Merge remote-tracking branch 'refs/remotes/origin/rs3' into jd3sb

jdeckerMS 2017-09-21 12:14:59 -07:00
commit 2a87cb588b
227 changed files with 2372 additions and 829 deletions

View File

@ -23,7 +23,7 @@ Microsoft Edge is the new, default web browser for Windows 10, helping you to e
Microsoft Edge lets you stay up-to-date through the Windows Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools.
>[!Note]
>For more info about the potential impact of using Microsoft Edge in a large organization, you can download an infographic from here: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892).
>For more info about the potential impact of using Microsoft Edge in a large organization, you can download an infographic from here: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=55956). For a detailed report that provides you with a framework to evaluate the potential financial impact of adopting Microsoft Edge within your organization, you can download the full study here: [Total Economic Impact of Microsoft Edge: Forrester Study](https://www.microsoft.com/download/details.aspx?id=55847).
>Also, if you've arrived here looking for Internet Explorer 11 content, you'll need to go to the [Internet Explorer 11 (IE11)](https://docs.microsoft.com/en-us/internet-explorer/) area.
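Review bot: The Internet Explorer 11 link on the last line of this note still hard-codes the `en-us` locale (`https://docs.microsoft.com/en-us/internet-explorer/`), while the download links changed just above it drop the locale segment. Consider removing `en-us` there as well so the link follows the reader's locale, consistent with the rest of the note.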
@ -59,7 +59,9 @@ You'll need to keep running them using IE11. If you don't have IE11 installed an
## Related topics
- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=55956)
- [Total Economic Impact of Microsoft Edge: Forrester Study](https://www.microsoft.com/download/details.aspx?id=55847)
- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956)

View File

@ -21,7 +21,7 @@ Microsoft Edge works with Group Policy and Microsoft Intune to help you manage y
By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain.
> [!NOTE]
> For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924).
> For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924).
## Group Policy settings
Microsoft Edge works with these Group Policy settings (`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\`) to help you manage your company's web browser configurations:
@ -1027,5 +1027,4 @@ These are additional Windows 10-specific MDM policy settings that work with Mic
- **1 (default).** Employees can sync between PCs.
## Related topics
* [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514)
* [Mobile Device Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885)
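Review bot: The Mobile Device Management (MDM) settings entry in this Related topics list has a space between `](` and the URL (`]( https://go.microsoft.com/fwlink/p/?LinkId=722885)`), which some Markdown renderers will not treat as a link. Since this list is being edited anyway, drop the space.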

View File

@ -12,6 +12,11 @@ This topic lists new and updated topics in the Microsoft Edge documentation for
For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/microsoft-edge/platform/changelog/).
## September 2017
|New or changed topic | Description |
|---------------------|-------------|
|[Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros](microsoft-edge-faq.md) | New |
## February 2017
|New or changed topic | Description |
|----------------------|-------------|

View File

@ -7,6 +7,7 @@ ms.prod: edge
ms.mktglfcycl: general
ms.sitesec: library
ms.localizationpriority: high
ms.date: 09/07/2017
---
# Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros

View File

@ -40,3 +40,6 @@ Learn about managing and updating Surface Hub.
| [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) | You can use Miracast on your wireless network or LAN to connect to Surface Hub. |
| [Using a room control system]( https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.|
## Related topics
- [View Power BI presentation mode on Surface Hub & Windows 10](https://powerbi.microsoft.com/documentation/powerbi-mobile-win10-app-presentation-mode/)

View File

@ -1,6 +1,6 @@
---
title: Deploy Surface app with Microsoft Store for Business or Microsoft Store for Education (Surface)
description: Find out how to add and download Surface app with Windows Store for Business or Microsoft Store for Education, as well as install Surface app with PowerShell and MDT.
description: Find out how to add and download Surface app with Microsoft Store for Business or Microsoft Store for Education, as well as install Surface app with PowerShell and MDT.
keywords: surface app, app, deployment, customize
ms.prod: w10
ms.mktglfcycl: deploy
@ -31,7 +31,7 @@ The Surface app is a lightweight Windows Store app that provides control of many
* Quick access to support documentation and information for your device
If your organization is preparing images that will be deployed to your Surface devices, you may want to include the Surface app (formerly called the Surface Hub) in your imaging and deployment process instead of requiring users of each individual device to download and install the app from the Windows Store or your Windows Store for Business.
If your organization is preparing images that will be deployed to your Surface devices, you may want to include the Surface app (formerly called the Surface Hub) in your imaging and deployment process instead of requiring users of each individual device to download and install the app from the Windows Store or your Microsoft Store for Business.
##Surface app overview
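Review bot: The rename is only half applied in the reworded sentence, which now reads "from the Windows Store or your Microsoft Store for Business", and the hunk's context still calls the Surface app a "Windows Store app". Decide whether the consumer store keeps the Windows Store name in this article and make the wording consistent, so readers do not take the two names for unrelated products.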
@ -45,11 +45,11 @@ Before users can install or deploy an app from a companys Microsoft Store for
2. Log on to the portal.
3. Enable offline licensing: click **Manage->Store settings**, and then select the **Show offline licensed apps to people shopping in the store** checkbox, as shown in Figure 1. For more information about Microsoft Store for Business app licensing models, see [Apps in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing_model).<br/> <br/>
3. Enable offline licensing: click **Manage->Store settings**, and then select the **Show offline licensed apps to people shopping in the store** checkbox, as shown in Figure 1. For more information about Microsoft Store for Business app licensing models, see [Apps in Microsoft Store for Business](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing_model).<br/> <br/>
![Show offline licenses apps checkbox](images/deploysurfapp-figure1-enablingapps.png "Show offline licenses apps checkbox")<br/>
*Figure 1. Enable apps for offline use*
4. Add Surface app to your Micrososft Store for Business account by following this procedure:
4. Add Surface app to your Microsoft Store for Business account by following this procedure:
* Click the **Shop** menu.
* In the search box, type **Surface app**, and then click the search icon.
* After the Surface app is presented in the search results, click the apps icon.
@ -68,9 +68,9 @@ Before users can install or deploy an app from a companys Microsoft Store for
* Click **OK**.
##Download Surface app from a Microsoft Store for Business account
After you add an app to the Windows Store for Business account in Offline mode, you can download and add the app as an AppxBundle to a deployment share.
After you add an app to the Microsoft Store for Business account in Offline mode, you can download and add the app as an AppxBundle to a deployment share.
1. Log on to the Microsoft Store for Business account at https://businessstore.microsoft.com.
2. Click **Manage->Apps & software**. A list of all of your companys apps is displayed, including the Surface app you added in the [Add Surface app to a Windows Store for Business account](#add-surface-app-to-a-windows-store-for-business-account) section of this article.
2. Click **Manage->Apps & software**. A list of all of your companys apps is displayed, including the Surface app you added in the [Add Surface app to a Microsoft Store for Business account](#add-surface-app-to-a-microsoft-store-for-business-account) section of this article.
3. Under **Actions**, click the ellipsis (**…**), and then click **Download for offline use** for the Surface app.
4. Select the desired **Platform** and **Architecture** options from the available selections for the selected app, as shown in Figure 4.
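Review bot: The new anchor in step 2, `#add-surface-app-to-a-microsoft-store-for-business-account`, only resolves if the target heading was renamed the same way, and that heading is not among the lines shown in this diff; please confirm it. The heading in this hunk is also written `##Download Surface app from a Microsoft Store for Business account` with no space after `##`, which CommonMark does not parse as a heading, so anchors pointing at it may not be generated. Add the space.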
@ -78,7 +78,7 @@ After you add an app to the Windows Store for Business account in Offline mode,
*Figure 4. Download the AppxBundle package for an app*
5. Click **Download**. The AppxBundle package will be downloaded. Make sure you note the path of the downloaded file because youll need that later in this article.
6. Click either the **Encoded license** or **Unencoded license** option. Use the Encoded license option with management tools like System Center Configuration Manager or when you use Windows Imaging and Configuration Designer (Windows ICD). Select the Unencoded license option when you use Deployment Image Servicing and Management (DISM) or deployment solutions based on imaging, including the Microsoft Deployment Toolkit (MDT).
6. Click either the **Encoded license** or **Unencoded license** option. Use the Encoded license option with management tools like System Center Configuration Manager or when you use Windows Configuration Designer to create a provisioning package. Select the Unencoded license option when you use Deployment Image Servicing and Management (DISM) or deployment solutions based on imaging, including the Microsoft Deployment Toolkit (MDT).
7. Click **Generate** to generate and download the license for the app. Make sure you note the path of the license file because youll need that later in this article.
>[!NOTE]
@ -102,9 +102,12 @@ To download the required frameworks for the Surface app, follow these steps:
##Install Surface app on your computer with PowerShell
The following procedure provisions the Surface app onto your computer and makes it available for any user accounts created on the computer afterwards.
1. Using the procedure described in the [How to download Surface app from a Windows Store for Business account](#download-surface-app-from-a-windows-store-for-business-account) section of this article, download the Surface app AppxBundle and license file.
1. Using the procedure described in the [How to download Surface app from a Microsoft Store for Business account](#download-surface-app-from-a-microsoft-store-for-business-account) section of this article, download the Surface app AppxBundle and license file.
2. Begin an elevated PowerShell session.
>**Note:**&nbsp;&nbsp;If you dont run PowerShell as an Administrator, the session wont have the required permissions to install the app.
>[!NOTE]
>If you dont run PowerShell as an Administrator, the session wont have the required permissions to install the app.
3. In the elevated PowerShell session, copy and paste the following command:
```
Add-AppxProvisionedPackage Online PackagePath <DownloadPath>\ Microsoft.SurfaceHub_10.0.342.0_neutral_~_8wekyb3d8bbwe.AppxBundle LicensePath <DownloadPath>\ Microsoft.SurfaceHub_8wekyb3d8bbwe_a53ef8ab-9dbd-dec1-46c5-7b664d4dd003.xml
@ -118,7 +121,9 @@ The following procedure provisions the Surface app onto your computer and makes
```
4. The Surface app will now be available on your current Windows computer.
Before the Surface app is functional on the computer where it has been provisioned, you must also provision the frameworks described earlier in this article. To provision these frameworks, use the following procedure in the elevated PowerShell session you used to provision the Surface app.
5. In the elevated PowerShell session, copy and paste the following command:
```
Add-AppxProvisionedPackage Online SkipLicense PackagePath <DownloadPath>\Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe.Appx
@ -130,7 +135,7 @@ Before the Surface app is functional on the computer where it has been provision
##Install Surface app with MDT
The following procedure uses MDT to automate installation of the Surface app at the time of deployment. The application is provisioned automatically by MDT during deployment and thus you can use this process with existing images. This is the recommended process to deploy the Surface app as part of a Windows deployment to Surface devices because it does not reduce the cross platform compatibility of the Windows image.
1. Using the procedure described [earlier in this article](#download-surface-app-from-a-windows-store-for-business-account), download the Surface app AppxBundle and license file.
1. Using the procedure described [earlier in this article](#download-surface-app-from-a-microsoft-store-for-business-account), download the Surface app AppxBundle and license file.
2. Using the New Application Wizard in the MDT Deployment Workbench, import the downloaded files as a new **Application with source files**.
3. On the **Command Details** page of the New Application Wizard, specify the default **Working Directory** and for the **Command** specify the file name of the AppxBundle, as follows:

View File

@ -15,6 +15,12 @@ ms.date: 08/01/2017
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
## September 2017
| New or changed topic | Description |
| --- | ---- |
| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Updated the prerequisites to provide more clarification. |
## August 2017
| New or changed topic | Description |
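Review bot: The front matter still carries `ms.date: 08/01/2017` (visible in the hunk header) although this change adds a September 2017 section; other files in this commit bump `ms.date` together with their content, so update it here as well. The new link text `[Use the Set up School PCs app ]` also has a trailing space before the closing bracket.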

View File

@ -9,7 +9,7 @@ ms.pagetype: edu
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
ms.date: 08/01/2017
ms.date: 09/18/2017
---
# Use the Set up School PCs app
@ -103,7 +103,10 @@ You can watch the descriptive audio version here: [Microsoft Education: Use the
- [Download the latest Set up School PCs app from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4ls40).
- Install the app on your work PC and make sure you're connected to your school's network.
- You must be an administrator on Office 365 and Azure Active Directory, and have Microsoft Store for Education configured. It's best if you sign up for and configure Intune for Education before using the Set up School PCs app.
- You must have Office 365 and Azure Active Directory.
- You must have the Microsoft Store for Education configured.
- You must be a global admin, store admin, or purchaser in the Microsoft Store for Education.
- It's best if you sign up for and [configure Intune for Education](../get-started/use-intune-for-education.md) before using the Set up School PCs app.
- Have a USB drive, 1 GB or larger, to save the provisioning package. We recommend an 8 GB or larger USB drive if you're installing Office.
## Set up School PCs step-by-step
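Review bot: The split prerequisites no longer say what rights are needed on Office 365 and Azure Active Directory: the old bullet required being "an administrator on Office 365 and Azure Active Directory", while the new one only says "You must have Office 365 and Azure Active Directory". State explicitly whether an admin role in the tenant is still required or whether the Microsoft Store for Education roles (global admin, store admin, or purchaser) are sufficient, so schools can assign the least-privileged account that works.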

View File

@ -7,21 +7,21 @@ ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.author: TrudyHa
ms.date: 07/05/2107
ms.date: 09/12/2017
ms.localizationpriority: high
---
# Manage Windows device deployment with Windows AutoPilot Deployment
**Applies to**
- Windows 10
> [!IMPORTANT]
> This topic has been updated to reflect the latest functionality, which we are releasing to customers in stages. You may not see all of the options described here until you receive the update.
Windows AutoPilot Deployment Program simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows AutoPilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot).
Watch this video to learn more about Windows AutoPilot in Micrsoft Store for Business.
<iframe width="560" height="315" src="https://www.youtube.com/embed/IpLIZU_j7Z0" frameborder="0" allowfullscreen></iframe>
## What is Windows AutoPilot Deployment Program?
In Microsoft Store for Business, you can manage devices for your organization and apply an *AutoPilot deployment profile* to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device.
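Review bot: "Micrsoft Store for Business" in the sentence introducing the video is misspelled. Fix it in this pass, since the same change already corrects the `ms.date` year typo (`07/05/2107`).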
@ -54,9 +54,13 @@ To manage devices through Microsoft Store for Business and Education, you'll nee
### Device information file format
Columns in the device information file need to use this naming and be in this order:
- Column 1: Device Serial Number
- Column 2: Windows Product ID
- Column 3: Hardware Hash
- Column A: Device Serial Number
- Column B: Windows Product ID
- Column C: Hardware Hash
Here's a sample device information file:
![Notepad file showing example entries for Column A (Device Serial Number), Column B (Windows Product ID), and Column C (Hardware Hash).](images/msfb-autopilot-csv.png)
When you add devices, you need to add them to an *AutoPilot deployment group*. Use these groups to apply AutoPilot deployment profiles to a group of devices. The first time you add devices to a group, you'll need to create an AutoPilot deployment group.
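Review bot: The column labels changed from 1/2/3 to A/B/C and the only sample is a screenshot (`images/msfb-autopilot-csv.png`), yet the text says the columns "need to use this naming and be in this order". Add the exact header row as text so admins can copy it rather than retype it from an image, and say whether A/B/C are spreadsheet column letters or part of the expected file content.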

View File

@ -2,6 +2,6 @@
tocHref: /
topicHref: /
items:
- name: Windows Store for Business
- name: Microsoft Store for Business
tocHref: /microsoft-store
topicHref: /microsoft-store/index

Binary file not shown.

Before: 9.1 KiB. After: 7.9 KiB.

Binary file not shown.

After: 8.3 KiB.

View File

@ -160,9 +160,9 @@ If your organization does not have cloud resources, write **On-Premises** in box
Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers.
One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end enetity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust).
One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust).
Because the certificate trust tyoes issues certificates, there is more configuration and infrastrucutre needed to accomodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificatat-trust deployements includes a certificate registration authority. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accomodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployements includes a certificate registration authority. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**.
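Review bot: The spelling pass on the certificate-trust paragraph is incomplete: the new line still has "accomodate" and "deployements", and "the certificate trust types issues certificates" should read "the certificate trust type issues certificates".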

View File

@ -1,7 +1,6 @@
---
title: Windows Defender Firewall with Advanced Security Design Guide (Windows 10)
description: Windows Defender Firewall with Advanced Security
Design Guide
description: Windows Defender Firewall with Advanced Security Design Guide
ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51
ms.prod: w10
ms.mktglfcycl: deploy

View File

@ -100,6 +100,7 @@
#### [Viewing App-V Server Publishing Metadata](app-v/appv-viewing-appv-server-publishing-metadata.md)
#### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md)
## [Service Host process refactoring](svchost-service-refactoring.md)
## [Per User services in Windows](per-user-services-in-windows.md)
## [Per-user services in Windows](per-user-services-in-windows.md)
## [Understand apps in Windows 10](apps-in-windows-10.md)
## [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md)
## [Change history for Application management](change-history-for-application-management.md)

View File

@ -0,0 +1,153 @@
---
title: Windows 10 - Apps
description: What are Windows, UWP, and Win32 apps
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: mobile
ms.author: elizapo
author: lizap
ms.localizationpriority: low
ms.date: 09/15/2017
---
# Understand the different apps included in Windows 10
The following types of apps run on Windows 10:
- Windows apps - introduced in Windows 8, primarily installed from the Store app.
- Universal Windows Platform (UWP) apps - designed to work across platforms, can be installed on multiple platforms including Windows client, Windows Phone, and Xbox. All UWP apps are also Windows apps, but not all Windows apps are UWP apps.
- "Win32" apps - traditional Windows applications, built for 32-bit systems.
Digging into the Windows apps, there are two categories:
- System apps - Apps that are installed in the c:\Windows\* directory. These apps are integral to the OS.
- Apps - All other apps, installed in c:\Program Files\WindowsApps. There are two classes of apps:
- Provisioned: Installed the first time you sign into Windows. You'll see a tile or Start menu item for these apps, but they aren't installed until the first sign-in.
- Installed: Installed as part of the OS.
The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1511, 1607, and 1703, and indicate whether an app can be uninstalled through the UI.
Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running.
> [!TIP]
> Want to see a list of the apps installed on your specific image? You can run the following PowerShell cmdlet:
> ```powershell
> Get-AppxPackage |Select Name,PackageFamilyName
> Get-AppsProvisionedPackage -Online | select DisplayName,PackageName
> ```
## System apps
System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1511, 1607, and 1703.
| Name | Full name | 1511 | 1607 | 1703 | Uninstall through UI? |
|------------------|-------------------------------------------|------|------|------|--------------------------------------------------------|
| Cortana UI | CortanaListenUIApp | | | x | No |
| | Desktop Learning | | | x | No |
| | DesktopView | | | x | No |
| | EnvironmentsApp | | | x | No |
| Mixed Reality + | HoloCamera | | | x | No |
| Mixed Reality + | HoloItemPlayerApp | | | x | No |
| Mixed Reality + | HoloShell | | | x | No |
| | Microsoft.AAD.Broker.Plugin | x | x | x | No |
| | Microsoft.AccountsControl | x | x | x | No |
| Hello setup UI | Microsoft.BioEnrollment | x | x | x | No |
| | Microsoft.CredDialogHost | | | x | No |
| | Microsoft.LockApp | x | x | x | No |
| Microsoft Edge | Microsoft.Microsoft.Edge | x | x | x | No |
| | Microsoft.PPIProjection | | x | x | No |
| | Microsoft.Windows. Apprep.ChxApp | | x | x | No |
| | Microsoft.Windows. AssignedAccessLockApp | x | x | x | No |
| | Microsoft.Windows. CloudExperienceHost | x | x | x | No |
| | Microsoft.Windows. ContentDeliveryManager | x | x | x | No |
| Cortana | Microsoft.Windows.Cortana | x | x | x | No |
| | Microsoft.Windows. Holographic.FirstRun | | | x | No |
| | Microsoft.Windows. ModalSharePickerHost | | | x | No |
| | Microsoft.Windows. OOBENetworkCaptivePort | | | x | No |
| | Microsoft.Windows. OOBENetworkConnection | | | x | No |
| | Microsoft.Windows. ParentalControls | x | x | x | No |
| | Microsoft.Windows. SecHealthUI | | | x | No |
| | Microsoft.Windows. SecondaryTileExperience | x | x | x | No |
| | Microsoft.Windows. SecureAssessmentBrowser | | x | x | No |
| Start | Microsoft.Windows. ShellExperienceHost | x | x | x | No |
| Windows Feedback | Microsoft.WindowsFeedback | x | * | * | No |
| | Microsoft.XboxGameCallableUI | x | x | x | No |
| Xbox logon UI | Microsoft.XboxIdentityProvider | x | | | No |
| Contact Support | Windows.ContactSupport | x | x* | x* | In 1511, no.* |
| | Windows.Devicesflow | x | | | No |
| Settings | Windows.ImmersiveControlPanel | x | x | x | No |
| Connect | Windows.MiracastView | x | x | x | No |
| Print UI | Windows.PrintDialog | x | x | x | No |
| Purchase UI | Windows.PurchaseDialog | x | | | No |
> [!NOTE]
> - The Windows Feedback app changed to the Windows Feedback Hub in version 1607. It's listed in the installed apps table below.
> - As of Windows 10 version 1607, you can use the Optional Features app to uninstall the Contact Support app.
## Installed Windows apps
Here are the typical installed Windows apps in Windows 10 versions 1511, 1607, and 1703.
| Name | Full name | 1511 | 1607 | 1703 | Uninstall through UI? |
|--------------------|-----------------------------------------|------|------|------|---------------------------|
| Remote Desktop | Microsoft.RemoteDesktop | | x | x | Yes |
| PowerBI | Microsoft.Microsoft PowerBIforWindows | | x | x | Yes |
| Candy Crush | king.com.CandyCrushSodaSaga | x | | | Yes |
| Code Writer | ActiproSoftwareLLC.562882FEEB491 | | x | x | Yes |
| Eclipse Manager | 46928bounde.EclipseManager | | x | x | Yes |
| Pandora | PandoraMediaInc.29680B314EFC2 | | x | x | Yes |
| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | | x | x | Yes |
| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | | | x | Yes |
| Network Speed Test | Microsoft.NetworkSpeedTest | | x | x | Yes |
| Paid Wi-FI | | x | | | Yes |
| Skype Video | | x | | | Yes |
| Twitter | | x | | | Yes |
| PicArts | | x | | | Yes |
| Minecraft | | x | | | Yes |
| Flipboard | | x | | | Yes |
## Provisioned Windows apps
Here are the typical provisioned Windows apps in Windows 10 versions 1511, 1607, and 1703.
| Name | Full name | 1511 | 1607 | 1703 | Uninstall through UI? |
|---------------------------------|----------------------------------------|------|------|------|---------------------------|
| 3D Builder | Microsoft.3DBuilder | x | | x | Yes |
| App Connector | Microsoft.Appconnector | x | | | Yes, through Settings app |
| Money | Microsoft.BingFinance | x | | | Yes |
| News | Microsoft.BingNews | x | * | * | Yes |
| Sports | Microsoft.BingSports | x | | | Yes |
| Weather | Microsoft.BingWeather | x | x | x | No |
| Phone Companion | Microsoft.CommsPhone | x | | | Yes |
| | Microsoft.ConnectivityStore | x | | | No |
| | Microsoft.DesktopAppInstaller | | x | x | Yes, through Settings app |
| Get Started/Tips | Microsoft.Getstarted | x | x | x | Yes |
| Messaging | Microsoft.Messaging | x | x | x | No |
| Microsoft 3D Viewer | Microsoft.Microsoft3DViewer | | | x | No |
| Get Office | Microsoft.MicrosoftOfficeHub | x | x | x | Yes |
| Solitaire | Microsoft.Microsoft SolitaireCollection | x | x | x | Yes |
| Sticky Notes | Microsoft.MicrosoftStickyNotes | | x | x | No |
| OneNote | Microsoft.Office.OneNote | x | x | x | No |
| Sway | Microsoft.Office.Sway | x | * | * | Yes |
| | Microsoft.OneConnect | | x | x | No |
| Paint 3D | Microsoft.MSPaint | | | x | No |
| People | Microsoft.People | x | x | x | No |
| Get Skype/Skype (preview)/Skype | Microsoft.SkypeApp | x | x | x | Yes |
| | Microsoft.StorePurchaseApp | | x | x | No |
| | Microsoft.Wallet | | | x | No |
| Photos | Microsoft.Windows.Photos | x | x | x | No |
| Alarms & Clock | Microsoft.WindowsAlarms | x | x | x | No |
| Calculator | Microsoft.WindowsCalculator | x | x | x | No |
| Camera | Microsoft.WindowsCamera | x | x | x | No |
| Mail and Calendar | Microsoft.windows communicationsapps | x | x | x | No |
| Feedback Hub | Microsoft.WindowsFeedbackHub | * | x | x | Yes |
| Maps | Microsoft.WindowsMaps | x | x | x | No |
| Phone | Microsoft.WindowsPhone | x | | | No |
| Voice Recorder | Microsoft.SoundRecorder | x | x | x | No |
| Store | Microsoft.WindowsStore | x | x | x | No |
| Xbox | Microsoft.XboxApp | x | x | x | No |
| | Microsoft.XboxGameOverlay | | | x | No |
| | Microsoft.XboxIdentityProvider | * | x | x | No |
| Groove | Microsoft.ZuneMusic | x | x | x | No |
| Movies & TV | Microsoft.ZuneVideo | x | x | x | No |
| | Microsoft.XboxSpeech ToTextOverlay | | | x | No |
> [!NOTE]
> - As of Windows 10, version 1607, News and Sway are installed apps.
> - Both Feedback Hub and Microsoft.XboxIdentityProvider were installed apps in version 1511 and provisioned apps in versions 1607 and later.
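Review bot: In the TIP block, `Get-AppsProvisionedPackage -Online` is not a cmdlet name; the DISM cmdlet is `Get-AppxProvisionedPackage`, so the second command fails as written. In the tables, several Full name values contain spaces that look like wrapping aids (for example `Microsoft.Windows. SecHealthUI` and `Microsoft.Microsoft PowerBIforWindows`) and will not match `Get-AppxPackage` output when searched or copied, and `Microsoft.Microsoft.Edge` looks like a typo for the Edge package name; please verify these against a reference image. The description of Win32 apps as "built for 32-bit systems" is also misleading, since Win32 is the API name and such apps are built for 64-bit Windows too.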

View File

@ -8,12 +8,19 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jdeckerms
ms.date: 09/15/2017
---
# Change history for Configure Windows 10
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
## September 2017
| New or changed topic | Description |
| --- | --- |
| [Per-user services in Windows 10](per-user-services-in-windows.md) | New |
| [Understand the different apps included in Windows 10](apps-in-windows-10.md) | New |
## July 2017
| New or changed topic | Description |
| --- | --- |

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: medium
ms.date: 09/15/2017
---
# Windows 10 application management
@ -20,5 +21,7 @@ Learn about managing applications in Windows 10 and Windows 10 Mobile clients.
|---|---|
|[App-V](app-v/appv-getting-started.md)| Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications|
|[Sideload apps in Windows 10](sideload-apps-in-windows-10.md)| Requirements and instructions for side-loading LOB applications on Windows 10 and Windows 10 Mobile clients|
|[Per User services in Windows 10](sideload-apps-in-windows-10.md)| Overview of per user services and instructions for viewing and disabling them in Windows 10 and Windows 2016|
|[Understand apps in Windows 10](apps-in-windows-10.md)| Overview of the different apps included by default in Windows 10 Enterprise|
| [Service Host process refactoring](svchost-service-refactoring.md) | Changes to Service Host grouping in Windows 10 |
| [Deploy app updgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | How to upgrade apps on Windows 10 Mobile |
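Review bot: The new "Per User services in Windows 10" row links to `sideload-apps-in-windows-10.md`, the same target as the Sideload row above it, so the entry never reaches the per-user services topic. Point it at the per-user services file (the Configure change history in this commit links it as `per-user-services-in-windows.md`). While in this table, change "Windows 2016" to "Windows Server 2016", use the "Per-user" spelling from the topic title, and fix "updgrades" in the last row.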

Binary file not shown.

View File

@ -1,5 +1,5 @@
---
title: Per-user services in Windows 10 and Windows Server 2016
title: Per-user services in Windows 10 and Windows Server
description: Learn about per-user services introduced in Windows 10.
ms.prod: w10
ms.mktglfcycl: deploy
@ -7,32 +7,29 @@ ms.sitesec: library
ms.pagetype: mobile
ms.author: elizapo
author: lizap
ms.date: 08/14/2017
ms.date: 09/13/2017
---
# Per-user services in Windows 10 and Windows Server 2016
# Per-user services in Windows 10 and Windows Server
> Applies to: Windows 10, Windows Server
Per-user services are services that are created when a user signs into Windows or Windows Server and are stopped and deleted when that user signs out. These services run in the security context of the user account - this provides better resource management than the previous approach of running these kinds of services in Explorer, associated with a preconfigured account, or as tasks.
> [!NOTE]
> Per-user services are only in available in Windows Server if you have installed the Desktop Experience. If you are running a Server Core or Nano Server installation, you won't see these services.
Beginning with Windows 10, version 1709 and Windows Server, version 1709, there are two ways to prevent per-user services from being created:
You can set the template service's **Startup Type** to **Disabled** to create per-user services in a stopped and disabled state.
- Configure the template service to create them in a stopped and disabled state. You do this by setting the template service's **Startup Type** to **Disabled**.
> [!IMPORTANT]
> If you change the template service's Startup Type, make sure you carefully test that change prior to rolling it out in your production environment.
- Create a new Registry entry named UserServiceFlags under the service configuration in the registry as a DWORD (32 bit) value set to 0, as shown in the following example:
![UserServiceFlags registry entry](media/user-service-flag.png)
> [!IMPORTANT]
> Carefully test any changes to the template service's Startup Type before deploying to a production environment.
Use the following information to understand per-user services, change the template service Startup Type, and manage per-user services through Group Policy and security templates.
For more information about disabling system services for Windows Server, see [Guidance on disabling system services on Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server).
## Per-user services
Windows 10 and Windows Server 2016 (with the Desktop Experience) have the following per-user services. The template services are located in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
Windows 10 and Windows Server (with the Desktop Experience) have the following per-user services. The template services are located in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
Before you disable any of these services, review the **Description** column in this table to understand the implications, including dependent apps that will no longer work correctly.
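Review bot: The UserServiceFlags bullet says only "under the service configuration in the registry" and leaves the actual location to the screenshot. Name the key in text, for example the template service's key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services that the "Per-user services" paragraph mentions, so the step still works without the image and can be searched and scripted. The NOTE also reads "are only in available in Windows Server", which should be "are only available in".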
@ -134,13 +131,17 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE
### Managing Template Services with regedit.exe
If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the Template Services change the Startup Type for each service to 4 (disabled), as shown in the following example:
If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the template services, change the Startup Type for each service to 4 (disabled):
![Using Regedit to change servive Starup Type](media/regedit-change-service-startup-type.png)
> [!CAUTION]
> We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution.
Beginning with Windows 10, version 1709 and Windows Server, version 1709, you can prevent the per-user service from being created by setting **UserServiceFlags** to 0 under the same service configuration in the registry:
![Create per-user services in disabled state](media/user-service-flag.png)
### Manage template services by modifying the Windows image
If you're using custom images to deploy Windows, you can modify the Startup Type for the template services as part of the normal imaging process.
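Review bot: The alt text on the regedit screenshot is misspelled: "Using Regedit to change servive Starup Type" should read "service Startup Type", and alt text is what screen readers and search engines see. The UserServiceFlags paragraph sits below the CAUTION about editing the registry directly; moving it above the callout, next to the Startup Type step it extends, keeps both registry edits under the same warning. The headings in this hunk also mix "Managing Template Services" with "Manage template services"; pick one form.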

View File

@ -16,6 +16,11 @@ ms.date: 06/13/2017
This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.
## RELEASE: Windows 10, version 1709
The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update).
## July 2017
| New or changed topic | Description |
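Review bot: The front-matter date is not updated: the hunk header still shows `ms.date: 06/13/2017`, and no other hunk for this file touches it, while this hunk adds the Windows 10, version 1709 release section. The other topics in this commit bump ms.date when their content changes, so update it here too.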

View File

@ -17,9 +17,9 @@
## [Enterprise app management](enterprise-app-management.md)
## [Device update management](device-update-management.md)
## [Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md)
## [Management tool for the Windows Store for Business](management-tool-for-windows-store-for-business.md)
### [REST API reference for Windows Store for Business](rest-api-reference-windows-store-for-business.md)
#### [Data structures for Windows Store for Business](data-structures-windows-store-for-business.md)
## [Management tool for the Micosoft Store for Business](management-tool-for-windows-store-for-business.md)
### [REST API reference for Micosoft Store for Business](rest-api-reference-windows-store-for-business.md)
#### [Data structures for Micosoft Store for Business](data-structures-windows-store-for-business.md)
#### [Get Inventory](get-inventory.md)
#### [Get product details](get-product-details.md)
#### [Get localized product details](get-localized-product-details.md)
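Review bot: All three renamed TOC entries spell the product "Micosoft Store for Business" (missing "r"). These strings become the navigation labels, so correct them to "Microsoft Store for Business" before merging. The link targets keep the `...-windows-store-for-business.md` file names, which is fine as long as the files themselves are not renamed in this change.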
@ -202,6 +202,7 @@
#### [Experience](policy-csp-experience.md)
#### [ExploitGuard](policy-csp-exploitguard.md)
#### [Games](policy-csp-games.md)
#### [Handwriting](policy-csp-handwriting.md)
#### [InternetExplorer](policy-csp-internetexplorer.md)
#### [Kerberos](policy-csp-kerberos.md)
#### [Licensing](policy-csp-licensing.md)

View File

@ -266,9 +266,9 @@ FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corp
You can get the publisher name and product name of apps using a web API.
**To find publisher and product name for Microsoft apps in Windows Store for Business**
**To find publisher and product name for Microsoft apps in Microsoft Store for Business**
1. Go to the Windows Store for Business website, and find your app. For example, Microsoft OneNote.
1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https:<span><\span>//www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**.
3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values.
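Review bot: Step 2 still contains `https:<span><\span>//www.microsoft.com/store/apps/onenote/9wzdncrfhvjl`, where `<\span>` uses a backslash and is not a valid closing tag. Since this hunk already edits the steps around it, replace the span trick with a code-formatted URL or a correct `<span></span>` pair so the address renders cleanly.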

View File

@ -1,6 +1,6 @@
---
title: Assign seat
description: The Assign seat operation assigns seat for a specified user in the Windows Store for Business.
description: The Assign seat operation assigns seat for a specified user in the Microsoft Store for Business.
ms.assetid: B42BF490-35C9-405C-B5D6-0D9F0E377552
ms.author: maricia
ms.topic: article
@ -12,7 +12,7 @@ ms.date: 06/19/2017
# Assign seat
The **Assign seat** operation assigns seat for a specified user in the Windows Store for Business.
The **Assign seat** operation assigns seat for a specified user in the Microsoft Store for Business.
## Request

View File

@ -1,6 +1,6 @@
---
title: Bulk assign and reclaim seats from users
description: The Bulk assign and reclaim seats from users operation returns reclaimed or assigned seats in the Windows Store for Business.
description: The Bulk assign and reclaim seats from users operation returns reclaimed or assigned seats in the Microsoft Store for Business.
ms.assetid: 99E2F37D-1FF3-4511-8969-19571656780A
ms.author: maricia
ms.topic: article
@ -12,7 +12,7 @@ ms.date: 06/19/2017
# Bulk assign and reclaim seats from users
The **Bulk assign and reclaim seats from users** operation returns reclaimed or assigned seats in the Windows Store for Business.
The **Bulk assign and reclaim seats from users** operation returns reclaimed or assigned seats in the Microsoft Store for Business.
## Request

View File

@ -1,5 +1,5 @@
---
title: Data structures for Windows Store for Business
title: Data structures for Microsoft Store for Business
MS-HAID:
- 'p\_phdevicemgmt.business\_store\_data\_structures'
- 'p\_phDeviceMgmt.data\_structures\_windows\_store\_for\_business'
@ -13,10 +13,10 @@ author: nickbrower
ms.date: 06/19/2017
---
# Data structures for Windows Store for Business
# Data structures for Microsoft Store for Business
Here's the list of data structures used in the Windows Store for Business REST APIs:
Here's the list of data structures used in the Microsoft Store for Business REST APIs:
- [AlternateIdentifier](#alternateidentifier)
- [BulkSeatOperationResultSet](#bulkseatoperationresultset)

View File

@ -18,7 +18,7 @@ This topic covers one of the key mobile device management (MDM) features in Wind
Windows 10 offers the ability for management servers to:
- Install apps directly from the Windows Store for Business
- Install apps directly from the Microsoft Store for Business
- Deploy offline Store apps and licenses
- Deploy line-of-business (LOB) apps (non-Store apps)
- Inventory all apps for a user (Store and non-Store apps)

View File

@ -68,7 +68,7 @@ The following image shows the EnterpriseModernAppManagement configuration servic
- PackageDetails - returns all inventory attributes of the package. This includes all information from PackageNames parameter, but does not validate RequiresReinstall.
- RequiredReinstall - Validates the app status of the apps in the inventory query to determine if they require a reinstallation. This attribute may impact system performance depending on the number of apps installed. Requiring reinstall occurs when resource package updates or when the app is in a tampered state.
- Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are:
- AppStore - This classification is for apps that were acquired from Windows Store. These were apps directly installed from Windows Store or enterprise apps from Windows Store for Business.
- AppStore - This classification is for apps that were acquired from Windows Store. These were apps directly installed from Windows Store or enterprise apps from Microsoft Store for Business.
- nonStore - This classification is for apps that were not acquired from the Windows Store.
- System - Apps that are part of the OS. You cannot uninstall these apps. This classification is read-only and can only be inventoried.
- PackageTypeFilter - Specifies one or multiple types of packages you can use to query the user or device. Multiple values must be separated by |. Valid values are:
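Review bot: The AppStore line is renamed only halfway: it now ends with "Microsoft Store for Business" but still says "Windows Store" twice, and the nonStore line below keeps "Windows Store" as well. If the rename is meant to cover Store for Business only, say so in the commit message; otherwise update these in the same pass. Separately, the context lines use both "RequiresReinstall" and "RequiredReinstall" for what reads as the same attribute, which should be reconciled against the CSP.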

View File

@ -1,6 +1,6 @@
---
title: Get Inventory
description: The Get Inventory operation retrieves information from the Windows Store for Business to determine if new or updated applications are available.
description: The Get Inventory operation retrieves information from the Microsoft Store for Business to determine if new or updated applications are available.
MS-HAID:
- 'p\_phdevicemgmt.get\_seatblock'
- 'p\_phDeviceMgmt.get\_inventory'
@ -15,7 +15,7 @@ ms.date: 06/19/2017
# Get Inventory
The **Get Inventory** operation retrieves information from the Windows Store for Business to determine if new or updated applications are available.
The **Get Inventory** operation retrieves information from the Microsoft Store for Business to determine if new or updated applications are available.
## Request

View File

@ -1,6 +1,6 @@
---
title: Get localized product details
description: The Get localized product details operation retrieves the localization information of a product from the Windows Store for Business.
description: The Get localized product details operation retrieves the localization information of a product from the Micosoft Store for Business.
ms.assetid: EF6AFCA9-8699-46C9-A3BB-CD2750C07901
ms.author: maricia
ms.topic: article
@ -12,7 +12,7 @@ ms.date: 06/19/2017
# Get localized product details
The **Get localized product details** operation retrieves the localization information of a product from the Windows Store for Business.
The **Get localized product details** operation retrieves the localization information of a product from the Micosoft Store for Business.
## Request
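Review bot: Both the front-matter description and the opening sentence of this topic now read "Micosoft Store for Business"; the replacement string is misspelled. The same misspelling is repeated in the Get offline license, Get product details, Get product package, Get product packages, Get seat, Get seats assigned to a user and Get seats topics that follow, while Assign seat, Bulk assign and Get Inventory carry the correct "Microsoft", so this looks like a second search-and-replace pass with a typo in the replacement. Fix the pattern and rerun it over those files.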

View File

@ -1,6 +1,6 @@
---
title: Get offline license
description: The Get offline license operation retrieves the offline license information of a product from the Windows Store for Business.
description: The Get offline license operation retrieves the offline license information of a product from the Micosoft Store for Business.
ms.assetid: 08DAD813-CF4D-42D6-A783-994A03AEE051
ms.author: maricia
ms.topic: article
@ -12,7 +12,7 @@ ms.date: 06/19/2017
# Get offline license
The **Get offline license** operation retrieves the offline license information of a product from the Windows Store for Business.
The **Get offline license** operation retrieves the offline license information of a product from the Micosoft Store for Business.
## Request

View File

@ -1,6 +1,6 @@
---
title: Get product details
description: The Get product details operation retrieves the product information from the Windows Store for Business for a specific application.
description: The Get product details operation retrieves the product information from the Micosoft Store for Business for a specific application.
ms.assetid: BC432EBA-CE5E-43BD-BD54-942774767286
ms.author: maricia
ms.topic: article
@ -12,7 +12,7 @@ ms.date: 06/19/2017
# Get product details
The **Get product details** operation retrieves the product information from the Windows Store for Business for a specific application.
The **Get product details** operation retrieves the product information from the Micosoft Store for Business for a specific application.
## Request

View File

@ -1,6 +1,6 @@
---
title: Get product package
description: The Get product package operation retrieves the information about a specific application in the Windows Store for Business.
description: The Get product package operation retrieves the information about a specific application in the Micosoft Store for Business.
ms.assetid: 4314C65E-6DDC-405C-A591-D66F799A341F
ms.author: maricia
ms.topic: article
@ -12,7 +12,7 @@ ms.date: 06/19/2017
# Get product package
The **Get product package** operation retrieves the information about a specific application in the Windows Store for Business.
The **Get product package** operation retrieves the information about a specific application in the Micosoft Store for Business.
## Request

View File

@ -1,6 +1,6 @@
---
title: Get product packages
description: The Get product packages operation retrieves the information about applications in the Windows Store for Business.
description: The Get product packages operation retrieves the information about applications in the Micosoft Store for Business.
ms.assetid: 039468BF-B9EE-4E1C-810C-9ACDD55C0835
ms.author: maricia
ms.topic: article
@ -12,7 +12,7 @@ ms.date: 06/19/2017
# Get product packages
The **Get product packages** operation retrieves the information about applications in the Windows Store for Business.
The **Get product packages** operation retrieves the information about applications in the Micosoft Store for Business.
## Request

View File

@ -1,6 +1,6 @@
---
title: Get seat
description: The Get seat operation retrieves the information about an active seat for a specified user in the Windows Store for Business.
description: The Get seat operation retrieves the information about an active seat for a specified user in the Micosoft Store for Business.
ms.assetid: 715BAEB2-79FD-4945-A57F-482F9E7D07C6
ms.author: maricia
ms.topic: article
@ -12,7 +12,7 @@ ms.date: 06/19/2017
# Get seat
The **Get seat** operation retrieves the information about an active seat for a specified user in the Windows Store for Business.
The **Get seat** operation retrieves the information about an active seat for a specified user in the Micosoft Store for Business.
## Request

View File

@ -1,6 +1,6 @@
---
title: Get seats assigned to a user
description: The Get seats assigned to a user operation retrieves information about assigned seats in the Windows Store for Business.
description: The Get seats assigned to a user operation retrieves information about assigned seats in the Micosoft Store for Business.
ms.assetid: CB963E44-8C7C-46F9-A979-89BBB376172B
ms.author: maricia
ms.topic: article
@ -12,7 +12,7 @@ ms.date: 06/19/2017
# Get seats assigned to a user
The **Get seats assigned to a user** operation retrieves information about assigned seats in the Windows Store for Business.
The **Get seats assigned to a user** operation retrieves information about assigned seats in the Micosoft Store for Business.
## Request

View File

@ -1,6 +1,6 @@
---
title: Get seats
description: The Get seats operation retrieves the information about active seats in the Windows Store for Business.
description: The Get seats operation retrieves the information about active seats in the Micosoft Store for Business.
ms.assetid: 32945788-47AC-4259-B616-F359D48F4F2F
ms.author: maricia
ms.topic: article
@ -12,7 +12,7 @@ ms.date: 06/19/2017
# Get seats
The **Get seats** operation retrieves the information about active seats in the Windows Store for Business.
The **Get seats** operation retrieves the information about active seats in the Micosoft Store for Business.
## Request

Binary file not shown.

Binary file not shown.

View File

@ -1,6 +1,6 @@
---
title: Management tool for the Windows Store for Business
description: The Windows Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk.
title: Management tool for the Micosoft Store for Business
description: The Micosoft Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk.
MS-HAID:
- 'p\_phdevicemgmt.business\_store\_portal\_management\_tool'
- 'p\_phDeviceMgmt.management\_tool\_for\_windows\_store\_for\_business'
@ -13,9 +13,9 @@ author: nickbrower
ms.date: 06/19/2017
---
# Management tool for the Windows Store for Business
# Management tool for the Micosoft Store for Business
The Windows Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. The Store for Business enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates.
The Micosoft Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. The Store for Business enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates.
Here's the list of the available capabilities:
@ -26,7 +26,7 @@ Here's the list of the available capabilities:
- Custom Line of Business app support Enables management and distribution of enterprise applications through the Store for Business.
- Support for Windows desktop and mobile devices - The Store for Business supports both desktop and mobile devices.
For additional information about Store for Business, see the TechNet topics in [Windows Store for Business](https://technet.microsoft.com/library/mt606951.aspx).
For additional information about Store for Business, see the TechNet topics in [Micosoft Store for Business](https://technet.microsoft.com/library/mt606951.aspx).
## Management services
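Review bot: Every renamed string in this file (title, description, H1, first sentence and the TechNet link text) says "Micosoft Store for Business". Correct the spelling to "Microsoft"; the title and description feed the page title and search snippets. In the capability list, "Custom Line of Business app support Enables management ..." is also missing the dash that separates the capability name from its description in the next bullet.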

View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/31/2017
ms.date: 09/12/2017
---
# What's new in MDM enrollment and management
@ -102,7 +102,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</ul></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Management tool for the Windows Store for Business</p></td>
<td style="vertical-align:top"><p>Management tool for the Micosoft Store for Business</p></td>
<td style="vertical-align:top"><p>New topics. The Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. It enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates.</p></td>
</tr>
<tr class="even">
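Review bot: The renamed cell reads "Management tool for the Micosoft Store for Business". This same file later adds a row stating that the name changed to "Microsoft Store for Business", so the misspelling contradicts the page's own announcement; fix the spelling here.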
@ -929,6 +929,16 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</thead>
<tbody>
<tr class="even">
<td style="vertical-align:top">The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx)</td>
<td style="vertical-align:top"><p>The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:</p>
<ul>
<li>UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page. </li>
<li>ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.</li>
<li>DomainName - fully qualified domain name if the device is domain-joined.</li>
</ul>
<p>For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.</p>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
<td style="vertical-align:top"><p>Added new CSP in Windows 10, version 1709.</p>
</td></tr>
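Review bot: The new MS-MDE2 row is declared `<tr class="even">` and is immediately followed by the Firewall CSP row, also `<tr class="even">`, so the alternating row classes break at this point. Give the new row the opposite class or renumber the rows after it. The closing paragraph also has a doubled word: "of the the MS-MDE2 protocol documentation".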
@ -946,7 +956,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</tr>
<tr class="even">
<td style="vertical-align:top">[VPNv2 CSP](vpnv2-csp.md)</td>
<td style="vertical-align:top"><p>Added DeviceTunnel profile in Windows 10, version 1709.</p>
<td style="vertical-align:top"><p>Added DeviceTunnel and RegisterDNS settings in Windows 10, version 1709.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[DeviceStatus CSP](devicestatus-csp.md)</td>
@ -989,9 +999,14 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<td style="vertical-align:top"><p>Added new policies.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">Microsoft Store for Business</td>
<td style="vertical-align:top"><p>Windows Store for Business name changed to Microsoft Store for Business.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
<ul>
<li>Authentication/AllowAadPasswordReset</li>
<li>Browser/LockdownFavorites</li>
<li>Browser/ProvisionFavorites</li>
<li>CredentialProviders/DisableAutomaticReDeploymentCredentials</li>
@ -1000,6 +1015,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>DeviceGuard/LsaCfgFlags</li>
<li>ExploitGuard/ExploitProtectionSettings</li>
<li>Games/AllowAdvancedGamingServices</li>
<li>Handwriting/PanelDefaultModeDocked</li>
<li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</li>
<li>LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</li>
<li>LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</li>
@ -1043,7 +1059,9 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>Education/DefaultPrinterName</li>
<li>Education/PreventAddingNewPrinters</li>
<li>Education/PrinterNames</li>
<li>Search/AllowCloudSearch</li>
<li>Security/ClearTPMIfNotReady</li>
<li>System/LimitEnhancedDiagnosticDataWindowsAnalytics</li>
<li>Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork</li>
<li>Update/DisableDualScan</li>
<li>Update/ScheduledInstallEveryWeek</li>
@ -1335,6 +1353,52 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
### September 2017
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th>New or updated topic</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
<ul>
<li>Authentication/AllowAadPasswordReset</li>
<li>Handwriting/PanelDefaultModeDocked</li>
<li>Search/AllowCloudSearch</li>
<li>System/LimitEnhancedDiagnosticDataWindowsAnalytics</li>
</ul>
<p>Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">Microsoft Store for Business</td>
<td style="vertical-align:top"><p>Windows Store for Business name changed to Microsoft Store for Business.</p>
</td></tr>
<tr class="even">
<td style="vertical-align:top">The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx)</td>
<td style="vertical-align:top"><p>The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:</p>
<ul>
<li>UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page. </li>
<li>ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.</li>
<li>DomainName - fully qualified domain name if the device is domain-joined.</li>
</ul>
<p>For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[VPNv2 CSP](vpnv2-csp.md)</td>
<td style="vertical-align:top"><p>Added RegisterDNS setting in Windows 10, version 1709.</p>
</td></tr>
</tbody>
</table>
### August 2017
<table class="mx-tdBreakAll">
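Review bot: The last paragraph of the Policy CSP row, "Added new settings to Update/BranchReadinessLevel policy", does not say which settings were added, unlike the list above it. Name the new values or link to the policy so an admin can tell what changed. The first two rows of the new table are both `class="odd"`, and the MS-MDE2 row repeats the doubled word in "of the the MS-MDE2".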

View File

@ -307,6 +307,9 @@ The following diagram shows the Policy configuration service provider in tree fo
### Authentication policies
<dl>
<dd>
<a href="./policy-csp-authentication.md#authentication-allowaadpasswordreset" id="authentication-allowaadpasswordreset">Authentication/AllowAadPasswordReset</a>
</dd>
<dd>
<a href="./policy-csp-authentication.md#authentication-alloweapcertsso" id="authentication-alloweapcertsso">Authentication/AllowEAPCertSSO</a>
</dd>
@ -1024,6 +1027,14 @@ The following diagram shows the Policy configuration service provider in tree fo
</dd>
</dl>
### Handwriting policies
<dl>
<dd>
<a href="./policy-csp-handwriting.md#handwriting-paneldefaultmodedocked" id="handwriting-paneldefaultmodedocked">Handwriting/PanelDefaultModeDocked</a>
</dd>
</dl>
### InternetExplorer policies
<dl>
@ -2383,6 +2394,9 @@ The following diagram shows the Policy configuration service provider in tree fo
### Search policies
<dl>
<dd>
<a href="./policy-csp-search.md#search-allowcloudsearch" id="search-allowcloudsearch">Search/AllowCloudSearch</a>
</dd>
<dd>
<a href="./policy-csp-search.md#search-allowindexingencryptedstoresoritems" id="search-allowindexingencryptedstoresoritems">Search/AllowIndexingEncryptedStoresOrItems</a>
</dd>
@ -2646,6 +2660,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-system.md#system-disablesystemrestore" id="system-disablesystemrestore">System/DisableSystemRestore</a>
</dd>
<dd>
<a href="./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics" id="limitenhanceddiagnosticdatawindowsanalytics">System/LimitEnhancedDiagnosticDataWindowsAnalytics</a>
</dd>
<dd>
<a href="./policy-csp-system.md#system-telemetryproxy" id="system-telemetryproxy">System/TelemetryProxy</a>
</dd>
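Review bot: The new anchor uses `id="limitenhanceddiagnosticdatawindowsanalytics"`, without the `system-` area prefix that the neighbouring entries carry (`id="system-disablesystemrestore"`, `id="system-telemetryproxy"`) and that its own href fragment `#system-limitenhanceddiagnosticdatawindowsanalytics` uses. Change it to `id="system-limitenhanceddiagnosticdatawindowsanalytics"` so in-page links built on the usual pattern resolve.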

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/06/2017
---
# Policy CSP - Authentication
@ -19,6 +19,42 @@ ms.date: 08/30/2017
## Authentication policies
<!--StartPolicy-->
<a href="" id="authentication-allowaadpasswordreset"></a>**Authentication/AllowAadPasswordReset**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen. 
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Not allowed.
- 1 Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="authentication-alloweapcertsso"></a>**Authentication/AllowEAPCertSSO**
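Review bot: The AllowAadPasswordReset description does not make the scope of the setting clear: "Specifies whether password reset is enabled for Azure Active Directory accounts" reads as a tenant-wide switch, while the next sentence limits it to offering self-service reset on the logon screen. State the scope once, in terms of what appears on the device's logon screen, and keep the default of 0 (not allowed) next to it. Also capitalize "Windows", hyphenate "self-service", and close the two `<p style="margin-left: 20px">` elements, since the value list is Markdown placed directly after an open `<p>`.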
@ -46,10 +82,6 @@ ms.date: 08/30/2017
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources.
> [!IMPORTANT]
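Review bot: Dropping the NOTE that Authentication/AllowEAPCertSSO is "not supported in Windows 10 Mobile" leaves the SKU table as the only statement of platform support, and that table is outside this hunk. Confirm that its Mobile and Mobile Enterprise columns agree with the removal; the hunk header shows 10 lines going to 6, which matches the NOTE and its surrounding blank lines being removed.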

View File

@ -572,7 +572,7 @@ ms.date: 08/30/2017
<p style="margin-left: 20px">Added in Windows 10, version 1709. This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe"..
Value type is string.
<p style="margin-left: 20px">Value type is string.
<!--EndDescription-->
<!--EndPolicy-->
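Review bot: The exclusions paragraph above the changed line ends with a doubled period after "C:\Windows\App.exe".. and spells the feature "Attack Surface reduction" where the next policy writes "Attack surface reduction (ASR)"; since this hunk already touches the end of the description, fix both here. The two path examples also differ in drive-letter case ("c:\Windows" and "C:\Windows\App.exe"). Because an entry such as "c:\Windows" exempts every file in that directory from the rules, the text should also say what goes in the value half of each name value pair, which it never states.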
@ -609,7 +609,9 @@ Value type is string.
<p style="margin-left: 20px">Added in Windows 10, version 1709. This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule.
Value type is string.
<p style="margin-left: 20px">For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction).
<p style="margin-left: 20px">Value type is string.
<!--EndDescription-->
<!--EndPolicy-->
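Review bot: The link added on the "For more information about ASR rule ID and status ID" line hard-codes the `/en-us/` locale, while other docs.microsoft.com links added in this commit omit it (for example `https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp`); drop the locale segment so the link follows the reader's language. The paragraph above it repeats "(Block/Audit/Off)" twice and never gives the status ID values, so a reader cannot build a name value pair without leaving the page; either list the status IDs here or say explicitly that they are only in the linked topic.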

View File

@ -0,0 +1,72 @@
---
title: Policy CSP - Handwriting
description: Policy CSP - Handwriting
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/07/2017
---
# Policy CSP - Handwriting
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Handwriting policies
<!--StartPolicy-->
<a href="" id="handwriting-paneldefaultmodedocked"></a>**Handwriting/PanelDefaultModeDocked**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3<sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3<sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3<sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3<sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10. version 1709. This policy allows an enterprise to configure the default mode for the handwriting panel.
<p style="margin-left: 20px">The handwriting panel has 2 modes - floats near the text box, or docked to the bottom of the screen. The default configuration to is floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen.
<p style="margin-left: 20px">In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and does not require any user interaction.
<p style="margin-left: 20px">The docked mode is especially useful in Kiosk mode where you do not expect the end-user to drag the flying-in panel out of the way.
<ul>
<li>0 - Disabled (default)</li>
<li>1 - Enabled</li>
</ul>
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
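Review bot: The four supported-edition cells in the SKU table open a second `<sup>` instead of closing the first (`<sup>3<sup></td>`), which leaves the superscript unclosed for the rest of the row; the other policy tables in this commit use `<sup>3</sup>`. In the description, "Added in Windows 10. version 1709" needs a comma instead of the period, and "The default configuration to is floating near text box" has a stray "to". The value list gives only "0 - Disabled (default)" and "1 - Enabled" without saying that enabled means docked, so tie each value to the floating or docked mode by name.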

View File

@ -19,6 +19,42 @@ ms.date: 08/30/2017
## Search policies
<!--StartPolicy-->
<a href="" id="search-allowcloudsearch"></a>**Search/AllowCloudSearch**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="search-allowindexingencryptedstoresoritems"></a>**Search/AllowIndexingEncryptedStoresOrItems**
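Review bot: The AllowCloudSearch value list does not say what "0 Not allowed" does on the device. The description talks about controlling "whether employees can turn off/on the search of these cloud sources", so 0 could mean that cloud search is off or only that the user-facing setting is locked; state the resulting behaviour for each value, since this decides whether OneDrive and SharePoint content is searched. The SKU table also marks Home as unsupported while both Mobile editions are marked supported, which is the reverse of the other 1709 policies in this commit and worth confirming.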

View File

@ -554,6 +554,51 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="system-limitenhanceddiagnosticdatawindowsanalytics"></a>**System/LimitEnhancedDiagnosticDataWindowsAnalytics**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">This policy setting, in combination with the System/AllowTelemetry
policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services.
<p style="margin-left: 20px">To enable this behavior you must complete two steps:
<ul>
<li>Enable this policy setting</li>
<li>Set Allow Telemetry to level 2 (Enhanced)</li>
</ul>
<p style="margin-left: 20px">When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://go.microsoft.com/fwlink/?linkid=847594).
<p style="margin-left: 20px">Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="system-telemetryproxy"></a>**System/TelemetryProxy**
<!--StartSKU-->
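Review bot: The LimitEnhancedDiagnosticDataWindowsAnalytics description has no list of supported values, so "Enable this policy setting" gives an MDM administrator no value to send; add the same "The following list shows the supported values" block the other policies use. It also lacks the "Added in Windows 10, version 1709" sentence that the other new policies open with, although the SKU table carries footnote 3. The first sentence is broken across two lines in the middle ("System/AllowTelemetry" then "policy setting"), and the events link points to the version 1703 basic level topic, which should be confirmed as the intended target for a 1709 policy.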

View File

@ -471,8 +471,12 @@ This policy is accessible through the Update setting in the user interface or Gr
<p style="margin-left: 20px">The following list shows the supported values:
- 16 (default) User gets all applicable upgrades from Current Branch (CB).
- 32 User gets upgrades from Current Branch for Business (CBB).
- 2 {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709)
- 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709)
- 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709)
- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted).
- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel.
<!--EndDescription-->
<!--EndPolicy-->
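Review bot: The new value list writes "Semi-annual Channel" with a lower-case "annual", while the RequireDeferUpgrade hunk later in this same file writes "Semi-Annual Channel"; use one capitalization throughout. The entry "8 {0x8} - Release Windows Insider build" also breaks the pattern of the two entries above it ("Windows Insider build - Fast", "Windows Insider build - Slow"), so reword it to match, and only the three Insider values carry an "added in Windows 10, version 1709" tag even though the Semi-annual wording is new as well.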
@ -1253,12 +1257,12 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
<p style="margin-left: 20px">Allows the IT admin to set a device to CBB train.
<p style="margin-left: 20px">Allows the IT admin to set a device to Semi-Annual Channel train.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) User gets upgrades from Current Branch.
- 1 User gets upgrades from Current Branch for Business.
- 0 (default) User gets upgrades from Semi-Annual Channel (Targeted).
- 1 User gets upgrades from Semi-Annual Channel.
<!--EndDescription-->
<!--EndPolicy-->
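Review bot: The replacement sentence "Allows the IT admin to set a device to Semi-Annual Channel train" keeps the word "train" from the old CBB wording, which no longer matches the channel terminology; drop it. The two new values still say "User gets upgrades", whereas the BranchReadinessLevel list updated in this commit says "Device gets feature updates"; align the subject and the noun across the two policies.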

View File

@ -1,6 +1,6 @@
---
title: Reclaim seat from user
description: The Reclaim seat from user operation returns reclaimed seats for a user in the Windows Store for Business.
description: The Reclaim seat from user operation returns reclaimed seats for a user in the Micosoft Store for Business.
ms.assetid: E2C3C899-D0AD-469A-A319-31A420472A4C
ms.author: maricia
ms.topic: article
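Review bot: The new description line misspells the product name as "Micosoft Store for Business"; it should be "Microsoft". This front-matter field feeds page metadata, so the typo will surface in search results.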
@ -12,7 +12,7 @@ ms.date: 06/19/2017
# Reclaim seat from user
The **Reclaim seat from user** operation returns reclaimed seats for a user in the Windows Store for Business.
The **Reclaim seat from user** operation returns reclaimed seats for a user in the Micosoft Store for Business.
## Request
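Review bot: The rewritten opening sentence repeats the "Micosoft Store for Business" misspelling in the body text; correct it to "Microsoft" together with the description field.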

View File

@ -1,6 +1,6 @@
---
title: REST API reference for Windows Store for Business
description: REST API reference for Windows Store for Business
title: REST API reference for Micosoft Store for Business
description: REST API reference for Micosoft Store for Business
MS-HAID:
- 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference'
- 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business'
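Review bot: Both the new title and the new description read "Micosoft Store for Business"; correct the spelling to "Microsoft" before this becomes the page title.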
@ -13,7 +13,7 @@ author: nickbrower
ms.date: 06/19/2017
---
# REST API reference for Windows Store for Business
# REST API reference for Micosoft Store for Business
Here's the list of available operations:
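Review bot: The new H1 "REST API reference for Micosoft Store for Business" carries the same misspelling as the front matter; because the heading also generates the page anchor, fix it now rather than in a follow-up rename.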

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/07/2017
ms.date: 09/18/2017
---
# VPNv2 CSP
@ -35,7 +35,7 @@ The XSDs for all EAP methods are shipped in the box and can be found at the foll
The following diagram shows the VPNv2 configuration service provider in tree format.
![vpnv2 csp diagram](images/provisioning-csp-vpnv2-rs1.png)
![vpnv2 csp diagram](images/provisioning-csp-vpnv2.png)
<a href="" id="device-or-user-profile"></a>**Device or User profile**
For user profile, use **./User/Vendor/MSFT** path and for device profile, use **./Device/Vendor/MSFT** path.
@ -303,6 +303,14 @@ A device tunnel profile must be deleted before another device tunnel profile can
Value type is bool. Supported operations include Get, Add, Replace, and Delete.
<a href="" id="vpnv2-profilename-registerdns"></a>**VPNv2/***ProfileName***/RegisterDNS**
Allows registration of the connection's address in DNS.
Valid values:
- False = Do not register the connection's address in DNS (default).
- True = Register the connection's addresses in DNS.
<a href="" id="vpnv2-profilename-dnssuffix"></a>**VPNv2/***ProfileName***/DnsSuffix**
Optional. Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.
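Review bot: The new RegisterDNS entry does not state its value type or supported operations, unlike the node just above it ("Value type is bool. Supported operations include Get, Add, Replace, and Delete."). The DDF added in this commit declares the node as bool with Add, Delete, Get and Replace, so add the matching sentence here. The entry also gives no "Added in Windows 10, version 1709" marker, although the DDF hunk places the node in the 1709 XML.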

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/07/2017
ms.date: 09/18/2017
---
# VPNv2 DDF file
@ -992,6 +992,33 @@ The XML below is for Windows 10, version 1709.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RegisterDNS</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>
False = Do not register the connection's address in DNS (default).
True = Register the connection's addresses in DNS.
</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DnsSuffix</NodeName>
<DFProperties>
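Review bot: In the RegisterDNS `<Description>`, the False line says "the connection's address" and the True line says "the connection's addresses"; make both singular or both plural, and keep the CSP topic's wording in step since it copies this text. The text also speaks only of registering in DNS without naming which interface's address is meant; if it is the VPN interface, as the neighbouring DnsSuffix description says for its suffix, say so.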

View File

@ -8,7 +8,10 @@
### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
### [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md)
### [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md)
#### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md)
#### [Use AppLocker to create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-applocker.md)
#### [Multi-app kiosk XML reference](multi-app-kiosk-xml.md)
## [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md)
### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](mobile-devices/provisioning-configure-mobile.md)
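Review bot: The three new child entries list "Troubleshoot multi-app kiosk" first, ahead of the AppLocker method and the XML reference; order them the way a reader meets them (XML reference, AppLocker alternative, then troubleshooting). Nesting "Use AppLocker to create a Windows 10 kiosk that runs multiple apps" under the multi-app kiosk topic also suggests the two are used together, while the kiosk topic in this commit says to avoid applying AppLocker rules to devices running the multi-app configuration; consider making the AppLocker topic a sibling.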

View File

@ -14,20 +14,38 @@ author: jdeckerms
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
## RELEASE: Windows 10, version 1709
The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). The following new topics have been added:
- [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md)
- [Multi-app kiosk XML reference](multi-app-kiosk-xml.md)
## September 2017
New or changed topic | Description
--- | ---
[Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added that Windows Spotlight can be managed by the Experience/AllowWindowsSpotlight MDM policy.
## August 2017
New or changed topic | Description
--- | ---
[Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md) | New section; reference content from [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx) is being relocated here from MSDN.
## July 2017
| New or changed topic | Description |
| --- | --- |
| [Add image for secondary tiles](start-secondary-tiles.md) | Added XML example for Edge secondary tiles and **ImportEdgeAssets** |
| [Customize and export Start layout](customize-and-export-start-layout.md) | Added explanation for tile behavior when the app is not installed |
| [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md) | Added that Microsoft Edge is not supported for assigned access |
|[Windows 10, version 1703 Diagnostic Data](windows-diagnostic-data.md)|Updated categories and included diagnostic data.|
|[Add image for secondary tiles](start-secondary-tiles.md) | Added XML example for Edge secondary tiles and **ImportEdgeAssets** |
|[Customize and export Start layout](customize-and-export-start-layout.md) | Added explanation for tile behavior when the app is not installed |
|[Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md) | Added that Microsoft Edge is not supported for assigned access |
|[Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)|Updated several Appraiser events and added Census.Speech. |
| [Manage connections from Windows operating system components to Microsoft-services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Updated Date & Time and Windows spotlight sections. |
|[Manage connections from Windows operating system components to Microsoft-services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Updated Date & Time and Windows spotlight sections. |
## June 2017
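Review bot: The new-topics list under "RELEASE: Windows 10, version 1709" names two of the topics this commit adds to the TOC but omits lock-down-windows-10-applocker.md and multi-app-kiosk-troubleshoot.md; list all four or explain the omission. The new September and August tables are written without outer pipes, while the July table in the same hunk keeps them, and the July rows are rewritten only to drop the space after the leading pipe; settle on one table style and avoid the whitespace-only churn.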

View File

@ -100,7 +100,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
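Review bot: Step 12, directly below the changed line, still calls the tool "Windows Imaging and Configuration Designer (ICD)" although the section introduces it as the Windows Configuration Designer tool; update the name in the same change as the button label so the procedure uses one product name.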

Binary file not shown.

After

Width:  |  Height:  |  Size: 5.0 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 42 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 92 KiB

View File

@ -20,4 +20,4 @@ Some desktop devices in an enterprise serve a special purpose, such as a common
| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. |
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. |
| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. |
| [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
| [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
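Review bot: Only the link text of the last row was changed; its description still says "a device running Windows 10 Enterprise or Windows 10 Education", while the retitled topic lists Windows 10 (S, Pro, Enterprise, or Education), version 1709 as its prerequisite. Update the description to match the topic it now points to. The row above it also contains the typo "approprate", which can be fixed in passing.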

View File

@ -0,0 +1,121 @@
---
title: Use AppLocker to create a Windows 10 kiosk that runs multiple apps (Windows 10)
description: Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
keywords: ["lockdown", "app restrictions", "applocker"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
ms.localizationpriority: high
ms.date: 10/05/2017
ms.author: jdecker
---
# Use AppLocker to create a Windows 10 kiosk that runs multiple apps
**Applies to**
- Windows 10
Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
>[!NOTE]
>For devices running Windows 10, version 1709, we recommend the [multi-app kiosk method](lock-down-windows-10-to-specific-apps.md).
You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](/windows/device-security/applocker/applocker-overview). AppLocker rules specify which apps are allowed to run on the device.
AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](/windows/device-security/applocker/how-applocker-works-techref).
This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy.
![install create lockdown customize](images/lockdownapps.png)
## Install apps
First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account.
## Use AppLocker to set rules for apps
After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else.
1. Run Local Security Policy (secpol.msc) as an administrator.
2. Go to **Security Settings** &gt; **Application Control Policies** &gt; **AppLocker**, and select **Configure rule enforcement**.
![configure rule enforcement](images/apprule.png)
3. Check **Configured** under **Executable rules**, and then click **OK**.
4. Right-click **Executable Rules** and then click **Automatically generate rules**.
![automatically generate rules](images/genrule.png)
5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps.
6. Type a name to identify this set of rules, and then click **Next**.
7. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules.
8. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps.
9. Read the message and click **Yes**.
![default rules warning](images/appwarning.png)
10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users.
11. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**.
12. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run:
``` syntax
sc config appidsvc start=auto
```
13. Restart the device.
## Other settings to lock down
In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device:
- Remove **All apps**.
Go to **Group Policy Editor** &gt; **User Configuration** &gt; **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**.
- Hide **Ease of access** feature on the logon screen.
Go to **Control Panel** &gt; **Ease of Access** &gt; **Ease of Access Center**, and turn off all accessibility tools.
- Disable the hardware power button.
Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
- Disable the camera.
Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.
- Turn off app notifications on the lock screen.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
- Disable removable media.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
**Note**  
To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
 
To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442).
## Customize Start screen layout for the device (recommended)
Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md).
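Review bot: Steps 3 and 4 configure and generate rules for Executable rules only, yet the overview states that "If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run"; as written, every other rule collection stays unrestricted on the kiosk, so either add steps for the remaining collections or say why they are left open. Step 5's "select C:\\ to analyze all apps" generates allow rules for everything installed and leaves pruning to the optional step 11; recommend the specific app folder as the default choice. The front matter reuses ms.assetid 14DDDC96-88C7-4181-8415-B371F25726C8, which lock-down-windows-10-to-specific-apps.md keeps in this commit, and step 12 says the service should "start on reset" where "restart" appears to be meant.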

View File

@ -1,6 +1,6 @@
---
title: Lock down Windows 10 to specific apps (Windows 10)
description: Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps.
title: Create a Windows 10 kiosk that runs multiple apps (Windows 10)
description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
keywords: ["lockdown", "app restrictions", "applocker"]
ms.prod: w10
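Review bot: The keywords line still lists "applocker" after the retitle, although the rewritten topic tells readers to avoid applying AppLocker rules to devices that use this configuration and moves the AppLocker procedure to lock-down-windows-10-applocker.md. Replace it with keywords for the new content (kiosk, assigned access) so search does not route AppLocker queries to this page.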
@ -9,120 +9,605 @@ ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
ms.localizationpriority: high
ms.date: 10/05/2017
ms.author: jdecker
---
# Lock down Windows 10 to specific apps
# Create a Windows 10 kiosk that runs multiple apps
**Applies to**
- Windows 10
>For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package.
Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
>[!NOTE]
>For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk. Avoid applying AppLocker rules to devices running the multi-app kiosk configuration described in this topic.
You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](/windows/device-security/applocker/applocker-overview). AppLocker rules specify which apps are allowed to run on the device.
The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they dont need to access.
AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](/windows/device-security/applocker/how-applocker-works-techref).
This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy.
![install create lockdown customize](images/lockdownapps.png)
## Install apps
>[!WARNING]
>The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account.
Process:
1. [Create XML file](#create-xml-file)
2. [Add XML file to provisioning package](#add-xml)
3. [Apply provisioning package to device](#apply-ppkg)
## Use AppLocker to set rules for apps
If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](#bridge).
## Prerequisites
- (latest version of WCD -- is Store version okay at GA?)
- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709
After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else.
## Create XML file
1. Run Local Security Policy (secpol.msc) as an administrator.
Let's start by looking at the basic structure of the XML file.
2. Go to **Security Settings** &gt; **Application Control Policies** &gt; **AppLocker**, and select **Configure rule enforcement**.
- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout.
![configure rule enforcement](images/apprule.png)
- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**.
3. Check **Configured** under **Executable rules**, and then click **OK**.
- Multiple config sections can be associated to the same profile.
4. Right-click **Executable Rules** and then click **Automatically generate rules**.
- A profile has no effect if its not associated to a config section.
![automatically generate rules](images/genrule.png)
![profile = app and config = account](images/profile-config.png)
5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps.
You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic.
6. Type a name to identify this set of rules, and then click **Next**.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="">
<AllAppsList>
<AllowedApps/>
</AllAppsList>
<StartLayout/>
<Taskbar/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account/>
<DefaultProfile Id=""/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
7. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules.
### Profile
8. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps.
A profile section in the XML has the following entries:
9. Read the message and click **Yes**.
- [**Id**](#id)
![default rules warning](images/appwarning.png)
- [**AllowedApps**](#allowedapps)
10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users.
- [**StartLayout**](#startlayout)
11. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**.
12. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run:
``` syntax
sc config appidsvc start=auto
```
13. Restart the device.
## Other settings to lock down
- [**Taskbar**](#taskbar)
In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device:
#### Id
- Remove **All apps**.
The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.
Go to **Group Policy Editor** &gt; **User Configuration** &gt; **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**.
```xml
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"></Profile>
</Profiles>
```
- Hide **Ease of access** feature on the logon screen.
#### AllowedApps
Go to **Control Panel** &gt; **Ease of Access** &gt; **Ease of Access Center**, and turn off all accessibility tools.
**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Classic Windows desktop apps.
- Disable the hardware power button.
Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration.
Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
>[!NOTE]
>You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](https://technet.microsoft.com/library/hh994629.aspx#BKMK_Using_Snapins). Avoid applying AppLocker rules to devices running the multi-app kiosk configuration.
- Disable the camera.
- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout).
- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.
Here are the predefined assigned access AppLocker rules for **UWP apps**:
- Turn off app notifications on the lock screen.
1. Default rule is to allow all users to launch the signed package apps.
2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
>[!NOTE]
>Multi-app kiosk mode doesnt block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list.
- Disable removable media.
Here are the predefined assigned access AppLocker rules for **desktop apps**:
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration.
3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list.
**Note**  
To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device.
 
```xml
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App DesktopAppPath="%windir%\system32\mspaint.exe" />
<App DesktopAppPath="C:\Windows\System32\notepad.exe" />
</AllowedApps>
</AllAppsList>
```
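Review bot: In the AllowedApps sample the two desktop entries are written differently: Paint uses `%windir%\system32\mspaint.exe` while Notepad uses the literal `C:\Windows\System32\notepad.exe`. The bullet above says desktop paths may contain environment variables, so use `%windir%` for both and the sample no longer depends on the system drive letter; the same pair is repeated in the PowerShell sample later in this file and should change with it. Also in this section, "mult-app" should be "multi-app" and "doesnt" in the NOTE is missing its apostrophe.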
To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442).
#### StartLayout
## Customize Start screen layout for the device (recommended)
After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen.
The easiest way to create a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md).
A few things to note here:
- The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration.
- Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout.
- There are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the `<CustomTaskbarLayoutCollection>` tag in a layout modification XML as part of the assigned access configuration.
- The following example uses DesktopApplicationLinkPath to pin the desktop app to start. When the desktop app doesnt have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files).
This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start.
```xml
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Group1">
<start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
</start:Group>
<start:Group Name="Group2">
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
<start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]>
</StartLayout>
```
>[!NOTE]
>If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen.
Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md).
![What the Start screen looks like when the XML sample is applied](images/sample-start.png)
#### Taskbar
Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you dont attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.
The following example exposes the taskbar to the end user:
```xml
<Taskbar ShowTaskbar="true"/>
```
The following example hides the taskbar:
```xml
<Taskbar ShowTaskbar="false"/>
```
>[!NOTE]
>This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
### Configs
Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience.
The full multi-app assigned access experience can only work for non-admin users. Its not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in.
 
 
The account can be local, domain, or Azure Active Directory (Azure AD). Groups are not supported.
- Local account can be entered as `machinename\account` or `.\account` or just `account`.
- Domain account should be entered as `domain\account`.
- Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided AS IS (consider its a fixed domain name), then follow with the Azure AD email address, e.g. **AzureAD\someone@contoso.onmicrosoft.com**.
>[!WARNING]
>Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
>[!NOTE]
>For both domain and Azure AD accounts, its not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
```xml
<Configs>
<Config>
<Account>MultiAppKioskUser</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
```
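Review bot: The sentence `Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.` reads as applying to every account type, but the NOTE directly after it says domain and Azure AD accounts do not have to be added to the device. Scope the sentence to local accounts or fold it into the NOTE so the two do not contradict each other. The WARNING about domain and service accounts names only WMI and CSP as the configuration path; since this section is also reached from the provisioning package procedure, say whether the same caution applies there. Minor: "Its" and "its" in this section are missing the apostrophe.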
<span id="add-xml" />
## Add XML file to provisioning package
Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](multi-app-kiosk-xml.md#xsd-for-assignedaccess-configuration-xml).
Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md)
>[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Choose **Advanced provisioning**.
3. Name your project, and click **Next**.
4. Choose **All Windows desktop editions** and click **Next**.
5. On **New project**, click **Finish**. The workspace for your package opens.
6. Expand **Runtime settings** &gt; **AssignedAccess** &gt; **MultiAppAssignedAccessSettings**.
7. In the center pane, click **Browse** to locate and select the assigned access configuration XML file that you created.
![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png)
8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** &gt; **Accounts** &gt; **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
8. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** &gt; **Accounts** &gt; **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**.
8. On the **File** menu, select **Save.**
9. On the **Export** menu, select **Provisioning package**.
10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
13. Click **Next**.
14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
15. Copy the provisioning package to the root directory of a USB drive.
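Review bot: The first of the steps numbered 8 puts an administrator **UserName** and **Password** into the package, yet step 11 presents **Enable package encryption** as simply optional. Point readers who add that account to the encryption option, in line with the IMPORTANT note above about sensitive information in the .ppkg and project files. The list also has three consecutive items numbered 8 and two numbered 15, and step 12 says "Windows Imaging and Configuration Designer (ICD)" where the rest of the section says Windows Configuration Designer.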
<span id="apply-ppkg" />
## Apply provisioning package to device
Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").
### During initial setup, from a USB drive
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
![The first screen to set up a new PC](images/oobe.jpg)
2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
![Set up device?](images/setupmsg.jpg)
3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
![Provision this device](images/prov.jpg)
4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
![Choose a package](images/choose-package.png)
5. Select **Yes, add it**.
![Do you trust this package?](images/trust-package.png)
### After setup, from a USB drive, network folder, or SharePoint site
1. Sign in with an admin account.
2. Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
>[!NOTE]
>if your provisioning package doesnt include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device.
![add a package option](images/package.png)
### Validate provisioning
- Go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device, including the one you applied for the multi-app configuration.
- Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**.
<span id="alternate-methods" />
## Use MDM to deploy the multi-app configuration
Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML.
If your test device is enrolled with a MDM server which supports applying the assigned access configuration, you can use it to apply the setting remotely.
The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`.
<span id="bridge" />
## Use MDM Bridge WMI Provider to configure assigned access
Environments that use WMI can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. See [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) for more details about using a PowerShell script to configure AssignedAccess.
Heres an example to set AssignedAccess configuration:
1. Download the [psexec tool](https://technet.microsoft.com/sysinternals/bb897553.aspx).
2. Run `psexec.exe -i -s cmd.exe`.
3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
4. Execute the following script:
```ps
$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = @"
&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot; ?&gt;
&lt;AssignedAccessConfiguration xmlns=&quot;http://schemas.microsoft.com/AssignedAccess/2017/config&quot;&gt;
&lt;Profiles&gt;
&lt;Profile Id=&quot;{9A2A490F-10F6-4764-974A-43B19E722C23}&quot;&gt;
&lt;AllAppsList&gt;
&lt;AllowedApps&gt;
&lt;App AppUserModelId=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt;
&lt;App DesktopAppPath=&quot;%windir%\system32\mspaint.exe&quot; /&gt;
&lt;App DesktopAppPath=&quot;C:\Windows\System32\notepad.exe&quot; /&gt;
&lt;/AllowedApps&gt;
&lt;/AllAppsList&gt;
&lt;StartLayout&gt;
&lt;![CDATA[&lt;LayoutModificationTemplate xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot; Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
&lt;LayoutOptions StartTileGroupCellWidth=&quot;6&quot; /&gt;
&lt;DefaultLayoutOverride&gt;
&lt;StartLayoutCollection&gt;
&lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot;&gt;
&lt;start:Group Name=&quot;Group1&quot;&gt;
&lt;start:Tile Size=&quot;4x4&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;2&quot; AppUserModelID=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
&lt;start:Tile Size=&quot;4x2&quot; Column=&quot;0&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt;
&lt;/start:Group&gt;
&lt;start:Group Name=&quot;Group2&quot;&gt;
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; DesktopApplicationLinkPath=&quot;%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk&quot; /&gt;
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; DesktopApplicationLinkPath=&quot;%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk&quot; /&gt;
&lt;/start:Group&gt;
&lt;/defaultlayout:StartLayout&gt;
&lt;/StartLayoutCollection&gt;
&lt;/DefaultLayoutOverride&gt;
&lt;/LayoutModificationTemplate&gt;
]]&gt;
&lt;/StartLayout&gt;
&lt;Taskbar ShowTaskbar=&quot;true&quot;/&gt;
&lt;/Profile&gt;
&lt;/Profiles&gt;
&lt;Configs&gt;
&lt;Config&gt;
&lt;Account&gt;MultiAppKioskUser&lt;/Account&gt;
&lt;DefaultProfile Id=&quot;{9A2A490F-10F6-4764-974A-43B19E722C23}&quot;/&gt;
&lt;/Config&gt;
&lt;/Configs&gt;
&lt;/AssignedAccessConfiguration&gt;
"@
Set-CimInstance -CimInstance $obj
```
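Review bot: Steps 1 to 3 tell the reader to run `psexec.exe -i -s cmd.exe` without saying why; add a sentence stating that `-s` opens the prompt under the System account and whether the script requires that context, so readers know what privilege they are granting and do not skip the step. The here-string assigned to `$obj.Configuration` carries the XML with `&lt;` and `&quot;` entities while every other sample in this file shows raw XML; state whether the escaping is required by the MDM Bridge so nobody "fixes" it by pasting the unescaped file. `$nameSpaceName` is defined but `$namespaceName` is used; it works because PowerShell variable names are case-insensitive, but one spelling is cleaner. "Heres" in the lead-in is missing its apostrophe.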
## Validate multi-app kiosk configuration
Sign in with the assigned access user account you specified in the configuration to check out the multi-app experience.
>[!NOTE]
>The setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience.
The following sections explain what to expect on a multi-app kiosk.
### App launching and switching experience
In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window.
The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar.
### Start changes
When the assigned access user signs in, you should see a restricted Start experience:
- Start gets launched in full screen and prevents the end user from accessing the desktop.
- Start shows the layout aligned with what you defined in the multi-app configuration XML.
- Start prevents the end user from changing the tile layout.
- The user cannot resize, reposition, and unpin the tiles.
- The user cannot pin additional tiles on the start.
- Start hides **All Apps** list.
- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders).
- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start).)
- Start hides **Change account settings** option under **User** button.
### Taskbar changes
If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience:
- Disables context menu of Start button (Quick Link)
- Disables context menu of taskbar
- Prevents the end user from changing the taskbar
- Disables Cortana and Search Windows
- Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace
- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings
### Blocked hotkeys
The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience.
| Hotkey | Action |
| --- | --- |
| Windows logo key + A | Open Action center |
| Windows logo key + Shift + C | Open Cortana in listening mode |
| Windows logo key + D | Display and hide the desktop |
| Windows logo key + Alt + D | Display and hide the date and time on the desktop |
| Windows logo key + E | Open File Explorer |
| Windows logo key + F | Open Feedback Hub |
| Windows logo key + G | Open Game bar when a game is open |
| Windows logo key + I | Open Settings |
| Windows logo key + J | Set focus to a Windows tip when one is available. |
| Windows logo key + O | Lock device orientation |
| Windows logo key + Q | Open search |
| Windows logo key + R | Open the Run dialog box |
| Windows logo key + S | Open search |
| Windows logo key + X | Open the Quick Link menu |
| Windows logo key + comma (,) | Temporarily peek at the desktop |
| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) |
### Locked-down Ctrl+Alt+Del screen
The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience.
### Auto-trigger touch keyboard
In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You dont need to configure any other setting to enforce this behavior.
## Considerations for Windows Mixed Reality immersive headsets
With the advent of [mixed reality devices (video link)](https://www.youtube.com/watch?v=u0jqNioU2Lo), you might want to create a kiosk that can run mixed reality apps.
To create a multi-app kiosk that can run mixed reality apps, you must include the following apps in the [AllowedApps list](#allowedapps):
```xml
<App AppUserModelId="MixedRealityLearning_cw5n1h2txyewy!MixedRealityLearning" />
<App AppUserModelId="HoloShell_cw5n1h2txyewy!HoloShell" />
<App AppUserModelId="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy!App" />
```
These are in addition to any mixed reality apps that you allow.
**Before your kiosk user signs in:** An admin user must sign in to the PC, connect a mixed reality device, and complete the guided setup for the Mixed Reality Portal. The first time that the Mixed Reality Portal is set up, some files and content are downloaded. A kiosk user would not have permissions to download and so their setup of the Mixed Reality Portal would fail.
After the admin has completed setup, the kiosk account can sign in and repeat the setup. The admin user may want to complete the kiosk user setup before providing the PC to employees or customers.
There is a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](https://developer.microsoft.com/windows/mixed-reality/navigating_the_windows_mixed_reality_home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they will see only a blank display in the device, and will not have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen.
## Policies set by multi-app kiosk configuration
It is not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience.
When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device.
### Group Policy
The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This includes local users, domain users, and Azure Active Directory users.
| Setting | Value |
| --- | --- |
Remove access to the context menus for the task bar | Enabled
Clear history of recently opened documents on exit | Enabled
Prevent users from customizing their Start Screen | Enabled
Prevent users from uninstalling applications from Start | Enabled
Remove All Programs list from the Start menu | Enabled
Remove Run menu from Start Menu | Enabled
Disable showing balloon notifications as toast | Enabled
Do not allow pinning items in Jump Lists | Enabled
Do not allow pinning programs to the Taskbar | Enabled
Do not display or track items in Jump Lists from remote locations | Enabled
Remove Notifications and Action Center | Enabled
Lock all taskbar settings | Enabled
Lock the Taskbar | Enabled
Prevent users from adding or removing toolbars | Enabled
Prevent users from resizing the taskbar | Enabled
Remove frequent programs list from the Start Menu | Enabled
Remove Pinned programs from the taskbar | Enabled
Remove the Security and Maintenance icon | Enabled
Turn off all balloon notifications | Enabled
Turn off feature advertisement balloon notifications | Enabled
Turn off toast notifications | Enabled
Remove Task Manager | Enabled
Remove Change Password option in Security Options UI | Enabled
Remove Sign Out option in Security Options UI | Enabled
Remove All Programs list from the Start Menu | Enabled Remove and disable setting
Prevent access to drives from My Computer | Enabled - Restrict all drivers
### MDM policy
Some of the MDM policies based on the [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide).
Setting | Value | System-wide
--- | --- | ---
[Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes
[Start/AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes
Start/HidePeopleBar | 1 - True (hide) | No
[Start/HideChangeAccountSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes
[WindowsInkWorkspace/AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes
[Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No
[WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | &lt;Enabled/&gt; | Yes
<span id="lnk-files" />
## Provision .lnk files using Windows Configuration Designer
First, create your desktop app's shortcut file by installing the app on a test device. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `<appName>.lnk`
Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install.
```
msiexec /I "<appName>.msi" /qn /norestart
copy <appName>.lnk "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\<appName>.lnk"
```
In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceContext**:
- Under **CommandFiles**, upload your batch file, your .lnk file, and your desktop app installation file
- Under **CommandLine**, enter cmd /c *FileName*.bat
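Review bot: The last two rows of the Group Policy table need correcting before this ships. `Remove All Programs list from the Start Menu | Enabled Remove and disable setting` repeats the earlier `Remove All Programs list from the Start menu | Enabled` row with a different value, so a reader cannot tell which value is enforced; keep a single row and write the value as "Enabled - Remove and disable setting" if that is the intended one. The value `Enabled - Restrict all drivers` on "Prevent access to drives from My Computer" reads like a typo for "drives". These settings apply to every non-administrator user on the device, so the listed values should be exact. The body rows of that table also lack the leading pipe used by its header rows, and in the batch file the source argument of `copy <appName>.lnk` is unquoted, which fails for shortcut names that contain spaces.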

View File

@ -1,15 +0,0 @@
---
title: Lock down Windows 10 (Windows 10)
description: Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.
ms.assetid: 955BCD92-0A1A-4C48-98A8-30D7FAF2067D
keywords: lockdown
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, mobile
author: jdeckerms
ms.localizationpriority: high
---
# Lock down Windows 10

View File

@ -113,7 +113,7 @@ See the following table for a summary of the management settings for Windows 10
| [21. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
| [22. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
| [23. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) |
| [24. Windows spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
| [24. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
| [25. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
| [26. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
| [27. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | |
@ -558,7 +558,7 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http
| Browser/FirstRunURL | Choose the home page for Microsoft Edge on Windows Mobile 10. <br /> Default: blank |
For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx).
For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/available-policies).
### <a href="" id="bkmk-ncsi"></a>13. Network Connection Status Indicator
@ -1636,7 +1636,7 @@ You can stop sending file samples back to Microsoft.
-or-
- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender), where:
- **0**. Always prompt.
@ -1682,9 +1682,9 @@ To remove Windows Media Player on Windows Server 2016:
- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
### <a href="" id="bkmk-spotlight"></a>24. Windows spotlight
### <a href="" id="bkmk-spotlight"></a>24. Windows Spotlight
Windows spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or through Group Policy.
Windows Spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface, MDM policy, or through Group Policy.
If you're running Windows 10, version 1607 or later, you only need to enable the following Group Policy:
@ -1695,6 +1695,10 @@ If you're running Windows 10, version 1607 or later, you only need to enable the
-or-
- For Windows 10 only, apply the Experience/AllowWindowsSpotlight MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience), with a value of 0 (zero).
-or-
- Create a new REG\_DWORD registry setting in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
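Review bot: The added registry option writes under HKEY_CURRENT_USER, which is a per-user hive, so the value only takes effect for the account it is written for; the bullet should say that and state that it has to be set for each user profile that must not get Windows Spotlight. With the two new "-or-" options, the context sentence "you only need to enable the following Group Policy" no longer matches the list that follows and should be reworded to cover the MDM and registry alternatives as well.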
@ -1847,7 +1851,7 @@ You can turn off automatic updates by doing one of the following. This is not re
-or-
- For Windows 10 only, apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
- For Windows 10 only, apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update), where:
- **0**. Notify the user before downloading the update.
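Review bot: The replacement URL for Update/AllowAutoUpdate keeps the `/en-us/` locale segment (`https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update`), while the other Policy CSP links updated in this file (policy-csp-defender, policy-csp-experience) omit it. Drop `/en-us/` so the link follows the reader's locale and is consistent with the rest of the change.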

View File

@ -44,7 +44,7 @@ Windows 10, version 1607 (also known as the Anniversary Update), provides organi
| Windows 10 Pro Education | Yes (default) | Yes | No (setting cannot be changed) |
| Windows 10 Education | Yes (default) | Yes | No (setting cannot be changed) |
[Learn more about policy settings for Windows Spotlight.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)
## Related topics

View File

@ -0,0 +1,56 @@
---
title: Troubleshoot multi-app kiosk (Windows 10)
description: Tips for troubleshooting multi-app kiosk configuration.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
keywords: ["lockdown", "app restrictions"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
ms.localizationpriority: medium
ms.date: 10/05/2017
ms.author: jdecker
---
# Troubleshoot multi-app kiosk
**Applies to**
- Windows 10
## Unexpected results
For example:
- Start is not launched in full-screen
- Blocked hotkeys are allowed
- Task Manager, Cortana, or Settings can be launched
- Start layout has more apps than expected
**Troubleshooting steps**
1. [Verify that the provisioning package is applied successfully](lock-down-windows-10-to-specific-apps.md#validate-provisioning).
2. Verify that the account (config) is mapped to a profile in the configuration XML file.
3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration.
4. If the issue persists, [capture traces](https://msdn.microsoft.com/library/windows/desktop/dn904629.aspx) for components with the following GUIDs:
- 94097d3d-2a5a-5b8a-cdbd-194dd2e51a00
- ab84611c-2678-5cd7-d292-c940f9be6c6d
- f9f7f27c-5e5d-5273-468f-038e61965660
- 3e8fb07b-3e10-5981-01a9-fbd924fd5436
## Apps configured in AllowedList are blocked
1. Ensure the account is mapped to the correct profile and that the apps are specific for that profile.
2. Check the EventViewer logs for Applocker and AppxDeployment (under **Application and Services Logs\Microsoft\Windows**).
## Start layout not as expected
- Make sure the Start layout is authored correctly. Ensure that the attributes **Size**, **Row**, and **Column** are specified for each application and are valid.
- Check if the apps included in the Start layout are installed for the assigned access user.
- Check if the shortcut exists on the target device, if a desktop app is missing on Start.
## Feedback
Feedback and bugs can be submitted in the Feedback Hub. You can use the [Problems Steps Recorder](https://support.microsoft.com/help/22878/windows-10-record-steps) to reproduce the issue, and attach the resulting .zip file to your feedback.
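Review bot: The heading "Apps configured in AllowedList are blocked" uses a name that does not exist in the configuration XML; the element is `AllowedApps`, so the heading should match it or readers will search their XML for the wrong term. Step 2 under "Unexpected results" would likewise be easier to act on if it named the elements involved (`Config`, `Account`, `DefaultProfile`), and the four trace GUIDs in step 4 are hard to use without the provider or component name beside each one. Minor: "EventViewer" and "Applocker" should be "Event Viewer" and "AppLocker".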

View File

@ -0,0 +1,175 @@
---
title: Multi-app kiosk XML reference (Windows 10)
description: XML and XSD for multi-app kiosk device configuration.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
keywords: ["lockdown", "app restrictions", "applocker"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
ms.localizationpriority: medium
ms.date: 10/05/2017
ms.author: jdecker
---
# Multi-app kiosk XML reference
**Applies to**
- Windows 10
## Full XML sample
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App DesktopAppPath="%windir%\system32\mspaint.exe" />
<App DesktopAppPath="C:\Windows\System32\notepad.exe" />
</AllowedApps>
</AllAppsList>
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Group1">
<start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
</start:Group>
<start:Group Name="Group2">
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
<start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]>
</StartLayout>
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>MultiAppKioskUser</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
## XSD for AssignedAccess configuration XML
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config"
>
<xs:complexType name="profile_list_t">
<xs:sequence minOccurs="1" >
<xs:element name="Profile" type="profile_t" minOccurs="1" maxOccurs="unbounded">
<xs:unique name="duplicateRolesForbidden">
<xs:selector xpath="Profile"/>
<xs:field xpath="@Id"/>
</xs:unique>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="profile_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="AllAppsList" type="allappslist_t" minOccurs="1" maxOccurs="1">
<xs:unique name="ForbidDupApps">
<xs:selector xpath="App"/>
<xs:field xpath="@AppUserModelId"/>
<xs:field xpath="@DesktopAppPath"/>
</xs:unique>
</xs:element>
<xs:element name="StartLayout" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="Taskbar" type="taskbar_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
<xs:attribute name="Id" type="guid_t" use="required"/>
<xs:attribute name="Name" type="xs:string" use="optional"/>
</xs:complexType>
<xs:complexType name="allappslist_t">
<xs:sequence minOccurs="1" >
<xs:element name="AllowedApps" type="allowedapps_t" minOccurs="1" maxOccurs="1">
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="allowedapps_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="App" type="app_t" minOccurs="1" maxOccurs="unbounded">
<xs:key name="mutexAumidOrDesktopApp">
<xs:selector xpath="."/>
<xs:field xpath="@AppUserModelId|@DesktopAppPath"/>
</xs:key>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="app_t">
<xs:attribute name="AppUserModelId" type="xs:string"/>
<xs:attribute name="DesktopAppPath" type="xs:string"/>
</xs:complexType>
<xs:complexType name="taskbar_t">
<xs:attribute name="ShowTaskbar" type="xs:boolean" use="required"/>
</xs:complexType>
<xs:complexType name="profileId_t">
<xs:attribute name="Id" type="guid_t" use="required"/>
</xs:complexType>
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="config_list_t">
<xs:sequence minOccurs="1" >
<xs:element name="Config" type="config_t" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="config_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Account" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="DefaultProfile" type="profileId_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<!--below is the definition of the config xml content-->
<xs:element name="AssignedAccessConfiguration">
<xs:complexType>
<xs:all minOccurs="1">
<xs:element name="Profiles" type="profile_list_t">
</xs:element>
<xs:element name="Configs" type="config_list_t"/>
</xs:all>
</xs:complexType>
</xs:element>
</xs:schema>
```
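Review bot: In the XSD, the two `xs:unique` constraints cannot fire as written. `duplicateRolesForbidden` is declared on the `Profile` element with `<xs:selector xpath="Profile"/>`, and `ForbidDupApps` is declared on `AllAppsList` with `<xs:selector xpath="App"/>`; a selector is evaluated relative to the element that carries the constraint, and `Profile` has no `Profile` children while `App` sits one level further down, under `AllowedApps`. The unprefixed names in those XPaths also select no-namespace elements, whereas the schema sets `elementFormDefault="qualified"` with a target namespace. `ForbidDupApps` additionally requires both `@AppUserModelId` and `@DesktopAppPath` to be present, which `mutexAumidOrDesktopApp` forbids, so no `App` ever takes part in the uniqueness check. The result is that duplicate profile Ids and duplicate apps pass schema validation. If the XSD is reproduced from the product unchanged, say in the text that validation does not catch these cases; otherwise move the constraints to `Profiles` and `AllowedApps`, use prefixed selectors, and split app uniqueness into one constraint per attribute. Separately, `ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8` is the same value used in the new troubleshooting topic; each topic needs its own.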

View File

@ -32,8 +32,7 @@ On Windows 10 for desktop editions, the customized Start works by:
>[!NOTE]
>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx).
>[!NOTE]
>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx).
## LayoutModification XML

View File

@ -13,7 +13,7 @@ ms.date: 08/21/2017
# UsbErrorsOEMOverride (reference)
Use UsbErrorsOEMOverride settings to .
Allows an OEM to hide the USB option UI in Settings and all USB device errors.
## Applies to
@ -24,4 +24,4 @@ Use UsbErrorsOEMOverride settings to .
## HideUsbErrorNotifyOptionUI
Configure to **Show** or **Hide** the USB error notification.

View File

@ -6,12 +6,14 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
author: brianlic-msft
author: eross-msft
ms.author: lizross
ms.date: 09/14/2017
---
# Windows 10, version 1703 Diagnostic Data
Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide relevant tips and recommendations to tailor Microsoft products to the users needs. This article describes all types diagnostic data collected by Windows at the Full telemetry level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1703 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md).
Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide more relevant tips and recommendations to tailor Microsoft products to the users needs. This article describes all types diagnostic data collected by Windows at the Full telemetry level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1703 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md).
The data covered in this article is grouped into the following categories:
@ -21,10 +23,8 @@ The data covered in this article is grouped into the following categories:
- Product and Service Usage data
- Product and Service Performance data
- Software Setup and Inventory data
- Content Consumption data
- Browsing, Search and Query data
- Browsing History data
- Inking, Typing, and Speech Utterance data
- Licensing and Purchase data
> [!NOTE]
> The majority of diagnostic data falls into the first four categories.
@ -66,8 +66,15 @@ This type of data includes details about the health of the device, operating sys
| Category Name | Description and Examples |
| - | - |
| Device health and crash data | Information about the device and software health such as:<br><ul><li>Error codes and error messages, name and ID of the app, and process reporting the error</li><li>DLL library predicted to be the source of the error -- xyz.dll</li><li>System generated files -- app or product logs and trace files to help diagnose a crash or hang</li><li>System settings such as registry keys</li><li>User generated files .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang</li><li>Details and counts of abnormal shutdowns, hangs, and crashes</li><li>Crash failure data OS, OS component, driver, device, 1st and 3rd party app data</li><li>Crash and Hang dumps<ul><li>The recorded state of the working memory at the point of the crash.</li><li>Memory in use by the kernel at the point of the crash.</li><li>Memory in use by the application at the point of the crash.</li><li>All the physical memory used by Windows at the point of the crash.</li><li>Class and function name within the module that failed.</li></li></ul> |
| Device performance and reliability data | Information about the device and software performance such as:<br><ul><li>User Interface interaction durations -- Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.</li><li>Device on/off performance -- Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).</li><li>In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction.</li><li>User input responsiveness onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.</li><li>UI and media performance and glitches/smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance</li><li>Disk footprint -- Free disk space, out of memory conditions, and disk score.</li><li>Excessive resource utilization components impacting performance or battery life through high CPU usage during different screen and power states</li><li>Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results</li><li>Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card 
authentication times, automatic brightness environmental response times</li><li>Device setup -- first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.</li><li>Power and Battery life power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, auto-brightness details, time device is plugged into AC vs. battery, battery state transitions</li><li>Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.</li><li>Diagnostic heartbeat regular signal to validate the health of the diagnostics system</li></ul>
|Device health and crash data | Information about the device and software health such as:<br><ul><li>Error codes and error messages, name and ID of the app, and process reporting the error</li><li>DLL library predicted to be the source of the error -- xyz.dll</li><li>System generated files -- app or product logs and trace files to help diagnose a crash or hang</li><li>System settings such as registry keys</li><li>User generated files .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang</li><li>Details and counts of abnormal shutdowns, hangs, and crashes</li><li>Crash failure data OS, OS component, driver, device, 1st and 3rd party app data</li><li>Crash and Hang dumps<ul><li>The recorded state of the working memory at the point of the crash.</li><li>Memory in use by the kernel at the point of the crash.</li><li>Memory in use by the application at the point of the crash.</li><li>All the physical memory used by Windows at the point of the crash.</li><li>Class and function name within the module that failed.</li></li></ul> |
|Device performance and reliability data | Information about the device and software performance such as:<br><ul><li>User Interface interaction durations -- Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.</li><li>Device on/off performance -- Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).</li><li>In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction.</li><li>User input responsiveness onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.</li><li>UI and media performance and glitches/smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance</li><li>Disk footprint -- Free disk space, out of memory conditions, and disk score.</li><li>Excessive resource utilization components impacting performance or battery life through high CPU usage during different screen and power states</li><li>Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results</li><li>Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication 
times, automatic brightness environmental response times</li><li>Device setup -- first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.</li><li>Power and Battery life power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, auto-brightness details, time device is plugged into AC vs. battery, battery state transitions</li><li>Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.</li><li>Diagnostic heartbeat regular signal to validate the health of the diagnostics system</li></ul>|
|Movies|Information about movie consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.<br><ul><li>Video Width, height, color pallet, encoding (compression) type, and encryption type</li><li>Instructions for how to stream content for the user -- the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth</li><li>URL for a specific two second chunk of content if there is an error</li><li>Full screen viewing mode details|
|Music & TV|Information about music and TV consumption on the device. This isn't intended to capture user viewing, listening or habits.<br><ul><li>Service URL for song being downloaded from the music service collected when an error occurs to facilitate restoration of service</li><li>Content type (video, audio, surround audio)</li><li>Local media library collection statistics -- number of purchased tracks, number of playlists</li><li>Region mismatch -- User OS Region, and Xbox Live region</li></ul>|
|Reading|Information about reading consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.<br><ul><li>App accessing content and status and options used to open a Microsoft Store book</li><li>Language of the book</li><li>Time spent reading content</li><li>Content type and size details</li></ul>|
|Photos App|Information about photos usage on the device. This isn't intended to capture user viewing, listening or habits.<br><ul><li>File source data -- local, SD card, network device, and OneDrive</li><li>Image &amp; video resolution, video length, file sizes types and encoding</li><li>Collection view or full screen viewer use and duration of view</li></ul></ul>|
|On-device file query | Information about local search activity on the device such as: <ul><li>Kind of query issued and index type (ConstraintIndex, SystemIndex)</li><li>Number of items requested and retrieved</li><li>File extension of search result user interacted with</li><li>Launched item kind, file extension, index of origin, and the App ID of the opening app.</li><li>Name of process calling the indexer and time to service the query.</li><li>A hash of the search scope (file, Outlook, OneNote, IE history) </li><li>The state of the indices (fully optimized, partially optimized, being built)</li></ul> |
|Purchasing| Information about purchases made on the device such as:<br><ul><li>Product ID, edition ID and product URI</li><li>Offer details -- price</li><li>Order requested date/time</li><li>Store client type -- web or native client</li><li>Purchase quantity and price</li><li>Payment type -- credit card type and PayPal</li></ul> |
|Entitlements | Information about entitlements on the device such as:<br><ul><li>Service subscription status and errors</li><li>DRM and license rights details -- Groove subscription or OS volume license</li><li>Entitlement ID, lease ID, and package ID of the install package</li><li>Entitlement revocation</li><li>License type (trial, offline vs online) and duration</li><li>License usage session</li></ul> |
## Software Setup and Inventory data
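Review bot: The rewritten Photos App row ends with `</ul></ul>`, one closing tag more than the single `<ul>` the cell opens; drop the extra `</ul>`. The Music & TV, Reading and Photos App rows also say "user viewing, listening or habits", which looks like a dropped word next to the "viewing, listening or reading habits" wording of the section text this replaces.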
@ -78,25 +85,13 @@ This type of data includes software installation and update information on the d
| Installed Applications and Install History | Information about apps, drivers, update packages, or OS components installed on the device such as:<br><ul><li>App, driver, update package, or components Name, ID, or Package Family Name</li><li>Product, SKU, availability, catalog, content, and Bundle IDs</li><li>OS component, app or driver publisher, language, version and type (Win32 or UWP)</li><li>Install date, method, and install directory, count of install attempts</li><li>MSI package code and product code</li><li>Original OS version at install time</li><li>User or administrator or mandatory installation/update</li><li>Installation type clean install, repair, restore, OEM, retail, upgrade, and update</li></ul> |
| Device update information | Information about Windows Update such as:<br><ul><li>Update Readiness analysis of device hardware, OS components, apps, and drivers (progress, status, and results)</li><li>Number of applicable updates, importance, type</li><li>Update download size and source -- CDN or LAN peers</li><li>Delay upgrade status and configuration</li><li>OS uninstall and rollback status and count</li><li>Windows Update server and service URL</li><li>Windows Update machine ID</li><li>Windows Insider build details</li></ul>
## Content Consumption data
## Browsing History data
This type of data includes diagnostic details about Microsoft applications that provide media consumption functionality (such as Groove Music), and is not intended to capture user viewing, listening or reading habits.
| Category Name | Examples |
| - | - |
| Movies | Information about movie consumption functionality on the device such as:<br><ul><li>Video Width, height, color pallet, encoding (compression) type, and encryption type</li><li>Instructions for how to stream content for the user -- the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth</li><li>URL for a specific two second chunk of content if there is an error</li><li>Full screen viewing mode details</li></ul> |
| Music & TV | Information about music and TV consumption on the device such as:<br><ul><li>Service URL for song being downloaded from the music service collected when an error occurs to facilitate restoration of service</li><li>Content type (video, audio, surround audio)</li><li>Local media library collection statistics -- number of purchased tracks, number of playlists</li><li>Region mismatch -- User OS Region, and Xbox Live region</li></ul> |
| Reading | Information about reading consumption functionality on the device such as:<br><ul><li>App accessing content and status and options used to open a Microsoft Store book</li><li>Language of the book</li><li>Time spent reading content</li><li>Content type and size details</li></ul> |
| Photos App | Information about photos usage on the device such as:<br><ul><li>File source data -- local, SD card, network device, and OneDrive</li><li>Image &amp; video resolution, video length, file sizes types and encoding</li><li>Collection view or full screen viewer use and duration of view</li></ul>
## Browsing, Search and Query data
This type of data includes details about web browsing, search and query activity in the Microsoft browsers and Cortana, and local file searches on the device.
This type of data includes details about web browsing in the Microsoft browsers.
| Category Name | Description and Examples |
| - | - |
| Microsoft browser data | Information about Address bar and search box performance on the device such as:<ul><li>Text typed in address bar and search box</li><li>Text selected for Ask Cortana search</li><li>Service response time </li><li>Auto-completed text if there was an auto-complete</li><li>Navigation suggestions provided based on local history and favorites</li><li>Browser ID</li><li>URLs (which may include search terms)</li><li>Page title</li></ul>|
| On-device file query | Information about local search activity on the device such as: <ul><li>Kind of query issued and index type (ConstraintIndex, SystemIndex)</li><li>Number of items requested and retrieved</li><li>File extension of search result user interacted with</li><li>Launched item kind, file extension, index of origin, and the App ID of the opening app.</li><li>Name of process calling the indexer and time to service the query.</li><li>A hash of the search scope (file, Outlook, OneNote, IE history) </li><li>The state of the indices (fully optimized, partially optimized, being built)</li></ul> |
## Inking Typing and Speech Utterance data
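Review bot: The section is renamed to "Browsing History data" and its description narrowed to "web browsing in the Microsoft browsers", but the "Microsoft browser data" row kept under it still lists "Text typed in address bar and search box" and "Text selected for Ask Cortana search". Either keep search in the heading and description or move those items, so that readers auditing what is collected do not miss typed search text under a heading that only mentions browsing history. The "Device update information" row just above is also missing its closing `|`.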
@ -105,13 +100,4 @@ This type of data gathers details about the voice, inking, and typing input feat
| Category Name | Description and Examples |
| - | - |
| Voice, inking, and typing | Information about voice, inking and typing features such as:<br><ul><li>Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used</li><li>Pen gestures (click, double click, pan, zoom, rotate)</li><li>Palm Touch x,y coordinates</li><li>Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate</li><li>Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as names, email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.</li><li>Text of speech recognition results -- result codes and recognized text</li><li>Language and model of the recognizer, System Speech language</li><li>App ID using speech features</li><li>Whether user is known to be a child</li><li>Confidence and Success/Failure of speech recognition</li></ul> |
## Licensing and Purchase data
This type of data includes diagnostic details about the purchase and entitlement activity on the device.
| Category Name | Data Examples |
| - | - |
| Purchase history | Information about purchases made on the device such as:<br><ul><li>Product ID, edition ID and product URI</li><li>Offer details -- price</li><li>Order requested date/time</li><li>Store client type -- web or native client</li><li>Purchase quantity and price</li><li>Payment type -- credit card type and PayPal</li></ul> |
| Entitlements | Information about entitlements on the device such as:<br><ul><li>Service subscription status and errors</li><li>DRM and license rights details -- Groove subscription or OS volume license</li><li>Entitlement ID, lease ID, and package ID of the install package</li><li>Entitlement revocation</li><li>License type (trial, offline vs online) and duration</li><li>License usage session</li></ul> |
| Voice, inking, and typing | Information about voice, inking and typing features such as:<br><ul><li>Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used</li><li>Pen gestures (click, double click, pan, zoom, rotate)</li><li>Palm Touch x,y coordinates</li><li>Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate</li><li>Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values) which could be used to reconstruct the original content or associate the input to the user.</li><li>Text input from Windows Mobile on-screen keyboards except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.</li><li>Text of speech recognition results -- result codes and recognized text</li><li>Language and model of the recognizer, System Speech language</li><li>App ID using speech features</li><li>Whether user is known to be a child</li><li>Confidence and Success/Failure of speech recognition</li></ul> |
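Review bot: The rewritten ink-stroke item drops "names" from the examples of data removed before collection ("such as names, email addresses, and numeric values" becomes "such as email addresses and numeric values"). Please confirm this reflects an actual change in processing and is not an editing slip, since this list is what readers rely on to know what is scrubbed. The added Windows Mobile keyboard item punctuates the same phrase differently ("email addresses, and numeric values"); make the two consistent.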

View File

@ -222,8 +222,6 @@
#### [Windows Insider Program for Business using Azure Active Directory](update/waas-windows-insider-for-business-aad.md)
#### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)
#### [Olympia Corp enrollment](update/olympia/olympia-enrollment-guidelines.md)
##### [Keep your current Windows 10 edition](update/olympia/enrollment-keep-current-edition.md)
##### [Upgrade your Windows 10 edition from Pro to Enterprise](update/olympia/enrollment-upgrade-to-enterprise.md)
### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
## Windows Analytics

View File

@ -15,8 +15,18 @@ author: greg-lindsay
This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
>Note: Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
>Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
>Note: Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.<BR>
>Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.<BR>
## Enabling Subscription Activation with an existing EA
If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant:
1. Work with your reseller to place an order for $0 SKU. There are two SKUs available, depending on their current Windows Enterprise SA license:<BR>
a. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3<BR>
b. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5<BR>
2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.
3. The admin can now assign subscription licenses to users.
Also in this article:
- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses.
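Review bot: Step 1 of the new "Enabling Subscription Activation with an existing EA" section switches from "you" to "their" ("depending on their current Windows Enterprise SA license") and reads "an order for $0 SKU" without an article; suggest "place an order for a $0 SKU ... depending on your current Windows Enterprise SA license". "OLS admin" in step 2 is used without being expanded anywhere in the visible text, and the `<BR>` tags added to the two `>Note:` lines leave a trailing break after the last line.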
@ -196,4 +206,3 @@ Devices must be running Windows 10 Pro, version 1703, and be Azure Active Direct
A popup window will display the Windows 10 version number and detailed OS build information.
If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.

View File

@ -79,7 +79,7 @@ For more information, see [MBR2GPT.EXE](mbr-to-gpt.md).
### Microsoft Deployment Toolkit (MDT)
MDT build 884 is available, including support for:
MDT build 8443 is available, including support for:
- Deployment and upgrade of Windows 10, version 1607 (including Enterprise LTSB and Education editions) and Windows Server 2016.
- The Windows ADK for Windows 10, version 1607.
- Integration with Configuration Manager version 1606.

View File

@ -1,44 +0,0 @@
---
title: Keep your current Windows 10 edition
description: Olympia Corp enrollment - Keep your current Windows 10 edition
ms.author: nibr
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/01/2017
---
# Olympia Corp enrollment
## Keep your current Windows 10 edition
1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
![Settings -> Accounts](images/1-1.png)
2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
![Set up a work or school account](images/1-3.png)
4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
> [!NOTE]
> Passwords should contain 8-16 characters, including at least one special character or number.
![Update your password](images/1-4.png)
5. Read the **Terms and Conditions**. Click **Accept** to participate in the program.
6. If this is the first time you are logging in, please fill in the additional information to help you retrieve your account details.
7. Create a PIN for signing into your Olympia corporate account.
8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
> [!NOTE]
> To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.

View File

@ -1,57 +0,0 @@
---
title: Upgrade your Windows 10 edition from Pro to Enterprise
description: Olympia Corp enrollment - Upgrade your Windows 10 edition from Pro to Enterprise
ms.author: nibr
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/01/2017
---
# Olympia Corp enrollment
## Upgrade your Windows 10 edition from Pro to Enterprise
1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
![Settings -> Accounts](images/1-1.png)
2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
3. Click **Connect**, then click **Join this device to Azure Active Directory**.
![Update your password](images/2-3.png)
4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
![Set up a work or school account](images/2-4.png)
5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
> [!NOTE]
> Passwords should contain 8-16 characters, including at least one special character or number.
![Update your password](images/2-5.png)
6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
7. If this is the first time you are signing in, please fill in the additional information to help you retrieve your account details.
8. Create a PIN for signing into your Olympia corporate account.
9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
10. Restart your PC.
11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your PC will upgrade to Windows 10 Enterprise*.
12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
> [!NOTE]
> To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
\* Please note that your Windows 10 Enterprise license will not be renewed if your PC is not connected to Olympia.

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/01/2017
ms.date: 09/14/2017
---
# Olympia Corp enrollment guidelines
@ -17,6 +17,87 @@ As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Ent
Choose one of the following two enrollment options:
1. [Keep your current Windows 10 edition](./enrollment-keep-current-edition.md)
1. [Keep your current Windows 10 edition](#enrollment-keep-current-edition)
2. [Upgrade your Windows 10 edition from Pro to Enterprise](#enrollment-upgrade-to-enterprise)
<a id="enrollment-keep-current-edition"></a>
## Keep your current Windows 10 edition
1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
![Settings -> Accounts](images/1-1.png)
2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
![Set up a work or school account](images/1-3.png)
4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
> [!NOTE]
> Passwords should contain 8-16 characters, including at least one special character or number.
![Update your password](images/1-4.png)
5. Read the **Terms and Conditions**. Click **Accept** to participate in the program.
6. If this is the first time you are logging in, please fill in the additional information to help you retrieve your account details.
7. Create a PIN for signing into your Olympia corporate account.
8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
> [!NOTE]
> To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
<a id="enrollment-upgrade-to-enterprise"></a>
## Upgrade your Windows 10 edition from Pro to Enterprise
1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
![Settings -> Accounts](images/1-1.png)
2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
3. Click **Connect**, then click **Join this device to Azure Active Directory**.
![Update your password](images/2-3.png)
4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
![Set up a work or school account](images/2-4.png)
5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
> [!NOTE]
> Passwords should contain 8-16 characters, including at least one special character or number.
![Update your password](images/2-5.png)
6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
7. If this is the first time you are signing in, please fill in the additional information to help you retrieve your account details.
8. Create a PIN for signing into your Olympia corporate account.
9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
10. Restart your PC.
11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your PC will upgrade to Windows 10 Enterprise*.
12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**.
> [!NOTE]
> To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
\* Please note that your Windows 10 Enterprise license will not be renewed if your PC is not connected to Olympia.
2. [Upgrade your Windows 10 edition from Pro to Enterprise](./enrollment-upgrade-to-enterprise.md)
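Review bot: In the inlined "Upgrade your Windows 10 edition from Pro to Enterprise" procedure, steps 6 and 9 are the same sentence ("When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**."), so one of them is likely a leftover and should be removed or reworded while the text is being moved. In the same procedure the image under step 3 ("Join this device to Azure Active Directory") carries the alt text "Update your password", which belongs to the later password step. The first procedure says "logging in" where the second says "signing in".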

View File

@ -25,14 +25,18 @@ Update Compliance has the following requirements:
2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
3. The telemetry of your organizations Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the telemetry services](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
Service | Endpoint
--- | ---
Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com<BR>settings-win.data.microsoft.com
Windows Error Reporting | watson.telemetry.microsoft.com
Online Crash Analysis | oca.telemetry.microsoft.com
Service | Endpoint
--- | ---
Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com<BR>settings-win.data.microsoft.com
Windows Error Reporting | watson.telemetry.microsoft.com
Online Crash Analysis | oca.telemetry.microsoft.com
4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Troublehsoot Windows Defender Antivirus reporting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md) topic for help on ensuring the configuration is correct.
For endpoints running Windows 10, version 1607 or earlier, [Windows telemetry must also be set to **Enhanced**](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization#enhanced-level).
See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
## Add Update Compliance to Microsoft Operations Management Suite
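Review bot: The new link in item 4 is misspelled ("Troublehsoot") and its target ends in `.md` (`/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md`), while the other site-relative links in this hunk have no extension; the `.md` form is likely to break on the published site. The added sentence about Windows 10, version 1607 or earlier requiring the **Enhanced** telemetry level also sits outside the numbered list, so it is not obvious that it qualifies requirement 4 rather than requirement 2.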

View File

@ -147,7 +147,10 @@ Devices are evaluated by OS Version (e.g., 1607) and the count of how many are C
You'll notice some new tiles in the Overview blade which provide a summary of Windows Defender AV-related issues, highlighted in the following screenshot.
![verview blade showing a summary of key Windows Defender Antivirus issues](images/update-compliance-wdav-overview.png)
![Overview blade showing a summary of key Windows Defender Antivirus issues](images/update-compliance-wdav-overview.png)
>[!IMPORTANT]
>If your devices are not showing up in the Windows Defender AV assessment section, check the [Troublshoot Windows Defender Antivirus reporting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting) topic for help.
The **AV Signature** chart shows the number of devices that either have up-to-date [protection updates (also known as signatures or definitions)](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus), while the **Windows Defender AV Status** tile indicates the percentage of all assessed devices that are not updated and do not have real-time protection enabled. The Windows Defender Antivirus Assessment section provides more information that lets you investigate potential issues.
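Review bot: The link text in the added `[!IMPORTANT]` note is misspelled ("Troublshoot"); it should read "Troubleshoot Windows Defender Antivirus reporting". The unchanged sentence that follows says the chart shows devices that "either have up-to-date" protection updates with no second alternative, which is worth fixing in the same pass.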

View File

@ -21,7 +21,7 @@ ms.date: 07/27/2017
Delivery Optimization is a self-organizing distributed cache solution for businesses looking to reduce bandwidth consumption for operating system updates, operating system upgrades, and applications by allowing clients to download those elements from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), and Windows Update for Business. This functionality is similar to BranchCache in other systems, such as System Center Configuration Manager.
Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This mean that in order to utilize the peer-to-peer functionality of Delivery Optimization, machines need to have access to the internet.
Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This means that in order to utilize the peer-to-peer functionality of Delivery Optimization, machines need to have access to the internet.
For more details, see [Download mode](#download-mode).
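Review bot: The "mean" to "means" fix leaves the stray comma in the sentence before it on the same line ("Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled"); remove the comma while touching this paragraph.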

View File

@ -84,9 +84,9 @@ To enable data sharing, whitelist the following endpoints. Note that you may nee
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
| `https://v10.vortex-win.data.microsoft.com/collect/v1`<br>`https://Vortex-win.data.microsoft.com/health/keepalive` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. |
| `https://settings.data.microsoft.com/qos` | Enables the compatibility update KB to send data to Microsoft. |
| `https://go.microsoft.com/fwlink/?LinkID=544713`<br>`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. |
| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for Windows 10 computers. User computers send data to Microsoft through this endpoint.
| `https://Vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for operating systems older than Windows 10
| `https://settings.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. |
Note: The compatibility update KB runs under the computers system account.
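Review bot: The two new `vortex-win` rows have no closing `|` (and the second no final period), unlike the `settings.data.microsoft.com` row, which can break table rendering. The change also drops the row for `https://go.microsoft.com/fwlink/?LinkID=544713` and `https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` and reduces the remaining entries from full paths to hosts; please confirm both are intended, because administrators copy this table into proxy and firewall allow lists. The note below still says "compatibility update KB" where the table now says "compatibility update", and "computers system account" is missing its apostrophe.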

View File

@ -5,6 +5,7 @@ ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.date: 09/07/2017
author: greg-lindsay
---
@ -28,6 +29,8 @@ The following sections discuss common issues that you might see when you run the
[Hard Link Migration Problems](#bkmk-hardlink)
[USMT does not migrate the Start layout](#usmt-does-not-migrate-the-start-layout)
## General Guidelines for Identifying Migration Problems
@ -222,6 +225,28 @@ There are three typical causes for this issue.
**Resolution:** To migrate PST files that are not linked to Outlook profiles, you must create a separate migration rule to capture these files.
### USMT does not migrate the Start layout
**Description:** You are using USMT to migrate profiles from one installation of Windows 10 to another installation of Windows 10 on different hardware. After migration, the user signs in on the new device and does not have the Start menu layout they had previously configured.
**Cause:** A code change in the Start Menu with Windows 10 version 1607 and later is incompatible with this USMT function.
**Resolution:** The following workaround is available:
1. With the user signed in, back up the Start layout using the following Windows PowerShell command. You can specify a different path if desired:
```
Export-StartLayout -Path "C:\Layout\user1.xml"
```
2. Migrate the user's profile with USMT.
3. Before the user signs in on the new device, import the Start layout using the following Windows PowerShell command:
```
Import-StartLayout LayoutPath "C:\Layout\user1.xml" MountPath %systemdrive%
```
This workaround changes the Default user's Start layout. The workaround does not scale to a mass migrations or multiuser devices, but it can potentially unblock some scenarios. If other users will sign on to the device you should delete layoutmodification.xml from the Default user profile. Otherwise, all users who sign on to that device will use the imported Start layout.
## <a href="" id="bkmk-offline"></a>Offline Migration Problems
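Review bot: The import command in step 3 will not run as written: `Import-StartLayout LayoutPath "C:\Layout\user1.xml" MountPath %systemdrive%` is missing the leading hyphens on `-LayoutPath` and `-MountPath`, and `%systemdrive%` is cmd.exe syntax that PowerShell does not expand (use `$env:SystemDrive\`). Step 1's `Export-StartLayout -Path` is fine. The closing paragraph has "to a mass migrations", and since it tells admins to delete layoutmodification.xml from the Default user profile on shared devices, it would help to state at which point in the procedure that deletion should happen.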
@ -286,6 +311,10 @@ USMTutils /rd <storedir>
You should also reboot the machine.
## Related topics

View File

@ -1,6 +1,6 @@
---
title: What Does USMT Migrate (Windows 10)
description: What Does USMT Migrate
title: What does USMT migrate (Windows 10)
description: What does USMT migrate
ms.assetid: f613987d-0f17-43fe-9717-6465865ceda7
ms.prod: w10
ms.mktglfcycl: deploy
@ -8,23 +8,23 @@ ms.sitesec: library
author: greg-lindsay
---
# What Does USMT Migrate?
# What does USMT migrate?
## In This Topic
## In this topic
- [Default Migration Scripts](#bkmk-defaultmigscripts)
- [Default migration scripts](#bkmk-defaultmigscripts)
- [User Data](#bkmk-3)
- [Operating-System Components](#bkmk-4)
- [Operating-system components](#bkmk-4)
- [Supported Applications](#bkmk-2)
- [Supported applications](#bkmk-2)
- [What USMT Does Not Migrate](#no)
- [What USMT does not migrate](#no)
## <a href="" id="bkmk-defaultmigscripts"></a>Default Migration Scripts
## <a href="" id="bkmk-defaultmigscripts"></a>Default migration scripts
The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts:
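Review bot: The sentence-case pass over the "In this topic" list skips one entry: `[User Data](#bkmk-3)` stays in title case while the other four entries are lowercased and the matching heading is changed to "User data" further down in this file.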
@ -43,7 +43,7 @@ The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer ca
- Access control lists (ACLs) for folders outside the user profile.
## <a href="" id="bkmk-3"></a>User Data
## <a href="" id="bkmk-3"></a>User data
This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate ACLs.
@ -52,6 +52,9 @@ This section describes the user data that USMT migrates by default, using the Mi
My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites.
>[!IMPORTANT]
>Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout).
- **Folders from the All Users and Public profiles.** When you specify the MigUser.xml file, USMT also migrates the following from the **All Users** profile in Windows® XP, or the **Public** profile in Windows Vista, Windows 7, or Windows 8:
- Shared Documents
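Review bot: The new IMPORTANT note contradicts the line directly above it, which still lists "Start menu" among the items MigUser.xml migrates by default. Either drop "Start menu" from that list or qualify it (for example, limit it to versions before Windows 10, version 1607), and add a comma after "version 1607". The note is also placed between two bullets of the same list; check that the rendered list is not split or re-indented by the blockquote.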
@ -84,7 +87,7 @@ To migrate ACLs, you must specify the directory to migrate in the MigUser.xml fi
 
## <a href="" id="bkmk-4"></a>Operating-System Components
## <a href="" id="bkmk-4"></a>Operating-system components
USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8
@ -151,7 +154,7 @@ Some settings, such as fonts, are not applied by the LoadState tool until after
 
## <a href="" id="bkmk-2"></a>Supported Applications
## <a href="" id="bkmk-2"></a>Supported applications
Although it is not required for all applications, it is good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that the migrated settings are not overwritten by the application installers.
@ -361,12 +364,12 @@ When you specify the MigApp.xml file, USMT migrates the settings for the followi
 
## <a href="" id="no"></a>What USMT Does Not Migrate
## <a href="" id="no"></a>What USMT does not migrate
The following is a list of the settings that USMT does not migrate. If you are having a problem that is not listed here, see [Common Issues](usmt-common-issues.md).
### Application Settings
### Application settings
USMT does not migrate the following application settings:
@ -382,7 +385,7 @@ USMT does not migrate the following application settings:
- You attempt to migrate from a 32-bit computer to a 64-bit computer. This is because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is "C:\\Program Files\\...". The ICQ Pro default installation directory on an x64-based computer, however, is “C:\\Program Files (x86)\\...”.
### Operating-System Settings
### Operating-System settings
USMT does not migrate the following operating-system settings.
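Review bot: The new heading "### Operating-System settings" still capitalizes "System", while the same commit uses "Operating-system components" for the earlier heading and TOC entry. Use "### Operating-system settings" for consistency.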
@ -402,10 +405,14 @@ You should also note the following:
- You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md).
### Start menu layout
Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout).
## Related topics
[Plan Your Migration](usmt-plan-your-migration.md)
[Plan your migration](usmt-plan-your-migration.md)
 
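Review bot: The "Start menu layout" section repeats, word for word, the IMPORTANT note added under "User data" earlier in this file; keep the full text in one place and point to it from the other so the two cannot drift. The link is also an absolute docs.microsoft.com URL, whereas the same article is referenced a few lines up as the relative "usmt-common-issues.md"; prefer the relative form with the anchor so the link follows the repo if the article moves.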

View File

@ -18,7 +18,7 @@ ms.date: 06/30/2017
- Windows 10
Windows AutoPilot is a collection of technologies used to setup and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows AutoPilot to reset, repurpose and recover devices.</br>
Windows AutoPilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows AutoPilot to reset, repurpose and recover devices.</br>
This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple.
## Benefits of Windows AutoPilot
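Review bot: The corrected sentence still ends with "</br>", which is not a valid tag (a closing tag for a void element). Since this line is being touched anyway, replace it with "<br>" or, better, a blank line between the two paragraphs.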

View File

@ -102,7 +102,7 @@ changepk.exe /ProductKey %ProductKey%
### Obtaining an Azure AD licence
Enterprise Agreement/Software Assurance (EA/SA):
- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment).
- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/en-us/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea).
- The license administrator can assign seats to Azure AD users with the same process that is used for O365.
- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
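Review bot: The added link uses a locale-pinned URL ("docs.microsoft.com/en-us/windows/deployment/..."), while other links changed in this same commit drop the "/en-us/" segment. Remove the locale so readers are routed to their own language, or use a relative link to deploy-enterprise-licenses.md. Separately, the context heading "Obtaining an Azure AD licence" spells "licence" differently from "license" in the bullets below it; worth fixing in the same pass.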

View File

@ -12,7 +12,8 @@ author: brianlic-msft
# Add rules for packaged apps to existing AppLocker rule-set
**Applies to**
- Windows 10
- Windows 10
- Windows Server
This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
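Review bot: "- Windows Server" is added to "Applies to" without a version, here and in the other AppLocker topics in this commit. Readers deciding whether an application control policy applies to a given host need to know which Server releases are covered, so name the supported versions (or link to the AppLocker requirements topic). The removed and added "- Windows 10" lines look identical in this view, so that part of the change appears to be whitespace-only; confirm it is intentional.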

View File

@ -12,7 +12,8 @@ author: brianlic-msft
# Administer AppLocker
**Applies to**
- Windows 10
- Windows 10
- Windows Server
This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.

View File

@ -12,7 +12,8 @@ author: brianlic-msft
# AppLocker architecture and components
**Applies to**
- Windows 10
- Windows 10
- Windows Server
This topic for IT professional describes AppLockers basic architecture and its major components.
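Review bot: The context line below the "Applies to" list has two typos that could be fixed while this file is open: "for IT professional" should be "for IT professionals", and "AppLockers basic architecture" should be "AppLocker's basic architecture".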

View File

@ -12,7 +12,8 @@ author: brianlic-msft
# AppLocker functions
**Applies to**
- Windows 10
- Windows 10
- Windows Server
This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.

View File

@ -13,7 +13,8 @@ author: brianlic-msft
# AppLocker
**Applies to**
- Windows 10
- Windows 10
- Windows Server
This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

View File

@ -13,7 +13,8 @@ author: brianlic-msft
# AppLocker deployment guide
**Applies to**
- Windows 10
- Windows 10
- Windows Server
This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.

View File

@ -12,7 +12,8 @@ author: brianlic-msft
# AppLocker design guide
**Applies to**
- Windows 10
- Windows 10
- Windows Server
This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.

View File

@ -12,7 +12,8 @@ author: brianlic-msft
# AppLocker policy use scenarios
**Applies to**
- Windows 10
- Windows 10
- Windows Server
This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.

View File

@ -12,7 +12,8 @@ author: brianlic-msft
# AppLocker processes and interactions
**Applies to**
- Windows 10
- Windows 10
- Windows Server
This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.

View File

@ -12,7 +12,8 @@ author: brianlic-msft
# AppLocker settings
**Applies to**
- Windows 10
- Windows 10
- Windows Server
This topic for the IT professional lists the settings used by AppLocker.

View File

@ -12,7 +12,8 @@ author: brianlic-msft
# AppLocker technical reference
**Applies to**
- Windows 10
- Windows 10
- Windows Server
This overview topic for IT professionals provides links to the topics in the technical reference.
AppLocker advances the application control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps.

View File

@ -12,7 +12,8 @@ author: brianlic-msft
# Configure an AppLocker policy for audit only
**Applies to**
- Windows 10
- Windows 10
- Windows Server
This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker.

View File

@ -12,7 +12,8 @@ author: brianlic-msft
# Configure an AppLocker policy for enforce rules
**Applies to**
- Windows 10
- Windows 10
- Windows Server
This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.

View File

@ -12,7 +12,8 @@ author: brianlic-msft
# Add exceptions for an AppLocker rule
**Applies to**
- Windows 10
- Windows 10
- Windows Server
This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.

View File

@ -12,7 +12,8 @@ author: brianlic-msft
# Configure the AppLocker reference device
**Applies to**
- Windows 10
- Windows 10
- Windows Server
This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.

View File

@ -12,7 +12,8 @@ author: brianlic-msft
# Configure the Application Identity service
**Applies to**
- Windows 10
- Windows 10
- Windows Server
This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.

View File

@ -12,7 +12,8 @@ author: brianlic-msft
# Create a rule for packaged apps
**Applies to**
- Windows 10
- Windows 10
- Windows Server
This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.

Some files were not shown because too many files have changed in this diff