deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 05:07:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into DHAppLogin

Browse Source
This commit is contained in:
jaimeo 2018-03-28 13:30:24 -07:00
commit 2f4e25d8a1
73 changed files with 2452 additions and 1405 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.openpublishing.publish.config.json
View File

@ -476,7 +476,7 @@
}
],
"notification_subscribers": [
"brianlic@microsoft.com"
"elizapo@microsoft.com"
],
"branches_to_filter": [
""

5
.openpublishing.redirection.json
View File

@ -6185,6 +6185,11 @@
"redirect_url": "/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions",
"redirect_document_id": true
},
{
"source_path": "windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md",
"redirect_url": "/windows/configuration/setup-kiosk-digital-signage",
"redirect_document_id": true
},
{
"source_path": "windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md",
"redirect_url": "/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition",

3
devices/hololens/hololens-provisioning.md
View File

@ -36,7 +36,6 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D
>Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md).
1. On the Windows Configuration Designer start page, select **Advanced provisioning**.
2. In the **Enter project details** window, specify a name for your project and the location for your project. Optionally, enter a brief description to describe your project.
3. Click **Next**.
@ -68,7 +67,7 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D
6. On the **Select security details for the provisioning package**, click **Next**.
>[WARNING!]
>[!WARNING]
>If you encrypt the provisioning package, provisioning the HoloLens device will fail.
7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location.

2
devices/hololens/hololens-upgrade-enterprise.md
View File

@ -12,7 +12,7 @@ ms.date: 02/02/2018
# Unlock Windows Holographic for Business features
Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/mixed-reality/release_notes_-_august_2016#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business.
Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://docs.microsoft.com/windows/mixed-reality/commercial-features), which provides extra features designed for business.
When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic for Business. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package).

8
devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
View File

@ -45,26 +45,26 @@ Recent additions to the downloads for Surface devices provide you with options t
## Surface Book 2
Download the following updates for Surface Book 2 from the Microsoft Download Center.
Download the following updates for [Surface Book 2 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56261).
* SurfaceBook2_Win10_xxxxx_xxxxxx.msi Cumulative firmware and driver update package for Windows 10
## Surface Laptop
Download the following updates for Surface Laptop from the Microsoft Download Center.
Download the following updates for [Surface Laptop from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55489).
* SurfaceLaptop_Win10_xxxxx_xxxxxx.msi Cumulative firmware and driver update package for Windows 10
## Surface Pro
Download the following updates for Surface Pro (Model 1796) from the Microsoft Download Center.
Download the following updates for [Surface Pro (Model 1796) from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55484).
* SurfacePro_Win10_xxxxx_xxxxxx.msi Cumulative firmware and driver update package for Windows 10
## Surface Pro with LTE Advanced
Download the following updates for Surface Pro with LTE Advanced from the Microsoft Download Center.
Download the following updates for [Surface Pro with LTE Advanced from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56278).
* SurfacePro_LTE_Win10_xxxxx_xxxxxx.msi Cumulative firmware and driver update package for Windows 10
## Surface Studio

64
education/index.md
View File

@ -18,7 +18,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage">
<img data-hoverimage="/media/common/i_advanced.svg" src="/media/common/i_advanced.svg" alt="Learn more about Microsoft Education products." />
<img data-hoverimage="/media/common/i_advanced.svg" src="/media/common/i_advanced.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -36,7 +36,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage">
<img data-hoverimage="/media/common/i_get-started.svg" src="/media/common/i_get-started.svg" alt="For IT Pros: Get started with Microsoft Education" />
<img data-hoverimage="/media/common/i_get-started.svg" src="/media/common/i_get-started.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -54,7 +54,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage">
<img data-hoverimage="/media/common/i_download-install.svg" src="/media/common/i_download-install.svg" alt="Test Windows 10 S for education" />
<img data-hoverimage="/media/common/i_download-install.svg" src="/media/common/i_download-install.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -88,7 +88,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/M365-education.svg" alt="Learn about Microsoft 365 Education" />
<img src="images/M365-education.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -107,7 +107,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-get-started.svg" alt="For IT Pros: Get started with Microsoft Education" />
<img src="/media/hubs/education/education-pro-get-started.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -126,7 +126,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-office365.svg" alt="Office 365 for Education" />
<img src="/media/hubs/education/education-pro-office365.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -145,7 +145,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-intune.svg" alt="Microsoft Intune for Education" />
<img src="/media/hubs/education/education-pro-intune.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -164,7 +164,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-windows10.svg" alt="Windows 10 for Education" />
<img src="/media/hubs/education/education-pro-windows10.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -183,7 +183,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-school-data.svg" alt="School Data Sync" />
<img src="/media/hubs/education/education-pro-school-data.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -202,7 +202,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-azure-directory.svg" alt="Azure Active Directory" />
<img src="/media/hubs/education/education-pro-azure-directory.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -221,7 +221,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-store.svg" alt="Microsoft Store for Education" />
<img src="/media/hubs/education/education-pro-store.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -240,7 +240,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-minecraft.svg" alt="Minecraft: Educaton Edition" />
<img src="/media/hubs/education/education-pro-minecraft.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -259,7 +259,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/education-pro-usb.svg" alt="Set up School PCs" />
<img src="images/education-pro-usb.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -278,7 +278,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/education-ms-teams.svg" alt="Meet Microsoft Teams" />
<img src="images/education-ms-teams.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -312,7 +312,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-teachers-office-help.svg" alt="Office help and training" />
<img src="/media/hubs/education/education-teachers-office-help.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -331,7 +331,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-teachers-windows-help.svg" alt="Windows help" />
<img src="/media/hubs/education/education-teachers-windows-help.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -350,7 +350,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-store.svg" alt="Microsoft Store for Education" />
<img src="/media/hubs/education/education-pro-store.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -369,7 +369,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-minecraft.svg" alt="Minecraft: Education Edition" />
<img src="/media/hubs/education/education-pro-minecraft.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -388,7 +388,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-teachers-educator-community.svg" alt="Microsoft Educator Community" />
<img src="/media/hubs/education/education-teachers-educator-community.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -407,7 +407,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/education-ms-teams.svg" alt="Meet Microsoft Teams" />
<img src="images/education-ms-teams.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -426,7 +426,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/education-pro-usb.svg" alt="Set up School PCs" />
<img src="images/education-pro-usb.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -460,7 +460,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-students-help.svg" alt="Get started for students" />
<img src="/media/hubs/education/education-students-help.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -479,7 +479,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-students-office-help.svg" alt="Office help and training" />
<img src="/media/hubs/education/education-students-office-help.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -498,7 +498,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-students-windows-help.svg" alt="Windows help" />
<img src="/media/hubs/education/education-students-windows-help.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -517,7 +517,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-students-imagine.svg" alt="Microsoft Imagine" />
<img src="/media/hubs/education/education-students-imagine.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -551,7 +551,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-developers-uwp-apps.svg" alt="UWP apps for education" />
<img src="/media/hubs/education/education-developers-uwp-apps.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -570,7 +570,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-developers-api-test.svg" alt="Take a Test API" />
<img src="/media/hubs/education/education-developers-api-test.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -589,7 +589,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-developers-office-education.svg" alt="Office Education Dev Center" />
<img src="/media/hubs/education/education-developers-office-education.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -623,7 +623,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/education-partner-mepn-1.svg" alt="Microsoft Education Partner Network" />
<img src="images/education-partner-mepn-1.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -642,7 +642,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/education-partner-aep-2.svg" alt="Authorized Education Partner home page" />
<img src="images/education-partner-aep-2.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -661,7 +661,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/education-partner-directory-3.svg" alt="Authorized Education Partner directory" />
<img src="images/education-partner-directory-3.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -680,7 +680,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/education-partner-yammer.svg" alt="Education Partner community Yammer group" />
<img src="images/education-partner-yammer.svg" alt="" />
</div>
</div>
<div class="cardText">

3
store-for-business/TOC.md
View File

@ -15,7 +15,7 @@
### [Assign apps to employees](assign-apps-to-employees.md)
### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
### [Distribute offline apps](distribute-offline-apps.md)
## [Manage apps and devices](manage-apps-microsoft-store-for-business-overview.md)
## [Manage products and services](manage-apps-microsoft-store-for-business-overview.md)
### [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-microsoft-store-for-business.md)
### [Manage app orders in Microsoft Store for Business and Education](manage-orders-microsoft-store-for-business.md)
### [Manage access to private store](manage-access-to-private-store.md)
@ -23,6 +23,7 @@
### [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md)
### [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md)
### [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md)
### [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](manage-mpsa-software-microsoft-store-for-business.md)
## [Device Guard signing portal](device-guard-signing-portal.md)
### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)

3
store-for-business/education/TOC.md
View File

@ -20,7 +20,7 @@
### [Assign apps to employees](/microsoft-store/assign-apps-to-employees?toc=/microsoft-store/education/toc.json)
### [Distribute apps with a management tool](/microsoft-store/distribute-apps-with-management-tool?toc=/microsoft-store/education/toc.json)
### [Distribute offline apps](/microsoft-store/distribute-offline-apps?toc=/microsoft-store/education/toc.json)
## [Manage apps](/microsoft-store/manage-apps-microsoft-store-for-business-overview?toc=/microsoft-store/education/toc.json)
## [Manage products and services](/microsoft-store/manage-apps-microsoft-store-for-business-overview?toc=/microsoft-store/education/toc.json)
### [App inventory managemement for Microsoft Store for Business](/microsoft-store/app-inventory-management-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
### [Manage app orders in Microsoft Store for Business and Education](/microsoft-store/manage-orders-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
### [Manage access to private store](/microsoft-store/manage-access-to-private-store?toc=/microsoft-store/education/toc.json)
@ -28,6 +28,7 @@
### [Configure MDM provider](/microsoft-store/configure-mdm-provider-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
### [Manage Windows device deployment with Windows AutoPilot Deployment](/microsoft-store/add-profile-to-devices?toc=/microsoft-store/education/toc.json)
### [Microsoft Store for Business and Education PowerShell module - preview](/microsoft-store/microsoft-store-for-business-education-powershell-module?toc=/microsoft-store/education/toc.json)
### [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](/microsoft-store/manage-mpsa-software-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
## [Device Guard signing portal](/microsoft-store/device-guard-signing-portal?toc=/microsoft-store/education/toc.json)
### [Add unsigned app to code integrity policy](/microsoft-store/add-unsigned-app-to-code-integrity-policy?toc=/microsoft-store/education/toc.json)
### [Sign code integrity policy with Device Guard signing](/microsoft-store/sign-code-integrity-policy-with-device-guard-signing?toc=/microsoft-store/education/toc.json)

BIN
store-for-business/images/bank-account-icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.5 KiB

BIN
store-for-business/images/skype-icon-wn.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.6 KiB

10
store-for-business/manage-apps-microsoft-store-for-business-overview.md
View File

@ -1,6 +1,6 @@
---
title: Manage apps and devices in Microsoft Store for Business (Windows 10)
description: Manage settings and access to apps in Microsoft Store for Business.
title: Manage products and services in Microsoft Store for Business (Windows 10)
description: Manage apps, software, devices, products and services in Microsoft Store for Business.
ms.assetid: 2F65D4C3-B02C-41CC-92F0-5D9937228202
ms.prod: w10
ms.mktglfcycl: manage
@ -18,7 +18,7 @@ ms.date: 10/17/2017
- Windows 10
- Windows 10 Mobile
Manage settings and access to apps in Microsoft Store for Business and Microsoft Store for Education.
Manage products and services in Microsoft Store for Business and Microsoft Store for Education. This includes apps, software, products, devices, and services available under **Products & services**.
## In this section
@ -28,4 +28,6 @@ Manage settings and access to apps in Microsoft Store for Business and Microsoft
| [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-microsoft-store-for-business.md) | You can manage all apps that you've acquired on your **Apps & software** page. |
| [Manage private store settings](manage-private-store-settings.md) | The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store. |
| [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md) | For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Microsoft Store management tool services work with your third-party management tool to manage content. |
| [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device. |
| [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device. |
| [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md) | Use PowerShell cmdlets to automate basic app license assignment. |
| [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](manage-mpsa-software-microsoft-store-for-business.md) | Software purchased with the Microsoft Products and Services Agreement (MPSA) can be managed in Microsoft Store for Business and Education. This allows customers to manage online software purchases in one location. |

59
store-for-business/manage-mpsa-software-microsoft-store-for-business.md Normal file
View File

@ -0,0 +1,59 @@
---
title: Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business
description: Software purchased under Microsoft Products and Services Agreement (MPSA) can be managed in Microsoft Store for Business
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.localizationpriority: high
ms.date: 3/20/2018
---
# Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business
**Applies to**
- Windows 10
- Windows 10 Mobile
Software purchased with the Microsoft Products and Services Agreement (MPSA) can now be managed in Microsoft Store for Business. This allows customers to manage online software purchases in one location.
There are a couple of things you might need to set up to manage MPSA software purchases in Store for Business.
**To manage MPSA software in Microsoft Store for Business**
1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com).
2. Click **Manage**, and then click **My Organization**.
3. Click **Connected tenants** to see purchasing accounts and the tenants that they are connected to.
## Add tenant
The tenant or tenants that are added to your purchasing account control how you can distribute software to people in your organization. If there isn't a tenant listed for your purchasing account, you'll need to add one before you can use or manage the software you've purchased. When we give you a list to choose from, tenants are grouped by domain.
**To add a tenant to a purchasing account**
1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com).
2. Click **Manage**, and then click **My Organization**.
3. Click **Connected tenants**, and then click the ellipses for a purchasing account without a tenant listed.
4. Click **Choose a tenant**, and then click **Submit**.
If you don't see your tenant in the list, you can add the name of your tenant
**To add the name of your tenant**
1. On **Add a tenant**, click **Don't see your tenant?**.
2. Enter a domain name, and then click **Next**, and then click **Done**.
You'll need to get permissions for the admin that manages the domain you want to add. We'll take you to Business Center Portal where you can manage permissions and roles. The admin will need to be the **Account Manager**.
## Add global admin
In some cases, we might not have info on who the global admin is for the tenant that you select. It might be that the tenant is unmanaged, and you'll need to identify a global admin. Or, you might only need to share account info for the global admin.
If you need to nominate someone to be the global admin, they need sufficient permissions:
- someone who can distribute sofware
- in Business Center Portal (BCP), it should be someone with **Agreement Admin** role
**To add a global admin to a tenant**
We'll ask for a global admin if we need that info when you add a tenant to a purchasing account. You'd see the request for a global admin before returning to **Store for Business**.
- On **Add a Global Admin**, click **Make me the Global Admin**, and then click **Submit**.
-or-
- On **Add a Global Admin**, type a name in **Invite someone else**, and then click **Submit**.

