility-data.md b/windows/plan/sending-and-receiving-compatibility-data.md deleted file mode 100644 index fe2e0356a0..0000000000 --- a/windows/plan/sending-and-receiving-compatibility-data.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Sending and Receiving Compatibility Data (Windows 10) -description: The Microsoft® Compatibility Exchange is a web service that propagates application compatibility issues between various data sources, for example Microsoft Corporation, independent software vendors (ISVs) and the ACT Community. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/settings-for-acm.md b/windows/plan/settings-for-acm.md deleted file mode 100644 index fe209d179d..0000000000 --- a/windows/plan/settings-for-acm.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Settings for ACM (Windows 10) -description: This section provides information about settings that you can configure in Application Compatibility Manager (ACM). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/setup-and-deployment.md b/windows/plan/setup-and-deployment.md deleted file mode 100644 index 2b2e1e2a43..0000000000 --- a/windows/plan/setup-and-deployment.md +++ /dev/null @@ -1,184 +0,0 @@ ---- -title: Setup and deployment (Windows 10) -description: This article describes the basic features of a Windows Update for Business deployment. -ms.assetid: E176BB36-3B1B-4707-9665-968D80050DD1 -keywords: update, upgrade, deployment -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: servicing, devices -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb ---- - -# Setup and deployment - -**Applies to** -- Windows 10 - -This article describes the basic features of a Windows Update for Business deployment. Use this information to familiarize yourself with a simple deployment with a single group of machines connected to Windows Update, in addition to more complex scenarios such as the creation of Windows Update for Business validation groups that receive updates from Windows Update at different time intervals, as well as Windows Update for Business deployments integrated with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, or Microsoft Intune. - -## Configure your systems to receive updates on CBB - -To use Windows Update for Business, Windows 10-based devices must first be configured for the Current Branch for Business (CBB). You can configure devices manually, by using Group Policy, or by using mobile device management (MDM). - -![figure 1](images/wuforbus-fig1-manuallyset.png) - -![figure 2](images/wuforbusiness-fig2-gp.png) - -![figure 3](images/wuforbusiness-fig3-mdm.png) - -## Defer OS upgrade and update deployments - -Windows Update for Business allows administrators to control when upgrades and updates are deployed to their Windows 10 clients by specifying deferral windows from when they are initially made available on the Windows Update service. As mentioned, there are restrictions as to how long you can delay upgrades and updates. The following table details these restrictions, per deployment category type: - - - - - - - - - - - - - - - - -
    -

    Group Policy keys

    -
    -

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod

    -
      -
    • -

      Values: 0-8 where each unit for upgrade is a month -

      -
    • -
    -
    -

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod

    -
      -
    • -

      Values: 0-4 where each unit for update is a week -

      -
    • -
    -
    -

    MDM

    -

    ./Vendor/MSFT/Update/DeferUpgrade

    -
    -

    Software\Microsoft\PolicyManager\current\Update\RequireDeferUpgrade -

    -
      -
    • -

      Values: 0-8 where each unit for upgrade is a month - -

      -
    • -
    -
    -

    Software\Microsoft\PolicyManager\current\Update\RequireDeferUpdate

    -
      -
    • -

      Values: 0-4 where each unit for update is a week -

      -
    • -
    -
    -  -Administrators can control deferral periods with Group Policy Objects by using the [Local Group Policy Editor (GPEdit)](https://go.microsoft.com/fwlink/p/?LinkId=734030) or, for domain joined systems, [Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=699325). For additional details on Group Policy management see [Group Policy management for IT pros](https://go.microsoft.com/fwlink/p/?LinkId=699282). -**Set different deferrals based on update classification in GPedit.msc** -![figure 4](images/wuforbusiness-fig4-localpoleditor.png) -![figure 5](images/wuforbusiness-fig5-deferupgrade.png) -## Pause upgrades and updates -Although administrators can use deferral periods to stagger the rate at which deployments go out to their organization (which provides time to verify quality and address any issues), there may be cases where additional time is needed before an update is set to deploy to a machine, or group of machines. Windows Update for Business provides a means for administrators to *pause* updates and upgrades on a per-machine basis. This pause functionality ensures that no updates or upgrades will be made available for the specified machine; the machine will remain in this state until the machine is specifically “unpaused”, or when a period of five weeks (35 days) has passed, at which point updates are auto-resumed. -**Note**   -The five-week period ensures that pause functionality overlaps a possible subsequent Update Tuesday release. -  -**Note**   -Group Policy does not allow you to set a future "unpause” — administrators must actively select to unpause a deployment if they wish to do so before the time expiration. -  - ---- - - - - - - - - - - -

