deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-07 10:07:21 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'public' into patch-225

Browse Source
This commit is contained in:
Denise Vangel-MSFT 2021-12-16 11:23:47 -08:00 committed by GitHub
commit 2949bb1fd1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1223 changed files with 36002 additions and 126315 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.acrolinx-config.edn
View File

@ -1,4 +1,4 @@
{:allowed-branchname-matches ["master"]
{:allowed-branchname-matches ["master" "main"]
:allowed-filename-matches ["windows/"]
:targets
@ -47,12 +47,12 @@ For more information about the exception criteria and exception process, see [Mi
Click the scorecard links for each article to review the Acrolinx feedback on grammar, spelling, punctuation, writing style, and terminology:
| Article | Score | Issues | Scorecard | Processed |
| ------- | ----- | ------ | --------- | --------- |
| Article | Score | Issues | Spelling<br>issues | Scorecard | Processed |
| ------- | ----- | ------ | ------ | --------- | --------- |
"
:template-change
"| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | [link](${acrolinx/scorecard}) | ${s/status} |
"| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | ${acrolinx/flags/spelling} | [link](${acrolinx/scorecard}) | ${s/status} |
"
:template-footer

97
.openpublishing.redirection.json
View File

@ -1,5 +1,60 @@
{
"redirections": [
{
"source_path": "windows/client-management/mdm/maps-ddf-file.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/maps-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/hotspot-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/filesystem-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/EnterpriseExtFileSystem-ddf.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/EnterpriseExtFileSystem-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/enterpriseext-ddf.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/enterpriseext-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/enterpriseassignedaccess-xsd.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/enterpriseassignedaccess-ddf.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/enterpriseassignedaccess-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md",
"redirect_url": "https://support.microsoft.com/windows/windows-phone-8-1-end-of-support-faq-7f1ef0aa-0aaf-0747-3724-5c44456778a3",
@ -16411,7 +16466,7 @@
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md.md",
"source_path": "windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md",
"redirect_url": "/microsoft-365/security/defender-endpoint/gov",
"redirect_document_id": false
},
@ -19114,46 +19169,6 @@
"source_path": "windows/security/identity-protection/change-history-for-access-protection.md",
"redirect_url": "/windows/security/",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-deployment",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/create-a-windows-11-reference-image",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/deploy-a-windows-11-image-using-mdt",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/refresh-a-windows-10-computer-with-windows-11",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/replace-a-windows-10-computer-with-a-windows-11-computer",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/simulate-a-windows-11-deployment-in-a-test-environment",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/upgrade-to-windows-11-with-the-microsoft-deployment-toolkit",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-11-deployment-information",
"redirect_document_id": false
},
{
"source_path": "windows/deploy-windows-cm/upgrade-to-windows-with-configuraton-manager.md",

2
browsers/edge/group-policies/index.yml
View File

@ -9,7 +9,7 @@ metadata:
keywords: Microsoft Edge Legacy, Windows 10
ms.localizationpriority: medium
ms.prod: edge
author: shortpatti
author: dougeby
ms.author: pashort
ms.topic: landing-page
ms.devlang: na

2
browsers/edge/index.yml
View File

@ -11,7 +11,7 @@ metadata:
ms.localizationpriority: medium
ms.topic: landing-page # Required
ms.collection: collection # Optional; Remove if no collection is used.
author: shortpatti #Required; your GitHub user alias, with correct capitalization.
author: dougeby #Required; your GitHub user alias, with correct capitalization.
ms.author: pashort #Required; microsoft alias of author; optional team alias.
ms.date: 07/07/2020 #Required; mm/dd/yyyy format.

2
browsers/edge/microsoft-edge-faq.yml
View File

@ -62,7 +62,7 @@ sections:
- question: Will Internet Explorer 11 continue to receive updates?
answer: |
We're committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it's installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge.
We're committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it's installed. For details, see [Lifecycle FAQ - Internet Explorer](/lifecycle/faq/internet-explorer-microsoft-edge). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge.
- question: How do I find out which version of Microsoft Edge I have?
answer: |

76
browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
View File

@ -201,68 +201,32 @@ You can use Group Policy to finish setting up Enterprise Site Discovery. If you
You can use both the WMI and XML settings individually or together:
**To turn off Enterprise Site Discovery**
<table>
<tr>
<th>Setting name</th>
<th>Option</th>
</tr>
<tr>
<td>Turn on Site Discovery WMI output</td>
<td>Off</td>
</tr>
<tr>
<td>Turn on Site Discovery XML output</td>
<td>Blank</td>
</tr>
</table>
|Setting name |Option |
|---------|---------|
|Turn on Site Discovery WMI output | Off |
|Turn on Site Discovery XML output | Blank |
**Turn on WMI recording only**
<table>
<tr>
<th>Setting name</th>
<th>Option</th>
</tr>
<tr>
<td>Turn on Site Discovery WMI output</td>
<td>On</td>
</tr>
<tr>
<td>Turn on Site Discovery XML output</td>
<td>Blank</td>
</tr>
</table>
|Setting name |Option |
|---------|---------|
|Turn on Site Discovery WMI output | On |
|Turn on Site Discovery XML output | Blank |
**To turn on XML recording only**
<table>
<tr>
<th>Setting name</th>
<th>Option</th>
</tr>
<tr>
<td>Turn on Site Discovery WMI output</td>
<td>Off</td>
</tr>
<tr>
<td>Turn on Site Discovery XML output</td>
<td>XML file path</td>
</tr>
</table>
|Setting name |Option |
|---------|---------|
|Turn on Site Discovery WMI output | Off |
|Turn on Site Discovery XML output | XML file path |
**To turn on both WMI and XML recording**
<table>
<tr>
<th>Setting name</th>
<th>Option</th>
</tr>
<tr>
<td>Turn on Site Discovery WMI output</td>
<td>On</td>
</tr>
<tr>
<td>Turn on Site Discovery XML output</td>
<td>XML file path</td>
</tr>
</table>
|Setting name |Option |
|---------|---------|
|Turn on Site Discovery WMI output | On |
|Turn on Site Discovery XML output | XML file path |
## Use Configuration Manager to collect your data
After youve collected your data, youll need to get the local files off of your employees computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options:

135
browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md
View File

@ -60,132 +60,21 @@ Make sure that you don't specify a protocol when adding your URLs. Using a URL l
### Schema elements
This table includes the elements used by the Enterprise Mode schema.
<table>
<thead>
<tr class="header">
<th>Element</th>
<th>Description</th>
<th>Supported browser</th>
</tr>
</thead>
<tbody>
<tr>
<td>&lt;rules&gt;</td>
<td>Root node for the schema.
<p><b>Example</b>
<pre class="syntax">
&lt;rules version="205"&gt;
&lt;emie&gt;
&lt;domain&gt;contoso.com&lt;/domain&gt;
&lt;/emie&gt;
&lt;/rules&gt;</pre></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;emie&gt;</td>
<td>The parent node for the Enterprise Mode section of the schema. All &lt;domain&gt; entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
<p><b>Example</b>
<pre class="syntax">
&lt;rules version="205"&gt;
&lt;emie&gt;
&lt;domain&gt;contoso.com&lt;/domain&gt;
&lt;/emie&gt;
&lt;/rules&gt;</pre>
<strong>-or-</strong>
<p>For IPv6 ranges:<pre class="syntax">&lt;rules version="205"&gt;
&lt;emie&gt;
&lt;domain&gt;[10.122.34.99]:8080&lt;/domain&gt;
&lt;/emie&gt;
&lt;/rules&gt;</pre>
<strong>-or-</strong>
<p>For IPv4 ranges:<pre class="syntax">&lt;rules version="205"&gt;
&lt;emie&gt;
&lt;domain&gt;10.122.34.99:8080&lt;/domain&gt;
&lt;/emie&gt;
&lt;/rules&gt;</pre></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;docMode&gt;</td>
<td>The parent node for the document mode section of the section. All &lt;domain&gt; entries will get IE5 - IE11 document modes applied. If there's a &lt;domain&gt; element in the &lt;docMode&gt; section that uses the same value as a &lt;domain&gt; element in the &lt;emie&gt; section, the &lt;emie&gt; element is applied.
<p><b>Example</b>
<pre class="syntax">
&lt;rules version="205"&gt;
&lt;docMode&gt;
&lt;domain docMode="7"&gt;contoso.com&lt;/domain&gt;
&lt;/docMode&gt;
&lt;/rules&gt;</pre></td>
<td>Internet Explorer 11</td>
</tr>
<tr>
<td>&lt;domain&gt;</td>
<td>A unique entry added for each site you want to put on the Enterprise Mode site list. The first &lt;domain&gt; element will overrule any additional &lt;domain&gt; elements that use the same value for the section. You can use port numbers for this element.
<p><b>Example</b>
<pre class="syntax">
&lt;emie&gt;
&lt;domain&gt;contoso.com:8080&lt;/domain&gt;
&lt;/emie&gt;</pre></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;path&gt;</td>
<td>A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The &lt;path&gt; element is a child of the &lt;domain&gt; element. Additionally, the first &lt;path&gt; element will overrule any additional &lt;path&gt; elements in the schema section.
<p><b>Example</b>
<pre class="syntax">
&lt;emie&gt;
&lt;domain exclude="false"&gt;fabrikam.com
&lt;path exclude="true"&gt;/products&lt;/path&gt;
&lt;/domain&gt;
&lt;/emie&gt;</pre><p>
Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
</table>
|Element |Description |Supported browser |
|---------|---------|---------|
|&lt;rules&gt; | Root node for the schema.<br>**Example** <pre class="syntax">&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;contoso.com&lt;/domain&gt; <br> &lt;/emie&gt;<br> &lt;/rules&gt; |Internet Explorer 11 and Microsoft Edge |
|&lt;emie&gt; |The parent node for the Enterprise Mode section of the schema. All &lt;domain&gt; entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied. <br> **Example** <pre class="syntax">&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;contoso.com&lt;/domain&gt; <br> &lt;/emie&gt;<br>&lt;/rules&gt; <br> </pre><p> **or** <br> For IPv6 ranges: <pre class="syntax"><br>&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;[10.122.34.99]:8080&lt;/domain&gt; <br> &lt;/emie&gt;<br>&lt;/rules&gt; </pre><p> <br> **or**<br> For IPv4 ranges:<pre class="syntax">&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;[10.122.34.99]:8080&lt;/domain&gt; <br> &lt;/emie&gt;<br>&lt;/rules&gt; | Internet Explorer 11 and Microsoft Edge |
|&lt;docMode&gt; |The parent node for the document mode section of the section. All &lt;domain&gt; entries will get IE5 - IE11 document modes applied. If there's a &lt;domain&gt; element in the docMode section that uses the same value as a &lt;domain&gt; element in the emie section, the emie element is applied. <br> **Example** <pre class="syntax"> <br/>&lt;rules version="205"&gt; <br> &lt;docmode&gt; <br> &lt;domain docMode="7"&gt;contoso.com&lt;/domain&gt; <br> &lt;/docmode&gt;<br>&lt;/rules&gt; |Internet Explorer 11 |
|&lt;domain&gt; |A unique entry added for each site you want to put on the Enterprise Mode site list. The first &lt;domain&gt; element will overrule any additional &lt;domain&gt; elements that use the same value for the section. You can use port numbers for this element. <br> **Example** <pre class="syntax"> <br/>&lt;emie&gt; <br> &lt;domain&gt;contoso.com:8080&lt;/domain&gt;<br>&lt;/emie&gt; |Internet Explorer 11 and Microsoft Edge |
|&lt;path&gt; |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The &lt;path&gt; element is a child of the &lt;domain&gt; element. Additionally, the first &lt;path&gt; element will overrule any additional &lt;path&gt; elements in the schema section.<br> **Example** <pre class="syntax"> <br/>&lt;emie&gt; <br> &lt;domain exclude="false"&gt;fabrikam.com <br> &lt;path exclude="true"&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt;</pre><p> <br> Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does. |Internet Explorer 11 and Microsoft Edge |
### Schema attributes
This table includes the attributes used by the Enterprise Mode schema.
<table>
<thead>
<tr class="header">
<th>Attribute</th>
<th>Description</th>
<th>Supported browser</th>
</tr>
</thead>
<tbody>
<tr>
<td>&lt;version&gt;</td>
<td>Specifies the version of the Enterprise Mode Site List. This attribute is supported for the &lt;rules&gt; element.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;exclude&gt;</td>
<td>Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the &lt;domain&gt; and &lt;path&gt; elements.
<p><b>Example</b>
<pre class="syntax">
&lt;emie&gt;
&lt;domain exclude="false"&gt;fabrikam.com
&lt;path exclude="true"&gt;/products&lt;/path&gt;
&lt;/domain&gt;
&lt;/emie&gt;</pre><p>
Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;docMode&gt;</td>
<td>Specifies the document mode to apply. This attribute is only supported on &lt;domain&gt; or &lt;path&gt; elements in the &lt;docMode&gt; section.
<p><b>Example</b>
<pre class="syntax">
&lt;docMode&gt;
&lt;domain exclude="false"&gt;fabrikam.com
&lt;path docMode="7"&gt;/products&lt;/path&gt;
&lt;/domain&gt;
&lt;/docMode&gt;</pre></td>
<td>Internet Explorer 11</td>
</tr>
</table>
|Attribute|Description|Supported browser|
|--- |--- |--- |
|&lt;version&gt;|Specifies the version of the Enterprise Mode Site List. This attribute is supported for the &lt;rules&gt; element.|Internet Explorer 11 and Microsoft Edge|
|&lt;exclude&gt;|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the <domain> and <path> elements.<br> **Example** <pre class="syntax">&lt;emie&gt;<br> &lt;domain exclude="false"&gt;fabrikam.com <br> &lt;path exclude="true"&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt; </pre><p> Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge|
|&lt;docMode&gt;|Specifies the document mode to apply. This attribute is only supported on &lt;domain&gt; or &lt;path&gt;elements in the &lt;docMode&gt; section.<br> **Example**<pre class="syntax">&lt;docMode&gt; <br> &lt;domain exclude="false"&gt;fabrikam.com <br> &lt;path docMode="7"&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/docMode&gt;|Internet Explorer 11|
### Using Enterprise Mode and document mode together
If you want to use both Enterprise Mode and document mode together, you need to be aware that &lt;emie&gt; entries override &lt;docMode&gt; entries for the same domain.

198
browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md
View File

@ -92,194 +92,32 @@ Make sure that you don't specify a protocol when adding your URLs. Using a URL l
### Updated schema elements
This table includes the elements used by the v.2 version of the Enterprise Mode schema.
<table>
<thead>
<tr class="header">
<th>Element</th>
<th>Description</th>
<th>Supported browser</th>
</tr>
</thead>
<tbody>
<tr>
<td>&lt;site-list&gt;</td>
<td>A new root node with this text is using the updated v.2 version of the schema. It replaces &lt;rules&gt;.
<p><b>Example</b>
<pre class="syntax">
&lt;site-list version="205"&gt;
&lt;site url="contoso.com"&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;open-in&gt;IE11&lt;/open-in&gt;
&lt;/site&gt;
&lt;/site-list&gt;</pre></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;site&gt;</td>
<td>A unique entry added for each site you want to put on the Enterprise Mode site list. The first &lt;site&gt; element will overrule any additional &lt;site&gt; elements that use the same value for the &lt;url&gt; element.
<p><b>Example</b>
<pre class="syntax">
&lt;site url="contoso.com"&gt;
&lt;compat-mode&gt;default&lt;/compat-mode&gt;
&lt;open-in&gt;none&lt;/open-in&gt;
&lt;/site&gt;</pre>
<strong>-or-</strong>
<p>For IPv4 ranges:<pre class="syntax">&lt;site url="10.122.34.99:8080"&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;site&gt;</pre><p>
<strong>-or-</strong>
<p>For IPv6 ranges:<pre class="syntax">&lt;site url="[10.122.34.99]:8080"&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;site&gt;</pre><p>
You can also use the self-closing version, &lt;url="contoso.com" /&gt;, which also sets:
<ul>
<li>&lt;compat-mode&gt;default&lt;/compat-mode&gt;</li>
<li>&lt;open-in&gt;none&lt;/open-in&gt;</li>
</ul></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;compat-mode&gt;</td>
<td>A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
<p><b>Example</b>
<pre class="syntax">
&lt;site url="contoso.com"&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;/site&gt;</pre>
<strong>-or-</strong>
<p>For IPv4 ranges:<pre class="syntax">&lt;site url="10.122.34.99:8080"&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;site&gt;</pre><p>
<strong>-or-</strong>
<p>For IPv6 ranges:<pre class="syntax">&lt;site url="[10.122.34.99]:8080"&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;site&gt;</pre><p>
Where:
<ul>
<li><b>IE8Enterprise.</b> Loads the site in IE8 Enterprise Mode.<br>This element is required for sites included in the <b>EmIE</b> section of the v.1 schema and is needed to load in IE8 Enterprise Mode.</li><p>
<li><b>IE7Enterprise.</b> Loads the site in IE7 Enterprise Mode.<br>This element is required for sites included in the <b>EmIE</b> section of the v.1 schema and is needed to load in IE7 Enterprise Mode.<p><b>Important</b><br>This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.</li><p>
<li><b>IE<i>[x]</i>.</b> Where <i>[x]</i> is the document mode number into which the site loads.</li><p>
<li><b>Default or not specified.</b> Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.</li>
</ul></td>
<td>Internet Explorer 11</td>
</tr>
<tr>
<td>&lt;open-in&gt;</td>
<td>A child element that controls what browser is used for sites. This element supports the <b>Open in IE11</b> or <b>Open in Microsoft Edge</b> experiences, for devices running Windows 10.
<p><b>Example</b>
<pre class="syntax">
&lt;site url="contoso.com"&gt;
&lt;open-in&gt;none&lt;/open-in&gt;
&lt;/site&gt;</pre><p>
Where:
<ul>
<li><b>IE11.</b> Opens the site in IE11, regardless of which browser is opened by the employee.</li><p>
<li><b>MSEdge.</b> Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.</li><p>
<li><b>None or not specified.</b> Opens in whatever browser the employee chooses.</li>
</ul></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
</table>
|Element |Description |Supported browser |
|---------|---------|---------|
|&lt;site-list&gt; |A new root node with this text is using the updated v.2 version of the schema. It replaces &lt;rules&gt;. <br> **Example** <br> <pre class="syntax">&lt;site-list version="205"&gt;<br> &lt;site url="contoso.com"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br> &lt;open-in&gt;IE11&lt;/open-in&gt;<br> &lt;/site&gt;<br>&lt;/site-list&gt;</pre> | Internet Explorer 11 and Microsoft Edge |
|&lt;site&gt; |A unique entry added for each site you want to put on the Enterprise Mode site list. The first &lt;site&gt; element will overrule any additional &lt;site&gt; elements that use the same value for the &lt;url&gt; element. <br> **Example** <pre class="syntax">&lt;site url="contoso.com"&gt;<br> &lt;compat-mode&gt;default&lt;/compat-mode&gt;<br> &lt;open-in&gt;none&lt;/open-in&gt;<br>&lt;/site&gt;</pre> <br> **or** For IPv4 ranges: <br> <pre class="syntax">&lt;site url="10.122.34.99:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;site&gt;</pre><p> <br> **or** For IPv6 ranges:<pre class="syntax">&lt;site url="[10.122.34.99]:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;site&gt;</pre><p> <br> You can also use the self-closing version, &lt;url="contoso.com" /&gt;, which also sets:<ul><li>&lt;compat-mode&gt;default&lt;/compat-mode&gt;</li><li>&lt;open-in&gt;none&lt;/open-in&gt;</li>| Internet Explorer 11 and Microsoft Edge |
|&lt;compat-mode&gt; |A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11. <br> **Example** <pre class="syntax"><br>&lt;site url="contoso.com"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;/site&gt;</pre> **or** <br> For IPv4 ranges:<pre class="syntax">&lt;site url="10.122.34.99:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;site&gt;</pre><p> **or** For IPv6 ranges:<pre class="syntax">&lt;site url="[10.122.34.99]:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;site&gt;</pre><p> Where<ul><li>**IE8Enterprise.** Loads the site in IE8 Enterprise Mode.<br>This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE8 Enterprise Mode.</li><p><li>**IE7Enterprise.** Loads the site in IE7 Enterprise Mode.<br>This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE7 Enterprise Mode<p>**Important**<br>This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.<li>**IE<i>[x]</i>**. Where <i>[x]</i> is the document mode number into which the site loads.<li>**Default or not specified.** Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.</li> |Internet Explorer 11 |
|&lt;open-in&gt; |A child element that controls what browser is used for sites. This element supports the **Open in IE11** or **Open in Microsoft Edge** experiences, for devices running Windows 10.<br> **Examples**<pre class="syntax">&lt;site url="contoso.com"&gt;<br> &lt;open-in&gt;none&lt;/open-in&gt; <br>&lt;/site&gt;</pre><p> <br> Where<ul><li><b>IE11.</b> Opens the site in IE11, regardless of which browser is opened by the employee.<li><b>MSEdge.</b> Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.<li><b>None or not specified.</b> Opens in whatever browser the employee chooses.</li> | Internet Explorer 11 and Microsoft Edge |
### Updated schema attributes
The &lt;url&gt; attribute, as part of the &lt;site&gt; element in the v.2 version of the schema, replaces the &lt;domain&gt; element from the v.1 version of the schema.
<table>
<thead>
<tr class="header">
<th>Attribute</th>
<th>Description</th>
<th>Supported browser</th>
</tr>
</thead>
<tbody>
<tr>
<td>allow-redirect</td>
<td>A boolean attribute of the &lt;open-in&gt; element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
<p><b>Example</b>
<pre class="syntax">
&lt;site url="contoso.com/travel"&gt;
&lt;open-in allow-redirect="true"&gt;IE11&lt;/open-in&gt;
&lt;/site&gt;</pre>
In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>version</td>
<td>Specifies the version of the Enterprise Mode Site List. This attribute is supported for the &lt;site-list&gt; element.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>url</td>
<td>Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
<br><b>Note</b><br>
Make sure that you don't specify a protocol. Using &lt;site url="contoso.com"&gt; applies to both https://contoso.com and https://contoso.com.
<p><b>Example</b>
<pre class="syntax">
&lt;site url="contoso.com:8080"&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;open-in&gt;IE11&lt;/open-in&gt;
&lt;/site&gt;</pre>
In this example, going to https://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
</table>
|Attribute|Description|Supported browser|
|---------|---------|---------|
|allow-redirect|A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).<br>**Example**<pre class="syntax">&lt;site url="contoso.com/travel"&gt;<br> &lt;open-in allow-redirect="true"&gt;IE11 &lt;/open-in&gt;<br>&lt;/site&gt; </pre> In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.</li>| Internet Explorer 11 and Microsoft Edge|
|version |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the &lt;site-list&gt; element. | Internet Explorer 11 and Microsoft Edge|
|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.<br> **Note**<br> Make sure that you don't specify a protocol. Using &lt;site url="contoso.com"&gt; applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com). <br> **Example**<pre class="syntax">&lt;site url="contoso.com:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt; <br> &lt;open-in&gt;IE11&lt;/open-in&gt;<br>&lt;/site&gt;</pre>In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge|
### Deprecated attributes
These v.1 version schema attributes have been deprecated in the v.2 version of the schema:
<table>
<thead>
<tr class="header">
<th>Deprecated attribute</th>
<th>New attribute</th>
<th>Replacement example</th>
</tr>
</thead>
<tbody>
<tr>
<td>&lt;forceCompatView&gt;</td>
<td>&lt;compat-mode&gt;</td>
<td>Replace &lt;forceCompatView="true"&gt; with &lt;compat-mode&gt;IE7Enterprise&lt;/compat-mode&gt;</td>
</tr>
<tr>
<td>&lt;docMode&gt;</td>
<td>&lt;compat-mode&gt;</td>
<td>Replace &lt;docMode="IE5"&gt; with &lt;compat-mode&gt;IE5&lt;/compat-mode&gt;</td>
</tr>
<tr>
<td>&lt;doNotTransition&gt;</td>
<td>&lt;open-in&gt;</td>
<td>Replace &lt;doNotTransition="true"&gt; with &lt;open-in&gt;none&lt;/open-in&gt;</td>
</tr>
<tr>
<td>&lt;domain&gt; and &lt;path&gt;</td>
<td>&lt;site&gt;</td>
<td>Replace:
<pre class="syntax">
&lt;emie&gt;
&lt;domain exclude="false"&gt;contoso.com&lt;/domain&gt;
&lt;/emie&gt;</pre>
With:
<pre class="syntax">
&lt;site url="contoso.com"/&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;/site&gt;</pre>
<b>-AND-</b><p>
Replace:
<pre class="syntax">
&lt;emie&gt;
&lt;domain exclude="true"&gt;contoso.com
&lt;path exclude="false" forceCompatView="true"&gt;/about&lt;/path&gt;
&lt;/domain&gt;
&lt;/emie&gt;</pre>
With:
<pre class="syntax">
&lt;site url="contoso.com/about"&gt;
&lt;compat-mode&gt;IE7Enterprise&lt;/compat-mode&gt;
&lt;/site&gt;</pre></td>
</tr>
</table>
|Deprecated attribute|New attribute|Replacement example|
|--- |--- |--- |
|&lt;forceCompatView&gt;|&lt;compat-mode>|Replace &lt;forceCompatView="true"> with &lt;compat-mode&gt;IE7Enterprise&lt;/compat-mode>|
|&lt;docMode&gt;|&lt;compat-mode&gt;|Replace &lt;docMode="IE5"&gt; with &lt;compat-mode&gt;IE5&lt;/compat-mode&gt;|
|&lt;doNotTransition&gt;|&lt;open-in&gt;|Replace:<br> &lt;doNotTransition="true"&gt; with &lt;open-in&gt;none&lt;/open-in&gt;|
|&lt;domain&gt; and &lt;path&gt;|&lt;site&gt;|Replace:<pre class="syntax">&lt;emie&gt;<br> &lt;domain exclude="false"&gt;contoso.com&lt;/domain&gt;<br>&lt;/emie&gt;</pre>With:<pre class="syntax">&lt;site url="contoso.com"/&gt; <br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;/site&gt;</pre>**-AND-** <br>Replace:<pre class="syntax">&lt;emie&gt; <br> &lt;domain exclude="true"&gt;contoso.com <br> &lt;path exclude="false" forceCompatView="true"&gt;/about&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt;</pre><br> With:<pre class="syntax">&lt;site url="contoso.com/about"&gt;<br> &lt;compat-mode&gt;IE7Enterprise&lt;/compat-mode&gt;<br>&lt;/site&gt;|
While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We dont recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features.

100
browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
View File

@ -63,17 +63,17 @@ Data is collected on the configuration characteristics of IE and the sites it br
|Data point |IE11 |IE10 |IE9 |IE8 |Description |
|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------|
|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. |
|Domain | X | X | X | X |Top-level domain of the browsed site. |
|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. |
|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. |
|Document mode reason | X | X | | |The reason why a document mode was set by IE. |
|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. |
|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. |
|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. |
|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. |
|Number of visits | X | X | X | X |Number of times a site has been visited. |
|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. |
|URL | ✔️ | ✔️ | ✔️ | ✔️ |URL of the browsed site, including any parameters included in the URL. |
|Domain | ✔️ | ✔️ | ✔️ | ✔️ |Top-level domain of the browsed site. |
|ActiveX GUID | ✔️ | ✔️ | ✔️ | ✔️ |GUID of the ActiveX controls loaded by the site. |
|Document mode | ✔️ | ✔️ | ✔️ | ✔️ |Document mode used by IE for a site, based on page characteristics. |
|Document mode reason | ✔️ | ✔️ | | |The reason why a document mode was set by IE. |
|Browser state reason | ✔️ | ✔️ | | |Additional information about why the browser is in its current state. Also called, browser mode. |
|Hang count | ✔️ | ✔️ | ✔️ | ✔️ |Number of visits to the URL when the browser hung. |
|Crash count | ✔️ | ✔️ | ✔️ | ✔️ |Number of visits to the URL when the browser crashed. |
|Most recent navigation failure (and count) | ✔️ | ✔️ | ✔️ | ✔️ |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. |
|Number of visits | ✔️ | ✔️ | ✔️ | ✔️ |Number of times a site has been visited. |
|Zone | ✔️ | ✔️ | ✔️ | ✔️ |Zone used by IE to browse sites, based on browser settings. |
>**Important**<br>By default, IE doesnt collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so theres no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements.
@ -205,68 +205,32 @@ You can use Group Policy to finish setting up Enterprise Site Discovery. If you
You can use both the WMI and XML settings individually or together:
**To turn off Enterprise Site Discovery**
<table>
<tr>
<th>Setting name</th>
<th>Option</th>
</tr>
<tr>
<td>Turn on Site Discovery WMI output</td>
<td>Off</td>
</tr>
<tr>
<td>Turn on Site Discovery XML output</td>
<td>Blank</td>
</tr>
</table>
|Setting name|Option|
|--- |--- |
|Turn on Site Discovery WMI output|Off|
|Turn on Site Discovery XML output|Blank|
**Turn on WMI recording only**
<table>
<tr>
<th>Setting name</th>
<th>Option</th>
</tr>
<tr>
<td>Turn on Site Discovery WMI output</td>
<td>On</td>
</tr>
<tr>
<td>Turn on Site Discovery XML output</td>
<td>Blank</td>
</tr>
</table>
|Setting name|Option|
|--- |--- |
|Turn on Site Discovery WMI output|On|
|Turn on Site Discovery XML output|Blank|
**To turn on XML recording only**
<table>
<tr>
<th>Setting name</th>
<th>Option</th>
</tr>
<tr>
<td>Turn on Site Discovery WMI output</td>
<td>Off</td>
</tr>
<tr>
<td>Turn on Site Discovery XML output</td>
<td>XML file path</td>
</tr>
</table>
|Setting name|Option|
|--- |--- |
|Turn on Site Discovery WMI output|Off|
|Turn on Site Discovery XML output|XML file path|
<strong>To turn on both WMI and XML recording</strong>
<table>
<tr>
<th>Setting name</th>
<th>Option</th>
</tr>
<tr>
<td>Turn on Site Discovery WMI output</td>
<td>On</td>
</tr>
<tr>
<td>Turn on Site Discovery XML output</td>
<td>XML file path</td>
</tr>
</table>
**To turn on both WMI and XML recording**
|Setting name|Option|
|--- |--- |
|Turn on Site Discovery WMI output|On|
|Turn on Site Discovery XML output|XML file path|
## Use Configuration Manager to collect your data
After youve collected your data, youll need to get the local files off of your employees computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options:

166
browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
View File

@ -65,162 +65,24 @@ The following is an example of the Enterprise Mode schema v.1. This schema can r
### Schema elements
This table includes the elements used by the Enterprise Mode schema.
<table>
<thead>
<tr class="header">
<th>Element</th>
<th>Description</th>
<th>Supported browser</th>
</tr>
</thead>
<tbody>
<tr>
<td>&lt;rules&gt;</td>
<td>Root node for the schema.
<p><b>Example</b>
<pre class="syntax">
&lt;rules version=&quot;205&quot;&gt;
&lt;emie&gt;
&lt;domain&gt;contoso.com&lt;/domain&gt;
&lt;/emie&gt;
&lt;/rules&gt;</pre></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;emie&gt;</td>
<td>The parent node for the Enterprise Mode section of the schema. All &lt;domain&gt; entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
<p><b>Example</b>
<pre class="syntax">
&lt;rules version=&quot;205&quot;&gt;
&lt;emie&gt;
&lt;domain&gt;contoso.com&lt;/domain&gt;
&lt;/emie&gt;
&lt;/rules&gt;</pre>
<strong>-or-</strong>
<p>For IPv6 ranges:<pre class="syntax">&lt;rules version=&quot;205&quot;&gt;
&lt;emie&gt;
&lt;domain&gt;[10.122.34.99]:8080&lt;/domain&gt;
&lt;/emie&gt;
&lt;/rules&gt;</pre>
<strong>-or-</strong>
<p>For IPv4 ranges:<pre class="syntax">&lt;rules version=&quot;205&quot;&gt;
&lt;emie&gt;
&lt;domain&gt;10.122.34.99:8080&lt;/domain&gt;
&lt;/emie&gt;
&lt;/rules&gt;</pre></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;docMode&gt;</td>
<td>The parent node for the document mode section of the section. All &lt;domain&gt; entries will get IE5 - IE11 document modes applied. If there&#39;s a &lt;domain&gt; element in the &lt;docMode&gt; section that uses the same value as a &lt;domain&gt; element in the &lt;emie&gt; section, the &lt;emie&gt; element is applied.
<p><b>Example</b>
<pre class="syntax">
&lt;rules version=&quot;205&quot;&gt;
&lt;docMode&gt;
&lt;domain docMode=&quot;7&quot;&gt;contoso.com&lt;/domain&gt;
&lt;/docMode&gt;
&lt;/rules&gt;</pre></td>
<td>Internet Explorer 11</td>
</tr>
<tr>
<td>&lt;domain&gt;</td>
<td>A unique entry added for each site you want to put on the Enterprise Mode site list. The first &lt;domain&gt; element will overrule any additional &lt;domain&gt; elements that use the same value for the section. You can use port numbers for this element.
<p><b>Example</b>
<pre class="syntax">
&lt;emie&gt;
&lt;domain&gt;contoso.com:8080&lt;/domain&gt;
&lt;/emie&gt;</pre></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;path&gt;</td>
<td>A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The &lt;path&gt; element is a child of the &lt;domain&gt; element. Additionally, the first &lt;path&gt; element will overrule any additional &lt;path&gt; elements in the schema section.
<p><b>Example</b>
<pre class="syntax">
&lt;emie&gt;
&lt;domain exclude=&quot;true&quot;&gt;fabrikam.com
&lt;path exclude=&quot;false&quot;&gt;/products&lt;/path&gt;
&lt;/domain&gt;
&lt;/emie&gt;</pre><p>
Where <a href="https://fabrikam.com" data-raw-source="https://fabrikam.com">https://fabrikam.com</a> doesn&#39;t use IE8 Enterprise Mode, but <a href="https://fabrikam.com/products" data-raw-source="https://fabrikam.com/products">https://fabrikam.com/products</a> does.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
</table>
|Element |Description |Supported browser |
|---------|---------|---------|
|&lt;rules&gt; | Root node for the schema.<br>**Example** <pre class="syntax">&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;contoso.com&lt;/domain&gt; <br> &lt;/emie&gt;<br> &lt;/rules&gt; |Internet Explorer 11 and Microsoft Edge |
|&lt;emie&gt; |The parent node for the Enterprise Mode section of the schema. All &lt;domain&gt; entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied. <br> **Example** <pre class="syntax">&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;contoso.com&lt;/domain&gt; <br> &lt;/emie&gt;<br>&lt;/rules&gt; <br> </pre><p> **or** <br> For IPv6 ranges: <pre class="syntax"><br>&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;[10.122.34.99]:8080&lt;/domain&gt; <br> &lt;/emie&gt;<br>&lt;/rules&gt; </pre><p> <br> **or**<br> For IPv4 ranges:<pre class="syntax">&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;[10.122.34.99]:8080&lt;/domain&gt; <br> &lt;/emie&gt;<br>&lt;/rules&gt; | Internet Explorer 11 and Microsoft Edge |
|&lt;docMode&gt; |The parent node for the document mode section of the section. All &lt;domain&gt; entries will get IE5 - IE11 document modes applied. If there's a &lt;domain&gt; element in the docMode section that uses the same value as a &lt;domain&gt; element in the emie section, the emie element is applied. <br> **Example** <pre class="syntax"> <br/>&lt;rules version="205"&gt; <br> &lt;docmode&gt; <br> &lt;domain docMode="7"&gt;contoso.com&lt;/domain&gt; <br> &lt;/docmode&gt;<br>&lt;/rules&gt; |Internet Explorer 11 |
|&lt;domain&gt; |A unique entry added for each site you want to put on the Enterprise Mode site list. The first &lt;domain&gt; element will overrule any additional &lt;domain&gt; elements that use the same value for the section. You can use port numbers for this element. <br> **Example** <pre class="syntax"> <br/>&lt;emie&gt; <br> &lt;domain&gt;contoso.com:8080&lt;/domain&gt;<br>&lt;/emie&gt; |Internet Explorer 11 and Microsoft Edge |
|&lt;path&gt; |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The &lt;path&gt; element is a child of the &lt;domain&gt; element. Additionally, the first &lt;path&gt; element will overrule any additional &lt;path&gt; elements in the schema section.<br> **Example** <pre class="syntax"> <br/>&lt;emie&gt; <br> &lt;domain exclude="true"&gt;fabrikam.com <br> &lt;path exclude="false"&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt;</pre><p> <br> Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does. |Internet Explorer 11 and Microsoft Edge |
### Schema attributes
This table includes the attributes used by the Enterprise Mode schema.
<table>
<thead>
<tr class="header">
<th>Attribute</th>
<th>Description</th>
<th>Supported browser</th>
</tr>
</thead>
<tbody>
<tr>
<td>version</td>
<td>Specifies the version of the Enterprise Mode Site List. This attribute is supported for the &lt;rules&gt; element.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>exclude</td>
<td>Specifies the domain or path excluded from applying Enterprise Mode. This attribute is only supported on the &lt;domain&gt; and &lt;path&gt; elements in the &lt;emie&gt; section. If this attribute is absent, it defaults to false.
<br />
<p><b>Example:</b></p>
<pre class="syntax">
&lt;emie&gt;
&lt;domain exclude=&quot;false&quot;&gt;fabrikam.com
&lt;path exclude=&quot;true&quot;&gt;/products&lt;/path&gt;
&lt;/domain&gt;
&lt;/emie&gt;</pre><p>
Where <a href="https://fabrikam.com" data-raw-source="https://fabrikam.com">https://fabrikam.com</a> uses IE8 Enterprise Mode, but <a href="https://fabrikam.com/products" data-raw-source="https://fabrikam.com/products">https://fabrikam.com/products</a> does not.</p></td>
<td>Internet Explorer 11</td>
</tr>
<tr>
<td>docMode</td>
<td>Specifies the document mode to apply. This attribute is only supported on &lt;domain&gt; or &lt;path&gt; elements in the &lt;docMode&gt; section.
<br />
<p><b>Example:</b></p>
<pre class="syntax">
&lt;docMode&gt;
&lt;domain&gt;fabrikam.com
&lt;path docMode=&quot;9&quot;&gt;/products&lt;/path&gt;
&lt;/domain&gt;
&lt;/docMode&gt;</pre><p>
Where <a href="https://fabrikam.com" data-raw-source="https://fabrikam.com">https://fabrikam.com</a> loads in IE11 document mode, but <a href="https://fabrikam.com/products" data-raw-source="https://fabrikam.com/products">https://fabrikam.com/products</a> uses IE9 document mode.</p></td>
<td>Internet Explorer 11</td>
</tr>
<tr>
<td>doNotTransition</td>
<td>Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all &lt;domain&gt; or &lt;path&gt; elements. If this attribute is absent, it defaults to false.
<br />
<p><b>Example:</b></p>
<pre class="syntax">
&lt;emie&gt;
&lt;domain doNotTransition=&quot;false&quot;&gt;fabrikam.com
&lt;path doNotTransition=&quot;true&quot;&gt;/products&lt;/path&gt;
&lt;/domain&gt;
&lt;/emie&gt;</pre><p>
Where <a href="https://fabrikam.com" data-raw-source="https://fabrikam.com">https://fabrikam.com</a> opens in the IE11 browser, but <a href="https://fabrikam.com/products" data-raw-source="https://fabrikam.com/products">https://fabrikam.com/products</a> loads in the current browser (eg. Microsoft Edge).</p></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>forceCompatView</td>
<td>Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on &lt;domain&gt; or &lt;path&gt; elements in the &lt;emie&gt; section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude=&quot;true&quot;), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false.
<br />
<p><b>Example:</b></p>
<pre class="syntax">
&lt;emie&gt;
&lt;domain exclude=&quot;true&quot;&gt;fabrikam.com
&lt;path forceCompatView=&quot;true&quot;&gt;/products&lt;/path&gt;
&lt;/domain&gt;
&lt;/emie&gt;</pre><p>
Where <a href="https://fabrikam.com" data-raw-source="https://fabrikam.com">https://fabrikam.com</a> does not use Enterprise Mode, but <a href="https://fabrikam.com/products" data-raw-source="https://fabrikam.com/products">https://fabrikam.com/products</a> uses IE7 Enterprise Mode.</p></td>
<td>Internet Explorer 11</td>
</tr>
</table>
|Attribute|Description|Supported browser|
|--- |--- |--- |
|version|Specifies the version of the Enterprise Mode Site List. This attribute is supported for the &lt;rules&gt; element.|Internet Explorer 11 and Microsoft Edge|
|exclude|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the &lt;domain&gt; and &lt;path&gt; elements.<br> **Example** <pre class="syntax">&lt;emie&gt;<br> &lt;domain exclude="false"&gt;fabrikam.com <br> &lt;path exclude="true"&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt; </pre><p> Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge|
|docMode|Specifies the document mode to apply. This attribute is only supported on &lt;domain&gt; or &lt;path&gt;elements in the &lt;docMode&gt; section.<br> **Example**<pre class="syntax">&lt;docMode&gt; <br> &lt;domain exclude="false"&gt;fabrikam.com <br> &lt;path docMode="9"&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/docMode&gt;|Internet Explorer 11|
|doNotTransition| Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all &lt;domain&gt; or &lt;path&gt; elements. If this attribute is absent, it defaults to false.<br> **Example**<pre class="syntax">&lt;emie&gt;<br> &lt;domain doNotTransition=&quot;false&quot;&gt;fabrikam.com <br> &lt;path doNotTransition=&quot;true&quot;&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt;</pre><p>Where [https://fabrikam.com](https://fabrikam.com) opens in the IE11 browser, but [https://fabrikam.com/products](https://fabrikam.com/products) loads in the current browser (eg. Microsoft Edge)|Internet Explorer 11 and Microsoft Edge|
|forceCompatView|Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on &lt;domain&gt; or &lt;path&gt; elements in the &lt;emie&gt; section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude=&quot;true&quot;), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false. <br> **Example**<pre class="syntax">&lt;emie&gt;<br> &lt;domain exclude=&quot;true&quot;&gt;fabrikam.com <br> &lt;path forcecompatview=&quot;true&quot;&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt;</pre><p>Where [https://fabrikam.com](https://fabrikam.com) does not use Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) uses IE7 Enterprise Mode.|Internet Explorer 11|
### Using Enterprise Mode and document mode together
If you want to use both Enterprise Mode and document mode together, you need to be aware that &lt;emie&gt; entries override &lt;docMode&gt; entries for the same domain.