14
store-for-business/manage-private-store-settings.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.date: 2/15/2018
ms.date: 3/29/2018
ms.localizationpriority: high
---
@ -53,7 +53,7 @@ You can add a collection to your private store from the private store, or from t
![Image showing Add a Collection.](images/msfb-add-collection.png)
4. Type a name for your collection, and then click **Next**.
5. Add at least one product to your collection, and then click **Done**.
5. Add at least one product to your collection, and then click **Done**. You can search for apps and refine results based on the source of the app, or the supported devices.
> [!NOTE]
> New collections require at least one app, or they will not be created.
@ -64,7 +64,7 @@ You can add a collection to your private store from the private store, or from t
3. Under **Apps & software**, choose an app you want to include in a new collection.
4. Under **Private Store Collections**, click **Add a collection**.
![Image showing app details page with Add a Collection.](images/msfb-ps-collection-idp.png)
![Image showing app details page with Add a Collection.](images/msfb-ps-collection-idp.png)
5. Type a name for your collection, and then click **Next**.
6. Add at least one product to your collection, and then click **Done**.
@ -78,7 +78,7 @@ If you've already added a Collection to your private store, you can easily add a
1. Sign in to [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click your private store.</br>
![Image showing private store name on MSfB store UI.](images/msfb-click-private-store.png)
![Image showing private store name on MSfB store UI.](images/msfb-click-private-store.png)
3. Click the ellipses next to the collection name, and click **Edit collection**.
4. Add or remove products from the collection, and then click **Done**.
@ -89,9 +89,8 @@ You can also add an app to a collection from the app details page.
3. Under **Apps & software**, choose an app you want to include in a new collection.
4. Under **Private Store Collections**, turn on the collection you want to add the app to.
![Image showing app details page with Add a Collection.](images/msfb-ps-collection-idp.png)
![Image showing app details page with Add a Collection.](images/msfb-ps-collection-idp.png)
<!---
## Private store performance
We've recently made performance improvements for changes in the private store. This table includes common actions, and the current estimate for amount of time required for the change.
@ -103,5 +102,4 @@ We've recently made performance improvements for changes in the private store. T
| Create a new collection | 15 minutes|
| Edit or remove a collection | 15 minutes |
| Create private store tab | 4-6 hours |
| Rename private store tab | 4-6 hours |
-->
| Rename private store tab | 4-6 hours |

2
store-for-business/microsoft-store-for-business-education-powershell-module.md
View File

@ -22,7 +22,7 @@ Microsoft Store for Business and Education PowerShell module (preview) is now av
> This is a preview and not intended for production environments. For production environments, continue to use **Microsoft Store for Business and Education** or your MDM tool to manage licenses. The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
You can use the PowerShell module to:
- View items you've purchased - shown in **Apps & software**
- View items you've purchased - shown in **Products & services**
- Manage licenses - assigning and removing
- Perform bulk operations with .csv files - automates license management for customers with larger numbers of licenses

9
store-for-business/release-history-microsoft-store-business-education.md
View File

@ -6,7 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.date: 2/8/2018
ms.date: 3/29/2018
---
# Microsoft Store for Business and Education release history
@ -15,6 +15,13 @@ Microsoft Store for Business and Education regularly releases new and improved f
Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
## January and February 2018
- **One place for apps, software, and subscriptions** - The new **Products &amp; services** page in Microsoft Store for Business and Education gives customers a single place to manage all products and services.
- **Create collections of apps in your private store** - Use **collections** to customize your private store. Collections allow you to create groups of apps that are commonly used in your organization or school -- you might create a collection for a Finance department, or a 6th-grade class. [Get more info](https://docs.microsoft.com/en-us/microsoft-store/manage-private-store-settings#private-store-collections)
- **Upgrade Office 365 trial subscription** - Customers with Office 365 trials can now transition their trial to a paid subscription in Microsoft Store for Business. This works for trials you acquired from Microsoft Store for Business, or Office Admin Portal.
- **Supporting Microsoft Product and Services Agreement customers** - If you are purchasing under the Microsoft Products and Services Agreement (MPSA), you can use Microsoft Store for Business. Here you will find access to Products & Services purchased, Downloads & Keys, Software Assurance benefits, Order history, and Agreement details.
- **Microsoft Product and Services Agreement customers can invite people to take roles** - MPSA admins can invite people to take Microsoft Store for Business roles even if the person is not in their tenant. You provide an email address when you assign the role, and we'll add the account to your tenant and assign the role.
## December 2017
- Bug fixes and permformance improvements.

24
store-for-business/sfb-change-history.md
View File

@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.author: TrudyHa
ms.date: 10/31/2017
ms.date: 3/29/2018
ms.localizationpriority: high
---
@ -18,12 +18,32 @@ ms.localizationpriority: high
- Windows 10
- Windows 10 Mobile
## March 2018
| New or changed topic | Description |
| --- | --- |
| [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](manage-mpsa-software-microsoft-store-for-business.md) | New |
| [Manage private store settings](manage-private-store-settings.md) | Update for adding private store performance improvements. |
| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update |
## February 2018
| New or changed topic | Description |
| --- | --- |
| [Manage private store settings](manage-private-store-settings.md) | Update for adding private store collections. |
| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update |
## November 2017
| New or changed topic | Description |
| --- | --- |
| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update |
## October 2017
| New or changed topic | Description |
| --- | --- |
| [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | Update. Add profile settings with supported build info. |
| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update. |
| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update |
## September 2017

22
store-for-business/whats-new-microsoft-store-business-education.md
View File

@ -6,7 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.date: 2/16/2018
ms.date: 3/29/2018
---
# What's new in Microsoft Store for Business and Education
@ -15,17 +15,14 @@ Microsoft Store for Business and Education regularly releases new and improved f
## Latest updates for Store for Business and Education
**January &amp; February, 2018**
**March 2018**
| | |
|--------------------------------------|---------------------------------|
| ![Microsoft Store for Business Products &amp; services page.](images/product-and-service-icon.png) |**One place for apps, software, and subscriptions**<br /><br /> The new **Products &amp; services** page in Microsoft Store for Business and Education gives customers a single place to manage all products and services. This includes Apps, Software, and Subscriptions that your organization acquired or manages through Microsoft Store for Business. This change centralizes these products, but the platform changes also improve overall performance. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Private store collections](images/private-store-icon.png) |**Create collections of apps in your private store**<br /><br /> Use **collections** to customize your private store. Collections allow you to create groups of apps that are commonly used in your organization or school -- you might create a collection for a Finance department, or a 6th-grade class.<br /><br />[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-collections)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Upgrade Office 365 trial subscription.](images/office-logo.png) |**Upgrade Office 365 trial subscription**<br /><br> Customers with Office 365 trials can now transition their trial to a paid subscription in Microsoft Store for Business. This works for trials you acquired from Microsoft Store for Business, or Office Admin Portal. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Image showing Settings icon.](images/mpsa-link.png) |**Supporting Microsoft Product and Services Agreement customers**<br /><br>If you are purchasing under the Microsoft Products and Services Agreement (MPSA), you can use Microsoft Store for Business. Here you will find access to Products & Services purchased, Downloads & Keys, Software Assurance benefits, Order history, and Agreement details. Also, we added the ability to associate your purchasing account to your tenant. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Image showing Settings icon.](images/invite-people.png) |**Microsoft Product and Services Agreement customers can invite people to take roles**<br /><br> MPSA admins can invite people to take Microsoft Store for Business roles even if the person is not in their tenant. You provide an email address when you assign the role, and we'll add the account to your tenant and assign the role. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Private store performance icon](images/perf-improvement-icon.png) |**Performance improvements in private store**<br /><br /> We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. <br /><br />[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Private store library icon](images/private-store-icon.png) |**Private store collection updates**<br /><br /> Weve made it easier to find apps when creating private store collections now you can search and filter results. <br /><br />[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-collections)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Skype icon.](images/skype-icon-wn.png) |**Manage Skype communication credits in Microsoft Store for Business and Education**<br /><br> Office 365 customers that own Skype Communication Credits can now see and manage them in Microsoft Store for Business. You can view your account, add funds to your account, and manage auto-recharge settings. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Upgrade Office 365 trial subscription.](images/office-logo.png) |**Upgrade Office 365 trial subscription**<br /><br> Customers with Office 365 can upgrade their subscription and automatically re-assign their user licenses over to a new target subscription. For example, you could upgrade your Office 365 Business to Office 365 Business Premium. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
<!---
Weve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new features!
@ -39,6 +36,13 @@ Weve been working on bug fixes and performance improvements to provide you a
## Previous releases and updates
[January &amp; February, 2018](release-history-microsoft-store-business-education.md#january-and-february-2018)
- One place for apps, software, and subscriptions
- Create collections of apps in your private store
- Upgrade Office 365 trial subscription
- Supporting Microsoft Product and Services Agreement customers
- Microsoft Product and Services Agreement customers can invite people to take roles
[December 2017](release-history-microsoft-store-business-education.md#december-2017)
- Bug fixes and permformance improvements

2
windows/client-management/mdm/TOC.md
View File

@ -68,6 +68,8 @@
### [ICSPValidate](icspvalidate.md)
### [Samples for writing a custom configuration service provider](samples-for-writing-a-custom-configuration-service-provider.md)
## [Configuration service provider reference](configuration-service-provider-reference.md)
### [AccountManagement CSP](accountmanagement-csp.md)
#### [AccountManagement DDF file](accountmanagement-ddf.md)
### [ActiveSync CSP](activesync-csp.md)
#### [ActiveSync DDF file](activesync-ddf-file.md)
### [AllJoynManagement CSP](alljoynmanagement-csp.md)

62
windows/client-management/mdm/accountmanagement-csp.md Normal file
View File

@ -0,0 +1,62 @@
---
title: AccountManagement CSP
description: Used to configure settings in the Account Manager service
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/23/2018
---
# AccountManagement CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803.
> [!Note]
> The AccountManagement CSP is only supported in Windows Holographic for Business edition.
The following diagram shows the AccountManagement configuration service provider in tree format.
![accountmanagement csp](images/provisioning-csp-accountmanagement.png)
<a href="" id="accountmanagement"></a>**./Vendor/MSFT/AccountManagement**
Root node for the AccountManagement configuration service provider.
<a href="" id="accountmanagement-userprofilemanagemen-enableprofilemanager"></a>**UserProfileManagement**
Interior node.
<a href="" id="accountmanagement-userprofilemanagement-deletionpolicy"></a>**UserProfileManagement/EnableProfileManager**
Enable profile lifetime mangement for shared or communal device scenarios. Default value is false.
Supported operations are Add, Get,Replace, and Delete. Value type is bool.
<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystartdeletion"></a>**UserProfileManagement/DeletionPolicy**
Configures when profiles will be deleted. Default value is 1.
Valid values:
- 0 - delete immediately when the device returns to a state with no currently active users
- 1 - delete at storage capacity threshold
- 2 - delete at both storage capacity threshold and profile inactivity threshold
Supported operations are Add, Get,Replace, and Delete. Value type is integer.
<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystopdeletion"></a>**UserProfileManagement/StorageCapacityStartDeletion**
Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first. Default value is 25.
Supported operations are Add, Get,Replace, and Delete. Value type is integer.
<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystopdeletion"></a>**UserProfileManagement/StorageCapacityStopDeletion**
Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles. Default value is 50.
Supported operations are Add, Get,Replace, and Delete. Value type is integer.
<a href="" id="accountmanagement-userprofilemanagement-profileinactivitythreshold"></a>**UserProfileManagement/ProfileInactivityThreshold**
Start deleting profiles when they have not been logged on during the specified period, given as number of days. Default value is 30.
Supported operations are Add, Get,Replace, and Delete. Value type is integer.

201
windows/client-management/mdm/accountmanagement-ddf.md Normal file
View File

@ -0,0 +1,201 @@
---
title: AccountManagement DDF file
description: Used to configure settings in the Account Manager service
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/23/2018
---
# AccountManagement DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **AccountManagement** configuration service provider.
The XML below is for Windows 10, version 1803.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>AccountManagement</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/AccountManagement</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>UserProfileManagement</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>EnableProfileManager</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Enable profile lifetime mangement for shared or communal device scenarios.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Enable profile manager</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DeletionPolicy</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>Configures when profiles will be deleted. Allowed values: 0 (delete immediately upon device returning to a state with no currently active users); 1 (delete at storage capacity threshold); 2 (delete at both storage capacity threshold and profile inactivity threshold).</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Profile deletion policy</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>StorageCapacityStartDeletion</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DefaultValue>25</DefaultValue>
<Description>Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Storage capacity threshold to start profile deletion</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>StorageCapacityStopDeletion</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DefaultValue>50</DefaultValue>
<Description>Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Storage capacity threshold to stop profile deletion</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ProfileInactivityThreshold</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DefaultValue>30</DefaultValue>
<Description>Start deleting profiles when they have not been logged on during the specified period, given as number of days.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Profile inactive threshold</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```

2
windows/client-management/mdm/assignedaccess-csp.md
View File

@ -39,7 +39,7 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u
>
> You cannot set both KioskModeApp and ShellLauncher at the same time on the device.
In Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
Starting in Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
Here's an example:

2
windows/client-management/mdm/clientcertificateinstall-csp.md
View File

@ -63,7 +63,7 @@ The following image shows the ClientCertificateInstall configuration service pro
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
<p style="margin-left: 20px">ptional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.
<p style="margin-left: 20px">Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.
<p style="margin-left: 20px">Date type is string.