    Group Policy keys

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\Pause

    MDM

    -

    ./Vendor/MSFT/Update/DeferUpgrade

    Software\Microsoft\PolicyManager\current\Update\Pause

    -
      -
    • Values (bool): 0, 1

    • -
    -  -![figure 6](images/wuforbusiness-fig6-pause.png) - -## Create validation groups for deployments - -By grouping machines into similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be used as a quality control measure as updates are deployed in Windows 10. With deferral windows and the ability to pause, administrators can effectively control and measure update deployments by rolling out to a small pool of devices first to verify quality, prior to a broader roll-out to their organization. - -Administrators can establish validation groups to maintain a level of control over update/driver deployments which allows them to: -- Control the date, time, and frequency updates will be applied and devices rebooted -- Deploy a small set of machines to verify quality prior to broad roll-out -- Stage broad roll-out in waves to continue quality verification and minimize disruptions -- Manage membership of waves based on criteria defined by IT -- Halt and roll-back deployment of updates/drivers that may be causing trouble - -![figure 7](images/wuforbusiness-fig7-validationgroup.png) - -## Peer-to-peer networking for deployments - -Windows Update Delivery Optimization enables Windows Update for Business enrolled devices to download Windows updates and Windows Store apps from sources other than Microsoft. With multiple devices, Delivery Optimization can reduce the amount of Internet bandwidth that is required to keep all of your Windows Update for Business enrolled systems up to date. It can also help ensure that devices get updates and apps more quickly if they have a limited or unreliable Internet connection. - -In addition to downloading updates and apps from Microsoft, Windows will get updates and apps from other PCs that already have them. You can choose which PCs you get these updates from. - -### How Delivery Optimization works - -- **PCs on your local network.** When Windows downloads an update or app, it will look for other PCs on your local network that have already downloaded the update or app using Delivery Optimization. Windows then downloads parts of the file from those PCs and parts of the file from Microsoft. Windows doesn’t download the entire file from one place. Instead, the download is broken down into smaller parts. Windows uses the fastest, most reliable download source for each part of the file. -- **PCs on your local network and PCs on the Internet.** Windows uses the same process as when getting updates and apps from PCs on your local network, and also looks for PCs on the Internet that can be used as a source to download parts of updates and apps. - -### Delivery Optimization settings - -Delivery Optimization is turned on by default for the Enterprise and Education editions of Windows 10, where the default option is that updates will only be pulled and shared from PCs on your LAN and not the Internet. -Delivery Optimization configuration settings can be viewed by going to: Settings > Update and Security > Advanced Options > Choose how your updates are delivered - -![figure 8](images/wuforbusiness-fig8a-chooseupdates.png) - -## Use Group Policy to configure Windows Update Delivery Optimization - -You can use Group Policy to configure Windows Update Delivery Optimization. To do this, use the following steps: - -1. Download the [Administrative Templates (.admx) file for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=699283) from the Microsoft Download Center. -2. Copy the following files to the SYSVOL central store: - - DeliveryOptimization.admx from C:\\Program Files (x86)\\Microsoft Group Policy\\Windows 10\\PolicyDefinitions - - DeliveryOptimization.adml from C:\\Program Files (x86)\\Microsoft Group Policy\\Windows 10\\PolicyDefinitions\\en-US -3. Start the Gpeditor tool. -4. Browse to the following location: - - Computer Configuration\\Administrative Templates\\Windows Components\\Delivery Optimization -5. Make the following Windows Update Delivery Optimization settings, as appropriate. - - ![figure 9](images/wuforbusiness-fig9-dosettings.jpg) - -**Virus-scan claim** - -Microsoft scanned this file for viruses, using the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to it. - -For more information about Windows Update Delivery Optimization in Windows 10, see the [Windows Update Delivery Optimization FAQ](https://go.microsoft.com/fwlink/p/?LinkId=699284). - -For additional resources, see [How to use Group Policy to configure Windows Update Delivery Optimization in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=699288). - -## Related topics - -[Windows Update for Business](windows-update-for-business.md) - -[Integration with management solutions](integration-with-management-solutions-.md) diff --git a/windows/plan/software-requirements-for-act.md b/windows/plan/software-requirements-for-act.md deleted file mode 100644 index d631eef7aa..0000000000 --- a/windows/plan/software-requirements-for-act.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Software Requirements for ACT (Windows 10) -description: The Application Compatibility Toolkit (ACT) has the following software requirements. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/software-requirements-for-rap.md b/windows/plan/software-requirements-for-rap.md deleted file mode 100644 index b9914238fc..0000000000 --- a/windows/plan/software-requirements-for-rap.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Software Requirements for RAP (Windows 10) -description: The runtime-analysis package (RAP) has the following software requirements. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/taking-inventory-of-your-organization.md b/windows/plan/taking-inventory-of-your-organization.md deleted file mode 100644 index d199af1ab6..0000000000 --- a/windows/plan/taking-inventory-of-your-organization.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Taking Inventory of Your Organization (Windows 10) -description: This section provides information about how to use the Application Compatibility Toolkit (ACT) to identify applications and devices that are installed in your organization. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/testing-compatibility-on-the-target-platform.md b/windows/plan/testing-compatibility-on-the-target-platform.md deleted file mode 100644 index 9ba06e8cb3..0000000000 --- a/windows/plan/testing-compatibility-on-the-target-platform.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Testing Compatibility on the Target Platform (Windows 10) -description: This section provides information about setting up a test environment for compatibility testing, and about creating and deploying runtime-analysis packages to the test environment. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/troubleshooting-act-database-issues.md b/windows/plan/troubleshooting-act-database-issues.md deleted file mode 100644 index e0fb05fd2a..0000000000 --- a/windows/plan/troubleshooting-act-database-issues.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Troubleshooting ACT Database Issues (Windows 10) -description: The following solutions may help you resolve issues that are related to your Microsoft® SQL Server® database for the Application Compatibility Toolkit (ACT). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/troubleshooting-act.md b/windows/plan/troubleshooting-act.md deleted file mode 100644 index 1366988ae6..0000000000 --- a/windows/plan/troubleshooting-act.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Troubleshooting ACT (Windows 10) -description: This section provides troubleshooting information for the Application Compatibility Toolkit (ACT). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/troubleshooting-the-act-configuration-wizard.md b/windows/plan/troubleshooting-the-act-configuration-wizard.md deleted file mode 100644 index 08200ff49f..0000000000 --- a/windows/plan/troubleshooting-the-act-configuration-wizard.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Troubleshooting the ACT Configuration Wizard (Windows 10) -description: When you start Application Compatibility Manager (ACM) for the first time, the Application Compatibility Toolkit (ACT) Configuration Wizard appears. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/troubleshooting-the-act-log-processing-service.md b/windows/plan/troubleshooting-the-act-log-processing-service.md deleted file mode 100644 index 5f338b3141..0000000000 --- a/windows/plan/troubleshooting-the-act-log-processing-service.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Troubleshooting the ACT Log Processing Service (Windows 10) -description: The following solutions may help you resolve issues that are related to the Application Compatibility Toolkit (ACT) Log Processing Service. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/using-act.md b/windows/plan/using-act.md deleted file mode 100644 index 3e3ffff7d2..0000000000 --- a/windows/plan/using-act.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Using ACT (Windows 10) -description: This section describes how to use the Application Compatibility Toolkit (ACT) in your organization. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/using-compatibility-monitor-to-send-feedback.md b/windows/plan/using-compatibility-monitor-to-send-feedback.md deleted file mode 100644 index c5e20c52ba..0000000000 --- a/windows/plan/using-compatibility-monitor-to-send-feedback.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Using Compatibility Monitor to Send Feedback (Windows 10) -description: The Microsoft Compatibility Monitor tool is installed as part of the runtime-analysis package. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/viewing-your-compatibility-reports.md b/windows/plan/viewing-your-compatibility-reports.md deleted file mode 100644 index 57ba7d07a9..0000000000 --- a/windows/plan/viewing-your-compatibility-reports.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Viewing Your Compatibility Reports (Windows 10) -description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/websiteurl-dialog-box.md b/windows/plan/websiteurl-dialog-box.md deleted file mode 100644 index e07214a067..0000000000 --- a/windows/plan/websiteurl-dialog-box.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: WebsiteURL Dialog Box (Windows 10) -description: In Application Compatibility Manager (ACM), the websiteURL dialog box shows information about the selected website. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/welcome-to-act.md b/windows/plan/welcome-to-act.md deleted file mode 100644 index b4ef6d3088..0000000000 --- a/windows/plan/welcome-to-act.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Welcome to ACT (Windows 10) -description: The Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/whats-new-in-act-60.md b/windows/plan/whats-new-in-act-60.md deleted file mode 100644 index 89d6afdf1c..0000000000 --- a/windows/plan/whats-new-in-act-60.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: What's New in ACT 6.1 (Windows 10) -description: Two major updates have been released since ACT 6.1. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file From 8d94c01124b675c61573382797f09f9a2889c1ae Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Fri, 17 Feb 2017 09:49:18 -0800 Subject: [PATCH 42/65] Fixed dism command - the word syntax was displaying --- windows/keep-secure/credential-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 9d3a33d12c..0303e6b968 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -178,11 +178,11 @@ You can do this by using either the Control Panel or the Deployment Image Servic 1. Open an elevated command prompt. 2. Add the Hyper-V Hypervisor by running the following command: - ``` syntax + ``` dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all ``` 3. Add the Isolated User Mode feature by running the following command: - ``` syntax + ``` dism /image: /Enable-Feature /FeatureName:IsolatedUserMode ``` From 8fb7df86db1fd56cb90fd83b9de9d6d639c74230 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 17 Feb 2017 09:59:46 -0800 Subject: [PATCH 43/65] Adding content --- .openpublishing.redirection.json | 108 ++++++++++++++++-- ...-10-guidance-for-education-environments.md | 39 ------- windows/plan/windows-10-servicing-options.md | 79 ------------- windows/plan/windows-update-for-business.md | 97 ---------------- windows/whats-new/applocker.md | 30 ----- windows/whats-new/bitlocker.md | 41 ------- ...ge-history-for-what-s-new-in-windows-10.md | 68 ----------- windows/whats-new/credential-guard.md | 32 ------ windows/whats-new/device-guard-overview.md | 34 ------ windows/whats-new/device-management.md | 17 --- .../whats-new/edge-ie11-whats-new-overview.md | 6 - windows/whats-new/edp-whats-new-overview.md | 5 - .../whats-new/lockdown-features-windows-10.md | 16 --- windows/whats-new/microsoft-passport.md | 16 --- 14 files changed, 100 insertions(+), 488 deletions(-) delete mode 100644 windows/plan/windows-10-guidance-for-education-environments.md delete mode 100644 windows/plan/windows-10-servicing-options.md delete mode 100644 windows/plan/windows-update-for-business.md delete mode 100644 windows/whats-new/applocker.md delete mode 100644 windows/whats-new/bitlocker.md delete mode 100644 windows/whats-new/change-history-for-what-s-new-in-windows-10.md delete mode 100644 windows/whats-new/credential-guard.md delete mode 100644 windows/whats-new/device-guard-overview.md delete mode 100644 windows/whats-new/device-management.md delete mode 100644 windows/whats-new/edge-ie11-whats-new-overview.md delete mode 100644 windows/whats-new/edp-whats-new-overview.md delete mode 100644 windows/whats-new/lockdown-features-windows-10.md delete mode 100644 windows/whats-new/microsoft-passport.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 18cbe2fcf4..57dc769ece 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -980,13 +980,105 @@ "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", "redirect_document_id": true }, - - - - - - - - + { + "source_path": "windows/plan/windows-10-guidance-for-education-environments.md", + "redirect_url": "/edu/windows/index", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/windows-10-servicing-options.md", + "redirect_url": "/itpro/windows/update/waas-overview", + "redirect_document_id": true + }, + { + "source_path": "windows/plan/windows-update-for-business.md", + "redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", + "redirect_document_id": true + }, + { + "source_path": "windows/whats-new/applocker.md", + "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", + "redirect_document_id": true + }, + { + "source_path": "windows/whats-new/bitlocker.md", + "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", + "redirect_document_id": true + }, + { + "source_path": "windows/whats-new/change-history-for-what-s-new-in-windows-10.md", + "redirect_url": "/itpro/windows/whats-new/index", + "redirect_document_id": true + }, + { + "source_path": "windows/whats-new/credential-guard.md", + "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", + "redirect_document_id": true + }, + { + "source_path": "windows/whats-new/device-guard-overview.md", + "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", + "redirect_document_id": true + }, + { + "source_path": "windows/whats-new/device-management.md", + "redirect_url": "/itpro/windows/manage/manage-corporate-devices", + "redirect_document_id": true + }, + { + "source_path": "windows/whats-new/edge-ie11-whats-new-overview.md", + "redirect_url": "/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11", + "redirect_document_id": true + }, + { + "source_path": "windows/whats-new/edp-whats-new-overview.md", + "redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip", + "redirect_document_id": true + }, + { + "source_path": "windows/whats-new/lockdown-features-windows-10.md", + "redirect_url": "/itpro/windows/configure/lockdown-features-windows-10", + "redirect_document_id": true + }, + { + "source_path": "windows/whats-new/microsoft-passport.md", + "redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", + "redirect_document_id": true + }, + { + "source_path": "", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": "", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": "", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": "", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": "", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": "", + "redirect_url": "", + "redirect_document_id": true + }, + { + "source_path": "", + "redirect_url": "", + "redirect_document_id": true + }, ] } diff --git a/windows/plan/windows-10-guidance-for-education-environments.md b/windows/plan/windows-10-guidance-for-education-environments.md deleted file mode 100644 index f4ce0e1a32..0000000000 --- a/windows/plan/windows-10-guidance-for-education-environments.md +++ /dev/null @@ -1,39 +0,0 @@ ---- -title: Guidance for education environments (Windows 10) -description: Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions. -redirect_url: https://technet.microsoft.com/edu/windows/index -ms.assetid: 225C9D6F-9329-4DDF-B447-6CE7804E314E -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: edu, security -author: craigash ---- - -# Guidance for education environments - -Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions. - -## In this section - - ---- - - - - - - - - - - - - -
    TopicDescription