200
browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
View File

@ -97,197 +97,31 @@ The following is an example of the v.2 version of the Enterprise Mode schema.
### Updated schema elements
This table includes the elements used by the v.2 version of the Enterprise Mode schema.
<table>
<thead>
<tr class="header">
<th>Element</th>
<th>Description</th>
<th>Supported browser</th>
</tr>
</thead>
<tbody>
<tr>
<td>&lt;site-list&gt;</td>
<td>A new root node with this text is using the updated v.2 version of the schema. It replaces &lt;rules&gt;.
<p><b>Example</b>
<pre class="syntax">
&lt;site-list version=&quot;205&quot;&gt;
&lt;site url=&quot;contoso.com&quot;&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;open-in&gt;IE11&lt;/open-in&gt;
&lt;/site&gt;
&lt;/site-list&gt;</pre></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;site&gt;</td>
<td>A unique entry added for each site you want to put on the Enterprise Mode site list. The first &lt;site&gt; element will overrule any additional &lt;site&gt; elements that use the same value for the &lt;url&gt; element.
<p><b>Example</b>
<pre class="syntax">
&lt;site url=&quot;contoso.com&quot;&gt;
&lt;compat-mode&gt;default&lt;/compat-mode&gt;
&lt;open-in&gt;none&lt;/open-in&gt;
&lt;/site&gt;</pre>
<strong>-or-</strong>
<p>For IPv4 ranges:<pre class="syntax">&lt;site url=&quot;10.122.34.99:8080&quot;&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;site&gt;</pre><p>
<strong>-or-</strong>
<p>For IPv6 ranges:<pre class="syntax">&lt;site url=&quot;[10.122.34.99]:8080&quot;&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;site&gt;</pre><p>
You can also use the self-closing version, &lt;url=&quot;contoso.com&quot; /&gt;, which also sets:
<ul>
<li>&lt;compat-mode&gt;default&lt;/compat-mode&gt;</li>
<li>&lt;open-in&gt;none&lt;/open-in&gt;</li>
</ul></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;compat-mode&gt;</td>
<td>A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
<p><b>Example</b>
<pre class="syntax">
&lt;site url=&quot;contoso.com&quot;&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;/site&gt;</pre>
<strong>-or-</strong>
<p>For IPv4 ranges:<pre class="syntax">&lt;site url=&quot;10.122.34.99:8080&quot;&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;site&gt;</pre><p>
<strong>-or-</strong>
<p>For IPv6 ranges:<pre class="syntax">&lt;site url=&quot;[10.122.34.99]:8080&quot;&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;site&gt;</pre><p>
Where:
<ul>
<li><b>IE8Enterprise.</b> Loads the site in IE8 Enterprise Mode.<br>This element is required for sites included in the <b>EmIE</b> section of the v.1 schema and is needed to load in IE8 Enterprise Mode.</li><p>
<li><b>IE7Enterprise.</b> Loads the site in IE7 Enterprise Mode.<br>This element is required for sites included in the <b>EmIE</b> section of the v.1 schema and is needed to load in IE7 Enterprise Mode.<p><b>Important</b><br>This tag replaces the combination of the <code>&quot;forceCompatView&quot;=&quot;true&quot;</code> attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.</li><p>
<li><b>IE<i>[x]</i>.</b> Where <i>[x]</i> is the document mode number into which the site loads.</li><p>
<li><b>Default or not specified.</b> Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.</li>
</ul></td>
<td>Internet Explorer 11</td>
</tr>
<tr>
<td>&lt;open-in&gt;</td>
<td>A child element that controls what browser is used for sites. This element supports the <b>Open in IE11</b> or <b>Open in Microsoft Edge</b> experiences, for devices running Windows 10.
<p><b>Example</b>
<pre class="syntax">
&lt;site url=&quot;contoso.com&quot;&gt;
&lt;open-in&gt;none&lt;/open-in&gt;
&lt;/site&gt;</pre><p>
Where:
<ul>
<li><b>IE11.</b> Opens the site in IE11, regardless of which browser is opened by the employee.</li><p>
<li><b>MSEdge.</b> Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.</li><p>
<li><b>None or not specified.</b> Opens in whatever browser the employee chooses.</li>
</ul></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
</table>
|Element |Description |Supported browser |
|---------|---------|---------|
|&lt;site-list&gt; |A new root node with this text is using the updated v.2 version of the schema. It replaces &lt;rules&gt;. <br> **Example** <br> <pre class="syntax">&lt;site-list version="205"&gt;<br> &lt;site url="contoso.com"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br> &lt;open-in&gt;IE11&lt;/open-in&gt;<br> &lt;/site&gt;<br>&lt;/site-list&gt;</pre> | Internet Explorer 11 and Microsoft Edge |
|&lt;site&gt; |A unique entry added for each site you want to put on the Enterprise Mode site list. The first &lt;site&gt; element will overrule any additional &lt;site&gt; elements that use the same value for the &lt;url&gt; element. <br> **Example** <pre class="syntax">&lt;site url="contoso.com"&gt;<br> &lt;compat-mode&gt;default&lt;/compat-mode&gt;<br> &lt;open-in&gt;none&lt;/open-in&gt;<br>&lt;/site&gt;</pre> <br> **or** For IPv4 ranges: <br> <pre class="syntax">&lt;site url="10.122.34.99:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;site&gt;</pre><p> <br> **or** For IPv6 ranges:<pre class="syntax">&lt;site url="[10.122.34.99]:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;site&gt;</pre><p> <br> You can also use the self-closing version, &lt;url="contoso.com" /&gt;, which also sets:<ul><li>&lt;compat-mode&gt;default&lt;/compat-mode&gt;</li><li>&lt;open-in&gt;none&lt;/open-in&gt;</li>| Internet Explorer 11 and Microsoft Edge |
|&lt;compat-mode&gt; |A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11. <br> **Example** <pre class="syntax"><br>&lt;site url="contoso.com"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;/site&gt;</pre> **or** <br> For IPv4 ranges:<pre class="syntax">&lt;site url="10.122.34.99:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;site&gt;</pre><p> **or** For IPv6 ranges:<pre class="syntax">&lt;site url="[10.122.34.99]:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;site&gt;</pre><p> Where<ul><li>**IE8Enterprise.** Loads the site in IE8 Enterprise Mode.<br>This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE8 Enterprise Mode.</li><p><li>**IE7Enterprise.** Loads the site in IE7 Enterprise Mode.<br>This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE7 Enterprise Mode<p>**Important**<br>This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.<li>**IE<i>[x]</i>**. Where <i>[x]</i> is the document mode number into which the site loads.<li>**Default or not specified.** Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.</li> |Internet Explorer 11 |
|&lt;open-in&gt; |A child element that controls what browser is used for sites. This element supports the **Open in IE11** or **Open in Microsoft Edge** experiences, for devices running Windows 10.<br> **Examples**<pre class="syntax">&lt;site url="contoso.com"&gt;<br> &lt;open-in&gt;none&lt;/open-in&gt; <br>&lt;/site&gt;</pre><p> <br> Where<ul><li><b>IE11.</b> Opens the site in IE11, regardless of which browser is opened by the employee.<li><b>MSEdge.</b> Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.<li><b>None or not specified.</b> Opens in whatever browser the employee chooses.</li> | Internet Explorer 11 and Microsoft Edge |
### Updated schema attributes
The &lt;url&gt; attribute, as part of the &lt;site&gt; element in the v.2 version of the schema, replaces the &lt;domain&gt; element from the v.1 version of the schema.
<table>
<thead>
<tr class="header">
<th>Attribute</th>
<th>Description</th>
<th>Supported browser</th>
</tr>
</thead>
<tbody>
<tr>
<td>allow-redirect</td>
<td>A boolean attribute of the &lt;open-in&gt; element that controls the behavior for redirected sites. Setting this attribute to &quot;true&quot; indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to &quot;false&quot; (sites in redirect chain will not open in another browser).
<p><b>Example</b>
<pre class="syntax">
&lt;site url=&quot;contoso.com/travel&quot;&gt;
&lt;open-in allow-redirect=&quot;true&quot;&gt;IE11&lt;/open-in&gt;
&lt;/site&gt;</pre>
In this example, if <a href="https://contoso.com/travel" data-raw-source="https://contoso.com/travel">https://contoso.com/travel</a> is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>version</td>
<td>Specifies the version of the Enterprise Mode Site List. This attribute is supported for the &lt;site-list&gt; element.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>url</td>
<td>Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
<br><b>Note</b><br>
Make sure that you don&#39;t specify a protocol. Using &lt;site url=&quot;contoso.com&quot;&gt; applies to both <a href="http://contoso.com" data-raw-source="http://contoso.com">http://contoso.com</a> and <a href="https://contoso.com" data-raw-source="https://contoso.com">https://contoso.com</a>.
<p><b>Example</b>
<pre class="syntax">
&lt;site url=&quot;contoso.com:8080&quot;&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;open-in&gt;IE11&lt;/open-in&gt;
&lt;/site&gt;</pre>
In this example, going to <a href="https://contoso.com:8080" data-raw-source="https://contoso.com:8080">https://contoso.com:8080</a> using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
</table>
|Attribute|Description|Supported browser|
|---------|---------|---------|
|allow-redirect|A boolean attribute of the &lt;open-in&gt; element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).<br>**Example**<pre class="syntax">&lt;site url="contoso.com/travel"&gt;<br> &lt;open-in allow-redirect="true"&gt;IE11 &lt;/open-in&gt;<br>&lt;/site&gt;</pre> In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. <li>| Internet Explorer 11 and Microsoft Edge|
|version |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the &lt;site-list&gt; element. | Internet Explorer 11 and Microsoft Edge|
|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.<br> **Note**<br> Make sure that you don't specify a protocol. Using &lt;site url="contoso.com"&gt; applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com). <br> **Example**<pre class="syntax">&lt;site url="contoso.com:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt; <br> &lt;open-in&gt;IE11&lt;/open-in&gt;<br>&lt;/site&gt;</pre>In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge|
### Deprecated attributes
These v.1 version schema attributes have been deprecated in the v.2 version of the schema:
<table>
<thead>
<tr class="header">
<th>Deprecated element/attribute</th>
<th>New element</th>
<th>Replacement example</th>
</tr>
</thead>
<tbody>
<tr>
<td>forceCompatView</td>
<td>&lt;compat-mode&gt;</td>
<td>Replace forceCompatView=&quot;true&quot; with &lt;compat-mode&gt;IE7Enterprise&lt;/compat-mode&gt;</td>
</tr>
<tr>
<td>docMode</td>
<td>&lt;compat-mode&gt;</td>
<td>Replace docMode=&quot;IE5&quot; with &lt;compat-mode&gt;IE5&lt;/compat-mode&gt;</td>
</tr>
<tr>
<td>doNotTransition</td>
<td>&lt;open-in&gt;</td>
<td>Replace doNotTransition=&quot;true&quot; with &lt;open-in&gt;none&lt;/open-in&gt;</td>
</tr>
<tr>
<td>&lt;domain&gt; and &lt;path&gt;</td>
<td>&lt;site&gt;</td>
<td>Replace:
<pre class="syntax">
&lt;emie&gt;
&lt;domain&gt;contoso.com&lt;/domain&gt;
&lt;/emie&gt;</pre>
With:
<pre class="syntax">
&lt;site url=&quot;contoso.com&quot;/&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;open-in&gt;IE11&lt;/open-in&gt;
&lt;/site&gt;</pre>
<b>-AND-</b><p>
Replace:
<pre class="syntax">
&lt;emie&gt;
&lt;domain exclude=&quot;true&quot; doNotTransition=&quot;true&quot;&gt;
contoso.com
&lt;path forceCompatView=&quot;true&quot;&gt;/about&lt;/path&gt;
&lt;/domain&gt;
&lt;/emie&gt;</pre>
With:
<pre class="syntax">
&lt;site url=&quot;contoso.com/about&quot;&gt;
&lt;compat-mode&gt;IE7Enterprise&lt;/compat-mode&gt;
&lt;open-in&gt;IE11&lt;/open-in&gt;
&lt;/site&gt;</pre></td>
</tr>
</table>
|Deprecated attribute|New attribute|Replacement example|
|--- |--- |--- |
|forceCompatView|&lt;compat-mode>|Replace &lt;forceCompatView="true"> with &lt;compat-mode&gt;IE7Enterprise&lt;/compat-mode>|
|docMode|&lt;compat-mode&gt;|Replace &lt;docMode="IE5"&gt; with &lt;compat-mode&gt;IE5&lt;/compat-mode&gt;|
|doNotTransition|&lt;open-in&gt;|Replace:<br> &lt;doNotTransition="true"&gt; with &lt;open-in&gt;none&lt;/open-in&gt;|
|&lt;domain&gt; and &lt;path&gt;|&lt;site&gt;|Replace:<pre class="syntax">&lt;emie&gt;<br> &lt;domain&gt;contoso.com&lt;/domain&gt;<br>&lt;/emie&gt;</pre>With:<pre class="syntax">&lt;site url="contoso.com"/&gt; <br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br> &lt;open-in&gt;IE11&lt;/open-in&gt;<br>&lt;/site&gt;</pre>**-AND-** <br>Replace:<pre class="syntax">&lt;emie&gt; <br> &lt;domain exclude="true" donotTransition="true"&gt;contoso.com <br> &lt;path forceCompatView="true"&gt;/about&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt;</pre><br> With:<pre class="syntax">&lt;site url="contoso.com/about"&gt;<br> &lt;compat-mode&gt;IE7Enterprise&lt;/compat-mode&gt;<br> &lt;open-in&gt;IE11&lt;/open-in&gt;<br>&lt;/site&gt;|
While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We dont recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features.

6
browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
View File

@ -14,9 +14,7 @@ ms.author: dansimp
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)<br>
Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
<p>
<img src="images/docmode-decisions-lg.png" alt="Full-sized flowchart detailing how document modes are chosen in IE11" width="1355" height="1625" style="max-width:none;">
</p>
:::image type="content" source="images/docmode-decisions-lg.png" alt-text="Full-sized flowchart detailing how document modes are chosen in IE11" lightbox="images/docmode-decisions-lg.png":::

9
browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
View File

@ -36,11 +36,4 @@ Use the topics in this section to learn about how to auto detect your settings,
|------|------------|
|[Auto detect settings Internet Explorer 11](auto-detect-settings-for-ie11.md) |Guidance about how to update your automatic detection of DHCP and DNS servers. |
|[Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) |Guidance about how to add, update and lock your auto configuration settings. |
|[Auto proxy configuration settings for Internet Explorer 11](auto-proxy-configuration-settings-for-ie11.md) |Guidance about how to add, update, and lock your auto-proxy settings. | 
|[Auto proxy configuration settings for Internet Explorer 11](auto-proxy-configuration-settings-for-ie11.md) |Guidance about how to add, update, and lock your auto-proxy settings. |

5
browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.yml
View File

@ -24,9 +24,6 @@ summary: |
sections:
- name: Ignored
questions:
- question: |
Frequently Asked Questions
answer: |
- question: |
What operating system does IE11 run on?
answer: |
@ -250,4 +247,4 @@ additionalContent: |
- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)

4
browsers/internet-explorer/internet-explorer.yml
View File

@ -31,7 +31,7 @@ landingContent:
- text: Use Enterprise Mode to improve compatibility
url: /microsoft-edge/deploy/emie-to-improve-compatibility
- text: Lifecycle FAQ - Internet Explorer
url: https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer
url: /lifecycle/faq/internet-explorer-microsoft-edge
- linkListType: download
links:
- text: Download IE11 with Windows 10
@ -123,7 +123,7 @@ landingContent:
- text: Group Policy preferences for IE11
url: ./ie11-deploy-guide/group-policy-preferences-and-ie11.md
- text: Configure Group Policy preferences
url: https://support.microsoft.com/help/2898604/how-to-configure-group-policy-preference-settings-for-internet-explorer-11-in-windows-8.1-or-windows-server-2012-r2
url: /troubleshoot/browsers/how-to-configure-group-policy-preference-settings
- text: Blocked out-of-date ActiveX controls
url: ./ie11-deploy-guide/blocked-out-of-date-activex-controls.md
- text: Out-of-date ActiveX control blocking

4
browsers/internet-explorer/kb-support/ie-edge-faqs.yml
View File

@ -148,7 +148,7 @@ sections:
- question: |
Where to find Internet Explorer security zones registry entries
answer: |
Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users).
Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](/troubleshoot/browsers/ie-security-zones-registry-entries).
This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11.
@ -193,7 +193,7 @@ sections:
answer: |
Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed.
For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer).
For more information, see [Lifecycle FAQ — Internet Explorer and Edge](/lifecycle/faq/internet-explorer-microsoft-edge).
- question: |
How to configure TLS (SSL) for Internet Explorer

19
education/includes/education-content-updates.md
View File

@ -2,11 +2,22 @@
## Week of October 25, 2021
## Week of November 29, 2021
| Published On |Topic title | Change |
|------|------------|--------|
| 10/28/2021 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
| 10/28/2021 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
| 10/28/2021 | [Windows 10 for Education (Windows 10)](/education/windows/index) | modified |
| 11/29/2021 | [What is Windows 11 SE](/education/windows/windows-11-se-overview) | added |
| 11/29/2021 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | added |
## Week of November 15, 2021
| Published On |Topic title | Change |
|------|------------|--------|
| 11/16/2021 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
| 11/16/2021 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
| 11/18/2021 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
| 11/18/2021 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
| 11/18/2021 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |

4
education/itadmins.yml
View File

@ -79,7 +79,7 @@ productDirectory:
- url: https://techcommunity.microsoft.com/t5/Azure-Information-Protection/Azure-Information-Protection-Deployment-Acceleration-Guide/ba-p/334423
text: Azure information protection deployment acceleration guide
- url: /cloud-app-security/getting-started-with-cloud-app-security
text: Microsoft Cloud app security
text: Microsoft Defender for Cloud Apps
- url: /microsoft-365/compliance/create-test-tune-dlp-policy
text: Office 365 data loss prevention
- url: /microsoft-365/compliance/
@ -117,4 +117,4 @@ productDirectory:
- url: https://support.office.com/en-us/education
text: Education help center
- url: https://support.office.com/en-us/article/teacher-training-packs-7a9ee74a-8fe5-43d3-bc23-a55185896921
text: Teacher training packs
text: Teacher training packs

6
education/windows/TOC.yml
View File

@ -1,3 +1,9 @@
- name: Windows 11 SE for Education
items:
- name: Overview
href: windows-11-se-overview.md
- name: Settings and CSP list
href: windows-11-se-settings-list.md
- name: Windows 10 for Education
href: index.md
items:

450
education/windows/chromebook-migration-guide.md
View File

@ -126,96 +126,23 @@ Table 2 lists the settings in the Device Management node in the Google Admin Con
Table 2. Settings in the Device Management node in the Google Admin Console
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Section</th>
<th align="left">Settings</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Network</td>
<td align="left"><p>These settings configure the network connections for Chromebook devices and include the following settings categories:</p>
<ul>
<li><p><strong>Wi-Fi.</strong> Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.</p></li>
<li><p><strong>Ethernet.</strong> Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.</p></li>
<li><p><strong>VPN.</strong> Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.</p></li>
<li><p><strong>Certificates.</strong> Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left">Mobile</td>
<td align="left"><p>These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:</p>
<ul>
<li><p><strong>Device management settings.</strong> Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.</p></li>
<li><p><strong>Device activation.</strong> Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.</p></li>
<li><p><strong>Managed devices.</strong> Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.</p></li>
<li><p><strong>Set Up Apple Push Certificate.</strong> Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.</p></li>
<li><p><strong>Set Up Android for Work.</strong> Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left">Chrome management</td>
<td align="left"><p>These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:</p>
<ul>
<li><p><strong>User settings.</strong> Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.</p></li>
<li><p><strong>Public session settings.</strong> Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don&#39;t need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.</p></li>
<li><p><strong>Device settings.</strong> Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.</p></li>
<li><p><strong>Devices.</strong> Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices.</p></li>
<li><p><strong>App Management.</strong> Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices.</p></li>
</ul></td>
</tr>
</tbody>
</table>
|Section |Settings |
|---------|---------|
|Network | <p>These settings configure the network connections for Chromebook devices and include the following settings categories:<ul></p><li> **Wi-Fi.** Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.</p></li> <li>**Ethernet.** Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.</p><li>**VPN.** Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.</p><li>**Certificates.** Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.</p> |
|Mobile |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:<ul> <li>**Device management settings.** Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.<li>**Device activation.** Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.<li>**Managed devices.** Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.<li> **Set Up Apple Push Certificate.** Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider. <li>**Set Up Android for Work.** Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider. |
|Chrome management |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:<ul> <li>**User settings.** Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.<li>**Public session settings.** Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don&#39;t need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.<li> **Device settings.** Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.<li>**Devices.** Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices <li>**App Management.** Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices. |
Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows.
Table 3. Settings in the Security node in the Google Admin Console
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Section</th>
<th align="left">Settings</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Basic settings</p></td>
<td align="left"><p>These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.</p>
<p>Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Password monitoring</p></td>
<td align="left"><p>This section is used to monitor the strength of user passwords. You dont need to migrate any settings in this section.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>API reference</p></td>
<td align="left"><p>This section is used to enable access to various Google Apps Administrative APIs. You dont need to migrate any settings in this section.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Set up single sign-on (SSO)</p></td>
<td align="left"><p>This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you dont need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Advanced settings</p></td>
<td align="left"><p>This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You dont need to migrate any settings in this section.</p></td>
</tr>
</tbody>
</table>
|Section|Settings|
|--- |--- |
|Basic settings|These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.<br> Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.|
|Password monitoring|This section is used to monitor the strength of user passwords. You dont need to migrate any settings in this section.|
|API reference|This section is used to enable access to various Google Apps Administrative APIs. You dont need to migrate any settings in this section.|
|Set up single sign-on (SSO)|This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you dont need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.|
|Advanced settings|This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You dont need to migrate any settings in this section.|
**Identify locally-configured settings to migrate**
@ -428,62 +355,14 @@ Table 5 is a decision matrix that helps you decide if you can use only on-premis
Table 5. Select on-premises AD DS, Azure AD, or hybrid
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">If you plan to...</th>
<th align="left">On-premises AD DS</th>
<th align="left">Azure AD</th>
<th align="left">Hybrid</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Use Office 365</td>
<td align="left"></td>
<td align="left">X</td>
<td align="left">X</td>
</tr>
<tr class="even">
<td align="left">Use Intune for management</td>
<td align="left"></td>
<td align="left">X</td>
<td align="left">X</td>
</tr>
<tr class="odd">
<td align="left">Use Microsoft Endpoint Manager for management</td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
</tr>
<tr class="even">
<td align="left">Use Group Policy for management</td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
</tr>
<tr class="odd">
<td align="left">Have devices that are domain-joined</td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
</tr>
<tr class="even">
<td align="left">Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined</td>
<td align="left"></td>
<td align="left">X</td>
<td align="left">X</td>
</tr>
</tbody>
</table>
|If you plan to...|On-premises AD DS|Azure AD|Hybrid|
|--- |--- |--- |--- |
|Use Office 365||✔️|✔️|
|Use Intune for management||✔️|✔️|
|Use Microsoft Endpoint Manager for management|✔️||✔️|
|Use Group Policy for management|✔️||✔️|
|Have devices that are domain-joined|✔️||✔️|
|Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined||✔️|✔️|
### <a href="" id="plan-userdevapp-manage"></a>
@ -497,113 +376,17 @@ Table 6 is a decision matrix that lists the device, user, and app management pro
Table 6. Device, user, and app management products and technologies
<table>
<colgroup>
<col width="14%" />
<col width="14%" />
<col width="14%" />
<col width="14%" />
<col width="14%" />
<col width="14%" />
<col width="14%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Desired feature</th>
<th align="left">Windows provisioning packages</th>
<th align="left">Group Policy</th>
<th align="left">Configuration Manager</th>
<th align="left">Intune</th>
<th align="left">MDT</th>
<th align="left">Windows Software Update Services</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Deploy operating system images</td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left">Deploy apps during operating system deployment</td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left">Deploy apps after operating system deployment</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left">Deploy software updates during operating system deployment</td>
<td align="left"></td>
<td align="left"></td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left">Deploy software updates after operating system deployment</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
</tr>
<tr class="even">
<td align="left">Support devices that are domain-joined</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left">Support devices that are not domain-joined</td>
<td align="left">X</td>
<td align="left"></td>
<td align="left"></td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left">Use on-premises resources</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left">Use cloud-based services</td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left">X</td>
<td align="left"></td>
<td align="left"></td>
</tr>
</tbody>
</table>
|Desired feature|Windows provisioning packages|Group Policy|Configuration Manager|Intune|MDT|Windows Software Update Services|
|--- |--- |--- |--- |--- |--- |--- |
|Deploy operating system images|✔️||✔️||✔️||
|Deploy apps during operating system deployment|✔️||✔️||✔️||
|Deploy apps after operating system deployment|✔️|✔️|✔️||||
|Deploy software updates during operating system deployment|||✔️||✔️||
|Deploy software updates after operating system deployment|✔️|✔️|✔️|✔️||✔️|
|Support devices that are domain-joined|✔️|✔️|✔️|✔️|✔️||
|Support devices that are not domain-joined|✔️|||✔️|✔️||
|Use on-premises resources|✔️|✔️|✔️||✔️||
|Use cloud-based services||||✔️|||
You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution.
@ -665,35 +448,10 @@ It is important that you perform any network infrastructure remediation first be
Table 7. Network infrastructure products and technologies and deployment resources
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Product or technology</th>
<th align="left">Resources</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">DHCP</td>
<td align="left"><ul>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)" data-raw-source="[Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))">Core Network Guide</a></p></li>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd283051(v=ws.10)" data-raw-source="[DHCP Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd283051(v=ws.10))">DHCP Deployment Guide</a></p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left">DNS</td>
<td align="left"><ul>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)" data-raw-source="[Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))">Core Network Guide</a></p></li>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2003/cc780661(v=ws.10)" data-raw-source="[Deploying Domain Name System (DNS)](/previous-versions/windows/it-pro/windows-server-2003/cc780661(v=ws.10))">Deploying Domain Name System (DNS)</a></p></li>
</ul></td>
</tr>
</tbody>
</table>
|Product or technology|Resources|
|--- |--- |
|DHCP|<li> [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)) <li> [DHCP Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd283051(v=ws.10))|
|DNS|<li>[Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)) <li>[Deploying Domain Name System (DNS)](/previous-versions/windows/it-pro/windows-server-2003/cc780661(v=ws.10))|
If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section.
@ -707,37 +465,10 @@ In the [Plan for Active Directory services](#plan-adservices) section, you deter
Table 8. AD DS, Azure AD and deployment resources
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Product or technology</th>
<th align="left">Resources</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">AD DS</td>
<td align="left"><ul>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)" data-raw-source="[Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))">Core Network Guide</a></p></li>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831484(v=ws.11)" data-raw-source="[Active Directory Domain Services Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831484(v=ws.11))">Active Directory Domain Services Overview</a></p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left">Azure AD</td>
<td align="left"><ul>
<li><p><a href="/azure/active-directory/" data-raw-source="[Azure Active Directory documentation](/azure/active-directory/)">Azure Active Directory documentation</a></p></li>
<li><p><a href="https://go.microsoft.com/fwlink/p/?LinkId=690259" data-raw-source="[Manage and support Azure Active Directory Premium](https://go.microsoft.com/fwlink/p/?LinkId=690259)">Manage and support Azure Active Directory Premium</a></p></li>
<li><p><a href="/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100" data-raw-source="[Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)">Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines</a></p></li>
</ul></td>
</tr>
</tbody>
</table>
|Product or technology|Resources|
|--- |--- |
|AD DS| <li> [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)) <li>[Active Directory Domain Services Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831484(v=ws.11))|
|Azure AD| <li> [Azure Active Directory documentation](/azure/active-directory/) <li>[Manage and support Azure Active Directory Premium](https://go.microsoft.com/fwlink/p/?LinkId=690259) <li>[Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)|
If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps.
@ -750,59 +481,13 @@ Table 9 lists the Microsoft management systems and the deployment resources for
Table 9. Management systems and deployment resources
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Management system</th>
<th align="left">Resources</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Windows provisioning packages</td>
<td align="left"><ul>
<li><p><a href="/windows/configuration/provisioning-packages/provisioning-create-package" data-raw-source="[Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)">Build and apply a provisioning package</a></p></li>
<li><p><a href="/windows/configuration/provisioning-packages/provisioning-install-icd" data-raw-source="[Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)">Windows Imaging and Configuration Designer</a></p></li>
<li><p><a href="/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages" data-raw-source="[Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages)">Step-By-Step: Building Windows 10 Provisioning Packages</a></p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left">Group Policy</td>
<td align="left"><ul>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11)" data-raw-source="[Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11))">Core Network Companion Guide: Group Policy Deployment</a></p></li>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10)" data-raw-source="[Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10))">Deploying Group Policy</a></p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left">Configuration Manager</td>
<td align="left"><ul>
<li><p><a href="/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10)" data-raw-source="[Site Administration for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10))">Site Administration for System Center 2012 Configuration Manager</a></p></li>
<li><p><a href="/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10)" data-raw-source="[Deploying Clients for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10))">Deploying Clients for System Center 2012 Configuration Manager</a></p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left">Intune</td>
<td align="left"><ul>
<li><p><a href="https://go.microsoft.com/fwlink/p/?LinkId=690262" data-raw-source="[Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262)">Set up and manage devices with Microsoft Intune</a></p></li>
<li><p><a href="https://go.microsoft.com/fwlink/p/?LinkId=690263" data-raw-source="[Smoother Management Of Office 365 Deployments with Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=690263)">Smoother Management Of Office 365 Deployments with Windows Intune</a></p></li>
<li><p><a href="/learn/?l=fCzIjVKy_6404984382" data-raw-source="[System Center 2012 R2 Configuration Manager &amp;amp; Windows Intune](/learn/?l=fCzIjVKy_6404984382)">System Center 2012 R2 Configuration Manager &amp; Windows Intune</a></p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left">MDT</td>
<td align="left"><ul>
<li><p><a href="https://go.microsoft.com/fwlink/p/?LinkId=690324" data-raw-source="[MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=690324)">MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013</a></p></li>
<li><p><a href="/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key" data-raw-source="[Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)">Step-By-Step: Installing Windows 8.1 From A USB Key</a></p></li>
</ul></td>
</tr>
</tbody>
</table>
|Management system|Resources|
|--- |--- |
|Windows provisioning packages| <li> [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) <li>[Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) <li> [Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages)|
|Group Policy|<li> [Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11)) <li> [Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10))"|
|Configuration Manager| <li> [Site Administration for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10)) <li> [Deploying Clients for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10))|
|Intune| <li> [Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262) <li> [Smoother Management Of Office 365 Deployments with Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=690263) <li> [System Center 2012 R2 Configuration Manager &amp;amp; Windows Intune](/learn/?l=fCzIjVKy_6404984382)|
|MDT| <li>[MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=690324) <li> [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)|
If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.
@ -815,44 +500,11 @@ In this step, you need to configure your management system to deploy the apps to
Table 10. Management systems and app deployment resources
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Management system</th>
<th align="left">Resources</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Group Policy</td>
<td align="left"><ul>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)" data-raw-source="[Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10))">Editing an AppLocker Policy</a></p></li>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10)" data-raw-source="[Group Policy Software Deployment Background](/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10))">Group Policy Software Deployment Background</a></p></li>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10)" data-raw-source="[Assigning and Publishing Software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10))">Assigning and Publishing Software</a></p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left">Configuration Manager</td>
<td align="left"><ul>
<li><p><a href="/previous-versions/system-center/system-center-2012-R2/gg682082(v=technet.10)" data-raw-source="[How to Deploy Applications in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682082(v=technet.10))">How to Deploy Applications in Configuration Manager</a></p></li>
<li><p><a href="/previous-versions/system-center/system-center-2012-R2/gg699373(v=technet.10)" data-raw-source="[Application Management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699373(v=technet.10))">Application Management in Configuration Manager</a></p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left">Intune</td>
<td align="left"><ul>
<li><p><a href="https://go.microsoft.com/fwlink/p/?LinkId=733913" data-raw-source="[Deploy apps to mobile devices in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733913)">Deploy apps to mobile devices in Microsoft Intune</a></p></li>
<li><p><a href="/mem/intune/" data-raw-source="[Manage apps with Microsoft Intune](/mem/intune/)">Manage apps with Microsoft Intune</a></p></li>
</ul></td>
</tr>
</tbody>
</table>
|Management system|Resources|
|--- |--- |
|Group Policy| <li> [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)) <li> [Group Policy Software Deployment Background](/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10)) <li> [Assigning and Publishing Software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10))|
|Configuration Manager| <li> [How to Deploy Applications in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682082(v=technet.10)) <li> [Application Management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699373(v=technet.10))|
|Intune| <li> [Deploy apps to mobile devices in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733913) <li> [Manage apps with Microsoft Intune](/mem/intune/)|
If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.

