deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-20220914-winse-faq

Browse Source
This commit is contained in:
Paolo Matarazzo 2022-10-06 08:13:23 -04:00
commit 2af1599210
56 changed files with 865 additions and 1074 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
.openpublishing.redirection.json
View File

@ -19654,6 +19654,26 @@
"source_path": "windows/configuration/windows-10-accessibility-for-ITPros.md",
"redirect_url": "/windows/configuration/windows-accessibility-for-ITPros",
"redirect_document_id": false
},
{
"source_path": "education/windows/take-a-test-multiple-pcs.md",
"redirect_url": "/education/windows/edu-take-a-test-kiosk-mode",
"redirect_document_id": false
},
{
"source_path": "education/windows/take-a-test-single-pc.md",
"redirect_url": "/education/windows/take-tests-in-windows",
"redirect_document_id": false
},
{
"source_path": "education/windows/take-tests-in-windows-10.md",
"redirect_url": "/education/windows/take-tests-in-windows",
"redirect_document_id": false
},
{
"source_path": "education/windows/change-history-edu.md",
"redirect_url": "/education/windows",
"redirect_document_id": false
}
]
}

2
education/index.yml
View File

@ -23,7 +23,7 @@ productDirectory:
# Card
- title: Phase 1 - Cloud deployment
imageSrc: ./images/EDU-Deploy.svg
summary: Create your Microsoft 365 tenant, secure and configure your environment, sync your active directry and SIS, and license users.
summary: Create your Microsoft 365 tenant, secure and configure your environment, sync your Active Directory and SIS, and license users.
url: /microsoft-365/education/deploy/create-your-office-365-tenant
# Card
- title: Phase 2 - Device management

22
education/windows/TOC.yml
View File

@ -29,19 +29,15 @@ items:
- name: Windows 10 configuration recommendations for education customers
href: configure-windows-for-education.md
- name: Take tests and assessments in Windows
href: take-tests-in-windows-10.md
href: take-tests-in-windows.md
- name: How-to-guides
items:
- name: Configure education features
items:
- name: Configure education themes
href: edu-themes.md
- name: Configure Stickers
href: edu-stickers.md
- name: Configure Take a Test on a single PC
href: take-a-test-single-pc.md
- name: Configure a Test on multiple PCs
href: take-a-test-multiple-pcs.md
- name: Configure education themes
href: edu-themes.md
- name: Configure Stickers
href: edu-stickers.md
- name: Configure Take a Test in kiosk mode
href: edu-take-a-test-kiosk-mode.md
- name: Use the Set up School PCs app
href: use-set-up-school-pcs-app.md
- name: Change Windows edition
@ -98,8 +94,6 @@ items:
href: set-up-school-pcs-provisioning-package.md
- name: What's new in Set up School PCs
href: set-up-school-pcs-whats-new.md
- name: Take a Test app technical reference
- name: Take a Test technical reference
href: take-a-test-app-technical.md
- name: Change history for Windows 10 for Education
href: change-history-edu.md

156
education/windows/change-history-edu.md
View File

@ -1,156 +0,0 @@
---
title: Change history for Windows 10 for Education (Windows 10)
description: New and changed topics in Windows 10 for Education
keywords: Windows 10 education documentation, change history
ms.prod: windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
ms.collection: education
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/10/2022
ms.reviewer:
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
---
# Change history for Windows 10 for Education
This topic lists new and updated topics in the [Windows 10 for Education](index.yml) documentation.
## May 2019
|New or changed topic | Description|
|-----------|-------------|
|[Windows 10 Subscription Activation](/windows/deployment/windows-10-subscription-activation)|Subscription activation support for Windows 10 Pro Education to Windows 10 Education|
## April 2018
New or changed topic | Description
--- | ---
[Windows 10 Pro in S mode for Education](s-mode-switch-to-edu.md) | Created a new topic on S mode for Education. |
[Change to Windows 10 Education from Windows 10 Pro](change-to-pro-education.md) | Updated sections referencing S mode.
## March 2018
New or changed topic | Description
--- | ---
[Reset devices with Autopilot Reset](autopilot-reset.md) | Added section for troubleshooting Autopilot Reset.
## November 2017
| New or changed topic | Description |
| --- | ---- |
| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the list of device manufacturers. |
| [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. |
| [Set up Take a Test on a single PC](take-a-test-single-pc.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. |
| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a note that the Alt+F4 key combination for enabling students to exit the test is disabled in Windows 10, version 1703 (Creators Update) and later. Also added more information about the Ctrl+Alt+Del key combination. |
## RELEASE: Windows 10, version 1709 (Fall Creators Update)
| New or changed topic | Description |
| --- | ---- |
| [Reset devices with Autopilot Reset](autopilot-reset.md) | New. Learn how you can use this new feature to quickly reset student PCs from the lock screen and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use and returned to a fully configured or known IT-approved state. |
| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the *Go back to your previous edition of Windows 10* section with new information on how to work around cases where Win32 apps are blocked after switching from Windows 10 S back to your previous Windows edition. |
| [Take a Test app technical reference](take-a-test-app-technical.md) | Updated. Starting with Windows 10, version 1709 (Fall Creators Update), assessments can now run in permissive mode. This mode enables students who need access to other apps, like accessibility tools, to use the apps. |
## September 2017
| New or changed topic | Description |
| --- | ---- |
| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated the prerequisites to provide more clarification. |
## August 2017
| New or changed topic | Description |
| --- | ---- |
| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | New. Find out how you can test Windows 10 S on various Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us. |
| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated the instructions to reflect the new or updated functionality in the latest version of the app. |
## July 2017
| New or changed topic | Description |
| --- | ---- |
| [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-for-education.md) | New information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices. |
| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Added the how-to video, which shows how to use the app to create a provisioning package that you can use to set up school PCs. |
| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a Group Policy section to inform you of any policies that affect the Take a Test app or functionality within the app. |
## June 2017
| New or changed topic | Description |
| --- | ---- |
| [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) | Includes the following updates:</br></br> - New configuration guidance for IT administrators to enable students and school personnel, who use assistive technology apps not available in the Microsoft Store for Education and use devices running Windows 10 S, to be successful in the classroom and in their jobs.</br> - New configuration information when using Windows 10 S for education. |
| [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | New configuration guidance for IT administrators to enable students and school personnel, who use assistive technology apps not available in the Microsoft Store for Education and use devices running Windows 10 S, to be successful in the classroom and in their jobs. |
| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated the recommended apps section to include information about Office 365 for Windows 10 S (Education Preview). |
## May 2017
| New or changed topic | Description |
| --- | ---- |
| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt in to a free switch to Windows 10 Pro Education. |
| [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated. Now includes network tips and updated step-by-step instructions that show the latest updates to the app such as Wi-Fi setup. |
## RELEASE: Windows 10, version 1703 (Creators Update)
| New or changed topic | Description|
| --- | --- |
| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](/microsoft-365/education/deploy/) | New. Learn how you can quickly and easily use the new Microsoft Education system to implement a full IT cloud solution for your school. |
| [Microsoft Education documentation and resources](/education) | New. Find links to more content for IT admins, teachers, students, and education app developers. |
| [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) | New. Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school. |
| [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | Updated the screenshots and related instructions to reflect the current UI and experience. |
| [Set up Windows devices for education](set-up-windows-10.md) | Updated for Windows 10, version 1703. |
| Set up School PCs app: </br> [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md) </br> [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated. Describes the school-specific settings and policies that Set up School PC configures. Also provides step-by-step instructions for using the latest version of the app to create a provisioning package that you can use to set up student PCs. |
| Set up using Windows Configuration Designer: </br> [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md) </br> [Provision student PCs with apps](set-up-students-pcs-with-apps.md) | Updated the information for Windows 10, version 1703. |
| [Take tests in Windows 10](take-tests-in-windows-10.md) </br> [Set up Take a Test on a single PC](take-a-test-single-pc.md) </br> [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) </br> [Take a Test app technical reference](take-a-test-app-technical.md) | Updated. Includes new information on ways you can set up the test account and assessment URL and methods for creating and distributing the link. Methods available to you vary depending on whether you're setting up Take a Test on a single PC or multiple PCs. |
## January 2017
| New or changed topic | Description |
| --- | --- |
| [For IT administrators - get Minecraft: Education Edition](school-get-minecraft.md) | Updates. Learn how schools can use invoices to pay for Minecraft: Education Edition. |
## December 2016
| New or changed topic | Description |
| --- | --- |
| [Upgrade Windows 10 Pro to Pro Education from Microsoft Store for Business] | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. As of May 2017, this topic has been replaced with [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). |
## November 2016
| New or changed topic | Description|
| --- | --- |
| [Working with Microsoft Store for Business – education scenarios](education-scenarios-store-for-business.md) | New. Learn about education scenarios for Microsoft Store for Business. |
| [For teachers - get Minecraft: Education Edition](teacher-get-minecraft.md) | Updates. Subscription support for Minecraft: Education Edition. |
| [For IT administrators - get Minecraft: Education Edition](school-get-minecraft.md) | Updates. Subscription support for Minecraft: Education Edition. |
## RELEASE: Windows 10, version 1607 (Anniversary Update)
The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
- [Set up Windows 10](set-up-windows-10.md)
- [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
- [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
- [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
## July 2016
| New or changed topic | Description|
| --- | --- |
| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | New. Learn about the two editions in Windows 10, version 1607 that's designed for the needs of K-12 institutions. |
|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New. Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, AD DS, and Microsoft Azure AD, use Configuration Manager, Intune, and Group Policy to manage devices. |
## June 2016
| New or changed topic | Description |
|----------------------|-------------|
| [Get Minecraft Education Edition](get-minecraft-for-education.md) </br> [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md) </br> [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) | New. Learn how to get and distribute Minecraft: Education Edition. |
## May 2016
| New or changed topic | Description |
|----------------------|-------------|
| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | New. Learn how the Set up School PCs app works and how to use it. |
| [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New. Describes the changes that the Set up School PCs app makes to a PC. |
| [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md) </br> [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md) </br> [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md) </br> [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New. Learn how to set up and use the Take a Test app. |
| [Chromebook migration guide](chromebook-migration-guide.md) | Moved from [Windows 10 and Windows 10 Mobile](/windows/deployment/planning/) library, originally published in November 2015 |
| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](/windows/deployment/planning/) library, originally published in May 2016 |

2
education/windows/deploy-windows-10-overview.md
View File

@ -47,7 +47,7 @@ Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-base
Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.
**[Take tests in Windows 10](take-tests-in-windows-10.md)**
**[Take tests in Windows](take-tests-in-windows.md)**
Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.