74
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/12/2018
ms.date: 03/23/2018
---
# Configuration service provider reference
@ -29,6 +29,7 @@ Footnotes:
- 1 - Added in Windows 10, version 1607
- 2 - Added in Windows 10, version 1703
- 3 - Added in Windows 10, version 1709
- 4 - Added in Windows 10, version 1803
<!--StartCSPs-->
<hr/>
@ -36,7 +37,7 @@ Footnotes:
## CSP support
<!--StartCSP-->
[APPLICATION CSP](application-csp.md)
[AccountManagement CSP](accountmanagement-csp.md)
<!--StartSKU-->
<table>
@ -50,13 +51,13 @@ Footnotes:
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
@ -119,6 +120,34 @@ Footnotes:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[APPLICATION CSP](application-csp.md)
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[AppLocker CSP](applocker-csp.md)
@ -2509,7 +2538,8 @@ Footnotes:
 Footnotes:
- 1 - Added in Windows 10, version 1607
- 2 - Added in Windows 10, version 1703
- 3 - Added in Windows 10, version 1803
- 3 - Added in Windows 10, version 1709
- 4 - Added in Windows 10, version 1803
## CSP DDF files download
@ -2527,6 +2557,7 @@ The following list shows the configuration service providers supported in Window
| Configuration service provider | Windows Holographic edition | Windows Holographic for Business edition |
|--------|--------|------------|
| [AccountManagement CSP](accountmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)3 |
| [Application CSP](application-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [AppLocker CSP](applocker-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [CertificateStore CSP](certificatestore-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)|
@ -2549,30 +2580,11 @@ The following list shows the configuration service providers supported in Window
Footnotes:
- 2 - Added in Windows 10, version 1703
## <a href="" id="newcsps"></a>New CSPs added in Windows 10, version 1703
- [BitLocker CSP](bitlocker-csp.md)
- [CleanPC CSP](cleanpc-csp.md)
- [DeveloperSetup CSP](developersetup-csp.md)
- [DynamicManagement CSP](dynamicmanagement-csp.md)
- [EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)
- [Messaging CSP](messaging-csp.md)
- [NetworkProxy CSP](networkproxy-csp.md)
- [NetworkQoSPolicy CSP](networkqospolicy-csp.md)
- [Office CSP](office-csp.md)
- [Personalization CSP](personalization-csp.md)
## <a href="" id="newcsps"></a>New CSPs added in Windows 10, version 1511
- [AllJoynManagement CSP](alljoynmanagement-csp.md)
- [Maps CSP](maps-csp.md)
- [Reporting CSP](reporting-csp.md)
- [SurfaceHub CSP](surfacehub-csp.md)
- [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md)
- 3 - Added in Windows 10, version 1803
## <a href="" id="surfacehubcspsupport"></a>CSPs supported in Microsoft Surface Hub
- [AccountManagement CSP](accountmanagement-csp.md)
- [APPLICATION CSP](application-csp.md)
- [CertificateStore CSP](certificatestore-csp.md)
- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)

BIN
windows/client-management/mdm/images/provisioning-csp-accountmanagement.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

BIN
windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 14 KiB

After

Width:  |  Height:  |  Size: 8.6 KiB

BIN
windows/client-management/mdm/images/provisioning-csp-rootcacertificate.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 26 KiB

After

Width:  |  Height:  |  Size: 46 KiB

101
windows/client-management/mdm/multisim-csp.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 02/27/2018
ms.date: 03/22/2018
---
# MultiSIM CSP
@ -30,9 +30,13 @@ Node representing a Mobile Broadband Modem. The node name is the modem ID. Modem
<a href="" id="modemid"></a>**_ModemID_/Identifier**
Modem ID.
Supported operation is Get. Value type is string.
<a href="" id="tbd"></a>**_ModemID_/IsEmbedded**
Indicates whether this modem is embedded or external.
Supported operation is Get. Value type is bool.
<a href="" id="tbd"></a>**_ModemID_/Slots**
Represents all SIM slots in the Modem.
@ -42,17 +46,110 @@ Node representing a SIM Slot. The node name is the Slot ID. SIM Slot ID format i
<a href="" id="tbd"></a>**_ModemID_/Slots/_SlotID_/Identifier**
Slot ID.
Supported operation is Get. Value type is integer.
<a href="" id="tbd"></a>**_ModemID_/Slots/_SlotID_/IsEmbedded**
Indicates whether this Slot is embedded or a physical SIM slot.
Supported operation is Get. Value type is bool.
<a href="" id="tbd"></a>**_ModemID_/Slots/_SlotID_/IsSelected**
Indicates whether this Slot is selected or not.
Supported operation is Get and Replace. Value type is bool.
<a href="" id="tbd"></a>**_ModemID_/Slots/_SlotID_/State**
Slot state (Unknown = 0, OffEmpty = 1, Off = 2, Empty = 3, NotReady = 4, Active = 5, Error = 6, ActiveEsim = 7, ActiveEsimNoProfile = 8)
Supported operation is Get. Value type is integer.
<a href="" id="tbd"></a>**_ModemID_/Policies**
Policies associated with the Modem.
<a href="" id="tbd"></a>**_ModemID_/Policies/SlotSelectionEnabled**
Determines whether the user is allowed to change slots in the Cellular settings UI. Default is true.
Determines whether the user is allowed to change slots in the Cellular settings UI. Default is true.
Supported operation is Get and Replace. Value type is bool.
## Examples
Get modem
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/MultiSIM
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Get slots
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/MultiSIM/Embedded/Slots
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Get slot state
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/MultiSIM/Embedded/Slots/Embedded/State
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Select slot
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/MultiSIM/Embedded/Slots/0/IsSelected
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>true</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```

78
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/15/2018
ms.date: 03/23/2018
---
# What's new in MDM enrollment and management
@ -1147,6 +1147,8 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold</li>
<li>AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter</li>
<li>ApplicationDefaults/EnableAppUriHandlers</li>
<li>ApplicationManagement/MSIAllowUserControlOverInstall</li>
<li>ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges</li>
<li>Browser/AllowConfigurationUpdateForBooksLibrary</li>
<li>Browser/AlwaysEnableBooksLibrary</li>
<li>Browser/EnableExtendedBooksTelemetry</li>
@ -1175,14 +1177,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia</li>
<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters</li>
<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</li>
<li>LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge</li>
<li>LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</li>
@ -1193,10 +1188,8 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</li>
<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li>
<li>LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</li>
@ -1283,16 +1276,6 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[RemoteWipe CSP](remotewipe-csp.md)</td>
<td style="vertical-align:top"><p>Added the following nodes in Windows 10, version 1803:</p>
<ul>
<li>AutomaticRedeployment</li>
<li>doAutomaticRedeployment</li>
<li>LastError</li>
<li>Status</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Defender CSP](defender-csp.md)</td>
<td style="vertical-align:top"><p>Added new node (OfflineScan) in Windows 10, version 1803.</p>
</td></tr>
@ -1345,6 +1328,17 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>OS/Mode</li>
</ul>
</td></tr>
<tr>
<<<<<<< HEAD
<td style="vertical-align:top">[AccountManagement CSP](accountmanagement-csp.md)</td>
<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
=======
<td style="vertical-align:top">[RootCATrustedCertificates CSP](rootcacertificates-csp.md)</td>
<td style="vertical-align:top"><p>Added the following node in Windows 10, version 1803:</p>
<ul>
<li>UntrustedCertificates</li>
</ul>
>>>>>>> 2aa0839b99c52229c7cf43d58f467019b1284a6a
</td></tr>
</tbody>
</table>
@ -1651,10 +1645,23 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</ul>
</td></tr>
<tr>
<td style="vertical-align:top">[AccountManagement CSP](accountmanagement-csp.md)</td>
<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[RootCATrustedCertificates CSP](rootcacertificates-csp.md)</td>
<td style="vertical-align:top"><p>Added the following node in Windows 10, version 1803:</p>
<ul>
<li>UntrustedCertificates</li>
</ul>
</td></tr>
<tr>
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1803:</p>
<ul>
<li>ApplicationDefaults/EnableAppUriHandlers</li>
<li>ApplicationManagement/MSIAllowUserControlOverInstall</li>
<li>ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges</li>
<li>Connectivity/AllowPhonePCLinking</li>
<li>RestrictedGroups/ConfigureGroupMembership</li>
</ul>
@ -1663,11 +1670,23 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML</li>
<li>TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.</li>
</ul>
<p>Added a new section:</p>
<ul>
<li>[Policies supported by GP](policy-configuration-service-provider.md#policies-supported-by-gp) - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.</li>
</ul>
</td></tr>
<tr>
<td style="vertical-align:top">[Policy CSP - Bluetooth](policy-csp-bluetooth.md)</td>
<td style="vertical-align:top"><p>Added new section [ServicesAllowedList usage guide](policy-csp-bluetooth.md#servicesallowedlist-usage-guide).</p>
</td></tr>
<tr>
<td style="vertical-align:top">[MultiSIM CSP](multisim-csp.md)</td>
<td style="vertical-align:top"><p>Added SyncML examples and updated the settings descriptions.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[RemoteWipe CSP](remotewipe-csp.md)</td>
<td style="vertical-align:top"><p>Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.</p>
</td></tr>
</tbody>
</table>
@ -1775,14 +1794,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia</li>
<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters</li>
<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</li>
<li>LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge</li>
<li>LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</li>
@ -1793,10 +1805,8 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</li>
<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li>
<li>LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</li>
@ -1880,16 +1890,6 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[RemoteWipe CSP](remotewipe-csp.md)</td>
<td style="vertical-align:top"><p>Added the following nodes in Windows 10, version 1803:</p>
<ul>
<li>AutomaticRedeployment</li>
<li>doAutomaticRedeployment</li>
<li>LastError</li>
<li>Status</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Defender CSP](defender-csp.md)</td>
<td style="vertical-align:top"><p>Added new node (OfflineScan) in Windows 10, version 1803.</p>
</td></tr>