    [Chromebook migration guide](chromebook-migration-guide.md)

    In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools.

    -  -  -  diff --git a/windows/plan/windows-10-servicing-options.md b/windows/plan/windows-10-servicing-options.md deleted file mode 100644 index 8ad9c29c5a..0000000000 --- a/windows/plan/windows-10-servicing-options.md +++ /dev/null @@ -1,79 +0,0 @@ ---- -title: Windows 10 servicing overview (Windows 10) -description: Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. -ms.assetid: 6EF0792C-B587-497D-8489-4A7F5848D92A -keywords: deploy, upgrade, update, servicing -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: servicing -ms.sitesec: library -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview ---- - -# Windows 10 servicing overview - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -This topic provides an overview of the new servicing model for Windows 10. For more detailed information about this model, refer to [Windows 10 servicing options](../manage/introduction-to-windows-10-servicing.md). - -## The Windows servicing model - -Traditionally, new versions of Windows have been released every few years. The deployment of those new versions within an organization would then become a project, either by leveraging a "wipe and load" process to deploy the new operating system version to existing computers, or by migrating to the new operating system version as part of the hardware replacement cycle. Either way, a significant amount of time and effort was required to complete these tasks. - -With Windows 10, a new model is being adopted. This new model, referred to as "Windows as a service," requires organizations to rethink how they deploy and upgrade Windows. It is no longer a project that happens every few years, it is a continual process. - -## Windows as a service - -Instead of new features being added only in new releases that happen every few years, the goal of Windows as a service is to continually provide new capabilities. New features are provided or updated two to three times per year, while maintaining a high level of hardware and application compatibility. - -This new model uses simpler deployment methods, reducing the overall amount of effort required for Windows servicing. By combining these simpler methods (such as in-place upgrade) with new techniques to deploy upgrades in phases to existing devices, the effort that used to be performed as part of a traditional deployment project is spread across a broad period of time. - -## Windows 10 servicing branches - -The concept of branching goes back many years, and represents how Windows has traditionally been written and serviced. Each release of Windows was from a particular branch of the Windows code, and updates would be made to that release for the lifecycle of that release. This concept still applies now with Windows 10, but is much more visible because it is incorporated directly into the servicing model. - -Microsoft has implemented the following new servicing options in Windows 10: - -**Windows Insider Program**: To see new features before they are released, to provide feedback on those new features, and to initially validate compatibility with existing applications and hardware, a small number of PCs can leverage the Windows Insider Program branch. These are typically dedicated lab machines used for IT testing, secondary PCs used by IT administrators, and other non-critical devices.
    -**Current Branch (CB)**: For early adopters, IT teams, and other broader piloting groups, the Current Branch (CB) can be used to further validate application compatibility and newly-released features.
    -**Current Branch for Business (CBB)**. For the majority of people in an organization, the Current Branch for Business (CBB) allows for a staged deployment of new features over a longer period of time.
    -**Long-Term Servicing Branch (LTSB)**: For critical or specialized devices (for example, operation of factory floor machinery, point-of-sale systems, automated teller machines), the Long-Term Servicing Branch (LTSB) provides a version of Windows 10 Enterprise that receives no new features, while continuing to be supported with security and other updates for a long time. (Note that the Long-Term Servicing Branch is a separate Windows 10 Enterprise image, with many in-box apps, including Microsoft Edge, Cortana, and Windows Store, removed.)
    -![branches](images/branch.png) - -These servicing options provide pragmatic solutions to keep more devices more current in enterprise environments than was previously possible. Most organizations will leverage all of these choices, with the mix determined by how individual PCs are used. Some examples are shown in the table below: - -| Industry | Windows Insider Program | Current Branch | Current Branch for Business | Long-Term Servicing Branch | -|--------------------|-------------------------|----------------|-----------------------------|----------------------------| -| Retail | <1% | 10% | 60% | 30% | -| Manufacturing | <1% | 10% | 55% | 45% | -| Pharmaceuticals | <1% | 10% | 50% | 40% | -| Consulting | 10% | 50% | 35% | 5% | -| Software developer | 30% | 60% | 5% | 5% | -
    -Because every organization is different, the exact breakdown will vary even within a specific industry. The examples shown above should not be taken as specific recommendations. To determine the appropriate mix for a specific organization, profile how individual PCs are used within the organization, and target them with the appropriate branch. - -- Retailers often have critical devices (for example, point-of-sale systems) in stores which results in higher percentages of PCs on the Long-Term Servicing Branch. But those used by information workers in support of the retail operations would leverage Current Branch for Business to receive new features. - -- Manufacturers typically have critical devices (for example, control systems) in factories; these are also good candidates for the Long-Term Servicing Branch. But as with retailers, information workers that support those factories are better suited to the Current Branch for Business. - -- Pharmaceutical firms often have regulatory requirements for PCs used for the development of their products, which are best satisfied by using Long-Term Servicing Branch. But not all PCs are subject to these regulatory requirements; those that are not can use the Current Branch for Business. - -- Consulting firms want their employees to have the latest functionality so they can be as productive as possible. They also want to develop expertise with new capabilities as soon as possible, hence more emphasis on Current Branch. But they also have information workers that provide services to the consultants; these workers can leverage Current Branch for Business. - -- Software developers typically work on software that will release in conjunction with a new Windows upgrade. To enable that, a significant percentage of developers may use the Windows Insider Program preview branch for initial efforts, which shifts to Current Branch as development progresses. - -Note that there are few, if any, scenarios where an entire organization would use the Long-Term Servicing Branch for all PCs – or even for a majority of them. - -With these new servicing options, Microsoft streamlined the Windows product engineering and release cycle so that Microsoft can deliver new features, experiences, and functionality more quickly than ever. Microsoft also created new ways to deliver and install feature upgrades and servicing updates that simplify deployments and on-going management, broaden the base of employees who can be kept current with the latest Windows capabilities and experiences, and lower total cost of ownership. - -Windows 10 enables organizations to fulfill the desire to provide users with the latest features while balancing the need for manageability and cost control. To keep pace with technology, there are good business reasons to keep a significant portion of your enterprise's devices *current* with the latest release of Windows. - -## Related topics - -[Windows 10 release information](https://technet.microsoft.com/windows/release-info)
    -[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
    -[Windows 10 compatibility](windows-10-compatibility.md)
    -[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) \ No newline at end of file diff --git a/windows/plan/windows-update-for-business.md b/windows/plan/windows-update-for-business.md deleted file mode 100644 index 87315ba806..0000000000 --- a/windows/plan/windows-update-for-business.md +++ /dev/null @@ -1,97 +0,0 @@ ---- -title: Windows Update for Business (Windows 10) -description: Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems. -ms.assetid: DF61F8C9-A8A6-4E83-973C-8ABE090DB8C6 -keywords: update, upgrade, deployment, WSUS -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: servicing; devices -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb ---- - -# Windows Update for Business - -**Applies to** -- Windows 10 - -Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems. - -## Introduction - -Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: -- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). -- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. -- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). - -Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://go.microsoft.com/fwlink/p/?LinkId=734043) and [System Center Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=734044). - -## Deploy Windows Update for Business in your organization - -For Windows 10, version 1511, Windows Update for Business is enabled using a set of client-side configurations, allowing you to manage how and when Windows-based devices receive updates and upgrades. These capabilities use the Windows Update service like any other Windows 10 clients, but provides controls to help businesses validate update quality as well as time their update deployments to machines through the use of Group Policy Objects. Windows Update for Business also incorporates smart peer-to-peer networking for distribution of Windows updates, which will help maintain bandwidth efficiency in the absence of a WSUS solution. - -## Eligible devices - -All devices running Windows 10 Pro, Enterprise, and Education on the Current Branch for Business (CBB) are Windows Update for Business eligible. - -## OS upgrades and updates - -In Windows 10, Windows Update for Business recognizes three deployment categories that clients receive from Windows Update: -- **Upgrades** - - Examples: Windows 10 (Build 10240) to Windows 10, version 1511; CBB 1 to CBB 2 - **Note**   - In the Windows 10 servicing model, new CBBs will be declared 2-3 times per year. -   -- **Updates** - - General OS updates, typically released the second Tuesday of each month. These include Security, Critical, and Driver updates. -- **Other/non-deferrable** - - Definition updates (these cannot be deferred) -Both upgrades and updates can be deferred from deployment to client machines by a Windows Update for Business administrator within a bounded rage of time from when those updates are first made available on the Windows Update service. This deferral capability allows administrators to validate deployments as they are pushed to all their Windows Update for Business enrolled clients. The following table defines maximum deferral periods allowed by deployment type: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    CategoryMaximum deferralDeferral incrementsClassification typeClassification GUID