13
education/windows/edu-stickers.md
View File

@ -37,23 +37,23 @@ Stickers aren't enabled by default. Follow the instructions below to configure y
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
To enable Stickers using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
To configure devices using Microsoft Intune, create a [custom policy][MEM-1] with the following settings:
| Setting |
|--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
Assign the policy to a security group that contains as members the devices or users that you want to enable Stickers on.
Assign the policy to a security group that contains as members the devices or users that you want to configure.
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
To configure Stickers using a provisioning package, use the following settings:
To configure devices using a provisioning package, [create a provisioning package][WIN-1] using Windows Configuration Designer (WCD) with the following settings:
| Setting |
|--------|
| <li> Path: **`Education/AllowStickers`** </li><li>Value: **True**</li>|
Apply the provisioning package to the devices that you want to enable Stickers on.
Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created.
---
@ -74,4 +74,7 @@ Select the *X button* at the top of the screen to save your progress and close t
-----------
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package

235
education/windows/edu-take-a-test-kiosk-mode.md Normal file
View File

@ -0,0 +1,235 @@
---
title: Configure Take a Test in kiosk mode
description: Description of how to configure Windows to execute the Take a Test app in kiosk mode, using Intune and provisioning packages.
ms.date: 09/30/2022
ms.prod: windows
ms.technology: windows
ms.topic: how-to
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer:
manager: aaroncz
ms.collection: education
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows 11 SE</b>
---
# Configure Take a Test in kiosk mode
Executing Take a Test in kiosk mode is the recommended option for high stakes assessments, such as mid-term exams. In this mode, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. Students must sign in using a test-taking account.
The configuration of Take a Test in kiosk mode can be done using:
- Microsoft Intune/MDM
- a provisioning package (PPKG)
- PowerShell
- the Settings app
When using the Settings app, you can configure Take a Test in kiosk mode using a local account only. This option is recommended for devices that aren't managed.
The other options allow you to configure Take a Test in kiosk mode using a local account, an account defined in the directory, or a guest account.
> [!TIP]
> While you could create a single account in the directory to be the dedicated test-taking account, it is recommended to use a guest account. This way, you don't get into a scenario where the testing account is locked out due to bad password attempts or other factors.
>
> An additional benefit of using a guest account, is that your students don't have to type a password to access the test.
Follow the instructions below to configure your devices, selecting the option that best suits your needs.
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
You can use Intune for Education or a custom profile in Microsoft Intune:
- Intune for Education provides a simpler experience
- A custom profile provides more flexibility and controls over the configuration
> [!IMPORTANT]
> Currently, the policy created in Intune for Education is applicable to Windows 10 and Windows 11 only. **It will not apply to Windows 11 SE devices.**
>
> If you want to configure Take a Test for Windows 11 SE devices, you must use a custom policy.
### Configure Take a Test from Intune for Education
To configure devices using Intune for Education, follow these steps:
1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
1. Select **Groups** > Pick a group to configure Take a Test for
1. Select **Windows device settings**
1. Expand the **Take a Test profiles** category and select **+ Assign new Take a Test profile**
1. Specify a **Profile Name**, **Account Name**, **Assessment URL** and, optionally, **Description** and options allowed during the test
1. Select **Create and assign profile**
:::image type="content" source="./images/takeatest/intune-education-take-a-test-profile.png" alt-text="Intune for Education - creation of a Take a Test profile." lightbox="./images/takeatest/intune-education-take-a-test-profile.png" border="true":::
### Configure Take a Test with a custom policy
To configure devices using Microsoft Intune, create a [custom policy][MEM-1] with the following settings:
| Setting |
|--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn`** </li><li> Data type: **Integer** </li><li>Value: **1**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/WindowsLogon/HideFastUserSwitching`** </li><li> Data type: **Integer**</li><li>Value: **1**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/AccountModel`**</li><li>Data type: **Integer** </li><li> Value: **1**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/EnableAccountManager`**</li><li>Data type: **Boolean** </li><li> Value: **True**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/KioskModeAUMID`**</li><li>Data type: **String** </li><li> Value: **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/KioskModeUserTileDisplayText`** </li><li>Data type: **String** </li><li> Value: **Take a Test** (or a string of your choice to display in the sing-in screen)</li>|
| <li> OMA-URI: **`./Vendor/MSFT/SecureAssessment/LaunchURI`** </li><li>Data type: **String** </li><li> Value: **\<provide testing URL>**</li>|
:::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true":::
Assign the policy to a security group that contains as members the devices or users that you want to configure.
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
To create a provisioning package, you can either use Set up School PCs or Windows Configuration Designer:
- Set up School PCs provides a simpler, guided experience
- Windows Configuration Designer provides more flexibility and controls over the configuration
### Create a provisioning package using Set up School PCs
Create a provisioning package using the Set up School PCs app, configuring the settings in the **Set up the Take a Test app** page.
:::image type="content" source="./images/takeatest/suspcs-take-a-test.png" alt-text="Set up School PCs app - Take a test page" lightbox="./images/takeatest/suspcs-take-a-test.png" border="true":::
### Create a provisioning package using Windows Configuration Designer
[Create a provisioning package][WIN-1] using Windows Configuration Designer with the following settings:
| Setting |
|--------|
| <li> Path: **`Policies/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn`** </li><li>Value: **Enabled**</li>|
| <li> Path: **`Policies/WindowsLogon/HideFastUserSwitching`** </li><li>Value: **True**</li>|
| <li> Path: **`SharedPC/AccountManagement/AccountModel`** </li><li>Value: **Domain-joined only**</li>|
| <li> Path: **`SharedPC/AccountManagement/EnableAccountManager`** </li><li>Value: **True**</li>|
| <li> Path: **`SharedPC/AccountManagement/KioskModeAUMID`** </li><li>Value: **Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App**</li>|
| <li> Path: **`SharedPC/AccountManagement/KioskModeUserTileDisplayText`** </li><li>Value: **Take a Test** (or a string of your choice to display in the sing-in screen)</li>|
| <li> Path: **`TakeATest/LaunchURI/`** </li><li>Value: **\<provide testing URL>**</li>|
:::image type="content" source="./images/takeatest/wcd-take-a-test.png" alt-text="Windows Configuration Designer - configuration of policies to enable Take a Test to run in kiosk mode" lightbox="./images/takeatest/wcd-take-a-test.png" border="true":::
Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created.
#### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell)
Configure your devices using PowerShell scripts via the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). For more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).
> [!TIP]
> PowerShell scripts can be executed as scheduled tasks via Group Policy.
> [!IMPORTANT]
> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account.
>
> To test a PowerShell script, you can:
> 1. [Download the psexec tool](/sysinternals/downloads/psexec)
> 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
> 1. Run the script in the PowerShell session
Edit the following sample PowerShell script to:
- Customize the assessment URL with **$testURL**
- Change the kiosk user tile name displayed in the sign-in screen with **$userTileName**
```powershell
$testURL = "https://contoso.com/algebra-exam"
$userTileName = "Take a Test"
$namespaceName = "root\cimv2\mdm\dmmap"
$ParentID="./Vendor/MSFT/Policy/Config"
#Configure SharedPC
$className = "MDM_SharedPC"
$instance = "SharedPC"
$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className
if (-not ($cimObject)) {
$cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
}
$cimObject.AccountModel = 1
$cimObject.EnableAccountManager = $true
$cimObject.KioskModeAUMID = "Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App"
$cimObject.KioskModeUserTileDisplayText = $userTileName
Set-CimInstance -CimInstance $cimObject
#Configure SecureAssessment
$className = "MDM_SecureAssessment"
$instance = "SecureAssessment"
$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className
if (-not ($cimObject)) {
$cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
}
$cimObject.LaunchURI= $testURL
Set-CimInstance -CimInstance $cimObject
#Configure interactive logon
$className = "MDM_Policy_Config01_LocalPoliciesSecurityOptions02"
$instance = "LocalPoliciesSecurityOptions"
$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className
if (-not ($cimObject)) {
$cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
}
$cimObject.InteractiveLogon_DoNotDisplayLastSignedIn = 1
Set-CimInstance -CimInstance $cimObject
#Configure Windows logon
$className = "MDM_Policy_Config01_WindowsLogon02"
$instance = "WindowsLogon"
$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className
if (-not ($cimObject)) {
$cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
}
$cimObject.HideFastUserSwitching = 1
Set-CimInstance -CimInstance $cimObject
```
#### [:::image type="icon" source="images/icons/windows-os.svg"::: **Settings app**](#tab/win)
To create a local account, and configure Take a Test in kiosk mode using the Settings app:
1. Sign into the Windows device with an administrator account
1. Open the **Settings** app and select **Accounts** > **Other Users**
1. Under **Other users**, select **Add account** > **I don't have this person's sign-in information** > **Add a user without a Microsoft account**
1. Provide a user name and password for the account that will be used for testing
:::image type="content" source="./images/takeatest/settings-accounts-create-take-a-test-account.png" alt-text="Use the Settings app to create a test-taking account." border="true":::
1. Select **Accounts > Access work or school**
1. Select **Create a test-taking account**
:::image type="content" source="./images/takeatest/settings-accounts-set-up-take-a-test-account.png" alt-text="Use the Settings app to set up a test-taking account." border="true":::
1. Under **Add an account for taking tests**, select **Add account** > Select the account created in step 4
:::image type="content" source="./images/takeatest/settings-accounts-choose-take-a-test-account.png" alt-text="Use the Settings app to choose the test-taking account." border="true":::
1. Under **Enter the tests's web address**, enter the assessment URL
1. Under **Test taking settings** select the options you want to enable during the test
- To enable printing, select **Require printing**
> [!NOTE]
> Make sure a printer is pre-configured on the Take a Test account if you're enabling this option.
- To enable teachers to monitor screens, select **Allow screen monitoring**
- To allow text suggestions, select **Allow text suggestions**
1. To take the test, a student must sign in using the test-taking account selected in step 4
:::image type="content" source="./images/takeatest/login-screen-take-a-test-single-pc.png" alt-text="Windows 11 SE login screen with the take a test account." border="true":::
> [!NOTE]
> To sign-in with a local account on a device that is joined to Azure AD or Active Directory, you must prefix the username with either `<computername>\` or `.\`.
---
## How to use Take a Test in kiosk mode
Once the devices are configured, a new user tile will be available in the sign-in screen. If selected, Take a Test will be executed in kiosk mode using the guest account, opening the assessment URL.
## How to exit Take a Test
To exit the Take a Test app at any time, press <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd>. You'll be prompted to sign out of the test-taking account, or return to the test. Once signed out, the device will be unlocked from kiosk mode and can be used as normal.
The following animation shows the process of signing in to the test-taking account, taking a test, and exiting the test:
:::image type="content" source="./images/takeatest/sign-in-sign-out.gif" alt-text="Signing in and signing out with a test account" border="true":::
-----------
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[MEM-2]: /mem/intune/configuration/settings-catalog
[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package

13
education/windows/edu-themes.md
View File

@ -31,23 +31,23 @@ Education themes aren't enabled by default. Follow the instructions below to con
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
To enable education themes using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
To configure devices using Microsoft Intune, create a [custom policy][MEM-1] with the following settings:
| Setting |
|--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
Assign the policy to a security group that contains as members the devices or users that you want to enable education themes on.
Assign the policy to a security group that contains as members the devices or users that you want to configure.
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
To configure education themes using a provisioning package, use the following settings:
To configure devices using a provisioning package, [create a provisioning package][WIN-1] using Windows Configuration Designer (WCD), with the following settings:
| Setting |
|--------|
| <li> Path: **`Education/EnableEduThemes`** </li><li>Value: **True**</li>|
Apply the provisioning package to the devices that you want to enable education themes on.
Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created.
---
@ -61,4 +61,7 @@ To change the theme, select **Settings** > **Personalization** > **Themes** > **
-----------
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package