205
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/05/2018
ms.date: 03/16/2018
---
# Policy CSP
@ -225,6 +225,12 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-applicationmanagement.md#applicationmanagement-disablestoreoriginatedapps" id="applicationmanagement-disablestoreoriginatedapps">ApplicationManagement/DisableStoreOriginatedApps</a>
</dd>
<dd>
<a href="./policy-csp-applicationmanagement.md#applicationmanagement-msiallowusercontroloverinstall" id="applicationmanagement-msiallowusercontroloverinstall">ApplicationManagement/MSIAllowUserControlOverInstall</a>
</dd>
<dd>
<a href="./policy-csp-applicationmanagement.md#applicationmanagement-msialwaysinstallwithelevatedprivileges" id="applicationmanagement-msialwaysinstallwithelevatedprivileges">ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges</a>
</dd>
<dd>
<a href="./policy-csp-applicationmanagement.md#applicationmanagement-requireprivatestoreonly" id="applicationmanagement-requireprivatestoreonly">ApplicationManagement/RequirePrivateStoreOnly</a>
</dd>
@ -4133,9 +4139,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia)
- [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters)
- [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly)
- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways)
- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible)
- [LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges)
- [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked)
- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin)
- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin)
@ -4459,72 +4462,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc)
- [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing)
<!--StartIoTCore-->
## <a href="" id="iotcore"></a>Policies supported by IoT Core
- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)
- [Browser/AllowAutofill](#browser-allowautofill)
- [Browser/AllowBrowser](#browser-allowbrowser)
- [Browser/AllowCookies](#browser-allowcookies)
- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
- [Browser/AllowInPrivate](#browser-allowinprivate)
- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
- [Browser/AllowPopups](#browser-allowpopups)
- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
- [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist)
- [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl)
- [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer)
- [Camera/AllowCamera](#camera-allowcamera)
- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)
- [Connectivity/AllowNFC](#connectivity-allownfc)
- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular)
- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular)
- [Connectivity/DiablePrintingOverHTTP](#connectivity-diableprintingoverhttp)
- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](#connectivity-disabledownloadingofprintdriversoverhttp)
- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
- [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths)
- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon)
- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword)
- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)
- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)
- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
- [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage)
- [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage)
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
- [System/AllowEmbeddedMode](#system-allowembeddedmode)
- [System/AllowFontProviders](#system-allowfontproviders)
- [System/AllowStorageCard](#system-allowstoragecard)
- [System/TelemetryProxy](#system-telemetryproxy)
- [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate)
- [Update/AllowUpdateService](#update-allowupdateservice)
- [Update/PauseDeferrals](#update-pausedeferrals)
- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
- [Update/RequireUpdateApproval](#update-requireupdateapproval)
- [Update/ScheduledInstallDay](#update-scheduledinstallday)
- [Update/ScheduledInstallTime](#update-scheduledinstalltime)
- [Update/UpdateServiceUrl](#update-updateserviceurl)
- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots)
- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
- [Wifi/AllowWiFi](#wifi-allowwifi)
- [Wifi/WLANScanMode](#wifi-wlanscanmode)
<!--EndIoTCore-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Policies supported by Windows Holographic for Business
@ -4548,14 +4485,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Experience/AllowCortana](#experience-allowcortana)
- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment)
- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)
- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
- [Settings/AllowDateTime](#settings-allowdatetime)
@ -4569,125 +4498,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Update/UpdateServiceUrl](#update-updateserviceurl)
<!--EndHoloLens-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>Policies supported by Microsoft Surface Hub
- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing)
- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)
- [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown)
- [Browser/AllowCookies](#browser-allowcookies)
- [Browser/AllowDeveloperTools](#browser-allowdevelopertools)
- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
- [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist)
- [Browser/AllowPopups](#browser-allowpopups)
- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
- [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit)
- [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines)
- [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages)
- [Browser/HomePages](#browser-homepages)
- [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection)
- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride)
- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles)
- [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine)
- [Camera/AllowCamera](#camera-allowcamera)
- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
- [ConfigOperations/ADMXInstall](#configoperations-admxinstall)
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices)
- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
- [Defender/AllowArchiveScanning](#defender-allowarchivescanning)
- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring)
- [Defender/AllowCloudProtection](#defender-allowcloudprotection)
- [Defender/AllowEmailScanning](#defender-allowemailscanning)
- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives)
- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning)
- [Defender/AllowIOAVProtection](#defender-allowioavprotection)
- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem)
- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection)
- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring)
- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles)
- [Defender/AllowScriptScanning](#defender-allowscriptscanning)
- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess)
- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor)
- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware)
- [Defender/ExcludedExtensions](#defender-excludedextensions)
- [Defender/ExcludedPaths](#defender-excludedpaths)
- [Defender/ExcludedProcesses](#defender-excludedprocesses)
- [Defender/PUAProtection](#defender-puaprotection)
- [Defender/RealTimeScanDirection](#defender-realtimescandirection)
- [Defender/ScanParameter](#defender-scanparameter)
- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime)
- [Defender/ScheduleScanDay](#defender-schedulescanday)
- [Defender/ScheduleScanTime](#defender-schedulescantime)
- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval)
- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent)
- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction)
- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)
- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)
- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)
- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)
- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)
- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)
- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)
- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)
- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)
- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)
- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)
- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)
- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)
- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders)
- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed)
- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)
- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
- [Privacy/PublishUserActivities](#privacy-publishuseractivities)
- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot)
- [Start/StartLayout](#start-startlayout)
- [System/AllowFontProviders](#system-allowfontproviders)
- [System/AllowLocation](#system-allowlocation)
- [System/AllowTelemetry](#system-allowtelemetry)
- [TextInput/AllowIMELogging](#textinput-allowimelogging)
- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess)
- [TextInput/AllowInputPanel](#textinput-allowinputpanel)
- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters)
- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters)
- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph)
- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary)
- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall)
- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208)
- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc)
- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis)
- [Update/AllowAutoUpdate](#update-allowautoupdate)
- [Update/AllowUpdateService](#update-allowupdateservice)
- [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule)
- [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal)
- [Update/BranchReadinessLevel](#update-branchreadinesslevel)
- [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays)
- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays)
- [Update/DetectionFrequency](#update-detectionfrequency)
- [Update/PauseFeatureUpdates](#update-pausefeatureupdates)
- [Update/PauseQualityUpdates](#update-pausequalityupdates)
- [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning)
- [Update/ScheduleRestartWarning](#update-schedulerestartwarning)
- [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable)
- [Update/UpdateServiceUrl](#update-updateserviceurl)
- [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate)
- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting)
<!--EndSurfaceHub-->
<!--StartEAS-->
## <a href="" id="eas"></a>Policies that can be set using Exchange Active Sync (EAS)
@ -4715,7 +4525,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Wifi/AllowWiFi](#wifi-allowwifi)
<!--EndEAS-->
## Examples
Set the minimum password length to 4 characters.

146
windows/client-management/mdm/policy-csp-applicationmanagement.md
View File

@ -11,6 +11,8 @@ ms.date: 03/12/2018
# Policy CSP - ApplicationManagement
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
@ -43,6 +45,12 @@ ms.date: 03/12/2018
<dd>
<a href="#applicationmanagement-disablestoreoriginatedapps">ApplicationManagement/DisableStoreOriginatedApps</a>
</dd>
<dd>
<a href="#applicationmanagement-msiallowusercontroloverinstall">ApplicationManagement/MSIAllowUserControlOverInstall</a>
</dd>
<dd>
<a href="#applicationmanagement-msialwaysinstallwithelevatedprivileges">ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges</a>
</dd>
<dd>
<a href="#applicationmanagement-requireprivatestoreonly">ApplicationManagement/RequirePrivateStoreOnly</a>
</dd>
@ -538,6 +546,144 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="applicationmanagement-msiallowusercontroloverinstall"></a>**ApplicationManagement/MSIAllowUserControlOverInstall**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1803. This policy setting permits users to change installation options that typically are available only to system administrators.
If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation.
If you disable or do not configure this policy setting, the security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed.
If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user.
This policy setting is designed for less restrictive environments. It can be used to circumvent errors in an installation program that prevents software from being installed.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow user control over installs*
- GP name: *EnableUserControl*
- GP ADMX file name: *MSI.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
This setting supports a range of values between 0 and 1.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="applicationmanagement-msialwaysinstallwithelevatedprivileges"></a>**ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1803. This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system.
If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.
If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer.
Note: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders.
Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be secure.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Always install with elevated privileges*
- GP name: *AlwaysInstallElevated*
- GP ADMX file name: *MSI.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
This setting supports a range of values between 0 and 1.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="applicationmanagement-requireprivatestoreonly"></a>**ApplicationManagement/RequirePrivateStoreOnly**

586
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/12/2018
ms.date: 03/16/2018
---
# Policy CSP - LocalPoliciesSecurityOptions
@ -51,24 +51,6 @@ ms.date: 03/12/2018
<dd>
<a href="#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly">LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways">LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible">LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-domainmember-digitallysignsecurechanneldatawhenpossible">LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges">LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-domainmember-maximummachineaccountpasswordage">LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-domainmember-requirestrongsessionkey">LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked">LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</a>
</dd>
@ -93,9 +75,6 @@ ms.date: 03/12/2018
<dd>
<a href="#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior">LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</a>
</dd>
@ -126,9 +105,6 @@ ms.date: 03/12/2018
<dd>
<a href="#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam">LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm">LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests">LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</a>
</dd>
@ -138,9 +114,6 @@ ms.date: 03/12/2018
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel">LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</a>
</dd>
@ -784,375 +757,6 @@ GP Info:
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways"></a>**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Domain member: Digitally encrypt or sign secure channel data (always)
This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Default: Enabled.
Notes:
If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Domain member: Digitally encrypt or sign secure channel data (always)*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible"></a>**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Domain member: Digitally encrypt secure channel data (when possible)
This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc.
This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.
Default: Enabled.
Important
There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Domain member: Digitally encrypt secure channel data (when possible)*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-domainmember-digitallysignsecurechanneldatawhenpossible"></a>**LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Domain member: Digitally sign secure channel data (when possible)
This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.
Default: Enabled.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Domain member: Digitally sign secure channel data (when possible)*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges"></a>**LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Domain member: Disable machine account password changes
Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.
Default: Disabled.
Notes
This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Domain member: Disable machine account password changes*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-domainmember-maximummachineaccountpasswordage"></a>**LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Domain member: Maximum machine account password age
This security setting determines how often a domain member will attempt to change its computer account password.
Default: 30 days.
Important
This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Domain member: Maximum machine account password age*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-domainmember-requirestrongsessionkey"></a>**LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Domain member: Require strong (Windows 2000 or later) session key
This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on.
Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters:
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that is encrypted.
If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key strength is negotiated with the domain controller.
Default: Enabled.
Important
In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later.
In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Domain member: Require strong (Windows 2000 or later) session key*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
@ -1650,77 +1254,6 @@ GP Info:
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Microsoft network client: Digitally sign communications (always)
This security setting determines whether packet signing is required by the SMB client component.
The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
Default: Disabled.
Important
For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees).
Notes
All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Microsoft network client: Digitally sign communications (always)*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees**
@ -2334,63 +1867,6 @@ GP Info:
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Network security: Allow Local System to use computer identity for NTLM
This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication.
If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.
If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.
By default, this policy is enabled on Windows 7 and above.
By default, this policy is disabled on Windows Vista.
This policy is supported on at least Windows Vista or Windows Server 2008.
Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy.
<!--/Description-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**
@ -2586,66 +2062,6 @@ GP Info:
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated.
Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
Default:
Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers**

8
windows/client-management/mdm/policy-csp-privacy.md
View File

@ -4493,14 +4493,6 @@ Footnote:
## <a href="" id="hololenspolicies"></a>Privacy policies supported by Windows Holographic for Business
- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)
- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
<!--EndHoloLens-->
<!--StartIoTCore-->

28
windows/client-management/mdm/remotewipe-csp.md
View File

@ -7,15 +7,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 01/29/2018
ms.date: 03/23/2018
---
# RemoteWipe CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely wipe a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely wiped after being lost or stolen.
The following diagram shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server.
@ -47,29 +44,6 @@ Supported operation is Exec.
<a href="" id="doWipePersistUserData"></a>**doWipePersistUserData**
Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
<a href="" id="automaticredeployment"></a>**AutomaticRedeployment**
Added in Windows 10, version 1803. Node for the Automatic Redeployment operation.
<a href="" id="doautomaticredeployment"></a>**AutomaticRedeployment/doAutomaticRedeployment**
Added in Windows 10, version 1803. Exec on this node triggers Automatic Redeployment operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard.
<a href="" id="lasterror"></a>**AutomaticRedeployment/LastError**
Added in Windows 10, version 1803. Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT).
<a href="" id="status"></a>**AutomaticRedeployment/Status**
Added in Windows 10, version 1803. Status value indicating current state of an Automatic Redeployment operation.
Supported values:
- 0: Never run (not started). The default state.
- 1: Complete.
- 10: Reset has been scheduled.
- 20: Reset is scheduled and waiting for a reboot.
- 30: Failed during CSP Execute ("Exec" in SyncML).
- 40: Failed: power requirements not met.
- 50: Failed: reset internals failed during reset attempt.
 
## Related topics

92
windows/client-management/mdm/remotewipe-ddf-file.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 01/29/2018
ms.date: 03/23/2018
---
# RemoteWipe DDF file
@ -17,7 +17,7 @@ This topic shows the OMA DM device description framework (DDF) for the **RemoteW
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the DDF for Windows 10, version 1803.
The XML below is the DDF for Windows 10, version 1709.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
@ -43,7 +43,7 @@ The XML below is the DDF for Windows 10, version 1803.
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.1/MDM/RemoteWipe</MIME>
<DDFName></DDFName>
</DFType>
<Description>The root node for remote wipe function.</Description>
</DFProperties>
@ -131,94 +131,8 @@ The XML below is the DDF for Windows 10, version 1803.
<Description>Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command.</Description>
</DFProperties>
</Node>
<Node>
<NodeName>AutomaticRedeployment</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>doAutomaticRedeployment</NodeName>
<DFProperties>
<AccessType>
<Get />
<Exec />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LastError</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT).</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Status value indicating current state of an Automatic Redeployment operation. 0: Never run (not started). The default state. 1: Complete. 10: Reset has been scheduled. 20: Reset is scheduled and waiting for a reboot. 30: Failed during CSP Execute ("Exec" in SyncML). 40: Failed: power requirements not met. 50: Failed: reset internals failed during reset attempt.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics

8
windows/client-management/mdm/rootcacertificates-csp.md
View File

@ -7,11 +7,14 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/26/2017
ms.date: 03/06/2018
---
# RootCATrustedCertificates CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The RootCATrustedCertificates configuration service provider enables the enterprise to set the Root Certificate Authority (CA) certificates.
> [!Note]
@ -44,6 +47,9 @@ Node for trusted publisher certificates.
<a href="" id="rootcatrustedcertificates-trustedpeople"></a>**RootCATrustedCertificates/TrustedPeople**
Node for trusted people certificates.
<a href="" id="rootcatrustedcertificates-untrustedcertificates"></a>**RootCATrustedCertificates/UntrustedCertificates**
Addeded in Windows 10, version 1803. Node for certificates that are not trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable.
<a href="" id="certhash"></a>**_CertHash_**
Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.