785
education/windows/deploy-windows-10-in-a-school-district.md
View File

@ -83,7 +83,7 @@ This district configuration has the following characteristics:
* If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity).
* Use [Intune](/intune/), [Mobile Device Management for Office 365](https://support.office.com/en-us/article/Set-up-Mobile-Device-Management-MDM-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices.
* Use [Intune](/intune/), [Mobile Device Management for Office 365](/microsoft-365/admin/basic-mobility-security/set-up), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices.
* Each device supports a one-student-per-device or multiple-students-per-device scenario.
@ -128,7 +128,7 @@ Office 365 Education allows:
* Students and faculty to access classroom resources from anywhere on any device (including iOS and Android devices).
For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://products.office.com/en-us/academic).
For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://www.microsoft.com/microsoft-365/academic/compare-office-365-education-plans).
### How to configure a district
@ -225,80 +225,10 @@ Use the cloud-centric scenario and on-premises and cloud scenario as a guide for
To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Method</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td valign="top">MDT</td>
<td><p>MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.<br/><br/>
Select this method when you:</p>
<ul>
<li>Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.)</li>
<li>Dont have an existing AD DS infrastructure.</li>
<li>Need to manage devices regardless of where they are (on or off premises).</li>
</ul>
<p>The advantages of this method are that:</p>
<ul>
<li>You can deploy Windows 10 operating systems.</li>
<li>You can manage device drivers during initial deployment.</li>
<li>You can deploy Windows desktop apps (during initial deployment)</li>
<li>It doesnt require an AD DS infrastructure.</li>
<li>It doesnt have additional infrastructure requirements.</li>
<li>MDT doesnt incur additional cost: its a free tool.</li>
<li>You can deploy Windows 10 operating systems to institution-owned and personal devices.</li>
</ul>
<p>The disadvantages of this method are that it:</p>
<ul>
<li>Cant manage applications throughout entire application life cycle (by itself).</li>
<li>Cant manage software updates for Windows 10 and apps (by itself).</li>
<li>Doesnt provide antivirus and malware protection (by itself).</li>
<li>Has limited scaling to large numbers of users and devices.</li>
</ul>
</td>
</tr>
<tr>
<td valign="top">Microsoft Endpoint Configuration Manager</td>
<td><p>Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle. You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.<br/><br/>
Select this method when you:</p>
<ul>
<li>Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).</li>
<li>Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).</li>
<li>Typically deploy Windows 10 to on-premises devices.</li>
</ul>
<p>The advantages of this method are that:</p>
<ul>
<li>You can deploy Windows 10 operating systems.</li>
<li>You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.</li>
<li>You can manage software updates for Windows 10 and apps.</li>
<li>You can manage antivirus and malware protection.</li>
<li>It scales to large number of users and devices.</li>
</ul>
<p>The disadvantages of this method are that it:</p>
<ul>
<li>Carries an additional cost for Microsoft Endpoint Manager server licenses (if the institution does not have Configuration Manager already).</li>
<li>Can deploy Windows 10 only to domain-joined (institution-owned devices).</li>
<li>Requires an AD DS infrastructure (if the institution does not have AD DS already).</li>
</ul>
</td>
</tr>
</tbody>
</table>
|Method|Description|
|--- |--- |
|MDT|MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.<br> Select this method when you: <li> Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.) <li> Dont have an existing AD DS infrastructure. <li> Need to manage devices regardless of where they are (on or off premises). <br>The advantages of this method are that: <br> <li> You can deploy Windows 10 operating systems <li> You can manage device drivers during initial deployment. <li>You can deploy Windows desktop apps (during initial deployment)<li> It doesnt require an AD DS infrastructure.<li>It doesnt have additional infrastructure requirements.<li>MDT doesnt incur additional cost: its a free tool.<li>You can deploy Windows 10 operating systems to institution-owned and personal devices. <br> The disadvantages of this method are that it:<br> <li>Cant manage applications throughout entire application life cycle (by itself).<li>Cant manage software updates for Windows 10 and apps (by itself).<li>Doesnt provide antivirus and malware protection (by itself).<li>Has limited scaling to large numbers of users and devices.|
|Microsoft Endpoint Configuration Manager|<li> Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle <li>You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection. <br> Select this method when you: <li> Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined). <li>Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure). <li>Typically deploy Windows 10 to on-premises devices. <br> The advantages of this method are that: <li>You can deploy Windows 10 operating systems.<li>You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.<li>You can manage software updates for Windows 10 and apps.<li>You can manage antivirus and malware protection.<li>It scales to large number of users and devices. <br>The disadvantages of this method are that it:<li>Carries an additional cost for Microsoft Endpoint Manager server licenses (if the institution does not have Configuration Manager already).<li>Can deploy Windows 10 only to domain-joined (institution-owned devices).<li>Requires an AD DS infrastructure (if the institution does not have AD DS already).|
*Table 2. Deployment methods*
@ -317,81 +247,10 @@ If you have only one device to configure, manually configuring that one device i
For a district, there are many ways to manage the configuration setting for users and devices. Table 4 lists the methods that this guide describes and recommends. Use this information to determine which combination of configuration setting management methods is right for your institution.
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Method</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td valign="top">Group Policy</td>
<td><p>Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.<br/><br/>
Select this method when you:</p>
<ul>
<li>Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).</li>
<li>Want more granular control of device and user settings.</li>
<li>Have an existing AD DS infrastructure.</li>
<li>Typically manage on-premises devices.</li>
<li>Can manage a required setting only by using Group Policy.</li>
</ul>
<p>The advantages of this method include:</p>
<ul>
<li>No cost beyond the AD DS infrastructure.</li>
<li>A larger number of settings (compared to Intune).</li>
</ul>
<p>The disadvantages of this method are that it:</p>
<ul>
<li>Can only manage domain-joined (institution-owned devices).</li>
<li>Requires an AD DS infrastructure (if the institution does not have AD DS already).</li>
<li>Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).</li>
<li>Has rudimentary app management capabilities.</li>
<li>Cannot deploy Windows 10 operating systems.</li>
</ul>
</td>
</tr>
<tr>
<td valign="top">Intune</td>
<td><p>Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.<br/><br/>
Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.<br/><br/>
Select this method when you:</p>
<ul>
<li>Want to manage institution-owned and personal devices (does not require that the device be domain joined).</li>
<li>Dont need granular control over device and user settings (compared to Group Policy).</li>
<li>Dont have an existing AD DS infrastructure.</li>
<li>Need to manage devices regardless of where they are (on or off premises).</li>
<li>Want to provide application management for the entire application life cycle.</li>
<li>Can manage a required setting only by using Intune.</li>
</ul>
<p>The advantages of this method are that:</p>
<ul>
<li>You can manage institution-owned and personal devices.</li>
<li>It doesnt require that devices be domain joined.</li>
<li>It doesnt require any on-premises infrastructure.</li>
<li>It can manage devices regardless of their location (on or off premises).</li>
</ul>
<p>The disadvantages of this method are that it:</p>
<ul>
<li>Carries an additional cost for Intune subscription licenses.</li>
<li>Doesnt offer granular control over device and user settings (compared to Group Policy).</li>
<li>Cannot deploy Windows 10 operating systems.</li>
</ul>
</td>
</tr>
</tbody>
</table>
|Method|Description|
|--- |--- |
|Group Policy|Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. <br> Select this method when you <li>Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).<li> Want more granular control of device and user settings. <li>Have an existing AD DS infrastructure.<li>Typically manage on-premises devices.<li>Can manage a required setting only by using Group Policy. <br>The advantages of this method include: <li>No cost beyond the AD DS infrastructure. <li>A larger number of settings (compared to Intune).<br>The disadvantages of this method are that it:<li>Can only manage domain-joined (institution-owned devices).<li>Requires an AD DS infrastructure (if the institution does not have AD DS already).<li>Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).<li> Has rudimentary app management capabilities.<li> Cannot deploy Windows 10 operating systems.|
|Intune|Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.<br>Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.<br>Select this method when you:<li> Want to manage institution-owned and personal devices (does not require that the device be domain joined).<li>Dont need granular control over device and user settings (compared to Group Policy).<li>Dont have an existing AD DS infrastructure.<li>Need to manage devices regardless of where they are (on or off premises).<li>Want to provide application management for the entire application life cycle.<li>Can manage a required setting only by using Intune.<br>The advantages of this method are that:<li>You can manage institution-owned and personal devices.<li>It doesnt require that devices be domain joined.<li>It doesnt require any on-premises infrastructure.<li>It can manage devices regardless of their location (on or off premises).<br>The disadvantages of this method are that it:<li>Carries an additional cost for Intune subscription licenses.<li>Doesnt offer granular control over device and user settings (compared to Group Policy).<li>Cannot deploy Windows 10 operating systems.|
*Table 4. Configuration setting management methods*
@ -410,114 +269,11 @@ For a district, there are many ways to manage apps and software updates. Table 6
Use the information in Table 6 to determine which combination of app and update management products is right for your district.
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Selection</th>
<th align="left">Management method</th>
</tr>
</thead>
<tbody>
<tr>
<td valign="top">Microsoft Endpoint Configuration Manager</td>
<td><p>Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.<br/><br/>Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications.<br/><br/>Select this method when you:</p>
<ul>
<li>Selected Configuration Manager to deploy Windows 10.</li>
<li>Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).</li>
<li>Want to manage AD DS domain-joined devices.</li>
<li>Have an existing AD DS infrastructure.</li>
<li>Typically manage on-premises devices.</li>
<li>Want to deploy operating systems.</li>
<li>Want to provide application management for the entire application life cycle.</li>
</ul>
<p>The advantages of this method are that:</p>
<ul>
<li>You can deploy Windows 10 operating systems.</li>
<li>You can manage applications throughout the entire application life cycle.</li>
<li>You can manage software updates for Windows 10 and apps.</li>
<li>You can manage antivirus and malware protection.</li>
<li>It scales to large numbers of users and devices.</li>
</ul>
<p>The disadvantages of this method are that it:</p>
<ul>
<li>Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).</li>
<li>Carries an additional cost for Windows Server licenses and the corresponding server hardware.</li>
<li>Can only manage domain-joined (institution-owned devices).</li>
<li>Requires an AD DS infrastructure (if the institution does not have AD DS already).</li>
<li>Typically manages on-premises devices (unless devices through VPN or DirectAccess).</li>
</ul>
</td>
</tr>
<tr>
<td valign="top">Intune</td>
<td><p>Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.<br/><br/>
Select this method when you:</p>
<ul>
<li>Selected MDT only to deploy Windows 10.</li>
<li>Want to manage institution-owned and personal devices that are not domain joined.</li>
<li>Want to manage Azure AD domain-joined devices.</li>
<li>Need to manage devices regardless of where they are (on or off premises).</li>
<li>Want to provide application management for the entire application life cycle.</li>
</ul>
<p>The advantages of this method are that:</p>
<ul>
<li>You can manage institution-owned and personal devices.</li>
<li>It doesnt require that devices be domain joined.</li>
<li>It doesnt require on-premises infrastructure.</li>
<li>It can manage devices regardless of their location (on or off premises).</li>
<li>You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).</li>
</ul>
<p>The disadvantages of this method are that it:</p>
<ul>
<li>Carries an additional cost for Intune subscription licenses.</li>
<li>Cannot deploy Windows 10 operating systems.</li>
</ul>
</td>
</tr>
<tr>
<td valign="top">Microsoft Endpoint Manager and Intune (hybrid)</td>
<td><p>Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.<br/><br/>
Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.<br/><br/>
Select this method when you:</p>
<ul>
<li>Selected Microsoft Endpoint Manager to deploy Windows 10.</li>
<li>Want to manage institution-owned and personal devices (does not require that the device be domain joined).</li>
<li>Want to manage domain-joined devices.</li>
<li>Want to manage Azure AD domain-joined devices.</li>
<li>Have an existing AD DS infrastructure.</li>
<li>Want to manage devices regardless of their connectivity.</li>
<li>Want to deploy operating systems.</li>
<li>Want to provide application management for the entire application life cycle.</li>
</ul>
<p>The advantages of this method are that:</p>
<ul>
<li>You can deploy operating systems.</li>
<li>You can manage applications throughout the entire application life cycle.</li>
<li>You can scale to large numbers of users and devices.</li>
<li>You can support institution-owned and personal devices.</li>
<li>It doesnt require that devices be domain joined.</li>
<li>It can manage devices regardless of their location (on or off premises).</li>
</ul>
<p>The disadvantages of this method are that it:</p>
<ul>
<li>Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).</li>
<li>Carries an additional cost for Windows Server licenses and the corresponding server hardware.</li>
<li>Carries an additional cost for Intune subscription licenses.</li>
<li>Requires an AD DS infrastructure (if the institution does not have AD DS already).</li>
</ul>
</td>
</tr>
</tbody>
</table>
|Selection|Management method|
|--- |--- |
|Microsoft Endpoint Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:<li>Selected Configuration Manager to deploy Windows 10.<li>Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).<li>Want to manage AD DS domain-joined devices.<li>Have an existing AD DS infrastructure.<li>Typically manage on-premises devices.<li>Want to deploy operating systems.<li>Want to provide application management for the entire application life cycle.<br>The advantages of this method are that:<li>You can deploy Windows 10 operating systems.<li>You can manage applications throughout the entire application life cycle.<li>You can manage software updates for Windows 10 and apps.<li>You can manage antivirus and malware protection.<li>It scales to large numbers of users and devices.<br>The disadvantages of this method are that it:<li>Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).<li>Carries an additional cost for Windows Server licenses and the corresponding server hardware.<li>Can only manage domain-joined (institution-owned devices).<li>Requires an AD DS infrastructure (if the institution does not have AD DS already).<li>Typically manages on-premises devices (unless devices through VPN or DirectAccess).|
|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.<br>Select this method when you:<li>Selected MDT only to deploy Windows 10.<li>Want to manage institution-owned and personal devices that are not domain joined.<li>Want to manage Azure AD domain-joined devices.<li>Need to manage devices regardless of where they are (on or off premises).<li>Want to provide application management for the entire application life cycle.<br>The advantages of this method are that:<li>You can manage institution-owned and personal devices.<li>It doesnt require that devices be domain joined.<li>It doesnt require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).<li>You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).<br>The disadvantages of this method are that it:<li>Carries an additional cost for Intune subscription licenses.<li>Cannot deploy Windows 10 operating systems.|
|Microsoft Endpoint Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.<br>Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices. <br>Select this method when you:<li>Selected Microsoft Endpoint Manager to deploy Windows 10.<li>Want to manage institution-owned and personal devices (does not require that the device be domain joined).<li>Want to manage domain-joined devices.<li>Want to manage Azure AD domain-joined devices.<li>Have an existing AD DS infrastructure.<li>Want to manage devices regardless of their connectivity.vWant to deploy operating systems.<li>Want to provide application management for the entire application life cycle.<br>The advantages of this method are that:<li>You can deploy operating systems.<li>You can manage applications throughout the entire application life cycle.<li>You can scale to large numbers of users and devices.<li>You can support institution-owned and personal devices.<li>It doesnt require that devices be domain joined.<li>It can manage devices regardless of their location (on or off premises).<br>The disadvantages of this method are that it:<li>Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).<li>Carries an additional cost for Windows Server licenses and the corresponding server hardware.<li>Carries an additional cost for Intune subscription licenses.<li>Requires an AD DS infrastructure (if the institution does not have AD DS already).|
*Table 6. App and update management products*
@ -683,7 +439,7 @@ Now that you have created your new Office 365 Education subscription, add the do
To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
> [!NOTE]
> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up: Technical FAQ](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US&WT.mc_id=eml_CXM__33537_MOD_EDU_Student_Advantage_Rush).
> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up FAQ](/microsoft-365/education/deploy/office-365-education-self-sign-up).
Office 365 uses the domain portion of the users email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
@ -695,7 +451,7 @@ You will always want faculty and students to join the Office 365 tenant that you
> [!NOTE]
> You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours.
By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up).
|Action |Windows PowerShell command|
|-------|--------------------------|
@ -714,7 +470,7 @@ To reduce your administrative effort, automatically assign Office 365 Education
> [!NOTE]
> By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section.
Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up).
|Action |Windows PowerShell command|
|-------|--------------------------|
@ -887,7 +643,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T
|-------|---------------------------------------------|
|Ldifde.exe|This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren't comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)).|
|VBScript|This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if youre comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)) and [ADSI Scriptomatic](https://technet.microsoft.com/scriptcenter/dd939958.aspx).|
|Windows PowerShell|This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if youre comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|
|Windows PowerShell|This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if youre comfortable with Windows PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|
*Table 12. AD DS bulk-import account methods*
@ -935,7 +691,7 @@ You can use the Microsoft 365 admin center to add individual Office 365 accounts
The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 9. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts.
For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365 - Admin help](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US).
For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Microsoft 365](/microsoft-365/enterprise/add-several-users-at-the-same-time).
> [!NOTE]
> If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process.
@ -949,7 +705,7 @@ Assign SharePoint Online resource permissions to Office 365 security groups, not
> [!NOTE]
> If your institution has AD DS, dont create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
For information about creating security groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US).
For information about creating security groups, see [Create an Office 365 Group in the admin center](/microsoft-365/admin/create-groups/create-groups).
You can add and remove users from security groups at any time.
@ -966,7 +722,7 @@ You can create email distribution groups based on job role (such as teacher, adm
> Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until the creation process ends before you can perform the following steps.
For information about creating email distribution groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US).
For information about creating email distribution groups, see [Create a Microsoft 365 group in the admin center](/microsoft-365/admin/create-groups/create-groups).
#### Summary
@ -1083,63 +839,11 @@ This guide discusses thick image deployment. For information about thin image de
### Select a method to initiate deployment
The LTI deployment process is highly automated: it requires minimal information to deploy or upgrade Windows 10. The ZTI deployment process is fully automated, but you must manually initiate it. To do so, use the method listed in Table 15 that best meets the needs of your institution.
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Method</th>
<th align="left">Description and reason to select this method</th>
</tr>
</thead>
<tbody>
<tr>
<td valign="top">Windows Deployment Services</td>
<td><p>This method:</p>
<ul>
<li>Uses diskless booting to initiate LTI and ZTI deployments.</li>
<li>Works only with devices that support PXE boot.</li>
<li>Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.</li>
<li>Deploys images more slowly than when you use local media.</li>
<li>Requires that you deploy a Windows Deployment Services server.</li>
</ul>
<br/>Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically dont require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.
</td>
</tr>
<tr>
<td valign="top">Bootable media</td>
<td><p>This method:</p>
<ul>
<li>Initiates LTI or ZTI deployment by booting from local media, including from USB drives, DVD, or CD.</li>
<li>Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.</li>
<li>Deploys images more slowly than when using local media.</li>
<li>Requires no additional infrastructure.</li>
</ul>
<br/>Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically dont require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.
</td>
</tr>
<tr>
<td valign="top">Deployment media</td>
<td><p>This method:</p>
<ul>
<li>Initiates LTI or ZTI deployment by booting from a local USB hard disk.</li>
<li>Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.</li>
<li>Deploys images more quickly than network-based methods do.</li>
<li>Requires a USB hard disk because of the deployment shares storage requirements (up to 100 GB).</li>
</ul>
<br/>Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share or distribution point content, you must regenerate the deployment media and update the USB hard disk.
</td>
</tr>
</tbody>
</table>
|Method|Description and reason to select this method|
|--- |--- |
|Windows Deployment Services|This method:<li>Uses diskless booting to initiate LTI and ZTI deployments.<li>Works only with devices that support PXE boot.<li>Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.<li>Deploys images more slowly than when you use local media.<li>Requires that you deploy a Windows Deployment Services server.<br><br>Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically dont require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.|
|Bootable media|This method:<li>Initiates LTI or ZTI deployment by booting from local media, including from USB drives, DVD, or CD.<li>Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.<li>Deploys images more slowly than when using local media.<li>Requires no additional infrastructure.<br> <br>Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically dont require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.|
|Deployment media|This method:<li>Initiates LTI or ZTI deployment by booting from a local USB hard disk.<li>Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.<li>Deploys images more quickly than network-based methods do.<li>Requires a USB hard disk because of the deployment shares storage requirements (up to 100 GB).<br> <br>Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share or distribution point content, you must regenerate the deployment media and update the USB hard disk.
*Table 15. Methods to initiate LTI and ZTI deployments*
@ -1154,91 +858,14 @@ Before you can deploy Windows 10 and your apps to devices, you need to prepare y
The first step in preparing for Windows 10 deployment is to configure—that is, *populate*—the MDT deployment share. Table 16 lists the MDT deployment share configuration tasks that you must perform. Perform the tasks in the order represented in Table 16.
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Task</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td valign="top">1. Import operating systems</td>
<td>Import the operating systems that you selected in the <a href="#select-the-operating-systems" data-raw-source="[Select the operating systems](#select-the-operating-systems)">Select the operating systems</a> section into the deployment share. For more information about how to import operating systems, see <a href="/mem/configmgr/mdt/use-the-mdt#ImportanOperatingSystemintotheDeploymentWorkbench" data-raw-source="[Import an Operating System into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportanOperatingSystemintotheDeploymentWorkbench)">Import an Operating System into the Deployment Workbench</a>.</td>
</tr>
<tr>
<td valign="top">2. Import device drivers</td>
<td>Device drivers allow Windows 10 to know a devices hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.<br/><br/>
Import device drivers for each device in your institution. For more information about how to import device drivers, see <a href="/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench" data-raw-source="[Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)">Import Device Drivers into the Deployment Workbench</a>.
</td>
</tr>
<tr>
<td valign="top">3. Create MDT applications for Microsoft Store apps</td>
<td>Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using <i>sideloading</i>, which allows you to use the <strong>Add-AppxPackage</strong> Windows PowerShell cmdlet to deploy the .appx files associated with the app (called <em>provisioned apps</em>). Use this method to deploy up to 24 apps to Windows 10.<br/><br/>
<p>Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks:</p>
<ul>
<li>For offline-licensed apps, download the .appx files from the Microsoft Store for Business.</li>
<li>For apps that are not offline licensed, obtain the .appx files from the app software vendor directly.</li>
</ul>
<br/>If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.<br/><br/>
If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the <a href="#deploy-and-manage-apps-by-using-intune" data-raw-source="[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)">Deploy and manage apps by using Intune</a> and <a href="#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager" data-raw-source="[Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)">Deploy and manage apps by using Microsoft Endpoint Configuration Manager</a> sections. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.<br/><br/>
In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:<br/><br/>
<ul>
<li>Prepare your environment for sideloading, see <a href="/previous-versions/windows/" data-raw-source="[Try it out: sideload Microsoft Store apps](/previous-versions/windows/)">Try it out: sideload Microsoft Store apps</a>.</li>
<li>Create an MDT application, see <a href="/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench" data-raw-source="[Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench)">Create a New Application in the Deployment Workbench</a>.</li>
</ul>
</td>
</tr>
<tr>
<td valign="top">4. Create MDT applications for Windows desktop apps</td>
<td>You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.<br/><br/>
To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in <a href="/deployoffice/deploy-microsoft-365-apps-local-source" data-raw-source="[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source)">Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool</a>.<br/><br/>
If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the <a href="#deploy-and-manage-apps-by-using-intune" data-raw-source="[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)">Deploy and manage apps by using Intune</a> section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.
<br/><br/>
<strong>Note</strong>&nbsp;&nbsp;You can also deploy Windows desktop apps after you deploy Windows 10, as described in the <a href="#deploy-and-manage-apps-by-using-intune" data-raw-source="[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)">Deploy and manage apps by using Intune</a> section.
For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).
</td>
</tr>
<tr>
<td valign="top">5. Create task sequences</td>
<td><p>You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:</p>
<ul>
<li>Deploy 64-bit Windows 10 Education to devices.</li>
<li>Deploy 32-bit Windows 10 Education to devices.</li>
<li>Upgrade existing devices to 64-bit Windows 10 Education.</li>
<li>Upgrade existing devices to 32-bit Windows 10 Education.</li>
</ul>
<br/>Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see <a href="/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench" data-raw-source="[Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench)">Create a New Task Sequence in the Deployment Workbench</a>.
</td>
</tr>
<tr>
<td valign="top">6. Update the deployment share</td>
<td>Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.<br/><br/>
For more information about how to update a deployment share, see <a href="/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench" data-raw-source="[Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench)">Update a Deployment Share in the Deployment Workbench</a>.
</td>
</tr>
</tbody>
</table>
|Task|Description|
|--- |--- |
|1. Import operating systems|Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)|
|2. Import device drivers|Device drivers allow Windows 10 to know a devices hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.<br>Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)|
|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.<br>Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks:<li>For offline-licensed apps, download the .appx files from the Microsoft Store for Business.<li>For apps that are not offline licensed, obtain the .appx files from the app software vendor directly.<br> <br> If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.<br>If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.<br>In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:<li>Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).<li>Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).|
|4. Create MDT applications for Windows desktop apps|You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.<br>To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source).<br> If you have Intune, you can [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune), as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps.<br>This is the preferred method for deploying and managing Windows desktop apps.<br>**Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) <br>For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).|
|5. Create task sequences|You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:<li>Deploy 64-bit Windows 10 Education to devices.<li>Deploy 32-bit Windows 10 Education to devices.<li>Upgrade existing devices to 64-bit Windows 10 Education.<li>Upgrade existing devices to 32-bit Windows 10 Education.<br> <br>Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).|
|6. Update the deployment share|Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.<br>For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).|
*Table 16. Tasks to configure the MDT deployment share*
@ -1276,7 +903,7 @@ Deploying a new Configuration Manager infrastructure is beyond the scope of this
Create a Configuration Manager application for each Windows desktop or Microsoft Store app that you want to deploy after you apply the reference image to a device. For more information, see [Deploy and manage applications with Configuration Manager](/mem/configmgr/apps/deploy-use/deploy-applications).
### Configure Window Deployment Services for MDT
### Configure Windows Deployment Services for MDT
You can use Windows Deployment Services in conjunction with MDT to automatically initiate boot images on target devices. These boot images can be Windows PE images (which you generated in step 6 in Table 16) or custom images that can deploy operating systems directly to the target devices.
@ -1298,7 +925,7 @@ You can use Windows Deployment Services in conjunction with MDT to automatically
For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices).
### Configure Window Deployment Services for Microsoft Endpoint Configuration Manager
### Configure Windows Deployment Services for Microsoft Endpoint Configuration Manager
> [!NOTE]
> If you have already configured your Microsoft Endpoint Manager infrastructure to support PXE boot or selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next.
@ -1430,116 +1057,20 @@ Microsoft has several recommended settings for educational institutions. Table 1
Use the information in Table 17 to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings.
<table>
<colgroup>
<col width="75%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Recommendation</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td valign="top">Use of Microsoft accounts</td>
<td>You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.<br/><br/>
**Note**&nbsp;&nbsp;Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.<br/><br/>
**Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users cant add Microsoft accounts** setting option.<br/><br/>
**Intune.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.
</td>
</tr>
<tr>
<td valign="top">Restrict the local administrator accounts on the devices</td>
<td>Ensure that only authorized users are local administrators on institution-owned devices. Typically, you dont want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.<br/><br/>
<strong>Group Policy.</strong> Create a <strong>Local Group</strong> Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.<br/><br/>
<strong>Intune.</strong> Not available.
</td>
</tr>
<tr>
<td valign="top">Manage the built-in administrator account created during device deployment</td>
<td>When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.<br/><br/>
<strong>Group Policy.</strong> To rename the built-in Administrator account, use the <strong>Accounts: Rename administrator account</strong> Group Policy setting. For more information about how to rename the built-in Administrator account, see <a href="/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)" data-raw-source="[To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10))">To rename the Administrator account using the Group Policy Management Console</a>. You specify the new name for the Administrator account. To disable the built-in Administrator account, use the <strong>Accounts: Administrator account status</strong> Group Policy setting. For more information about how to disable the built-in Administrator account, see <a href="/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)" data-raw-source="[Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11))">Accounts: Administrator account status</a>.<br/><br/>
<strong>Intune.</strong> Not available.
</td>
</tr>
<tr>
<td valign="top">Control Microsoft Store access</td>
<td>You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.<br/><br/>
<strong>Group Policy.</strong> To disable the Microsoft Store app, use the <strong>Turn off the Store Application</strong> group policy setting. To prevent Microsoft Store apps from receiving updates, use the <strong>Turn off Automatic Download and Install of updates</strong> Group Policy setting. For more information about configuring these settings, see <a href="/previous-versions/windows/it-pro/windows-8.1-and-8/hh832040(v=ws.11)#BKMK_UseGP" data-raw-source="[Can I use Group Policy to control the Microsoft Store in my enterprise environment?](/previous-versions/windows/it-pro/windows-8.1-and-8/hh832040(v=ws.11)#BKMK_UseGP)">Can I use Group Policy to control the Microsoft Store in my enterprise environment?</a>.<br/><br/>
<strong>Intune.</strong> To enable or disable Microsoft Store access, use the <strong>Allow application store</strong> policy setting in the <strong>Apps</strong> section of a <strong>Windows 10 General Configuration policy</strong>.
</td>
</tr>
<tr>
<td valign="top">Use of Remote Desktop connections to devices</td>
<td>Remote Desktop connections could allow unauthorized access to the device. Depending on your institutions policies, you may want to disable Remote Desktop connections on your devices.<br/><br/>
<strong>Group Policy.</strong> To enable or disable Remote Desktop connections to devices, use the <strong>Allow Users to connect remotely using Remote Desktop</strong> setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.<br/><br/>
<strong>Intune.</strong> Not available.
</td>
</tr>
|Recommendation|Description|
|--- |--- |
|Use of Microsoft accounts|You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.<br>**Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices. <br>**Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users cant add Microsoft accounts** setting option.<br>****Intune**.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.|
|Restrict the local administrator accounts on the devices|Ensure that only authorized users are local administrators on institution-owned devices. Typically, you dont want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.<br>**Group Policy**. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item. <br>**Intune**. Not available.|
|Manage the built-in administrator account created during device deployment|When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.<br> **Group Policy**. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).<br> **Intune**. Not available.|
|Control Microsoft Store access|You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.<br>**Group policy**. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?<br>**Intune**. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy.|
|Use of Remote Desktop connections to devices|Remote Desktop connections could allow unauthorized access to the device. Depending on your institutions policies, you may want to disable Remote Desktop connections on your devices.<br>**Group policy**. To enable or disable Remote Desktop connections to devices, use the Allow Users to connect remotely using Remote Desktop setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.<br>**Intune**. Not available.|
|Use of camera|A devices camera can be a source of disclosure or privacy issues in an education environment. Depending on your institutions policies, you may want to disable the camera on your devices.<br>**Group policy**. Not available.<br>**Intune**. To enable or disable the camera, use the Allow camera policy setting in the Hardware section of a Windows 10 General Configuration policy.|
|Use of audio recording|Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institutions policies, you may want to disable the Sound Recorder app on your devices.<br>**Group policy**. To disable the Sound Recorder app, use the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)) and [Create Your AppLocker Policies](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791899(v=ws.11)).<br>**Intune**. To enable or disable audio recording, use the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy.|
|Use of screen capture|Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institutions policies, you may want to disable the ability to perform screen captures on your devices.<br>**Group policy**. Not available.<br>**Intune**. To enable or disable screen capture, use the Allow screen capture policy setting in the System section of a Windows 10 General Configuration policy.|
|Use of location services|Providing a devices location can be a source of disclosure or privacy issues in an education environment. Depending on your institutions policies, you may want to disable the location service on your devices.<br>**Group policy**. To enable or disable location services, use the Turn off location group policy setting in User Configuration\Windows Components\Location and Sensors.<br>**Intune**. To enable or disable location services, use the Allow geolocation policy setting in the Hardware section of a Windows 10 General Configuration policy.|
|Changing wallpaper|Custom wallpapers can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or device). Depending on your institutions policies, you may want to prevent users from changing the wallpaper on institution-owned devices.<br>**Group policy**. To configure the wallpaper, use the Desktop WallPaper setting in User Configuration\Administrative Templates\Desktop\Desktop.<br>**Intune**. Not available.|
<tr>
<td valign="top">Use of camera</td>
<td>A devices camera can be a source of disclosure or privacy issues in an education environment. Depending on your institutions policies, you may want to disable the camera on your devices.<br/><br/>
<strong>Group Policy.</strong> Not available.<br/><br/>
<strong>Intune.</strong> To enable or disable the camera, use the <strong>Allow camera</strong> policy setting in the <strong>Hardware</strong> section of a <strong>Windows 10 General Configuration</strong> policy.
</td>
</tr>
<tr>
<td valign="top">Use of audio recording</td>
<td>Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institutions policies, you may want to disable the Sound Recorder app on your devices.<br/><br/>
<strong>Group Policy.</strong> To disable the Sound Recorder app, use the <strong>Do not allow Sound Recorder to run</strong> Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in <a href="/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)" data-raw-source="[Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10))">Editing an AppLocker Policy</a> and <a href="/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791899(v=ws.11)" data-raw-source="[Create Your AppLocker Policies](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791899(v=ws.11))">Create Your AppLocker Policies</a>.<br/><br/>
<strong>Intune.</strong> To enable or disable audio recording, use the <strong>Allow voice recording</strong> policy setting in the <strong>Features</strong> section of a <strong>Windows 10 General Configuration</strong> policy.
</td>
</tr>
<tr>
<td valign="top">Use of screen capture</td>
<td>Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institutions policies, you may want to disable the ability to perform screen captures on your devices.<br/><br/>
<strong>Group Policy.</strong> Not available.<br/><br/>
<strong>Intune.</strong> To enable or disable screen capture, use the <strong>Allow screen capture</strong> policy setting in the <strong>System</strong> section of a <strong>Windows 10 General Configuration</strong> policy.
</td>
</tr>
<tr>
<td valign="top">Use of location services</td>
<td>Providing a devices location can be a source of disclosure or privacy issues in an education environment. Depending on your institutions policies, you may want to disable the location service on your devices.<br/><br/>
<strong>Group Policy.</strong> To enable or disable location services, use the <strong>Turn off location</strong> group policy setting in User Configuration\Windows Components\Location and Sensors.<br/><br/>
<strong>Intune.</strong> To enable or disable location services, use the <strong>Allow geolocation</strong> policy setting in the <strong>Hardware</strong> section of a <strong>Windows 10 General Configuration</strong> policy.
</td>
</tr>
<tr>
<td valign="top">Changing wallpaper</td>
<td>Custom wallpapers can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or device). Depending on your institutions policies, you may want to prevent users from changing the wallpaper on institution-owned devices.<br/><br/>
<strong>Group Policy.</strong> To configure the wallpaper, use the <strong>Desktop WallPaper</strong> setting in User Configuration\Administrative Templates\Desktop\Desktop.<br/><br/>
<strong>Intune.</strong> Not available.
</td>
</tr>
</tbody>
</table>
<br/>
<em>Table 17. Recommended settings for educational institutions</em>
@ -1719,205 +1250,23 @@ After the initial deployment, you need to perform certain tasks to maintain the
Table 19 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks.
<table>
<colgroup>
<col width="10%" />
<col width="10%" />
<col width="10%" />
<col width="70%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Task and resources</th>
<th align="left">Monthly</th>
<th align="left">New semester or academic year</th>
<th align="left">As required</th>
</tr>
</thead>
<tbody>
<tr>
<td>Verify that Windows Update is active and current with operating system and software updates.<br/><br/>
For more information about completing this task when you have:
<ul>
<li>Intune, see <a href="/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune" data-raw-source="[Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)">Keep Windows PCs up to date with software updates in Microsoft Intune</a>.</li>
<li>Group Policy, see <a href="/windows/deployment/update/waas-manage-updates-wufb" data-raw-source="[Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb)">Windows Update for Business</a>.</li>
<li>WSUS, see <a href="/windows/deployment/deploy-whats-new" data-raw-source="[Windows Server Update Services](/windows/deployment/deploy-whats-new)">Windows Server Update Services</a>.</li>
<li>Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, &amp; activate” in <a href="https://support.microsoft.com/products/windows?os=windows-10" data-raw-source="[Windows 10 help](https://support.microsoft.com/products/windows?os=windows-10)">Windows 10 help</a>.</li>
</ul>
</td>
<td>x</td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Verify that Windows Defender is active and current with malware Security intelligence.<br/><br/>
For more information about completing this task, see <a href="https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02" data-raw-source="[Turn Windows Defender on or off](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02)">Turn Windows Defender on or off</a> and <a href="https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03" data-raw-source="[Updating Windows Defender](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03)">Updating Windows Defender</a>.
</td>
<td>x</td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.<br/><br/>
For more information about completing this task, see the “How do I find and remove a virus?” topic in <a href="https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses" data-raw-source="[Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses)">Protect my PC from viruses</a>.
</td>
<td>x</td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Download and approve updates for Windows 10, apps, device driver, and other software.<br/><br/>
For more information, see:
<ul>
<li><a href="#manage-updates-by-using-intune" data-raw-source="[Manage updates by using Intune](#manage-updates-by-using-intune)">Manage updates by using Intune</a></li>
<li><a href="#manage-updates-by-using-microsoft-endpoint-configuration-manager" data-raw-source="[Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)">Manage updates by using Microsoft Endpoint Configuration Manager</a></li>
</ul>
</td>
<td>x</td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Verify that youre using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).<br/><br/>
For more information about Windows 10 servicing options for updates and upgrades, see <a href="/windows/deployment/update/" data-raw-source="[Windows 10 servicing options](/windows/deployment/update/)">Windows 10 servicing options</a>.
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Refresh the operating system and apps on devices.<br/><br/>
For more information about completing this task, see the following resources:
<ul>
<li><a href="#prepare-for-deployment" data-raw-source="[Prepare for deployment](#prepare-for-deployment)">Prepare for deployment</a></li>
<li><a href="#capture-the-reference-image" data-raw-source="[Capture the reference image](#capture-the-reference-image)">Capture the reference image</a></li>
<li><a href="#deploy-windows-10-to-devices" data-raw-source="[Deploy Windows 10 to devices](#deploy-windows-10-to-devices)">Deploy Windows 10 to devices</a></li>
</ul>
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.<br/><br/>
For more information, see:
<ul>
<li><a href="#deploy-and-manage-apps-by-using-intune" data-raw-source="[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)">Deploy and manage apps by using Intune</a></li>
<li><a href="#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager" data-raw-source="[Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)">Deploy and manage apps by using Microsoft Endpoint Configuration Manager</a></li>
</ul>
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Install new or update existing Microsoft Store apps used in the curriculum.<br/><br/>
Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.<br/><br/>
You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration. For more information, see:
<ul>
<li><a href="#deploy-and-manage-apps-by-using-intune" data-raw-source="[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)">Deploy and manage apps by using Intune</a></li>
<li><a href="#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager" data-raw-source="[Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)">Deploy and manage apps by using Microsoft Endpoint Configuration Manager</a></li>
</ul>
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).<br/><br/>
For more information about how to:
<ul>
<li>Remove unnecessary user accounts, see <a href="/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center" data-raw-source="[Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center)">Active Directory Administrative Center</a>.</li>
<li>Remove licenses, see <a href="https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&amp;rs=en-US&amp;ad=US" data-raw-source="[Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&amp;rs=en-US&amp;ad=US)">Assign or remove licenses for Office 365 for business</a>.</li>
</ul>
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).<br/><br/>
For more information about how to:
<ul>
<li>Add user accounts, see <a href="#bulk-import-user-and-group-accounts-into-ad-ds" data-raw-source="[Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)">Bulk-import user and group accounts into AD DS</a>.</li>
<li>Assign licenses, see <a href="https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&amp;rs=en-US&amp;ad=US" data-raw-source="[Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&amp;rs=en-US&amp;ad=US)">Assign or remove licenses for Office 365 for business</a>.</li>
</ul>
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).<br/><br/>
For more information about how to:
<ul>
<li>Remove unnecessary user accounts, see <a href="https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e" data-raw-source="[Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e)">Delete or restore users</a>.</li>
<li>Remove licenses, see <a href="https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&amp;rs=en-US&amp;ad=US" data-raw-source="[Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&amp;rs=en-US&amp;ad=US)">Assign or remove licenses for Office 365 for business</a>.</li>
</ul>
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Add new accounts (and corresponding licenses) to Office 365 (if you dont have an on-premises AD DS infrastructure).<br/><br/>
For more information about how to:
<ul>
<li>Add user accounts, see <a href="https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc" data-raw-source="[Add users to Office 365 for business](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc)">Add users to Office 365 for business</a> and <a href="https://www.youtube.com/watch?v=zDs3VltTJps" data-raw-source="[Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps)">Add users individually or in bulk to Office 365</a>.</li>
<li>Assign licenses, see <a href="https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&amp;rs=en-US&amp;ad=US" data-raw-source="[Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&amp;rs=en-US&amp;ad=US)">Assign or remove licenses for Office 365 for business</a>.</li>
</ul>
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Create or modify security groups, and manage group membership in Office 365.<br/><br/>
For more information about how to:
<ul>
<li>Create or modify security groups, see <a href="https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&amp;rs=en-001&amp;ad=US" data-raw-source="[Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&amp;rs=en-001&amp;ad=US)">Create an Office 365 Group in the admin center</a>.</li>
<li>Manage group membership, see <a href="https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a" data-raw-source="[Manage Group membership in the admin center](https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a)">Manage Group membership in the admin center</a>.</li>
</ul>
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.<br/><br/>
For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see <a href="/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups" data-raw-source="[Create and manage distribution groups](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups)">Create and manage distribution groups</a> and <a href="https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB" data-raw-source="[Create, edit, or delete a security group](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB)">Create, edit, or delete a security group</a>.
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Install new student devices.<br/><br/>
Follow the same steps you followed in the <a href="#deploy-windows-10-to-devices" data-raw-source="[Deploy Windows 10 to devices](#deploy-windows-10-to-devices)">Deploy Windows 10 to devices</a> section.
</td>
<td></td>
<td></td>
<td>x</td>
</tr>
</tbody>
</table>
<br/>
|Task and resources|Monthly|New semester or academic year|As required|
|--- |--- |--- |--- |
|Verify that Windows Update is active and current with operating system and software updates.<br>For more information about completing this task when you have:<li>Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)<li>Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).<li>WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).<br>Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.|✔️|✔️|✔️|
|Verify that Windows Defender is active and current with malware Security intelligence.<br>For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02)and [Updating Windows Defender](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03).|✔️|✔️|✔️|
|Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.<br>For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses).|✔️|✔️|✔️|
|Download and approve updates for Windows 10, apps, device driver, and other software.<br>For more information, see:<li>[Manage updates by using Intune](#manage-updates-by-using-intune)<li>[Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)|✔️|✔️|✔️|
|Verify that youre using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).<br>For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||✔️|✔️|
|Refresh the operating system and apps on devices.<br>For more information about completing this task, see the following resources:<li>[Prepare for deployment](#prepare-for-deployment)<li>[Capture the reference image](#capture-the-reference-image)<li>[Deploy Windows 10 to devices](#deploy-windows-10-to-devices)||✔️|✔️|
|Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.<br>For more information, see:<li>[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)<li>[Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️|
|Install new or update existing Microsoft Store apps used in the curriculum.<br>Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.<br>You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration. <br>For more information, see:<li>[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)<li>[Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️|
|Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).<br>For more information about how to:<li>Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center) <li>Remove licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️|
|Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).<br>For more information about how to:<li>Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)<li>Assign licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️|
|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).<br>For more information about how to:<li>Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user)<li> Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️|
|Add new accounts (and corresponding licenses) to Office 365 (if you dont have an on-premises AD DS infrastructure).<br>For more information about how to:<li>Add user accounts, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).<li>Assign licenses, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️|
|Create or modify security groups, and manage group membership in Office 365.<br>For more information about how to:<li>Create or modify security groups, see [Create a Microsoft 365 group](/microsoft-365/admin/create-groups/create-groups)<li>Manage group membership, see [Manage Group membership](/microsoft-365/admin/create-groups/add-or-remove-members-from-groups).||✔️|✔️|
|Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.<br>For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Create and manage distribution groups](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups) and [Create, edit, or delete a security group](/microsoft-365/admin/email/create-edit-or-delete-a-security-group).||✔️|✔️|
|Install new student devices.<br> Follow the same steps you followed in the[Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section.|||✔️|
*Table 19. School and individual classroom maintenance tasks, with resources and the schedule for performing them*
@ -1936,4 +1285,4 @@ You have now identified the tasks you need to perform monthly, at the end of an
* [Manage Windows 10 updates and upgrades in a school environment (video)](./index.md)
* [Reprovision devices at the end of the school year (video)](./index.md)
* [Use MDT to deploy Windows 10 in a school (video)](./index.md)
* [Use Microsoft Store for Business in a school environment (video)](./index.md)
* [Use Microsoft Store for Business in a school environment (video)](./index.md)

6
education/windows/deploy-windows-10-in-a-school.md
View File

@ -441,7 +441,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T
|---|---|
| **Ldifde.exe** | This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you arent comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/116.active-directory-step-by-step-guide-bulk-import-and-export.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)). |
| **VBScript** | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if youre comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/116.active-directory-step-by-step-guide-bulk-import-and-export.aspx). |
| **Windows PowerShell** | This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if youre comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). |
| **Windows PowerShell** | This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if youre comfortable with Windows PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). |
---
@ -670,13 +670,13 @@ The first step in preparation for Windows 10 deployment is to configure—that i
| **1. Import operating systems** | Import the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportanOperatingSystemintotheDeploymentWorkbench). |
| **2. Import device drives** | Device drivers allow Windows 10 to know a devices hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.<br/><br/> Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench). |
| **3. Create MDT applications for Microsoft Store apps** | Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using <em>sideloading</em>, which allows you to use the <strong>Add-AppxPackage</strong> Windows PowerShell cmdlet to deploy the .appx files associated with the app (called <em>provisioned apps</em>). Use this method to deploy up to 24 apps to Windows 10.<br/><br/>Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.<br/><br/>If you have Intune, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.<br/><br/>In addition, you must prepare your environment for sideloading (deploying) Microsoft Store apps. For more information about how to:<br/><br/>- Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10).<br/>- Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). |
| **4. Create MDT applications for Windows desktop apps** | You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.<br/><br/>To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source?f=255&MSPPError=-2147217396).<br/><br/>If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.<br/><br/> You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.<br/><br/>For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). |
| **4. Create MDT applications for Windows desktop apps** | You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.<br/><br/>To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source?f=255&MSPPError=-2147217396).<br/><br/>If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.<br/><br/> You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.<br/><br/>For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). |
| **5. Create task sequences.** | You must create a separate task sequence for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:<br/><br/>- Deploy Windows 10 Education 64-bit to devices.<br/>- Deploy Windows 10 Education 32-bit to devices.<br/>- Upgrade existing devices to Windows 10 Education 64-bit.<br/>- Upgrade existing devices to Windows 10 Education 32-bit.<br/><br/>Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench). |
| **6. Update the deployment share.** | Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.<br/><br/> For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).|
---
### Configure Window Deployment Services for MDT
### Configure Windows Deployment Services for MDT
You can use Windows Deployment Services with MDT to automatically initiate boot images on target computers. These boot images can be Windows PE images (which you generated in Step 6 in Table 9) or custom images that can deploy operating systems directly to the target computers.

2
education/windows/school-get-minecraft.md
View File

@ -250,7 +250,7 @@ You'll download a .zip file, extract the files, and then use one of the files to
<!--- ## Manage Minecraft: Education Edition -->
<!--- ### Access to Microsoft Store for Business
By default, when a teacher with a work or school account acquires Minecraft: Education Edition, they are automatically signed up for Window Store for Business, and the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to acquire Minecraft: Education Edition and to distribute it to students.
By default, when a teacher with a work or school account acquires Minecraft: Education Edition, they are automatically signed up for Windows Store for Business, and the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to acquire Minecraft: Education Edition and to distribute it to students.
However, tenant admins can control whether or not teachers automatically sign up for Microsoft Store for Business, and get the **Basic Purchaser** role. You can configure this with the **Allow educators in my organization to sign up for the Microsoft Store for Business.** You'll find this on the **Permissions** page.