BIN
education/windows/images/takeatest/TakeATestURL.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 9.8 KiB

BIN
education/windows/images/takeatest/desktop-shortcuts.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 207 KiB

BIN
education/windows/images/takeatest/flow-chart.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 199 KiB

BIN
education/windows/images/takeatest/i4e_takeatestprofile_accountsummary.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 100 KiB

BIN
education/windows/images/takeatest/i4e_takeatestprofile_addnewprofile.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 65 KiB

BIN
education/windows/images/takeatest/i4e_takeatestprofile_changegroup_selectgroup.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 97 KiB

BIN
education/windows/images/takeatest/i4e_takeatestprofile_groupassignment_selected.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 99 KiB

BIN
education/windows/images/takeatest/i4e_takeatestprofile_groups_changegroupassignments.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 97 KiB

BIN
education/windows/images/takeatest/i4e_takeatestprofile_newtestaccount.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 140 KiB

BIN
education/windows/images/takeatest/intune-education-take-a-test-profile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 167 KiB

BIN
education/windows/images/takeatest/intune-take-a-test-custom-profile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 221 KiB

BIN
education/windows/images/takeatest/login-screen-take-a-test-single-pc.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 581 KiB

BIN
education/windows/images/takeatest/settings-accounts-choose-take-a-test-account.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 83 KiB

BIN
education/windows/images/takeatest/settings-accounts-create-take-a-test-account.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 93 KiB

BIN
education/windows/images/takeatest/settings-accounts-set-up-take-a-test-account.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 84 KiB

BIN
education/windows/images/takeatest/sign-in-sign-out.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.0 MiB

BIN
education/windows/images/takeatest/suspc_choosesettings_setuptakeatest.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 77 KiB

BIN
education/windows/images/takeatest/suspc_choosesettings_takeatest.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 80 KiB

BIN
education/windows/images/takeatest/suspc_choosesettings_takeatest_updated.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 154 KiB

BIN
education/windows/images/takeatest/suspc_createpackage_takeatest.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 56 KiB

BIN
education/windows/images/takeatest/suspc_createpackage_takeatestpage.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 54 KiB

BIN
education/windows/images/takeatest/suspc_createpackage_takeatestpage_073117.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 99 KiB

BIN
education/windows/images/takeatest/suspcs-take-a-test.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 253 KiB

BIN
education/windows/images/takeatest/take_a_test_flow_dark.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 13 KiB

BIN
education/windows/images/takeatest/tat_settingsapp_setupaccount_addtestaccount.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 44 KiB

BIN
education/windows/images/takeatest/tat_settingsapp_setuptesttakingaccount.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 66 KiB

BIN
education/windows/images/takeatest/tat_settingsapp_setuptesttakingaccount_1703.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 48 KiB

BIN
education/windows/images/takeatest/tat_settingsapp_workorschoolaccess_setuptestaccount.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 68 KiB

BIN
education/windows/images/takeatest/wcd-take-a-test.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 303 KiB

10
education/windows/index.yml
View File

@ -83,9 +83,13 @@ landingContent:
linkLists:
- linkListType: concept
links:
- text: Take tests and assessments
url: take-tests-in-windows-10.md
- text: Take tests and assessments in Windows
url: take-tests-in-windows.md
- text: Change Windows editions
url: change-home-to-edu.md
- text: "Deploy Minecraft: Education Edition"
url: get-minecraft-for-education.md
url: get-minecraft-for-education.md
- linkListType: how-to-guide
links:
- text: Configure Take a Test in kiosk mode
url: edu-take-a-test-kiosk-mode.md

2
education/windows/set-up-windows-10.md
View File

@ -40,7 +40,7 @@ You can use the following diagram to compare the tools.
## Related topics
[Take tests in Windows 10](take-tests-in-windows-10.md)
[Take tests in Windows](take-tests-in-windows.md)
[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)

96
education/windows/take-a-test-app-technical.md
View File

@ -1,41 +1,42 @@
---
title: Take a Test app technical reference
description: The policies and settings applied by the Take a Test app.
keywords: take a test, test taking, school, policies
description: List of policies and settings applied by the Take a Test app.
ms.date: 09/30/2022
ms.prod: windows
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
ms.technology: windows
ms.topic: reference
ms.localizationpriority: medium
ms.collection: education
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/10/2022
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.collection: education
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows 11 SE</b>
---
# Take a Test app technical reference
# Take a Test app technical reference
Take a Test is an app that locks down the PC and displays an online assessment web page.
Take a Test is an application that locks down a device and displays an online assessment web page.
Whether you're a teacher or IT administrator, you can easily configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment for more secure online assessments. This environment means that students taking the tests that dont have copy/paste privileges, cant access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teachers preferred assessment website to deliver digital assessments
Whether you're a teacher or IT administrator, you can configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment. This environment means that students taking the tests that don't have copy/paste privileges, can't access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher's preferred assessment website to deliver digital assessments.
Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](https://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test Javascript API](/windows/uwp/apps-for-education/take-a-test-api).
## PC lockdown for assessment
## PC lock-down for assessment
When the assessment page initiates lock down, the students desktop will be locked and the app will be launched above the Windows lock screen to provide a sandbox that ensures the student can only interact with the Take a Test app . After transitioning to the lock screen, Take a Test will apply local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lockdown. The lockdown process is atomic, which means that if any part of the lockdown operation fails, the app won't be above lock and won't have any of the policies applied.
When the assessment page initiates lock-down, the student's desktop will be locked and the app will be launched above the Windows lock screen to provide a sandbox that ensures the student can only interact with the Take a Test app. After transitioning to the lock screen, Take a Test will apply local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lock-down. The lock-down process is atomic, which means that if any part of the lock-down operation fails, the app won't be above lock and won't have any of the policies applied.
When running above the lock screen:
- The app runs full screen with no chrome
- The hardware print screen button is disabled
- Depending on the parameter you set through the schema or dedicated account, content within the app will show up as black in screen capturing/sharing software
- System clipboard is cleared
- Web apps can query the processes currently running in the users device
- Extended display shows up as black
- The app runs full screen with no chrome
- The hardware print screen button is disabled
- Depending on the parameter you set through the schema or dedicated account, content within the app will show up as black in screen capturing/sharing software
- System clipboard is cleared
- Web apps can query the processes currently running in the user's device
- Extended display shows up as black
- Auto-fill is disabled
## Mobile device management (MDM) policies
@ -45,7 +46,7 @@ When Take a Test is running, the following MDM policies are applied to lock down
| Policy | Description | Value |
|---|---|---|
| AllowToasts | Disables toast notifications from being shown | 0 |
| AllowAppStoreAutoUpdate | Disables automatic updates for Microsoft Store apps that are installed on the PC | 0 |
| AllowAppStoreAutoUpdate | Disables automatic updates for Store apps that are installed on the PC | 0 |
| AllowDeviceDiscovery | Disables UI for screen sharing | 0 |
| AllowInput Panel | Disables the onscreen keyboard, which will disable auto-fill | 0 |
| AllowCortana | Disables Cortana functionality | 0 |
@ -67,41 +68,42 @@ To ensure Take a Test activates correctly, make sure the following Group Policy
When Take a Test is running, the following functionality is available to students:
- Assistive technology that is configured to run above the lock screen should run as expected
- Narrator is available through Windows key + Enter
- Magnifier is available through Windows key + "+" key
- Full screen mode is compatible
- The student can press Alt+Tab when locked down. This key press results in the student being able to switch between the following elements:
- Take a Test
- Assistive technology that may be running
- Assistive technology that is configured to run above the lock screen should run as expected
- Narrator is available through <kbd>Win</kbd>+<kbd>Enter</kbd>
- Magnifier is available through <kbd>Win</kbd>+<kbd>+</kbd>
- The student can press <kbd>Alt</kbd>+<kbd>Tab</kbd> when locked down. This key press results in the student being able to switch between the following elements:
- Take a Test
- Assistive technology that may be running
- Lock screen (not available if student is using a dedicated test account)
> [!NOTE]
> The app will exit if the student signs in to an account from the lock screen. Progress made in the test may be lost or invalidated.
- The student can exit the test by pressing one of the following key combinations:
- Ctrl+Alt+Del
On Windows 10 Enterprise or Windows 10 Education versions, IT admins can choose to block this functionality by configuring a [keyboard filter](/windows-hardware/customize/enterprise/keyboardfilter).
- Alt+F4 (Take a Test will restart if the student is using a dedicated test account)
> [!NOTE]
> Alt+F4 is disabled in Windows 10, version 1703 (Creators Update) and later.
> [!NOTE]
> The app will exit if the student signs in to an account from the lock screen.
> Progress made in the test may be lost or invalidated.
- The student can exit the test by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd>
## Permissive mode
Starting with Windows 10, version 1709 (Fall Creators Update), assessments can now run in permissive mode. This mode enables students who need access to other apps, like accessibility tools, to use the apps.
This mode enables students who need access to other apps, like accessibility tools, to use the apps.
When permissive mode is triggered in lockdown mode, Take a Test transitions from lockdown mode to running windows mode on the user's desktop. The student can then run allowed apps during the test.
When permissive mode is triggered in lock-down mode, Take a Test transitions from lock-down mode to running windows mode on the user's desktop. The student can then run allowed apps during the test.
When running tests in this mode, keep the following points in mind:
- Permissive mode isn't supported in kiosk mode (dedicated test account).
- Permissive mode can be triggered from the web app running within Take a Test. Alternatively, you can create a link or shortcut without "#enforcelockdown" and it will launch in permissive mode.
- Permissive mode isn't supported in kiosk mode (dedicated test account)
- Permissive mode can be triggered from the web app running within Take a Test. Alternatively, you can create a link or shortcut without "#enforcelockdown" and it will launch in permissive mode
## Troubleshoot Take a Test with the event viewer
You can use the Event Viewer to view Take a Test events and errors. Take a Test logs events when a lock-down request has been received, device enrollment has succeeded, lock-down policies were successfully applied, and more.
To enable viewing events in the Event Viewer:
1. Open the `Event Viewer`
1. Navigate to `Applications and Services Logs > Microsoft > Windows > Management-SecureAssessment`
1. Select `Operational` > `Enable Log`
To save the event logs:
1. Select `Operational` > `Save All Events As…`
## Learn more