1245
windows/client-management/mdm/rootcacertificates-ddf-file.md
View File

File diff suppressed because it is too large Load Diff

2
windows/configuration/TOC.md
View File

@ -12,7 +12,7 @@
## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md)
### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
### [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md)
### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
### [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md)
#### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md)

4
windows/configuration/change-history-for-configure-windows-10.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jdeckerms
ms.date: 03/13/2018
ms.date: 03/23/2018
---
# Change history for Configure Windows 10
@ -20,6 +20,8 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md)
New or changed topic | Description
--- | ---
[Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Added events and fields that were added in the March update.
Set up a kiosk on Windows 10 Pro, Enterprise, or Education | Renamed it [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) and reorganized the information to make the choices clearer.
## February 2018

2
windows/configuration/configure-windows-diagnostic-data-in-your-organization.md
View File

@ -15,7 +15,7 @@ ms.date: 10/17/2017
**Applies to**
- Windows 10
- Windows 10 Enterprise
- Windows 10 Mobile
- Windows Server

2
windows/configuration/kiosk-shared-pc.md
View File

@ -19,6 +19,6 @@ Some desktop devices in an enterprise serve a special purpose, such as a common
| Topic | Description |
| --- | --- |
| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. |
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. |
| [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. |
| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. |
| [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |

7
windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.localizationpriority: high
author: brianlic-msft
ms.author: brianlic-msft
ms.date: 01/29/2018
ms.date: 03/22/2018
---
# Manage connections from Windows operating system components to Microsoft services
@ -77,14 +77,13 @@ Here's a list of changes that were made to this article for Windows 10, version
## <a href="" id="bkmk-othersettings"></a>Management options for each setting
The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections.
If you're running Windows 10, they will be included in the next update for the Long Term Servicing Branch.
### Settings for Windows 10 Enterprise edition
See the following table for a summary of the management settings for Windows 10 Enterprise, version 1709 and Windows 10 Enterprise, version 1703.
The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1703.
| Setting | UI | Group Policy | MDM policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: | :-: |
@ -1516,6 +1515,8 @@ To turn off **Let apps run in the background**:
- **1**. Force allow
- **2**. Force deny
> [!NOTE]
> Some apps, including Cortana and Search, might not function as expected if you set **Let apps run in the background** to **Force Deny**.
### <a href="" id="bkmk-priv-motion"></a>17.18 Motion

2
windows/configuration/provisioning-packages/provisioning-create-package.md
View File

@ -41,7 +41,7 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg)
- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
- [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
- [Instructions for the kiosk wizard](../set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard)
- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard)
- [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning)
- [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub)

2
windows/configuration/provisioning-packages/provisioning-packages.md
View File

@ -82,7 +82,7 @@ The following table describes settings that you can configure using the wizards
- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
- [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
- [Instructions for the kiosk wizard](../set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard)
- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard)

334
windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md → windows/configuration/setup-kiosk-digital-signage.md
View File

@ -1,44 +1,124 @@
---
title: Set up a kiosk on Windows 10 Pro, Enterprise, or Education (Windows 10)
description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
title: Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education (Windows 10)
description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
keywords: ["assigned access", "kiosk", "lockdown"]
keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
ms.date: 01/31/2018
ms.date: 03/23/2018
---
# Set up a kiosk on Windows 10 Pro, Enterprise, or Education
# Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education
**Applies to**
- Windows 10
> **Looking for Windows Embedded 8.1 Industry information?** See [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653)
A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions.
- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer (Windows 10, version 1607 or later) to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only). In Windows 10, version 1709, you can use the [Provision kiosk devices wizard](#wizard) to configure a kiosk device running a Universal Windows app for Windows 10 Pro.
Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. A single-use, kiosk device is easy to set up in Windows 10. (For kiosks that run more than one more app, see [Create a Windows 10 kiosk that runs multiple apps.](lock-down-windows-10-to-specific-apps.md).)
or
- For a kiosk device to run a Universal Windows app, use the [assigned access](#assigned-access) feature (Windows 10 Pro, Enterprise, or Education).
or
- For a kiosk device to run a Classic Windows application, use [Shell Launcher](#shell-launcher) to set a custom user interface as the shell (Windows 10 Enterprise or Education only).
## Choose a method for configuring your kiosks and digitals signs
**Which type of app will your kiosk run?** Your kiosk can run a Universal Windows Platform (UWP) app or a Classic Windows desktop application. When the kiosk account signs in, the kiosk app will launch automatically. If the kiosk app is closed, it will automatically restart.
>[!TIP]
>To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access).
>For **digital signage**, simply select a digital sign player as your kiosk app.
>[!NOTE]
>A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
**Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk.
## Using a local device as a kiosk
>[!WARNING]
>For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account.
>
>Assigned access can be configured via Windows Mangement Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
**Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home.
### Methods for kiosks and digital signs running a UWP app
Choose this method | For this edition | For this kiosk account type
--- | --- | ---
[Local settings](#local) (for 1 or a few devices) | Pro, Ent, Edu | Local standard user
[PowerShell](#powershell) | Pro, Ent, Edu | Local standard user
[Provisioning](#wizard) | Pro (version 1709), Ent, Edu | Local standard user
[Intune or other mobile device management (MDM)](#set-up-assigned-access-in-mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
### Methods for kiosks and digital signs running a Classic Windows app
Choose this method | For this edition | For this kiosk account type
--- | --- | ---
[Provisioning](#wizard) | Ent, Edu | Local standard user
[ShellLauncher](#shelllauncher) | Ent, Edu | Local standard user or administrator, Active Directory, Azure AD
### Other settings to lock down
For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
Recommendation | How to
--- | ---
Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:</br></br>`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`</br></br>[Learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002)</br></br>You must restart the device after changing the registry.
Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** &gt; **System** &gt; **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
Hide **Ease of access** feature on the logon screen. | Go to **Control Panel** &gt; **Ease of Access** &gt; **Ease of Access Center**, and turn off all accessibility tools.
Disable the hardware power button. | Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
Remove the power button from the sign-in screen. | Go to **Computer Configuration** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Local Policies** &gt;**Security Options** &gt; **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
Disable the camera. | Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.
Turn off app notifications on the lock screen. | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
Disable removable media. | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.</br></br>**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon.
**How to edit the registry to have an account automatically logged on**
1. Open Registry Editor (regedit.exe).
>[!NOTE]  
>If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).
 
2. Go to
**HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon**
3. Set the values for the following keys.
- *AutoAdminLogon*: set value as **1**.
- *DefaultUserName*: set value as the account that you want logged in.
- *DefaultPassword*: set value as the password for the account.
> [!NOTE]
> If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** &gt; **String Value**.
- *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key.
4. Close Registry Editor. The next time the computer restarts, the account will be logged on automatically.
>[!TIP]
>You can also configure automatic logon [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon).
<span id="local"/>
## Set up a kiosk or digital sign in local Settings
>App type: UWP
>
>OS edition: Windows 10 Pro, Ent, Edu
>
>Account type: Local standard user
You can use **Settings** to quickly configure one or a few devices as a kiosk. (Using **Settings** isn't practical for configuring a lot of devices, but it would work.) When you set up a kiosk (also known as *assigned access*) in **Settings**, you must select a local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
@ -48,99 +128,33 @@ If you do not want the kiosk account signed in automatically when the device res
![Screenshot of automatic sign-in setting](images/auto-signin.png)
<span id="wizard" />
## Set up a kiosk using Windows Configuration Designer
**To set up assigned access in PC settings**
When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application.
>[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table.
<table>
<tr><td style="width:45%" valign="top">![step one](images/one.png)![set up device](images/set-up-device.png)</br></br>Enable device setup if you want to configure settings on this page.</br></br>**If enabled:**</br></br>Enter a name for the device.</br></br>(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)</br></br>Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.</br></br>You can also select to remove pre-installed software from the device. </td><td>![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step two](images/two.png) ![set up network](images/set-up-network.png)</br></br>Enable network setup if you want to configure settings on this page.</br></br>**If enabled:**</br></br>Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.</td><td>![Enter network SSID and type](images/set-up-network-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step three](images/three.png) ![account management](images/account-management.png)</br></br>Enable account management if you want to configure settings on this page. </br></br>**If enabled:**</br></br>You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device</br></br>To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.</br></br>**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.</br></br>To create a local administrator account, select that option and enter a user name and password. </br></br>**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. </td><td>![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step four](images/four.png) ![add applications](images/add-applications.png)</br></br>You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)</br></br>**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application. </td><td>![add an application](images/add-applications-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step five](images/five.png) ![add certificates](images/add-certificates.png)</br></br>To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.</td><td>![add a certificate](images/add-certificates-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)</br></br>**Important:** You must use the Windows Configuration Designer app from Microsoft Store to select a Classic Windows application as the kiosk app in a provisioning package.</br></br>You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.</br></br>If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.</br></br>In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Classic Windows app) or the AUMID (for a Universal Windows app). For a Classic Windows app, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.</td><td>![Configure kiosk account and app](images/kiosk-account-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)</br></br>On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.</td><td>![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)</td></tr>
<tr><td style="width:45%" valign="top"> ![finish](images/finish.png)</br></br>You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.</td><td>![Protect your package](images/finish-details.png)</td></tr>
</table>
>[!NOTE]
>If you want to use the advanced editor in Windows Configuration Designer, specify the user account and app (by AUMID) in **Runtime settings** &gt; **AssignedAccess** &gt; **AssignedAccessSettings**
[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md)
 
<span id="assigned-access" />
## Assigned access method for Universal Windows apps
Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access:
| Method | Account type | Windows 10 edition |
| --- | --- | --- |
| [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education |
| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Pro (1709 only), Enterprise, Education |
| [Create a provisioning package using Windows Configuration Designer](#wizard) | All (domain, local standard, local administrator, etc) | Pro (1709 only), Enterprise, Education |
| [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education |
### Requirements
- A domain or local user account.
- A Universal Windows app that is installed or provisioned for that account and is an above lock screen app. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](https://go.microsoft.com/fwlink/p/?LinkId=708386).
The app can be your own company app that you have made available in your own app Store. To set up assigned access using MDM or PowerShell, you also need the Application User Model ID (AUMID) for the app. [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867).
The Universal Windows app must be able to handle multiple views and cannot launch other apps or dialogs.
>[!NOTE]  
>Assigned access does not work on a device that is connected to more than one monitor.
 
### Set up assigned access in PC settings
1. Go to **Start** &gt; **Settings** &gt; **Accounts** &gt; **Other users**.
1. Go to **Start** &gt; **Settings** &gt; **Accounts** &gt; **Other people**.
2. Choose **Set up assigned access**.
3. Choose an account.
4. Choose an app. Only apps that can run above the lock screen will be displayed. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
5. Close **Settings** your choices are saved automatically, and will be applied the next time that user account logs on.
To remove assigned access, choose **Turn off assigned access and sign out of the selected account**.
### Set up assigned access in MDM
Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you enter the user account name and AUMID for the app to run in kiosk mode.
[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867).
[See the technical reference for the Assigned Access configuration service provider.](https://go.microsoft.com/fwlink/p/?LinkId=626608)
<sp id="set-up-assigned-access-wcd" />
>[!NOTE]  
>Single-app kiosk configuration using assigned access does not work on a device that is connected to more than one monitor.
<span id="powershell"/>
## Set up a kiosk or digital sign using Windows PowerShell
### Set up assigned access using Windows PowerShell
>App type: UWP
>
>OS edition: Windows 10 Pro, Ent, Edu
>
>Account type: Local standard user
You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices.
@ -178,50 +192,91 @@ Clear-AssignedAccess
```
### Set up automatic logon
<span id="wizard" />
## Set up a kiosk or digital sign using a provisioning package
When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon.
>App type: UWP or Classic Windows
>
>OS edition: Windows 10 Pro (version 1709) for UWP only; Ent, Edu for both app types
>
>Account type: Local standard user
Edit the registry to have an account automatically logged on.
When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application.
1. Open Registry Editor (regedit.exe).
>[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
>[!NOTE]  
>If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).
 
2. Go to
[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table.
**HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon**
3. Set the values for the following keys.
- *AutoAdminLogon*: set value as **1**.
<table>
<tr><td style="width:45%" valign="top">![step one](images/one.png)![set up device](images/set-up-device.png)</br></br>Enable device setup if you want to configure settings on this page.</br></br>**If enabled:**</br></br>Enter a name for the device.</br></br>(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)</br></br>Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.</br></br>You can also select to remove pre-installed software from the device. </td><td>![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step two](images/two.png) ![set up network](images/set-up-network.png)</br></br>Enable network setup if you want to configure settings on this page.</br></br>**If enabled:**</br></br>Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.</td><td>![Enter network SSID and type](images/set-up-network-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step three](images/three.png) ![account management](images/account-management.png)</br></br>Enable account management if you want to configure settings on this page. </br></br>**If enabled:**</br></br>You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device</br></br>To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.</br></br>**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.</br></br>To create a local administrator account, select that option and enter a user name and password. </br></br>**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. </td><td>![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step four](images/four.png) ![add applications](images/add-applications.png)</br></br>You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)</br></br>**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application. </td><td>![add an application](images/add-applications-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step five](images/five.png) ![add certificates](images/add-certificates.png)</br></br>To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.</td><td>![add a certificate](images/add-certificates-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)</br></br>You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.</br></br>If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.</br></br>In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Classic Windows app) or the AUMID (for a Universal Windows app). For a Classic Windows app, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.</td><td>![Configure kiosk account and app](images/kiosk-account-details.png)</td></tr>
<tr><td style="width:45%" valign="top">![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)</br></br>On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.</td><td>![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)</td></tr>
<tr><td style="width:45%" valign="top"> ![finish](images/finish.png)</br></br>You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.</td><td>![Protect your package](images/finish-details.png)</td></tr>
</table>
- *DefaultUserName*: set value as the account that you want logged in.
- *DefaultPassword*: set value as the password for the account.
>[!NOTE]
>If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** &gt; **AssignedAccess** &gt; **AssignedAccessSettings**
> [!NOTE]
> If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** &gt; **String Value**.
- *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key.
4. Close Registry Editor. The next time the computer restarts, the account will be logged on automatically.
### Sign out of assigned access
To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account.
[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md)
If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI**
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
<span id="shell-launcher" />
## Shell Launcher for Classic Windows applications
 
## Set up a kiosk or digital sign in Intune or other MDM service
>App type: UWP
>
>OS edition: Windows 10 Pro (version 1709), Ent, Edu
>
>Account type: Local standard user, Azure AD
Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a KioskModeApp setting. In the KioskModeApp setting, you enter the user account name and [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode.
The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider.
**To configure kiosk in Microsoft Intune**
2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
3. Select **Device configuration**.
4. Select **Profiles**.
5. Select **Create profile**.
6. Enter a friendly name for the profile.
7. Select **Windows 10 and later** for the platform.
8. Select **Device restrictions** for the profile type.
9. Select **Kiosk**.
10. In **Kiosk Mode**, select **Single app kiosk**.
1. Enter the user account (Azure AD or a local standard user account).
11. Enter the Application User Model ID for an installed app.
14. Select **OK**, and then select **Create**.
18. Assign the profile to a device group to configure the devices in that group as kiosks.
<span id="shelllauncher" />
## Set up a kiosk or digital sign using Shell Launcher
>App type: Classic Windows
>
>OS edition: Windows 10 Ent, Edu
>
>Account type: Local standard user or administrator, Active Directory, Azure AD
Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
@ -239,6 +294,7 @@ Using Shell Launcher, you can configure a kiosk device that runs a Classic Windo
[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603)
### Configure Shell Launcher
To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell.
@ -399,41 +455,15 @@ $IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
```
## Other settings to lock down
## Sign out of assigned access
To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account.
For a more secure kiosk experience, we recommend that you make the following configuration changes to the device:
If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
- Put device in **Tablet mode**.
**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI**
If you want users to be able to use the touch (on screen) keyboard, go to **Settings** &gt; **System** &gt; **Tablet mode** and choose **On.**
- Hide **Ease of access** feature on the logon screen.
Go to **Control Panel** &gt; **Ease of Access** &gt; **Ease of Access Center**, and turn off all accessibility tools.
- Disable the hardware power button.
Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
- Remove the power button from the sign-in screen.
Go to **Computer Configuration** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Local Policies** &gt;**Security Options** &gt; **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
- Disable the camera.
Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.
- Turn off app notifications on the lock screen.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
- Disable removable media.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
>[!NOTE]  
>To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
 