    OS upgrades8 months1 monthUpgrade3689BDC8-B205-4AF4-8D4A-A63924C5E9D5
    OS updates4 weeks1 weekSecurity updates0FA1201D-4330-4FA8-8AE9-B877473B6441
    DriversEBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
    UpdatesCD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
    Other/non-deferrableNo deferralNo deferralDefinition updatesE0789628-CE08-4437-BE74-2495B842F43B
    - -## Related topics - -[Setup and deployment](setup-and-deployment.md) - -[Integration with management solutions](integration-with-management-solutions-.md) - -[Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md) diff --git a/windows/whats-new/applocker.md b/windows/whats-new/applocker.md deleted file mode 100644 index 2e082cd98c..0000000000 --- a/windows/whats-new/applocker.md +++ /dev/null @@ -1,30 +0,0 @@ ---- -title: What's new in AppLocker (Windows 10) -description: AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. -ms.assetid: 6F836FF6-7794-4E7B-89AA-1EABA1BF183F -ms.pagetype: security, mobile -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -author: brianlic-msft -redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511 ---- - -# What's new in AppLocker? - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. -In Windows 10, AppLocker has added some improvements. - -## New features in Windows 10 - -- A new parameter was added to the [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. -- A new [AppLocker](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. -- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx). - -[Learn how to manage AppLocker within your organization](../keep-secure/applocker-overview.md). -  -  diff --git a/windows/whats-new/bitlocker.md b/windows/whats-new/bitlocker.md deleted file mode 100644 index 9f0df242bf..0000000000 --- a/windows/whats-new/bitlocker.md +++ /dev/null @@ -1,41 +0,0 @@ ---- -title: What's new in BitLocker (Windows 10) -description: BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. -ms.assetid: 3F2DE365-68A1-4CDB-AB5F-C65574684C7B -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security, mobile -author: brianlic-msft -redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511 ---- - -# What's new in BitLocker? - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. - -## New features in Windows 10, version 1511 - -- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. - It provides the following benefits: - - The algorithm is FIPS-compliant. - - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. - **Note**   - Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. -   -## New features in Windows 10 - -- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](http://technet.microsoft.com/library/dn306081.aspx#bkmk-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. -- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. -- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the "Configure pre-boot recovery message and URL" section in [BitLocker Group Policy settings](../keep-secure/bitlocker-group-policy-settings.md). - -[Learn how to deploy and manage BitLocker within your organization](../keep-secure/bitlocker-overview.md). - -## Related topics - -[Trusted Platform Module](../keep-secure/trusted-platform-module-overview.md) -  \ No newline at end of file diff --git a/windows/whats-new/change-history-for-what-s-new-in-windows-10.md b/windows/whats-new/change-history-for-what-s-new-in-windows-10.md deleted file mode 100644 index a38cbf4702..0000000000 --- a/windows/whats-new/change-history-for-what-s-new-in-windows-10.md +++ /dev/null @@ -1,68 +0,0 @@ ---- -title: Change history for What's new in Windows 10 (Windows 10) -description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 and Windows 10 Mobile. -ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: TrudyHa -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/whats-new/index ---- - -# Change history for What's new in Windows 10 -This topic lists new and updated topics in the [What's new in Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). - - -## April 2016 - -|New or changed topic |Description | -|---------------------|------------| -|[Enterprise data protection (EDP) overview](edp-whats-new-overview.md) |Updated to remove content that's duplicated in the EDP content and added pointer. | - -## February 2016 - -|New or changed topic |Description | -|---------------------|------------| -|[Lockdown features from Windows Embedded Industry 8.1](lockdown-features-windows-10.md) |Updated to include policy setting names for USB filter and Toast notification filter| - -## January 2016 - -|New or changed topic |Description | -|---------------------|------------| -|[Browser: Microsoft Edge and Internet Explorer 11](edge-ie11-whats-new-overview.md) |Updated to include the **Applies to** section | - -## December 2015 - -|New or changed topic |Description | -|---------------------|------------| -|[Security](security.md) |New | -|[Windows Update for Business](windows-update-for-business.md) |New | - -## November 2015 - -|New or changed topic |Description | -|---------------------|------------| -|[AppLocker](applocker.md) |New | -|[BitLocker](bitlocker.md) |New | -|[Credential Guard](credential-guard.md) |New | -|[Device Guard](device-guard-overview.md) |New | -|[Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) |New | -|[Security auditing](security-auditing.md) |New | -|[Trusted Platform Module](trusted-platform-module.md) |New | -|[Windows spotlight on the lock screen](windows-spotlight.md) |New | -|[Windows Store for Business overview](windows-store-for-business-overview.md) |New | - -## Related topics -- [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md) -- [Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md) -- [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md) -- [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md) - -  - -  - - - - - diff --git a/windows/whats-new/credential-guard.md b/windows/whats-new/credential-guard.md deleted file mode 100644 index 3edfe53458..0000000000 --- a/windows/whats-new/credential-guard.md +++ /dev/null @@ -1,32 +0,0 @@ ---- -title: What's new in Credential Guard (Windows 10) -description: Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. -ms.assetid: 59C206F7-2832-4555-97B4-3070D93CC3C5 -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -author: brianlic-msft -redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511 ---- - -# What's new in Credential Guard? - -**Applies to** -- Windows 10 -- Windows Server 2016 - -Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. - -## New features in Windows 10, version 1511 - -- **Credential Manager support**. Credentials that are stored with Credential Manager, including domain credentials, are protected with Credential Guard with the following considerations: - - Credentials that are saved by the Remote Desktop Protocol cannot be used. Employees in your organization can manually store credentials in Credential Manager as generic credentials. - - Applications that extract derived domain credentials using undocumented APIs from Credential Manager will no longer be able to use those saved derived credentials. - - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. -- **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy. -- **CredSSP/TsPkg credential delegation**. CredSSP/TsPkg cannot delegate default credentials when Credential Guard is enabled. - -[Learn how to deploy and manage Credential Guard within your organization](../keep-secure/credential-guard.md). -  -  diff --git a/windows/whats-new/device-guard-overview.md b/windows/whats-new/device-guard-overview.md deleted file mode 100644 index e42271af40..0000000000 --- a/windows/whats-new/device-guard-overview.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -title: Device Guard overview (Windows 10) -description: Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. -ms.assetid: FFE244EE-5804-4CE8-A2A9-48F49DC3AEF2 -ms.pagetype: mobile, security -keywords: Device Guard -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -author: brianlic-msft -redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511 ---- - -# Device Guard overview - -**Applies to** -- Windows 10 -- Windows 10 Mobile -- Windows Server 2016 - -Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. - -Device Guard uses the new virtualization-based security in Windows 10 Enterprise to isolate the Code Integrity service from the Microsoft Windows kernel itself, letting the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. - -For details on how to implement Device Guard, see [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md). - -## Why use Device Guard -With thousands of new malicious files created every day, using traditional methods like signature-based detection to fight against malware provides an inadequate defense against new attacks. Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solutions, to a mode where the operating system trusts only apps authorized by your enterprise. -Device Guard also helps protect against [zero day attacks](https://go.microsoft.com/fwlink/p/?linkid=534209) and works to combat the challenges of [polymorphic viruses](https://go.microsoft.com/fwlink/p/?LinkId=534210). -## Virtualization-based security using Windows 10 Enterprise Hypervisor - -Windows 10 Enterprise Hypervisor introduces new capabilities around virtual trust levels, which helps Windows 10 Enterprise services to run in a protected environment, in isolation from the running operating system. Windows 10 Enterprise virtualization-based security helps protect kernel code integrity and helps to provide credential isolation for the local security authority (LSA). Letting the Kernel Code Integrity service run as a hypervisor-hosted service increases the level of protection around the root operating system, adding additional protections against any malware that compromises the kernel layer. - ->**Important**  Device Guard devices that run Kernel Code Integrity with virtualization-based security (VBS) must have compatible drivers (legacy drivers can be updated) and meet requirements for the hardware and firmware that support virtualization-based security. For more information, see [Hardware, firmware, and software requirements for Device Guard](../keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard) diff --git a/windows/whats-new/device-management.md b/windows/whats-new/device-management.md deleted file mode 100644 index 79260f0f69..0000000000 --- a/windows/whats-new/device-management.