111
education/windows/windows-11-se-overview.md Normal file
View File

@ -0,0 +1,111 @@
---
title: What is Windows 11 SE
description: Learn more about Windows 11 SE, and the apps that are included with the operating system. Read about the features IT professionals and administrators should know about Windows 11 SE. Add and deploy your apps using Microsoft Intune for Education.
ms.reviewer:
manager: dougeby
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: mobile
ms.author: mandia
author: MandiOhlinger
ms.localizationpriority: medium
ms.topic: article
---
# Windows 11 SE for Education
**Applies to**:
- Windows 11 SE
- Microsoft Intune for Education
Windows 11 SE is a new edition of Windows that's designed for education. It runs on web-first devices that use essential education apps. Microsoft Office 365 is preinstalled (subscription sold separately).
For education customers seeking cost-effective devices, Microsoft Windows 11 SE is a great choice. Windows 11 SE includes the following benefits:
- A simplified and secure experience for students. Student privacy is prioritized.
- Admins remotely manage Windows 11 SE devices using [Microsoft Intune for Education](/intune-education/what-is-intune-for-education).
- It's built for low-cost devices.
- It has a curated app experience, and is designed to only run essential education apps.
## Get Windows 11 SE
Windows 11 SE is only available preinstalled on devices from OEMs. The OEM installs Windows 11 SE, and makes the devices available for you to purchase. For example, you'll be able to purchase Microsoft Surface devices with Windows 11 SE already installed.
## Available apps
Windows 11 SE comes with some preinstalled apps. The following apps can also run on Windows 11 SE, and are deployed using the [Intune for Education portal](https://intuneeducation.portal.azure.com). For more information, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
---
| Application | Min version | Vendor |
| --- | --- | --- |
| Chrome | 95.0.4638.54 | Google |
| Dragon Assistant | 3.2.98.061 | Nuance Communications |
| Dragon Professional Individual | 15.00.100 | Nuance Communications |
| e-Speaking Voice and Speech recognition | 4.4.0.8 | e-speaking |
| Free NaturalReader | 16.1.2 | Natural Soft |
| Jaws for Windows | 2022.2109.84 ILM | Freedom Scientific |
| Kite Student Portal | 8.0.1 | Dynamic Learning Maps |
| NextUp Talker | 1.0.49 | NextUp Technologies, LLC. |
| NonVisual Desktop Access | 2021.2 | NV Access |
| Read and Write | 12.0.71 | Texthelp Systems Ltd. |
| SuperNova Magnifier & Screen Reader | 20.03 | Dolphin Computer Access |
| SuperNova Magnifier & Speech | 20.03 | Dolphin Computer Access |
| Text Aloud | 4.0.64 | Nextup.com |
| Zoom | 5.8.3 (1581) | Zoom Inc |
| Zoomtext Fusion by AiSquared | 2022.2109.10 | ORF Fusion |
| ZoomText Magnifier/Reader | 2022.2109.25ILM | AI Squared |
---
### Enabled apps
| App type | Enabled |
| --- | --- |
| Apps that run in a browser | ✔️ Apps that run in a browser, like Progressive Web Apps (PWA) and Web apps, can run on Windows 11 SE without any changes or limitations. |
| Apps that require installation | ❌ Apps that require an installation, including Microsoft Store apps and Win32 apps can't be installed. If students try to install these apps, the installation fails. <br/><br/>✔️ If there are specific installation-type of apps you want to enable, then work with Microsoft to get them enabled. For more information, see [Add your own apps](#add-your-own-apps) (in this article). |
### Add your own apps
If the apps you need aren't shown in the [available apps list](#available-apps) (in this article), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account.
Microsoft reviews every app request to make sure each app meets the following requirements:
- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more.
- Apps must be in one of the following app categories:
- Content Filtering apps
- Test Taking solutions
- Assistive technologies
- Classroom communication apps
- Essential diagnostics, management, and supportability apps
- Apps must meet the performance [requirements of Windows 11](/windows/whats-new/windows-11-requirements).
- Apps must meet the following security requirements:
- All app binaries are code-signed.
- All files include the `OriginalFileName` in the resource file header.
- All kernel drivers are WHQL-signed.
- Apps don't have an equivalent web application.
- Apps can't invoke any processes that can be used to jailbreak a device, automate jailbreaks, or present a security risk. For example, processes such as Reg.exe, CBE.exe, CMD.exe, and KD.exe are blocked on Windows 11 SE.
If the app meets the requirements, Microsoft works with the Independent Software Vendor (ISV) to test the app, and make sure the app works as expected on Windows 11 SE.
When the app is ready, Microsoft will update you. Then, you add the app to the [Intune for Education portal](https://intuneeducation.portal.azure.com), and [assign](/intune-education/assign-apps) it to your Windows 11 SE devices.
For more information on Intune requirements for adding education apps, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
### 0x87D300D9 error with an app
When you deploy an app using Intune for Education, you may get a `0x87D300D9` error code with a `Failed` state in the [Intune for Education portal](https://intuneeducation.portal.azure.com). If you have an app that fails with this error, then:
- Make sure the app is on the [available apps list](#available-apps) (in this article). Or, make sure your app is [approved for Windows 11 SE](#add-your-own-apps) (in this article).
- If the app is approved, then it's possible the app is packaged wrong. For more information, see [Add your own apps](#add-your-own-apps) (in this article) and [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
- If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own apps](#add-your-own-apps) (in this article). Or, use an app that runs in a web browser, such as a web app or PWA.
## Related articles
- [Use Intune for Education to manage devices running Windows 11 SE](/intune-education/windows-11-se-overview)

106
education/windows/windows-11-se-settings-list.md Normal file
View File

@ -0,0 +1,106 @@
---
title: Windows 11 SE settings list
description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change.
ms.reviewer:
manager: dougeby
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: mobile
ms.author: mandia
author: MandiOhlinger
ms.localizationpriority: medium
ms.topic: article
---
# Windows 11 SE for Education settings list
**Applies to**:
- Windows 11 SE
- Microsoft Intune for Education
Windows 11 SE automatically configures settings and features in the operating system. These settings use the Configuration Service Provider (CSPs) provided by Microsoft. You can use an MDM provider to configure these settings.
This article lists the settings automatically configured. For more information on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md).
## Settings that can be changed
The following table lists and describes the settings that can be changed by administrators.
| Setting | Description |
| --- | --- |
| Block manual unenrollment | Default: Blocked<br/><br/>Users can't unenroll their devices from device management services. <br/><br/>[Experience/AllowManualMDMUnenrollment CSP](/windows/client-management/mdm/policy-csp-experience#experience-allowmanualmdmunenrollment)|
| Allow option to Show Network | Default: Allowed<br/><br/>Gives users the option to see the **Show Network** folder in File Explorer. |
| Allow option to Show This PC | Default: Allowed<br/><br/>Gives user the option to see the **Show This PC** folder in File Explorer. |
| Set Allowed Folder location | Default folders: Documents, Desktop, Pictures, and Downloads<br/><br/>Gives user access to these folders. |
| Set Allowed Storage Locations | Default: Blocks Local Drives and Network Drives<br/><br/>Blocks user access to these storage locations. |
| Allow News and Interests | Default: Hide<br/><br/>Hides Widgets. |
| Disable advertising ID | Default: Disabled<br/><br/>Blocks apps from using usage data to tailor advertisements. <br/><br/>[Privacy/DisableAdvertisingId CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) |
| Visible settings pages | Default: <br/><br/> |
| Enable App Install Control | Default: Turned On<br/><br/>Users cant download apps from the internet.<br/><br/>[SmartScreen/EnableAppInstallControl CSP](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol)|
| Configure Storage Sense Cloud Content Dehydration Threshold | Default: 30 days<br/><br/>If a file hasnt been opened in 30 days, it becomes an online-only file. Online-only files can be opened when there's an internet connection. When an online-only file is opened on a device, it downloads and becomes locally available on that device. The file is available until it's unopened for the specified number of days, and becomes online-only again. <br/><br/>[Storage/ConfigStorageSenseCloudContentDehydrationThreshold CSP](/windows/client-management/mdm/policy-csp-storage#storage-configstoragesensecloudcontentdehydrationthreshold) |
| Allow Telemetry | Default: Required Telemetry Only<br/><br/>Sends only basic device info, including quality-related data, app compatibility, and similar data to keep the device secure and up-to-date. <br/><br/>[System/AllowTelemetry CSP](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |
| Allow Experimentation | Default: Disabled<br/><br/>Microsoft can't experiment with the product to study user preferences or device behavior. <br/><br/>[System/AllowExperimentation CSP](/windows/client-management/mdm/policy-csp-system#system-allowexperimentation) |
| Block external extensions | Default: Blocked<br/><br/>In Microsoft Edge, users can't install external extensions. <br/><br/>[BlockExternalExtensions](/DeployEdge/microsoft-edge-policies#blockexternalextensions)|
| Configure new tab page | Default: `Office.com`<br/><br/>In Microsoft Edge, the new tab page defaults to `office.com`. <br/><br/>[Configure the new tab page URL](/DeployEdge/microsoft-edge-policies#configure-the-new-tab-page-url)|
| Configure homepage | Default: `Office.com`<br/><br/>In Microsoft Edge, the homepage defaults to `office.com`. <br/><br/>[HomepageIsNewTabPage](/DeployEdge/microsoft-edge-policies#homepageisnewtabpage)|
| Prevent SmartScreen prompt override | Default: Enabled<br/><br/>In Microsoft Edge, users can't override Windows Defender SmartScreen warnings. <br/><br/>[PreventSmartScreenPromptOverride](/DeployEdge/microsoft-edge-policies#preventsmartscreenpromptoverride)|
## Settings that can't be changed
The following settings can't be changed.
| Category | Description |
| --- | --- |
| Visible Folders in File Explorer | By default, the Desktop, Downloads, Documents, and Pictures folders are visible to users in File Explorer. Users can make other folders, like **This PC**, visible in **View** > **Options**. |
| Launch Windows Maximized | All Windows are opened in the maximized view. |
| Windows Snapping | Windows snapping is limited to two Windows. |
| Allowed Account Types | Microsoft accounts and Azure AD accounts are allowed. |
| Virtual Desktops | Virtual Desktops are blocked. |
| Microsoft Store | The Microsoft Store is blocked. |
| Administrative tools | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Endpoint Manager can run. |
| Apps | Only certain apps are allowed to run on Windows 11 SE. For more info on what apps can run on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). |
## What's available in the Settings app
On Windows 11 SE devices, the Settings app shows the following setting pages. Depending on the hardware, some setting pages might not be shown.
- Accessibility
- Accounts
- Email & accounts
- Apps
- Bluetooth & devices
- Bluetooth
- Printers & scanners
- Mouse
- Touchpad
- Typing
- Pen
- AutoPlay
- Network & internet
- WiFi
- VPN
- Personalization
- Taskbar
- Privacy & security
- System
- Display
- Notifications
- Tablet mode
- Multitasking
- Projecting to this PC
- Time & Language
- Language & region
## Next steps
[Windows 11 SE for Education overview](windows-11-se-overview.md)

167
smb/cloud-mode-business-setup.md
View File

@ -34,7 +34,7 @@ In this walkthrough, we'll show you how to deploy and manage a full cloud IT sol
- Create policies and app deployment rules
- Log in as a user and start using your Windows device
Go to the <a href="https://business.microsoft.com" target="_blank">Microsoft Business site</a> and select **Products** to learn more about pricing and purchasing options for your business.
Go to [Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business) to learn more about pricing and purchasing options for your business.
## Prerequisites
@ -50,16 +50,17 @@ Here's a few things to keep in mind before you get started:
To set up a cloud infrastructure for your organization, follow the steps in this section.
### 1.1 Set up Office 365 for business
See <a href="https://support.office.com/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa" target="_blank">Set up Office 365 for business</a> to learn more about the setup steps for businesses and nonprofits who have Office 365. You can watch video and learn how to:
See [Microsoft 365 admin center for business](/microsoft-365/admin) and [Microsoft 365 resources for nonprofits](https://www.microsoft.com/nonprofits/microsoft-365) to learn more about the setup steps for businesses and nonprofits who have Office 365. You can learn how to:
- Plan your setup
- Create Office 365 accounts and how to add your domain.
- Install Office
To set up your Microsoft 365 for business tenant, see <a href="https://support.office.com/article/Get-started-with-Office-365-for-Business-d6466f0d-5d13-464a-adcb-00906ae87029" target="_blank">Get Started with Microsoft 365 for business</a>.
To set up your Microsoft 365 for business tenant, see [Get Started with Microsoft 365 for business](/microsoft-365/business-video/what-is-microsoft-365).
If you're new at setting up Office 365, and you'd like to see how it's done, you can follow these steps to get started:
1. Go to the <a href="https://products.office.com/business/office-365-affiliate-program-buy-business-premium" target="_blank">Office 365</a> page in the <a href="https://business.microsoft.com" target="_blank">Microsoft Business site</a>. Select **Try now** to use the Microsoft 365 Business Standard Trial or select **Buy now** to sign up for Microsoft 365 Business Standard. In this walkthrough, we'll select **Try now**.
1. Go to [Try or buy a Microsoft 365 for business subscription](/microsoft-365/commerce/try-or-buy-microsoft-365). In this walkthrough, we'll select **Try now**.
**Figure 1** - Try or buy Office 365
@ -68,7 +69,7 @@ If you're new at setting up Office 365, and you'd like to see how it's done, you
2. Fill out the sign up form and provide information about you and your company.
3. Create a user ID and password to use to sign into your account.
This step creates an onmicrosoft.com email address. You can use this email address to sign in to the various admin centers. Save your sign-in info so you can use it to sign into <a href="https://portal.office.com" target="_blank">https://portal.office.com</a> (the admin portal).
This step creates an `onmicrosoft.com` email address. You can use this email address to sign in to the various admin centers. Save your sign-in info so you can use it to sign into [https://portal.office.com](https://portal.office.com) (the admin portal).
4. Select **Create my account** and then enter the phone number you used in step 2 to verify your identity. You'll be asked to enter your verification code.
5. Select **You're ready to go...** which will take you to the Microsoft 365 admin center.
@ -78,7 +79,7 @@ If you're new at setting up Office 365, and you'd like to see how it's done, you
**Figure 2** - Microsoft 365 admin center
![Opens the Microsoft 365 admin center.](images/office365_portal.png)
:::image type="content" alt-text="Opens the Microsoft 365 admin center." source="images/office365_portal.png":::
6. Select the **Admin** tile to go to the admin center.
@ -88,22 +89,22 @@ If you're new at setting up Office 365, and you'd like to see how it's done, you
**Figure 3** - Admin center
![Complete the Office 365 setup in the Microsoft 365 admin center.](images/office365_admin_portal.png)
:::image type="content" alt-text="Complete the Office 365 setup in the Microsoft 365 admin center." source="images/office365_admin_portal.png":::
8. Go back to the <a href="https://portal.office.com/adminportal/home#/homepage" target="_blank">admin center</a> to add or buy a domain.
8. Go back to the [admin center](https://portal.office.com/adminportal/home#/homepage) to add or buy a domain.
1. Select the **Domains** option.
**Figure 4** - Option to add or buy a domain
![Add or buy a domain in admin center.](images/office365_buy_domain.png)
:::image type="content" alt-text="Add or buy a domain in admin center." source="images/office365_buy_domain.png":::
2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as `fabrikamdesign.onmicrosoft.com`.
**Figure 5** - Microsoft-provided domain
![Microsoft-provided domain.](images/office365_ms_provided_domain.png)
:::image type="content" alt-text="Microsoft-provided domain." source="images/office365_ms_provided_domain.png":::
- If you already have a domain, select **+ Add domain** to add your existing domain. If you select this option, you'll be required to verify that you own the domain. Follow the steps in the wizard to verify your domain.
- If you don't already own a domain, select **+ Buy domain**. If you're using a trial plan, you'll be required to upgrade your trial plan in order to buy a domain. Choose the subscription plan to use for your business and provide the details to complete your order.
@ -112,7 +113,7 @@ If you're new at setting up Office 365, and you'd like to see how it's done, you
**Figure 6** - Domains
![Verify your domains in the admin center.](images/office365_additional_domain.png)
:::image type="content" alt-text="Verify your domains in the admin center." source="images/office365_additional_domain.png":::
### 1.2 Add users and assign product licenses
Once you've set up Office and added your domain, it's time to add users so they have access to Office 365. People in your organization need an account before they can sign in and access Office 365. The easiest way to add users is to add them one at a time in the Microsoft 365 admin center.
@ -121,55 +122,55 @@ When adding users, you can also assign admin privileges to certain users in your
**To add users and assign product licenses**
1. In the <a href="https://portal.office.com/adminportal/home#/homepage" target="_blank">admin center</a>, select **Users > Active users**.
1. In the [admin center](https://portal.office.com/adminportal/home#/homepage), select **Users > Active users**.
**Figure 7** - Add users
![Add Office 365 users.](images/office365_users.png)
:::image type="content" alt-text="Add Office 365 users." source="images/office365_users.png":::
2. In the **Home > Active users** page, add users individually or in bulk.
- To add users one at a time, select **+ Add a user**.
If you select this option, you'll see the **New user** screen and you can add details about the new user including their name, user name, role, and so on. You also have the opportunity to assign **Product licenses**. For detailed step-by-step info on adding a user account, see *Add a user account in the admin center* in <a href="https://support.office.com/article/Add-users-individually-or-in-bulk-to-Office-365-Admin-Help-1970f7d6-03b5-442f-b385-5880b9c256ec" target="_blank">Add users individually or in bulk to Office 365 - Admin Help</a>.
If you select this option, you'll see the **New user** screen and you can add details about the new user including their name, user name, role, and so on. You also have the opportunity to assign **Product licenses**. For detailed step-by-step info on adding a user account, see [Add users and assign licenses at the same time](/microsoft-365/admin/add-users/add-users).
**Figure 8** - Add an individual user
![Add an individual user.](images/office365_add_individual_user.png)
:::image type="content" alt-text="Add an individual user." source="images/office365_add_individual_user.png":::
- To add multiple users at once, select **More** and then choose **+ Import multiple users**. If you select this option, you'll need to create and upload a CSV file containing the list of users.
The **Import multiple users** screen includes a link where you can learn more about importing multiple users and also links for downloading a sample CSV file (one with headers only and another with headers and sample user information). For detailed step-by-step info on adding multiple users to Office 365, see <a href="https://support.office.com/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88" target="_blank">Add several users at the same time to Office 365 - Admin Help</a>. Once you've added all the users, don't forget to assign **Product licenses** to the new users.
The **Import multiple users** screen includes a link where you can learn more about importing multiple users and also links for downloading a sample CSV file (one with headers only and another with headers and sample user information). For detailed step-by-step info on adding multiple users to Office 365, see [Add users and assign licenses at the same time](/microsoft-365/admin/add-users/add-users). Once you've added all the users, don't forget to assign **Product licenses** to the new users.
**Figure 9** - Import multiple users
![Import multiple users.](images/office365_import_multiple_users.png)
:::image type="content" alt-text="Import multiple users." source="images/office365_import_multiple_users.png":::
3. Verify that all the users you added appear in the list of **Active users**. The **Status** should indicate the product licenses that were assigned to them.
**Figure 10** - List of active users
![Verify users and assigned product licenses.](images/o365_active_users.png)
:::image type="content" alt-text="Verify users and assigned product licenses." source="images/o365_active_users.png":::
### 1.3 Add Microsoft Intune
Microsoft Intune provides mobile device management, app management, and PC management capabilities from the cloud. Using Intune, organizations can provide their employees with access to apps, data, and corporate resources from anywhere on almost any device while helping to keep corporate information secure. To learn more, see <a href="/intune/understand-explore/introduction-to-microsoft-intune" target="_blank">What is Intune?</a>
Microsoft Intune provides mobile device management, app management, and PC management capabilities from the cloud. Using Intune, organizations can provide their employees with access to apps, data, and corporate resources from anywhere on almost any device while helping to keep corporate information secure. To learn more, see [Microsoft Intune is an MDM and MAM provider](/mem/intune/fundamentals/what-is-intune).
**To add Microsoft Intune to your tenant**
1. In the <a href="https://portal.office.com/adminportal/home#/homepage" target="_blank">admin center</a>, select **Billing > Purchase services**.
1. In the [admin center](https://portal.office.com/adminportal/home#/homepage), select **Billing > Purchase services**.
2. In the **Home > Purchase services** screen, search for **Microsoft Intune**. Hover over **Microsoft Intune** to see the options to start a free 30-day trial or to buy now.
3. Confirm your order to enable access to Microsoft Intune.
4. In the admin center, the Intune licenses will show as available and ready to be assigned to users. Select **Users > Active users** and then edit the product licenses assigned to the users to turn on **Intune A Direct**.
**Figure 11** - Assign Intune licenses
![Assign Microsoft Intune licenses to users.](images/o365_assign_intune_license.png)
:::image type="content" alt-text="Assign Microsoft Intune licenses to users." source="images/o365_assign_intune_license.png":::
5. In the admin center, confirm that **Intune** shows up in the list under **Admin centers**. If it doesn't, sign out and then sign back in and then check again.
6. Select **Intune**. This step opens the Endpoint Manager admin center.
**Figure 12** - Microsoft Intune management portal
![Microsoft Intune management portal.](images/intune_portal_home.png)
:::image type="content" alt-text="Microsoft Intune management portal." source="images/intune_portal_home.png":::
Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Microsoft Store for Business for app distribution](#17-configure-microsoft-store-for-business-for-app-distribution).
@ -178,7 +179,7 @@ Microsoft Azure is an open and flexible cloud platform that enables you to quick
**To add Azure AD to your domain**
1. In the <a href="https://portal.office.com/adminportal/home#/homepage" target="_blank">admin center</a>, select **Admin centers > Azure AD**.
1. In the [admin center](https://portal.office.com/adminportal/home#/homepage), select **Admin centers > Azure AD**.
> [!NOTE]
> You will need Azure AD Premium to configure automatic MDM enrollment with Intune.
@ -187,57 +188,57 @@ Microsoft Azure is an open and flexible cloud platform that enables you to quick
**Figure 13** - Access to Azure AD is not available
![Access to Azure AD not available.](images/azure_ad_access_not_available.png)
:::image type="content" alt-text="Access to Azure AD not available." source="images/azure_ad_access_not_available.png":::
3. From the error message, select the country/region for your business. The region should match with the location you specified when you signed up for Office 365.
4. Select **Azure subscription**. This step will take you to a free trial sign up screen.
**Figure 14** - Sign up for Microsoft Azure
![Sign up for Microsoft Azure.](images/azure_ad_sign_up_screen.png)
:::image type="content" alt-text="Sign up for Microsoft Azure." source="images/azure_ad_sign_up_screen.png":::
5. In the **Free trial sign up** screen, fill in the required information and then click **Sign up**.
6. After you sign up, you should see the message that your subscription is ready. Click **Start managing my service**.
**Figure 15** - Start managing your Azure subscription
![Start managing your Azure subscription.](images/azure_ad_successful_signup.png)
:::image type="content" alt-text="Start managing your Azure subscription." source="images/azure_ad_successful_signup.png":::
This step will take you to the <a href="https://portal.azure.com" target="_blank">Microsoft Azure portal</a>.
This step will take you to the [Microsoft Azure portal](https://portal.azure.com).
### 1.5 Add groups in Azure AD
This section is the walkthrough is optional. However, we recommend that you create groups in Azure AD to manage access to corporate resources, such as apps, policies and settings, and so on. For more information, see <a href="/azure/active-directory/active-directory-manage-groups" target="_blank">Managing access to resources with Azure Active Directory groups</a>.
This section is the walkthrough is optional. However, we recommend that you create groups in Azure AD to manage access to corporate resources, such as apps, policies and settings, and so on. For more information, see [Managing access to resources with Azure Active Directory groups](/azure/active-directory/active-directory-manage-groups.
To add Azure AD group(s), we will use the <a href="https://manage.windowsazure.com/" target="_blank">classic Azure portal (https://manage.windowsazure.com)</a>. See <a href="/azure/active-directory/active-directory-accessmanagement-manage-groups" target="_blank">Managing groups in Azure Active Directory</a> for more information about managing groups.
To add Azure AD group(s), use the [Microsoft Azure portal](https://portal.azure.com). See [Managing groups in Azure Active Directory](/azure/active-directory/active-directory-accessmanagement-manage-groups) for more information about managing groups.
**To add groups in Azure AD**
1. If this is the first time you're setting up your directory, when you navigate to the **Azure Active Directory** node in the <a href="https://manage.windowsazure.com/" target="_blank">classic Azure portal</a>, you will see a screen informing you that your directory is ready for use.
1. If this is the first time you're setting up your directory, when you navigate to the **Azure Active Directory** node, you will see a screen informing you that your directory is ready for use.
Afterwards, you should see a list of active directories. In the following example, **Fabrikam Design** is the active directory.
**Figure 16** - Azure first sign-in screen
![Select Azure AD.](images/azure_portal_classic_configure_directory.png)
:::image type="content" alt-text="Select Azure AD." source="images/azure_portal_classic_configure_directory.png":::
2. Select the directory (such as Fabrikam Design) to go to the directory's home page.
**Figure 17** - Directory home page
![Directory home page.](images/azure_portal_classic_directory_ready.png)
:::image type="content" alt-text="Directory home page." source="images/azure_portal_classic_directory_ready.png":::
3. From the menu options on top, select **Groups**.
**Figure 18** - Azure AD groups
![Add groups in Azure AD.](images/azure_portal_classic_groups.png)
:::image type="content" alt-text="Add groups in Azure AD." source="images/azure_portal_classic_groups.png":::
4. Select **Add a group** (from the top) or **Add group** at the bottom.
5. In the **Add Group** window, add a name, group type, and description for the group and click the checkmark to save your changes. The new group will appear on the groups list.
**Figure 19** - Newly added group in Azure AD
![Verify the new group appears on the list.](images/azure_portal_classic_all_users_group.png)
:::image type="content" alt-text="Verify the new group appears on the list." source="images/azure_portal_classic_all_users_group.png":::
6. In the **Groups** tab, select the arrow next to the group (such as **All users**), add members to the group, and then save your changes.
@ -245,34 +246,34 @@ To add Azure AD group(s), we will use the <a href="https://manage.windowsazure.c
**Figure 20** - Members in the new group
![Members added to the new group.](images/azure_portal_classic_members_added.png)
:::image type="content" alt-text="Members added to the new group." source="images/azure_portal_classic_members_added.png":::
7. Repeat steps 2-6 to add other groups. You can add groups based on their roles in your company, based on the apps that each group can use, and so on.
### 1.6 Configure automatic MDM enrollment with Intune
Now that you have Azure AD Premium and have it properly configured, you can configure automatic MDM enrollment with Intune, which allows users to enroll their Windows devices into Intune management, join their devices directly to Azure AD, and get access to Office 365 resources after sign in.
You can read <a href="https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/" target="_blank">this blog post</a> to learn how you can combine login, Azure AD Join, and Intune MDM enrollment into an easy step so that you can bring your devices into a managed state that complies with the policies for your organization. We will use this blog post as our guide for this part of the walkthrough.
You can read the [Windows 10, Azure AD and Microsoft Intune blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/) to learn how you can combine login, Azure AD Join, and Intune MDM enrollment into an easy step so that you can bring your devices into a managed state that complies with the policies for your organization. We will use this blog post as our guide for this part of the walkthrough.
> [!IMPORTANT]
> We will use the classic Azure portal instead of the new portal to configure automatic MDM enrollment with Intune.
**To enable automatic MDM enrollment**
1. In the <a href="https://manage.windowsazure.com/" target="_blank">classic Azure portal</a>, click on your company's Azure Active Directory to go back to the main window. Select **Applications** from the list of directory menu options.
1. In the Azure portal, click on your company's Azure Active Directory to go back to the main window. Select **Applications** from the list of directory menu options.
The list of applications for your company will appear. **Microsoft Intune** will be one of the applications on the list.
**Figure 21** - List of applications for your company
![List of applications for your company.](images/azure_portal_classic_applications.png)
:::image type="content" alt-text="List of applications for your company." source="images/azure_portal_classic_applications.png":::
2. Select **Microsoft Intune** to configure the application.
3. In the Microsoft Intune configuration page, click **Configure** to start automatic MDM enrollment configuration with Intune.
**Figure 22** - Configure Microsoft Intune in Azure
![Configure Microsoft Intune in Azure.](images/azure_portal_classic_configure_intune_app.png)
:::image type="content" alt-text="Configure Microsoft Intune in Azure." source="images/azure_portal_classic_configure_intune_app.png":::
4. In the Microsoft Intune configuration page:
- In the **Properties** section, you should see a list of URLs for MDM discovery, MDM terms of use, and MDM compliance.
@ -291,66 +292,66 @@ You can read <a href="https://blogs.technet.microsoft.com/enterprisemobility/201
**Figure 23** - Configure Microsoft Intune
![Configure automatic MDM enrollment with Intune.](images/azure_portal_classic_configure_intune_mdm_enrollment.png)
:::image type="content" alt-text="Configure automatic MDM enrollment with Intune." source="images/azure_portal_classic_configure_intune_mdm_enrollment.png":::
### 1.7 Configure Microsoft Store for Business for app distribution
Next, you'll need to configure Microsoft Store for Business to distribute apps with a management tool such as Intune.
In this part of the walkthrough, we'll be working on the <a href="https://manage.microsoft.com/" target="_blank">Microsoft Intune management portal</a> and <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a>.
In this part of the walkthrough, use the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and [Microsoft Store for Business](https://businessstore.microsoft.com/Store/Apps).
**To associate your Store account with Intune and configure synchronization**
1. From the <a href="https://manage.microsoft.com/" target="_blank">Microsoft Intune management portal</a>, select **Admin**.
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. In the **Administration** workspace, click **Mobile Device Management**. If this is the first item you're using the portal, click **manage mobile devices** in the **Mobile Device Management** window. The page will refresh and you'll have new options under **Mobile Device Management**.
**Figure 24** - Mobile device management
![Set up mobile device management in Intune.](images/intune_admin_mdm_configure.png)
:::image type="content" alt-text="Set up mobile device management in Intune." source="images/intune_admin_mdm_configure.png":::
3. Sign into <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a> using the same tenant account that you used to sign into Intune.
3. Sign into [Microsoft Store for Business](https://businessstore.microsoft.com/Store/Apps) using the same tenant account that you used to sign into Intune.
4. Accept the EULA.
5. In the Store portal, select **Settings > Management tools** to go to the management tools page.
6. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune ready to use with Microsoft Store for Business.
**Figure 25** - Activate Intune as the Store management tool
![Activate Intune from the Store portal.](images/wsfb_management_tools_activate.png)
:::image type="content" alt-text="Activate Intune from the Store portal." source="images/wsfb_management_tools_activate.png":::
7. Go back to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Admin > Mobile Device Management**, expand **Windows**, and then choose **Store for Business**.
7. Go back to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Admin > Mobile Device Management**, expand **Windows**, and then choose **Store for Business**.
8. In the **Microsoft Store for Business** page, select **Configure Sync** to sync your Store for Business volume-purchased apps with Intune.
**Figure 26** - Configure Store for Business sync in Intune
![Configure Store for Business sync in Intune.](images/intune_admin_mdm_store_sync.png)
:::image type="content" alt-text="Configure Store for Business sync in Intune." source="images/intune_admin_mdm_store_sync.png":::
9. In the **Configure Microsoft Store for Business app sync** dialog box, check **Enable Microsoft Store for Business sync**. In the **Language** dropdown list, choose the language in which you want apps from the Store to be displayed in the Intune console and then click **OK**.
**Figure 27** - Enable Microsoft Store for Business sync in Intune
![Enable Store for Business sync in Intune.](images/intune_configure_store_app_sync_dialog.png)
:::image type="content" alt-text="Enable Store for Business sync in Intune." source="images/intune_configure_store_app_sync_dialog.png":::
The **Microsoft Store for Business** page will refresh and it will show the details from the sync.
**To buy apps from the Store**
In your <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a> portal, you can see the list of apps that you own by going to **Manage > Inventory**. You should see the following apps in your inventory:
In your [Microsoft Store for Business portal](https://businessstore.microsoft.com/Store/Apps), you can see the list of apps that you own by going to **Manage > Inventory**. You should see the following apps in your inventory:
- Sway
- OneNote
- PowerPoint Mobile
- Excel Mobile
- Word Mobile
In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Apps > Apps > Volume-Purchased Apps** and verify that you can see the same list of apps appear on Intune.
In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Apps > Apps > Volume-Purchased Apps** and verify that you can see the same list of apps appear on Intune.
In the following example, we'll show you how to buy apps through the Microsoft Store for Business and then make sure the apps appear on Intune.
**Example 1 - Add other apps like Reader and InstaNote**
1. In the <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a> portal, click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list.
1. In the [Microsoft Store for Business portal](https://businessstore.microsoft.com/Store/Apps), click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list.
**Figure 28** - Shop for Store apps
![Shop for Store apps.](images/wsfb_shop_microsoft_apps.png)
:::image type="content" alt-text="Shop for Store apps." source="images/wsfb_shop_microsoft_apps.png":::
2. Click to select an app, such as **Reader**. This opens the app page.
3. In the app's Store page, click **Get the app**. You should see a dialog that confirms your order. Click **Close**. This will refresh the app's Store page.
@ -360,7 +361,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S
**Figure 29** - App inventory shows the purchased apps
![Confirm that your inventory shows purchased apps.](images/wsfb_manage_inventory_newapps.png)
:::image type="content" alt-text="Confirm that your inventory shows purchased apps." source="images/wsfb_manage_inventory_newapps.png":::
> [!NOTE]
> Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune to sync all your purchased apps. You can force a sync to make this process happen faster. For more info, see [To sync recently purchased apps](#forceappsync).
@ -369,18 +370,18 @@ In the following example, we'll show you how to buy apps through the Microsoft S
If you need to sync your most recently purchased apps and have it appear in your catalog, you can do this by forcing a sync.
1. In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Admin > Mobile Device Management > Windows > Store for Business**.
1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Admin > Mobile Device Management > Windows > Store for Business**.
2. In the **Microsoft Store for Business** page, click **Sync now** to force a sync.
**Figure 30** - Force a sync in Intune
![Force a sync in Intune.](images/intune_admin_mdm_forcesync.png)
:::image type="content" alt-text="Force a sync in Intune." source="images/intune_admin_mdm_forcesync.png":::
**To view purchased apps**
- In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Apps > Apps** and then choose **Volume-Purchased Apps** to see the list of available apps. Verify that the apps you purchased were imported correctly.
- In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Apps > Apps** and then choose **Volume-Purchased Apps** to see the list of available apps. Verify that the apps you purchased were imported correctly.
**To add more apps**
- If you have other apps that you want to deploy or manage, you must add it to Microsoft Intune. To deploy Win32 apps and Web links, see <a href="/intune/deploy-use/add-apps-for-mobile-devices-in-microsoft-intune" target="_blank">Add apps for enrolled devices to Intune</a> for more info on how to do this.
- If you have other apps that you want to deploy or manage, you must add it to Microsoft Intune. To deploy Win32 apps and Web links, see [Add apps to Microsoft Intune](/mem/intune/apps/apps-add) for more info on how to do this.
## 2. Set up devices
@ -395,7 +396,7 @@ To set up new Windows devices, go through the Windows initial device setup or fi
**Figure 31** - First screen in Windows device setup
![First screen in Windows device setup.](images/win10_hithere.png)
:::image type="content" alt-text="First screen in Windows device setup." source="images/win10_hithere.png":::
> [!NOTE]
> During setup, if you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired/Ethernet connection.
@ -405,13 +406,13 @@ To set up new Windows devices, go through the Windows initial device setup or fi
**Figure 32** - Choose how you'll connect your Windows device
![Choose how you'll connect the Windows device.](images/win10_choosehowtoconnect.png)
:::image type="content" alt-text="Choose how you'll connect the Windows device." source="images/win10_choosehowtoconnect.png":::
4. In the **Let's get you signed in** screen, sign in using a user account you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts.
**Figure 33** - Sign in using one of the accounts you added
![Sign in using one of the accounts you added.](images/win10_signin_admin_account.png)
:::image type="content" alt-text="Sign in using one of the accounts you added." source="images/win10_signin_admin_account.png":::
5. If this is the first time you're signing in, you will be asked to update your password. Update the password and continue with sign-in and setup.
@ -425,16 +426,16 @@ Verify that the device is set up correctly and boots without any issues.
2. Confirm that the Store and built-in apps are working.
### 2.3 Verify the device is Azure AD joined
In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, verify that the device is joined to Azure AD and shows up as being managed in Microsoft Intune.
In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), verify that the device is joined to Azure AD and shows up as being managed in Microsoft Intune.
**To verify if the device is joined to Azure AD**
1. Check the device name on your PC. On your Windows PC, select **Settings > System > About** and then check **PC name**.
**Figure 34** - Check the PC name on your device
![Check the PC name on your device.](images/win10_settings_pcname.png)
:::image type="content" alt-text="Check the PC name on your device." source="images/win10_settings_pcname.png":::
2. Log in to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>.
2. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
3. Select **Groups** and then go to **Devices**.
4. In the **All Devices** page, look at the list of devices and select the entry that matches the name of your PC.
- Check that the device name appears in the list. Select the device and it will also show the current logged-in user in the **General Information** section.
@ -443,7 +444,7 @@ In the <a href="https://manage.microsoft.com/" target="_blank">Intune management
**Figure 35** - Check that the device appears in Intune
![Check that the device appears in Intune.](images/intune_groups_devices_list.png)
:::image type="content" alt-text="Check that the device appears in Intune." source="images/intune_groups_devices_list.png":::
## 3. Manage device settings and features
You can use Microsoft Intune admin settings and policies to manage features on your organization's mobile devices and computers. For more info, see [Manage settings and features on your devices with Microsoft Intune policies](/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies).
@ -454,7 +455,7 @@ In this section, we'll show you how to reconfigure app deployment settings and a
In some cases, if an app is missing from the device, you need to reconfigure the deployment settings for the app and set the app to require installation as soon as possible.
**To reconfigure app deployment settings**
1. In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Apps** and go to **Apps > Volume-Purchased Apps**.
1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Apps** and go to **Apps > Volume-Purchased Apps**.
2. Select the app, right-click, then select **Manage Deployment...**.
3. Select the group(s) whose apps will be managed, and then click **Add** to add the group.
4. Click **Next** at the bottom of the app deployment settings window or select **Deployment Action** on the left column to check the deployment settings for the app.
@ -462,7 +463,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
**Figure 36** - Reconfigure an app's deployment setting in Intune
![Reconfigure app deployment settings in Intune.](images/intune_apps_deploymentaction.png)
:::image type="content" alt-text="Reconfigure app deployment settings in Intune." source="images/intune_apps_deploymentaction.png":::
6. Click **Finish**.
7. Repeat steps 2-6 for other apps that you want to deploy to the device(s) as soon as possible.
@ -472,12 +473,12 @@ In some cases, if an app is missing from the device, you need to reconfigure the
**Figure 37** - Confirm that additional apps were deployed to the device
![Confirm that additional apps were deployed to the device.](images/win10_deploy_apps_immediately.png)
:::image type="content" alt-text="Confirm that additional apps were deployed to the device." source="images/win10_deploy_apps_immediately.png":::
### 3.2 Configure other settings in Intune
**To disable the camera**
1. In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Policy > Configuration Policies**.
1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices > Configuration Policies**.
2. In the **Policies** window, click **Add** to create a new policy.
3. On the **Create a New Policy** page, click **Windows** to expand the group, select **General Configuration (Windows 10 Desktop and Mobile and later)**, choose **Create and Deploy a Custom Policy**, and then click **Create Policy**.
4. On the **Create Policy** page, select **Device Capabilities**.
@ -488,7 +489,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
**Figure 38** - Add a configuration policy
![Add a configuration policy.](images/intune_policy_disablecamera.png)
:::image type="content" alt-text="Add a configuration policy." source="images/intune_policy_disablecamera.png":::
7. Click **Save Policy**. A confirmation window will pop up.
8. On the **Deploy Policy** confirmation window, select **Yes** to deploy the policy now.
@ -497,16 +498,16 @@ In some cases, if an app is missing from the device, you need to reconfigure the
**Figure 39** - The new policy should appear in the **Policies** list.
![New policy appears on the list.](images/intune_policies_newpolicy_deployed.png)
:::image type="content" alt-text="New policy appears on the list." source="images/intune_policies_newpolicy_deployed.png":::
**To turn off Windows Hello and PINs during device setup**
1. In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Admin**.
1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Go to **Mobile Device Management > Windows > Windows Hello for Business**.
3. In the **Windows Hello for Business** page, select **Disable Windows Hello for Business on enrolled devices**.
**Figure 40** - Policy to disable Windows Hello for Business
![Disable Windows Hello for Business.](images/intune_policy_disable_windowshello.png)
:::image type="content" alt-text="Disable Windows Hello for Business." source="images/intune_policy_disable_windowshello.png":::
4. Click **Save**.
@ -533,49 +534,49 @@ For other devices, such as those personally-owned by employees who need to conne
**Figure 41** - Add an Azure AD account to the device
![Add an Azure AD account to the device.](images/win10_add_new_user_join_aad.png)
:::image type="content" alt-text="Add an Azure AD account to the device." source="images/win10_add_new_user_join_aad.png":::
4. In the **Let's get you signed in** window, enter the work credentials for the account and then click **Sign in** to authenticate the user.
**Figure 42** - Enter the account details
![Enter the account details.](images/win10_add_new_user_account_aadwork.png)
:::image type="content" alt-text="Enter the account details." source="images/win10_add_new_user_account_aadwork.png":::
5. You will be asked to update the password so enter a new password.
6. Verify the details to make sure you're connecting to the right organization and then click **Join**.
**Figure 43** - Make sure this is your organization
![Make sure this is your organization.](images/win10_confirm_organization_details.png)
:::image type="content" alt-text="Make sure this is your organization." source="images/win10_confirm_organization_details.png":::
7. You will see a confirmation window that says the device is now connected to your organization. Click **Done**.
**Figure 44** - Confirmation that the device is now connected
![Confirmation that the device is now connected.](images/win10_confirm_device_connected_to_org.png)
:::image type="content" alt-text="Confirmation that the device is now connected." source="images/win10_confirm_device_connected_to_org.png":::
8. The **Connect to work or school** window will refresh and will now include an entry that shows you're connected to your organization's Azure AD. This means the device is now registered in Azure AD and enrolled in MDM and the account should have access to the organization's resources.
**Figure 45** - Device is now enrolled in Azure AD
![Device is enrolled in Azure AD.](images/win10_device_enrolled_in_aad.png)
:::image type="content" alt-text="Device is enrolled in Azure AD." source="images/win10_device_enrolled_in_aad.png":::
9. You can confirm that the new device and user are showing up as Intune-managed by going to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a> and following the steps in [2.3 Verify the device is Azure AD joined](#23-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later.
9. You can confirm that the new device and user are showing up as Intune-managed by going to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and following the steps in [2.3 Verify the device is Azure AD joined](#23-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later.
### 4.2 Add a new user
You can add new users to your tenant simply by adding them to the Microsoft 365 groups. Adding new users to Microsoft 365 groups automatically adds them to the corresponding groups in Microsoft Intune.
See [Add users to Office 365](/microsoft-365/admin/add-users/add-users) to learn more. Once you're done adding new users, go to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a> and verify that the same users were added to the Intune groups as well.
See [Add users to Office 365](/microsoft-365/admin/add-users/add-users) to learn more. Once you're done adding new users, go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and verify that the same users were added to the Intune groups as well.
## Get more info
### For IT admins
To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links:
- <a href="https://support.office.com/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa" target="_blank">Set up Office 365 for business</a>
- Common admin tasks in Office 365 including email and OneDrive in <a href="https://support.office.com/article/Common-management-tasks-for-Office-365-46c667f7-5073-47b9-a75f-05a60cf77d91" target="_blank">Manage Office 365</a>
- More info about managing devices, apps, data, troubleshooting, and more in <a href="/intune/" target="_blank">Intune documentation</a>
- [Set up Office 365 for business](/microsoft-365/admin/setup)
- Common admin tasks in Office 365 including email and OneDrive in [Manage Office 365](/microsoft-365/admin/)
- More info about managing devices, apps, data, troubleshooting, and more in the [/mem/intune/](/mem/intune/)
- Learn more about Windows client in the [Windows client documentation for IT Pros](/windows/resources/).
- Info about distributing apps to your employees, managing apps, managing settings, and more in <a href="/microsoft-store/" target="_blank">Microsoft Store for Business</a>
- Info about distributing apps to your employees, managing apps, managing settings, and more in [Microsoft Store for Business](/microsoft-store/)
### For information workers
Whether it's in the classroom, getting the most out of your devices, or learning some of the cool things you can do, we've got teachers covered. Follow these links for more info:

4
store-for-business/includes/store-for-business-content-updates.md
View File

@ -2,8 +2,10 @@
## Week of April 26, 2021
## Week of November 15, 2021
| Published On |Topic title | Change |
|------|------------|--------|
| 11/16/2021 | [Microsoft Store for Business and Microsoft Store for Education overview (Windows 10)](/microsoft-store/microsoft-store-for-business-overview) | modified |
| 11/19/2021 | [Microsoft Store for Business and Microsoft Store for Education overview (Windows 10)](/microsoft-store/microsoft-store-for-business-overview) | modified |

2
store-for-business/manage-users-and-groups-microsoft-store-for-business.md
View File

@ -44,5 +44,5 @@ If you created a new Azure AD directory when you signed up for Store for Busines
You can use the [Office 365 admin dashboard](https://portal.office.com/adminportal) or [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=691086) to add user accounts to your Azure AD directory. If you'll be using Azure management portal, you'll need an active subscription to [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=708617).
For more information, see:
- [Add user accounts using Office 365 admin dashboard](https://support.office.com/en-us/article/add-users-individually-or-in-bulk-to-office-365-admin-help-1970f7d6-03b5-442f-b385-5880b9c256ec)
- [Add user accounts using Office 365 admin dashboard](/microsoft-365/admin/add-users)
- [Add user accounts using Azure management portal](/azure/active-directory/fundamentals/add-users-azure-active-directory)