## Related topics

2
windows/configuration/wcd/wcd-accounts.md
View File

@ -29,7 +29,7 @@ The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Di
- [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md)
- [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
- [Instructions for the kiosk wizard](../set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard)
- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard)
## ComputerAccount

2
windows/deployment/TOC.md
View File

@ -241,7 +241,6 @@
##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md)
##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
#### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md)
### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
#### [Get started with Update Compliance](update/update-compliance-get-started.md)
#### [Use Update Compliance](update/update-compliance-using.md)
@ -249,6 +248,7 @@
##### [Security Update Status report](update/update-compliance-security-update-status.md)
##### [Feature Update Status report](update/update-compliance-feature-update-status.md)
##### [Windows Defender AV Status report](update/update-compliance-wd-av-status.md)
##### [Delivery Optimization in Update Compliance](update/update-compliance-delivery-optimization.md)
##### [Update Compliance Perspectives](update/update-compliance-perspectives.md)
### [Device Health](update/device-health-monitor.md)
#### [Get started with Device Health](update/device-health-get-started.md)

BIN
windows/deployment/update/images/uc-DO-status.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 71 KiB

BIN
windows/deployment/update/images/upgrade-analytics-unsubscribe.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

42
windows/deployment/update/update-compliance-delivery-optimization.md Normal file
View File

@ -0,0 +1,42 @@
---
title: Delivery Optimization in Update Compliance (Windows 10)
description: new Delivery Optimization data displayed in Update Compliance
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 03/27/2018
---
# Delivery Optimization in Update Compliance
The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
## Delivery Optimization Status
The Delivery Optimization Status section includes three blades:
- The **Device Configuration** blade shows a breakdown of download configuration for each device
- The **Content Distribution (%)** blade shows the percentage of bandwidth savings for each category
- The **Content Distribution (GB)** blade shows the total amount of data seen from each content type broken down by the download source (peers vs non-peers).
![DO status](images/uc-DO-status.png)
## Device Configuration blade
Devices can be set to use different download modes; these download modes determine in what situations Delivery Optimization will use peer-to-peer distribution to accomplish the downloads. The top section shows the number of devices configured to use peer-to-peer distribution in *Peering On* compared to *Peering Off* modes. The table shows a breakdown of the various download mode configurations seen in your environment. For more information about the different configuration options, see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md#download-mode).
## Content Distribution (%) blade
The first of two blades showing information on content breakdown, this blade shows a ring chart summarizing **Bandwidth Savings %**, which is the percentage of data received from peer sources out of the total data downloaded (for any device that used peer-to-peer distribution).
The table breaks down the Bandwidth Savings % into specific content categories along with the number of devices seen downloading the given content type that used peer-to-peer distribution.
## Content Distribution (GB) blade
The second of two blades showing information on content breakdown, this blade shows a ring chart summarizing the total bytes downloaded by using peer-to-peer distribution compared to HTTP distribution.
The table breaks down the number of bytes from each download source into specific content categories, along with the number of devices seen downloading the given content type that used peer-to-peer distribution.
The download sources that could be included are:
- LAN Bytes: Bytes downloaded from LAN Peers which are other devices on the same local network
- Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the “Group” download mode is used)
- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates.

4
windows/deployment/update/update-compliance-using.md
View File

@ -5,8 +5,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: DaniHalfin
ms.author: daniha
author: jaimeo
ms.author: jaimeo
ms.date: 10/13/2017
---

2
windows/deployment/update/waas-windows-insider-for-business.md
View File

@ -145,6 +145,7 @@ The Slow Windows Insider level is for users who prefer to see new builds of Wind
* Builds are sent to the Slow Ring after feedback has been received from Windows Insiders within the Fast Ring and analyzed by our Engineering teams.
* These builds will include updates to fix key issues that would prevent many Windows Insiders from being able to use the build on a daily basis.
* These builds still might have issues that would be addressed in a future flight.
* These builds are typically released once a month.
### Fast
@ -154,6 +155,7 @@ Best for Windows Insiders who prefer being the first to get access to builds and
* Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features might work on some devices but might fail in other device configurations.
* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked.
* Remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community forum.
* These builds are typically released once a week.
>[!NOTE]
>Once your device is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your device will be auto-targeted for the next available flight for your selected ring. For the first build on any given device, this might take up to 24 hours to complete.

33
windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
View File

@ -31,12 +31,16 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win
[Upgrade Readiness doesn't show IE site discovery data from some devices](#upgrade-readiness-doesnt-show-ie-site-discovery-data-from-some-devices)
[Disable Upgrade Readiness](#disable-upgrade-readiness)
### Devices not showing up
In Log Analytics, go to **Settings > Connected sources > Windows telemetry** and verify that you are subscribed to the Windows Analytics solutions you intend to use.
Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices with a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/05/12/wheres-my-data/) on the Windows Analytics blog.
>[!NOTE]
> If you generate the status report and get an error message saying "Sorry! Were not recognizing your Commercial Id," please go to **Settings > Connected sources > Windows telemetry** and unsubscribe, wait a minute and then re-subscribe to Upgrade Readiness. This is a known issue and we are working on a fix.
If devices are not showing up as expected, find a representative device and follow these steps to run the latest pilot version of the Upgrade Readiness deployment script on it to troubleshoot issues:
@ -49,9 +53,9 @@ If devices are not showing up as expected, find a representative device and foll
If you want to check a large number of devices, you should run the latest script at scale from your management tool of choice (for example, System Center Configuration Manager) and check the results centrally.
If you think the issue might be related to a network proxy, check "Enable data sharing" section of the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic. Also see [Understanding connectivity scenarios and the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog.
### Device Health crash data not appearing
#### Is WER disabled?
@ -151,7 +155,25 @@ Double-check that IE site discovery opt-in has been configured in the deployment
Also, on Windows 10 devices remember that IE site discovery requires data diagnostics set to the Enhanced level.
Finally, Upgrade Readiness only collects IE site discovery data on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded).
[comment]: # (Device names are not showing up properly? Starting with Windows 10 1803, the device name is no longer collected by default and requires a separate opt-in by setting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowDeviceNameInTelemetry:DWORD == 1. This is done by default if you run the latest version of the deployment script, or can be set via policy. If the policy is not set, then the device name will show up as "Unknown (aka.ms/analyticsDeviceName)")
### Device Names don't show up on Windows 10 devices
Starting with the build currently available in the Windows Insider Program, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
### Disable Upgrade Readiness
If you want to stop using Upgrade Readiness and stop sending diagnostic data data to Microsoft, follow these steps:
1. Unsubscribe from the Upgrade Readiness solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option.
![Upgrade Readiness unsubscribe](images/upgrade-analytics-unsubscribe.png)
2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the diagnostic data level to **Security**:
**Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*
**Windows 10**: Follow the instructions in the [Configure Windows diagnostic data in your organization](/configuration/configure-windows-diagnostic-data-in-your-organization.md) topic.
3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*.
4. **Optional step:** You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection".
## Other common questions
@ -165,7 +187,12 @@ Finally, Upgrade Readiness only collects IE site discovery data on devices that
>[!NOTE]
> Regarding licensing requirements for Device Health, you do not need per-seat licensing, but only enough licenses to cover your total device usage. For example, if you have 100 E3 licenses, you can monitor 100 devices with Device Health.
Beyond the cost of Windows operating system licenses, there is no additional cost for using Windows Analytics. In Azure Log Analytics, Windows Analytics is "zero-rated;" this means it is excluded from data limits and costs regardless of the Azure Log Analytics pricing tier you have chosen.
Beyond the cost of Windows operating system licenses, there is no additional cost for using Windows Analytics. Within Azure Log Analytics, Windows Analytics is "zero-rated;" this means it is excluded from data limits and costs regardless of the Azure Log Analytics pricing tier you have chosen. To be more specific, Azure Log Analytics is available in different pricing tiers as described in [Pricing - Log Analytics](https://azure.microsoft.com/pricing/details/log-analytics/).
- If you are using the free tier, which has a cap on the amount of data collected per day, the Windows Analytics data will not count towards this cap. You will be able to collect all the Windows Analytics data from your devices and still have the full cap available for collecting additional data from other sources.
- If you are using a paid tier that charges per GB of data collected, the Windows Analytics data will not be charged. You will be able to collect all the Windows Analytics data from your devices and not incur any costs.
Note that different Azure Log Analytics plans have different data retention periods, and the Windows Analytics solutions inherit the workspace's data retention policy. So, for example, if your workspace is on the free plan then Windows Analytics will retain the last week's worth of "daily snapshots" that are collected in the workspace.
### How does Windows Analytics support privacy?

20
windows/deployment/update/windows-analytics-get-started.md
View File

@ -44,9 +44,9 @@ To enable data sharing, configure your proxy sever to whitelist the following en
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
| `https://v10.events.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for Windows 10, version 1803|
| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for Windows 10, version 1709 or earlier |
| `https://vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for operating systems older than Windows 10 |
| `https://v10.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with the build of Windows 10 available in the Windows Insider Program|
| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier |
| `https://vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for operating systems older than Windows 10 |
| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft.
| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
@ -58,7 +58,7 @@ To enable data sharing, configure your proxy sever to whitelist the following en
### Configuring endpoint access with proxy servers
If your organization uses proxy server authentication for outbound traffic, use one or more of the following approaches to ensure that the diagnostic data is not blocked by proxy authentication:
- **Best option:** Configure your proxy servers to **not** require proxy authentication for any traffic to the diagnostic data endpoints. This is the most comprehensive solution and it works for all versions of Windows 10.
- **Best option:** Configure your proxy servers to **not** require proxy authentication for any traffic to the diagnostic data endpoints. In particular, disable SSL inspection. Windows checks for a Microsoft SSL certificate on the site, and this will be stripped and replaced if the proxy performs inspection. This is the most comprehensive solution and it works for all versions of Windows 10.
- **User proxy authentication:** Alternatively, you can configure devices on the user side. First, update the devices to Windows 10, version 1703 or later. Then, ensure that users of the devices have proxy permission to reach the diagnostic data endpoints. This requires that the devices have console users with proxy permissions, so you couldn't use this method with headless devices.
- **Device proxy authentication:** Another option--the most complex--is as follows: First, configure a system level proxy server on the devices. Then, configure these devices to use machine-account-based outbound proxy authentication. Finally, configure proxy servers to allow the machine accounts access to the diagnostic data endpoints.
@ -69,13 +69,16 @@ The compatibility update scans your devices and enables application usage tracki
| **Operating System** | **Updates** |
|----------------------|-----------------------------------------------------------------------------|
| Windows 10 | The latest cumulative updates must be installed on Windows 10 devices to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com) <P>Note: Windows 10 LTSB is not supported by Upgrade Readiness. See [Upgrade readiness requirements](../upgrade/upgrade-readiness-requirements.md) for more information. |
| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)<br>Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed. <br>For more information about this update, see <https://support.microsoft.com/kb/2976978><br><BR>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>**NOTE:** KB2976978 is a critical update, so it should already be installed by your management tool. You should, however, verify that it was deployed. |
| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664) <br>Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed. <br>For more information about this update, see <https://support.microsoft.com/kb/2952664><br><BR>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this update, see <https://support.microsoft.com/kb/3150513><br>**NOTE:** If KB 3510513 is reported as out of date, you should manually find a recent version at [KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513) and ensure that it is installed and deployed. |
| Windows 10 | Windows 10 includes the compatibility update, so you will automatically have the latest compatibility update so long as you continue to keep your Windows 10 devices up-to-date with cummulative updates. <P>Note: Windows 10 LTSB is not supported by Upgrade Readiness. See [Upgrade readiness requirements](../upgrade/upgrade-readiness-requirements.md) for more information. |
| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)<br>Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed. <br>For more information about this update, see <https://support.microsoft.com/kb/2976978>|
| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664) <br>Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed. <br>For more information about this update, see <https://support.microsoft.com/kb/2952664>|
>[!IMPORTANT]
>Restart devices after you install the compatibility updates for the first time.
>[!NOTE]
>We recommend you configure your update management tool to automatically install the latest version of these updates. There is a related optional update, [KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513), which can provide updated configuration and definitions for older compatibiltiy updates. For more information about this optional update, see <https://support.microsoft.com/kb/3150513>.
If you are planning to enable IE Site Discovery in Upgrade Readiness, you will need to install a few additional updates.
@ -134,6 +137,7 @@ These policies are under Microsoft\Windows\DataCollection:
| CommercialId | In order for your devices to show up in Windows Analytics, they must be configured with your organizations Commercial ID. |
| AllowTelemetry (in Windows 10) | 1 (Basic), 2 (Enhanced) or 3 (Full) diagnostic data. Windows Analytics will work with basic diagnostic data, but more features are available when you use the Enhanced level (for example, Device Health requires Enhanced diagnostic data and Upgrade Readiness only collects app usage and site discovery data on Windows 10 devices with Enhanced diagnostic data). For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). |
| LimitEnhancedDiagnosticDataWindowsAnalytics (in Windows 10) | Only applies when AllowTelemetry=2. Limits the Enhanced diagnostic data events sent to Microsoft to just those needed by Windows Analytics. For more information, see [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields).|
| AllowDeviceNameInTelemetry (in Windows 10) | In the build currently available in the Windows Insider Program for Windows 10, a separate opt-in is required to enable devices to continue to send the device name. |
| CommercialDataOptIn (in Windows 7 and Windows 8) | 1 is required for Upgrade Readiness, which is the only solution that runs on Windows 7 or Windows 8. |
@ -150,4 +154,4 @@ For more information about Internet Explorer Security Zones, see [About URL Secu
### Distribution at scale without using the deployment script
We recommend using the deployment script to configure devices. However if this is not an option, you can still manage settings by policy as described in the previous section. However, if you don't run the deployment script, you might have to wait a long time (possibly weeks) before devices send the initial full inventory scan.
We recommend using the deployment script to configure devices. However if this is not an option, you can still manage settings by policy as described in the previous section. However, if you don't run the deployment script, you might have to wait a long time (possibly weeks) before devices send the initial full inventory scan.