272
education/windows/take-a-test-multiple-pcs.md
View File

@ -1,272 +0,0 @@
---
title: Set up Take a Test on multiple PCs
description: Learn how to set up and use the Take a Test app on multiple PCs.
keywords: take a test, test taking, school, set up on multiple PCs
ms.prod: windows
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
ms.collection: education
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/10/2022
ms.reviewer:
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows 11 SE</b>
---
# Set up Take a Test on multiple PCs
Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test.
Follow the guidance in this topic to set up Take a Test on multiple PCs.
## Set up a dedicated test account
To configure a dedicated test account on multiple PCs, select any of the following methods:
- [Provisioning package created through the Set up School PCs app](#set-up-a-test-account-in-the-set-up-school-pcs-app)
- [Configuration in Intune for Education](#set-up-a-test-account-in-intune-for-education)
- [Mobile device management (MDM) or Microsoft Endpoint Configuration Manager](#set-up-a-test-account-in-mdm-or-configuration-manager)
- [Provisioning package created through Windows Configuration Designer](#set-up-a-test-account-through-windows-configuration-designer)
- [Group Policy to deploy a scheduled task that runs a PowerShell script](#create-a-scheduled-task-in-group-policy)
### Set up a test account in the Set up School PCs app
If you want to set up a test account using the Set up School PCs app, configure the settings in the **Set up the Take a Test app** page in the Set up School PCs app. Follow the instructions in [Use the Set up School PCs app](use-set-up-school-pcs-app.md) to configure the test-taking account and create a provisioning package.
If you set up Take a Test, the **Take a Test** button is added on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test.
**Figure 1** - Configure Take a Test in the Set up School PCs app
![Configure Take a Test in the Set up School PCs app.](images/takeatest/suspc_choosesettings_setuptakeatest.png)
### Set up a test account in Intune for Education
You can set up a test-taking account in Intune for Education. To do this, follow these steps:
1. In Intune for Education, select **Take a Test profiles** from the menu.
2. Click **+ Add Test Profile** to create an account.
**Figure 2** - Add a test profile in Intune for Education
![Add a test profile in Intune for Education.](images/takeatest/i4e_takeatestprofile_addnewprofile.png)
3. In the new profile page:
1. Enter a name for the profile.
2. Enter the assessment URL.
3. Toggle the switch to **Allow screen capture**.
4. Select a user account to use as the test-taking account.
5. Click **Save**.
**Figure 3** - Add information about the test profile
![Add information about the test profile.](images/takeatest/i4e_takeatestprofile_newtestaccount.png)
After you save the test profile, you'll see a summary of the settings that you configured for Take a Test. Next, you'll need to assign the test profile to a group that will be using the test account.
4. In the test account page, click **Groups**.
**Figure 4** - Assign the test account to a group
![Assign the test account to a group.](images/takeatest/i4e_takeatestprofile_accountsummary.png)
5. In the **Groups** page, click **Change group assignments**.
**Figure 5** - Change group assignments
![Change group assignments.](images/takeatest/i4e_takeatestprofile_groups_changegroupassignments.png)
6. In the **Change group assignments** page:
1. Select a group from the right column and click **Add Members** to select the group and assign the test-taking account to that group. You can select more than one group.
2. Click **OK** when you're done making your selection.
**Figure 6** - Select the group(s) that will use the test account
![Select the groups that will use the test account.](images/takeatest/i4e_takeatestprofile_groupassignment_selected.png)
And that's it! When the students from the selected group sign in to the student PCs using the Take a Test user name that you selected, the PC will be locked down and Take a Test will open the assessment URL and students can start taking tests.
### Set up a test account in MDM or Configuration Manager
You can configure a dedicated testing account through MDM or Configuration Manager by specifying a single account in the directory to be the test-taking account. Devices that have the test-taking policies can sign into the specified account to take the test.
**Best practice**
- Create a single account in the directory specifically for test taking
- Active Directory example: Contoso\TestAccount
- Azure Active Directory example: testaccount@contoso.com
- Deploy the policies to the group of test-taking devices
**To enable this configuration**
1. Launch your management console.
2. Create a policy to set up single app kiosk mode using the following values:
- **Custom OMA-DM URI** = ./Vendor/MSFT/AssignedAccess/KioskModeApp
- **String value** = {"*Account*":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}
*Account* can be in one of the following formats:
- username (not recommended)
- domain\username
- computer name\\username (not recommended)
- username@tenant.com
3. Create a policy to configure the assessment URL using the following values:
- **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/LaunchURI
- **String value** = *assessment URL*
4. Create a policy that associates the assessment URL to the account using the following values:
- **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/TesterAccount
- **String value** = Enter the account that you specified in step 2, using the same account format.
5. Deploy the policies to the test-taking devices.
6. To take the test, the student signs in to the test account.
### Set up a test account through Windows Configuration Designer
To set up a test account through Windows Configuration Designer, follow these steps.
1. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
2. Create a provisioning package by following the steps in [Provision PCs with common settings for initial deployment (desktop wizard)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment). However, make a note of these other settings to customize the test account.
1. After you're done with the wizard, don't click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtime settings**.
2. Under **Runtime settings**, go to **AssignedAccess > AssignedAccessSettings**.
3. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up.
**Figure 7** - Add the account to use for test-taking
![Add the account to use for test-taking.](images/wcd/wcd_settings_assignedaccess.png)
The account can be in one of the following formats:
- username
- domain\username
- computer name\\username
- username@tenant.com
4. Under **Runtime settings**, go to **TakeATest** and configure the following settings:
- In **LaunchURI**, enter the assessment URL.
- In **TesterAccount**, enter the test account you entered in step 3.
3. Follow the steps to [build a package](/windows/configuration/provisioning-packages/provisioning-create-package#build-package).
- You'll see the file path for your provisioning package. By default, this is set to %windir%\Users\*your_username<em>\Windows Imaging and Configuration Designer (WICD)\*Project name</em>).
- Copy the provisioning package to a USB drive.
4. Follow the steps in [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) to apply the package that you created.
### Set up a tester account in Group Policy
To set up a tester account using Group Policy, first create a PowerShell script that configures the tester account and assessment URL, and then create a scheduled task to run the script.
#### Create a PowerShell script
This sample PowerShell script configures the tester account and the assessment URL. Edit the sample to:
- Use your assessment URL for **$obj.LaunchURI**
- Use your tester account for **$obj.TesterAccount**
- Use your tester account for **-UserName**
>[!NOTE]
>The account that you specify for the tester account must already exist on the device. For steps to create the tester account, see [Set up a dedicated test account](./take-a-test-single-pc.md#set-up-a-dedicated-test-account).
```powershell
$obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'";
$obj.LaunchURI='https://www.foo.com';
$obj.TesterAccount='TestAccount';
$obj.put()
Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount
```
#### Create a scheduled task in Group Policy
1. Open the Group Policy Management Console.
2. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click **Edit**.
3. In the console tree under **Computer Configuration** or **User Configuration**, go to **Preferences** > **Control Panel Settings**.
4. Right-click **Scheduled Tasks**, point to **New**, and select **Scheduled Task**.
5. In the **New Scheduled Task Properties** dialog box, click **Change User or Group**.
6. In the **Select User or Group** dialog box, click **Advanced**.
7. In the **Advanced** dialog box, click **Find Now**.
8. Select **System** in the search results
9. Go back to the **Properties** dialog box and select **Run with highest privileges** under **Security options**.
10. Specify the operating system in the **Configure for** field.
11. Navigate to the **Actions** tab.
12. Create a new **Action**.
13. Configure the action to **Start a program**.
14. In the **Program/script** field, enter **powershell**.
15. In the **Add arguments** field, enter **-file "\<path to powershell script>"**.
16. Click **OK**.
17. Navigate to the **Triggers** tab and create a new trigger.
18. Specify the trigger to be **On a schedule**.
19. Specify the trigger to be **One time**.
20. Specify the time the trigger should start.
21. Click **OK**.
22. In the **Settings** tab, select **Run task as soon as possible after a scheduled start is missed**.
23. Click **OK**.
## Provide link to test
Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments.
**To provide a link to the test**
1. Create the link to the test using schema activation.
- Create a link using a web UI
For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this option for teachers.
To get started, navigate to: [Create a link using a web UI](https://aka.ms/create-a-take-a-test-link).
- Create a link using schema activation
You can accomplish the same thing as the first option (using a web UI), by manually embedding a URL with a specific prefix. You can select parameters depending on what you want to enable.
For more info, see [Create a link using schema activation](#create-a-link-using-schema-activation).
2. Distribute the link.
Once the links are created, you can distribute them through the web, email, OneNote, or any other method of your choosing. You can also create shortcuts to distribute the link. For more info, see [Create a shortcut for the test link](#create-a-shortcut-for-the-test-link).
3. To take the test, have the students click on the link and provide user consent.
### Create a link using schema activation
One of the ways you can present content in a locked down manner is by embedding a URL with a specific prefix. Once users click the URL, devices will be locked down.
**To enable schema activation for assessment URLs**
1. Embed a link or create a desktop shortcut with:
```http
ms-edu-secureassessment:<URL>#enforceLockdown
```
2. To enable printing, screen capture, or both, use the above link and append one of these parameters:
- `&enableTextSuggestions` - Enables text suggestions
- `&requirePrinting` - Enables printing
- `&enableScreenCapture` - Enables screen capture
- `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability.
If you exclude these parameters, the default behavior is disabled.
For tests that utilize the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that aren't allowed to run during lockdown. The test web application may lock down the device once you've closed the apps.
> [!NOTE]
> The Windows 10, version 1607 legacy configuration, `ms-edu-secureassessment:<URL>!enforcelockdown` is still supported, but not in combination with the new parameters.
3. To enable permissive mode, don't include `enforceLockdown` in the schema parameters.
For more information, see [Permissive mode](take-a-test-app-technical.md#permissive-mode).
### Create a shortcut for the test link
You can also distribute the test link by creating a shortcut. To create the shortcut, create the link to the test by either using the [web UI](https://aka.ms/create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
1. On a device running Windows, right-click on the desktop and then select **New > Shortcut**.
2. In the **Create Shortcut** window, paste the assessment URL in the field under **Type the location of the item**.
3. Click **Next**.
4. Type a name for the shortcut and then click **Finish**.
Once the shortcut is created, you can copy it and distribute it to students.
## Related topics
[Take tests in Windows](take-tests-in-windows-10.md)
[Set up Take a Test on a single PC](take-a-test-single-pc.md)
[Take a Test app technical reference](take-a-test-app-technical.md)