338
store-for-business/microsoft-store-for-business-overview.md
View File

@ -27,7 +27,7 @@ ms.date: 07/21/2021
> [!IMPORTANT]
> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options.
Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options. There will be no support for Microsoft Store for Business and Education on Windows 11.
> [!IMPORTANT]
> Customers who are in the Office 365 GCC environment or are eligible to buy with government pricing cannot use Microsoft Store for Business.
@ -164,184 +164,164 @@ For more information, see [Manage settings in the Store for Business](manage-set
Store for Business and Education is currently available in these markets.
### Support for free and paid products
<table>
<tr>
<th align="center" colspan="4">Supports all free and paid products</th>
</tr>
<tr align="left">
<td>
<ul>
<li>Afghanistan</li>
<li>Algeria</li>
<li>Andorra</li>
<li>Angola</li>
<li>Anguilla</li>
<li>Antigua and Barbuda</li>
<li>Argentina</li>
<li>Australia</li>
<li>Austria</li>
<li>Bahamas</li>
<li>Bahrain</li>
<li>Bangladesh</li>
<li>Barbados</li>
<li>Belgium</li>
<li>Belize</li>
<li>Bermuda</li>
<li>Benin</li>
<li>Bhutan</li>
<li>Bolivia</li>
<li>Bonaire</li>
<li>Botswana</li>
<li>Brunei Darussalam</li>
<li>Bulgaria</li>
<li>Burundi</li>
<li>Cambodia</li>
<li>Cameroon</li>
<li>Canada</li>
<li>Cayman Islands</li>
<li>Chile</li>
<li>Colombia</li>
<li>Comoros</li>
<li>Costa Rica</li>
<li>C&ocirc;te D&#39;ivoire</li>
<li>Croatia</li>
<li>Cur&ccedil;ao</li>
<li>Cyprus</li>
<li>Czech Republic</li>
<li>Denmark</li>
<li>Dominican Republic</li>
<li>Ecuador</li>
</ul>
</td>
<td>
<ul>
<li>Egypt</li>
<li>El Salvador</li>
<li>Estonia</li>
<li>Ethiopia</li>
<li>Faroe Islands</li>
<li>Fiji</li>
<li>Finland</li>
<li>France</li>
<li>French Guiana</li>
<li>French Polynesia</li>
<li>Germany</li>
<li>Ghana</li>
<li>Greece</li>
<li>Greenland</li>
<li>Guadeloupe</li>
<li>Guatemala</li>
<li>Honduras</li>
<li>Hong Kong SAR</li>
<li>Hungary</li>
<li>Iceland</li>
<li>Indonesia</li>
<li>Iraq</li>
<li>Ireland</li>
<li>Israel</li>
<li>Italy</li>
<li>Jamaica</li>
<li>Japan</li>
<li>Jersey</li>
<li>Jordan</li>
<li>Kenya</li>
<li>Kuwait</li>
<li>Laos</li>
<li>Latvia</li>
<li>Lebanon</li>
<li>Libya</li>
<li>Liechtenstein</li>
<li>Lithuania</li>
<li>Luxembourg</li>
<li>Macedonia</li>
<li>Madagascar</li>
</ul>
</td>
<td>
<ul>
<li>Malawi</li>
<li>Malaysia</li>
<li>Maldives</li>
<li>Mali</li>
<li>Malta</li>
<li>Marshall Islands</li>
<li>Martinique</li>
<li>Mauritius</li>
<li>Mayotte</li>
<li>Mexico</li>
<li>Mongolia</li>
<li>Montenegro</li>
<li>Morocco</li>
<li>Mozambique</li>
<li>Myanamar</li>
<li>Namibia</li>
<li>Nepal</li>
<li>Netherlands</li>
<li>New Caledonia</li>
<li>New Zealand</li>
<li>Nicaragua</li>
<li>Nigeria</li>
<li>Norway</li>
<li>Oman</li>
<li>Pakistan</li>
<li>Palestinian Authority</li>
<li>Panama</li>
<li>Papua New Guinea</li>
<li>Paraguay</li>
<li>Peru</li>
<li>Philippines</li>
<li>Poland</li>
<li>Portugal</li>
<li>Qatar</li>
<li>Republic of Cabo Verde</li>
<li>Reunion</li>
<li>Romania</li>
<li>Rwanda</li>
<li>Saint Kitts and Nevis</li>
</ul>
</td>
<td>
<ul>
<li>Saint Lucia</li>
<li>Saint Martin</li>
<li>Saint Vincent and the Grenadines</li>
<li>San marino</li>
<li>Saudi Arabia</li>
<li>Senegal</li>
<li>Serbia</li>
<li>Seychelles</li>
<li>Singapore</li>
<li>Sint Maarten</li>
<li>Slovakia</li>
<li>Slovenia</li>
<li>South Africa</li>
<li>Spain</li>
<li>Sri Lanka</li>
<li>Suriname</li>
<li>Sweden</li>
<li>Switzerland</li>
<li>Tanzania</li>
<li>Thailand</li>
<li>Timor-Leste</li>
<li>Togo</li>
<li>Tonga</li>
<li>Trinidad and Tobago</li>
<li>Tunisia</li>
<li>Turkey</li>
<li>Turks and Caicos Islands</li>
<li>Uganda</li>
<li>United Arab Emirates</li>
<li>United Kingdom</li>
<li>United States</li>
<li>Uruguay</li>
<li>Vatican City</li>
<li>Viet Nam</li>
<li>Virgin Islands, U.S.</li>
<li>Zambia</li>
<li>Zimbabwe<br>&nbsp;&nbsp;&nbsp;</li><br/> </ul>
</td>
</tr>
</table>
- Afghanistan
- Algeria
- Andorra
- Angola
- Anguilla
- Antigua and Barbuda
- Argentina
- Australia
- Austria
- Bahamas
- Bahrain
- Bangladesh
- Barbados
- Belgium
- Belize
- Bermuda
- Benin
- Bhutan
- Bolivia
- Bonaire
- Botswana
- Brunei Darussalam
- Bulgaria
- Burundi
- Cambodia
- Cameroon
- Canada
- Cayman Islands
- Chile
- Colombia
- Comoros
- Costa Rica
- Côte D'ivoire
- Croatia
- Curçao
- Cyprus
- Czech Republic
- Denmark
- Dominican Republic
- Ecuador
- Egypt
- El Salvador
- Estonia
- Ethiopia
- Faroe Islands
- Fiji
- Finland
- France
- French Guiana
- French Polynesia
- Germany
- Ghana
- Greece
- Greenland
- Guadeloupe
- Guatemala
- Honduras
- Hong Kong SAR
- Hungary
- Iceland
- Indonesia
- Iraq
- Ireland
- Israel
- Italy
- Jamaica
- Japan
- Jersey
- Jordan
- Kenya
- Kuwait
- Laos
- Latvia
- Lebanon
- Libya
- Liechtenstein
- Lithuania
- Luxembourg
- Macedonia
- Madagascar
- Malawi
- Malaysia
- Maldives
- Mali
- Malta
- Marshall Islands
- Martinique
- Mauritius
- Mayotte
- Mexico
- Mongolia
- Montenegro
- Morocco
- Mozambique
- Myanamar
- Namibia
- Nepal
- Netherlands
- New Caledonia
- New Zealand
- Nicaragua
- Nigeria
- Norway
- Oman
- Pakistan
- Palestinian Authority
- Panama
- Papua New Guinea
- Paraguay
- Peru
- Philippines
- Poland
- Portugal
- Qatar
- Republic of Cabo Verde
- Reunion
- Romania
- Rwanda
- Saint Kitts and Nevis
- Saint Lucia
- Saint Martin
- Saint Vincent and the Grenadines
- San marino
- Saudi Arabia
- Senegal
- Serbia
- Seychelles
- Singapore
- Sint Maarten
- Slovakia
- Slovenia
- South Africa
- Spain
- Sri Lanka
- Suriname
- Sweden
- Switzerland
- Tanzania
- Thailand
- Timor-Leste
- Togo
- Tonga
- Trinidad and Tobago
- Tunisia
- Turkey
- Turks and Caicos Islands
- Uganda
- United Arab Emirates
- United Kingdom
- United States
- Uruguay
- Vatican City
- Viet Nam
- Virgin Islands, U.S.
- Zambia
- Zimbabwe
### Support for free apps
Customers in these markets can use Microsoft Store for Business and Education to acquire free apps:

6
store-for-business/release-history-microsoft-store-business-education.md
View File

@ -1,6 +1,6 @@
---
title: Whats new in Microsoft Store for Business and Education
description: Learn about newest features in Microsoft Store for Business and Microsoft Store for Education.
title: Microsoft Store for Business and Education release history
description: Know the release history of Microsoft Store for Business and Microsoft Store for Education.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@ -18,7 +18,7 @@ manager: dansimp
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases.
Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases.
Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)

8
store-for-business/sfb-change-history.md
View File

@ -76,6 +76,7 @@ ms.localizationpriority: medium
| --- | --- |
| [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md) | New |
| [Microsoft Store for Business and Education overview - supported markets](./microsoft-store-for-business-overview.md#supported-markets) | Updates for added market support. |
| [Manage Windows device deployment with Windows Autopilot Deployment](add-profile-to-devices.md) | New. Information about Windows Autopilot Deployment Program and how it is used in Microsoft Store for Business and Education. |
## June 2017
@ -84,10 +85,3 @@ ms.localizationpriority: medium
| [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md) | New. Information about notification model in Microsoft Store for Business and Education. |
| [Get Minecraft: Education Edition with Windows 10 device promotion](/education/windows/get-minecraft-device-promotion) | New. Information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices. |
| [Microsoft Store for Business and Education overview - supported markets](./microsoft-store-for-business-overview.md#supported-markets) | Updates for added market support. |
## July 2017
| New or changed topic | Description |
| -------------------- | ----------- |
| [Manage Windows device deployment with Windows Autopilot Deployment](add-profile-to-devices.md) | New. Information about Windows Autopilot Deployment Program and how it is used in Microsoft Store for Business and Education. |
| [Microsoft Store for Business and Education overview - supported markets](./microsoft-store-for-business-overview.md#supported-markets) | Updates for added market support. |

2
store-for-business/troubleshoot-microsoft-store-for-business.md
View File

@ -56,7 +56,7 @@ The private store for your organization is a page in Microsoft Store app that co
## Troubleshooting Microsoft Store for Business integration with Microsoft Endpoint Configuration Manager
If you encounter any problems when integrating Microsoft Store for Business with Configuration Manager, use the [troubleshooting guide](https://support.microsoft.com/help/4010214/understand-and-troubleshoot-microsoft-store-for-business-integration-w).
If you encounter any problems when integrating Microsoft Store for Business with Configuration Manager, use the [troubleshooting guide](/troubleshoot/mem/configmgr/troubleshoot-microsoft-store-for-business-integration).
## Still having trouble?

1
windows/application-management/add-apps-and-features.md
View File

@ -12,6 +12,7 @@ ms.date: 08/30/2021
ms.reviewer:
manager: dougeby
ms.topic: article
ms.collection: highpri
---
# Add or hide features on the Windows client OS

4
windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
View File

@ -63,7 +63,7 @@ The computer on which you are installing the Office Deployment Tool must have th
| Prerequisite | Description |
|----------------------|--------------------|
| Prerequisite software | .Net Framework 4 |
| Prerequisite software | .NET Framework 4 |
| Supported operating systems | 64-bit version of Windows 10/11<br>64-bit version of Windows 8 or 8.1<br>64-bit version of Windows 7 |
>[!NOTE]
@ -120,7 +120,7 @@ The XML file included in the Office Deployment Tool specifies the product detail
|--------------|----------------------------|----------------|
| Add element | Specifies which products and languages the package will include. | N/A |
| **OfficeClientEdition** (attribute of **Add** element) | Specifies whether Office 2016 32-bit or 64-bit edition will be used. **OfficeClientEdition**  must be set to a valid value for the operation to succeed. | `OfficeClientEdition="32"`<br>`OfficeClientEdition="64"` |
| Product element | Specifies the application. Project 2016 and Visio 2016 must be specified here as added products to include them in the applications.<br>For more information about Product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297). | `Product ID ="O365ProPlusRetail"`<br>`Product ID ="VisioProRetail"`<br>`Product ID ="ProjectProRetail"` |
| Product element | Specifies the application. Project 2016 and Visio 2016 must be specified here as added products to include them in the applications.<br>For more information about Product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](/office365/troubleshoot/installation). | `Product ID ="O365ProPlusRetail"`<br>`Product ID ="VisioProRetail"`<br>`Product ID ="ProjectProRetail"` |
| Language element | Specifies which language the applications support. | `Language ID="en-us"` |
| Version (attribute of **Add** element) | Optional. Specifies which build the package will use.<br>Defaults to latest advertised build (as defined in v32.CAB at the Office source). | `16.1.2.3` |
| SourcePath (attribute of **Add** element) | Specifies the location the applications will be saved to. | `Sourcepath = "\\Server\Office2016"` |

59
windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
View File

@ -24,56 +24,15 @@ Use the following procedure to configure the App-V for reporting.
2. After you have enabled the App-V client, use the **Set-AppvClientConfiguration** cmdlet to configure appropriate Reporting Configuration settings:
<table>
<colgroup>
<col width="30%" />
<col width="70%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Setting</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>ReportingEnabled</p></td>
<td align="left"><p>Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client.</p></td>
</tr>
<tr class="even">
<td align="left"><p>ReportingServerURL</p></td>
<td align="left"><p>Specifies the location on the reporting server where client information is saved. For example, https://&lt;reportingservername&gt;:&lt;reportingportnumber&gt;.</p>
<div class="alert">
<strong>Note</strong><br/><p>This is the port number that was assigned during the Reporting Server setup</p>
</div>
<div>
</div></td>
</tr>
<tr class="odd">
<td align="left"><p>Reporting Start Time</p></td>
<td align="left"><p>This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23.</p></td>
</tr>
<tr class="even">
<td align="left"><p>ReportingRandomDelay</p></td>
<td align="left"><p>Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>ReportingInterval</p></td>
<td align="left"><p>Specifies the retry interval that the client will use to resend data to the reporting server.</p></td>
</tr>
<tr class="even">
<td align="left"><p>ReportingDataCacheLimit</p></td>
<td align="left"><p>Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>ReportingDataBlockSize</p></td>
<td align="left"><p>Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.</p></td>
</tr>
</tbody>
</table>
|Setting|Description|
|--- |--- |
|ReportingEnabled|Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client.|
|ReportingServerURL|Specifies the location on the reporting server where client information is saved. For example, https://&lt;reportingservername&gt;:&lt;reportingportnumber&gt;.<br> **Note:** <br>This is the port number that was assigned during the Reporting Server setup|
|Reporting Start Time|This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23.|
|ReportingRandomDelay|Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data.|
|ReportingInterval|Specifies the retry interval that the client will use to resend data to the reporting server.|
|ReportingDataCacheLimit|Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.|
|ReportingDataBlockSize|Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.|
3. After the appropriate settings have been configured, the computer running the App-V client will automatically collect data and will send the data back to the reporting server.

56
windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
View File

@ -69,28 +69,10 @@ This topic explains the following procedures:
2. Use the following cmdlets, and add the optional **UserSID** parameter, where **-UserSID** represents the end users security identifier (SID):
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Cmdlet</th>
<th align="left">Examples</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Enable-AppVClientConnectionGroup</p></td>
<td align="left"><p>Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345</p></td>
</tr>
<tr class="even">
<td align="left"><p>Disable-AppVClientConnectionGroup</p></td>
<td align="left"><p>Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345</p></td>
</tr>
</tbody>
</table>
|Cmdlet|Examples|
|--- |--- |
|Enable-AppVClientConnectionGroup|Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345|
|Disable-AppVClientConnectionGroup|Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345|
## To allow only administrators to enable connection groups
@ -102,33 +84,9 @@ This topic explains the following procedures:
2. Run the following cmdlet and parameter:
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Cmdlet</th>
<th align="left">Parameter and values</th>
<th align="left">Example</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Set-AppvClientConfiguration</p></td>
<td align="left"><p>-RequirePublishAsAdmin</p>
<ul>
<li><p>0 - False</p></li>
<li><p>1 - True</p></li>
</ul></td>
<td align="left"><p>Set-AppvClientConfiguration -RequirePublishAsAdmin 1</p></td>
</tr>
</tbody>
</table>
|Cmdlet|Parameter and values|Example|
|--- |--- |--- |
|Set-AppvClientConfiguration|-RequirePublishAsAdmin<li>0 - False<li>1 - True|Set-AppvClientConfiguration -RequirePublishAsAdmin<br>1|
<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).

54
windows/application-management/app-v/appv-managing-connection-groups.md
View File

@ -24,50 +24,16 @@ In some previous versions of App-V, connection groups were referred to as Dynami
**In this section:**
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><a href="appv-connection-group-virtual-environment.md" data-raw-source="[About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)">About the Connection Group Virtual Environment</a></p></td>
<td align="left"><p>Describes the connection group virtual environment.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="appv-connection-group-file.md" data-raw-source="[About the Connection Group File](appv-connection-group-file.md)">About the Connection Group File</a></p></td>
<td align="left"><p>Describes the connection group file.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="appv-create-a-connection-group.md" data-raw-source="[How to Create a Connection Group](appv-create-a-connection-group.md)">How to Create a Connection Group</a></p></td>
<td align="left"><p>Explains how to create a new connection group.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="appv-create-a-connection-group-with-user-published-and-globally-published-packages.md" data-raw-source="[How to Create a Connection Group with User-Published and Globally Published Packages](appv-create-a-connection-group-with-user-published-and-globally-published-packages.md)">How to Create a Connection Group with User-Published and Globally Published Packages</a></p></td>
<td align="left"><p>Explains how to create a new connection group that contains a mix of packages that are published to the user and published globally.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="appv-delete-a-connection-group.md" data-raw-source="[How to Delete a Connection Group](appv-delete-a-connection-group.md)">How to Delete a Connection Group</a></p></td>
<td align="left"><p>Explains how to delete a connection group.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="appv-publish-a-connection-group.md" data-raw-source="[How to Publish a Connection Group](appv-publish-a-connection-group.md)">How to Publish a Connection Group</a></p></td>
<td align="left"><p>Explains how to publish a connection group.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="appv-configure-connection-groups-to-ignore-the-package-version.md" data-raw-source="[How to Make a Connection Group Ignore the Package Version](appv-configure-connection-groups-to-ignore-the-package-version.md)">How to Make a Connection Group Ignore the Package Version</a></p></td>
<td align="left"><p>Explains how to configure a connection group to accept any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="appv-allow-administrators-to-enable-connection-groups.md" data-raw-source="[How to Allow Only Administrators to Enable Connection Groups](appv-allow-administrators-to-enable-connection-groups.md)">How to Allow Only Administrators to Enable Connection Groups</a></p></td>
<td align="left"><p>Explains how to configure the App-V client so that only administrators (not end users) can enable or disable connection groups.</p></td>
</tr></tbody>
</table>
|Links|Description|
|--- |--- |
|[About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)|Describes the connection group virtual environment.|
|[About the Connection Group File](appv-connection-group-file.md)|Describes the connection group file.|
|[How to Create a Connection Group](appv-create-a-connection-group.md)|Explains how to create a new connection group.|
|[How to Create a Connection Group with User-Published and Globally Published Packages](appv-create-a-connection-group-with-user-published-and-globally-published-packages.md)|Explains how to create a new connection group that contains a mix of packages that are published to the user and published globally.|
|[How to Delete a Connection Group](appv-delete-a-connection-group.md)|Explains how to delete a connection group.|
|[How to Publish a Connection Group](appv-publish-a-connection-group.md)|Explains how to publish a connection group.|
|[How to Make a Connection Group Ignore the Package Version](appv-configure-connection-groups-to-ignore-the-package-version.md)|Explains how to configure a connection group to accept any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create.|
[How to Allow Only Administrators to Enable Connection Groups](appv-allow-administrators-to-enable-connection-groups.md)|Explains how to configure the App-V client so that only administrators (not end users) can enable or disable connection groups.|
<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).

167
windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
View File

@ -26,35 +26,9 @@ You can now use the package converter to convert App-V 4.6 packages that contain
You can also use the `OSDsToIncludeInPackage` parameter with the `ConvertFrom-AppvLegacyPackage` cmdlet to specify which .osd files information is converted and placed within the new package.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">New in App-V for Windows client</th>
<th align="left">Prior to App-V for Windows 10</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>New .xml files are created corresponding to the .osd files associated with a package; these files include the following information:</p>
<ul>
<li><p>environment variables</p></li>
<li><p>shortcuts</p></li>
<li><p>file type associations</p></li>
<li><p>registry information</p></li>
<li><p>scripts</p></li>
</ul>
<p>You can now choose to add information from a subset of the .osd files in the source directory to the package using the <code>-OSDsToIncludeInPackage</code> parameter.</p></td>
<td align="left"><p>Registry information and scripts included in .osd files associated with a package were not included in package converter output.</p>
<p>The package converter would populate the new package with information from all of the .osd files in the source directory.</p></td>
</tr>
</tbody>
</table>
|New in App-V for Windows client|Prior to App-V for Windows 10|
|--- |--- |
|New .xml files are created corresponding to the .osd files associated with a package; these files include the following information:<li>environment variables<li>shortcuts<li>file type associations<li>registry information<li>scripts<br> <br>You can now choose to add information from a subset of the .osd files in the source directory to the package using the -OSDsToIncludeInPackage parameter.|Registry information and scripts included in .osd files associated with a package were not included in package converter output.<br> <br>The package converter would populate the new package with information from all of the .osd files in the source directory.|
### Example conversion statement
@ -102,65 +76,10 @@ ConvertFrom-AppvLegacyPackage SourcePath \\OldPkgStore\ContosoApp\
**In the above example:**
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">These Source directory files…</th>
<th align="left">…are converted to these Destination directory files…</th>
<th align="left">…and will contain these items</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><ul>
<li><p>X.osd</p></li>
<li><p>Y.osd</p></li>
<li><p>Z.osd</p></li>
</ul></td>
<td align="left"><ul>
<li><p>X_Config.xml</p></li>
<li><p>Y_Config.xml</p></li>
<li><p>Z_Config.xml</p></li>
</ul></td>
<td align="left"><ul>
<li><p>Environment variables</p></li>
<li><p>Shortcuts</p></li>
<li><p>File type associations</p></li>
<li><p>Registry information</p></li>
<li><p>Scripts</p></li>
</ul></td>
<td align="left"><p>Each .osd file is converted to a separate, corresponding .xml file that contains the items listed here in App-V deployment configuration format. These items can then be copied from these .xml files and placed in the deployment configuration or user configuration files as desired.</p>
<p>In this example, there are three .xml files, corresponding with the three .osd files in the source directory. Each .xml file contains the environment variables, shortcuts, file type associations, registry information, and scripts in its corresponding .osd file.</p></td>
</tr>
<tr class="even">
<td align="left"><ul>
<li><p>X.osd</p></li>
<li><p>Y.osd</p></li>
</ul></td>
<td align="left"><ul>
<li><p>ContosoApp.appv</p></li>
<li><p>ContosoApp_DeploymentConfig.xml</p></li>
<li><p>ContosoApp_UserConfig.xml</p></li>
</ul></td>
<td align="left"><ul>
<li><p>Environment variables</p></li>
<li><p>Shortcuts</p></li>
<li><p>File type associations</p></li>
</ul></td>
<td align="left"><p>The information from the .osd files specified in the <code>-OSDsToIncludeInPackage</code> parameter are converted and placed inside the package. The converter then populates the deployment configuration file and the user configuration file with the contents of the package, just as App-V Sequencer does when sequencing a new package.</p>
<p>In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the <code>-OSDsToIncludeInPackage</code> parameter. No information from Z.osd was included in the package, because it was not included as one of these arguments.</p></td>
</tr>
</tbody>
</table>
|These Source directory files…|…are converted to these Destination directory files…|…and will contain these items|Description|
|--- |--- |--- |--- |
|<li>X.osd<li>Y.osd<li>Z.osd|<li>X_Config.xml<li>Y_Config.xml<li>Z_Config.xml|<li>Environment variables:<li>Shortcuts<li>File type associations<li>Registry information<li>Scripts|Each .osd file is converted to a separate, corresponding .xml file that contains the items listed here in App-V deployment configuration format. These items can then be copied from these .xml files and placed in the deployment configuration or user configuration files as desired.<br>In this example, there are three .xml files, corresponding with the three .osd files in the source directory. Each .xml file contains the environment variables, shortcuts, file type associations, registry information, and scripts in its corresponding .osd file.|
|<li>X.osd<li>Y.osd|<li>ContosoApp.appv <li>ContosoApp_DeploymentConfig.xml <li>ContosoApp_UserConfig.xml|<li>Environment variables<li>Shortcuts<li>File type associations|The information from the .osd files specified in the -OSDsToIncludeInPackage parameter are converted and placed inside the package. The converter then populates the deployment configuration file and the user configuration file with the contents of the package, just as App-V Sequencer does when sequencing a new package.<br>In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the -OSDsToIncludeInPackage parameter. No information from Z.osd was included in the package, because it was not included as one of these arguments.|
## Converting packages created using a prior version of App-V
@ -175,34 +94,11 @@ After you convert an existing package you should test the package prior to deplo
**What to know before you convert existing packages**
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Issue</th>
<th align="left">Workaround</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Virtual packages using DSC are not linked after conversion.</p></td>
<td align="left"><p>Link the packages using connection groups. See <a href="appv-managing-connection-groups.md" data-raw-source="[Managing Connection Groups](appv-managing-connection-groups.md)">Managing Connection Groups</a>.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Environment variable conflicts are detected during conversion.</p></td>
<td align="left"><p>Resolve any conflicts in the associated <strong>.osd</strong> file.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Hard-coded paths are detected during conversion.</p></td>
<td align="left"><p>Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it is recommended to re-sequence the package.</p></td>
</tr>
</tbody>
</table>
|Issue|Workaround|
|--- |--- |
|Virtual packages using DSC are not linked after conversion.|Link the packages using connection groups. See [Managing Connection Groups](appv-managing-connection-groups.md).|
|Environment variable conflicts are detected during conversion.|Resolve any conflicts in the associated **.osd** file.|
|Hard-coded paths are detected during conversion.|Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it is recommended to re-sequence the package.|
When converting a package check for failing files or shortcuts, locate the item in App-V 4.6 package. It could possibly be a hard-coded path. Convert the path.
@ -218,39 +114,12 @@ If a converted package does not open after you convert it, it is also recommende
There is no direct method to upgrade to a full App-V infrastructure. Use the information in the following section for information about upgrading the App-V server.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Task</th>
<th align="left">More Information</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Review prerequisites.</p></td>
<td align="left"><p><a href="appv-prerequisites.md#app-v-server-prerequisite-software" data-raw-source="[App-V Server prerequisite software](appv-prerequisites.md#app-v-server-prerequisite-software)">App-V Server prerequisite software</a>.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Enable the App-V client.</p></td>
<td align="left"><p><a href="appv-enable-the-app-v-desktop-client.md" data-raw-source="[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)">Enable the App-V desktop client</a>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Install App-V Server.</p></td>
<td align="left"><p><a href="appv-deploy-the-appv-server.md" data-raw-source="[How to Deploy the App-V Server](appv-deploy-the-appv-server.md)">How to Deploy the App-V Server</a>.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Migrate existing packages.</p></td>
<td align="left"><p>See <a href="#converting-packages-created-using-a-prior-version-of-app-v" data-raw-source="[Converting packages created using a prior version of App-V](#converting-packages-created-using-a-prior-version-of-app-v)">Converting packages created using a prior version of App-V</a> earlier in this topic.</p></td>
</tr>
</tbody>
</table>
|Task|More Information|
|--- |--- |
|Review prerequisites.|[App-V Server prerequisite software](appv-prerequisites.md#app-v-server-prerequisite-software)|
|Enable the App-V client.|[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)|
|Install App-V Server.|[How to Deploy the App-V Server](appv-deploy-the-appv-server.md)|
|Migrate existing packages.|See [Converting packages created using a prior version of App-V](#converting-packages-created-using-a-prior-version-of-app-v) earlier in this topic.|
<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).