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -title: Enterprise management for Windows 10 devices (Windows 10) -description: Windows 10 provides mobile device management (MDM) capabilities that enable enterprise-level management of devices. -ms.assetid: 36DA67A1-25F1-45AD-A36B-AEEAC30C9BC4 -ms.prod: w10 -ms.pagetype: devices, mobile -ms.mktglfcycl: explore -ms.sitesec: library -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/manage-corporate-devices ---- - -# Enterprise management for Windows 10 devices - -This page has been redirected to **What's new in Windows 10, versions 1507 and 1511**. - - diff --git a/windows/whats-new/edge-ie11-whats-new-overview.md b/windows/whats-new/edge-ie11-whats-new-overview.md deleted file mode 100644 index 8c053fd990..0000000000 --- a/windows/whats-new/edge-ie11-whats-new-overview.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -title: Browser Microsoft Edge and Internet Explorer 11 (Windows 10) -description: Resources to help you explore the Windows 10 browsing options for your enterprise. -redirect_url: https://technet.microsoft.com/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11 ---- - diff --git a/windows/whats-new/edp-whats-new-overview.md b/windows/whats-new/edp-whats-new-overview.md deleted file mode 100644 index a6816c161f..0000000000 --- a/windows/whats-new/edp-whats-new-overview.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Enterprise data protection (EDP) overview (Windows 10) -description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprise’s control like email, social media, and the public cloud. -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip ---- \ No newline at end of file diff --git a/windows/whats-new/lockdown-features-windows-10.md b/windows/whats-new/lockdown-features-windows-10.md deleted file mode 100644 index 67a759be13..0000000000 --- a/windows/whats-new/lockdown-features-windows-10.md +++ /dev/null @@ -1,16 +0,0 @@ ---- -title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10) -description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. -ms.assetid: 3C006B00-535C-4BA4-9421-B8F952D47A14 -keywords: lockdown, embedded -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/lockdown-features-windows-10 ---- - -# Lockdown features from Windows Embedded 8.1 Industry - -This topic has been redirected. \ No newline at end of file diff --git a/windows/whats-new/microsoft-passport.md b/windows/whats-new/microsoft-passport.md deleted file mode 100644 index e8b4935152..0000000000 --- a/windows/whats-new/microsoft-passport.md +++ /dev/null @@ -1,16 +0,0 @@ ---- -title: Windows Hello overview (Windows 10) -description: In Windows 10, Windows Hello replaces passwords with strong two-factor authentication. -ms.assetid: 292F3BE9-3651-4B20-B83F-85560631EF5B -keywords: password, hello, fingerprint, iris, biometric, passport -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: mobile, security -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/manage-identity-verification-using-microsoft-passport ---- - -# Windows Hello overview - -This topic has been redirected. \ No newline at end of file From 8358d9a750833ebdbc5160137c9aff88252f2a36 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 17 Feb 2017 10:28:05 -0800 Subject: [PATCH 44/65] Adding content --- .openpublishing.redirection.json | 28 ++-- .../whats-new/new-provisioning-packages.md | 16 --- windows/whats-new/security-auditing.md | 125 ------------------ windows/whats-new/trusted-platform-module.md | 46 ------- windows/whats-new/user-account-control.md | 32 ----- windows/whats-new/windows-spotlight.md | 16 --- .../windows-store-for-business-overview.md | 11 -- .../whats-new/windows-update-for-business.md | 50 ------- 8 files changed, 14 insertions(+), 310 deletions(-) delete mode 100644 windows/whats-new/new-provisioning-packages.md delete mode 100644 windows/whats-new/security-auditing.md delete mode 100644 windows/whats-new/trusted-platform-module.md delete mode 100644 windows/whats-new/user-account-control.md delete mode 100644 windows/whats-new/windows-spotlight.md delete mode 100644 windows/whats-new/windows-store-for-business-overview.md delete mode 100644 windows/whats-new/windows-update-for-business.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 57dc769ece..b87fda171e 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1046,38 +1046,38 @@ "redirect_document_id": true }, { - "source_path": "", - "redirect_url": "", + "source_path": "windows/whats-new/new-provisioning-packages.md", + "redirect_url": "/itpro/windows/configure/provisioning-packages", "redirect_document_id": true }, { - "source_path": "", - "redirect_url": "", + "source_path": "windows/whats-new/security-auditing.md", + "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", "redirect_document_id": true }, { - "source_path": "", - "redirect_url": "", + "source_path": "windows/whats-new/trusted-platform-module.md", + "redirect_url": "/itpro/windows/keep-secure/trusted-platform-module-overview", "redirect_document_id": true }, { - "source_path": "", - "redirect_url": "", + "source_path": "windows/whats-new/user-account-control.md", + "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", "redirect_document_id": true }, { - "source_path": "", - "redirect_url": "", + "source_path": "windows/whats-new/windows-spotlight.md", + "redirect_url": "/itpro/windows/configure/windows-spotlight", "redirect_document_id": true }, { - "source_path": "", - "redirect_url": "", + "source_path": "windows/whats-new/windows-store-for-business-overview.md", + "redirect_url": "/itpro/windows/manage/windows-store-for-business-overview", "redirect_document_id": true }, { - "source_path": "", - "redirect_url": "", + "source_path": "windows/whats-new/windows-update-for-business.md", + "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", "redirect_document_id": true }, ] diff --git a/windows/whats-new/new-provisioning-packages.md b/windows/whats-new/new-provisioning-packages.md deleted file mode 100644 index 18725fae2a..0000000000 --- a/windows/whats-new/new-provisioning-packages.md +++ /dev/null @@ -1,16 +0,0 @@ ---- -title: Provisioning packages (Windows 10) -description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. -ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: mobile -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/deploy/provisioning-packages ---- - -# Provisioning packages - - -This topic has been redirected. \ No newline at end of file diff --git a/windows/whats-new/security-auditing.md b/windows/whats-new/security-auditing.md deleted file mode 100644 index 8683fc520d..0000000000 --- a/windows/whats-new/security-auditing.md +++ /dev/null @@ -1,125 +0,0 @@ ---- -title: What's new in security auditing (Windows 10) -description: Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. -ms.assetid: CB35A02E-5C66-449D-8C90-7B73C636F67B -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -author: brianlic-msft -ms.pagetype: security, mobile -redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511 ---- - -# What's new in security auditing? - -**Applies to** -- Windows 10 -- Windows 10 Mobile -- Windows Server 2016 - -Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment. - -## New features in Windows 10, version 1511 - -- The [WindowsSecurityAuditing](https://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](https://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. - -## New features in Windows 10 - -In Windows 10, security auditing has added some improvements: -- [New audit subcategories](#bkmk-auditsubcat) -- [More info added to existing audit events](#bkmk-moreinfo) - -### New audit subcategories - -In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: -- [Audit Group Membership](../keep-secure/audit-group-membership.md) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. - When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. -- [Audit PNP Activity](../keep-secure/audit-pnp-activity.md) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. - Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. - A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. - -### More info added to existing audit events - -With Windows 10, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: -- [Changed the kernel default audit policy](#bkmk-kdal) -- [Added a default process SACL to LSASS.exe](#bkmk-lsass) -- [Added new fields in the logon event](#bkmk-logon) -- [Added new fields in the process creation event](#bkmk-logon) -- [Added new Security Account Manager events](#bkmk-sam) -- [Added new BCD events](#bkmk-bcd) -- [Added new PNP events](#bkmk-pnp) - -### Changed the kernel default audit policy - -In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. - -### Added a default process SACL to LSASS.exe - -In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. -This can help identify attacks that steal credentials from the memory of a process. - -### New fields in the logon event - -The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: -1. **MachineLogon** String: yes or no - If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. -2. **ElevatedToken** String: yes or no - If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown. -3. **TargetOutboundUserName** String - **TargetOutboundUserDomain** String - The username and domain of the identity that was created by the LogonUser method for outbound traffic. -4. **VirtualAccount** String: yes or no - If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no. -5. **GroupMembership** String - A list of all of the groups in the user's token. -6. **RestrictedAdminMode** String: yes or no - If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. - For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). - -### New fields in the process creation event - -The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: -1. **TargetUserSid** String - The SID of the target principal. -2. **TargetUserName** String - The account name of the target user. -3. **TargetDomainName** String - The domain of the target user.. -4. **TargetLogonId** String - The logon ID of the target user. -5. **ParentProcessName** String - The name of the creator process. -6. **ParentProcessId** String - A pointer to the actual parent process if it's different from the creator process. - -### New Security Account Manager events - -In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: -- SamrEnumerateGroupsInDomain -- SamrEnumerateUsersInDomain -- SamrEnumerateAliasesInDomain -- SamrGetAliasMembership -- SamrLookupNamesInDomain -- SamrLookupIdsInDomain -- SamrQueryInformationUser -- SamrQueryInformationGroup -- SamrQueryInformationUserAlias -- SamrGetMembersInGroup -- SamrGetMembersInAlias -- SamrGetUserDomainPasswordInformation - -### New BCD events - -Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): -- DEP/NEX settings -- Test signing -- PCAT SB simulation -- Debug -- Boot debug -- Integrity Services -- Disable Winload debugging menu - -### New PNP events - -Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. -[Learn how to manage your security audit policies within your organization](../keep-secure/security-auditing-overview.md). diff --git a/windows/whats-new/trusted-platform-module.md b/windows/whats-new/trusted-platform-module.md deleted file mode 100644 index e4a2614653..0000000000 --- a/windows/whats-new/trusted-platform-module.md +++ /dev/null @@ -1,46 +0,0 @@ ---- -title: What's new in Trusted Platform Module (Windows 10) -description: This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10. -ms.assetid: CE8BBC2A-EE2D-4DFA-958E-2A178F2E6C44 -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security, mobile -author: brianlic-msft -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/trusted-platform-module-overview ---- - -# What's new in Trusted Platform Module? - -**Applies to** -- Windows 10 -- Windows 10 Mobile -- Windows Server 2016 - -This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10. - -## New features in Windows 10, version 1511 - -- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). - -## New features in Windows 10 - -The following sections describe the new and changed functionality in the TPM for Windows 10: -- [Device health attestation](#bkmk-dha) -- [Microsoft Passport](microsoft-passport.md) support -- [Device Guard](device-guard-overview.md) support -- [Credential Guard](credential-guard.md) support - -## Device health attestation - -Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. -Some things that you can check on the device are: -- Is Data Execution Prevention supported and enabled? -- Is BitLocker Drive Encryption supported and enabled? -- Is SecureBoot supported and enabled? - -> **Note**  The device must be running Windows 10 and it must support at least TPM 2.0. -  -[Learn how to deploy and manage TPM within your organization](../keep-secure/trusted-platform-module-overview.md). -  -  diff --git a/windows/whats-new/user-account-control.md b/windows/whats-new/user-account-control.md deleted file mode 100644 index 4a670324d3..0000000000 --- a/windows/whats-new/user-account-control.md +++ /dev/null @@ -1,32 +0,0 @@ ---- -title: What's new in User Account Control (Windows 10) -description: User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. -ms.assetid: 9281870C-0819-4694-B4F1-260255BB8D07 -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: brianlic-msft -redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511 ---- - -# What's new in User Account Control? - -**Applies to** -- Windows 10 - -User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. - -You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10. - -For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](../keep-secure/user-account-control-group-policy-and-registry-key-settings.md). - -In Windows 10, User Account Control has added some improvements. - -## New features in Windows 10 - -- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](http://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. - -[Learn how to manage User Account Control within your organization](../keep-secure/user-account-control-overview.md). -  -  diff --git a/windows/whats-new/windows-spotlight.md b/windows/whats-new/windows-spotlight.md deleted file mode 100644 index 15caeeb2a9..0000000000 --- a/windows/whats-new/windows-spotlight.md +++ /dev/null @@ -1,16 +0,0 @@ ---- -title: Windows Spotlight on the lock screen (Windows 10) -description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. -ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A -keywords: ["lockscreen"] -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/windows-spotlight ---- - -# Windows Spotlight on the lock screen - - -This topic has been redirected. \ No newline at end of file diff --git a/windows/whats-new/windows-store-for-business-overview.md b/windows/whats-new/windows-store-for-business-overview.md deleted file mode 100644 index abb7c7f8f3..0000000000 --- a/windows/whats-new/windows-store-for-business-overview.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -title: Windows Store for Business overview (Windows 10) -description: With the new Windows Store for Business, organizations can make volume purchases of Windows apps. -ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C -ms.prod: w10 -ms.pagetype: store, mobile -ms.mktglfcycl: manage -ms.sitesec: library -redirect_url: https://technet.microsoft.com/itpro/windows/manage/windows-store-for-business-overview -author: TrudyHa ---- diff --git a/windows/whats-new/windows-update-for-business.md b/windows/whats-new/windows-update-for-business.md deleted file mode 100644 index 4b69cf6ecd..0000000000 --- a/windows/whats-new/windows-update-for-business.md +++ /dev/null @@ -1,50 +0,0 @@ ---- -title: What's new in Windows Update for Business (Windows 10) -description: Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. -ms.assetid: 9271FC9A-6AF1-4BBD-A272-909BF54363F4 -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -author: TrudyHa -redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511 ---- - -# What's new in Windows Update for Business? - - -**Applies to** - -- Windows 10 - -Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. - -## Benefits of Windows Update for Business - - -By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: - -- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). - -- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. - -- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). - -Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](http://technet.microsoft.com/library/gg682129.aspx). - -## Learn more - - -[Windows Update for Business](../plan/windows-update-for-business.md) - -[Setup and deployment](../plan/setup-and-deployment.md) - -[Integration with management solutions](../plan/integration-with-management-solutions-.md) - -  - -  - - - - - From f9468536b0b9f81cd57cd9b95b9b03677458b80f Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 17 Feb 2017 10:31:25 -0800 Subject: [PATCH 45/65] Adding content --- .openpublishing.redirection.json | 212 +++++++++++++++---------------- 1 file changed, 106 insertions(+), 106 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index b87fda171e..e3ba0be1fd 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -558,527 +558,527 @@ { "source_path": "windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md", "redirect_url": "/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md", "redirect_url": "/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md", "redirect_url": "/itpro/windows/manage/appv-migrating-to-appv-from-a-previous-version", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "", "redirect_url": "", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md", "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/manage/disconnect-your-organization-from-microsoft.md", "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/manage/introduction-to-windows-10-servicing.md", "redirect_url": "/itpro/windows/update/index", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/manage/manage-cortana-in-enterprise.md", "redirect_url": "/itpro/windows/configure/cortana-at-work-overview", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/manage/manage-inventory-windows-store-for-business.md", "redirect_url": "/itpro/windows/manage/app-inventory-managemement-windows-store-for-business", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/manage/uev-accessibility.md", "redirect_url": "/itpro/windows/manage/uev-for-windows", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/manage/uev-privacy-statement.md", "redirect_url": "/itpro/windows/manage/uev-security-considerations", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/act-community-ratings-and-process.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/act-database-configuration.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/act-database-migration.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/act-deployment-options.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/act-glossary.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/activating-and-closing-windows-in-acm.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/act-lps-share-permissions.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/act-operatingsystem-application-report.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/act-operatingsystem-computer-report.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/act-operatingsystem-device-report.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/act-product-and-documentation-resources.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/act-settings-dialog-box-preferences-tab.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/act-settings-dialog-box-settings-tab.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/act-toolbar-icons-in-acm.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/act-tools-packages-and-services.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/act-user-interface-reference.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/adding-or-editing-an-issue.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/adding-or-editing-a-solution.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/analyzing-your-compatibility-data.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/application-dialog-box.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/categorizing-your-compatibility-data.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/chromebook-migration-guide.md", "redirect_url": "edu/windows/chromebook-migration-guide", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/common-compatibility-issues.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/compatibility-monitor-users-guide.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/computer-dialog-box.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/configuring-act.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/creating-and-editing-issues-and-solutions.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/creating-an-inventory-collector-package.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/creating-a-runtime-analysis-package.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/customizing-your-report-views.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/deciding-which-applications-to-test.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/deleting-a-data-collection-package.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/deploying-an-inventory-collector-package.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/deploying-a-runtime-analysis-package.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/deploy-windows-10-in-a-school.md", "redirect_url": "/edu/windows/deploy-windows-10-in-a-school", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/example-filter-queries.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/exporting-a-data-collection-package.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/filtering-your-compatibility-data.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/fixing-compatibility-issues.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/identifying-computers-for-inventory-collection.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/integration-with-management-solutions-.md", "redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/internet-explorer-web-site-report.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/labeling-data-in-acm.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/log-file-locations-for-data-collection-packages.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/managing-your-data-collection-packages.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/organizational-tasks-for-each-report-type.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/organizing-your-compatibility-data.