136
education/windows/take-a-test-single-pc.md
View File

@ -1,136 +0,0 @@
---
title: Set up Take a Test on a single PC
description: Learn how to set up and use the Take a Test app on a single PC.
keywords: take a test, test taking, school, set up on single PC
ms.prod: windows
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
ms.collection: education
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/10/2022
ms.reviewer:
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows 11 SE</b>
---
# Set up Take a Test on a single PC
To configure [Take a Test](take-tests-in-windows-10.md) on a single PC, follow the guidance in this topic.
## Set up a dedicated test account
To configure the assessment URL and a dedicated testing account on a single PC, follow these steps.
1. Sign into the Windows device with an administrator account.
2. Open the **Settings** app and go to **Accounts > Access work or school**.
3. Click **Set up an account for taking tests**.
**Figure 1** - Use the Settings app to set up a test-taking account
![Use the Settings app to set up a test-taking account.](images/takeatest/tat_settingsapp_workorschoolaccess_setuptestaccount.png)
4. In the **Set up an account for taking tests** window, choose an existing account to use as the dedicated testing account.
**Figure 2** - Choose the test-taking account
![Choose the test-taking account.](images/takeatest/tat_settingsapp_setuptesttakingaccount_1703.png)
> [!NOTE]
> If you don't have an account on the device, you can create a new account. To do this, go to **Settings > Accounts > Other people > Add someone else to this PC > I dont have this persons sign-in information > Add a user without a Microsoft account**.
5. In the **Set up an account for taking tests**, enter the assessment URL in the field under **Enter the test's web address**.
6. Select the options you want to enable during the test.
- To enable printing, select **Require printing**.
> [!NOTE]
> Make sure a printer is preconfigured on the Take a Test account if you're enabling this option.
- To enable teachers to monitor screens, select **Allow screen monitoring**.
- To allow text suggestions, select **Allow text suggestions**.
7. Click **Save**.
8. To take the test, the student must sign in using the test-taking account that you created.
## Provide a link to the test
Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments.
**To provide a link to the test**
1. Create the link to the test.
There are different ways you can do this:
- Create a link using a web UI
For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this for option for teachers.
To get started, go here: [Create a link using a web UI](https://aka.ms/create-a-take-a-test-link).
- Create a link using schema activation
You can accomplish the same thing as the first option (using a web UI), by manually embedding a URL with a specific prefix. You can select parameters depending on what you want to enable.
For more info, see [Create a link using schema activation](#create-a-link-using-schema-activation).
2. Distribute the link.
Once the links are created, you can distribute them through the web, email, OneNote, or any other method of your choosing.
You can also create shortcuts to distribute the link. For more info, see [Create a shortcut for the test link](#create-a-shortcut-for-the-test-link).
3. To take the test, have the students click on the link and provide user consent.
> [!NOTE]
> If you enabled printing, the printer must be preconfigured for the account before the student takes the test.
### Create a link using schema activation
One of the ways you can present content in a locked down manner is by embedding a URL with a specific prefix. Once users click the URL, devices will be locked down.
**To enable schema activation for assessment URLs**
1. Embed a link or create a desktop shortcut with:
```
ms-edu-secureassessment:<URL>#enforceLockdown
```
2. To enable printing, screen capture, or both, use the above link and append one of these parameters:
- `&enableTextSuggestions` - Enables text suggestions
- `&requirePrinting` - Enables printing
- `&enableScreenCapture` - Enables screen capture
- `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability.
If you exclude these parameters, the default behavior is disabled.
For tests that utilizes the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps.
> [!NOTE]
> The Windows 10, version 1607 legacy configuration, `ms-edu-secureassessment:<URL>!enforcelockdown` is still supported, but not in combination with the new parameters.
3. To enable permissive mode, do not include `enforceLockdown` in the schema parameters.
For more information, see [Permissive mode](take-a-test-app-technical.md#permissive-mode).
### Create a shortcut for the test link
You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://aka.ms/create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
1. On a device running Windows, right-click on the desktop and then select **New > Shortcut**.
2. In the **Create Shortcut** window, paste the assessment URL in the field under **Type the location of the item**.
3. Click **Next**.
4. Type a name for the shortcut and then click **Finish**.
Once the shortcut is created, you can copy it and distribute it to students.
## Related topics
[Take tests in Windows](take-tests-in-windows-10.md)
[Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
[Take a Test app technical reference](take-a-test-app-technical.md)

79
education/windows/take-tests-in-windows-10.md
View File

@ -1,79 +0,0 @@
---
title: Take tests in Windows
description: Learn how to set up and use the Take a Test app.
keywords: take a test, test taking, school, how to, use Take a Test
ms.prod: windows
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
ms.collection: education
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/10/2022
ms.reviewer:
manager: aaroncz
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows 11 SE</b>
---
# Take tests in Windows
Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows creates the right environment for taking a test:
- Take a Test shows just the test and nothing else.
- Take a Test clears the clipboard.
- Students arent able to go to other websites.
- Students cant open or access other apps.
- Students can't share, print, or record their screens unless enabled by the teacher or IT administrator
- Students cant change settings, extend their display, see notifications, get updates, or use autofill features.
- Cortana is turned off.
## How to use Take a Test
![Set up and user flow for the Take a Test app.](images/takeatest/take_a_test_flow_dark.png)
There are several ways to configure devices for assessments, depending on your use case:
- For higher stakes testing such as mid-term exams, you can set up a device with a dedicated testing account and URL.
- For lower stakes assessments such as a quick quiz in a class, you can quickly create and distribute the assessment URL through any method of your choosing.
1. **Configure an assessment URL and a dedicated testing account**
In this configuration, a user signs into in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing.
There are different methods to configure the assessment URL and a dedicated testing account depending on whether you're setting up Take a Test on a single PC or multiple PCs.
- **For a single PC**
You can use the Windows **Settings** application. For more info, see [Set up Take a Test on a single PC](take-a-test-single-pc.md).
- **For multiple PCs**
You can use any of these methods:
- Mobile device management (MDM) or Microsoft Endpoint Configuration Manager
- A provisioning package created in Windows Configuration Designer
- Group Policy to deploy a scheduled task that runs a Powershell script
You can also configure Take a Test using these options:
- Set up School PCs app
- Intune for Education
For more info about these methods, see [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md).
2. **Create and distribute the assessment URL through the web, email, OneNote, or any other method**
This allows teachers and test administrators an easier way to deploy assessments quickly and simply. We recommend this method for lower stakes assessments. You can also create shortcuts to distribute the link.
You can enable this using a schema activation.
## How to exit Take a Test
To exit the Take a Test app at any time, press Ctrl+Alt+Delete.
## Get more info
- Teachers can use Microsoft Forms to create tests. See [Create tests using Microsoft Forms](https://support.microsoft.com/office/create-a-quiz-with-microsoft-forms-a082a018-24a1-48c1-b176-4b3616cdc83d) to find out how.
- To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).

100
education/windows/take-tests-in-windows.md Normal file
View File

@ -0,0 +1,100 @@
---
title: Take tests and assessments in Windows
description: Description of the built-in Take a Test app for Windows and how to use it.
ms.date: 09/30/2022
ms.prod: windows
ms.technology: windows
ms.topic: conceptual
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer:
manager: aaroncz
ms.collection: education
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows 11 SE</b>
---
# Take tests and assessments in Windows
Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. To help schools with testing, Windows provides an application called **Take a Test**. The application is a secure browser that provides different features to help with testing, and can be configured to only allow access a specific URL or a list of URLs. When using Take a Test, students can't:
- print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)
- access other applications
- change system settings, such as display extension, notifications, updates
- access Cortana
- access content copied to the clipboard
## How to use Take a Test
There are different ways to use Take a Test, depending on the use case:
- For lower stakes assessments, such a quick quiz in a class, a teacher can generate a *secure assessment URL* and share it with the students. Students can then open the URL to access the assessment through Take a Test. To learn more, see the next section: [Create a secure assessment link](#create-a-secure-assessment-link)
- For higher stakes assessments, you can configure Windows devices to use a dedicated account for testing and execute Take a Test in a locked-down mode, called **kiosk mode**. Once signed in with the dedicated account, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. For more information, see [Configure Take a Test in kiosk mode](edu-take-a-test-kiosk-mode.md)
![Set up and user flow for the Take a Test app.](images/takeatest/flow-chart.png)
## Create a secure assessment link
Anything hosted on the web can be presented in a locked down manner using the Take a Test app, not just assessments. To lock down online content, a URL must be embedded with a specific prefix and devices will be locked down when users open the link.
To create a secure assessment link to the test, there are two options:
- Create a link using a web application
- Create a link using schema activation
### Create a link using a web application
For this option, copy the assessment URL and open the web application <a href="https://aka.ms/create-a-take-a-test-link" target="_blank"><u>Customize your assessment URL</u></a>, where you can:
- Paste the link to the assessment URL
- Select the options you want to allow during the test
- Generate the link by selecting the button Create link
This is an ideal option for teachers who want to create a link to a specific assessment and share it with students using OneNote, for example.
### Create a link using schema activation
For this option, you embed a URL with a specific prefix and specify parameters depending on what you want to allow during the test.
The URL must be in the following format:
```
ms-edu-secureassessment:<URL>#enforceLockdown
```
To enable printing, screen capture, or both, use the above link and append one of these parameters:
- `&enableTextSuggestions` - Enables text suggestions
- `&requirePrinting` - Enables printing
- `&enableScreenCapture` - Enables screen capture
- `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability.
If these parameters aren't included, the default behavior is to disable the capabilities.
For tests that utilize the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that aren't allowed to run during lockdown. Take a Test will lock down the device once the applications are closed.
To enable permissive mode, don't include `enforceLockdown` in the schema parameters. For more information, see [Permissive mode](take-a-test-app-technical.md#permissive-mode).
## Distribute the secure assessment link
Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choosing.
For example, you can create and copy the shortcut to the assessment URL to the students' desktop.
To take the test, have the students open the link.
> [!NOTE]
> If you enabled printing, the printer must be pre-configured for the account before the student takes the test.
:::image type="content" source="./images/takeatest/desktop-shortcuts.png" alt-text="Windows 11 SE desktop showing two shortcuts to assessment URLs." border="true":::
> [!NOTE]
> If using `enforceLockdown`, to exit the Take a Test app at any time, press <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd>. Students will be prompted to type their password to get back to their desktop.
## Additional information
Teachers can use **Microsoft Forms** to create tests. For more information, see [Create tests using Microsoft Forms](https://support.microsoft.com/office/).
To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).

2
education/windows/tutorial-school-deployment/configure-device-settings.md
View File

@ -62,7 +62,7 @@ Settings that are commonly configured for student devices include:
- Wallpaper and lock screen background. See: [Lock screen and desktop][INT-7]
- Wi-Fi connections. See: [Add Wi-Fi profiles][INT-8]
- Enablement of the integrated testing and assessment solution *Take a test*. See: [Add Take a Test profile][INT-9]
- Enablement of the integrated testing and assessment solution *Take a Test*. See: [Add Take a Test profile][INT-9]
For more information, see [Windows device settings in Intune for Education][INT-3].

2
education/windows/windows-editions-for-education-customers.md
View File

@ -21,7 +21,7 @@ appliesto:
Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows weve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsofts commitment to security and privacy in Windows 10, see more on both [security](/windows/security/security-foundations) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620).
Beginning with version 1607, Windows 10 offers various new features and functionality, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows-10.md), and faster sign-in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/).
Beginning with version 1607, Windows 10 offers various new features and functionality, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows.md), and faster sign-in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/).
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.