40
windows/deployment/upgrade/troubleshoot-upgrade-readiness.md
View File

@ -1,39 +1,3 @@
---
title: Troubleshoot Upgrade Readiness (Windows 10)
description: Provides troubleshooting information for Upgrade Readiness.
ms.prod: w10
author: greg-lindsay
ms.date: 04/19/2017
---
# Troubleshoot Upgrade Readiness
If youre having issues seeing data in Upgrade Readiness after running the Upgrade Readiness Deployment script, make sure it completes successfully without any errors. Check the output of the script in the command window and/or log UA_dateTime_machineName.txt to ensure all steps were completed successfully. In addition, we recommend that you wait at least 48 hours before checking OMS for data after the script first completes without reporting any error.
If you still dont see data in Upgrade Readiness, follow these steps:
1. Download and extract the [Upgrade Readiness Deployment Script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). Ensure the “Pilot/Diagnostics” folder is included .
2. Edit the script as described in [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md).
3. Check that isVerboseLogging is set to $true.
4. Run the script again. Log files will be saved to the directory specified in the script.
5. Open a support case with Microsoft Support through your regular channel and provide this information.
## Disable Upgrade Readiness
If you want to stop using Upgrade Readiness and stop sending diagnostic data data to Microsoft, follow these steps:
1. Unsubscribe from the Upgrade Readiness solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option.
![Upgrade Readiness unsubscribe](../images/upgrade-analytics-unsubscribe.png)
2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the diagnostic data level to **Security**:
**Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*
**Windows 10**: Follow the instructions in the [Configure Windows diagnostic data in your organization](/configuration/configure-windows-diagnostic-data-in-your-organization.md) topic.
3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*.
4. You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". **This is an optional step**.
redirect_url: /windows/deployment/update/windows-analytics-FAQ-troubleshooting
---

2
windows/deployment/upgrade/upgrade-readiness-get-started.md
View File

@ -37,7 +37,7 @@ To enable system, application, and driver data to be shared with Microsoft, you
Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
>[!IMPORTANT]
>Upgrade Readiness is a free solution for Azure subsribers. When configured correctly, all data associated with the Upgrade Readiness solution are exempt from billing in both OMS and Azure. Upgrade Readiness data **do not** count toward OMS daily upload limits.
>Upgrade Readiness is a free solution for Azure subscribers. When configured correctly, all data associated with the Upgrade Readiness solution are exempt from billing in both OMS and Azure. Upgrade Readiness data **do not** count toward OMS daily upload limits. The Upgrade Readiness service will ingest a full snapshot of your data into your OMS workspace on a daily basis. Each snapshot includes all of your devices that have been active within the past 30 days regardless of your OMS retention period.
If you are already using OMS, youll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. While you have this dialog open, you should also consider adding the [Device Health](../update/device-health-monitor.md) and [Update Compliance](../update/update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions.

88
windows/security/identity-protection/access-control/active-directory-security-groups.md
View File

@ -312,211 +312,218 @@ The following tables provide descriptions of the default groups that are located
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
</tr>
<tr class="even">
<td><p>[Enterprise Key Admins](#bkmk-enterprise-key-admins)</p></td>
<td><p>Yes</p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>[Enterprise Read-only Domain Controllers](#bkmk-entrodc)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[Event Log Readers](#bkmk-eventlogreaders)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[Group Policy Creator Owners](#bkmk-gpcreatorsowners)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[Guests](#bkmk-guests)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[Hyper-V Administrators](#bkmk-hypervadministrators)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[IIS_IUSRS](#bkmk-iis-iusrs)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[Incoming Forest Trust Builders](#bkmk-inforesttrustbldrs)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[Key Admins](#key-admins)</p></td>
<td><p>Yes</p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[Network Configuration Operators](#bkmk-networkcfgoperators)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[Performance Log Users](#bkmk-perflogusers)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[Performance Monitor Users](#bkmk-perfmonitorusers)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[PreWindows 2000 Compatible Access](#bkmk-pre-ws2kcompataccess)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[Print Operators](#bkmk-printoperators)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[Protected Users](#bkmk-protectedusers)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p></p></td>
<td><p></p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[RAS and IAS Servers](#bkmk-rasandias)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[RDS Endpoint Servers](#bkmk-rdsendpointservers)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[RDS Management Servers](#bkmk-rdsmanagementservers)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[RDS Remote Access Servers](#bkmk-rdsremoteaccessservers)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[Read-only Domain Controllers](#bkmk-rodc)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[Remote Desktop Users](#bkmk-remotedesktopusers)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[Remote Management Users](#bkmk-remotemanagementusers)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[Replicator](#bkmk-replicator)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[Schema Admins](#bkmk-schemaadmins)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[Server Operators](#bkmk-serveroperators)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[Storage Replica Administrators](#storage-replica-administrators)</p></td>
<td><p>Yes</p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[System Managed Accounts Group](#system-managed-accounts-group)</p></td>
<td><p>Yes</p></td>
<td><p></p></td>
<td><p></p></td>
<td><p></p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[Terminal Server License Servers](#bkmk-terminalserverlic)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[Users](#bkmk-users)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[Windows Authorization Access Group](#bkmk-winauthaccess)</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[WinRMRemoteWMIUsers_](#bkmk-winrmremotewmiusers-)</p></td>
<td><p></p></td>
<td><p>Yes</p></td>
@ -1756,8 +1763,25 @@ This security group has not changed since Windows Server 2008.
</tbody>
</table>
 
### Enterprise Key Admins
Members of this group can perform administrative actions on key objects within the forest.
The Enterprise Key Admins group was introduced in Windows Server 2016.
| Attribute | Value |
|-----------|-------|
| Well-Known SID/RID | S-1-5-21-&lt;domain&gt;-527 |
| Type | Global |
| Default container | CN=Users, DC=&lt;domain&gt;, DC= |
| Default members | None |
| Default member of | None |
| Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Yes |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | None |
 
### <a href="" id="bkmk-entrodc"></a>Enterprise Read-Only Domain Controllers
Members of this group are Read-Only Domain Controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the Read-only domain controller. Changes must be made on a writable domain controller and then replicated to the Read-only domain controller.
@ -2226,7 +2250,7 @@ The Key Admins group applies to versions of the Windows Server operating system
| Attribute | Value |
|-----------|-------|
| Well-Known SID/RID | S-1-5-21-4195037842-338827918-94892514-526 |
| Well-Known SID/RID | S-1-5-21-&lt;domain&gt;-526 |
| Type | Global |
| Default container | CN=Users, DC=&lt;domain&gt;, DC= |
| Default members | None |

10
windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
View File

@ -6,10 +6,10 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: DaniHalfin
ms.localizationpriority: high
ms.author: daniha
ms.date: 09/08/2017
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
ms.date: 03/26/2018
---
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services
@ -36,7 +36,7 @@ Prepare the Active Directory Federation Services deployment by installing and up
Sign-in the federation server with _local admin_ equivalent credentials.
1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If youre not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed.
2. Ensure the latest server updates to the federation server includes [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658).
2. Ensure the latest server updates to the federation server includes [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889).
>[!IMPORTANT]
>The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers.

4
windows/security/identity-protection/hello-for-business/hello-features.md
View File

@ -150,6 +150,6 @@ On-premises deployments provide users with the ability to reset forgotton PINs e
The privileged credentials scenario enables administrators to perform elevated, admistrative funcions by enrolling both their non-privileged and privileged credentials on their device.
By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, Allow enumeration of emulated smartd card for all users, you can configure a device to all this enumeration on selected devices.
By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, Allow enumeration of emulated smart card for all users, you can configure a device to all this enumeration on selected devices.
With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal workflow such as email, but can launch Microsoft Managment Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternativing between privileged and non-privileged workloads.
With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal workflow such as email, but can launch Microsoft Managment Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternativing between privileged and non-privileged workloads.

4
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
ms.date: 02/23/2018
ms.date: 03/26/2018
---
# Configure Device Registration for Hybrid Windows Hello for Business
@ -88,7 +88,7 @@ Once you have your AD FS design ready, review [Deploying a Federation Server far
> [!IMPORTANT]
> During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures.
The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658), which is automatically downloaded and installed through Windows Update. If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
#### ADFS Web Proxy ###
Federation server proxies are computers that run AD FS software that have been configured manually to act in the proxy role. You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on your corporate network.

6
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
ms.date: 11/08/2017
ms.date: 03/26/2018
---
# Hybrid Windows Hello for Business Prerequisites
@ -80,12 +80,12 @@ Organizations using older directory synchronization technology, such as DirSync
## Federation ##
Federating your on-premises Active Directory with Azure Active Directory ensures all identities have access to all resources regardless if they reside in cloud or on-premises. Windows Hello for Business hybrid certificate trust needs Windows Server 2016 Active Directory Federation Services. All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices.
The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658), which is automatically downloaded and installed through Windows Update. If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
### Section Review ###
> [!div class="checklist"]
> * Windows Server 2016 Active Directory Federation Services
> * Minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658)
> * Minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889)
<br>

8
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
ms.date: 10/23/2017
ms.date: 03/26/2018
---
# Hybrid Windows Hello for Business Provisioning
@ -48,12 +48,14 @@ The provisioning flow has all the information it needs to complete the Windows H
The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect syncrhonizes the user's key to the on-prem Active Directory.
> [!IMPORTANT]
> The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval.
> The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889).
> The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval.
> **This synchronization latency delays the the user's ability to authenticate and use on-premises resouces until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
> Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
> [!NOTE]
> Microsoft is actively investigating ways to reduce the syncrhonization latency and delays in certificate enrollment with the goal to make certificate enrollment occur real-time.
> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning.
After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment.