545
windows/application-management/app-v/appv-performance-guidance.md
View File

@ -35,16 +35,16 @@ You should read and understand the following information before reading this doc
- [App-V Sequencing Guide](https://www.microsoft.com/download/details.aspx?id=27760)
**Note**  
Some terms used in this document may have different meanings depending on external source and context. For more information about terms used in this document followed by an asterisk <strong>*</strong> review the [Application Virtualization Performance Guidance Terminology](#bkmk-terms1) section of this document.
> [!Note]
> Some terms used in this document may have different meanings depending on external source and context. For more information about terms used in this document followed by an asterisk `*`, review the [Application Virtualization Performance Guidance Terminology](#bkmk-terms1) section of this document.
Finally, this document will provide you with the information to configure the computer running App-V client and the environment for optimal performance. Optimize your virtual application packages for performance using the sequencer, and to understand how to use User Experience Virtualization (UE-V) or other user environment management technologies to provide the optimal user experience with App-V in both Remote Desktop Services (RDS) and non-persistent virtual desktop infrastructure (VDI).
To help determine what information is relevant to your environment you should review each sections brief overview and applicability checklist.
To help determine what information is relevant to your environment, you should review each sections brief overview and applicability checklist.
## <a href="" id="---------app-v-5-1-in-stateful--non-persistent-deployments"></a> App-V in stateful\* non-persistent deployments
This section provides information about an approach that helps ensure a user will have access to all virtual applications within seconds after logging in. This is achieved by uniquely addressing the often long-running App-V publishing refresh. As you will discover the basis of the approach, the fastest publishing refresh, is one that doesnt have to actually do anything. A number of conditions must be met and steps followed to provide the optimal user experience.
This section provides information about an approach that helps ensure a user will have access to all virtual applications within seconds after logging in. This is achieved by uniquely addressing the often long-running App-V publishing refresh. As you will discover the basis of the approach, the fastest publishing refresh, is one that doesnt have to actually do anything. Many conditions must be met and steps followed to provide the optimal user experience.
Use the information in the following section for more information:
@ -72,199 +72,97 @@ Use the information in the following section for more information:
### <a href="" id="applicability-checklist-"></a>Applicability Checklist
Deployment Environment
|Checklist|Deployment Environment|
|--- |--- |
|![Checklist box](images/checklistbox.gif)|Non-Persistent VDI or RDSH.|
|![Checklist box](images/checklistbox.gif)|User Experience Virtualization (UE-V), other UPM solutions or User Profile Disks (UPD).|
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
<td align="left"><p>Non-Persistent VDI or RDSH.</p></td>
</tr>
<tr class="even">
<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
<td align="left"><p>User Experience Virtualization (UE-V), other UPM solutions or User Profile Disks (UPD).</p></td>
</tr>
</tbody>
</table>
|Checklist|Expected Configuration|
|--- |--- |
|![Checklist box](images/checklistbox.gif)|User Experience Virtualization (UE-V) with the App-V user state template enabled or User Profile Management (UPM) software. Non-UE-V UPM software must be capable of triggering on Login or Process/Application Start and Logoff.|
|![Checklist box](images/checklistbox.gif)|App-V Shared Content Store (SCS) is configured or can be configured.|
Expected Configuration
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
<td align="left"><p>User Experience Virtualization (UE-V) with the App-V user state template enabled or User Profile Management (UPM) software. Non-UE-V UPM software must be capable of triggering on Login or Process/Application Start and Logoff.</p></td>
</tr>
<tr class="even">
<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
<td align="left"><p>App-V Shared Content Store (SCS) is configured or can be configured.</p></td>
</tr>
</tbody>
</table>
IT Administration
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><img src="images/checklistbox.gif" alt="Checklist box" /></td>
<td align="left"><p>Admin may need to update the VM base image regularly to ensure optimal performance or Admin may need to manage multiple images for different user groups.</p></td>
</tr>
</tbody>
</table>
|Checklist|IT Administration|
|--- |--- |
|![Checklist box](images/checklistbox.gif)|Admin may need to update the VM base image regularly to ensure optimal performance or Admin may need to manage multiple images for different user groups.|
### <a href="" id="bkmk-us"></a>Usage Scenarios
As you review the two scenarios, keep in mind that these approach the extremes. Based on your usage requirements, you may choose to apply these steps to a subset of users, virtual application packages, or both.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Optimized for Performance</th>
<th align="left">Optimized for Storage</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>To provide the most optimal user experience, this approach leverages the capabilities of a UPM solution and requires additional image preparation and can incur some additional image management overhead.</p>
<p>The following describes many performance improvements in stateful non-persistent deployments. For more information, see <a href="#sequencing-steps-to-optimize-packages-for-publishing-performance" data-raw-source="[Sequencing Steps to Optimize Packages for Publishing Performance](#sequencing-steps-to-optimize-packages-for-publishing-performance)">Sequencing Steps to Optimize Packages for Publishing Performance</a> later in this topic.</p></td>
<td align="left"><p>The general expectations of the previous scenario still apply here. However, keep in mind that VM images are typically stored in very costly arrays; a slight alteration has been made to the approach. Do not pre-configure user-targeted virtual application packages in the base image.</p>
<p>The impact of this alteration is detailed in the <a href="#bkmk-uewt" data-raw-source="[User Experience Walk-through](#bkmk-uewt)">User Experience Walk-through</a> section of this document.</p></td>
</tr>
</tbody>
</table>
- **Performance**: To provide the most optimal user experience, this approach uses the capabilities of a UPM solution and requires extra image preparation and can incur some more image management overhead.
The following describes many performance improvements in stateful non-persistent deployments. For more information, see [Sequencing Steps to Optimize Packages for Publishing Performance](#sequencing-steps-to-optimize-packages-for-publishing-performance) (in this article).
- **Storage**: The general expectations of the previous scenario still apply here. However, keep in mind that VM images are typically stored in costly arrays; a slight alteration has been made to the approach. Do not pre-configure user-targeted virtual application packages in the base image.
The impact of this alteration is detailed in the [User Experience Walk-through](#bkmk-uewt) (in this article).
### <a href="" id="bkmk-pe"></a>Preparing your Environment
The following table displays the required steps to prepare the base image and the UE-V or another UPM solution for the approach.
The following information displays the required steps to prepare the base image and the UE-V or another UPM solution for the approach.
**Prepare the Base Image**
#### Prepare the Base Image
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Optimized for Performance</th>
<th align="left">Optimized for Storage</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p></p>
<ul>
<li><p>Enable the App-V client as described in <a href="appv-enable-the-app-v-desktop-client.md" data-raw-source="[Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md)">Enable the App-V in-box client</a>.</p></li>
<li><p>Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.</p></li>
<li><p>Configure for Shared Content Store (SCS) mode. For more information see <a href="appv-deploying-the-appv-sequencer-and-client.md" data-raw-source="[Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md)">Deploying the App-V Sequencer and Configuring the Client</a>.</p></li>
<li><p>Configure Preserve User Integrations on Login Registry DWORD.</p></li>
<li><p>Pre-configure all user- and global-targeted packages for example, <strong>Add-AppvClientPackage</strong>.</p></li>
<li><p>Pre-configure all user- and global-targeted connection groups for example, <strong>Add-AppvClientConnectionGroup</strong>.</p></li>
<li><p>Pre-publish all global-targeted packages.</p>
<p></p>
<p>Alternatively,</p>
<ul>
<li><p>Perform a global publishing/refresh.</p></li>
<li><p>Perform a user publishing/refresh.</p></li>
<li><p>Un-publish all user-targeted packages.</p></li>
<li><p>Delete the following user-Virtual File System (VFS) entries.</p></li>
</ul>
<p><code>AppData\Local\Microsoft\AppV\Client\VFS</code></p>
<p><code>AppData\Roaming\Microsoft\AppV\Client\VFS</code></p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>Enable the App-V client as described in <a href="appv-enable-the-app-v-desktop-client.md" data-raw-source="[Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md)">Enable the App-V in-box client</a>.</p></li>
<li><p>Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.</p></li>
<li><p>Configure for Shared Content Store (SCS) mode. For more information see <a href="appv-deploying-the-appv-sequencer-and-client.md" data-raw-source="[Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md)">Deploying the App-V Sequencer and Configuring the Client</a>.</p></li>
<li><p>Configure Preserve User Integrations on Login Registry DWORD.</p></li>
<li><p>Pre-configure all global-targeted packages for example, <strong>Add-AppvClientPackage</strong>.</p></li>
<li><p>Pre-configure all global-targeted connection groups for example, <strong>Add-AppvClientConnectionGroup</strong>.</p></li>
<li><p>Pre-publish all global-targeted packages.</p>
<p></p></li>
</ul></td>
</tr>
</tbody>
</table>
- **Performance**:
- Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md).
- Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.
- Configure for Shared Content Store (SCS) mode. For more information, see [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md).
- Configure Preserve User Integrations on Login Registry DWORD.
- Pre-configure all user and global-targeted packages, for example, **Add-AppvClientPackage**.
- Pre-configure all user- and global-targeted connection groups, for example, **Add-AppvClientConnectionGroup**.
- Pre-publish all global-targeted packages. Or:
- Perform a global publishing/refresh.
- Perform a user publishing/refresh.
- Unpublish all user-targeted packages.
- Delete the following user-Virtual File System (VFS) entries:
**Configurations** - For critical App-V Client configurations and for a little more context and how-to, review the following information:
- `AppData\Local\Microsoft\AppV\Client\VFS`
- `AppData\Roaming\Microsoft\AppV\Client\VFS`
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Configuration Setting</th>
<th align="left">What does this do?</th>
<th align="left">How should I use it?</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Shared Content Store (SCS) Mode</p>
<ul>
<li><p>Configurable in Windows PowerShell with <code>Set-AppvClientConfiguration -SharedContentStoreMode 1</code><br>or configurable with Group Policy, as described in <a href="appv-deploying-the-appv-sequencer-and-client.md" data-raw-source="[Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md)">Deploying the App-V Sequencer and Configuring the Client</a>.</p></li>
</ul></td>
<td align="left"><p>When running the shared content store only publishing data is maintained on hard disk; other virtual application assets are maintained in memory (RAM).</p>
<p>This helps to conserve local storage and minimize disk I/O per second (IOPS).</p></td>
<td align="left"><p>This is recommended when low-latency connections are available between the App-V Client endpoint and the SCS content server, SAN.</p></td>
</tr>
<tr class="even">
<td align="left"><p>PreserveUserIntegrationsOnLogin</p>
<ul>
<li><p>Configure in the Registry under <strong>HKEY_LOCAL_MACHINE</strong> \ <strong>Software</strong> \ <strong>Microsoft</strong> \ <strong>AppV</strong> \ <strong>Client</strong> \ <strong>Integration</strong>.</p></li>
<li><p>Create the DWORD value <strong>PreserveUserIntegrationsOnLogin</strong> with a value of <strong>1</strong>.</p></li>
<li><p>Restart the App-V client service or restart the computer running the App-V Client.</p></li>
</ul></td>
<td align="left"><p>If you have not pre-configured (<strong>Add-AppvClientPackage</strong>) a specific package and this setting is not configured, the App-V Client will de-integrate* the persisted user integrations, then re-integrate*.</p>
<p>For every package that meets the above conditions, effectively twice the work will be done during publishing/refresh.</p></td>
<td align="left"><p>If you dont plan to pre-configure every available user package in the base image, use this setting.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>MaxConcurrentPublishingRefresh</p>
<ul>
<li><p>Configure in the Registry under <strong>HKEY_LOCAL_MACHINE</strong> \ <strong>Software</strong> \ <strong>Microsoft</strong> \ <strong>AppV</strong> \ <strong>Client</strong> \ <strong>Publishing</strong>.</p></li>
<li><p>Create the DWORD value <strong>MaxConcurrentPublishingrefresh</strong> with the desired maximum number of concurrent publishing refreshes.</p></li>
<li><p>The App-V client service and computer do not need to be restarted.</p></li>
</ul></td>
<td align="left"><p>This setting determines the number of users that can perform a publishing refresh/sync at the same time. The default setting is no limit.</p></td>
<td align="left"><p>Limiting the number of concurrent publishing refreshes prevents excessive CPU usage that could impact computer performance. This limit is recommended in an RDS environment, where multiple users can log in to the same computer at the same time and perform a publishing refresh sync.</p>
<p>If the concurrent publishing refresh threshold is reached, the time required to publish new applications and make them available to end users after they log in could take an indeterminate amount of time.</p></td>
</tr>
</tbody>
</table>
- **Storage**:
- Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md).
- Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.
- Configure for Shared Content Store (SCS) mode. For more information, see [Deploying the
App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md).
- Configure Preserve User Integrations on Login Registry DWORD.
- Pre-configure all global-targeted packages, for example, **Add-AppvClientPackage**.
- Pre-configure all global-targeted connection groups, for example, **Add-AppvClientConnectionGroup**.
- Pre-publish all global-targeted packages.
#### Configurations
For critical App-V Client configurations and for a little more context and how-to, review the following configuration settings:
- **Shared Content Store (SCS) Mode**: When running the shared content store only publishing data is maintained on hard disk; other virtual application assets are maintained in memory (RAM). This helps to conserve local storage and minimize disk I/O per second (IOPS).
This setting is recommended when low-latency connections are available between the App-V Client endpoint and the SCS content server, SAN.
- Configurable in Windows PowerShell: `Set-AppvClientConfiguration -SharedContentStoreMode 1`
- Configurable with Group Policy: See [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md).
- **PreserveUserIntegrationsOnLogin**: If you have not pre-configured (**Add-AppvClientPackage**) a specific package and this setting is not configured, the App-V Client will de-integrate* the persisted user integrations, then reintegrate*.
For every package that meets the above conditions, effectively twice the work will be done during publishing/refresh.
If you dont plan to pre-configure every available user package in the base image, use this setting.
- Configure in the Registry under `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Integration`.
- Create the DWORD value **PreserveUserIntegrationsOnLogin** with a value of 1.
- Restart the App-V client service or restart the computer running the App-V Client.
- **MaxConcurrentPublishingRefresh**: This setting determines the number of users that can perform a publishing refresh/sync at the same time. The default setting is no limit.
Limiting the number of concurrent publishing refreshes prevents excessive CPU usage that could impact computer performance. This limit is recommended in an RDS environment, where multiple users can log in to the same computer at the same time and perform a publishing refresh sync.
If the concurrent publishing refresh threshold is reached, the time required to publish new applications and make them available to end users after they log in could take an indeterminate amount of time.
- Configure in the Registry under `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Publishing`.
- Create the DWORD value **MaxConcurrentPublishingrefresh** with the desired maximum number of concurrent publishing refreshes.
- The App-V client service and computer do not need to be restarted.
### Configure UE-V solution for App-V Approach
@ -278,8 +176,8 @@ For more information, see:
In essence all that is required is to enable the UE-V service and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information about UE-V templates, see [User Experience Virtualization (UE-V) for Windows client overview](/windows/configuration/ue-v/uev-for-windows).
**Note**  
Without performing an additional configuration step, User Environment Virtualization (UE-V) will not be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default.
> [!Note]
> Without performing an additional configuration step, User Environment Virtualization (UE-V) will not be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default.
UE-V will only support removing the .lnk file type from the exclusion list in the RDS and VDI scenarios, where every users device will have the same set of applications installed to the same location and every .lnk file is valid for all the users devices. For example, UE-V would not currently support the following two scenarios, because the net result will be that the shortcut will be valid on one but not all devices.
@ -287,12 +185,10 @@ UE-V will only support removing the .lnk file type from the exclusion list in th
- If a user has an application installed on one device but not another with .lnk files enabled.
**Important**  
This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk.
> [!Important]
> This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk.
Using the Microsoft Registry Editor (regedit.exe), navigate to **HKEY\_LOCAL\_MACHINE** \\ **Software** \\ **Microsoft** \\ **UEV** \\ **Agent** \\ **Configuration** \\ **ExcludedFileTypes** and remove **.lnk** from the excluded file types.
Using the Microsoft Registry Editor (regedit.exe), navigate to `HKEY\_LOCAL\_MACHINE\Software\Microsoft\UEV\Agent\Configuration\ExcludedFileTypes` and remove `.lnk` from the excluded file types.
## Configure other User Profile Management (UPM) solutions for App-V Approach
@ -308,12 +204,11 @@ To enable an optimized login experience, for example the App-V approach for the
- Attaching and detaching a user profile disk (UPD) or similar technology that contains the user integrations.
**Note**  
App-V is supported when using UPD only when the entire profile is stored on the user profile disk.
App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver does not handle UPD selected folders.
> [!Note]
>
> App-V is supported when using UPD only when the entire profile is stored on the user profile disk.
>
> App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver does not handle UPD selected folders.
- Capturing changes to the locations, which constitute the user integrations, prior to session logoff.
@ -355,84 +250,62 @@ Registry HKEY\_CURRENT\_USER
This following is a step-by-step walk-through of the App-V and UPM operations and the expectations users should expect.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Optimized for Performance</th>
<th align="left">Optimized for Storage</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>After implementing this approach in the VDI/RDSH environment, on first login,</p>
<ul>
<li><p>(Operation) A user-publishing/refresh is initiated. (Expectation) If this is the first time a user has published virtual applications (e.g. non-persistent), this will take the usual duration of a publishing/refresh.</p></li>
<li><p>(Operation) After the publishing/refresh, the UPM solution captures the user integrations. (Expectation) Depending on how the UPM solution is configured, this may occur as part of the logoff process. This will incur the same/similar overhead as persisting the user state.</p></li>
</ul>
<p>On subsequent logins:</p>
<ul>
<li><p>(Operation) UPM solution applies the user integrations to the system prior to publishing/refresh.</p>
<p>(Expectation) There will be shortcuts present on the desktop, or in the start menu, which work immediately. When the publishing/refresh completes (i.e., package entitlements change), some may go away.</p></li>
<li><p>(Operation) Publishing/refresh will process un-publish and publish operations for changes in user package entitlements. (Expectation) If there are no entitlement changes, publishing1 will complete in seconds. Otherwise, the publishing/refresh will increase relative to the number and complexity* of virtual applications</p></li>
<li><p>(Operation) UPM solution will capture user integrations again at logoff. (Expectation) Same as previous.</p></li>
</ul>
<p>¹ The publishing operation (<strong>Publish-AppVClientPackage</strong>) adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps.</p></td>
<td align="left"><p>After implementing this approach in the VDI/RDSH environment, on first login,</p>
<ul>
<li><p>(Operation) A user-publishing/refresh is initiated. (Expectation)</p>
<ul>
<li><p>If this is the first time a user has published virtual applications (e.g., non-persistent), this will take the usual duration of a publishing/refresh.</p></li>
<li><p>First and subsequent logins will be impacted by pre-configuring of packages (add/refresh).</p>
<p></p></li>
</ul></li>
<li><p>(Operation) After the publishing/refresh, the UPM solution captures the user integrations. (Expectation) Depending on how the UPM solution is configured, this may occur as part of the logoff process. This will incur the same/similar overhead as persisting the user state</p></li>
</ul>
<p>On subsequent logins:</p>
<ul>
<li><p>(Operation) UPM solution applies the user integrations to the system prior to publishing/refresh.</p></li>
<li><p>(Operation) Add/refresh must pre-configure all user targeted applications. (Expectation)</p>
<ul>
<li><p>This may increase the time to application availability significantly (on the order of 10s of seconds).</p></li>
<li><p>This will increase the publishing refresh time relative to the number and complexity* of virtual applications.</p>
<p></p></li>
</ul></li>
<li><p>(Operation) Publishing/refresh will process un-publish and publish operations for changes to user package entitlements.</p></li>
</ul></td>
</tr>
</tbody>
</table>
- **Performance**: After implementing this approach in the VDI/RDSH environment, on first login,
- (Operation) A user-publishing/refresh is initiated.
(Expectation) If this is the first time a user has published virtual applications (e.g. non-persistent), this will take the usual duration of a publishing/refresh.
- (Operation) After the publishing/refresh, the UPM solution captures the user integrations.
(Expectation) Depending on how the UPM solution is configured, this may occur as part of the logoff process. This will incur the same/similar overhead as persisting the user state.
**On subsequent logins**:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Outcome</th>
<th align="left">Outcome</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p></p>
<ul>
<li><p>Because the user integrations are entirely preserved, there will be no work for example, integration for the publishing/refresh to complete. All virtual applications will be available within seconds of login.</p></li>
<li><p>The publishing/refresh will process changes to the users entitled virtual applications which impacts the experience.</p></li>
</ul></td>
<td align="left"><p>Because the add/refresh must re-configure all the virtual applications to the VM, the publishing refresh time on every login will be extended.</p></td>
</tr>
</tbody>
</table>
- (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh.
(Expectation) There will be shortcuts present on the desktop, or in the start menu, which work immediately. When the publishing/refresh completes (i.e., package entitlements change), some may go away.
- (Operation) Publishing/refresh will process un-publish and publish operations for changes in user package entitlements.
(Expectation) If there are no entitlement changes, publishing will complete in seconds. Otherwise, the publishing/refresh will increase relative to the number and complexity of virtual applications
The publishing operation (**Publish-AppVClientPackage**) adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps.
- (Operation) UPM solution will capture user integrations again at logoff.
(Expectation) Same as previous.
**Outcome**:
- Because the user integrations are entirely preserved, there will be no work for example, integration for the publishing/refresh to complete. All virtual applications will be available within seconds of login.
- The publishing/refresh will process changes to the users entitled virtual applications which impacts the experience.
- **Storage**: After implementing this approach in the VDI/RDSH environment, on first login
- (Operation) A user-publishing/refresh is initiated.
(Expectation):
- If this is the first time a user has published virtual applications (e.g., non-persistent), this will take the usual duration of a publishing/refresh.
- First and subsequent logins will be impacted by pre-configuring of packages (add/refresh).
- (Operation) After the publishing/refresh, the UPM solution captures the user integrations.
(Expectation) Depending on how the UPM solution is configured, this may occur as part of the logoff process. This will incur the same/similar overhead as persisting the user state.
**On subsequent logins**:
- (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh.
- (Operation) Add/refresh must pre-configure all user targeted applications.
- (Expectation):
- This may increase the time to application availability significantly (on the order of 10s of seconds).
- This will increase the publishing refresh time relative to the number and complexity* of virtual applications.
- (Operation) Publishing/refresh will process un-publish and publish operations for changes to user package entitlements.
**Outcome**: Because the add/refresh must re-configure all the virtual applications to the VM, the publishing refresh time on every login will be extended.
### <a href="" id="bkmk-plc"></a>Impact to Package Life Cycle
Upgrading a package is a crucial aspect of the package lifecycle. To help guarantee users have access to the appropriate upgraded (published) or downgraded (un-published) virtual application packages, it is recommended you update the base image to reflect these changes. To understand why review the following section:
@ -489,36 +362,9 @@ Server Performance Tuning Guidelines for
Several App-V features facilitate new scenarios or enable new customer deployment scenarios. These following features can impact the performance of the publishing and launch operations.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Step</th>
<th align="left">Consideration</th>
<th align="left">Benefits</th>
<th align="left">Tradeoffs</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>No Feature Block 1 (FB1, also known as Primary FB)</p></td>
<td align="left"><p>No FB1 means the application will launch immediately and stream fault (application requires file, DLL and must pull down over the network) during launch. If there are network limitations, FB1 will:</p>
<ul>
<li><p>Reduce the number of stream faults and network bandwidth used when you launch an application for the first time.</p></li>
<li><p>Delay launch until the entire FB1 has been streamed.</p></li>
</ul></td>
<td align="left"><p>Stream faulting decreases the launch time.</p></td>
<td align="left"><p>Virtual application packages with FB1 configured will need to be re-sequenced.</p></td>
</tr>
</tbody>
</table>
|Step|Consideration|Benefits|Tradeoffs|
|--- |--- |--- |--- |
|No Feature Block 1 (FB1, also known as Primary FB)|No FB1 means the application will launch immediately and stream fault (application requires file, DLL and must pull down over the network) during launch. If there are network limitations, FB1 will:<br><li>Reduce the number of stream faults and network bandwidth used when you launch an application for the first time.<li>Delay launch until the entire FB1 has been streamed.|Stream faulting decreases the launch time.|Virtual application packages with FB1 configured will need to be re-sequenced.|
### Removing FB1
@ -554,37 +400,13 @@ Removing FB1 does not require the original application installer. After completi
"C:\\UpgradedPackages"
**Note**  
This cmdlet requires an executable (.exe) or batch file (.bat). You must provide an empty (does nothing) executable or batch file.
> [!Note]
> This cmdlet requires an executable (.exe) or batch file (.bat). You must provide an empty (does nothing) executable or batch file.
|Step|Considerations|Benefits|Tradeoffs|
|--- |--- |--- |--- |
|No SXS Install at Publish (Pre-Install SxS assemblies)|Virtual Application packages do not need to be re-sequenced. SxS Assemblies can remain in the virtual application package.|The SxS Assembly dependencies will not install at publishing time.|SxS Assembly dependencies must be pre-installed.|
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Step</th>
<th align="left">Considerations</th>
<th align="left">Benefits</th>
<th align="left">Tradeoffs</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>No SXS Install at Publish (Pre-Install SxS assemblies)</p></td>
<td align="left"><p>Virtual Application packages do not need to be re-sequenced. SxS Assemblies can remain in the virtual application package.</p></td>
<td align="left"><p>The SxS Assembly dependencies will not install at publishing time.</p></td>
<td align="left"><p>SxS Assembly dependencies must be pre-installed.</p></td>
</tr>
</tbody>
</table>
### Creating a new virtual application package on the sequencer
@ -594,33 +416,9 @@ If, during sequencer monitoring, an SxS Assembly (such as a VC++ Runtime) is ins
When publishing a virtual application package, the App-V Client will detect if a required SxS dependency is already installed. If the dependency is unavailable on the computer and it is included in the package, a traditional Windows Installer (.**msi**) installation of the SxS assembly will be initiated. As previously documented, simply install the dependency on the computer running the client to ensure that the Windows Installer (.msi) installation will not occur.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Step</th>
<th align="left">Considerations</th>
<th align="left">Benefits</th>
<th align="left">Tradeoffs</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Selectively Employ Dynamic Configuration files</p></td>
<td align="left"><p>The App-V client must parse and process these Dynamic Configuration files.</p>
<p>Be conscious of size and complexity (script execution, VREG inclusions/exclusions) of the file.</p>
<p>Numerous virtual application packages may already have User- or computerspecific dynamic configurations files.</p></td>
<td align="left"><p>Publishing times will improve if these files are used selectively or not at all.</p></td>
<td align="left"><p>Virtual application packages would need to be reconfigured individually or via the App-V server management console to remove associated Dynamic Configuration files.</p></td>
</tr>
</tbody>
</table>
|Step|Considerations|Benefits|Tradeoffs|
|--- |--- |--- |--- |
|Selectively Employ Dynamic Configuration files|The App-V client must parse and process these Dynamic Configuration files. <br> <br>Be conscious of size and complexity (script execution, VREG inclusions/exclusions) of the file.<br> <br>Numerous virtual application packages may already have User- or computerspecific dynamic configurations files.|Publishing times will improve if these files are used selectively or not at all.|Virtual application packages would need to be reconfigured individually or via the App-V server management console to remove associated Dynamic Configuration files.|
### Disabling a Dynamic Configuration by using Windows PowerShell
@ -639,39 +437,10 @@ For documentation on How to Apply a Dynamic Configuration, see:
- [How to Apply the Deployment Configuration File by Using Windows PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md)
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Step</th>
<th align="left">Considerations</th>
<th align="left">Benefits</th>
<th align="left">Tradeoffs</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Account for Synchronous Script Execution during Package Lifecycle.</p></td>
<td align="left"><p>If script collateral is embedded in the package, Add cmdlets may be significantly slower.</p>
<p>Running of scripts during virtual application launch (StartVirtualEnvironment, StartProcess) and/or Add+Publish will impact the perceived performance during one or more of these lifecycle operations.</p></td>
<td align="left"><p>Use of Asynchronous (Non-Blocking) Scripts will ensure that the lifecycle operations complete efficiently.</p></td>
<td align="left"><p>This step requires working knowledge of all virtual application packages with embedded script collateral, which have associated dynamic configurations files and which reference and run scripts synchronously.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Remove Extraneous Virtual Fonts from Package.</p></td>
<td align="left"><p>The majority of applications investigated by the App-V product team contained a small number of fonts, typically fewer than 20.</p></td>
<td align="left"><p>Virtual Fonts impact publishing refresh performance.</p></td>
<td align="left"><p>Desired fonts will need to be enabled/installed natively. For instructions, see Install or uninstall fonts.</p></td>
</tr>
</tbody>
</table>
|Step|Considerations|Benefits|Tradeoffs|
|--- |--- |--- |--- |
|Account for Synchronous Script Execution during Package Lifecycle.|If script collateral is embedded in the package, Add cmdlets may be significantly slower.<br>Running of scripts during virtual application launch (StartVirtualEnvironment, StartProcess) and/or Add+Publish will impact the perceived performance during one or more of these lifecycle operations.|Use of Asynchronous (Non-Blocking) Scripts will ensure that the lifecycle operations complete efficiently.|This step requires working knowledge of all virtual application packages with embedded script collateral, which have associated dynamic configurations files and which reference and run scripts synchronously.|
|Remove Extraneous Virtual Fonts from Package.|The majority of applications investigated by the App-V product team contained a small number of fonts, typically fewer than 20.|Virtual Fonts impact publishing refresh performance.|Desired fonts will need to be enabled/installed natively. For instructions, see Install or uninstall fonts.|
### Determining what virtual fonts exist in the package
@ -681,15 +450,15 @@ For documentation on How to Apply a Dynamic Configuration, see:
- Open AppxManifest.xml and locate the following:
```
```xml
<appv:Extension Category="AppV.Fonts">
<appv:Fonts>
<appv:Font Path="[{Fonts}]\private\CalibriL.ttf" DelayLoad="true"></appv:Font>
</appv:Fonts>
```
**Note**&nbsp;&nbsp;If there are fonts marked as **DelayLoad**, those will not impact first launch.
> [!Note]
> If there are fonts marked as **DelayLoad**, those will not impact first launch.
### Excluding virtual fonts from the package
@ -699,7 +468,7 @@ Use the dynamic configuration file that best suits the user scope deployment
Fonts
```
```xml
-->
<Fonts Enabled="false" />
<!--
@ -744,4 +513,4 @@ The following terms are used when describing concepts and actions related to App
## Related topics
[Application Virtualization (App-V) overview](appv-for-windows.md)
[Application Virtualization (App-V) overview](appv-for-windows.md)

159
windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
View File

@ -19,90 +19,81 @@ ms.author: greglin
The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10 version 1703 and later
<table border="1">
<thead>
<th>Problem</th>
<th>Workaround</th>
</thead>
<tbody>
<tr>
<td>Unable to manually create a system-owned folder needed for the <code>set-AppVClientConfiguration</code> PowerShell cmdlet when using the <i>PackageInstallationRoot</i>, <i>IntegrationRootUser</i>, or <i>IntegrationRootGlobal</i> parameters.</td>
<td>Don&#39;t create this file manually, instead let the <code>Add-AppVClientPackage</code> cmdlet auto-generate it.</td>
</tr>
<tr>
<td>Failure to update an App-V package from App-V 5.x to the latest in-box version, by using the PowerShell sequencing commands.</td>
<td>Make sure you have the complete App-V package or the MSI file from the original app.</td>
</tr>
<tr>
<td>Unable to modify the locale for auto-sequencing.</td>
<td>Open the <code>C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\AutoSequencer\Unattend_Sequencer_User_Setup_Template.xml</code> file and include the language code for your locale. For example, if you wanted Spanish (Spain), you&#39;d use: <strong>es-ES</strong>.</td>
</tr>
<tr>
<td>Filetype and protocol handlers aren&#39;t registering properly with the Google Chrome browser, causing you to not see App-V packages as an option for default apps from the <strong>Settings &gt; Apps&gt; Default Apps</strong> area.</td>
<td>The recommended workaround is to add the following code to the AppXManifest.xml file, underneath the <strong>&lt;appv:Extensions&gt;</strong> tag:
<pre><code>
&lt;appv:Extension Category="AppV.URLProtocol"&gt;
&lt;appv:URLProtocol&gt;
&lt;appv:Name&gt;ftp&lt;/appv:Name&gt;
&lt;appv:ApplicationURLProtocol&gt;
&lt;appv:DefaultIcon&gt;[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0&lt;/appv:DefaultIcon&gt;
&lt;appv:ShellCommands&gt;
&lt;appv:DefaultCommand&gt;open&lt;/appv:DefaultCommand&gt;
&lt;appv:ShellCommand&gt;
&lt;appv:ApplicationId&gt;[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe&lt;/appv:ApplicationId&gt;
&lt;appv:Name&gt;open&lt;/appv:Name&gt;
&lt;appv:CommandLine&gt;"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"&lt;/appv:CommandLine&gt;
&lt;appv:DdeExec&gt;
&lt;appv:DdeCommand /&gt;
&lt;/appv:DdeExec&gt;
&lt;/appv:ShellCommand&gt;
&lt;/appv:ShellCommands&gt;
&lt;/appv:ApplicationURLProtocol&gt;
&lt;/appv:URLProtocol&gt;
&lt;/appv:Extension&gt;
&lt;appv:Extension Category="AppV.URLProtocol"&gt;
&lt;appv:URLProtocol&gt;
&lt;appv:Name&gt;http&lt;/appv:Name&gt;
&lt;appv:ApplicationURLProtocol&gt;
&lt;appv:DefaultIcon&gt;[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0&lt;/appv:DefaultIcon&gt;
&lt;appv:ShellCommands&gt;
&lt;appv:DefaultCommand&gt;open&lt;/appv:DefaultCommand&gt;
&lt;appv:ShellCommand&gt;
&lt;appv:ApplicationId&gt;[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe&lt;/appv:ApplicationId&gt;
&lt;appv:Name&gt;open&lt;/appv:Name&gt;
&lt;appv:CommandLine&gt;"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"&lt;/appv:CommandLine&gt;
&lt;appv:DdeExec&gt;
&lt;appv:DdeCommand /&gt;
&lt;/appv:DdeExec&gt;
&lt;/appv:ShellCommand&gt;
&lt;/appv:ShellCommands&gt;
&lt;/appv:ApplicationURLProtocol&gt;
&lt;/appv:URLProtocol&gt;
&lt;/appv:Extension&gt;
&lt;appv:Extension Category="AppV.URLProtocol"&gt;
&lt;appv:URLProtocol&gt;
&lt;appv:Name&gt;https&lt;/appv:Name&gt;
&lt;appv:ApplicationURLProtocol&gt;
&lt;appv:DefaultIcon&gt;[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0&lt;/appv:DefaultIcon&gt;
&lt;appv:ShellCommands&gt;
&lt;appv:DefaultCommand&gt;open&lt;/appv:DefaultCommand&gt;
&lt;appv:ShellCommand&gt;
&lt;appv:ApplicationId&gt;[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe&lt;/appv:ApplicationId&gt;
&lt;appv:Name&gt;open&lt;/appv:Name&gt;
&lt;appv:CommandLine&gt;"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"&lt;/appv:CommandLine&gt;
&lt;appv:DdeExec&gt;
&lt;appv:DdeCommand /&gt;
&lt;/appv:DdeExec&gt;
&lt;/appv:ShellCommand&gt;
&lt;/appv:ShellCommands&gt;
&lt;/appv:ApplicationURLProtocol&gt;
&lt;/appv:URLProtocol&gt;
&lt;/appv:Extension&gt;
</code></pre><br/> </td>
</tr>
</tbody>
</table>
- **Problem**: Unable to manually create a system-owned folder needed for the `set-AppVClientConfiguration` PowerShell cmdlet when using the PackageInstallationRoot, IntegrationRootUser, or IntegrationRootGlobal parameters.
**Workaround**: Don't create this file manually, instead let the `Add-AppVClientPackage` cmdlet auto-generate it.
- **Problem**: Failure to update an App-V package from App-V 5.x to the latest in-box version, by using the PowerShell sequencing commands.
**Workaround**: Make sure you have the complete App-V package or the MSI file from the original app.
- **Problem**: Unable to modify the locale for auto-sequencing.
**Workaround**: Open the `C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\AutoSequencer\Unattend_Sequencer_User_Setup_Template.xml` file and include the language code for your locale. For example, if you wanted Spanish (Spain), you'd use: es-ES.
- **Problem**: Filetype and protocol handlers aren't registering properly with the Google Chrome browser, causing you to not see App-V packages as an option for default apps from the Settings > Apps> Default Apps area.
**Workaround**: The recommended workaround is to add the following code to the AppXManifest.xml file, underneath the `<appv:Extensions>` tag:
```xml
<appv:Extension Category="AppV.URLProtocol">
<appv:URLProtocol>
<appv:Name>ftp</appv:Name>
<appv:ApplicationURLProtocol>
<appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
<appv:ShellCommands>
<appv:DefaultCommand>open</appv:DefaultCommand>
<appv:ShellCommand>
<appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
<appv:Name>open</appv:Name>
<appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
<appv:DdeExec>
<appv:DdeCommand />
</appv:DdeExec>
</appv:ShellCommand>
</appv:ShellCommands>
</appv:ApplicationURLProtocol>
</appv:URLProtocol>
</appv:Extension>
<appv:Extension Category="AppV.URLProtocol">
<appv:URLProtocol>
<appv:Name>http</appv:Name>
<appv:ApplicationURLProtocol>
<appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
<appv:ShellCommands>
<appv:DefaultCommand>open</appv:DefaultCommand>
<appv:ShellCommand>
<appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
<appv:Name>open</appv:Name>
<appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
<appv:DdeExec>
<appv:DdeCommand />
</appv:DdeExec>
</appv:ShellCommand>
</appv:ShellCommands>
</appv:ApplicationURLProtocol>
</appv:URLProtocol>
</appv:Extension>
<appv:Extension Category="AppV.URLProtocol">
<appv:URLProtocol>
<appv:Name>https</appv:Name>
<appv:ApplicationURLProtocol>
<appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
<appv:ShellCommands>
<appv:DefaultCommand>open</appv:DefaultCommand>
<appv:ShellCommand>
<appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
<appv:Name>open</appv:Name>
<appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
<appv:DdeExec>
<appv:DdeCommand />
</appv:DdeExec>
</appv:ShellCommand>
</appv:ShellCommands>
</appv:ApplicationURLProtocol>
</appv:URLProtocol>
</appv:Extension>
```
## Related resources list
For information that can help with troubleshooting App-V for Windows client, see:
@ -120,4 +111,4 @@ For information that can help with troubleshooting App-V for Windows client, see
## Related topics
- [What's new in App-V for Windows client](appv-about-appv.md)
- [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows-1703.md)
- [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows-1703.md)

87
windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
View File

@ -54,56 +54,35 @@ Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages glo
1. Using the information in the following table, create a new registry key using the name of the executable file, for example, **MyApp.exe**.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Package publishing method</th>
<th align="left">Where to create the registry key</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Published globally</p></td>
<td align="left"><p>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual</p>
<p><strong>Example</strong>: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual\MyApp.exe</p></td>
</tr>
<tr class="even">
<td align="left"><p>Published to the user</p></td>
<td align="left"><p>HKEY_CURRENT_USER\SOFTWARE\Microsoft\AppV\Client\RunVirtual</p>
<p><strong>Example</strong>: HKEY_CURRENT_USER \SOFTWARE\Microsoft\AppV\Client\RunVirtual\MyApp.exe</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Connection group can contain:</p>
<ul>
<li><p>Packages that are published just globally or just to the user</p></li>
<li><p>Packages that are published globally and to the user</p></li>
</ul></td>
<td align="left"><p>Either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER key, but all of the following must be true:</p>
<ul>
<li><p>If you want to include multiple packages in the virtual environment, you must include them in an enabled connection group.</p></li>
<li><p>Create only one subkey for one of the packages in the connection group. If, for example, you have one package that is published globally, and another package that is published to the user, you create a subkey for either of these packages, but not both. Although you create a subkey for only one of the packages, all of the packages in the connection group, plus the local application, will be available in the virtual environment.</p></li>
<li><p>The key under which you create the subkey must match the publishing method you used for the package.</p>
<p>For example, if you published the package to the user, you must create the subkey under <code>HKEY_CURRENT_USER\SOFTWARE\Microsoft\AppV\Client\RunVirtual</code>. Do not add a key for the same application under both hives.</p></li>
</ul></td>
</tr>
</tbody>
</table>
- **Published globally**: Create the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual` registry key.
 
For example, create `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual\MyApp.exe`.
- **Published to the user**: Create the `HKEY_CURRENT_USER\SOFTWARE\Microsoft\AppV\Client\RunVirtual` registry key.
For example, create `HKEY_CURRENT_USER \SOFTWARE\Microsoft\AppV\Client\RunVirtual\MyApp.exe`.
- Connection group can be:
- Packages that are published just globally or just to the user
- Packages that are published globally and to the user
Use the `HKEY_LOCAL_MACHINE` or `HKEY_CURRENT_USER` key. But, all of the following must be true:
- If you want to include multiple packages in the virtual environment, you must include them in an enabled connection group.
- Create only one subkey for one of the packages in the connection group. If, for example, you have one package that is published globally, and another package that is published to the user, you create a subkey for either of these packages, but not both. Although you create a subkey for only one of the packages, all of the packages in the connection group, plus the local application, will be available in the virtual environment.
- The key under which you create the subkey must match the publishing method you used for the package.
For example, if you published the package to the user, you must create the subkey under `HKEY_CURRENT_USER\SOFTWARE\Microsoft\AppV\Client\RunVirtual`. Do not add a key for the same application under both hives.
2. Set the new registry subkeys value to the PackageId and VersionId of the package, separating the values with an underscore.
**Syntax**: &lt;PackageId&gt;\_&lt;VersionId&gt;
**Syntax**: `<PackageId>_<VersionId>`
**Example**: 4c909996-afc9-4352-b606-0b74542a09c1\_be463724-Oct1-48f1-8604-c4bd7ca92fa
The application in the previous example would produce a registry export file (.reg file) like the following:
``` syntax
```registry
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual]
@=""
@ -116,24 +95,24 @@ Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages glo
You can use the **Start-AppVVirtualProcess** cmdlet to retrieve the package name and then start a process within the specified package's virtual environment. This method lets you launch any command within the context of an App-V package, regardless of whether the package is currently running.
Use the following example syntax, and substitute the name of your package for **&lt;Package&gt;**:
Use the following example syntax, and substitute the name of your package for `<Package>`:
`$AppVName = Get-AppvClientPackage <Package>`
`Start-AppvVirtualProcess -AppvClientObject $AppVName cmd.exe`
If you dont know the exact name of your package, you can use the command line <strong>Get-AppvClientPackage \*executable\*</strong>, where **executable** is the name of the application, for example:<br>Get-AppvClientPackage \*Word\*
If you dont know the exact name of your package, you can use the command line `Get-AppvClientPackage YourExecutable`, where `YourExecutable` is the name of the application. For example, enter `Get-AppvClientPackage Word`.
## <a href="" id="bkmk-cl-switch-appvpid"></a>Command line switch /appvpid:&lt;PID&gt;
## <a href="" id="bkmk-cl-switch-appvpid"></a>Command line switch `/appvpid:<PID>`
You can apply the **/appvpid:&lt;PID&gt;** switch to any command, which enables that command to run within a virtual process that you select by specifying its process ID (PID). Using this method launches the new executable in the same App-V environment as an executable that is already running.
You can apply the `/appvpid:<PID>` switch to any command, which enables that command to run within a virtual process that you select by specifying its process ID (PID). Using this method launches the new executable in the same App-V environment as an executable that is already running.
Example: `cmd.exe /appvpid:8108`
To find the process ID (PID) of your App-V process, run the command **tasklist.exe** from an elevated command prompt.
## <a href="" id="bkmk-cl-hook-switch-appvve"></a>Command line hook switch /appvve:&lt;GUID&gt;
## <a href="" id="bkmk-cl-hook-switch-appvve"></a>Command line hook switch `/appvve:<GUID>`
This switch lets you run a local command within the virtual environment of an App-V package. Unlike the **/appvid** switch, where the virtual environment must already be running, this switch enables you to start the virtual environment.
@ -152,25 +131,11 @@ To get the package GUID and version GUID of your application, run the **Get-Appv
- Version ID of the desired package
If you dont know the exact name of your package, use the command line <strong>Get-AppvClientPackage \*executable\*</strong>, where **executable** is the name of the application, for example:<br>Get-AppvClientPackage \*Word\*
If you dont know the exact name of your package, use the command line `Get-AppvClientPackage YourExecutable`, where `YourExecutable` is the name of the application. For example, enter `Get-AppvClientPackage Word`.
This method lets you launch any command within the context of an App-V package, regardless of whether the package is currently running.
<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Technical Reference for App-V](appv-technical-reference.md)
 
 

2
windows/application-management/app-v/appv-supported-configurations.md
View File

@ -18,7 +18,7 @@ ms.topic: article
- Windows 10
- Windows 11
- Window Server 2019
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012

59
windows/application-management/app-v/appv-using-the-client-management-console.md
View File

@ -42,49 +42,30 @@ You can obtain information about the App-V client or perform specific tasks by u
The client management console contains the following described main tabs.
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Tab</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Overview</p></td>
<td align="left"><p>The <strong>Overview</strong> tab contains the following elements:</p>
<ul>
<li><p>Update Use the <strong>Update</strong> tile to refresh a virtualized application or to receive a new virtualized package.</p>
<p>The <strong>Last Refresh</strong> displays the current version of the virtualized package.</p></li>
<li><p>Download all virtual applications Use the <strong>Download</strong> tile to download all of the packages provisioned to the current user.</p>
<p>(Associated Windows PowerShell cmdlet: <strong>Mount-AppvClientPackage</strong>)</p>
<p></p></li>
<li><p>Work Offline Use this tile to disallow all automatic and manual virtual application updates.</p>
<p>(Associated Windows PowerShell cmdlet: <strong>Set-AppvPublishServer UserRefreshEnabled GlobalRefreshEnabled</strong>)</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>Virtual Apps</p></td>
<td align="left"><p>The <strong>VIRTUAL APPS</strong> tab displays all of the packages that have been published to the user. You can also click a specific package and see all of the applications that are part of that package. This displays information about packages that are currently in use and how much of each package has been downloaded to the computer. You can also start and stop package downloads. Additionally, you can repair the user state. A repair will delete all user data that is associated with a package.</p>
<p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>App Connection Groups</p></td>
<td align="left"><p>The <strong>APP CONNECTION GROUPS</strong> tab displays all of the connection groups that are available to the current user. Click a specific connection group to see all of the packages that are part of the selected group. This displays information about connection groups that are already in use and how much of the connection group contents have been downloaded to the computer. Additionally, you can start and stop connection group downloads. You can use this section to initiate a repair. A repair will remove all of the user state that is associated a connection group.</p>
<p>(Associated Windows PowerShell cmdlets: Download - <strong>Mount-AppvClientConnectionGroup</strong>. Repair -<strong>AppvClientConnectionGroup</strong>.)</p>
<p></p></td>
</tr>
</tbody>
</table>
- **Overview**: The **Overview** tab contains the following elements:
- **Update**: Refreshes a virtualized application or to receive a new virtualized package.
- **Last Refresh**: Displays the current version of the virtualized package.
- **Download all virtual applications**: Use the Download tile to download all of the packages provisioned to the current user.
Associated Windows PowerShell cmdlet: `Mount-AppvClientPackage`
- **Work Offline**: Disallows all automatic and manual virtual application updates.
<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
Associated Windows PowerShell cmdlet: `-AppvPublishServer UserRefreshEnabled GlobalRefreshEnabled`
- **VIRTUAL APPS**: Displays all of the packages that have been published to the user.
You can also click a specific package and see all of the applications that are part of that package. This option displays information about packages that are currently in use and how much of each package has been downloaded to the computer. You can also start and stop package downloads, and repair the user state. A repair will delete all user data that is associated with a package.
- **APP CONNECTION GROUPS**: Displays all of the connection groups that are available to the current user. Click a specific connection group to see all of the packages that are part of the selected group. This displays information about connection groups that are already in use and how much of the connection group contents have been downloaded to the computer. Additionally, you can start and stop connection group downloads. You can use this section to initiate a repair. A repair will remove all of the user state that is associated a connection group.
Associated Windows PowerShell cmdlets:
- Download: `Mount-AppvClientConnectionGroup`
- Repair: `AppvClientConnectionGroup`
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics

92
windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
View File

@ -77,84 +77,20 @@ To get the name of the Publishing server and the port number (`http://<PubServer
In your publishing metadata query, enter the string values that correspond to the client operating system that youre using.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Operating system</th>
<th align="left">Architecture</th>
<th align="left">String value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Windows 10/11</p></td>
<td align="left"><p>64-bit</p></td>
<td align="left"><p>WindowsClient_10.0_x64</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows 10/11</p></td>
<td align="left"><p>32-bit</p></td>
<td align="left"><p>WindowsClient_10.0_x86</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows 8.1</p></td>
<td align="left"><p>64-bit</p></td>
<td align="left"><p>WindowsClient_6.2_x64</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows 8.1</p></td>
<td align="left"><p>32-bit</p></td>
<td align="left"><p>WindowsClient_6.2_x86</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows 8</p></td>
<td align="left"><p>64-bit</p></td>
<td align="left"><p>WindowsClient_6.2_x64</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows 8</p></td>
<td align="left"><p>32-bit</p></td>
<td align="left"><p>WindowsClient_6.2_x86</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows Server 2012 R2</p></td>
<td align="left"><p>64-bit</p></td>
<td align="left"><p>WindowsServer_6.2_x64</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows Server 2012 R2</p></td>
<td align="left"><p>32-bit</p></td>
<td align="left"><p>WindowsServer_6.2_x86</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows Server 2012</p></td>
<td align="left"><p>64-bit</p></td>
<td align="left"><p>WindowsServer_6.2_x64</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows Server 2012</p></td>
<td align="left"><p>32-bit</p></td>
<td align="left"><p>WindowsServer_6.2_x86</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows Server 2008 R2</p></td>
<td align="left"><p>64-bit</p></td>
<td align="left"><p>WindowsServer_6.1_x64</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows Server 2008 R2</p></td>
<td align="left"><p>32-bit</p></td>
<td align="left"><p>WindowsServer_6.1_x86</p></td>
</tr>
</tbody>
</table>
|Operating system|Architecture|String value|
|--- |--- |--- |
|Windows 10/11|64-bit|WindowsClient_10.0_x64|
|Windows 10/11|32-bit|WindowsClient_10.0_x86|
|Windows 8.1|64-bit|WindowsClient_6.2_x64|
|Windows 8.1|32-bit|WindowsClient_6.2_x86|
|Windows 8|64-bit|WindowsClient_6.2_x64|
|Windows 8|32-bit|WindowsClient_6.2_x86|
|Windows Server 2012 R2|64-bit|WindowsServer_6.2_x64|
|Windows Server 2012 R2|32-bit|WindowsServer_6.2_x86|
|Windows Server 2012|64-bit|WindowsServer_6.2_x64|
|Windows Server 2012|32-bit|WindowsServer_6.2_x86|
|Windows Server 2008 R2|64-bit|WindowsServer_6.1_x64|
|Windows Server 2008 R2|32-bit|WindowsServer_6.1_x86|
<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).

1
windows/application-management/apps-in-windows-10.md
View File

@ -11,6 +11,7 @@ ms.author: mandia
author: MandiOhlinger
ms.localizationpriority: medium
ms.topic: article
ms.collection: highpri
---
# Overview of apps on Windows client devices

4
windows/application-management/index.yml
View File

@ -10,7 +10,9 @@ metadata:
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
ms.collection: windows-10
ms.collection:
- windows-10
- highpri
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
ms.date: 08/24/2021 #Required; mm/dd/yyyy format.

3
windows/client-management/administrative-tools-in-windows-10.md
View File

@ -12,13 +12,14 @@ author: greg-lindsay
ms.localizationpriority: medium
ms.date: 09/20/2021
ms.topic: article
ms.collection: highpri
---
# Administrative Tools in Windows
**Applies to**
- Windows 10
- Windows 10
- Windows 11

3
windows/client-management/advanced-troubleshooting-802-authentication.md
View File

@ -11,6 +11,7 @@ author: greg-lindsay
ms.localizationpriority: medium
ms.author: tracyp
ms.topic: troubleshooting
ms.collection: highpri
---
# Advanced troubleshooting 802.1X authentication
@ -37,7 +38,7 @@ Viewing [NPS authentication status events](/previous-versions/windows/it-pro/win
NPS event log entries contain information about the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you don't see both success and failure events, see the [NPS audit policy](#audit-policy) section later in this article.
Check Windows Security Event log on the NPS Server for NPS events that correspond to rejected ([event ID 6273](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts.
Check the Windows Security event log on the NPS Server for NPS events that correspond to rejected ([event ID 6273](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts.
In the event message, scroll to the very bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it.

7
windows/client-management/advanced-troubleshooting-boot-problems.md
View File

@ -10,6 +10,7 @@ ms.date: 11/16/2018
ms.reviewer:
manager: dansimp
ms.topic: troubleshooting
ms.collection: highpri
---
# Advanced troubleshooting for Windows boot problems
@ -230,7 +231,7 @@ If Windows cannot load the system registry hive into memory, you must restore th
If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
> [!NOTE]
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start).
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder)
## Kernel Phase
@ -302,7 +303,7 @@ problems can be solved. Modify the registry at your own risk.
To troubleshoot this Stop error, follow these steps to filter the drivers:
1. Go to Window Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of same version of Windows or a later version.
1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of same version of Windows or a later version.
2. Open the registry.
@ -413,4 +414,4 @@ If the dump file shows an error that is related to a driver (for example, window
5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.
> [!NOTE]
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start).
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).

73
windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
View File

@ -37,9 +37,8 @@ It is important to understand the different Wi-Fi components involved, their exp
The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible components that are causing the connection problem.
### Known Issues and fixes
** **
| **OS version** | **Fixed in** |
| OS version | Fixed in |
| --- | --- |
| **Windows 10, version 1803** | [KB4284848](https://support.microsoft.com/help/4284848) |
| **Windows 10, version 1709** | [KB4284822](https://support.microsoft.com/help/4284822) |
@ -54,13 +53,13 @@ Make sure that you install the latest Windows updates, cumulative updates, and r
- [Windows 10 version 1511](https://support.microsoft.com/help/4000824)
- [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470)
- [Windows Server 2012](https://support.microsoft.com/help/4009471)
- [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/40009469)
- [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/4009469)
## Data Collection
1. Network Capture with ETW. Enter the following at an elevated command prompt:
```
```console
netsh trace start wireless_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl
```
2. Reproduce the issue.
@ -70,12 +69,12 @@ Make sure that you install the latest Windows updates, cumulative updates, and r
- If intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop).
3. Stop the trace by entering the following command:
```
```console
netsh trace stop
```
4. To convert the output file to text format:
```
```console
netsh trace convert c:\tmp\wireless.etl
```
@ -85,17 +84,13 @@ See the [example ETW capture](#example-etw-capture) at the bottom of this articl
The following is a high-level view of the main wifi components in Windows.
<table>
<tr><td><img src="images/wcm.png" alt="Windows Connection Manager"></td><td>The <b>Windows Connection Manager</b> (Wcmsvc) is closely associated with the UI controls (taskbar icon) to connect to various networks, including wireless networks. It accepts and processes input from the user and feeds it to the core wireless service. </td></tr>
<tr><td><img src="images/wlan.png" alt="WLAN Autoconfig Service"></td><td>The <b>WLAN Autoconfig Service</b> (WlanSvc) handles the following core functions of wireless networks in windows:
- Scanning for wireless networks in range
- Managing connectivity of wireless networks</td></tr>
<tr><td><img src="images/msm.png" alt="Media Specific Module"></td><td>The <b>Media Specific Module</b> (MSM) handles security aspects of connection being established.</td></tr>
<tr><td><img src="images/wifi-stack.png" alt="Native WiFi stack"></td><td>The <b>Native WiFi stack</b> consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc.</td></tr>
<tr><td><img src="images/miniport.png" alt="Wireless miniport"></td><td>Third-party <b>wireless miniport</b> drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.</td></tr>
</table>
|Wi-fi Components|Description|
|--- |--- |
|![Windows Connection Manager](images/wcm.png)|The Windows Connection Manager (Wcmsvc) is closely associated with the UI controls (taskbar icon) to connect to various networks, including wireless networks. It accepts and processes input from the user and feeds it to the core wireless service.|
|![WLAN Autoconfig Service](images/wlan.png)|The WLAN Autoconfig Service (WlanSvc) handles the following core functions of wireless networks in windows:<li> Scanning for wireless networks in range<li>Managing connectivity of wireless networks|
|![Media Specific Module](images/msm.png)|The Media Specific Module (MSM) handles security aspects of connection being established.|
|![Native WiFi stack](images/wifi-stack.png)|The Native WiFi stack consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc.|
|![Wireless miniport](images/miniport.png)|Third-party wireless miniport drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.|
The wifi connection state machine has the following states:
- Reset
@ -109,39 +104,39 @@ The wifi connection state machine has the following states:
Standard wifi connections tend to transition between states such as:
**Connecting**
- Connecting
Reset --> Ihv_Configuring --> Configuring --> Associating --> Authenticating --> Connected
Reset --> Ihv_Configuring --> Configuring --> Associating --> Authenticating --> Connected
**Disconnecting**
- Disconnecting
Connected --> Roaming --> Wait_For_Disconnected --> Disconnected --> Reset
Connected --> Roaming --> Wait_For_Disconnected --> Disconnected --> Reset
>Filtering the ETW trace with the [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases) (TAT) is an easy first step to determine where a failed connection setup is breaking down. A useful [wifi filter file](#wifi-filter-file) is included at the bottom of this article.
Filtering the ETW trace with the [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases) (TAT) is an easy first step to determine where a failed connection setup is breaking down. A useful [wifi filter file](#wifi-filter-file) is included at the bottom of this article.
Use the **FSM transition** trace filter to see the connection state machine. You can see [an example](#textanalysistool-example) of this filter applied in the TAT at the bottom of this page.
The following is an example of a good connection setup:
<pre>
```console
44676 [2]0F24.1020::2018-09-17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
45473 [1]0F24.1020::2018-09-17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv_Configuring
45597 [3]0F24.1020::2018-09-17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv_Configuring to State: Configuring
46085 [2]0F24.17E0::2018-09-17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating
47393 [1]0F24.1020::2018-09-17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating
49465 [2]0F24.17E0::2018-09-17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Connected
</pre>
```
The following is an example of a failed connection setup:
<pre>
```console
44676 [2]0F24.1020::2018-09-17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
45473 [1]0F24.1020::2018-09-17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv_Configuring
45597 [3]0F24.1020::2018-09-17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv_Configuring to State: Configuring
46085 [2]0F24.17E0::2018-09-17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating
47393 [1]0F24.1020::2018-09-17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating
49465 [2]0F24.17E0::2018-09-17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Roaming
</pre>
```
By identifying the state at which the connection fails, one can focus more specifically in the trace on logs just prior to the last known good state.
@ -159,7 +154,7 @@ Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** fil
Continuing with the example above, the combined filters look like this:
<pre>
```console
[2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Reset to State: Ihv_Configuring
[2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
@ -177,7 +172,7 @@ Associating to State: Authenticating
[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Authenticating to State: Roaming
</pre>
```
> [!NOTE]
> In the next to last line the SecMgr transition is suddenly deactivating:<br>
@ -186,7 +181,7 @@ Authenticating to State: Roaming
Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition:
<pre>
```console
[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Associating to State: Authenticating
[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
@ -200,7 +195,7 @@ Associating to State: Authenticating
[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Authenticating to State: Roaming
</pre>
```
The trail backwards reveals a **Port Down** notification:
@ -212,7 +207,7 @@ Below, the MSM is the native wifi stack. These are Windows native wifi drivers w
Enable trace filter for **[Microsoft-Windows-NWifi]:**
<pre>
```console
[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Associating to State: Authenticating
[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
@ -226,12 +221,14 @@ Associating to State: Authenticating
[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Authenticating to State: Roaming</pre>
Authenticating to State: Roaming
```
In the trace above, we see the line:
<pre>
[0]0000.0000::08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4</pre>
```console
[0]0000.0000::08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4
```
This is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disassociate coming from the Access Point (AP), as an indication to deny the connection. This could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This would be done by examining internal logging/tracing from the AP.
@ -242,7 +239,7 @@ This is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disas
## Example ETW capture
<pre>
```console
C:\tmp>netsh trace start wireless_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl
Trace configuration:
@ -283,13 +280,13 @@ C:\tmp>dir
01/09/2019 02:59 PM 2,786,540 wireless.txt
3 File(s) 10,395,004 bytes
2 Dir(s) 46,648,332,288 bytes free
</pre>
```
## Wifi filter file
Copy and paste all the lines below and save them into a text file named "wifi.tat." Load the filter file into the TextAnalysisTool by clicking **File > Load Filters**.
```
```xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<TextAnalysisTool.NET version="2018-01-03" showOnlyFilteredLines="False">
<filters>
@ -327,4 +324,4 @@ Copy and paste all the lines below and save them into a text file named "wifi.ta
In the following example, the **View** settings are configured to **Show Only Filtered Lines**.
![TAT filter example.](images/tat.png)
![TAT filter example.](images/tat.png)

2
windows/client-management/change-default-removal-policy-external-storage-media.md
View File

@ -3,7 +3,7 @@ title: Windows 10 default media removal policy
description: In Windows 10, version 1809, the default removal policy for external storage media changed from "Better performance" to "Quick removal."
ms.prod: w10
author: Teresa-Motiv
ms.author: v-tea
ms.author: dougeby
ms.date: 11/25/2020
ms.topic: article
ms.custom:

5
windows/client-management/connect-to-remote-aadj-pc.md
View File

@ -13,6 +13,7 @@ ms.date: 09/14/2021
ms.reviewer:
manager: dansimp
ms.topic: article
ms.collection: highpri
---
# Connect to remote Azure Active Directory-joined PC
@ -20,7 +21,7 @@ ms.topic: article
**Applies to**
- Windows 10
- Windows 10
- Windows 11
@ -72,7 +73,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
> When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com.
> [!NOTE]
> If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in this [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
> If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in this [support article](/troubleshoot/windows-server/remote/remote-desktop-connection-6-prompts-credentials).
## Supported configurations

3
windows/client-management/determine-appropriate-page-file-size.md
View File

@ -10,6 +10,7 @@ ms.author: delhan
ms.date: 8/28/2019
ms.reviewer: dcscontentpm
manager: dansimp
ms.collection: highpri
---
# How to determine the appropriate page file size for 64-bit versions of Windows
@ -66,7 +67,7 @@ Kernel memory crash dumps require enough page file space or dedicated dump file
Computers that are running Microsoft Windows or Microsoft Windows Server usually must have a page file to support a system crash dump. System administrators now have the option to create a dedicated dump file instead.
A dedicated dump file is a page file that is not used for paging. Instead, it is “dedicated” to back a system crash dump file (Memory.dmp) when a system crash occurs. Dedicated dump files can be put on any disk volume that can support a page file. We recommend that you use a dedicated dump file if you want a system crash dump but you do not want a page file.
A dedicated dump file is a page file that is not used for paging. Instead, it is “dedicated” to back a system crash dump file (Memory.dmp) when a system crash occurs. Dedicated dump files can be put on any disk volume that can support a page file. We recommend that you use a dedicated dump file if you want a system crash dump but you do not want a page file. To learn how to create it, see [Overview of memory dump file options for Windows](/troubleshoot/windows-server/performance/memory-dump-file-options).
## System-managed page files

1
windows/client-management/generate-kernel-or-complete-crash-dump.md
View File

@ -10,6 +10,7 @@ ms.author: delhan
ms.date: 8/28/2019
ms.reviewer:
manager: willchen
ms.collection: highpri
---
# Generate a kernel or complete crash dump

2
windows/client-management/group-policies-for-enterprise-and-education-editions.md
View File

@ -32,7 +32,7 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W
| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | In Windows 10, version 1703, this policy setting can be applied to Windows 10 Pro. For more info, see [Manage Windows 10 Start layout options and policies](/windows/configuration/windows-10-start-layout-options-and-policies) |
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). |
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store). |
| **Only display the private store within the Microsoft Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app<br><br>User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) |
| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) |

4
windows/client-management/index.yml
View File

@ -10,7 +10,9 @@ metadata:
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
ms.collection: windows-10
ms.collection:
- windows-10
- highpri
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
ms.date: 08/05/2021 #Required; mm/dd/yyyy format.