2
windows/client-management/mdm/secureassessment-csp.md
View File

@ -127,7 +127,7 @@ Example:
## Related topics
[Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs)
[Set up Take a Test](/education/windows/take-a-test-multiple-pcs)
[Configuration service provider reference](configuration-service-provider-reference.md)

8
windows/deployment/TOC.yml
View File

@ -129,13 +129,13 @@
href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
- name: Subscription Activation
items:
- name: Windows 10/11 Subscription Activation
- name: Windows subscription activation
href: windows-10-subscription-activation.md
- name: Windows 10/11 Enterprise E3 in CSP
- name: Windows Enterprise E3 in CSP
href: windows-10-enterprise-e3-overview.md
- name: Configure VDA for Subscription Activation
- name: Configure VDA for subscription activation
href: vda-subscription-activation.md
- name: Deploy Windows 10/11 Enterprise licenses
- name: Deploy Windows Enterprise licenses
href: deploy-enterprise-licenses.md
- name: Deploy Windows client updates
items:

478
windows/deployment/deploy-enterprise-licenses.md
View File

@ -1,256 +1,296 @@
---
title: Deploy Windows 10/11 Enterprise licenses
manager: dougeby
ms.author: aaroncz
description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows 10/11 Enterprise E3 or E5 Subscription Activation, or for Windows 10/11 Enterprise E3 in CSP
ms.prod: w10
ms.localizationpriority: medium
title: Deploy Windows Enterprise licenses
description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows Enterprise E3 or E5 subscription activation, or for Windows Enterprise E3 in CSP.
author: aczechowski
ms.topic: article
ms.author: aaroncz
manager: dougeby
ms.prod: windows-client
ms.technology: itpro-deploy
ms.localizationpriority: medium
ms.topic: how-to
ms.collection: highpri
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
---
# Deploy Windows 10/11 Enterprise licenses
# Deploy Windows Enterprise licenses
This topic describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10/11 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
This article describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [subscription activation](windows-10-subscription-activation.md) or [Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
These activation features require a supported and licensed version of Windows 10 Pro or Windows 11 Pro:
- Subscription activation with an enterprise agreement (EA) or a Microsoft Products & Services Agreement (MPSA).
- Enterprise E3 in CSP.
- Automatic, non-KMS activation also requires a device with a firmware-embedded activation key.
- Subscription activation requires Enterprise _per user_ licensing. It doesn't work with _per device_ licensing.
## Enable subscription activation with an existing EA
If you're an EA customer with an existing Microsoft 365 tenant, use the following steps to enable Windows subscription licenses on your existing tenant:
1. Work with your reseller to place an order for one $0 SKU per user. As of October 1, 2022, there are three SKUs available, depending on your current Windows Enterprise SA license:
| SKU | Description |
|---------|---------|
| **AAA-51069** | `Win OLS Activation User Alng Sub Add-on E3` |
| **AAA-51068** | `Win OLS Activation User Sub Add-on E5` |
| **VRM-00001** | `Win OLS Activation User GCC Sub Per User` <!-- 6783128 --> |
> [!NOTE]
> As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants.<!-- 6783128 -->
1. After an order is placed, the OLS admin on the agreement will receive a service activation email, which indicates the subscription licenses have been provisioned on the tenant.
1. You can now assign subscription licenses to users.
If you need to update contact information and resend the activation email, use the following process:
1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
1. Select **Subscriptions**.
1. Select **Online Services Agreement List**.
1. Enter your agreement number, and then select **Search**.
1. Select the **Service Name**.
1. In the **Subscription Contact** section, select the name listed under **Last Name**.
1. Update the contact information, then select **Update Contact Details**. This action will trigger a new email.
## Preparing for deployment: reviewing requirements
- Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro
- Azure AD-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible.
For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this article.
### Active Directory synchronization with Azure AD
If you have an on-premises Active Directory Domain Services (AD DS) domain, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. This synchronization is required for users to have a _single identity_ that they can use to access their on-premises apps and cloud services that use Azure AD. An example of a cloud service is Windows Enterprise E3 or E5.
**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. Azure AD Connect is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
:::image type="content" source="images/enterprise-e3-ad-connect.png" alt-text="Figure 1 illustrates the integration between the on-premises AD DS domain with Azure AD.":::
Figure 1: On-premises AD DS integrated with Azure AD
For more information about integrating on-premises AD DS domains with Azure AD, see the following resources:
- [What is hybrid identity with Azure Active Directory?](/azure/active-directory/hybrid/whatis-hybrid-identity)
- [Azure AD Connect and Azure AD Connect Health installation roadmap](/azure/active-directory/hybrid/how-to-connect-install-roadmap)
## Assigning licenses to users
After you've ordered the Windows subscription (Windows 10 Business, E3 or E5), you'll receive an email with guidance on how to use Windows as an online service:
:::image type="content" source="images/al01.png" alt-text="An example email from Microsoft to complete your profile after purchasing Online Services through Microsoft Volume Licensing.":::
The following methods are available to assign licenses:
- When you have the required Azure AD subscription, [group-based licensing](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
- You can sign in to the Microsoft 365 admin center and manually assign licenses:
:::image type="content" source="images/al02.png" alt-text="A screenshot of the admin center, showing assignment of the Windows 10 Enterprise E3 product license to a specific user.":::
- You can assign licenses by uploading a spreadsheet.
- [How to use PowerShell to automatically assign licenses to your Microsoft 365 users](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx).
> [!TIP]
> Other solutions may exist from the community. For example, a Microsoft MVP shared the following process: [Assign EMS licenses based on local Active Directory group membership](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/).
## Explore the upgrade experience
Now that you've established a subscription and assigned licenses to users, you can upgrade devices running supported versions of Windows 10 Pro or Windows 11 Pro to Enterprise edition.
> [!NOTE]
> * Windows 10/11 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. Windows 11 is considered "later" in this context.
> * Windows 10/11 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
> * Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key.
> * Windows 10/11 Enterprise Subscription Activation requires Windows 10/11 Enterprise per user licensing; it doesn't work on per device based licensing.
> The following experiences are specific to Windows 10. The general concepts also apply to Windows 11.
### Step 1: Join Windows Pro devices to Azure AD
You can join a Windows Pro device to Azure AD during setup, the first time the device starts. You can also join a device that's already set up.
#### Join a device to Azure AD the first time the device is started
1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then select **Next**.
:::image type="content" source="images/enterprise-e3-who-owns.png" alt-text="A screenshot of the 'Who owns this PC?' page in Windows 10 setup.":::
Figure 2: The "Who owns this PC?" page in initial Windows 10 setup.
1. On the **Choose how you'll connect** page, select **Join Azure AD**, and then select **Next**.
:::image type="content" source="images/enterprise-e3-choose-how.png" alt-text="A screenshot of the 'Choose how you'll connect' page in Windows 10 setup.":::
Figure 3: The "Choose how you'll connect" page in initial Windows 10 setup.
1. On the **Let's get you signed in** page, enter your Azure AD credentials, and then select **Sign in**.
:::image type="content" source="images/enterprise-e3-lets-get.png" alt-text="A screenshot of the 'Let's get you signed in' page in Windows 10 setup.":::
Figure 4: The "Let's get you signed in" page in initial Windows 10 setup.
Now the device is Azure AD-joined to the organization's subscription.
#### Join a device to Azure AD when the device is already set up with Windows 10 Pro
> [!IMPORTANT]
> An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device isn't able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0.
>
>Also ensure that the Group Policy setting: Computer Configuration > Administrative Templates > Windows Components > Windows Update > "Do not connect to any Windows Update Internet locations" is set to "Disabled".
> Make sure that the user you're signing in with is _not_ the **BUILTIN/Administrator** account. That user can't use the `+ Connect` action to join a work or school account.
## Firmware-embedded activation key
1. Go to **Settings**, select **Accounts**, and select **Access work or school**.
To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt:
:::image type="content" source="images/enterprise-e3-connect-to-work-or-school.png" alt-text="A screenshot of the 'Connect to work or school' settings page.":::
Figure 5: "Connect to work or school" configuration in Settings.
1. In **Set up a work or school account**, select **Join this device to Azure Active Directory**.
:::image type="content" source="images/enterprise-e3-set-up-work-or-school.png" alt-text="A screenshot of the 'Set up a work or school account' wizard.":::
Figure 6: Set up a work or school account.
1. On the **Let's get you signed in** page, enter your Azure AD credentials, and then select **Sign in**.
:::image type="content" source="images/enterprise-e3-lets-get-2.png" alt-text="A screenshot of the 'Let's get you signed in' window.":::
Figure 7: The "Let's get you signed in" window.
Now the device is Azure AD-joined to the organization's subscription.
### Step 2: Pro edition activation
If the device is running a supported version of Windows 10 or Windows 11, it automatically activates Windows Enterprise edition using the firmware-embedded activation key.
### Step 3: Sign in using Azure AD account
Once the device is joined to Azure AD, users will sign in with their Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
:::image type="content" source="images/enterprise-e3-sign-in.png" alt-text="A screenshot of signing in to Windows 10 as an Azure AD user.":::
Figure 8: Sign in to Windows 10 with an Azure AD account.
### Step 4: Verify that Enterprise edition is enabled
To verify the Windows Enterprise E3 or E5 subscription, go to **Settings**, select **Update & Security**, and select **Activation**.
:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt-text="A screenshot of verifying Windows 10 Enterprise activation in Settings.":::
Figure 9: Verify Windows 10 Enterprise subscription in Settings.
If there are any problems with the Windows Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
> [!NOTE]
> If you use the `slmgr /dli` or `slmgr /dlv` commands to get the activation information for the E3 or E5 license, the license information displayed will be similar to the following output:
>
> ```console
> Name: Windows(R), Professional edition
> Description: Windows(R) Operating System, RETAIL channel
> Partial Product Key: 3V66T
> ```
## Troubleshoot the user experience
In some instances, users may experience problems with the Windows Enterprise E3 or E5 subscription. The most common problems that users may experience are the following issues:
- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed.
- An earlier version of Windows 10 Pro isn't activated. For example, Windows 10, versions 1703 or 1709.
### Troubleshoot common problems in the Activation pane
Use the following figures to help you troubleshoot when users experience common problems:
#### Device in healthy state
The following image illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.
:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's healthy and successfully activated.":::
#### Device that's not activated with active subscription
Figure 10 illustrates a device on which the Windows 10 Pro isn't activated, but the Windows 10 Enterprise subscription is active.
:::image type="content" source="images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that isn't activated but the subscription is active.":::
Figure 10: Windows 10 Pro, version 1703 edition not activated in Settings.
It displays the following error: "We can't activate Windows on this device right now. You can try activating again later or go to the Store to buy genuine Windows. Error code: 0xC004F034."
#### Device that's activated without an Enterprise subscription
Figure 11 illustrates a device on which the Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed.
:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's activated but the subscription isn't active.":::
Figure 11: Windows 10 Enterprise subscription lapsed or removed in Settings.
It displays the following error: "Windows 10 Enterprise subscription is not valid."
#### Device that's not activated and without an Enterprise subscription
Figure 12 illustrates a device on which the Windows 10 Pro license isn't activated and the Windows 10 Enterprise subscription is lapsed or removed.
:::image type="content" source="images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's not activated and the subscription isn't active.":::
Figure 12: Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings.
It displays both of the previously mentioned error messages.
### Review requirements on devices
Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro. Earlier versions of Windows 10, such as version 1703, don't support this feature.
Devices must also be joined to Azure AD, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible.
Use the following procedures to review whether a particular device meets these requirements.
#### Firmware-embedded activation key
To determine if the computer has a firmware-embedded activation key, enter the following command at an elevated Windows PowerShell prompt:
```PowerShell
(Get-CimInstance -query select * from SoftwareLicensingService).OA3xOriginalProductKey
(Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey
```
If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.
## Enabling Subscription Activation with an existing EA
#### Determine if a device is Azure AD-joined
If you're an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant:
1. Open a command prompt and enter `dsregcmd /status`.
1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:
1. Review the output in the **Device State** section. If the **AzureAdJoined** value is **YES**, the device is joined to Azure AD.
- **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3
- **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5
2. After an order is placed, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.
3. The admin can now assign subscription licenses to users.
#### Determine the version of Windows
Use the following process if you need to update contact information and retrigger activation in order to resend the activation email:
1. Open a command prompt and enter `winver`.
1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
2. Click **Subscriptions**.
3. Click **Online Services Agreement List**.
4. Enter your agreement number, and then click **Search**.
5. Click the **Service Name**.
6. In the **Subscription Contact** section, click the name listed under **Last Name**.
7. Update the contact information, then click **Update Contact Details**. This action will trigger a new email.
1. The **About Windows** window displays the OS version and build information.
Also in this article:
- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses.
- [Troubleshoot the user experience](#troubleshoot-the-user-experience): Examples of some license activation issues that can be encountered, and how to resolve them.
1. Compare this information again the Windows support lifecycle:
## Active Directory synchronization with Azure AD
You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10/11 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD.
You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10/11 Enterprise E3 or E5). This synchronization means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
![Illustration of Azure Active Directory Connect.](images/enterprise-e3-ad-connect.png)
**Figure 1. On-premises AD DS integrated with Azure AD**
For more information about integrating on-premises AD DS domains with Azure AD, see the following resources:
- [Integrating your on-premises identities with Azure Active Directory](/azure/active-directory/hybrid/whatis-hybrid-identity)
- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/)
- [Windows 10 release information](/windows/release-health/release-information)
- [Windows 11 release information](/windows/release-health/windows11-release-information)
> [!NOTE]
> If you're implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers.
> If a device is running a version of Windows 10 Pro prior to version 1703, it won't upgrade to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
## Preparing for deployment: reviewing requirements
### Delay in the activation of Enterprise license of Windows 10
Devices must be running Windows 10 Pro, version 1703, or later and be Azure Active Directory-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
This delay is by design. Windows 10 and Windows 11 include a built-in cache that's used when determining upgrade eligibility. This behavior includes processing responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires.
## Assigning licenses to users
## Known issues
Upon acquisition of Windows 10/11 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service:
If a device isn't able to connect to Windows Update, it can lose activation status or be blocked from upgrading to Windows Enterprise. To work around this issue:
> [!div class="mx-imgBorder"]
> ![profile.](images/al01.png)
- Make sure that the device doesn't have the following registry value: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations = 1 (REG_DWORD)`. If this registry value exists, it must be set to `0`.
The following methods are available to assign licenses:
1. When you have the required Azure AD subscription, [group-based licensing](/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
2. You can sign in to portal.office.com and manually assign licenses:
![portal.](images/al02.png)
3. You can assign licenses by uploading a spreadsheet.
4. A per-user [PowerShell scripted method](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available.
5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses.
## Explore the upgrade experience
Now that your subscription has been established and Windows 10/11 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10/11 Enterprise. What will the users experience? How will they upgrade their devices?
### Step 1: Join Windows 10/11 Pro devices to Azure AD
Users can join a Windows 10/11 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703 or later.
**To join a device to Azure AD the first time the device is started**
1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.<br/><br/>
<img src="images/enterprise-e3-who-owns.png" alt="Who owns this PC? page in Windows 10 setup" width="624" height="351" />
**Figure 2. The “Who owns this PC?” page in initial Windows 10 setup**
2. On the **Choose how youll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.<br/><br/>
<img src="images/enterprise-e3-choose-how.png" alt="Choose how you'll connect - page in Windows 10 setup" width="624" height="351" />
**Figure 3. The “Choose how youll connect” page in initial Windows 10 setup**
3. On the **Lets get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.<br/><br/>
<img src="images/enterprise-e3-lets-get.png" alt="Let's get you signed in - page in Windows 10 setup" width="624" height="351" />
**Figure 4. The “Lets get you signed in” page in initial Windows 10 setup**
Now the device is Azure ADjoined to the companys subscription.
**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up**
>[!IMPORTANT]
>Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account.
1. Go to **Settings &gt; Accounts &gt; Access work or school**, as illustrated in **Figure 5**.<br/><br/>
<img src="images/enterprise-e3-connect-to-work-or-school.png" alt="Connect to work or school configuration" width="624" height="482" />
**Figure 5. Connect to work or school configuration in Settings**
2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.<br/><br/>
<img src="images/enterprise-e3-set-up-work-or-school.png" alt="Set up a work or school account" width="624" height="603" />
**Figure 6. Set up a work or school account**
3. On the **Lets get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.<br/><br/>
<img src="images/enterprise-e3-lets-get-2.png" alt="Let's get you signed in - dialog box" width="624" height="603" />
**Figure 7. The “Lets get you signed in” dialog box**
Now the device is Azure ADjoined to the company's subscription.
### Step 2: Pro edition activation
> [!IMPORTANT]
> If your device is running Windows 10, version 1803 or later, this step isn't needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.
> If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 7a**.
<br/><span id="win-10-pro-activated"/>
<img src="images/sa-pro-activation.png" alt="Windows 10 Pro activated" width="710" height="440" />
<br><strong>Figure 7a - Windows 10 Pro activation in Settings</strong>
Windows 10/11 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only).
### Step 3: Sign in using Azure AD account
Once the device is joined to your Azure AD subscription, the users will sign in by using their Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
<br/><img src="images/enterprise-e3-sign-in.png" alt="Sign in, Windows 10" width="624" height="351" />
**Figure 8. Sign in by using Azure AD account**
### Step 4: Verify that Enterprise edition is enabled
You can verify the Windows 10/11 Enterprise E3 or E5 subscription in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 9**.
<br/><span id="win-10-activated-subscription-active"/>
<img src="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt="Windows 10 activated and subscription active" width="624" height="407" />
**Figure 9 - Windows 10 Enterprise subscription in Settings**
If there are any problems with the Windows 10/11 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
> [!NOTE]
> If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:
> Name: Windows(R), Professional edition
> Description: Windows(R) Operating System, RETAIL channel
> Partial Product Key: 3V66T
- Make sure that the following group policy setting is **disabled**: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations.
## Virtual Desktop Access (VDA)
Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [Qualified Multitenant Hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download).
Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md).
## Troubleshoot the user experience
In some instances, users may experience problems with the Windows 10/11 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows:
- The existing Windows 10 Pro, version 1703 or 1709 operating system isn't activated. This problem doesn't apply to Windows 10, version 1803 or later.
- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed.
Use the following figures to help you troubleshoot when users experience these common problems:
- [Figure 9](#win-10-activated-subscription-active) (see the section above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.
- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro isn't activated, but the Windows 10 Enterprise subscription is active.
<br/><span id="win-10-not-activated"/>
<img src="images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png" alt="Windows 10 not activated and subscription active" width="624" height="407" />
<br><strong>Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings</strong>
- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed.
<br/><span id="subscription-not-active"/>
<img src="images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png" alt="Windows 10 activated and subscription not active" width="624" height="407" />
<br><strong>Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings</strong>
- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license isn't activated and the Windows 10 Enterprise subscription is lapsed or removed.
<br/><span id="win-10-not-activated-subscription-not-active"/>
<img src="images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png" alt="Windows 10 not activated and subscription not active" width="624" height="407" />
<br><strong>Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings</strong>
### Review requirements on devices
Devices must be running Windows 10 Pro, version 1703 (or later), and be Azure Active Directory-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
**To determine if a device is Azure Active Directory-joined:**
1. Open a command prompt and type **dsregcmd /status**.
2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory-joined.
**To determine the version of Windows 10:**
At a command prompt, type: **winver**
A popup window will display the Windows 10 version number and detailed OS build information.
If a device is running a version of Windows 10 Pro prior to version 1703 (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
### Delay in the activation of Enterprise License of Windows 10
This delay is by design. Windows 10 and Windows 11 include a built-in cache that is used when determining upgrade eligibility, including responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires.
Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another [qualified multitenant hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download).
Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Azure AD-joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md).