7
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security, mobile
localizationpriority: high
author: mikestephens-MS
ms.author: mstephen
ms.date: 10/23/2017
ms.date: 03/26/2018
---
# Configure Windows Hello for Business: Active Directory Federation Services
@ -36,11 +36,6 @@ Sign-in the AD FS server with *Domain Admin* equivalent credentials.
```
The `Set-AdfsCertificateAuthority` cmdlet should show the following warning:
>WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured.
This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in.
>[!NOTE]
> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.

4
windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
ms.date: 10/20/2017
ms.date: 03/26/2018
---
# Windows Hello for Business Key Trust New Installation
@ -70,7 +70,7 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o
## Configure a Production Public Key Infrastructure
If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session.
If you do not have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session.
> [!IMPORTANT]
> For Azure AD joined device to authenticate to and use on-premises resources, ensure you:

8
windows/security/identity-protection/hello-for-business/hello-identity-verification.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
ms.date: 12/04/2017
ms.date: 03/26/2018
---
# Windows Hello for Business
@ -43,12 +43,12 @@ The table shows the minimum requirements for each deployment.
| Key trust</br>Group Policy managed | Certificate trust</br>Mixed managed | Key trust</br>Modern managed | Certificate trust</br>Modern managed |
| --- | --- | --- | --- |
| Windows 10, version 1511 or later| Windows 10, version 1703 or later (domain joined)</br>Windows 10, version 1511 or later (cloud joined) | Windows 10, version 1511 or later | Windows 10, version 1511 or later |
| Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**<br> *Minimum:* Windows 10, version 1703<br> *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).</br>**Azure AD Joined:**<br> Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later |
| Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema |
| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level| Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level |
| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
| N/A | Windows Server 2016 AD FS with KB4022723 update (domain joined), and</br>Windows Server 2012 or later Network Device Enrollment Service (cloud joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service |
| N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/en-us/help/4088889) (hybrid Azure AD joined clients),<br> and</br>Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service |
| Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter| Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter |
| Azure Account | Azure Account | Azure Account | Azure Account |
| Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory |
@ -65,7 +65,7 @@ The table shows the minimum requirements for each deployment.
| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
| Windows Server 2016 AD FS with [KB4022723 update](https://support.microsoft.com/en-us/help/4022723) | Windows Server 2016 AD FS with [KB4022723 update](https://support.microsoft.com/en-us/help/4022723) |
| Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/en-us/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/en-us/help/4088889) |
| AD FS with Azure MFA Server, or</br>AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or</br>AD FS with 3rd Party MFA Adapter |
| Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing |

4
windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
ms.date: 10/10/2017
ms.date: 03/26/2018
---
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services
@ -36,7 +36,7 @@ Prepare the Active Directory Federation Services deployment by installing and up
Sign-in the federation server with _local admin_ equivalent credentials.
1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If youre not using Windows Update for updates, please review the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed.
2. Ensure the latest server updates to the federation server includes [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658).
2. Ensure the latest server updates to the federation server includes [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889).
>[!IMPORTANT]
>The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers.

35
windows/security/identity-protection/hello-for-business/hello-planning-guide.md
View File

@ -9,13 +9,12 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
ms.date: 10/20/2017
ms.date: 03/26/2018
---
# Planning a Windows Hello for Business Deployment
**Applies to**
- Windows 10
- Windows 10 Mobile
> This guide only applies to Windows 10, version 1511 or higher.
@ -70,7 +69,7 @@ Its fundamentally important to understand which deployment model to use for a
#### Trust types
A deployments trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trusts types, key trust and certificate trust.
A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during an in-box provisioning experience, which requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
@ -86,9 +85,9 @@ The in-box Windows Hello for Business provisioning experience creates a hardware
#### Multifactor authentication
The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that providers easy two-factor authentication. The inbox provisioning experience accepts the users weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.
The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The inbox provisioning experience accepts the users weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.
Cloud only and hybrid deployments provide many choices for multifactor authentication. On-premises deployments must use a multifactor authentication that provides an AD FS multifactor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use from the on-premises Azure Multifactor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
Cloud only and hybrid deployments provide many choices for multifactor authentication. On-premises deployments must use a multifactor authentication that provides an AD FS multifactor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multifactor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
>[!NOTE]
> Azure Multi-Factor Authentication is available through:
>* Microsoft Enterprise Agreement
@ -102,11 +101,11 @@ Cloud only and hybrid deployments provide many choices for multifactor authentic
#### Directory synchronization
Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose. Hybrid deployments use Azure Active Directory Connect to synchronization Active Directory identities or credentials between itself and Azure Active Directory. This helps enable single sign-on to Azure Active Directory and its federated components.
Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose. Hybrid deployments use Azure Active Directory Connect to synchronize Active Directory identities or credentials between itself and Azure Active Directory. This helps enable single sign-on to Azure Active Directory and its federated components.
### Management
Windows Hello for Business provides organizations with a rich set of granular policy setting with which they can use to manage their devices and users. There are three ways in which you can manage Windows Hello for Business: Group Policy, Modern Management, and Mixed.
Windows Hello for Business provides organizations with a rich set of granular policy settings with which they can use to manage their devices and users. There are three ways in which you can manage Windows Hello for Business: Group Policy, Modern Management, and Mixed.
#### Group Policy
@ -129,11 +128,11 @@ Hybrid and on-premises deployments include Active Directory as part of their inf
### Public Key Infrastructure
The Windows Hello for Business deployment depends on an enterprise public key infrastructure a trust anchor for authentication. Domain controllers for hybrid and on-prem deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources.
The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-prem deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources.
### Cloud
Some deployment combinations require an Azure account and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiate the components that are needed from the those that are optional.
Some deployment combinations require an Azure account and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from the those that are optional.
## Planning a Deployment
@ -147,13 +146,13 @@ Choose the deployment model based on the resources your users access. Use the f
If your organization does not have on-premises resources, write **Cloud Only** in box **1a** on your planning worksheet.
If your organization is federated with Azure or uses any online service, such as Office365 or OneDrive, or your users access cloud and on-premises resources, write **Hyrbid** in box **1a** on your planning worksheet.
If your organization is federated with Azure or uses any online service, such as Office365 or OneDrive, or your users access cloud and on-premises resources, write **Hybrid** in box **1a** on your planning worksheet.
If your organization does not have cloud resources, write **On-Premises** in box **1a** on your planning worksheet.
>[!NOTE]
>If youre unsure if your organization is federated, run the following Active Directory Windows PowerShell command from and elevated Windows PowerShell prompt and evaluate the results.
>```Get-AdObject “CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com -Properties keywords```
>* If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. If the object truly does not exists, then you environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type.
>If youre unsure if your organization is federated, run the following Active Directory Windows PowerShell command from an elevated Windows PowerShell prompt and evaluate the results.
>```Get-AdObject “CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com" -Properties keywords```
>* If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. If the object truly does not exist, then you environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type.
>* If the command returns a value, compare that value with the values below. The value indicates the deployment model you should implement
> * If the value begins with **azureADName:** write **Hybrid** in box **1a**on your planning worksheet.
> * If the value begins with **enterpriseDrsName:** write **On-Premises** in box **1a** on your planning worksheet.
@ -176,7 +175,7 @@ A successful Windows Hello for Business requires all devices to register with th
If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Azure** in box **1c** on your planning worksheet.
If box **1a** on your planning worksheet reads **on-premises**, write **AF FS** in box **1c** on your planning worksheet.
If box **1a** on your planning worksheet reads **on-premises**, write **AD FS** in box **1c** on your planning worksheet.
### Key Registration
@ -184,7 +183,7 @@ All users provisioning Windows Hello for Business have their public key register
If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Azure** in box **1d** on your planning worksheet.
If box **1a** on your planning worksheet reads **on-premises**, write **AF FS** in box **1d** on your planning worksheet.
If box **1a** on your planning worksheet reads **on-premises**, write **AD FS** in box **1d** on your planning worksheet.
### Directory Synchronization
@ -235,7 +234,7 @@ If box **1a** on your planning worksheet reads **on-prem**, write **GP** in box
Managing hybrid deployments includes two categories of devices to consider for your Windows Hello for Business deployment—domain joined and non-domain joined. All devices are registered, however, not all devices are domain joined. You have the option of using Group Policy for domain joined devices and modern management for non-domain joined devices. Or, you can use modern management for both domain and non-domain joined devices.
If you use Group Policy to manage your domain joined devices, write **GP** in box **2a** on your planning worksheet, Write **modern management** in box **2b** if you decide to manage non-domain joined devices; otherwise, write **N/A**.
If you use Group Policy to manage your domain joined devices, write **GP** in box **2a** on your planning worksheet. Write **modern management** in box **2b** if you decide to manage non-domain joined devices; otherwise, write **N/A**.
If you use modern management for both domain and non-domain joined devices, write **modern management** in box **2a** and **2b** on your planning worksheet.
@ -261,7 +260,7 @@ Write **1703 or later** in box **3a** on your planning worksheet if any of the f
### Active Directory
The Active Directory portion of the planning guide should be complete. Most of conditions are baseline prerequisites except for your domain controllers. The domain controllers used in your deployment are decided by the chosen trust type.
The Active Directory portion of the planning guide should be complete. Most of the conditions are baseline prerequisites except for your domain controllers. The domain controllers used in your deployment are decided by the chosen trust type.
Review the trust type portion of this section if box **4d** on your planning worksheet remains empty.
@ -306,7 +305,7 @@ Nearly all deployments of Windows Hello for Business require an Azure account.
If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Yes** in boxes **6a** and **6b** on your planning worksheet.
If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **1f** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments do not use the cloud directory.
If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **6a** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments do not use the cloud directory.
Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies do.

11
windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
View File

@ -24,15 +24,6 @@ This article assumes that you understand how to set up AD DS to back up BitLock
This article does not detail how to configure AD DS to store the BitLocker recovery information.
This article contains the following topics:
- [What Is BitLocker Recovery?](#bkmk-whatisrecovery)
- [Testing Recovery](#bkmk-testingrecovery)
- [Planning Your Recovery Process](#bkmk-planningrecovery)
- [Using Additional Recovery Information](#bkmk-usingaddrecovery)
- [Resetting Recovery Passwords](#bkmk-appendixb)
- [Retrieving the BitLocker Key Package](#bkmk-appendixc)
## <a href="" id="bkmk-whatisrecovery"></a>What is BitLocker recovery?
BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario you have the following options to restore access to the drive:
@ -109,7 +100,7 @@ Before you create a thorough BitLocker recovery process, we recommend that you t
2. At the command prompt, type the following command and then press ENTER:
`manage-bde. -ComputerName <RemoteComputerName> -forcerecovery <BitLockerVolume>`
> **Note:**  Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user.
> **Note:**  Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx).
 
## <a href="" id="bkmk-planningrecovery"></a>Planning your recovery process

2
windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
View File

@ -84,7 +84,7 @@ Configure the **Maximum lifetime for user ticket renewal** setting to 7 days.
### Potential impact
None. This is the default configuration.
Seven (7) days is the default configuration. Changing the default configuration is a tradeoff between user convenience and security. A shorter time period requires users to authenticate with a DC more often, but remote users who authenticate with a DC infrequently can be locked out of services until they reauthenticate.
## Related topics

10
windows/security/threat-protection/security-policy-settings/maximum-password-age.md
View File

@ -59,15 +59,17 @@ None. Changes to this policy become effective without a computer restart when th
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of implementation.
### Vulnerability
The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the **Maximum password age** policy setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access.
The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the **Maximum password age** policy setting to 0 so that users are never required to change their passwords allows a compromised password to be used by the malicious user for as long as the valid user is authorized access.
### Countermeasure
### Considerations
Configure the **Maximum password age** policy setting to a value that is suitable for your organization's business requirements.
Mandated password changes are a long-standing security practice, but current research strongly indicates that password expiration has a negative effect. See [Microsoft Password Guidance](https://www.microsoft.com/en-us/research/publication/password-guidance/) for further information.
Configure the **Maximum password age** policy setting to a value that is suitable for your organization's business requirements. For example, many organisations have compliance or insurance mandates requiring a short lifespan on passwords. Where such a requirement exists, the **Maximum password age** policy setting can be used to meet business requirements.
### Potential impact

60
windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
View File

@ -117,6 +117,66 @@ Configuration for onboarded machines: diagnostic data reporting frequency | ./De
>[!TIP]
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Select **Endpoint management** > **Clients** on the **Navigation pane**.
b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
![Endpoint onboarding](images/atp-mdm-onboarding-package.png)
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
3. Login to the [Microsoft Azure portal](https://portal.azure.com).
4. From the Intune blade, choose **Device configuration**.
![Image of device configuration menu in Microsoft Azure](images/atp-azure-intune-device-config.png)
5. Under **Manage**, choose **Profiles** and click **Create Profile**.
![Image of policy creation in Azure](images/atp-azure-intune-create-profile.png)
6. Type a name, description and choose **Windows 10 and later** as the Platform and **Custom** as the Profile type.
![Image of naming a policy](images/atp-intune-custom.png)
7. Click **Settings** > **Configure**.
![Image of settings](images/atp-intune-configure.png)
8. Under Custom OMA-URI Settings, click **Add**.
![Image of configuration settings](images/atp-custom-oma-uri.png)
9. Enter the following values, then click **OK**.
![Image of profile creation](images/atp-oma-uri-values.png)
- **Name**: Type a name for the setting.
- **Description**: Type a description for the setting.
- **OMA-URI**: _./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding_
- **Value**: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded.
10. Save the settings by clicking **OK**.
11. Click **Create**.
![Image of the policy being created](images/atp-intune-create-policy.png)
12. To deploy the Profile, click **Assignments**.
![Image of groups](images/atp-intune-assignments.png)
13. Search for and select the Group you want to apply the Configuration Profile to, then click **Select**.
![Image of groups](images/atp-intune-group.png)
14. Click **Save** to finish deploying the Configuration Profile.
![Image of deployment](images/atp-intune-save-deployment.png)
### Offboard and monitor endpoints

17
windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
ms.date: 03/27/2018
---
# Create custom alerts using the threat intelligence (TI) application program interface (API)
@ -184,6 +184,21 @@ Content-Type: application/json;
```
If successful, you should get a 201 CREATED response containing the representation of the newly created indicators of compromise in the payload.
The API currently supports the following IOC types:
- Sha1
- Sha256
- Md5
- FileName
- IpAddress
- DomainName
And the following operators:
- Equals
- StartWith
- EndWith
- Contains
## Bulk upload of alert definitions and IOCs
Bulk upload of multiple entities can be done by sending an HTTP POST request to `/{resource}/Actions.BulkUpload`. </br>

4
windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 11/17/2017
ms.date: 03/21/2018
---
# Minimum requirements for Windows Defender ATP
@ -68,7 +68,7 @@ The hardware requirements for Windows Defender ATP on endpoints is the same as t
#### Internet connectivity
Internet connectivity on endpoints is required either directly or through proxy.
The Windows Defender ATP sensor can utilize up to 5MB daily of bandwidth to communicate with the Windows Defender ATP cloud service and report cyber data.
The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data.
For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .

3
windows/whats-new/whats-new-windows-10-version-1709.md
View File

@ -114,6 +114,9 @@ The minimum PIN length is being changed from 6 to 4, with a default of 6. For mo
Microsoft has released new [Windows security baselines](https://docs.microsoft.com/en-us/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/en-us/windows/device-security/security-compliance-toolkit-10).
### SMBLoris vulnerability
An issue, known as “SMBLoris”, which could result in denial of service, has been addressed.
## Windows Analytics