13
windows/client-management/introduction-page-file.md
View File

@ -9,6 +9,7 @@ ms.localizationpriority: medium
ms.author: delhan
ms.reviewer: dcscontentpm
manager: dansimp
ms.collection: highpri
---
# Introduction to page files
@ -27,20 +28,20 @@ Page files enable the system to remove infrequently accessed modified pages from
Some products or services require a page file for various reasons. For specific information, check the product documentation.
For example, the following Windows servers requires page files:
For example, the following Windows servers require page files:
- Windows Server domain controllers (DCs)
- DFS Replication (DFS-R) servers
- Certificate servers
- ADAM/LDS servers
This is because the algorithm of the database cache for Extensible Storage Engine (ESENT, or ESE in Microsoft Exchange Server) depends on the "\Memory\Transition Pages RePurposed/sec" performance monitor counter. A page file is required to make sure that the database cache can release memory if other services or applications request memory.
This is because the algorithm of the database cache for Extensible Storage Engine (ESENT, or ESE for Microsoft Exchange Server) depends on the "\Memory\Transition Pages RePurposed/sec" performance monitor counter. A page file is required to make sure that the database cache can release memory if other services or applications request memory.
For Windows Server 2012 Hyper-V and Windows Server 2012 R2 Hyper-V, the page file of the management OS (commonly called the host OS) should be left at the default of setting of "System Managed" .
For Windows Server 2012 Hyper-V and Windows Server 2012 R2 Hyper-V, the page file of the management OS (commonly called the host OS) should be left at the default of setting of "System Managed".
### Support for system crash dumps
Page files can be used to "back" (or support) system crash dumps and extend how much system-committed memory (also known as “virtual memory”) a system can support.
Page files can be used to "back" (or support) system crash dumps and extend how much system-committed memory (also known as "virtual memory") a system can support.
For more information about system crash dumps, see [system crash dump options](system-failure-recovery-options.md#under-write-debugging-information).
@ -48,7 +49,7 @@ For more information about system crash dumps, see [system crash dump options](s
When large physical memory is installed, a page file might not be required to support the system commit charge during peak usage. For example, 64-bit versions of Windows and Windows Server support more physical memory (RAM) than 32-bit versions support. The available physical memory alone might be large enough.
However, the reason to configure the page file size has not changed. It has always been about supporting a system crash dump, if it is necessary, or extending the system commit limit, if it is necessary. For example, when a lot of physical memory is installed, a page file might not be required to back the system commit charge during peak usage. The available physical memory alone might be large enough to do this. However, a page file or a dedicated dump file might still be required to back a system crash dump.
However, the reason to configure the page file size hasn't changed. It has always been about supporting a system crash dump, if it's necessary, or extending the system commit limit, if it's necessary. For example, when a lot of physical memory is installed, a page file might not be required to back the system commit charge during peak usage. The available physical memory alone might be large enough to do this. However, a page file or a dedicated dump file might still be required to back a system crash dump.
## System committed memory
@ -64,7 +65,7 @@ The system commit charge is the total committed or "promised" memory of all comm
![Task Manager.](images/task-manager-commit.png)
The system committed charge and system committed limit can be measured on the **Performance** tab in Task Manager or by using the "\Memory\Committed Bytes" and "\Memory\Commit Limit" performance counters. The \Memory\% Committed Bytes In Use counter is a ratio of \Memory\Committed Bytes to \Memory\Commit Limit values.
The system committed charge and system committed limit can be measured on the **Performance** tab in Task Manager or by using the "\Memory\Committed Bytes" and "\Memory\Commit Limit" performance counters. The **\Memory\% Committed Bytes In Use** counter is a ratio of \Memory\Committed Bytes to \Memory\Commit Limit values.
> [!NOTE]
> System-managed page files automatically grow up to three times the physical memory or 4 GB (whichever is larger, but no more than one-eighth of the volume size) when the system commit charge reaches 90 percent of the system commit limit. This assumes that enough free disk space is available to accommodate the growth.

2
windows/client-management/manage-device-installation-with-group-policy.md
View File

@ -69,7 +69,7 @@ The scenarios presented in this guide illustrate how you can control device inst
Group Policy guides:
- [Create a Group Policy Object (Windows 10) - Windows security](/windows/security/threat-protection/windows-firewall/create-a-group-policy-object)
- [Create a Group Policy Object (Windows 10) - Windows Security](/windows/security/threat-protection/windows-firewall/create-a-group-policy-object)
- [Advanced Group Policy Management - Microsoft Desktop Optimization Pack](/microsoft-desktop-optimization-pack/agpm)
### Scenario #1: Prevent installation of all printers

2
windows/client-management/manage-settings-app-with-group-policy.md
View File

@ -26,7 +26,7 @@ To make use of the Settings App group policies on Windows server 2016, install f
>[!Note]
>Each server that you want to manage access to the Settings App must be patched.
If your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management, to centrally manage the new policies, copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra).
If your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management, to centrally manage the new policies, copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
This policy is available for both User and Computer depending on the version of the OS. Windows Server 2016 with KB 4457127 applied will have both User and Computer policy. Windows 10, version 1703, added Computer policy for the Settings app. Windows 10, version 1809, added User policy for the Settings app.

3
windows/client-management/mandatory-user-profile.md
View File

@ -11,6 +11,7 @@ ms.date: 09/14/2021
ms.reviewer:
manager: dansimp
ms.topic: article
ms.collection: highpri
---
# Create mandatory user profiles
@ -41,7 +42,7 @@ The name of the folder in which you store the mandatory profile must use the cor
| Windows 10, versions 1507 and 1511 | N/A | v5 |
| Windows 10, versions 1607, 1703, 1709, 1803, 1809, 1903 and 1909 | Windows Server 2016 and Windows Server 2019 | v6 |
For more information, see [Deploy Roaming User Profiles, Appendix B](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).
For more information, see [Deploy Roaming User Profiles, Appendix B](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](/troubleshoot/windows-server/user-profiles-and-logon/roaming-user-profiles-versioning).
## Mandatory user profile

16
windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
View File

@ -39,11 +39,11 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a
If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to the Office 356 portal at https://portal.office.com/, and then sign in using the admin account that you created in Step 4 (for example, user1@contosoltd.onmicrosoftcom).
![login to office 365.](images/azure-ad-add-tenant4.png)
![login to office 365](images/azure-ad-add-tenant4.png)
6. Select **Install software**.
![login to office 365.](images/azure-ad-add-tenant5.png)
![login to office 365 portal](images/azure-ad-add-tenant5.png)
7. In the Microsoft 365 admin center, select **Purchase Services** from the left navigation.
@ -69,27 +69,27 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent
1. Sign in to the Microsoft 365 admin center at <https://portal.office.com> using your organization's account.
![register azuread.](images/azure-ad-add-tenant10.png)
![register in azuread.](images/azure-ad-add-tenant10.png)
2. On the **Home** page, select on the Admin tools icon.
![register azuread.](images/azure-ad-add-tenant11.png)
![register in azure-ad.](images/azure-ad-add-tenant11.png)
3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information.
![register azuread.](images/azure-ad-add-tenant12.png)
![register azuread](images/azure-ad-add-tenant12.png)
4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**.
![register azuread.](images/azure-ad-add-tenant13.png)
![registration in azure-ad](images/azure-ad-add-tenant13.png)
5. It may take a few minutes to process the request.
![register azuread.](images/azure-ad-add-tenant14.png)
![registration in azuread.](images/azure-ad-add-tenant14.png)
6. You will see a welcome page when the process completes.
![register azuread.](images/azure-ad-add-tenant15.png)
![register screen of azuread](images/azure-ad-add-tenant15.png)

2
windows/client-management/mdm/applicationcontrol-csp-ddf.md
View File

@ -5,7 +5,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: ManikaDhiman
author: dansimp
ms.date: 07/10/2019
---

2
windows/client-management/mdm/applicationcontrol-csp.md
View File

@ -6,7 +6,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: ManikaDhiman
author: dansimp
ms.reviewer: jsuther1974
ms.date: 09/10/2020
---

652
windows/client-management/mdm/applocker-csp.md
View File

@ -18,7 +18,8 @@ ms.date: 11/19/2019
The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There is no user interface shown for apps that are blocked.
The following shows the AppLocker configuration service provider in tree format.
```
```console
./Vendor/MSFT
AppLocker
----ApplicationLaunchRestrictions
@ -258,54 +259,29 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
6. On your phone under **Device discovery**, tap **Pair**. You will get a code (case sensitive).
7. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**.
1. On your phone under **Device discovery**, tap **Pair**. You will get a code (case sensitive).
2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**.
The **Device Portal** page opens on your browser.
![device portal screenshot.](images/applocker-screenshot1.png)
8. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**.
9. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps.
3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**.
4. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps.
![device portal app manager.](images/applocker-screenshot3.png)
10. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed.
5. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed.
![app manager.](images/applocker-screenshot2.png)
The following table shows the mapping of information to the AppLocker publisher rule field.
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Device portal data</th>
<th>AppLocker publisher rule field</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>PackageFullName</p></td>
<td><p>ProductName</p>
<p>The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.</p></td>
</tr>
<tr class="even">
<td><p>Publisher</p></td>
<td><p>Publisher</p></td>
</tr>
<tr class="odd">
<td><p>Version</p></td>
<td><p>Version</p>
<p>This can be used either in the HighSection or LowSection of the BinaryVersionRange.</p>
<p>HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.</p></td>
</tr>
</tbody>
</table>
|Device portal data|AppLocker publisher rule field|
|--- |--- |
|PackageFullName|ProductName<br><br> The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.|
|Publisher|Publisher|
|Version|Version<br> <br>This can be used either in the HighSection or LowSection of the BinaryVersionRange.<br> <br>HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.|
Here is an example AppLocker publisher rule:
@ -325,21 +301,11 @@ You can get the publisher name and product name of apps using a web API.
3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values.
<table>
<colgroup>
<col width="100%" />
</colgroup>
<thead>
<tr class="header">
<th>Request URI</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><code>https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata</code></p></td>
</tr>
</tbody>
</table>
Request URI:
```http
https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata
```
Here is the example for Microsoft OneNote:
@ -360,35 +326,11 @@ Result
}
```
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Result data</th>
<th>AppLocker publisher rule field</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>packageIdentityName</p></td>
<td><p>ProductName</p></td>
</tr>
<tr class="even">
<td><p>publisherCertificateName</p></td>
<td><p>Publisher</p></td>
</tr>
<tr class="odd">
<td><p>windowsPhoneLegacyId</p></td>
<td><p>Same value maps to the ProductName and Publisher name</p>
<p>This value will only be present if there is a XAP package associated with the app in the Store.</p>
<p>If this value is populated then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.</p></td>
</tr>
</tbody>
</table>
|Result data|AppLocker publisher rule field|
|--- |--- |
|packageIdentityName|ProductName|
|publisherCertificateName|Publisher|
|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name. <br> <br> This value will only be present if there is a XAP package associated with the app in the Store. <br> <br>If this value is populated then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.|
## <a href="" id="settingssplashapps"></a>Settings apps that rely on splash apps
@ -428,464 +370,96 @@ The following list shows the apps that may be included in the inbox.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>App</th>
<th>Product ID</th>
<th>Product name</th>
</tr>
</thead>
<tbody>
<tr class="even">
<td>3D Viewer</td>
<td>f41647c9-d567-4378-b2ab-7924e5a152f3</td>
<td>Microsoft.Microsoft3DViewer <p>(Added in Windows 10, version 1703)</p></td>
</tr>
<tr class="odd">
<td>Advanced info</td>
<td>b6e3e590-9fa5-40c0-86ac-ef475de98e88</td>
<td>b6e3e590-9fa5-40c0-86ac-ef475de98e88</td>
</tr>
<tr class="even">
<td>Age out worker</td>
<td>09296e27-c9f3-4ab9-aa76-ecc4497d94bb</td>
<td></td>
</tr>
<tr class="odd">
<td>Alarms and clock</td>
<td>44f7d2b4-553d-4bec-a8b7-634ce897ed5f</td>
<td>Microsoft.WindowsAlarms</td>
</tr>
<tr class="even">
<td>App downloads</td>
<td>20bf77a0-19c7-4daa-8db5-bc3dfdfa44ac</td>
<td></td>
</tr>
<tr class="odd">
<td>Assigned access lock app</td>
<td>b84f4722-313e-4f85-8f41-cf5417c9c5cb</td>
<td></td>
</tr>
<tr class="even">
<td>Bing lock images</td>
<td>5f28c179-2780-41df-b966-27807b8de02c</td>
<td></td>
</tr>
<tr class="odd">
<td>Block and filter</td>
<td>59553c14-5701-49a2-9909-264d034deb3d</td>
<td></td>
</tr>
<tr class="odd">
<td>Broker plug-in (same as Work or school account)</td>
<td></td>
<td>Microsoft.AAD.BrokerPlugin</td>
</tr>
<tr class="even">
<td>Calculator</td>
<td>b58171c6-c70c-4266-a2e8-8f9c994f4456</td>
<td>Microsoft.WindowsCalculator</td>
</tr>
<tr class="odd">
<td>Camera</td>
<td>f0d8fefd-31cd-43a1-a45a-d0276db069f1</td>
<td>Microsoft.WindowsCamera</td>
</tr>
<tr class="even">
<td>CertInstaller</td>
<td>4c4ad968-7100-49de-8cd1-402e198d869e</td>
<td></td>
</tr>
<tr class="odd">
<td>Color profile</td>
<td>b08997ca-60ab-4dce-b088-f92e9c7994f3</td>
<td></td>
</tr>
<tr class="even">
<td>Connect</td>
<td>af7d2801-56c0-4eb1-824b-dd91cdf7ece5</td>
<td>Microsoft.DevicesFlow</td>
</tr>
<tr class="odd">
<td>Contact Support</td>
<td>0db5fcff-4544-458a-b320-e352dfd9ca2b</td>
<td>Windows.ContactSupport</td>
</tr>
<tr class="even">
<td>Cortana</td>
<td>fd68dcf4-166f-4c55-a4ca-348020f71b94</td>
<td>Microsoft.Windows.Cortana</td>
</tr>
<tr class="odd">
<td>Cortana Listen UI</td>
<td></td>
<td>CortanaListenUI</td>
</tr>
<tr class="odd">
<td>Credentials Dialog Host</td>
<td></td>
<td>Microsoft.CredDialogHost</td>
</tr>
<tr class="odd">
<td>Device Portal PIN UX</td>
<td></td>
<td>holopairingapp</td>
</tr>
<tr class="odd">
<td>Email and accounts</td>
<td>39cf127b-8c67-c149-539a-c02271d07060</td>
<td>Microsoft.AccountsControl</td>
</tr>
<tr class="even">
<td>Enterprise installs app</td>
<td>da52fa01-ac0f-479d-957f-bfe4595941cb</td>
<td></td>
</tr>
<tr class="odd">
<td>Equalizer</td>
<td>373cb76e-7f6c-45aa-8633-b00e85c73261</td>
<td></td>
</tr>
<tr class="even">
<td>Excel</td>
<td>ead3e7c0-fae6-4603-8699-6a448138f4dc</td>
<td>Microsoft.Office.Excel</td>
</tr>
<tr class="odd">
<td>Facebook</td>
<td>82a23635-5bd9-df11-a844-00237de2db9e</td>
<td>Microsoft.MSFacebook</td>
</tr>
<tr class="even">
<td>Field Medic</td>
<td>73c58570-d5a7-46f8-b1b2-2a90024fc29c</td>
<td></td>
</tr>
<tr class="odd">
<td>File Explorer</td>
<td>c5e2524a-ea46-4f67-841f-6a9465d9d515</td>
<td>c5e2524a-ea46-4f67-841f-6a9465d9d515</td>
</tr>
<tr class="even">
<td>FM Radio</td>
<td>f725010e-455d-4c09-ac48-bcdef0d4b626</td>
<td>f725010e-455d-4c09-ac48-bcdef0d4b626</td>
</tr>
<tr class="odd">
<td>Get Started</td>
<td>b3726308-3d74-4a14-a84c-867c8c735c3c</td>
<td>Microsoft.Getstarted</td>
</tr>
<tr class="even">
<td>Glance</td>
<td>106e0a97-8b19-42cf-8879-a8ed2598fcbb</td>
<td></td>
</tr>
<tr class="odd">
<td>Groove Music</td>
<td>d2b6a184-da39-4c9a-9e0a-8b589b03dec0</td>
<td>Microsoft.ZuneMusic</td>
</tr>
<tr class="even">
<td>Hands-Free Activation</td>
<td>df6c9621-e873-4e86-bb56-93e9f21b1d6f</td>
<td></td>
</tr>
<tr class="odd">
<td>Hands-Free Activation</td>
<td>72803bd5-4f36-41a4-a349-e83e027c4722</td>
<td></td>
</tr>
<tr class="even">
<td>HAP update background worker</td>
<td>73c73cdd-4dea-462c-bd83-fa983056a4ef</td>
<td></td>
</tr>
<tr class="odd">
<td>Holographic Shell</td>
<td></td>
<td>HoloShell</td>
</tr>
<tr class="odd">
<td>Lumia motion data</td>
<td>8fc25fd2-4e2e-4873-be44-20e57f6ec52b</td>
<td></td>
</tr>
<tr class="even">
<td>Maps</td>
<td>ed27a07e-af57-416b-bc0c-2596b622ef7d</td>
<td>Microsoft.WindowsMaps</td>
</tr>
<tr class="odd">
<td>Messaging</td>
<td>27e26f40-e031-48a6-b130-d1f20388991a</td>
<td>Microsoft.Messaging</td>
</tr>
<tr class="even">
<td>Microsoft account</td>
<td>3a4fae89-7b7e-44b4-867b-f7e2772b8253</td>
<td>Microsoft.CloudExperienceHost</td>
</tr>
<tr class="odd">
<td>Microsoft Edge</td>
<td>395589fb-5884-4709-b9df-f7d558663ffd</td>
<td>Microsoft.MicrosoftEdge</td>
</tr>
<tr class="even">
<td>Microsoft Frameworks</td>
<td>ProductID = 00000000-0000-0000-0000-000000000000
<p>PublisherName=&quot;CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US&quot;</p></td>
<td></td>
</tr>
<tr class="odd">
<td>Migration UI</td>
<td></td>
<td>MigrationUIApp</td>
</tr>
<tr class="odd">
<td>MiracastView</td>
<td>906beeda-b7e6-4ddc-ba8d-ad5031223ef9</td>
<td>906beeda-b7e6-4ddc-ba8d-ad5031223ef9</td>
</tr>
<tr>
<td>Mixed Reality Portal</td>
<td></td>
<td>Microsoft.Windows.HolographicFirstRun</td>
<tr class="even">
<td>Money</td>
<td>1e0440f1-7abf-4b9a-863d-177970eefb5e</td>
<td>Microsoft.BingFinance</td>
</tr>
<tr class="odd">
<td>Movies and TV</td>
<td>6affe59e-0467-4701-851f-7ac026e21665</td>
<td>Microsoft.ZuneVideo</td>
</tr>
<tr class="even">
<td>Music downloads</td>
<td>3da8a0c1-f7e5-47c0-a680-be8fd013f747</td>
<td></td>
</tr>
<tr class="odd">
<td>Navigation bar</td>
<td>2cd23676-8f68-4d07-8dd2-e693d4b01279</td>
<td></td>
</tr>
<tr class="even">
<td>Network services</td>
<td>62f172d1-f552-4749-871c-2afd1c95c245</td>
<td></td>
</tr>
<tr class="odd">
<td>News</td>
<td>9c3e8cad-6702-4842-8f61-b8b33cc9caf1</td>
<td>Microsoft.BingNews</td>
</tr>
<tr class="even">
<td>OneDrive</td>
<td>ad543082-80ec-45bb-aa02-ffe7f4182ba8</td>
<td>Microsoft.MicrosoftSkydrive</td>
</tr>
<tr class="odd">
<td>OneNote</td>
<td>ca05b3ab-f157-450c-8c49-a1f127f5e71d</td>
<td>Microsoft.Office.OneNote</td>
</tr>
<tr class="even">
<td>Outlook Calendar and Mail</td>
<td>a558feba-85d7-4665-b5d8-a2ff9c19799b</td>
<td>Microsoft.WindowsCommunicationsApps</td>
</tr>
<tr class="odd">
<td>People</td>
<td>60be1fb8-3291-4b21-bd39-2221ab166481</td>
<td>Microsoft.People</td>
</tr>
<tr class="even">
<td>Phone</td>
<td>5b04b775-356b-4aa0-aaf8-6491ffea5611</td>
<td>5b04b775-356b-4aa0-aaf8-6491ffea5611</td>
</tr>
<tr class="odd">
<td>Phone (dialer)</td>
<td>f41b5d0e-ee94-4f47-9cfe-3d3934c5a2c7</td>
<td>Microsoft.CommsPhone</td>
</tr>
<tr class="even">
<td>Phone reset dialog</td>
<td>2864278d-09b5-46f7-b502-1c24139ecbdd</td>
<td></td>
</tr>
<tr class="odd">
<td>Photos</td>
<td>fca55e1b-b9a4-4289-882f-084ef4145005</td>
<td>Microsoft.Windows.Photos</td>
</tr>
<tr class="even">
<td>Podcasts</td>
<td>c3215724-b279-4206-8c3e-61d1a9d63ed3</td>
<td>Microsoft.MSPodcast</td>
</tr>
<tr class="odd">
<td>Podcast downloads</td>
<td>063773e7-f26f-4a92-81f0-aa71a1161e30</td>
<td></td>
</tr>
<tr class="even">
<td>PowerPoint</td>
<td>b50483c4-8046-4e1b-81ba-590b24935798</td>
<td>Microsoft.Office.PowerPoint</td>
</tr>
<tr class="odd">
<td>PrintDialog</td>
<td>0d32eeb1-32f0-40da-8558-cea6fcbec4a4</td>
<td>Microsoft.PrintDialog</td>
</tr>
<tr class="even">
<td>Purchase dialog</td>
<td>c60e79ca-063b-4e5d-9177-1309357b2c3f</td>
<td></td>
</tr>
<tr class="odd">
<td>Rate your device</td>
<td>aec3bfad-e38c-4994-9c32-50bd030730ec</td>
<td></td>
</tr>
<tr class="even">
<td>RingtoneApp.WindowsPhone</td>
<td>3e962450-486b-406b-abb5-d38b4ee7e6fe</td>
<td>Microsoft.Tonepicker</td>
</tr>
<tr class="odd">
<td>Save ringtone</td>
<td>d8cf8ec7-ec6d-4892-aab9-1e3a4b5fa24b</td>
<td></td>
</tr>
<tr class="even">
<td>Settings</td>
<td>2a4e62d8-8809-4787-89f8-69d0f01654fb</td>
<td>2a4e62d8-8809-4787-89f8-69d0f01654fb</td>
</tr>
<tr class="odd">
<td>Settings</td>
<td></td>
<td>SystemSettings</td>
</tr>
<tr class="odd">
<td>Setup wizard</td>
<td>07d87655-e4f0-474b-895a-773790ad4a32</td>
<td></td>
</tr>
<tr class="even">
<td>Sharing</td>
<td>b0894dfd-4671-4bb9-bc17-a8b39947ffb6</td>
<td></td>
</tr>
<tr class="odd">
<td>Sign in for Windows 10 Holographic</td>
<td></td>
<td>WebAuthBridgeInternetSso, WebAuthBridgeInternet, WebAuthBridgeIntranetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternet, WebAuthBrokerIntranetSso, SignIn</td>
</tr>
<tr class="odd">
<td>Skype</td>
<td>c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51</td>
<td>Microsoft.SkypeApp</td>
</tr>
<tr class="even">
<td>Skype Video</td>
<td>27e26f40-e031-48a6-b130-d1f20388991a</td>
<td>Microsoft.Messaging</td>
</tr>
<tr class="odd">
<td>Sports</td>
<td>0f4c8c7e-7114-4e1e-a84c-50664db13b17</td>
<td>Microsoft.BingSports</td>
</tr>
<tr class="even">
<td>SSMHost</td>
<td>e232aa77-2b6d-442c-b0c3-f3bb9788af2a</td>
<td></td>
</tr>
<tr class="odd">
<td>Start</td>
<td>5b04b775-356b-4aa0-aaf8-6491ffea5602</td>
<td>5b04b775-356b-4aa0-aaf8-6491ffea5602</td>
</tr>
<tr class="even">
<td>Storage</td>
<td>5b04b775-356b-4aa0-aaf8-6491ffea564d</td>
<td>5b04b775-356b-4aa0-aaf8-6491ffea564d</td>
</tr>
<tr class="odd">
<td>Store</td>
<td>7d47d89a-7900-47c5-93f2-46eb6d94c159</td>
<td>Microsoft.WindowsStore</td>
</tr>
<tr class="even">
<td>Touch (gestures and touch)</td>
<td>bbc57c87-46af-4c2c-824e-ac8104cceb38</td>
<td></td>
</tr>
<tr class="odd">
<td>Voice recorder</td>
<td>7311b9c5-a4e9-4c74-bc3c-55b06ba95ad0</td>
<td>Microsoft.WindowsSoundRecorder</td>
</tr>
<tr class="even">
<td>Wallet</td>
<td>587a4577-7868-4745-a29e-f996203f1462</td>
<td>Microsoft.MicrosoftWallet</td>
</tr>
<tr class="even">
<td>Wallet</td>
<td>12ae577e-f8d1-4197-a207-4d24c309ff8f</td>
<td>Microsoft.Wallet</td>
</tr>
<tr class="odd">
<td>Weather</td>
<td>63c2a117-8604-44e7-8cef-df10be3a57c8</td>
<td>Microsoft.BingWeather</td>
</tr>
<tr class="even">
<td>Windows default lock screen</td>
<td>cdd63e31-9307-4ccb-ab62-1ffa5721b503</td>
<td></td>
</tr>
<tr class="odd">
<td>Windows Feedback</td>
<td>7604089d-d13f-4a2d-9998-33fc02b63ce3</td>
<td>Microsoft.WindowsFeedback</td>
</tr>
<tr class="even">
<td>Word</td>
<td>258f115c-48f4-4adb-9a68-1387e634459b</td>
<td>Microsoft.Office.Word</td>
</tr>
<tr class="odd">
<td>Work or school account</td>
<td>e5f8b2c4-75ae-45ee-9be8-212e34f77747</td>
<td>Microsoft.AAD.BrokerPlugin</td>
</tr>
<tr class="even">
<td>Xbox</td>
<td>b806836f-eebe-41c9-8669-19e243b81b83</td>
<td>Microsoft.XboxApp</td>
</tr>
<tr class="odd">
<td>Xbox identity provider</td>
<td>ba88225b-059a-45a2-a8eb-d3580283e49d</td>
<td>Microsoft.XboxIdentityProvider</td>
</tr>
</tbody>
</table>
|App|Product ID|Product name|
|--- |--- |--- |
|3D Viewer|f41647c9-d567-4378-b2ab-7924e5a152f3|Microsoft.Microsoft3DViewer (Added in Windows 10, version 1703)|
|Advanced info|b6e3e590-9fa5-40c0-86ac-ef475de98e88|b6e3e590-9fa5-40c0-86ac-ef475de98e88|
|Age out worker|09296e27-c9f3-4ab9-aa76-ecc4497d94bb||
|Alarms and clock|44f7d2b4-553d-4bec-a8b7-634ce897ed5f|Microsoft.WindowsAlarms|
|App downloads|20bf77a0-19c7-4daa-8db5-bc3dfdfa44ac||
|Assigned access lock app|b84f4722-313e-4f85-8f41-cf5417c9c5cb||
|Bing lock images|5f28c179-2780-41df-b966-27807b8de02c||
|Block and filter|59553c14-5701-49a2-9909-264d034deb3d||
|Broker plug-in (same as Work or school account)||Microsoft.AAD.BrokerPlugin|
|Calculator|b58171c6-c70c-4266-a2e8-8f9c994f4456|Microsoft.WindowsCalculator|
|Camera|f0d8fefd-31cd-43a1-a45a-d0276db069f1|Microsoft.WindowsCamera|
|CertInstaller|4c4ad968-7100-49de-8cd1-402e198d869e||
|Color profile|b08997ca-60ab-4dce-b088-f92e9c7994f3||
|Connect|af7d2801-56c0-4eb1-824b-dd91cdf7ece5|Microsoft.DevicesFlow|
|Contact Support|0db5fcff-4544-458a-b320-e352dfd9ca2b|Windows.ContactSupport|
|Cortana|fd68dcf4-166f-4c55-a4ca-348020f71b94|Microsoft.Windows.Cortana|
|Cortana Listen UI||CortanaListenUI|
|Credentials Dialog Host||Microsoft.CredDialogHost|
|Device Portal PIN UX||holopairingapp|
|Email and accounts|39cf127b-8c67-c149-539a-c02271d07060|Microsoft.AccountsControl|
|Enterprise installs app|da52fa01-ac0f-479d-957f-bfe4595941cb||
|Equalizer|373cb76e-7f6c-45aa-8633-b00e85c73261||
|Excel|ead3e7c0-fae6-4603-8699-6a448138f4dc|Microsoft.Office.Excel|
|Facebook|82a23635-5bd9-df11-a844-00237de2db9e|Microsoft.MSFacebook|
|Field Medic|73c58570-d5a7-46f8-b1b2-2a90024fc29c||
|File Explorer|c5e2524a-ea46-4f67-841f-6a9465d9d515|c5e2524a-ea46-4f67-841f-6a9465d9d515|
|FM Radio|f725010e-455d-4c09-ac48-bcdef0d4b626|f725010e-455d-4c09-ac48-bcdef0d4b626|
|Get Started|b3726308-3d74-4a14-a84c-867c8c735c3c|Microsoft.Getstarted|
|Glance|106e0a97-8b19-42cf-8879-a8ed2598fcbb||
|Groove Music|d2b6a184-da39-4c9a-9e0a-8b589b03dec0|Microsoft.ZuneMusic|
|Hands-Free Activation|df6c9621-e873-4e86-bb56-93e9f21b1d6f||
|Hands-Free Activation|72803bd5-4f36-41a4-a349-e83e027c4722||
|HAP update background worker|73c73cdd-4dea-462c-bd83-fa983056a4ef||
|Holographic Shell||HoloShell|
|Lumia motion data|8fc25fd2-4e2e-4873-be44-20e57f6ec52b||
|Maps|ed27a07e-af57-416b-bc0c-2596b622ef7d|Microsoft.WindowsMaps|
|Messaging|27e26f40-e031-48a6-b130-d1f20388991a|Microsoft.Messaging|
|Microsoft account|3a4fae89-7b7e-44b4-867b-f7e2772b8253|Microsoft.CloudExperienceHost|
|Microsoft Edge|395589fb-5884-4709-b9df-f7d558663ffd|Microsoft.MicrosoftEdge|
|Microsoft Frameworks|ProductID = 00000000-0000-0000-0000-000000000000 PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"||
|Migration UI||MigrationUIApp|
|MiracastView|906beeda-b7e6-4ddc-ba8d-ad5031223ef9|906beeda-b7e6-4ddc-ba8d-ad5031223ef9|
|Mixed Reality Portal||Microsoft.Windows.HolographicFirstRun|
|Money|1e0440f1-7abf-4b9a-863d-177970eefb5e|Microsoft.BingFinance|
|Movies and TV|6affe59e-0467-4701-851f-7ac026e21665|Microsoft.ZuneVideo|
|Music downloads|3da8a0c1-f7e5-47c0-a680-be8fd013f747||
|Navigation bar|2cd23676-8f68-4d07-8dd2-e693d4b01279||
|Network services|62f172d1-f552-4749-871c-2afd1c95c245||
|News|9c3e8cad-6702-4842-8f61-b8b33cc9caf1|Microsoft.BingNews|
|OneDrive|ad543082-80ec-45bb-aa02-ffe7f4182ba8|Microsoft.MicrosoftSkydrive|
|OneNote|ca05b3ab-f157-450c-8c49-a1f127f5e71d|Microsoft.Office.OneNote|
|Outlook Calendar and Mail|a558feba-85d7-4665-b5d8-a2ff9c19799b|Microsoft.WindowsCommunicationsApps|
|People|60be1fb8-3291-4b21-bd39-2221ab166481|Microsoft.People|
|Phone|5b04b775-356b-4aa0-aaf8-6491ffea5611|5b04b775-356b-4aa0-aaf8-6491ffea5611|
|Phone (dialer)|f41b5d0e-ee94-4f47-9cfe-3d3934c5a2c7|Microsoft.CommsPhone|
|Phone reset dialog|2864278d-09b5-46f7-b502-1c24139ecbdd||
|Photos|fca55e1b-b9a4-4289-882f-084ef4145005|Microsoft.Windows.Photos|
|Podcasts|c3215724-b279-4206-8c3e-61d1a9d63ed3|Microsoft.MSPodcast|
|Podcast downloads|063773e7-f26f-4a92-81f0-aa71a1161e30||
|PowerPoint|b50483c4-8046-4e1b-81ba-590b24935798|Microsoft.Office.PowerPoint|
|PrintDialog|0d32eeb1-32f0-40da-8558-cea6fcbec4a4|Microsoft.PrintDialog|
|Purchase dialog|c60e79ca-063b-4e5d-9177-1309357b2c3f||
|Rate your device|aec3bfad-e38c-4994-9c32-50bd030730ec||
|RingtoneApp.WindowsPhone|3e962450-486b-406b-abb5-d38b4ee7e6fe|Microsoft.Tonepicker|
|Save ringtone|d8cf8ec7-ec6d-4892-aab9-1e3a4b5fa24b||
|Settings|2a4e62d8-8809-4787-89f8-69d0f01654fb|2a4e62d8-8809-4787-89f8-69d0f01654fb|
|Settings||SystemSettings|
|Setup wizard|07d87655-e4f0-474b-895a-773790ad4a32||
|Sharing|b0894dfd-4671-4bb9-bc17-a8b39947ffb6||
|Sign in for Windows 10 Holographic||WebAuthBridgeInternetSso, WebAuthBridgeInternet, WebAuthBridgeIntranetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternet, WebAuthBrokerIntranetSso, SignIn|
|Skype|c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51|Microsoft.SkypeApp|
|Skype Video|27e26f40-e031-48a6-b130-d1f20388991a|Microsoft.Messaging|
|Sports|0f4c8c7e-7114-4e1e-a84c-50664db13b17|Microsoft.BingSports|
|SSMHost|e232aa77-2b6d-442c-b0c3-f3bb9788af2a||
|Start|5b04b775-356b-4aa0-aaf8-6491ffea5602|5b04b775-356b-4aa0-aaf8-6491ffea5602|
|Storage|5b04b775-356b-4aa0-aaf8-6491ffea564d|5b04b775-356b-4aa0-aaf8-6491ffea564d|
|Store|7d47d89a-7900-47c5-93f2-46eb6d94c159|Microsoft.WindowsStore|
|Touch (gestures and touch)|bbc57c87-46af-4c2c-824e-ac8104cceb38||
|Voice recorder|7311b9c5-a4e9-4c74-bc3c-55b06ba95ad0|Microsoft.WindowsSoundRecorder|
|Wallet|587a4577-7868-4745-a29e-f996203f1462|Microsoft.MicrosoftWallet|
|Wallet|12ae577e-f8d1-4197-a207-4d24c309ff8f|Microsoft.Wallet|
|Weather|63c2a117-8604-44e7-8cef-df10be3a57c8|Microsoft.BingWeather|
|Windows default lock screen|cdd63e31-9307-4ccb-ab62-1ffa5721b503||
|Windows Feedback|7604089d-d13f-4a2d-9998-33fc02b63ce3|Microsoft.WindowsFeedback|
|Word|258f115c-48f4-4adb-9a68-1387e634459b|Microsoft.Office.Word|
|Work or school account|e5f8b2c4-75ae-45ee-9be8-212e34f77747|Microsoft.AAD.BrokerPlugin|
|Xbox|b806836f-eebe-41c9-8669-19e243b81b83|Microsoft.XboxApp|
|Xbox identity provider|ba88225b-059a-45a2-a8eb-d3580283e49d|Microsoft.XboxIdentityProvider|
## <a href="" id="allow-list-examples"></a>Allowlist examples
@ -1887,4 +1461,4 @@ In this example, Contoso is the node name. We recommend using a GUID for this no
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
[Configuration service provider reference](configuration-service-provider-reference.md)

120
windows/client-management/mdm/assign-seats.md
View File

@ -18,62 +18,21 @@ The **Assign seat** operation assigns seat for a specified user in the Microsoft
## Request
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Method</th>
<th>Request URI</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>POST</p></td>
<td><p>https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}</p></td>
</tr>
</tbody>
</table>
**POST:**
```http
https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}
```
 
### URI parameters
The following parameters may be specified in the request URI.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Parameter</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>productId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier for an application that is used by the Store for Business.</p></td>
</tr>
<tr class="even">
<td><p>skuId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier that specifies a specific SKU of an application.</p></td>
</tr>
<tr class="odd">
<td><p>username</p></td>
<td><p>string</p></td>
<td><p>Requires UserPrincipalName (UPN). User name of the target user account.</p></td>
</tr>
</tbody>
</table>
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|username|string|Requires UserPrincipalName (UPN). User name of the target user account.|
## Response
@ -81,58 +40,9 @@ The following parameters may be specified in the request URI.
The response body contains [SeatDetails](data-structures-windows-store-for-business.md#seatdetails).
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th>Error code</th>
<th>Description</th>
<th>Retry</th>
<th>Data field</th>
<th>Details</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>400</p></td>
<td><p>Invalid parameters</p></td>
<td><p>No</p></td>
<td><p>Parameter name</p>
<p>Reason: Invalid parameter</p>
<p>Details: String</p></td>
<td><p>Invalid can include productId, skuId or userName</p></td>
</tr>
<tr class="even">
<td><p>404</p></td>
<td><p>Not found</p></td>
<td></td>
<td><p>Item type: Inventory, User, Seat</p>
<p>Values: ProductId/SkuId, UserName, ProductId/SkuId/UserName</p></td>
<td><p>ItemType: Inventory User Seat</p>
<p>Values: ProductId/SkuId UserName ProductId/SkuId/UserName</p></td>
</tr>
<tr class="odd">
<td><p>409</p></td>
<td><p>Conflict</p></td>
<td></td>
<td><p>Reason: Not online</p></td>
<td></td>
</tr>
</tbody>
</table>
 
 
|Error code|Description|Retry|Data field|Details|
|--- |--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name <br>Reason: Invalid parameter<br>Details: String|Invalid can include productId, skuId or userName|
|404|Not found||Item type: Inventory, User, Seat<br> <br>Values: ProductId/SkuId, UserName, ProductId/SkuId/UserName|ItemType: Inventory User Seat<br> <br>Values: ProductId/SkuId UserName ProductId/SkuId/UserName|
|409|Conflict||Reason: Not online||

593
windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
View File

@ -9,6 +9,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.collection: highpri
---
# Azure Active Directory integration with MDM
@ -135,7 +136,7 @@ Use the following steps to register a cloud-based MDM application with Azure AD.
8. Enter the login URL for your MDM service.
9. For the App ID, enter **https://&lt;your\_tenant\_name>/ContosoMDM**, then select OK.
9. For the App ID, enter `https://<your_tenant_name>/ContosoMDM`, then select OK.
10. While still in the Azure portal, select the **Configure** tab of your application.
@ -187,40 +188,14 @@ The following image show how MDM applications show up in the Azure app gallery.
The following table shows the required information to create an entry in the Azure AD app gallery.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Item</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>Application ID</strong></p></td>
<td><p>The client ID of your MDM app that is configured within your tenant. This ID is the unique identifier for your multi-tenant app.</p></td>
</tr>
<tr class="even">
<td><p><strong>Publisher</strong></p></td>
<td><p>A string that identifies the publisher of the app.</p></td>
</tr>
<tr class="odd">
<td><p><strong>Application URL</strong></p></td>
<td><p>A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL isn't used for the actual enrollment.</p></td>
</tr>
<tr class="even">
<td><p><strong>Description</strong></p></td>
<td><p>A brief description of your MDM app, which must be under 255 characters.</p></td>
</tr>
<tr class="odd">
<td><p><strong>Icons</strong></p></td>
<td><p>A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215</p></td>
</tr>
</tbody>
</table>
|Item|Description|
|--- |--- |
|**Application ID**|The client ID of your MDM app that is configured within your tenant. This ID is the unique identifier for your multi-tenant app.|
|**Publisher**|A string that identifies the publisher of the app.|
|**Application URL**|A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL isn't used for the actual enrollment.|
|**Description**|A brief description of your MDM app, which must be under 255 characters.|
|**Icons**|A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215|
### Add on-premises MDM to the app gallery
@ -250,42 +225,10 @@ The CSS files provided by Microsoft contain version information and we recommend
An MDM page must adhere to a predefined theme depending on the scenario that is displayed. For example, if the CXH-HOSTHTTP header is FRX, which is the OOBE scenario, then the page must support a dark theme with blue background color, which uses WinJS file Ui-dark.css ver 4.0 and oobe-desktop.css ver 1.0.4.
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th>CXH-HOST (HTTP HEADER)</th>
<th>Scenario</th>
<th>Background Theme</th>
<th>WinJS</th>
<th>Scenario CSS</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>FRX</td>
<td>OOBE</td>
<td>Dark theme + blue background color</td>
<td>Filename: Ui-dark.css</td>
<td>Filename: oobe-dekstop.css</td>
</tr>
<tr class="even">
<td>MOSET</td>
<td>Settings/
<p>Post OOBE</p></td>
<td>Light theme</td>
<td>Filename: Ui-light.css</td>
<td>Filename: settings-desktop.css</td>
</tr>
</tbody>
</table>
|CXH-HOST (HTTP HEADER)|Scenario|Background Theme|WinJS|Scenario CSS|
|--- |--- |--- |--- |--- |
|FRX|OOBE|Dark theme + blue background color|Filename: Ui-dark.css|Filename: oobe-dekstop.css|
|MOSET|Settings/Post OOBE|Light theme|Filename: Ui-light.css|Filename: settings-desktop.css|
## Terms of Use protocol semantics
@ -293,40 +236,16 @@ The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join
### Redirect to the Terms of Use endpoint
This redirect is a full page redirect to the Terms of User endpoint hosted by the MDM. Here's an example URL, https:<span></span>//fabrikam.contosomdm.com/TermsOfUse.
This redirect is a full page redirect to the Terms of User endpoint hosted by the MDM. Here's an example URL, `https://fabrikam.contosomdm.com/TermsOfUse`.
The following parameters are passed in the query string:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Item</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>redirect_uri</p></td>
<td><p>After the user accepts or rejects the Terms of Use, the user is redirected to this URL.</p></td>
</tr>
<tr class="even">
<td><p>client-request-id</p></td>
<td><p>A GUID that is used to correlate logs for diagnostic and debugging purposes. Use this parameter to log or trace the state of the enrollment request to help find the root cause of failures.</p></td>
</tr>
<tr class="odd">
<td><p>api-version</p></td>
<td><p>Specifies the version of the protocol requested by the client. This value provides a mechanism to support version revisions of the protocol.</p></td>
</tr>
<tr class="even">
<td><p>mode</p></td>
<td><p>Specifies that the device is organization owned when mode=azureadjoin. This parameter isn't present for BYOD devices.</p></td>
</tr>
</tbody>
</table>
|Item|Description|
|--- |--- |
|redirect_uri|After the user accepts or rejects the Terms of Use, the user is redirected to this URL.|
|client-request-id|A GUID that is used to correlate logs for diagnostic and debugging purposes. Use this parameter to log or trace the state of the enrollment request to help find the root cause of failures.|
|api-version|Specifies the version of the protocol requested by the client. This value provides a mechanism to support version revisions of the protocol.|
|mode|Specifies that the device is organization owned when mode=azureadjoin. This parameter isn't present for BYOD devices.|
### Access token
@ -337,37 +256,13 @@ Azure AD issues a bearer access token. The token is passed in the authorization
The following claims are expected in the access token passed by Windows to the Terms of Use endpoint:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Item</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Object ID</p></td>
<td><p>Identifier of the user object corresponding to the authenticated user.</p></td>
</tr>
<tr class="even">
<td><p>UPN</p></td>
<td><p>A claim containing the user principal name (UPN) of the authenticated user.</p></td>
</tr>
<tr class="odd">
<td><p>TID</p></td>
<td><p>A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.</p></td>
</tr>
<tr class="even">
<td><p>Resource</p></td>
<td><p>A sanitized URL representing the MDM application. Example, https:<span></span>//fabrikam.contosomdm.com.</p></td>
</tr>
</tbody>
</table>
<br/>
|Item|Description|
|--- |--- |
|Object ID|Identifier of the user object corresponding to the authenticated user.|
|UPN|A claim containing the user principal name (UPN) of the authenticated user.|
|TID|A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.|
|Resource|A sanitized URL representing the MDM application. Example: `https://fabrikam.contosomdm.com` |
> [!NOTE]
> There's no device ID claim in the access token because the device may not yet be enrolled at this time.
@ -428,184 +323,35 @@ Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=A
The following table shows the error codes.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Cause</th>
<th>HTTP status</th>
<th>Error</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>api-version</p></td>
<td><p>302</p></td>
<td><p>invalid_request</p></td>
<td><p>unsupported version</p></td>
</tr>
<tr class="even">
<td><p>Tenant or user data are missing or other required prerequisites for device enrollment are not met</p></td>
<td><p>302</p></td>
<td><p>unauthorized_client</p></td>
<td><p>unauthorized user or tenant</p></td>
</tr>
<tr class="odd">
<td><p>Azure AD token validation failed</p></td>
<td><p>302</p></td>
<td><p>unauthorized_client</p></td>
<td><p>unauthorized_client</p></td>
</tr>
<tr class="even">
<td><p>internal service error</p></td>
<td><p>302</p></td>
<td><p>server_error</p></td>
<td><p>internal service error</p></td>
</tr>
</tbody>
</table>
|Cause|HTTP status|Error|Description|
|--- |--- |--- |--- |
|api-version|302|invalid_request|unsupported version|
|Tenant or user data are missing or other required prerequisites for device enrollment are not met|302|unauthorized_client|unauthorized user or tenant|
|Azure AD token validation failed|302|unauthorized_client|unauthorized_client|
|internal service error|302|server_error|internal service error|
## Enrollment protocol with Azure AD
With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Detail</th>
<th>Traditional MDM enrollment</th>
<th>Azure AD Join (organization-owned device)</th>
<th>Azure AD adds a work account (user-owned device)</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>MDM auto-discovery using email address to retrieve MDM discovery URL</p></td>
<td><p>Enrollment</p></td>
<td><p>Not applicable</p>
<p>Discovery URL provisioned in Azure</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>Uses MDM discovery URL</p></td>
<td><p>Enrollment</p>
<p>Enrollment renewal</p>
<p>ROBO</p></td>
<td><p>Enrollment</p>
<p>Enrollment renewal</p>
<p>ROBO</p></td>
<td><p>Enrollment</p>
<p>Enrollment renewal</p>
<p>ROBO</p></td>
</tr>
<tr class="odd">
<td><p>Is MDM enrollment required?</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>No</p>
<p>User can decline.</p></td>
</tr>
<tr class="even">
<td><p>Authentication type</p></td>
<td><p>OnPremise</p>
<p>Federated</p>
<p>Certificate</p></td>
<td><p>Federated</p></td>
<td><p>Federated</p></td>
</tr>
<tr class="odd">
<td><p>EnrollmentPolicyServiceURL</p></td>
<td><p>Optional (all auth)</p></td>
<td><p>Optional (all auth)</p>
<p></p></td>
<td><p>Optional (all auth)</p>
<p></p></td>
</tr>
<tr class="even">
<td><p>EnrollmentServiceURL</p></td>
<td><p>Required (all auth)</p></td>
<td><p>Used (all auth)</p></td>
<td><p>Used (all auth)</p></td>
</tr>
<tr class="odd">
<td><p>EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL</p></td>
<td><p>Highly recommended</p></td>
<td><p>Highly recommended</p></td>
<td><p>Highly recommended</p></td>
</tr>
<tr class="even">
<td><p>AuthenticationServiceURL used</p></td>
<td><p>Used (Federated auth)</p></td>
<td><p>Skipped</p></td>
<td><p>Skipped</p></td>
</tr>
<tr class="odd">
<td><p>BinarySecurityToken</p></td>
<td><p>Custom per MDM</p></td>
<td><p>Azure AD issued token</p></td>
<td><p>Azure AD issued token</p></td>
</tr>
<tr class="even">
<td><p>EnrollmentType</p></td>
<td><p>Full</p></td>
<td><p>Device</p></td>
<td><p>Full</p></td>
</tr>
<tr class="odd">
<td><p>Enrolled certificate type</p></td>
<td><p>User certificate</p></td>
<td><p>Device certificate</p></td>
<td><p>User certificate</p></td>
</tr>
<tr class="even">
<td><p>Enrolled certificate store</p></td>
<td><p>My/User</p></td>
<td><p>My/System</p></td>
<td><p>My/User</p></td>
</tr>
<tr class="odd">
<td><p>CSR subject name</p></td>
<td><p>User Principal Name</p></td>
<td><p>Device ID</p></td>
<td><p>User Principal Name</p></td>
</tr>
<tr class="even">
<td><p>EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL</p></td>
<td><p>Not supported</p></td>
<td><p>Supported</p></td>
<td><p>Supported</p></td>
</tr>
<tr class="odd">
<td><p>CSPs accessible during enrollment</p></td>
<td><p>Windows 10 support:</p>
<ul>
<li>DMClient</li>
<li>CertificateStore</li>
<li>RootCATrustedCertificates</li>
<li>ClientCertificateInstall</li>
<li>EnterpriseModernAppManagement</li>
<li>PassportForWork</li>
<li>Policy</li>
<li>w7 APPLICATION</li>
</ul>
</tr>
</tbody>
</table>
|Detail|Traditional MDM enrollment|Azure AD Join (organization-owned device)|Azure AD adds a work account (user-owned device)|
|--- |--- |--- |--- |
|MDM auto-discovery using email address to retrieve MDM discovery URL|Enrollment|Not applicable<br>Discovery URL provisioned in Azure||
|Uses MDM discovery URL|Enrollment<br>Enrollment renewal<br>ROBO|Enrollment<br>Enrollment renewal<br>ROBO|Enrollment<br>Enrollment renewal<br>ROBO|
|Is MDM enrollment required?|Yes|Yes|No<br>User can decline.|
|Authentication type|OnPremise<br>Federated<br>Certificate|Federated|Federated|
|EnrollmentPolicyServiceURL|Optional (all auth)|Optional (all auth)|Optional (all auth)|
|EnrollmentServiceURL|Required (all auth)|Used (all auth)|Used (all auth)|
|EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL|Highly recommended|Highly recommended|Highly recommended|
|AuthenticationServiceURL used|Used (Federated auth)|Skipped|Skipped|
|BinarySecurityToken|Custom per MDM|Azure AD issued token|Azure AD issued token|
|EnrollmentType|Full|Device|Full|
|Enrolled certificate type|User certificate|Device certificate|User certificate|
|Enrolled certificate store|My/User|My/System|My/User|
|CSR subject name|User Principal Name|Device ID|User Principal Name|
|EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL|Not supported|Supported|Supported|
|CSPs accessible during enrollment|Windows 10 support: <br/>- DMClient <br/>- CertificateStore <br/>- RootCATrustedCertificates <br/> - ClientCertificateInstall <br/>- EnterpriseModernAppManagement <br/> - PassportForWork <br/> - Policy <br/> - w7 APPLICATION|||
## Management protocol with Azure AD
@ -737,202 +483,41 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di
## Error codes
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Code</th>
<th>ID</th>
<th>Error message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>0x80180001</td>
<td>"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td>0x80180002</td>
<td>"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x80180003</td>
<td>"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR</td>
<td><p>This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180004</td>
<td>"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR</td>
<td><p>There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x80180005</td>
<td>"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td>0x80180006</td>
<td>"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td>0x80180007</td>
<td>"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180008</td>
<td>"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td>0x80180009</td>
<td>"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS</td>
<td><p>Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x8018000A</td>
<td>"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED</td>
<td><p>This device is already enrolled. You can contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x8018000D</td>
<td>"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID</td>
<td><p>There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x8018000E</td>
<td>"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x8018000F</td>
<td>"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180010</td>
<td>"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td>0x80180012</td>
<td>"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT</td>
<td><p>There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180013</td>
<td>"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED</td>
<td><p>Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x80180014</td>
<td>"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED</td>
<td><p>This feature isn't supported. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180015</td>
<td>"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED</td>
<td><p>This feature isn't supported. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x80180016</td>
<td>"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW</td>
<td><p>The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180017</td>
<td>"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE</td>
<td><p>The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x80180018</td>
<td>"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE</td>
<td><p>There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x80180019</td>
<td>"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID</td>
<td><p>Looks like the server isn't correctly configured. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>"rejectedTermsOfUse"</td>
<td>"idErrorRejectedTermsOfUse"</td>
<td><p>Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.</p></td>
</tr>
<tr class="even">
<td>0x801c0001</td>
<td>"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td>0x801c0002</td>
<td>"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x801c0003</td>
<td>"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR</td>
<td><p>This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x801c0006</td>
<td>"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td>0x801c000B</td>
<td>"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED</td>
<td>The server being contacted isn't trusted. Contact your system administrator with the error code {0}.</td>
</tr>
<tr class="odd">
<td>0x801c000C</td>
<td>"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td>0x801c000E</td>
<td>"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED</td>
<td><p>Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x801c000F</td>
<td>"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT</td>
<td><p>A reboot is required to complete device registration.</p></td>
</tr>
<tr class="even">
<td>0x801c0010</td>
<td>"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR</td>
<td><p>Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td>0x801c0011</td>
<td>"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x801c0012</td>
<td>"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR</td>
<td><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td>0x801c0013</td>
<td>"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td>0x801c0014</td>
<td>"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND</td>
<td><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
</tbody>
</table>
|Code|ID|Error message|
|--- |--- |--- |
|0x80180001|"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x80180002|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180003|"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180004|"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180005|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x80180006|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x80180007|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180008|"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x80180009|"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS|Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.|
|0x8018000A|"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED|This device is already enrolled. You can contact your system administrator with the error code {0}.|
|0x8018000D|"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
|0x8018000E|"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x8018000F|"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180010|"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x80180012|"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180013|"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.|
|0x80180014|"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED|This feature isn't supported. Contact your system administrator with the error code {0}.|
|0x80180015|"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED|This feature isn't supported. Contact your system administrator with the error code {0}.|
|0x80180016|"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW|The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180017|"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE|The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.|
|0x80180018|"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE|There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.|
|0x80180019|"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID|Looks like the server isn't correctly configured. You can try to do this again or contact your system administrator with the error code {0}.|
|"rejectedTermsOfUse"|"idErrorRejectedTermsOfUse"|Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.|
|0x801c0001|"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x801c0002|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x801c0003|"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.|
|0x801c0006|"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x801c000B|"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED|The server being contacted isn't trusted. Contact your system administrator with the error code {0}.|
|0x801c000C|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x801c000E|"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.|
|0x801c000F|"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT|A reboot is required to complete device registration.|
|0x801c0010|"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR|Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.|
|0x801c0011|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x801c0012|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
|0x801c0013|"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
|0x801c0014|"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|

988
windows/client-management/mdm/bitlocker-csp.md
View File

File diff suppressed because it is too large Load Diff

52
windows/client-management/mdm/browserfavorite-csp.md
View File

@ -9,7 +9,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
ms.date: 10/25/2021
---
# BrowserFavorite CSP
@ -17,14 +17,15 @@ ms.date: 06/26/2017
The BrowserFavorite configuration service provider is used to add and remove URLs from the favorites list on a device.
> **Note**  BrowserFavorite CSP is only supported in Windows Phone 8.1.
> [!Note]
> BrowserFavorite CSP is only supported in Windows Phone 8.1.
The BrowserFavorite configuration service provider manages only the favorites at the root favorite folder level. It does not manage subfolders under the root favorite folder nor does it manage favorites under a subfolder.
> **Note**  
This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_INTERNET\_EXPLORER\_FAVORITES capabilities to be accessed from a network configuration application.
> [!Note]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_INTERNET\_EXPLORER\_FAVORITES capabilities to be accessed from a network configuration application.
@ -39,7 +40,8 @@ favorite name
<a href="" id="favorite-name-------------"></a>***favorite name***
Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
> **Note**  The *favorite name* should contain only characters that are valid in the Windows file system. The invalid characters are: \\ / : \* ? " < > |
> [!Note]
> The *favorite name* should contain only characters that are valid in the Windows file system. The invalid characters are: \\ / : \* ? " < > |
@ -69,40 +71,12 @@ Adding a new browser favorite.
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Elements</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>Noparm</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>Nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>Characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top-level query: Yes</p></td>
</tr>
</tbody>
</table>
|Elements|Available|
|--- |--- |
|Parm-query|Yes|
|Noparm|Yes|
|Nocharacteristic|Yes|
|Characteristic-query|Yes<br> <br>Recursive query: Yes<br> <br>Top-level query: Yes|
## Related topics

99
windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md
View File

@ -18,66 +18,22 @@ The **Bulk assign and reclaim seats from users** operation returns reclaimed or
## Request
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Method</th>
<th>Request URI</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>POST</p></td>
<td><p>https:<span></span>//bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats</p></td>
</tr>
</tbody>
</table>
**POST**:
```http
https:<span></span>//bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats
```
### URI parameters
The following parameters may be specified in the request URI.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Parameter</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>productId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier for an application that is used by the Store for Business.</p></td>
</tr>
<tr class="even">
<td><p>skuId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier that specifies a specific SKU of an application.</p></td>
</tr>
<tr class="odd">
<td><p>username</p></td>
<td><p>string</p></td>
<td><p>Requires UserPrincipalName (UPN). User name of the target user account.</p></td>
</tr>
<tr class="even">
<td><p>seatAction</p></td>
<td><p><a href="data-structures-windows-store-for-business.md#seataction" data-raw-source="[SeatAction](data-structures-windows-store-for-business.md#seataction)">SeatAction</a></p></td>
<td></td>
</tr>
</tbody>
</table>
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|username|string|Requires UserPrincipalName (UPN). User name of the target user account.|
|seatAction|[SeatAction](data-structures-windows-store-for-business.md#seataction) ||
## Response
@ -86,37 +42,8 @@ The following parameters may be specified in the request URI.
The response body contains [BulkSeatOperationResultSet](data-structures-windows-store-for-business.md#bulkseatoperationresultset).
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Error code</th>
<th>Description</th>
<th>Retry</th>
<th>Data field</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>404</p></td>
<td><p>Not found</p></td>
<td></td>
<td><p>Item type: Inventory</p>
<p>Values: ProductId/SkuId</p></td>
</tr>
</tbody>
</table>
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|404|Not found||Item type: Inventory<br> Values: ProductId/SkuId|

31
windows/client-management/mdm/cellularsettings-csp.md
View File

@ -30,32 +30,11 @@ CellularSettings
<a href="" id="dataroam"></a>**DataRoam**
<p> Optional. Integer. Specifies the default roaming value. Valid values are:</p>
<table><table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Setting</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>0</p></td>
<td><p>Dont roam</p></td>
</tr>
<tr class="even">
<td><p>1</p></td>
<td><p>Dont roam (or Domestic roaming if applicable)</p></td>
</tr>
<tr class="odd">
<td><p>2</p></td>
<td><p>Roam</p></td>
</tr>
</tbody>
</table>
|Value|Setting|
|--- |--- |
|0|Dont roam|
|1|Dont roam (or Domestic roaming if applicable)|
|2|Roam|
## Related topics

972
windows/client-management/mdm/change-history-for-mdm-documentation.md
View File

File diff suppressed because one or more lines are too long

2
windows/client-management/mdm/cleanpc-csp.md
View File

@ -5,7 +5,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 06/26/2017
ms.reviewer:
manager: dansimp

2
windows/client-management/mdm/cleanpc-ddf.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 12/05/2017
---

2
windows/client-management/mdm/clientcertificateinstall-csp.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 07/30/2021
---

2
windows/client-management/mdm/clientcertificateinstall-ddf-file.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 12/05/2017
---

75
windows/client-management/mdm/cm-cellularentries-csp.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 08/02/2017
---
@ -70,38 +70,14 @@ CM_CellularEntries
<a href="" id="connectiontype"></a>**ConnectionType**
<p>Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available:
<table><table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<tbody>
<tr class="odd">
<td><p>Gprs</p></td>
<td><p>Default. Used for GPRS type connections (GPRS + GSM + EDGE + UMTS + LTE).</p></td>
</tr>
<tr class="even">
<td><p>Cdma</p></td>
<td><p>Used for CDMA type connections (1XRTT + EVDO).</p></td>
</tr>
<tr class="odd">
<td><p>Lte</p></td>
<td><p>Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.</p></td>
</tr>
<tr class="even">
<td><p>Legacy</p></td>
<td><p>Used for GPRS + GSM + EDGE + UMTS connections.</p></td>
</tr>
<tr class="odd">
<td><p>Lte_iwlan</p></td>
<td><p>Used for GPRS type connections that may be offloaded over WiFi</p></td>
</tr>
<tr class="even">
<td><p>Iwlan</p></td>
<td><p>Used for connections that are implemented over WiFi offload only</p></td>
</tr>
</tbody>
</table>
|Connection type|Usage|
|--- |--- |
|Gprs|Default. Used for GPRS type connections (GPRS + GSM + EDGE + UMTS + LTE).|
|Cdma|Used for CDMA type connections (1XRTT + EVDO).|
|Lte|Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.|
|Legacy|Used for GPRS + GSM + EDGE + UMTS connections.|
|Lte_iwlan|Used for GPRS type connections that may be offloaded over WiFi|
|Iwlan|Used for connections that are implemented over WiFi offload only|
@ -295,37 +271,14 @@ Configuring a CDMA connection:
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>Characteristic-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>Parm-query</p></td>
<td><p>Yes</p></td>
</tr>
</tbody>
</table>
|Element|Available|
|--- |--- |
|Nocharacteristic|Yes|
|Characteristic-query|Yes|
|Parm-query|Yes|
## Related topics

210
windows/client-management/mdm/cmpolicy-csp.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 06/26/2017
---
@ -29,7 +29,7 @@ Each policy entry identifies one or more applications in combination with a host
The following shows the CMPolicy configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
```
```console
./Vendor/MSFT
CMPolicy
----PolicyName
@ -42,6 +42,7 @@ CMPolicy
----------------ConnectionID
----------------Type
```
<a href="" id="policyname"></a>***policyName***
Defines the name of the policy.
@ -83,154 +84,44 @@ For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you hav
For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. The curly brackets {} around the GUID are required. The following connection types are available:
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Connection type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GSM</p></td>
<td><p>{A05DC613-E393-40ad-AA89-CCCE04277CD9}</p></td>
</tr>
<tr class="even">
<td><p>CDMA</p></td>
<td><p>{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}</p></td>
</tr>
<tr class="odd">
<td><p>Legacy 3GPP</p></td>
<td><p>{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}</p></td>
</tr>
<tr class="even">
<td><p>LTE</p></td>
<td><p>{2378E547-8312-46A5-905E-5C581E92693B}</p></td>
</tr>
<tr class="odd">
<td><p>Wi-Fi</p></td>
<td><p>{8568B401-858E-4B7B-B3DF-0FD4927F131B}</p></td>
</tr>
<tr class="even">
<td><p>Wi-Fi hotspot</p></td>
<td><p>{072FC7DC-1D93-40D1-9BB0-2114D7D73434}</p></td>
</tr>
</tbody>
</table>
|Connection type|GUID|
|--- |--- |
|GSM|{A05DC613-E393-40ad-AA89-CCCE04277CD9}|
|CDMA|{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}|
|Legacy 3GPP|{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}|
|LTE|{2378E547-8312-46A5-905E-5C581E92693B}|
|Wi-Fi|{8568B401-858E-4B7B-B3DF-0FD4927F131B}|
|Wi-Fi hotspot|{072FC7DC-1D93-40D1-9BB0-2114D7D73434}|
For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available:
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Network type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GPRS</p></td>
<td><p>{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}</p></td>
</tr>
<tr class="even">
<td><p>1XRTT</p></td>
<td><p>{B1E700AE-A62F-49FF-9BBE-B880C995F27D}</p></td>
</tr>
<tr class="odd">
<td><p>EDGE</p></td>
<td><p>{C347F8EC-7095-423D-B838-7C7A7F38CD03}</p></td>
</tr>
<tr class="even">
<td><p>WCDMA UMTS</p></td>
<td><p>{A72F04C6-9BE6-4151-B5EF-15A53E12C482}</p></td>
</tr>
<tr class="odd">
<td><p>WCDMA FOMA</p></td>
<td><p>{B8326098-F845-42F3-804E-8CC3FF7B50B4}</p></td>
</tr>
<tr class="even">
<td><p>1XEVDO</p></td>
<td><p>{DD42DF39-EBDF-407C-8146-1685416401B2}</p></td>
</tr>
<tr class="odd">
<td><p>1XEVDV</p></td>
<td><p>{61BF1BFD-5218-4CD4-949C-241CA3F326F6}</p></td>
</tr>
<tr class="even">
<td><p>HSPA HSDPA</p></td>
<td><p>{047F7282-BABD-4893-AA77-B8B312657F8C}</p></td>
</tr>
<tr class="odd">
<td><p>HSPA HSUPA</p></td>
<td><p>{1536A1C6-A4AF-423C-8884-6BDDA3656F84}</p></td>
</tr>
<tr class="even">
<td><p>LTE</p></td>
<td><p>{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}</p></td>
</tr>
<tr class="odd">
<td><p>EHRPD</p></td>
<td><p>{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet 10 Mbps</p></td>
<td><p>{97D3D1B3-854A-4C32-BD1C-C13069078370}</p></td>
</tr>
<tr class="odd">
<td><p>Ethernet 100 Mbps</p></td>
<td><p>{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet Gbps</p></td>
<td><p>{556C1E6B-B8D4-448E-836D-9451BA4CCE75}</p></td>
</tr>
</tbody>
</table>
|Network type|GUID|
|--- |--- |
|GPRS|{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}|
|1XRTT|{B1E700AE-A62F-49FF-9BBE-B880C995F27D}|
|EDGE|{C347F8EC-7095-423D-B838-7C7A7F38CD03}|
|WCDMA UMTS|{A72F04C6-9BE6-4151-B5EF-15A53E12C482}|
|WCDMA FOMA|{B8326098-F845-42F3-804E-8CC3FF7B50B4}|
|1XEVDO|{DD42DF39-EBDF-407C-8146-1685416401B2}|
|1XEVDV|{61BF1BFD-5218-4CD4-949C-241CA3F326F6}|
|HSPA HSDPA|{047F7282-BABD-4893-AA77-B8B312657F8C}|
|HSPA HSUPA|{1536A1C6-A4AF-423C-8884-6BDDA3656F84}|
|LTE|{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}|
|EHRPD|{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}|
|Ethernet 10 Mbps|{97D3D1B3-854A-4C32-BD1C-C13069078370}|
|Ethernet 100 Mbps|{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}|
|Ethernet Gbps|{556C1E6B-B8D4-448E-836D-9451BA4CCE75}|
For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available:
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Device type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Cellular device</p></td>
<td><p>{F9A53167-4016-4198-9B41-86D9522DC019}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet</p></td>
<td><p>{97844272-00C7-4572-B20A-D8D861C095F2}</p></td>
</tr>
<tr class="odd">
<td><p>Bluetooth</p></td>
<td><p>{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}</p></td>
</tr>
<tr class="even">
<td><p>Virtual</p></td>
<td><p>{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}</p></td>
</tr>
</tbody>
</table>
|Device type|GUID|
|--- |--- |
|Cellular device|{F9A53167-4016-4198-9B41-86D9522DC019}|
|Ethernet|{97844272-00C7-4572-B20A-D8D861C095F2}|
|Bluetooth|{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}|
|Virtual|{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}|
@ -479,36 +370,11 @@ Adding a host-based mapping policy:
## Microsoft Custom Elements
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>uncharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top-level query: Yes</p></td>
</tr>
</tbody>
</table>
|Element|Available|
|--- |--- |
|parm-query|Yes|
|uncharacteristic|Yes|
|characteristic-query|Yes<br> <br>Recursive query: Yes<br> <br>Top-level query: Yes|
## Related topics