BIN
windows/deployment/images/sa-pro-activation.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 44 KiB

144
windows/deployment/update/olympia/olympia-enrollment-guidelines.md
View File

@ -1,138 +1,42 @@
---
title: Olympia Corp enrollment guidelines
description: Learn about the Olympia Corp enrollment and setting up an Azure Active Directory-REGISTERED Windows client device or an Azure Active Directory-JOINED Windows client device.
ms.author: aaroncz
title: Olympia Corp Retirement
description: Learn about the retirement of Olympia Corp and how to back up your data prior to October 31, 2022.
ms.author: lizlong
ms.topic: article
ms.prod: w10
ms.technology: windows
author: aczechowski
author: lizgt2000
ms.reviewer:
manager: dougeby
ms.custom: seo-marvel-apr2020
manager: aaroncz
---
# Olympia Corp
<!-- 6472736 -->
**Applies to**
- Windows 10
- Windows 11
## What is Windows Insider Lab for Enterprise and Olympia Corp?
## Retirement of Olympia Corp
Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release enterprise privacy and security features. To get the complete experience of these enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features.
Olympia Corp, a virtual corporation was set up to reflect the IT infrastructure of real world businesses.</br>
Olympia will be formally retired on October 31, 2022.</br>
We'll begin unassigning Olympia licenses and deleting the Olympia feedback path on Feedback Hub. Olympia Corp will no longer be a part of Windows Insider Lab for Enterprise.
As an Olympia user, you will have an opportunity to:
> [!WARNING]
> To prevent data loss, Olympia participants need to complete the following:
> - If you're using the provided Olympia licenses, make a back up of any data as you'll lose data once we unassign the licenses.
> - Please remove your device from Olympia before October 31, 2022.
- Use various enterprise features like Windows Information Protection (WIP), Microsoft Defender for Office 365, Windows Defender Application Guard (WDAG), and Application Virtualization (APP-V).
- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness.
- Validate and test pre-release software in your environment.
- Provide feedback.
- Interact with engineering team members through a variety of communication channels.
To remove the account from Azure Active Directory, follow the steps below:
>[!Note]
>Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the enterprise features at any time without notice.
1. Open the **Settings** app.
1. Go to **Accounts** > **Access work or school**.
1. Select the connected account that you want to remove, then select **Disconnect**.
1. To confirm device removal, select **Yes**.
For more information about Olympia Corp, see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ).
- After removing your account from Olympia, log in to your device using your local account.
To request an Olympia Corp account, fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia).
## Enrollment guidelines
Welcome to Olympia Corp. Here are the steps needed to enroll.
As part of Windows Insider Lab for Enterprise, you can upgrade to Windows client Enterprise from Windows client Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows client Enterprise, we recommend you to upgrade.
Choose one of the following two enrollment options:
- To set up an Azure Active Directory-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account.
- If you are running Windows client Pro, we recommend that you upgrade to Windows client Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account.
<a id="enrollment-keep-current-edition"></a>
### Set up an Azure Active Directory-REGISTERED Windows client device
This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Azure AD register FAQ](/azure/active-directory/devices/faq) for additional information.
1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/windows/create-a-local-user-or-administrator-account-in-windows-20de74e0-ac7f-3502-a866-32915af2a34d)).
![Settings -> Accounts.](images/1-1.png)
2. If you are already connected to a domain, select the existing account and then select **Disconnect**. Select **Restart Later**.
3. Select **Connect** and enter your **Olympia corporate account** (for example, username@olympia.windows.com). Select **Next**.
![Entering account information when setting up a work or school account.](images/1-3.png)
4. Enter the temporary password that was sent to you. Select **Sign in**. Follow the instructions to set a new password.
> [!NOTE]
> Passwords should contain 8-16 characters, including at least one special character or number.
![Update your password.](images/1-4.png)
5. Read the **Terms and Conditions**. Select **Accept** to participate in the program.
6. If this is the first time you are logging in, fill in the additional information to help you retrieve your account details.
7. Create a PIN for signing into your Olympia corporate account.
8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Select on the current Windows Insider account, and select **Change**. Sign in with your **Olympia corporate account**.
> [!NOTE]
> To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
<a id="enrollment-upgrade-to-enterprise"></a>
### Set up Azure Active Directory-JOINED Windows client device
- This method will upgrade your Windows client Pro license to Enterprise and create a new account. See [Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join) for more information.
> [!NOTE]
> Make sure that you save your Pro license key before upgrading to the Enterprise edition. If the device gets disconnected from Olympia, you can use the Pro key to reactivate the license manually in the unlikely event that the license fails to downgrade back to Pro automatically. To reactivate manually, see [Upgrade by manually entering a product key](../../upgrade/windows-10-edition-upgrades.md#upgrade-by-manually-entering-a-product-key).
1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/windows/create-a-local-user-or-administrator-account-in-windows-20de74e0-ac7f-3502-a866-32915af2a34d)).
![Settings -> Accounts.](images/1-1.png)
2. If you are already connected to a domain, select the existing account and then select **Disconnect**. Select **Restart Later**.
3. Select **Connect**, then select **Join this device to Azure Active Directory**.
![Joining device to Azure AD.](images/2-3.png)
4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Select **Next**.
![Set up a work or school account.](images/2-4.png)
5. Enter the temporary password that was sent to you. Select **Sign in**. Follow the instructions to set a new password.
> [!NOTE]
> Passwords should contain 8-16 characters, including at least one special character or number.
![Entering temporary password.](images/2-5.png)
6. When asked to make sure this is your organization, verify that the information is correct. If so, select **Join**.
7. If this is the first time you are signing in, fill in the additional information to help you retrieve your account details.
8. Create a PIN for signing into your Olympia corporate account.
9. When asked to make sure this is your organization, verify that the information is correct. If so, select **Join**.
10. Restart your device.
11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows client Enterprise.
12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Select on the current Windows Insider account, and select **Change**. Sign in with your **Olympia corporate account**.
> [!NOTE]
> To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness).
13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
>[!NOTE]
> Your Windows client Enterprise license won't be renewed if your device isn't connected to Olympia.
- If you're looking for another program to join, the program we recommend is the Windows Insider Program for Business. Follow the instructions below to register:
[Register for the Windows 10 Insider Program for Business](/windows-insider/business/register)
<!-- https://learn.microsoft.com/en-us/windows-insider/business/register -->
Thank you for your participation in Olympia and email Windows Insider Lab for Enterprise [olympia@microsoft.com](mailto:olympia@microsoft.com) with any questions.

12
windows/deployment/windows-10-subscription-activation.md
View File

@ -14,15 +14,13 @@ search.appverid:
- MET150
ms.topic: conceptual
ms.date: 07/12/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
---
# Windows subscription activation
Applies to:
- Windows 10
- Windows 11
The subscription activation feature enables you to "step-up" from Windows Pro edition to Enterprise or Education editions. You can use this feature if you're subscribed to Windows Enterprise E3 or E5 licenses. Subscription activation also supports step-up from Windows Pro Education edition to Education edition.
If you have devices that are licensed for earlier versions of Windows Professional, Microsoft 365 Business Premium provides an upgrade to Windows Pro edition, which is the prerequisite for deploying [Windows Business](/microsoft-365/business-premium/microsoft-365-business-faqs#what-is-windows-10-business).
@ -100,7 +98,7 @@ The following list illustrates how deploying Windows client has evolved with eac
> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems).
> [!IMPORTANT]
> Currently, subscription activation is only available on commercial tenants. It's currently not available on US GCC, GCC High, or DoD tenants.
> As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants.<!-- 6783128 --> For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements:
@ -218,7 +216,7 @@ $(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if (
If your organization has an Enterprise Agreement (EA) or Software Assurance (SA):
- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD. Ideally, you assign the licenses to groups using the Azure AD Premium feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enabling-subscription-activation-with-an-existing-ea).
- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD. Ideally, you assign the licenses to groups using the Azure AD Premium feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
- The license administrator can assign seats to Azure AD users with the same process that's used for Microsoft 365 Apps.

24
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
View File

@ -231,6 +231,30 @@ After a successful MFA, the provisioning flow asks the user to create and valida
Once a user has set up a PIN with cloud Kerberos trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity.
## Migrate from key trust deployment model to cloud Kerberos trust
If you deployed WHFB using the **key trust** deployment model, and want to migrate to the **cloud Kerberos trust** deployment model, follow these steps:
1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos)
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
1. For hybrid Azure AD joined devices, sign out and sign in the device using Windows Hello for Business with line of sight to a domain controller (DC). Without line of sight to DC, even when the policy is set to "UseCloudTrustForOnPremAuth", the system will fall back to key trust if cloud Kerberos trust login fails
## Migrate from certificate trust deployment model to cloud Kerberos trust
> [!IMPORTANT]
> There is no direct migration path from certificate trust deployment to cloud Kerberos trust deployment.
If you have deployed WHFB using a **certificate trust** deployment model, and want to use **cloud Kerberos trust**, you will need to clean up the existing deployments and redeploy by following these steps:
1. Disable the certificate trust policy
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context
1. Reboot or sign out and sign back in
1. Provision Windows Hello for Business (Enroll PIN/Face/Fingerprint)
> [!NOTE]
> For hybrid Azure AD joined devices, sign in with new credentials while having line of sight to a DC.
## Troubleshooting
If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the Windows Feedback Hub app by following these steps:

2
windows/security/threat-protection/windows-defender-application-control/TOC.yml
View File

@ -85,6 +85,8 @@
href: merge-windows-defender-application-control-policies.md
- name: Enforce WDAC policies
href: enforce-windows-defender-application-control-policies.md
- name: Managing WDAC Policies with CI Tool
href: citool-commands.md
- name: Use code signing to simplify application control for classic Windows applications
href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
items:

105
windows/security/threat-protection/windows-defender-application-control/citool-commands.md Normal file
View File

@ -0,0 +1,105 @@
---
title: Managing CI Policies and Tokens with CiTool
description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands in CiTool
author: valemieux
ms.author: jogeurte
ms.service: security
ms.reviewer: jogeurte
ms.topic: how-to
ms.date: 08/07/2022
ms.custom: template-how-to
---
# Manage Windows Defender Application Control (WDAC) Policies with CI Tool
CI Tool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. This article describes how to use CI Tool to update and manage policies. CI Tool is currently included in Windows 11, version 22H2.
## Policy Commands
| Command | Description | Alias |
|--------|---------|---------|
| --update-policy `</Path/To/Policy/File>` | Add or update a policy on the current system | -up |
| --remove-policy `<PolicyGUID>` | Remove a policy indicated by PolicyGUID from the system | -rp |
| --list-policies | Dump information about all policies on the system, whether they are active or not | -lp |
## Token Commands
| Command | Description | Alias |
|--------|---------|---------|
| --add-token `<Path/To/Token/File>` <--token-id ID> | Deploy a token onto the current system, with an optional specific ID. | -at |
| --remove-token `<ID>` | Remove a Token indicated by ID from the system. | -rt |
| --list-tokens | Dump information about all tokens on the system | -lt |
> [!NOTE]
> Regarding --add-token, if `<ID>` is specified, a pre-existing token with `<ID>` should not exist.
## Miscellaneous Commands
| Command | Description | Alias |
|--------|---------|---------|
| --device-id | Dump the Code Integrity Device ID | -id |
| --refresh | Attempt to Refresh WDAC Policies | -r |
| --help | Display the tool's help menu | -h |
## Examples
1. Deploy a WDAC policy onto the system
```powershell
PS C:\Users\<USER> CITool --update-policy "\Windows\Temp\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip"
Operation Successful
Press Enter to Continue
```
2. Refresh the WDAC policies
```powershell
PS C:\Users\<USER> CITool --refresh
Operation Successful
```
3. Remove a specific WDAC policy by its policy ID
```powershell
PS C:\Users\<USER> CiTool --remove-policy "{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}"
Operation Successful
Press Enter to Continue
```
4. Display the help menu
```powershell
PS C:\Users\<USER> CITool -h
----------------------------- Policy Commands ---------------------------------
--update-policy /Path/To/Policy/File
Add or update a policy on the current system
aliases: -up
--remove-policy PolicyGUID
Remove a policy indicated by PolicyGUID from the system
aliases: -rp
--list-policies
Dump information about all policies on the system, whether they be active or not
aliases: -lp
----------------------------- Token Commands ---------------------------------
--add-token Path/To/Token/File <--token-id ID>
Deploy a token onto the current system, with an optional specific ID
If <ID> is specified, a pre-existing token with <ID> should not exist.
aliases:-at
--remove-token ID
Remove a Token indicated by ID from the system.
aliases: -rt
--list-tokens
Dump information about all tokens on the system
aliases: -lt
----------------------------- Misc Commands ---------------------------------
--device-id
Dump the Code Integrity Device Id
aliases: -id
--refresh
Attempt to Refresh CI Policies
aliases: -r
--help
Display this message
aliases: -h
```

2
windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
View File

@ -2,7 +2,6 @@
title: Understanding Windows Defender Application Control (WDAC) secure settings
description: Learn about secure settings in Windows Defender Application Control.
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.collection: M365-security-compliance
author: jgeurten
@ -10,6 +9,7 @@ ms.reviewer: vinpa
ms.author: jogeurte
manager: aaroncz
ms.date: 10/11/2021
ms.technology: itpro-security
---
# Understanding WDAC Policy Settings