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/prioritizing-your-compatibility-data.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/ratings-icons-in-acm.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/resolving-an-issue.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/saving-opening-and-exporting-reports.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/selecting-the-send-and-receive-status-for-an-application.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/selecting-your-compatibility-rating.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/selecting-your-deployment-status.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/sending-and-receiving-compatibility-data.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/settings-for-acm.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/setup-and-deployment.md", "redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/software-requirements-for-act.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/software-requirements-for-rap.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/taking-inventory-of-your-organization.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/testing-compatibility-on-the-target-platform.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/troubleshooting-act.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/troubleshooting-act-database-issues.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/troubleshooting-the-act-configuration-wizard.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/troubleshooting-the-act-log-processing-service.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/using-act.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/using-compatibility-monitor-to-send-feedback.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/viewing-your-compatibility-reports.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/websiteurl-dialog-box.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/welcome-to-act.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/whats-new-in-act-60.md", "redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/windows-10-guidance-for-education-environments.md", "redirect_url": "/edu/windows/index", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/windows-10-servicing-options.md", "redirect_url": "/itpro/windows/update/waas-overview", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/plan/windows-update-for-business.md", "redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/whats-new/applocker.md", "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/whats-new/bitlocker.md", "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/whats-new/change-history-for-what-s-new-in-windows-10.md", "redirect_url": "/itpro/windows/whats-new/index", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/whats-new/credential-guard.md", "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/whats-new/device-guard-overview.md", "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/whats-new/device-management.md", "redirect_url": "/itpro/windows/manage/manage-corporate-devices", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/whats-new/edge-ie11-whats-new-overview.md", "redirect_url": "/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/whats-new/edp-whats-new-overview.md", "redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/whats-new/lockdown-features-windows-10.md", "redirect_url": "/itpro/windows/configure/lockdown-features-windows-10", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/whats-new/microsoft-passport.md", "redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/whats-new/new-provisioning-packages.md", "redirect_url": "/itpro/windows/configure/provisioning-packages", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/whats-new/security-auditing.md", "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/whats-new/trusted-platform-module.md", "redirect_url": "/itpro/windows/keep-secure/trusted-platform-module-overview", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/whats-new/user-account-control.md", "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/whats-new/windows-spotlight.md", "redirect_url": "/itpro/windows/configure/windows-spotlight", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/whats-new/windows-store-for-business-overview.md", "redirect_url": "/itpro/windows/manage/windows-store-for-business-overview", - "redirect_document_id": true + "redirect_document_id": true }, { "source_path": "windows/whats-new/windows-update-for-business.md", "redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": true + "redirect_document_id": true }, ] -} +} \ No newline at end of file From 03a80e1ad164907438e971eb636a4b1dd134150b Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 17 Feb 2017 10:35:15 -0800 Subject: [PATCH 46/65] Adding content --- .openpublishing.redirection.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index e3ba0be1fd..cafe7e4861 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -255,7 +255,7 @@ "redirect_url": "/itpro/windows/configure/cortana-at-work-crm", "redirect_document_id": true }, - { + { "source_path": "windows/manage/cortana-at-work-powerbi.md", "redirect_url": "/itpro/windows/configure/cortana-at-work-powerbi", "redirect_document_id": true @@ -310,7 +310,7 @@ "redirect_url": "/itpro/windows/configure/manage-wifi-sense-in-enterprise", "redirect_document_id": true }, - { + { "source_path": "windows/deploy/provisioning-packages.md", "redirect_url": "/itpro/windows/configure/provisioning-packages", "redirect_document_id": true From b2f992bc92f4579d127e9781b859419d0ccdf01e Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 17 Feb 2017 11:06:36 -0800 Subject: [PATCH 47/65] Adding content --- .openpublishing.redirection.json | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index cafe7e4861..112694c7fb 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -570,11 +570,6 @@ "redirect_url": "/itpro/windows/manage/appv-migrating-to-appv-from-a-previous-version", "redirect_document_id": true }, - { - "source_path": "", - "redirect_url": "", - "redirect_document_id": true - }, { "source_path": "windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md", "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", From 0ad77803523a4a73603ec9562e5f15d49bf0846a Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 17 Feb 2017 12:35:13 -0800 Subject: [PATCH 48/65] Fixing warnings --- .openpublishing.redirection.json | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 112694c7fb..8ab1e55136 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -420,21 +420,6 @@ "redirect_url": "/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip", "redirect_document_id": true }, - { - "source_path": "windows/configure/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md", - "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", - "redirect_document_id": true - }, - { - "source_path": "windows/configure/disconnect-your-organization-from-microsoft.md", - "redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", - "redirect_document_id": true - }, - { - "source_path": "windows/configure/manage-cortana-in-enterprise.md", - "redirect_url": "/itpro/windows/configure/cortana-at-work-overview", - "redirect_document_id": true - }, { "source_path": "windows/deploy/update-windows-10-images-with-provisioning-packages.md", "redirect_url": "/itpro/windows/configure/provisioning-packages", From 0ac0bff302bd31260efc0ceadbf44a366bd2c5fa Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 17 Feb 2017 12:44:12 -0800 Subject: [PATCH 49/65] Fixing links --- .../how-it-pros-can-use-configuration-service-providers.md | 2 +- windows/configure/manage-tips-and-suggestions.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/configure/how-it-pros-can-use-configuration-service-providers.md b/windows/configure/how-it-pros-can-use-configuration-service-providers.md index b571b0e4b4..1f827f11a3 100644 --- a/windows/configure/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configure/how-it-pros-can-use-configuration-service-providers.md @@ -58,7 +58,7 @@ Generally, enterprises rely on Group Policy or MDM to configure and manage devic In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management, or you want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried. -In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings. +In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](cortana-at=work-overview.md) which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings. ### CSPs in Windows Imaging and Configuration Designer (ICD) diff --git a/windows/configure/manage-tips-and-suggestions.md b/windows/configure/manage-tips-and-suggestions.md index 547f77a1aa..e9a6c5a0c5 100644 --- a/windows/configure/manage-tips-and-suggestions.md +++ b/windows/configure/manage-tips-and-suggestions.md @@ -49,7 +49,7 @@ Windows 10, version 1607 (also known as the Anniversary Update), provides organi ## Related topics - [Manage Windows 10 Start layout](windows-10-start-layout-options-and-policies.md) -- [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) +- [Cortana integration in your business or enterprise](cortana-at=work-overview.md) - [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md) - [Windows 10 editions for education customers](https://technet.microsoft.com/en-us/edu/windows/windows-editions-for-education-customers) From 8d17f3496bfeed4d2bdd837358ad044a2cc1625c Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Fri, 17 Feb 2017 13:04:18 -0800 Subject: [PATCH 50/65] waas-optimize changed sccm client peer cache note --- windows/manage/waas-optimize-windows-10-updates.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/manage/waas-optimize-windows-10-updates.md b/windows/manage/waas-optimize-windows-10-updates.md index 08251d8c02..a692f9ef34 100644 --- a/windows/manage/waas-optimize-windows-10-updates.md +++ b/windows/manage/waas-optimize-windows-10-updates.md @@ -40,9 +40,9 @@ Two methods of peer-to-peer content distribution are available in Windows 10. | BranchCache | ![no](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) | >[!NOTE] ->Starting with preview version 1604, System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage in the same Configuration Manager boundary group. This is expected to be available in later Configuration Manager current branch releases. +>System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache). > ->In addition to client content sharing, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt613173.aspx). +>In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/library/mt613173.aspx). ## Express update delivery From f53fc70e76846abea76f62d7ade66833ee1f7c5c Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 17 Feb 2017 13:34:29 -0800 Subject: [PATCH 51/65] Fixing broken links --- .../how-it-pros-can-use-configuration-service-providers.md | 2 +- windows/configure/manage-tips-and-suggestions.