212
windows/client-management/mdm/cmpolicyenterprise-csp.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 06/26/2017
---
@ -29,7 +29,8 @@ Each policy entry identifies one or more applications in combination with a host
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
The following shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
```
```console
./Vendor/MSFT
CMPolicy
----PolicyName
@ -83,156 +84,44 @@ For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you hav
For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. The curly brackets {} around the GUID are required. The following connection types are available:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Connection type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GSM</p></td>
<td><p>{A05DC613-E393-40ad-AA89-CCCE04277CD9}</p></td>
</tr>
<tr class="even">
<td><p>CDMA</p></td>
<td><p>{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}</p></td>
</tr>
<tr class="odd">
<td><p>Legacy 3GPP</p></td>
<td><p>{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}</p></td>
</tr>
<tr class="even">
<td><p>LTE</p></td>
<td><p>{2378E547-8312-46A5-905E-5C581E92693B}</p></td>
</tr>
<tr class="odd">
<td><p>Wi-Fi</p></td>
<td><p>{8568B401-858E-4B7B-B3DF-0FD4927F131B}</p></td>
</tr>
<tr class="even">
<td><p>Wi-Fi hotspot</p></td>
<td><p>{072FC7DC-1D93-40D1-9BB0-2114D7D73434}</p></td>
</tr>
</tbody>
</table>
|Connection type|GUID|
|--- |--- |
|GSM|{A05DC613-E393-40ad-AA89-CCCE04277CD9}|
|CDMA|{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}|
|Legacy 3GPP|{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}|
|LTE|{2378E547-8312-46A5-905E-5C581E92693B}|
|Wi-Fi|{8568B401-858E-4B7B-B3DF-0FD4927F131B}|
|Wi-Fi hotspot|{072FC7DC-1D93-40D1-9BB0-2114D7D73434}|
For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Network type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GPRS</p></td>
<td><p>{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}</p></td>
</tr>
<tr class="even">
<td><p>1XRTT</p></td>
<td><p>{B1E700AE-A62F-49FF-9BBE-B880C995F27D}</p></td>
</tr>
<tr class="odd">
<td><p>EDGE</p></td>
<td><p>{C347F8EC-7095-423D-B838-7C7A7F38CD03}</p></td>
</tr>
<tr class="even">
<td><p>WCDMA UMTS</p></td>
<td><p>{A72F04C6-9BE6-4151-B5EF-15A53E12C482}</p></td>
</tr>
<tr class="odd">
<td><p>WCDMA FOMA</p></td>
<td><p>{B8326098-F845-42F3-804E-8CC3FF7B50B4}</p></td>
</tr>
<tr class="even">
<td><p>1XEVDO</p></td>
<td><p>{DD42DF39-EBDF-407C-8146-1685416401B2}</p></td>
</tr>
<tr class="odd">
<td><p>1XEVDV</p></td>
<td><p>{61BF1BFD-5218-4CD4-949C-241CA3F326F6}</p></td>
</tr>
<tr class="even">
<td><p>HSPA HSDPA</p></td>
<td><p>{047F7282-BABD-4893-AA77-B8B312657F8C}</p></td>
</tr>
<tr class="odd">
<td><p>HSPA HSUPA</p></td>
<td><p>{1536A1C6-A4AF-423C-8884-6BDDA3656F84}</p></td>
</tr>
<tr class="even">
<td><p>LTE</p></td>
<td><p>{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}</p></td>
</tr>
<tr class="odd">
<td><p>EHRPD</p></td>
<td><p>{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet 10Mbps</p></td>
<td><p>{97D3D1B3-854A-4C32-BD1C-C13069078370}</p></td>
</tr>
<tr class="odd">
<td><p>Ethernet 100Mbps</p></td>
<td><p>{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet Gbps</p></td>
<td><p>{556C1E6B-B8D4-448E-836D-9451BA4CCE75}</p></td>
</tr>
</tbody>
</table>
|Network type|GUID|
|--- |--- |
|GPRS|{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}|
|1XRTT|{B1E700AE-A62F-49FF-9BBE-B880C995F27D}|
|EDGE|{C347F8EC-7095-423D-B838-7C7A7F38CD03}|
|WCDMA UMTS|{A72F04C6-9BE6-4151-B5EF-15A53E12C482}|
|WCDMA FOMA|{B8326098-F845-42F3-804E-8CC3FF7B50B4}|
|1XEVDO|{DD42DF39-EBDF-407C-8146-1685416401B2}|
|1XEVDV|{61BF1BFD-5218-4CD4-949C-241CA3F326F6}|
|HSPA HSDPA|{047F7282-BABD-4893-AA77-B8B312657F8C}|
|HSPA HSUPA|{1536A1C6-A4AF-423C-8884-6BDDA3656F84}|
|LTE|{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}|
|EHRPD|{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}|
|Ethernet 10Mbps|{97D3D1B3-854A-4C32-BD1C-C13069078370}|
|Ethernet 100Mbps|{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}|
|Ethernet Gbps|{556C1E6B-B8D4-448E-836D-9451BA4CCE75}|
For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Device type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Cellular device</p></td>
<td><p>{F9A53167-4016-4198-9B41-86D9522DC019}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet</p></td>
<td><p>{97844272-00C7-4572-B20A-D8D861C095F2}</p></td>
</tr>
<tr class="odd">
<td><p>Bluetooth</p></td>
<td><p>{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}</p></td>
</tr>
<tr class="even">
<td><p>Virtual</p></td>
<td><p>{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}</p></td>
</tr>
</tbody>
</table>
|Device type|GUID|
|--- |--- |
|Cellular device|{F9A53167-4016-4198-9B41-86D9522DC019}|
|Ethernet|{97844272-00C7-4572-B20A-D8D861C095F2}|
|Bluetooth|{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}|
|Virtual|{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}|
<a href="" id="type"></a>**Type**
Specifies the type of connection being referenced. The following list describes the available connection types:
@ -479,36 +368,11 @@ Adding a host-based mapping policy:
## Microsoft Custom Elements
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top level query: Yes</p></td>
</tr>
</tbody>
</table>
|Element|Available|
|--- |--- |
|parm-query|Yes|
|nocharacteristic|Yes|
|characteristic-query|Yes<br> <br>Recursive query: Yes<br> <br>Top level query: Yes|
## Related topics

2
windows/client-management/mdm/cmpolicyenterprise-ddf-file.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 12/05/2017
---

2182
windows/client-management/mdm/configuration-service-provider-reference.md
View File

File diff suppressed because it is too large Load Diff

2
windows/client-management/mdm/customdeviceui-csp.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 06/26/2017
---

2
windows/client-management/mdm/customdeviceui-ddf.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 12/05/2017
---

21
windows/client-management/mdm/data-structures-windows-store-for-business.md
View File

@ -1,17 +1,17 @@
---
title: Data structures for Microsoft Store for Business
description: Learn about the various data structures for Microsoft Store for Business.
MS-HAID:
- 'p\_phdevicemgmt.business\_store\_data\_structures'
- 'p\_phDeviceMgmt.data\_structures\_windows\_store\_for\_business'
ms.assetid: ABE44EC8-CBE5-4775-BA8A-4564CB73531B
ms.reviewer:
manager: dansimp
description: Learn about data structures for Microsoft Store for Business.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 09/18/2017
---
@ -105,7 +105,7 @@ Specifies the properties of the alternate identifier.
|lastModified|dateTime|Specifies the last modified date for an application. Modifications for an application include updated product details, updates to an application, and updates to the quantity of an application.|
|licenseType|[LicenseType](#licensetype)|Indicates whether the set of seats for a given application supports online or offline licensing.|
|distributionPolicy|[InventoryDistributionPolicy](#inventorydistributionpolicy)||
|Status|[InventoryStatus](#inventorystatus)||
|status|[InventoryStatus](#inventorystatus)||
## InventoryResultSet
@ -191,20 +191,19 @@ Specifies the properties of the localized product.
|packageFamilyName|String||
|supportedPlatforms|Collection of [ProductPlatform](#productplatform)||
## ProductImage
Specifies the properties of the product image.
|Name|Type|Description|
|--- |--- |--- |
|Location|URI|Location of the download image.|
|Purpose|String|Tag for the purpose of the image, for example "screenshot" or "logo".|
|Height|String|Height of the image in pixels.|
|Width|String|Width of the image in pixels.|
|Caption|String|Unlimited length.|
|backgroundColor|String|Format "#RRGGBB"|
|foregroundColor|String|Format "#RRGGBB"|
|location|URI|Location of the download image.|
|purpose|string|Tag for the image, for example "screenshot" or "logo".|
|height|string|Height of the image in pixels.|
|width|string|Width of the image in pixels.|
|caption|string|Unlimited length.|
|backgroundColor|string|Format "#RRGGBB"|
|foregroundColor|string|Format "#RRGGBB"|
|fileSize|integer-64|Size of the file.|
## ProductKey

2
windows/client-management/mdm/defender-csp.md
View File

@ -625,7 +625,7 @@ This policy setting controls whether or not exclusions are visible to Local Admi
If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App and via PowerShell.
If you enable this setting, Local Admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app or via PowerShell.
> [!NOTE]
> Applying this setting will not remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**.

7
windows/client-management/mdm/defender-ddf.md
View File

@ -8,14 +8,14 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.localizationpriority: medium
ms.date: 07/23/2021
---
# Defender DDF file
This article shows the OMA DM device description framework (DDF) for the **Defender** configuration service provider. DDF files are used only with OMA DM provisioning XML.
This article shows the OMA DM device description framework (DDF) for the Defender configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -1007,5 +1007,4 @@ The XML below is the current version for this CSP.
## See also
[Defender configuration service provider](defender-csp.md)
[Defender configuration service provider](defender-csp.md)

8
windows/client-management/mdm/devdetail-csp.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 03/27/2020
---
@ -77,7 +77,7 @@ For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it r
Supported operation is Get.
<a href="" id="swv"></a>**SwV**
Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the client device. In the future, the build numbers may converge.
Supported operation is Get.
@ -114,6 +114,8 @@ Supported operation is Get.
This value is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length.
<!-- 12.15.2021 (mandia): Based on the description, I'm assuming this ID is specific to Windows 10 Mobile. Commented out as Windows 10 Mobile is past EoL.
<a href="" id="ext-microsoft-mobileid"></a>**Ext/Microsoft/MobileID**
Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that don't have a cellular network support.
@ -121,6 +123,8 @@ Supported operation is Get.
The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element.
-->
<a href="" id="ext-microsoft-radioswv"></a>**Ext/Microsoft/RadioSwV**
Required. Returns the radio stack software version number.

2
windows/client-management/mdm/devdetail-ddf-file.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 06/03/2020
---

2
windows/client-management/mdm/developersetup-csp.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 06/26/2018
---

2
windows/client-management/mdm/developersetup-ddf.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 12/05/2017
---

3
windows/client-management/mdm/device-update-management.md
View File

@ -9,8 +9,9 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 11/15/2017
ms.collection: highpri
---

2
windows/client-management/mdm/devicelock-csp.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 06/26/2017
---

2
windows/client-management/mdm/devicelock-ddf-file.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 06/26/2017
---

2
windows/client-management/mdm/devicemanageability-csp.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 11/01/2017
---

2
windows/client-management/mdm/devicemanageability-ddf.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 12/05/2017
---

10
windows/client-management/mdm/devicestatus-csp.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 06/25/2021
---
@ -246,10 +246,10 @@ Added in Windows, version 1607. Integer that specifies the status of the antisp
Valid values:
- 0 - The status of the security provider category is good and does not need user attention.
- 1 - The status of the security provider category is not monitored by Windows Security Center (WSC).
- 2 - The status of the security provider category is poor and the computer may be at risk.
- 3 - The security provider category is in snooze state. Snooze indicates that WSC is not actively protecting the computer.
- 0 - The status of the security provider category is good and does not need user attention.
- 1 - The status of the security provider category is not monitored by Windows Security.
- 2 - The status of the security provider category is poor and the computer may be at risk.
- 3 - The security provider category is in snooze state. Snooze indicates that the Windows Security Service is not actively protecting the computer.
Supported operation is Get.

2
windows/client-management/mdm/devicestatus-ddf.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 03/12/2018
---

2
windows/client-management/mdm/devinfo-csp.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 06/26/2017
---

2
windows/client-management/mdm/devinfo-ddf-file.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 12/05/2017
---

9
windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
View File

@ -8,8 +8,9 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 06/25/2018
ms.collection: highpri
---
# Diagnose MDM failures in Windows 10
@ -35,12 +36,12 @@ To help diagnose enrollment or device management issues in Windows 10 devices m
You can also collect the MDM Diagnostic Information logs using the following command:
```xml
mdmdiagnosticstool.exe -area DeviceEnrollment;DeviceProvisioning;Autopilot -cab c:\users\public\documents\MDMDiagReport.cab
mdmdiagnosticstool.exe -area DeviceEnrollment;DeviceProvisioning;Autopilot -zip c:\users\public\documents\MDMDiagReport.zip
```
- In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report.
### Understanding cab structure
The cab file will have logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning and Autopilot areas. It applies to the cab files collected via command line or Feedback Hub
### Understanding zip structure
The zip file will have logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning and Autopilot areas. It applies to the zip files collected via command line or Feedback Hub
- DiagnosticLogCSP_Collector_Autopilot_*: Autopilot etls
- DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider)

12
windows/client-management/mdm/diagnosticlog-csp.md
View File

@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.date: 11/19/2019
---
@ -246,7 +246,15 @@ la--- 1/4/2021 2:45 PM 1
la--- 1/4/2021 2:45 PM 2
la--- 12/2/2020 6:27 PM 2701 results.xml
```
Each data gathering directive from the original `Collection` XML corresponds to a folder in the output. For example, if the first directive was <RegistryKey HRESULT="0">HKLM\Software\Policies</RegistryKey> then folder `1` will contain the corresponding `export.reg` file.
Each data gathering directive from the original `Collection` XML corresponds to a folder in the output.
For example, the first directive was:
```xml
<Collection HRESULT="0">
<RegistryKey HRESULT="0">HKLM\Software\Policies</RegistryKey>
</Collection>
```
then folder `1` will contain the corresponding `export.reg` file.
The `results.xml` file is the authoritative map to the output. It includes a status code for each directive. The order of the directives in the file corresponds to the order of the output folders. Using `results.xml` the administrator can see what data was gathered, what failures may have occurred, and which folders contain which output. For example, the following `results.xml` content indicates that registry export of HKLM\Software\Policies was successful and the data can be found in folder `1`. It also indicates that `netsh.exe wlan show profiles` command failed.

Some files were not shown because too many files have changed in this diff Show More