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/configure/how-it-pros-can-use-configuration-service-providers.md b/windows/configure/how-it-pros-can-use-configuration-service-providers.md index 1f827f11a3..98152602d5 100644 --- a/windows/configure/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configure/how-it-pros-can-use-configuration-service-providers.md @@ -58,7 +58,7 @@ Generally, enterprises rely on Group Policy or MDM to configure and manage devic In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management, or you want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried. -In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](cortana-at=work-overview.md) which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings. +In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](cortana-at-work-overview.md) which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings. ### CSPs in Windows Imaging and Configuration Designer (ICD) diff --git a/windows/configure/manage-tips-and-suggestions.md b/windows/configure/manage-tips-and-suggestions.md index e9a6c5a0c5..c3394002a8 100644 --- a/windows/configure/manage-tips-and-suggestions.md +++ b/windows/configure/manage-tips-and-suggestions.md @@ -49,7 +49,7 @@ Windows 10, version 1607 (also known as the Anniversary Update), provides organi ## Related topics - [Manage Windows 10 Start layout](windows-10-start-layout-options-and-policies.md) -- [Cortana integration in your business or enterprise](cortana-at=work-overview.md) +- [Cortana integration in your business or enterprise](cortana-at-work-overview.md) - [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md) - [Windows 10 editions for education customers](https://technet.microsoft.com/en-us/edu/windows/windows-editions-for-education-customers) From 5205bbc3ec6a704237ca81df4d0be4f58da8634e Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 17 Feb 2017 13:37:59 -0800 Subject: [PATCH 52/65] Fixing link --- .../change-history-for-manage-and-update-windows-10.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index a13e4d75af..f4de8fbb12 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -60,7 +60,7 @@ The topics in this library have been updated for Windows 10, version 1703 (also | --- | --- | | [Manage device restarts after updates](waas-restart.md) | New | | [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | New | -| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |Added an important note about Cortana and Office 365 integration. | +| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) |Added an important note about Cortana and Office 365 integration. | | [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) | Fixed the explanation for Start behavior when the .xml file containing the layout is not available when the user signs in. | | [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. Added Teredo Group Policy. | | [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Added Current Branch for Business (CBB) support for Windows 10 IoT Mobile. | @@ -138,7 +138,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also | ---|---| | [Application development for Windows as a service](application-development-for-windows-as-a-service.md) | New | | [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) | New | -| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. | +| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. | ## February 2016 @@ -156,7 +156,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also | New or changed topic | Description | | ---|---| -| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | New | +| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | New | | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | New | | [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | New | From a9d7e872526b6637c0f318337e36a4f425221f49 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Fri, 17 Feb 2017 14:28:12 -0800 Subject: [PATCH 53/65] Clarified how -UserPEs relates to UMCI (Option 0) --- ...e-integrity-policies-policy-rules-and-file-rules.md | 10 ++++++---- .../deploy-code-integrity-policies-steps.md | 8 ++++---- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md b/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md index e61e798a6f..e1046621fc 100644 --- a/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md +++ b/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md @@ -14,7 +14,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Code integrity policies maintain the standards by which a computer running Windows 10 determines whether an application is trustworthy and can be run. For an overview of code integrity, see: +Code integrity policies provide control over a computer running Windows 10 by specifying whether a driver or application is trusted and can be run. For an overview of code integrity, see: - [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats) in "Introduction to Device Guard: virtualization-based security and code integrity policies." - [Code integrity policy formats and signing](requirements-and-deployment-planning-guidelines-for-device-guard.md#code-integrity-policy-formats-and-signing) in "Requirements and deployment planning guidelines for Device Guard." @@ -23,7 +23,7 @@ If you already understand the basics of code integrity policy and want procedure This topic includes the following sections: - [Overview of the process of creating code integrity policies](#overview-of-the-process-of-creating-code-integrity-policies): Helps familiarize you with the process described in this and related topics. -- [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether UMCI is enabled in a code integrity policy. +- [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether user mode code integrity (UMCI) is enabled in a code integrity policy. - [Code integrity file rule levels](#code-integrity-file-rule-levels): Describes the other key element you specify in a policy, the *file rules* (or *file rule levels*), which specify the level at which applications will be identified and trusted. - [Example of file rule levels in use](#example-of-file-rule-levels-in-use): Gives an example of how file rule levels can be applied. @@ -31,7 +31,7 @@ This topic includes the following sections: A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the planning steps in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). -> **Note**  Each computer can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to C:\\Windows\\System32\\CodeIntegrity. Keep this in mind when you create your code integrity policies. +> **Note**  Each computer can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to **C:\\Windows\\System32\\CodeIntegrity** and, for UEFI computers, **<EFI System Partition>\\Microsoft\\Boot**. Keep this in mind when you create your code integrity policies. Optionally, code integrity policies can align with your software catalog as well as any IT department–approved applications. One straightforward method to implement code integrity policies is to use existing images to create one master code integrity policy. You do so by creating a code integrity policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed. @@ -43,10 +43,12 @@ Code integrity policies include *policy rules*, which control options such as au To modify the policy rule options of an existing code integrity policy, use the [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) Windows PowerShell cmdlet. Note the following examples of how to use this cmdlet to add and remove a rule option on an existing code integrity policy: -- To enable UMCI, add rule option 0 to an existing policy by running the following command: +- To ensure that UMCI is enabled for a code integrity policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command: ` Set-RuleOption -FilePath -Option 0` + Note that a policy that was created without the `-UserPEs` option is empty of user mode executables, that is, applications. If you enable UMCI (Option 0) for such a policy and then attempt to run an application, Device Guard will see that the application is not on its list (which is empty of applications), and respond. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. To create a policy that includes user mode executables (applications), when you run `New-CIPolicy`, include the `-UserPEs` option. + - To disable UMCI on an existing code integrity policy, delete rule option 0 by running the following command: ` Set-RuleOption -FilePath -Option 0 -Delete` diff --git a/windows/keep-secure/deploy-code-integrity-policies-steps.md b/windows/keep-secure/deploy-code-integrity-policies-steps.md index 2febd90862..82ce96bb82 100644 --- a/windows/keep-secure/deploy-code-integrity-policies-steps.md +++ b/windows/keep-secure/deploy-code-integrity-policies-steps.md @@ -38,11 +38,11 @@ To create a code integrity policy, copy each of the following commands into an e > **Notes** - > - By specifying the *–UserPEs* parameter, rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. If you do not specify this parameter, to enable UMCI, use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) as shown in the following command:
    **Set-RuleOption -FilePath $InitialCIPolicy -Option 0** + > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. + + > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.” - > - You can add the *–Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.” - - > - To specify that the code integrity policy scan only a specific drive, include the *–ScanPath* parameter followed by a path. Without this parameter, the entire system is scanned. + > - To specify that the code integrity policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned. > - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. From 87dc84d81a5a375794265ca4308f1a9a6ae92772 Mon Sep 17 00:00:00 2001 From: Jason Gerend Date: Fri, 17 Feb 2017 15:08:43 -0800 Subject: [PATCH 54/65] Add Windows Libraries topic --- windows/manage/TOC.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index f5417ba0f7..70f2e9290f 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md @@ -162,6 +162,7 @@ ### [Troubleshooting App-V](appv-troubleshooting.md) ### [Technical Reference for App-V](appv-technical-reference.md) #### [Performance Guidance for Application Virtualization](appv-performance-guidance.md) + #### [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md) #### [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md) #### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md) @@ -221,4 +222,5 @@ #### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md) #### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md) ### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md) +## [Windows Libraries](windows-libraries.md) ## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) From 8fc55f52aaac0c7a8c50bc249b66bfc2e62e76f1 Mon Sep 17 00:00:00 2001 From: Jason Gerend Date: Fri, 17 Feb 2017 15:17:57 -0800 Subject: [PATCH 55/65] Added Windows Libraries --- windows/manage/index.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/manage/index.md b/windows/manage/index.md index 61fd0bf61e..bdb730b559 100644 --- a/windows/manage/index.md +++ b/windows/manage/index.md @@ -72,6 +72,10 @@ Learn about managing and updating Windows 10.

[Windows Store for Business](windows-store-for-business.md)

Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization.

[Windows Libraries](windows-libraries.md)

Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music).

[Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)

This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).